Merge pull request #21 from xiaoheihei1107/master

Add Geowebserver 5.3.3 Arbitrary File Read，CVE-2019-18818，Kyan Network monitoring time RCE

Geowebserver/5_3_3_Arbitrary_File_Read/README.md

@@ -0,0 +1,9 @@
+# Geowebserver 5.3.3 Arbitrary File Read
+
+GEOVISION GEOWEBSERVER less than 5.3.3 are vulnerable to several XSS ,HTML Injection ,Local File Include ,XML Injection ,Code execution vectors. The application fails to properly sanitize user requests. This allows injection of HTML code and XSS ,client side exploitation, including session theft.
+
+FOFA **query rule**: [app="Geowebserver"](https://fofa.so/result?qbase64=YXBwPSJHZW93ZWJzZXJ2ZXIi)
+
+# Demo
+
+![Geowebserver_5_3_3_Arbitrary_File_Read](Geowebserver_5_3_3_Arbitrary_File_Read.gif)

Kyan/Kyan_time_RCE/README.md

@@ -0,0 +1,9 @@
+# Kyan Network monitoring time RCE
+
+Kyan network monitoring equipment time.php can execute arbitrary commands after authentication, and can obtain server permissions with the account password leaked by the host.
+
+FOFA **query rule**: [app="Kyan设计"](https://fofa.so/result?qbase64=YXBwPSJLeWFu6K6%2B6K6hIg%3D%3D)
+
+# Demo
+
+![Kyan_Network_monitoring_time_RCE](Kyan_Network_monitoring_time_RCE.gif)

Strapi/CVE-2019-18818/README.md

@@ -0,0 +1,9 @@
+# Strapi 3.0.0 17.4 Password Reset (CVE-2019-18818)
+
+Strapi is an open source headless content management system (CMS), strapi before 3.0.0-beta.17.5 mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js.
+
+FOFA **query rule**: [banner="X-Powered-By: Strapi <strapi.io>"](https://fofa.so/result?qbase64=YmFubmVyPSJYLVBvd2VyZWQtQnk6IFN0cmFwaSA8c3RyYXBpLmlvPiI%3D)
+
+# Demo
+
+![Strapi_17_4_Password_Reset_CVE_2019_18818](Strapi_17_4_Password_Reset_CVE_2019_18818.gif)